Add UserTokensEnabled field for Organizations #1225

Merged: emlanctot merged 6 commits into main from jspiker/user-token-enablement on Dec 12, 2025

Contributor

@JarrettSpiker JarrettSpiker commented Sep 23, 2025

Description

Adds UserTokensEnabled for Organizations.

This new HCP Terraform setting defaults to true. When disabled by an organization owner, user tokens will no longer be permitted to access the organization's resources through the API.

Testing plan

  1. Validate that the setting can be read from existing orgs
  2. Test creating orgs with the setting enabled/disabled
  3. Test updating an org to enable/disable the setting
  4. Validate that the setting is not included in update request serialization if not specified

External links

Output from tests

Including output from tests may require access to a TFE instance. Ignore this section if you have no environment to test against.

/usr/local/bin/go test -timeout 3000s -run ^TestOrganizationsUpdate$ github.com/hashicorp/go-tfe

=== RUN   TestOrganizationsUpdate
=== RUN   TestOrganizationsUpdate/with_HCP_Terraform-only_options
--- PASS: TestOrganizationsUpdate/with_HCP_Terraform-only_options (2.83s)
=== RUN   TestOrganizationsUpdate/with_new_AggregatedCommitStatusEnabled_option
--- PASS: TestOrganizationsUpdate/with_new_AggregatedCommitStatusEnabled_option (5.25s)
=== RUN   TestOrganizationsUpdate/with_new_SpeculativePlanManagementEnabled_option
--- PASS: TestOrganizationsUpdate/with_new_SpeculativePlanManagementEnabled_option (3.65s)
=== RUN   TestOrganizationsUpdate/with_new_UserTokensEnabled_option
--- PASS: TestOrganizationsUpdate/with_new_UserTokensEnabled_option (5.66s)
=== RUN   TestOrganizationsUpdate/with_valid_options
--- PASS: TestOrganizationsUpdate/with_valid_options (3.72s)
=== RUN   TestOrganizationsUpdate/with_invalid_name
--- PASS: TestOrganizationsUpdate/with_invalid_name (0.00s)
=== RUN   TestOrganizationsUpdate/with_agent_pool_provided,_but_remote_execution_mode
--- PASS: TestOrganizationsUpdate/with_agent_pool_provided,_but_remote_execution_mode (3.75s)
=== RUN   TestOrganizationsUpdate/when_only_updating_a_subset_of_fields
--- PASS: TestOrganizationsUpdate/when_only_updating_a_subset_of_fields (2.16s)
=== RUN   TestOrganizationsUpdate/with_different_default_execution_modes
--- PASS: TestOrganizationsUpdate/with_different_default_execution_modes (3.93s)
--- PASS: TestOrganizationsUpdate (31.59s)
PASS
ok      github.com/hashicorp/go-tfe
...

Rollback Plan

If we need to revert this change before a go-tfe release, we will.

Changes to Security Controls

no

@JarrettSpiker JarrettSpiker requested a review from a team as a code owner September 23, 2025 21:33
@JarrettSpiker JarrettSpiker marked this pull request as draft September 23, 2025 21:33
@JarrettSpiker JarrettSpiker force-pushed the jspiker/user-token-enablement branch from bf749f0 to 62ba5e8 Compare September 24, 2025 15:53
@JarrettSpiker JarrettSpiker force-pushed the jspiker/user-token-enablement branch from 62ba5e8 to 7eb9144 Compare November 25, 2025 19:11
@JarrettSpiker JarrettSpiker marked this pull request as ready for review November 25, 2025 19:13
@JarrettSpiker JarrettSpiker changed the title [DRAFT] Add UserTokensEnabled field for Organizations Add UserTokensEnabled field for Organizations Nov 25, 2025

datadog-terraform-cloud-hashicorp bot commented Nov 25, 2025

⚠️ Tests

⚠️ Warnings

❄️ 4 New flaky tests detected

TestCostEstimatesRead_RunDependent from cost_estimate_integration_test.go (Datadog)
Run "run-GYjzvycVgEgxeJW1" unexpectedly errored
TestRunsListQueryParams_RunDependent from run_integration_test.go (Datadog)
Run "run-YRbCUCqTgzy3Prbj" unexpectedly errored
TestWorkspaces_AddTags from workspace_integration_test.go (Datadog)
failed test
TestWorkspaces_AddTags/successfully_adds_tags_by_id_and_name from workspace_integration_test.go (Datadog)

	Error Trace:	/home/runner/work/go-tfe/go-tfe/workspace_integration_test.go:2919
	            				/home/runner/go/pkg/mod/github.com/!data!dog/dd-trace-go/v2@v2.4.0/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go:242
	Error:      	Not equal: 
	            	expected: "tag-NPxJdPpBesdMtg4E"
	            	actual  : "tag-JGWep3M9JNY44naa"
	            	
	            	Diff:
	            	--- Expected
	            	+++ Actual
...

ℹ️ Info

🧪 All tests passed

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 44f2192

@ctrombley ctrombley force-pushed the jspiker/user-token-enablement branch from 09dc30b to e7cf4aa Compare November 27, 2025 00:12
RemainingTestableCount int `jsonapi:"attr,remaining-testable-count"`
SpeculativePlanManagementEnabled bool `jsonapi:"attr,speculative-plan-management-enabled"`
EnforceHYOK bool `jsonapi:"attr,enforce-hyok"`
UserTokensEnabled *bool `jsonapi:"attr,user-tokens-enabled"`
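Review bot: `UserTokensEnabled *bool` is the only pointer among these fields and has no doc comment saying what nil means. Add a comment on that line stating that nil means the server did not report the attribute, so callers know to check for nil before dereferencing and do not read it as false.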
Collaborator

Why do we use a bool pointer type? false and nil are both logically equivalent, correct?

Contributor Author

Good question: it is because this setting defaults to true. Making this a bool pointer allows us to distinguish between "this is unspecified on the organization" (i.e., because it is an older version of TFE) and "this is explicitly false" (i.e., because this is an up-to-date TFE and the user has disabled the setting).

That is important because in the provider when we read an organization from an old TFE version, we don't want the value to appear as false. That could lead to the provider always showing drift for the org and/or be misleading since the behaviour of the old org is that user tokens are enabled.

Contributor Author

A similar example would be like OrganizationScoped for agent pools
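
The nil-versus-false distinction discussed in this thread, as an added example that is not part of the PR or of go-tfe. It uses `encoding/json` with `omitempty` as a stand-in for the library's jsonapi tags; the types `orgPlain` and `orgPtr` and the helpers `encode` and `effective` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical types for illustration; go-tfe itself uses jsonapi tags.
// With a plain bool, "unset" and "explicitly false" are the same value.
type orgPlain struct {
	UserTokensEnabled bool `json:"user-tokens-enabled,omitempty"`
}

// With a pointer, nil means unspecified and &false means explicitly disabled.
type orgPtr struct {
	UserTokensEnabled *bool `json:"user-tokens-enabled,omitempty"`
}

// encode returns the JSON body that would be sent for v.
func encode(v any) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// effective decodes a response body and resolves the setting, treating an
// absent attribute (older server) as the default of true stated in the PR.
func effective(body string) (enabled, specified bool, err error) {
	var o orgPtr
	if err = json.Unmarshal([]byte(body), &o); err != nil {
		return false, false, err
	}
	if o.UserTokensEnabled == nil {
		return true, false, nil
	}
	return *o.UserTokensEnabled, true, nil
}

func main() {
	off := false
	fmt.Println(encode(orgPlain{UserTokensEnabled: false})) // {} (the disable request is dropped)
	fmt.Println(encode(orgPtr{}))                           // {} (setting left untouched)
	fmt.Println(encode(orgPtr{UserTokensEnabled: &off}))    // {"user-tokens-enabled":false}
	fmt.Println(effective(`{"name":"old-org"}`))            // true false <nil>
	fmt.Println(effective(`{"user-tokens-enabled":false}`)) // false true <nil>
}
```

The first line of output is the failure mode a plain bool would introduce for a security setting: an owner's request to disable user tokens serializes to an empty body and never reaches the server.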

org, err := ownerClient.Organizations.Update(ctx, orgTest.Name, options)
require.NoError(t, err)
assert.False(t, *org.UserTokensEnabled, "user tokens disabled")
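Review bot: `*org.UserTokensEnabled` on the `assert.False` line dereferences the pointer without a nil check, so a response that omits the attribute panics the test instead of failing it with a message. Add `require.NotNil(t, org.UserTokensEnabled)` before the assertion.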

Collaborator

Consider including assertions that validate the change had the intended effect, i.e. try and look up some resources and expect an error here. (& the inverse when the setting is off)

Contributor Author

Thanks for the suggestion, I have added some more assertions!

Collaborator

@ctrombley ctrombley left a comment

Thanks @JarrettSpiker!

@emlanctot emlanctot merged commit a4aeb60 into main Dec 12, 2025
55 of 64 checks passed
@emlanctot emlanctot deleted the jspiker/user-token-enablement branch December 12, 2025 18:24
@github-actions

Reminder to the contributor that merged this PR: if your changes have added important functionality or fixed a relevant bug, open a follow-up PR to update CHANGELOG.md with a note on your changes.