Add user_token_enabled attribute to organizations

Author: JarrettSpiker

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-slug v0.16.7
-	github.com/hashicorp/go-tfe v1.93.0
+	github.com/hashicorp/go-tfe v1.93.1-0.20250924155324-62ba5e85f6fb
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/hcl v1.0.0
 	github.com/hashicorp/hcl/v2 v2.24.0 // indirect

go.sum

@@ -75,6 +75,10 @@ github.com/hashicorp/go-slug v0.16.7 h1:sBW8y1sX+JKOZKu9a+DQZuWDVaX+U9KFnk6+VDQv
 github.com/hashicorp/go-slug v0.16.7/go.mod h1:X5fm++dL59cDOX8j48CqHr4KARTQau7isGh0ZVxJB5I=
 github.com/hashicorp/go-tfe v1.93.0 h1:hJubwn1xNCo1iBO66iQkjyC+skR61cK1AQUj4O9vvuI=
 github.com/hashicorp/go-tfe v1.93.0/go.mod h1:QwqgCD5seztgp76CP7F0POJPflQNSqjIvBpVohg9X50=
+github.com/hashicorp/go-tfe v1.93.1-0.20250923213433-bf749f02529d h1:aYUoNBYzQXEARIeOnHvS4MXvZAskNe7p0L4vWW4Jr2E=
+github.com/hashicorp/go-tfe v1.93.1-0.20250923213433-bf749f02529d/go.mod h1:QwqgCD5seztgp76CP7F0POJPflQNSqjIvBpVohg9X50=
+github.com/hashicorp/go-tfe v1.93.1-0.20250924155324-62ba5e85f6fb h1:ygCjBBxFY65m2jmo34Cta5NCFBa4HngicWcWYvZY2pk=
+github.com/hashicorp/go-tfe v1.93.1-0.20250924155324-62ba5e85f6fb/go.mod h1:QwqgCD5seztgp76CP7F0POJPflQNSqjIvBpVohg9X50=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=

internal/provider/provider_test.go

@@ -157,6 +157,19 @@ func getClientUsingEnv() (*tfe.Client, error) {
 	return tfeClient, nil
 }
 
+func getClientWithToken(token string) (*tfe.Client, error) {
+	hostname := client.DefaultHostname
+	if os.Getenv("TFE_HOSTNAME") != "" {
+		hostname = os.Getenv("TFE_HOSTNAME")
+	}
+
+	tfeClient, err := client.GetClient(hostname, token, defaultSSLSkipVerify)
+	if err != nil {
+		return nil, fmt.Errorf("Error getting client: %w", err)
+	}
+	return tfeClient, nil
+}
+
 func TestProvider(t *testing.T) {
 	if err := Provider().InternalValidate(); err != nil {
 		t.Fatalf("err: %s", err)

internal/provider/resource_tfe_organization.go

@@ -108,6 +108,11 @@ func resourceTFEOrganization() *schema.Resource {
 				Optional: true,
 				Default:  true,
 			},
+			"user_tokens_enabled": {
+				Type:     schema.TypeBool,
+				Default:  true,
+				Optional: true,
+			},
 		},
 	}
 }
@@ -164,6 +169,9 @@ func resourceTFEOrganizationRead(d *schema.ResourceData, meta interface{}) error
 	d.Set("assessments_enforced", org.AssessmentsEnforced)
 	d.Set("allow_force_delete_workspaces", org.AllowForceDeleteWorkspaces)
 	d.Set("speculative_plan_management_enabled", org.SpeculativePlanManagementEnabled)
+	if org.UserTokensEnabled != nil {
+		d.Set("user_tokens_enabled", org.UserTokensEnabled)
+	}
 
 	if org.DefaultProject != nil {
 		d.Set("default_project_id", org.DefaultProject.ID)
@@ -233,6 +241,11 @@ func resourceTFEOrganizationUpdate(d *schema.ResourceData, meta interface{}) err
 		options.SpeculativePlanManagementEnabled = tfe.Bool(speculativePlanManagementEnabled.(bool))
 	}
 
+	// If user_tokens_enabled is supplied, set it using the options struct.
+	if userTokensEnabled, ok := d.GetOkExists("user_tokens_enabled"); ok {
+		options.UserTokensEnabled = tfe.Bool(userTokensEnabled.(bool))
+	}
+
 	log.Printf("[DEBUG] Update configuration of organization: %s", d.Id())
 	org, err := config.Client.Organizations.Update(ctx, d.Id(), options)
 	if err != nil {

internal/provider/resource_tfe_organization_test.go

@@ -85,6 +85,8 @@ func TestAccTFEOrganization_full(t *testing.T) {
 						"tfe_organization.foobar", "allow_force_delete_workspaces", "false"),
 					resource.TestCheckResourceAttr(
 						"tfe_organization.foobar", "speculative_plan_management_enabled", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
 				),
 			},
 		},
@@ -205,6 +207,80 @@ func TestAccTFEOrganization_update_costEstimation(t *testing.T) {
 	})
 }
 
+func TestAccTFEOrganization_user_tokens_enabled(t *testing.T) {
+	// this test is a bit tricky because once user tokens are disabled, we cannot use a user token to re-enable them
+	// through the API.
+	// Therefore, we need to create an org, generate an owners team token for that org, and then use that token
+	// in the go-tfe client to test the user_tokens_enabled setting.
+
+	org := &tfe.Organization{}
+	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
+	orgName := fmt.Sprintf("tst-terraform-%d", rInt)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFEOrganizationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEOrganization_basic(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEOrganizationExists(
+						"tfe_organization.foobar", org),
+					testAccCheckTFEOrganizationAttributesBasic(org, orgName),
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
+				),
+			},
+			{
+				PreConfig: func() {
+					// create a team token for the owners team in the org,
+					// then set the provider token to that value
+					ownersTeams, err := testAccConfiguredClient.Client.Teams.List(ctx, org.Name, &tfe.TeamListOptions{
+						Names: []string{"owners"},
+					})
+					if err != nil {
+						t.Fatal(err)
+					}
+					if len(ownersTeams.Items) != 1 {
+						t.Fatalf("expected to find 1 owners team, found %d", len(ownersTeams.Items))
+					}
+					ownersTeam := ownersTeams.Items[0]
+
+					teamToken, err := testAccConfiguredClient.Client.TeamTokens.Create(ctx, ownersTeam.ID)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					tfeClient, err := getClientWithToken(teamToken.ID)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					testAccConfiguredClient = &ConfiguredClient{
+						Client:       tfeClient,
+						Organization: org.Name,
+					}
+				},
+				Config: testAccTFEOrganization_userTokensEnabled(rInt, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "false"),
+					testAccCheckTFEOrganizationUserTokensEnabled(org, orgName, false),
+				),
+			},
+			{
+				Config: testAccTFEOrganization_userTokensEnabled(rInt, true),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"tfe_organization.foobar", "user_tokens_enabled", "true"),
+					testAccCheckTFEOrganizationUserTokensEnabled(org, orgName, true),
+				),
+			},
+		},
+	})
+}
+
 func TestAccTFEOrganization_case(t *testing.T) {
 	org := &tfe.Organization{}
 	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
@@ -343,6 +419,20 @@ func testAccCheckTFEOrganizationAttributesFull(
 	}
 }
 
+func testAccCheckTFEOrganizationUserTokensEnabled(
+	org *tfe.Organization, expectedOrgName string, expectedUserTokensEnabled bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if org.Name != expectedOrgName {
+			return fmt.Errorf("Bad name: %s", org.Name)
+		}
+
+		if org.UserTokensEnabled != nil && *org.UserTokensEnabled != expectedUserTokensEnabled {
+			return fmt.Errorf("Bad user tokens enabled: %v", org.UserTokensEnabled)
+		}
+		return nil
+	}
+}
+
 func testAccCheckTFEOrganizationAttributesUpdated(
 	org *tfe.Organization, expectedOrgName string, expectedCostEstimationEnabled bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -441,3 +531,12 @@ resource "tfe_organization" "foobar" {
   allow_force_delete_workspaces     = %t
 }`, orgName, orgEmail, costEstimationEnabled, assessmentsEnforced, allowForceDeleteWorkspaces)
 }
+
+func testAccTFEOrganization_userTokensEnabled(rInt int, userTokensEnabled bool) string {
+	return fmt.Sprintf(`
+resource "tfe_organization" "foobar" {
+  name  = "tst-terraform-%d"
+  email = "[email protected]"
+  user_tokens_enabled = %t
+}`, rInt, userTokensEnabled)
+}