Add AllowMemberTokenManagement to Team

Author: juliannatetreault

CHANGELOG.md

@@ -1,8 +1,12 @@
 ## Unreleased
 
+<<<<<<< HEAD
 ENHANCEMENTS:
 * `d/tfe_project`: Add `workspace_names` attribute, by @1natedawg [#1429](https://github.com/hashicorp/terraform-provider-tfe/pull/1429)
 
+FEATURES:
+* `r/tfe_team`: Add attribute `allow_member_token_management` to `tfe_team` by @juliannatetreault [#1398](https://github.com/hashicorp/terraform-provider-tfe/pull/1398)
+
 BUG FIXES:
 * `r/tfe_workspace` html_url is now planned to be recomputed when `name` changes. Previously, changed values would show up on the next plan, by @brandonc [1422](https://github.com/hashicorp/terraform-provider-tfe/issues/1422)
 

internal/provider/resource_tfe_team.go

@@ -141,6 +141,11 @@ func resourceTFETeam() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"allow_member_token_management": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
 		},
 	}
 }
@@ -190,6 +195,10 @@ func resourceTFETeamCreate(d *schema.ResourceData, meta interface{}) error {
 		options.SSOTeamID = tfe.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("allow_member_token_management"); ok {
+		options.AllowMemberTokenManagement = tfe.Bool(v.(bool))
+	}
+
 	log.Printf("[DEBUG] Create team %s for organization: %s", name, organization)
 	team, err := config.Client.Teams.Create(ctx, organization, options)
 	if err != nil {
@@ -250,6 +259,7 @@ func resourceTFETeamRead(d *schema.ResourceData, meta interface{}) error {
 	}
 	d.Set("visibility", team.Visibility)
 	d.Set("sso_team_id", team.SSOTeamID)
+	d.Set("allow_member_token_management", team.AllowMemberTokenManagement)
 
 	return nil
 }
@@ -297,6 +307,10 @@ func resourceTFETeamUpdate(d *schema.ResourceData, meta interface{}) error {
 		options.SSOTeamID = tfe.String("")
 	}
 
+	if v, ok := d.GetOk("allow_member_token_management"); ok {
+		options.AllowMemberTokenManagement = tfe.Bool(v.(bool))
+	}
+
 	log.Printf("[DEBUG] Update team: %s", d.Id())
 	_, err := config.Client.Teams.Update(ctx, d.Id(), options)
 	if err != nil {

internal/provider/resource_tfe_team_test.go

@@ -57,6 +57,8 @@ func TestAccTFETeam_full(t *testing.T) {
 						"tfe_team.foobar", "name", "team-test"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "visibility", "organization"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "allow_member_token_management", "true"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_policies", "true"),
 					resource.TestCheckResourceAttr(
@@ -112,6 +114,8 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "name", "team-test"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "visibility", "organization"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "allow_member_token_management", "true"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_policies", "true"),
 					resource.TestCheckResourceAttr(
@@ -154,6 +158,8 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "name", "team-test-1"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "visibility", "secret"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "allow_member_token_management", "false"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_policies", "false"),
 					resource.TestCheckResourceAttr(
@@ -195,6 +201,8 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "name", "team-test-1"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "visibility", "secret"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "allow_member_token_management", "false"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_policies", "false"),
 					resource.TestCheckResourceAttr(
@@ -461,6 +469,10 @@ func testAccCheckTFETeamAttributes_full(
 			return fmt.Errorf("Bad visibility: %s", team.Visibility)
 		}
 
+		if !team.AllowMemberTokenManagement {
+			return fmt.Errorf("team.AllowMemberTokenManagement should be true")
+		}
+
 		if !team.OrganizationAccess.ManagePolicies {
 			return fmt.Errorf("OrganizationAccess.ManagePolicies should be true")
 		}
@@ -511,6 +523,10 @@ func testAccCheckTFETeamAttributes_full_update(
 			return fmt.Errorf("Bad visibility: %s", team.Visibility)
 		}
 
+		if !team.AllowMemberTokenManagement {
+			return fmt.Errorf("team.AllowMemberTokenManagement should be false")
+		}
+
 		if team.OrganizationAccess.ManagePolicies {
 			return fmt.Errorf("OrganizationAccess.ManagePolicies should be false")
 		}
@@ -596,6 +612,7 @@ resource "tfe_team" "foobar" {
   organization = tfe_organization.foobar.id
 
   visibility = "organization"
+  allow_member_token_management = true
 
   organization_access {
     manage_policies = true
@@ -630,6 +647,7 @@ resource "tfe_team" "foobar" {
   organization = tfe_organization.foobar.id
 
   visibility = "secret"
+  allow_member_token_management = false
 
   organization_access {
     manage_policies = false

website/docs/r/team.html.markdown

@@ -41,6 +41,7 @@ The following arguments are supported:
 * `visibility` - (Optional) The visibility of the team ("secret" or "organization"). Defaults to "secret".
 * `organization_access` - (Optional) Settings for the team's [organization access](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/permissions#organization-permissions).
 * `sso_team_id` - (Optional) Unique Identifier to control [team membership](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/single-sign-on#team-names-and-sso-team-ids) via SAML. Defaults to `null`
+* `allow_member_token_management` - (Optional) Used by Owners and users with "Manage Teams" permissions to control whether team members can manage team tokens. Defaults to `true`.
 
 The `organization_access` block supports: