Add warning when expired_at attribute is null#1976
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
debrin-hc
left a comment
- I don't see any test cases in this PR. Can we add some for the resources we are changing?
| // Issue warning if expired_at is not provided | ||
| if _, ok := d.GetOk("expired_at"); !ok { | ||
| log.Printf("[WARN] The 'expired_at' attribute is not set for organization token. The token will default to an expiration of 24 months from creation. It is recommended to explicitly set an expiration date for security best practices.") | ||
| } |
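Review bot: `log.Printf("[WARN] ...")` only goes to the provider's log stream, so the operator only sees it with `TF_LOG` set and never in the plan or apply output. In SDK v2 the resource's `CreateContext` function returns `diag.Diagnostics`, and appending a `diag.Diagnostic{Severity: diag.Warning, Summary: "...", Detail: "..."}` to that return value surfaces it as a CLI warning in the same way as the team-token warning from the framework path. The `d.GetOk("expired_at")` check is fine for detecting an omitted value, but note that `GetOk` also reports `ok == false` for an explicitly configured empty string, so the warning would fire in that case too.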
- Does this warning show up in the plan run output for an organization token? This seems to be adding a log message, instead of a "CLI output message".
Yes, it shows up in the logs. This uses the legacy SDK v2 plugin, that's why I added the log. Let me change it.
Tried ValidateFunc, ValidateDiagFunc. Doesn't seem to work. It might be a limitation in SDK v2?
Here is the output I see:
$ TF_LOG=warn terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│ - hashicorp/tfe in /Users/bcroft/hashicorp/terraform-provider-tfe
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with
│ published releases.
╵
2026-02-25T11:31:54.730-0700 [WARN] Provider "registry.terraform.io/hashicorp/tfe" produced an invalid plan for tfe_team.this, but we are tolerating it because it is using the legacy plugin SDK.
The following problems may be the cause of any confusing errors from downstream operations:
- .allow_member_token_management: planned value cty.True for a non-computed attribute
- .organization_access: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
2026-02-25T11:31:54.733-0700 [WARN] provider.terraform-provider-tfe: Response contains warning diagnostic: @module=sdk.proto diagnostic_severity=WARNING tf_proto_version=6.10 tf_req_id=4027a5d6-3191-463e-9ba8-9bd17c93dd54 tf_resource_type=tfe_team_token diagnostic_detail="" diagnostic_summary="Team Token expiration null values defaults to 24 months" tf_provider_addr=registry.terraform.io/hashicorp/tfe tf_rpc=PlanResourceChange @caller=/Users/bcroft/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.29.0/tfprotov6/internal/diag/diagnostics.go:60 timestamp=2026-02-25T11:31:54.732-0700
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# tfe_team.this will be created
+ resource "tfe_team" "this" {
+ allow_member_token_management = true
+ id = (known after apply)
+ name = "test-team"
+ organization = "hashicorp"
+ visibility = (known after apply)
+ organization_access (known after apply)
}
# tfe_team_token.legacy will be created
+ resource "tfe_team_token" "legacy" {
+ id = (known after apply)
+ team_id = (known after apply)
+ token = (sensitive value)
}
# time_rotating.example will be created
+ resource "time_rotating" "example" {
+ day = (known after apply)
+ hour = (known after apply)
+ id = (known after apply)
+ minute = (known after apply)
+ month = (known after apply)
+ rfc3339 = (known after apply)
+ rotation_days = 29
+ rotation_rfc3339 = (known after apply)
+ second = (known after apply)
+ unix = (known after apply)
+ year = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ token = (sensitive value)
╷
│ Warning: Team Token expiration null values defaults to 24 months
│
│ with tfe_team_token.legacy,
│ on main.tf line 26, in resource "tfe_team_token" "legacy":
│ 26: resource "tfe_team_token" "legacy" {
│
╵
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
I don't see this log, but I do see a log reflecting the warning diag
You are creating a team token that shows the warning because it uses the plugin framework, but this log is for the organization token.
| } | ||
|
|
||
| func (m warnIfNullOnCreateModifier) PlanModifyString(ctx context.Context, req planmodifier.StringRequest, resp *planmodifier.StringResponse) { | ||
| if req.State.Raw.IsNull() && req.ConfigValue.IsNull() { |
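Review bot: the create check `req.State.Raw.IsNull() && req.ConfigValue.IsNull()` correctly limits the warning to a create with no configured value, and on an update with a null config the attribute's prior state is kept by UseStateForUnknown, so no warning is repeated there; that matches the modifier's name. The summary text this produces in the plan ("Team Token expiration null values defaults to 24 months") hard-codes a server-side default that the provider does not control; consider wording it as "expired_at is not set; the API will assign an expiration" and documenting the current default in the attribute description instead, so the provider does not need a release when the backend default changes.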
What do you think about just defaulting the value instead of weirdly coupling the message to the backend default (that is actually not known)?
func (m *twoYearsModifier) PlanModifyString(_ context.Context, req planmodifier.StringRequest, resp *planmodifier.StringResponse) {
// If the user explicitly set a value in their HCL config, do nothing.
if !req.ConfigValue.IsNull() {
return
}
resp.PlanValue = types.StringValue(time.Now().AddDate(2, 0, 0).Format(time.RFC3339))
}
Hi Brandon,
We can either set a default value during apply or allow the backend API to do so. Although both can be correct, we have implemented the backend API to accept null and calculate the expiry time, making it the single source of truth.
We are fetching the expiredAt from the API response and storing it in the state file; also we have made expired_at computable with UseStateForUnknown so that the customer explicitly knows that this value will be computed and will be available after apply.
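The two plan-modifier strategies discussed in this thread, the client-side two-year default proposed above and the warn-on-create plus Computed/UseStateForUnknown approach described in the reply, modelled side by side as an added example. This is not the provider's code: `StringValue`, `PlanRequest`, `PlanResponse` and `PlanExpiredAt` are standard-library stand-ins for the plugin framework's `types.String`, `planmodifier.StringRequest`/`StringResponse` and its modifier chain (simplified, an assumption of this example), and the warning text and dates are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// StringValue is a stand-in for the framework's types.String: a string that
// may be null (omitted in config) or unknown (known after apply).
// Constructed for this example; it is not the plugin framework type.
type StringValue struct {
	known bool
	null  bool
	value string
}

func NullString() StringValue          { return StringValue{known: true, null: true} }
func UnknownString() StringValue       { return StringValue{known: false} }
func KnownString(s string) StringValue { return StringValue{known: true, value: s} }

func (v StringValue) IsNull() bool    { return v.known && v.null }
func (v StringValue) IsUnknown() bool { return !v.known }

// String renders the value the way a Terraform plan prints it.
func (v StringValue) String() string {
	switch {
	case v.IsUnknown():
		return "(known after apply)"
	case v.IsNull():
		return "null"
	default:
		return fmt.Sprintf("%q", v.value)
	}
}

// PlanRequest and PlanResponse mirror the shape of planmodifier.StringRequest
// and planmodifier.StringResponse (simplified; an assumption of this example).
type PlanRequest struct {
	StateIsNull bool        // no prior state at all: this plan is a create
	StateValue  StringValue // prior value of expired_at, if any
	ConfigValue StringValue // value written in HCL, null when omitted
}

type PlanResponse struct {
	PlanValue StringValue
	Warnings  []string // warning-severity diagnostics, shown in plan output
}

type StringPlanModifier interface {
	PlanModifyString(req PlanRequest, resp *PlanResponse)
}

// warnIfNullOnCreate emits a warning when a token is created without an
// explicit expiration and leaves the plan value untouched.
type warnIfNullOnCreate struct{}

func (warnIfNullOnCreate) PlanModifyString(req PlanRequest, resp *PlanResponse) {
	if req.StateIsNull && req.ConfigValue.IsNull() {
		resp.Warnings = append(resp.Warnings,
			"expired_at is not set; the API will assign an expiration for this token")
	}
}

// useStateForUnknown keeps the stored, API-computed expiration on updates so
// it does not show as a diff on every plan.
type useStateForUnknown struct{}

func (useStateForUnknown) PlanModifyString(req PlanRequest, resp *PlanResponse) {
	if req.StateIsNull || !resp.PlanValue.IsUnknown() {
		return
	}
	if req.StateValue.IsNull() || req.StateValue.IsUnknown() {
		return
	}
	resp.PlanValue = req.StateValue
}

// twoYearsDefault is the alternative from the thread: compute the expiration
// client-side. The clock is injected so the result is testable.
type twoYearsDefault struct{ now func() time.Time }

func (m twoYearsDefault) PlanModifyString(req PlanRequest, resp *PlanResponse) {
	if !req.ConfigValue.IsNull() {
		return // the user set a value explicitly; leave it alone
	}
	resp.PlanValue = KnownString(m.now().AddDate(2, 0, 0).UTC().Format(time.RFC3339))
}

// PlanExpiredAt runs a modifier chain for an Optional+Computed attribute:
// the starting plan value is the config value, or unknown when the config
// leaves it null (the framework marks computed nils as unknown).
func PlanExpiredAt(req PlanRequest, mods ...StringPlanModifier) PlanResponse {
	resp := PlanResponse{PlanValue: req.ConfigValue}
	if req.ConfigValue.IsNull() {
		resp.PlanValue = UnknownString()
	}
	for _, m := range mods {
		m.PlanModifyString(req, &resp)
	}
	return resp
}

func main() {
	create := PlanRequest{StateIsNull: true, StateValue: NullString(), ConfigValue: NullString()}
	update := PlanRequest{StateValue: KnownString("2028-02-25T00:00:00Z"), ConfigValue: NullString()}
	chain := []StringPlanModifier{warnIfNullOnCreate{}, useStateForUnknown{}}
	for name, req := range map[string]PlanRequest{"create": create, "update": update} {
		resp := PlanExpiredAt(req, chain...)
		fmt.Printf("%-6s expired_at = %s warnings=%v\n", name, resp.PlanValue, resp.Warnings)
	}
	fixed := func() time.Time { return time.Date(2026, 2, 25, 11, 31, 54, 0, time.UTC) }
	resp := PlanExpiredAt(create, twoYearsDefault{now: fixed})
	fmt.Printf("two-year default: expired_at = %s\n", resp.PlanValue)
}
```

Running the model shows the practical difference: with the warn-and-compute chain a create plans `(known after apply)` with one warning and an update silently keeps the stored date, whereas the client-side default writes a concrete date into every plan whose config is null, including updates, so it needs a state-aware check to avoid proposing a new expiration on each run.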
As of now, is it no longer possible to create a non-expiring team token in HCPTF? It raises some tricky questions about provider stability
…form-provider-tfe into WarningWithExpiredAtNull
Description
This change adds a warning and a disclaimer message for the provider customer that if they create a token (tfe_team_token, tfe_organization_token or tfe_audit_trail_token) with no expired_at attribute, it defaults to 2 years.