Copilot AI commented Sep 8, 2025

This PR adds support for reading Terraform state from GitLab's Terraform state API, addressing the limitation where ref+tfstateremote only works with Terraform Cloud/Enterprise but not with GitLab.

Problem

Users with Terraform state stored in GitLab cannot use vals to read state values. The existing tfstateremote provider only supports Terraform Cloud/Enterprise API endpoints, not GitLab's Terraform state API which uses different authentication and URL patterns.

For example, this command works with tfstate-lookup but fails with vals:

tfstate-lookup -state https://username:[email protected]/api/v4/projects/xx/terraform/state/Xxx/ 

Solution

Added a new tfstategitlab provider that:

  • Supports GitLab Terraform state API URLs: ref+tfstategitlab://gitlab.com/api/v4/projects/PROJECT_ID/terraform/state/STATE_NAME/RESOURCE_NAME
  • Multiple authentication methods:
    • GITLAB_TOKEN environment variable (GitLab private token)
    • TFE_TOKEN environment variable (for Terraform Enterprise workflow compatibility)
    • TFE_USER + TFE_TOKEN for HTTP basic authentication
  • Automatic GitLab URL detection for /api/v4/projects/.../terraform/state/ endpoints
  • Query parameter support for inline configuration
  • Backward compatibility - all existing tfstate providers continue to work unchanged

Usage Examples

# Using GitLab token
export GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
echo 'db_url: ref+tfstategitlab://gitlab.com/api/v4/projects/123/terraform/state/production/aws_db_instance.main.endpoint' | vals eval -f -

# Using TFE token for compatibility
export TFE_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx  
echo 'vpc_id: ref+tfstategitlab://gitlab.example.com/api/v4/projects/456/terraform/state/staging/aws_vpc.main.id' | vals eval -f -

# Using basic authentication
export TFE_USER=myusername
export TFE_TOKEN=mypassword
echo 'subnet: ref+tfstategitlab://my-gitlab.company.com/api/v4/projects/789/terraform/state/default/aws_subnet.private.id' | vals eval -f -

Implementation Details

  • Extends the existing tfstate provider with GitLab-specific HTTP authentication
  • Follows established patterns for environment variable handling (similar to AWS/Azure support)
  • Maintains code quality standards and passes all linting checks
  • Includes comprehensive documentation and examples

Fixes #661.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: ./bin/vals eval -f - (dns block)
  • gitlab.com
    • Triggering command: ./bin/vals eval -f - (dns block)
  • httpbin.org
    • Triggering command: ./bin/vals eval -f - (dns block)
  • my-gitlab.com
    • Triggering command: ./bin/vals eval -f - (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


- Add new tfstategitlab provider for reading Terraform state from GitLab
- Support GitLab API authentication via GITLAB_TOKEN or TFE_TOKEN
- Support basic authentication via TFE_USER and TFE_TOKEN environment variables
- Add GitLab URL detection for /api/v4/projects/.../terraform/state/ endpoints
- Add comprehensive documentation and examples in README.md
- Maintain backward compatibility with existing tfstate providers
- Follow existing code patterns for environment variable handling
- Pass all linting checks and maintain code quality standards

Co-authored-by: yxxhero <[email protected]>
Copilot AI changed the title from "[WIP] Feature request: read tfstate from gitlab" to "Add GitLab Terraform state provider support (tfstategitlab)" Sep 8, 2025
Copilot AI requested a review from yxxhero September 8, 2025 00:43
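
An added sketch, not code from this PR or from vals, of how a ref in the path form shown in the description can be turned into an authenticated request with the credential carried in a header instead of in the URL userinfo, which is where the quoted tfstate-lookup command puts it. `buildRequest`, the regular expression, the precedence among the three environment variables, and sending `TFE_TOKEN` in GitLab's `PRIVATE-TOKEN` header are assumptions; the token value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
)

// Path form of the ref shown in the PR description (query parameters not handled):
// ref+tfstategitlab://HOST/api/v4/projects/ID/terraform/state/NAME/RESOURCE
var refRe = regexp.MustCompile(`^ref\+tfstategitlab://([A-Za-z0-9.-]+(?::\d+)?)` +
	`/api/v4/projects/([^/?#]+)/terraform/state/([^/?#]+)/([^/?#]+)$`)

// buildRequest (hypothetical helper) returns the state request and the resource
// address to look up. env holds the environment variables named in the PR.
func buildRequest(ref string, env map[string]string) (*http.Request, string, error) {
	m := refRe.FindStringSubmatch(ref)
	if m == nil {
		return nil, "", errors.New("not a GitLab Terraform state ref")
	}
	// Scheme is pinned to https so the credential never travels in clear text.
	u := fmt.Sprintf("https://%s/api/v4/projects/%s/terraform/state/%s", m[1], m[2], m[3])
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, "", err
	}
	// Assumed precedence; the PR text lists the methods without ordering them.
	switch {
	case env["GITLAB_TOKEN"] != "":
		req.Header.Set("PRIVATE-TOKEN", env["GITLAB_TOKEN"])
	case env["TFE_USER"] != "" && env["TFE_TOKEN"] != "":
		req.SetBasicAuth(env["TFE_USER"], env["TFE_TOKEN"])
	case env["TFE_TOKEN"] != "":
		req.Header.Set("PRIVATE-TOKEN", env["TFE_TOKEN"])
	default:
		return nil, "", errors.New("no GITLAB_TOKEN or TFE_TOKEN set")
	}
	return req, m[4], nil
}

func main() {
	ref := "ref+tfstategitlab://gitlab.com/api/v4/projects/123/terraform/state/production/aws_db_instance.main.endpoint"
	// Constructed sample token, not a real credential.
	req, resource, err := buildRequest(ref, map[string]string{"GITLAB_TOKEN": "glpat-constructed"})
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL, "->", resource) // credential is in a header, not in the URL
}
```

Keeping the token out of the URL means it does not end up in shell history, process listings, or proxy and access logs that record request lines.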