Add user_token_enabled attribute to organizations

Author: JarrettSpiker

internal/provider/provider_test.go

@@ -157,6 +157,19 @@ func getClientUsingEnv() (*tfe.Client, error) {
 	return tfeClient, nil
 }
 
+func getClientWithToken(token string) (*tfe.Client, error) {
+	hostname := client.DefaultHostname
+	if os.Getenv("TFE_HOSTNAME") != "" {
+		hostname = os.Getenv("TFE_HOSTNAME")
+	}
+
+	tfeClient, err := client.GetClient(hostname, token, defaultSSLSkipVerify)
+	if err != nil {
+		return nil, fmt.Errorf("Error getting client: %w", err)
+	}
+	return tfeClient, nil
+}
+
 func TestProvider(t *testing.T) {
 	if err := Provider().InternalValidate(); err != nil {
 		t.Fatalf("err: %s", err)

internal/provider/resource_tfe_organization.go

@@ -108,6 +108,11 @@ func resourceTFEOrganization() *schema.Resource {
 				Optional: true,
 				Default:  true,
 			},
+			"user_tokens_enabled": {
+				Type:     schema.TypeBool,
+				Default:  true,
+				Optional: true,
+			},
 
 			"enforce_hyok": {
 				Type:     schema.TypeBool,
@@ -172,6 +177,10 @@ func resourceTFEOrganizationRead(d *schema.ResourceData, meta interface{}) error
 	d.Set("speculative_plan_management_enabled", org.SpeculativePlanManagementEnabled)
 	d.Set("enforce_hyok", org.EnforceHYOK)
 
+	if org.UserTokensEnabled != nil {
+		d.Set("user_tokens_enabled", org.UserTokensEnabled)
+	}
+
 	if org.DefaultProject != nil {
 		d.Set("default_project_id", org.DefaultProject.ID)
 	}
@@ -240,6 +249,11 @@ func resourceTFEOrganizationUpdate(d *schema.ResourceData, meta interface{}) err
 		options.SpeculativePlanManagementEnabled = tfe.Bool(speculativePlanManagementEnabled.(bool))
 	}
 
+	// If user_tokens_enabled is supplied, set it using the options struct.
+	if userTokensEnabled, ok := d.GetOkExists("user_tokens_enabled"); ok {
+		options.UserTokensEnabled = tfe.Bool(userTokensEnabled.(bool))
+	}
+
 	// If enforce_hyok is supplied, set it using the options struct.
 	if enforceHYOK, ok := d.GetOkExists("enforce_hyok"); ok {
 		options.EnforceHYOK = tfe.Bool(enforceHYOK.(bool))

internal/provider/resource_tfe_organization_test.go

@@ -85,6 +85,8 @@ func TestAccTFEOrganization_full(t *testing.T) {
 						"tfe_organization.foobar", "allow_force_delete_workspaces", "false"),
 					resource.TestCheckResourceAttr(
 						"tfe_organization.foobar", "speculative_plan_management_enabled", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
 				),
 			},
 		},
@@ -205,6 +207,80 @@ func TestAccTFEOrganization_update_costEstimation(t *testing.T) {
 	})
 }
 
+func TestAccTFEOrganization_user_tokens_enabled(t *testing.T) {
+	// this test is a bit tricky because once user tokens are disabled, we cannot use a user token to re-enable them
+	// through the API.
+	// Therefore, we need to create an org, generate an owners team token for that org, and then use that token
+	// in the go-tfe client to test the user_tokens_enabled setting.
+
+	org := &tfe.Organization{}
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+	orgName := fmt.Sprintf("tst-terraform-%d", rInt)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFEOrganizationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEOrganization_basic(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOrganizationExists(
+						"tfe_organization.foobar", org),
+					testAccCheckTFEOrganizationAttributesBasic(org, orgName),
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
+				),
+			},
+			{
+				PreConfig: func() {
+					// create a team token for the owners team in the org,
+					// then set the provider token to that value
+					ownersTeams, err := testAccConfiguredClient.Client.Teams.List(ctx, org.Name, &tfe.TeamListOptions{
+						Names: []string{"owners"},
+					})
+					if err != nil {
+						t.Fatal(err)
+					}
+					if len(ownersTeams.Items) != 1 {
+						t.Fatalf("expected to find 1 owners team, found %d", len(ownersTeams.Items))
+					}
+					ownersTeam := ownersTeams.Items[0]
+
+					teamToken, err := testAccConfiguredClient.Client.TeamTokens.Create(ctx, ownersTeam.ID)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					tfeClient, err := getClientWithToken(teamToken.ID)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					testAccConfiguredClient = &ConfiguredClient{
+						Client:       tfeClient,
+						Organization: org.Name,
+					}
+				},
+				Config: testAccTFEOrganization_userTokensEnabled(rInt, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "false"),
+					testAccCheckTFEOrganizationUserTokensEnabled(org, orgName, false),
+				),
+			},
+			{
+				Config: testAccTFEOrganization_userTokensEnabled(rInt, true),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
+					testAccCheckTFEOrganizationUserTokensEnabled(org, orgName, true),
+				),
+			},
+		},
+	})
+}
+
 func TestAccTFEOrganization_EnforceHYOK(t *testing.T) {
 	skipUnlessHYOKEnabled(t)
 
@@ -381,6 +457,20 @@ func testAccCheckTFEOrganizationAttributesFull(
 	}
 }
 
+func testAccCheckTFEOrganizationUserTokensEnabled(
+	org *tfe.Organization, expectedOrgName string, expectedUserTokensEnabled bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if org.Name != expectedOrgName {
+			return fmt.Errorf("Bad name: %s", org.Name)
+		}
+
+		if org.UserTokensEnabled != nil && *org.UserTokensEnabled != expectedUserTokensEnabled {
+			return fmt.Errorf("Bad user tokens enabled: %v", org.UserTokensEnabled)
+		}
+		return nil
+	}
+}
+
 func testAccCheckTFEOrganizationAttributesUpdated(
 	org *tfe.Organization, expectedOrgName string, expectedCostEstimationEnabled bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -480,6 +570,15 @@ resource "tfe_organization" "foobar" {
 }`, orgName, orgEmail, costEstimationEnabled, assessmentsEnforced, allowForceDeleteWorkspaces)
 }
 
+func testAccTFEOrganization_userTokensEnabled(rInt int, userTokensEnabled bool) string {
+	return fmt.Sprintf(`
+resource "tfe_organization" "foobar" {
+  name  = "tst-terraform-%d"
+  email = "[email protected]"
+  user_tokens_enabled = %t
+}`, rInt, userTokensEnabled)
+}
+
 func testAccTFEOrganization_updateEnforceHYOK(orgName string, enforceHYOK bool) string {
 	return fmt.Sprintf(`
 resource "tfe_organization" "foobar" {