feat: allow repository to use bearer token for authentication (#714)

the-technat · web-flow · commit 61e5af1fc8e4 · 2025-08-22T15:21:58.000+02:00
Signed-off-by: Nathanael Liechti &lt;technat@technat.ch&gt;
diff --git a/docs/resources/repository.md b/docs/resources/repository.md
@@ -43,6 +43,7 @@ resource "argocd_repository" "private" {
 
 ### Optional
 
+- `bearer_token` (String, Sensitive) BearerToken contains the bearer token used for Git BitBucket Data Center auth at the repo server
 - `enable_lfs` (Boolean) Whether `git-lfs` support should be enabled for this repository.
 - `enable_oci` (Boolean) Whether `helm-oci` support should be enabled for this repository.
 - `githubapp_enterprise_base_url` (String) GitHub API URL for GitHub app authentication.
diff --git a/internal/provider/model_repository.go b/internal/provider/model_repository.go
@@ -34,6 +34,7 @@ type repositoryModel struct {
 	GitHubAppInstallationID    types.String `tfsdk:"githubapp_installation_id"`
 	GitHubAppEnterpriseBaseURL types.String `tfsdk:"githubapp_enterprise_base_url"`
 	GitHubAppPrivateKey        types.String `tfsdk:"githubapp_private_key"`
+	BearerToken                types.String `tfsdk:"bearer_token"`
 }
 
 func repositorySchemaAttributes() map[string]schema.Attribute {
@@ -75,6 +76,11 @@ func repositorySchemaAttributes() map[string]schema.Attribute {
 			Optional:            true,
 			Sensitive:           true,
 		},
+		"bearer_token": schema.StringAttribute{
+			MarkdownDescription: "BearerToken contains the bearer token used for Git BitBucket Data Center auth at the repo server",
+			Optional:            true,
+			Sensitive:           true,
+		},
 		"ssh_private_key": schema.StringAttribute{
 			MarkdownDescription: "PEM data for authenticating at the repo server. Only used with Git repos.",
 			Optional:            true,
@@ -143,6 +149,7 @@ func (m *repositoryModel) toAPIModel() (*v1alpha1.Repository, error) {
 		Project:                    m.Project.ValueString(),
 		Username:                   m.Username.ValueString(),
 		Password:                   m.Password.ValueString(),
+		BearerToken:                m.BearerToken.ValueString(),
 		SSHPrivateKey:              m.SSHPrivateKey.ValueString(),
 		TLSClientCertData:          m.TLSClientCertData.ValueString(),
 		TLSClientCertKey:           m.TLSClientCertKey.ValueString(),
diff --git a/internal/provider/resource_repository_test.go b/internal/provider/resource_repository_test.go
@@ -225,6 +225,56 @@ func TestAccArgoCDRepository_GitHubAppConsistency(t *testing.T) {
 	})
 }
 
+// TestAccArgoCDRepository_BearerTokenConsistency tests consistency of bearer token field
+// Note: This test uses a Helm repository which doesn't require authentication but allows token auth
+func TestAccArgoCDRepository_BearerTokenConsistency(t *testing.T) {
+	config := `
+resource "argocd_repository" "bearer_token" {
+  repo     = "https://helm.nginx.com/stable"
+  type     = "helm"
+	bearer_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30"
+}
+`
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"argocd_repository.bearer_token",
+						"bearer_token",
+						"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+					),
+					resource.TestCheckResourceAttr(
+						"argocd_repository.bearer_token",
+						"connection_state_status",
+						"Successful",
+					),
+				),
+			},
+			{
+				// Apply the same configuration again to test for consistency
+				Config: config,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"argocd_repository.bearer_token",
+						"bearer_token",
+						"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+					),
+					resource.TestCheckResourceAttr(
+						"argocd_repository.bearer_token",
+						"connection_state_status",
+						"Successful",
+					),
+				),
+			},
+		},
+	})
+}
+
 // TestAccArgoCDRepository_UsernamePasswordConsistency tests consistency of username/password fields
 // Note: This test uses a Helm repository which doesn't require authentication but allows username/password fields
 func TestAccArgoCDRepository_UsernamePasswordConsistency(t *testing.T) {
