Add UserTokensEnabled field for Organizations

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Unreleased
 
+## Enhancements
+* Adds `UserTokensEnabled` field to `Organization` to support enabling/disabling user tokens for an organization by @JarrettSpiker [#1225](https://github.com/hashicorp/go-tfe/pull/1225)
+
 # v1.97.0
 
 ## Enhancements

organization.go

@@ -118,6 +118,7 @@ type Organization struct {
 	RemainingTestableCount                            int                      `jsonapi:"attr,remaining-testable-count"`
 	SpeculativePlanManagementEnabled                  bool                     `jsonapi:"attr,speculative-plan-management-enabled"`
 	EnforceHYOK                                       bool                     `jsonapi:"attr,enforce-hyok"`
+	UserTokensEnabled                                 *bool                    `jsonapi:"attr,user-tokens-enabled"`
 	// Optional: If enabled, SendPassingStatusesForUntriggeredSpeculativePlans needs to be false.
 	AggregatedCommitStatusEnabled bool `jsonapi:"attr,aggregated-commit-status-enabled,omitempty"`
 	// Note: This will be false for TFE versions older than v202211, where the setting was introduced.
@@ -271,6 +272,9 @@ type OrganizationCreateOptions struct {
 
 	// Optional: RegistryMonorepoSupportEnabled toggles whether monorepo support is enabled for the organization
 	RegistryMonorepoSupportEnabled *bool `jsonapi:"attr,registry-monorepo-support-enabled,omitempty"`
+
+	// Optional: UserTokensEnabled toggles whether user tokens may be used to access resources in this organization.
+	UserTokensEnabled *bool `jsonapi:"attr,user-tokens-enabled,omitempty"`
 }
 
 // OrganizationUpdateOptions represents the options for updating an organization.
@@ -332,6 +336,9 @@ type OrganizationUpdateOptions struct {
 
 	// Optional: RegistryMonorepoSupportEnabled toggles whether monorepo support is enabled for the organization
 	RegistryMonorepoSupportEnabled *bool `jsonapi:"attr,registry-monorepo-support-enabled,omitempty"`
+
+	// Optional: UserTokensEnabled toggles whether user tokens may be used to access resources in this organization.
+	UserTokensEnabled *bool `jsonapi:"attr,user-tokens-enabled,omitempty"`
 }
 
 // ReadRunQueueOptions represents the options for showing the queue.

organization_integration_test.go

@@ -320,6 +320,64 @@ func TestOrganizationsUpdate(t *testing.T) {
 		}
 	})
 
+	t.Run("with new UserTokensEnabled option", func(t *testing.T) {
+		orgTest, orgTestCleanup := createOrganization(t, client)
+		t.Cleanup(orgTestCleanup)
+
+		assert.True(t, *orgTest.UserTokensEnabled, "user tokens enabled by default")
+
+		// we need to switch to an owner's team token, otherwise the client (which auths with a user token)
+		// wont be able to delete the org after we disable user tokens
+		teamList, err := client.Teams.List(ctx, orgTest.Name, &TeamListOptions{
+			Names: []string{"owners"},
+		})
+		require.NoError(t, err)
+
+		// it should be the only team, we just created the org...
+		require.Len(t, teamList.Items, 1)
+		ownersTeam := teamList.Items[0]
+
+		ownerToken, ownerTokenCleanup := createTeamToken(t, client, ownersTeam)
+		t.Cleanup(ownerTokenCleanup)
+
+		ownerClient := testClient(t)
+		ownerClient.token = ownerToken.Token
+
+		// disable user tokens for the organization
+		options := OrganizationUpdateOptions{
+			UserTokensEnabled: Bool(false),
+		}
+
+		org, err := ownerClient.Organizations.Update(ctx, orgTest.Name, options)
+		require.NoError(t, err)
+		assert.False(t, *org.UserTokensEnabled, "user tokens disabled")
+
+		// try reading something with the user token client and verify that it fails, where the team token client
+		// succeeds
+		_, err = client.Organizations.Read(ctx, orgTest.Name)
+		assert.Error(t, err)
+		assert.ErrorContains(t, err, "unauthorized")
+
+		org, err = ownerClient.Organizations.Read(ctx, orgTest.Name)
+		assert.NoError(t, err)
+		assert.Equal(t, orgTest.Name, org.Name)
+		assert.False(t, *org.UserTokensEnabled, "user tokens disabled")
+
+		// re-enable user tokens
+		options = OrganizationUpdateOptions{
+			UserTokensEnabled: Bool(true),
+		}
+		org, err = ownerClient.Organizations.Update(ctx, orgTest.Name, options)
+		require.NoError(t, err)
+		assert.True(t, *org.UserTokensEnabled, "user tokens re-enabled")
+
+		// try reading with the user token again and verify that it works
+		org, err = client.Organizations.Read(ctx, orgTest.Name)
+		assert.NoError(t, err)
+		assert.Equal(t, orgTest.Name, org.Name)
+		assert.True(t, *org.UserTokensEnabled, "user tokens re-enabled")
+	})
+
 	t.Run("with valid options", func(t *testing.T) {
 		orgTest, orgTestCleanup := createOrganization(t, client)