diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5584f7d4a9f8b5050d45ac40f4141f356712d33c..4533fe2564c2b02f6ca49adf8544a508e22b6272 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -269,6 +269,57 @@ test-init-with-reconfigure:
       EOF
     - gitlab-terraform init
 
+test-init-with-prepared-registry-token:
+  extends:
+    - .test
+  stage: test-init
+  variables:
+    TERRAFORM_VERSION: $STABLE_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      export TF_TOKEN_gitlab_com=mysecrettoken
+      . $(which gitlab-terraform)
+      terraform_authenticate_private_registry
+      test "$TF_TOKEN_gitlab_com" = "mysecrettoken"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
+test-init-without-prepared-registry-token:
+  extends:
+    - .test
+  stage: test-init
+  variables:
+    TERRAFORM_VERSION: $STABLE_VERSION
+  script:
+    - apk add --update $PKG
+    - |
+      cat <<'EOF' > test.sh
+      set -x
+      . $(which gitlab-terraform)
+      terraform_authenticate_private_registry
+      test -n "$TF_TOKEN_gitlab_com"
+      EOF
+    - $SHELL test.sh
+  parallel:
+    matrix:
+      - SHELL: "bash"
+        PKG: "bash"
+      - SHELL: "zsh"
+        PKG: "zsh"
+      - SHELL: "ksh"
+        PKG: "loksh"
+
 test-fmt:
   extends:
     - .test
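Review bot: In `test-init-without-prepared-registry-token`, `set -x` is active while `terraform_authenticate_private_registry` runs. The shell therefore traces the `export` of the real `CI_JOB_TOKEN` into the job log, and only the runner's log masking (not visible in this diff) would hide it. The first job exports only the dummy `mysecrettoken`, so tracing is harmless there. In the second job, drop `set -x` or wrap the call as `set +x; terraform_authenticate_private_registry; set -x`. Separately, `test -n "$TF_TOKEN_gitlab_com"` only proves the variable is non-empty; `test "$TF_TOKEN_gitlab_com" = "$CI_JOB_TOKEN"` (with tracing off) would pin the fallback. Both jobs also hard-code the `gitlab_com` suffix, so they presumably fail on a mirror or self-hosted instance where `CI_SERVER_HOST` differs.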
diff --git a/src/bin/gitlab-terraform.sh b/src/bin/gitlab-terraform.sh
index 6c01144dc052b9f0203ccbc5742ae3ae1002f008..68c5cfaee10d7129dc934eeb8866aabaf772b6f6 100755
--- a/src/bin/gitlab-terraform.sh
+++ b/src/bin/gitlab-terraform.sh
@@ -13,13 +13,13 @@ terraform_is_at_least() {
 # Evaluate if this script is being sourced or executed directly.
 # See https://stackoverflow.com/a/28776166
 sourced=0
-if [ -n "$ZSH_VERSION" ]; then 
+if [ -n "$ZSH_VERSION" ]; then
   case $ZSH_EVAL_CONTEXT in *:file) sourced=1;; esac
 elif [ -n "$KSH_VERSION" ]; then
   # shellcheck disable=SC2296
   [ "$(cd -- "$(dirname -- "$0")" && pwd -P)/$(basename -- "$0")" != "$(cd -- "$(dirname -- "${.sh.file}")" && pwd -P)/$(basename -- "${.sh.file}")" ] && sourced=1
 elif [ -n "$BASH_VERSION" ]; then
-  (return 0 2>/dev/null) && sourced=1 
+  (return 0 2>/dev/null) && sourced=1
 else # All other shells: examine $0 for known shell binary filenames.
      # Detects `sh` and `dash`; add additional shell filenames as needed.
   case ${0##*/} in sh|-sh|dash|-dash) sourced=1;; esac
@@ -108,7 +108,10 @@ terraform_authenticate_private_registry() {
     # For more info, see https://www.terraform.io/cli/config/config-file#environment-variable-credentials
     if [ "${CI_SERVER_PROTOCOL}" = "https" ] && [ -n "${CI_SERVER_HOST}" ]; then
       tf_token_var_name=TF_TOKEN_$(idn2 "${CI_SERVER_HOST}" | sed 's/\./_/g' | sed 's/-/__/g')
-      export "${tf_token_var_name}"="${CI_JOB_TOKEN}"
+      # If TF_TOKEN_ for the Gitlab domain is not set then use the CI_JOB_TOKEN
+      if [ -z "$(eval "echo \${${tf_token_var_name}:-}")" ]; then
+        export "${tf_token_var_name}"="${CI_JOB_TOKEN}"
+      fi
     fi
   else
     # If we have a version older than 1.2.0, we use the credentials file.
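Review bot: The new check `[ -z "$(eval "echo \${${tf_token_var_name}:-}")" ]` expands the token value into an `echo` command line inside a subshell. The secret then appears in any `set -x` trace, and a value that `echo` treats as an option (for example `-n`) reads as empty and gets overwritten. Testing for presence without expanding the value avoids both: `eval "tf_token_is_set=\${${tf_token_var_name}:+1}"` followed by `if [ -z "${tf_token_is_set}" ]; then`. Because `tf_token_var_name` is built from `CI_SERVER_HOST` through `idn2` and `sed` and then passed to `eval`, a guard that rejects names with anything outside `[A-Za-z0-9_]` would keep an unexpected host value from being evaluated as shell. The comment above the check could also say that a user-supplied `TF_TOKEN_<host>` takes precedence over the job token. `terraform_authenticate_private_registry` starts and ends outside this hunk.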
@@ -189,4 +192,4 @@ else
   # This variable can be used if the script is sourced
   # shellcheck disable=SC2034
   TF_GITLAB_SOURCED=true
-fi
\ No newline at end of file
+fi