Merge pull request #1976 from hashicorp/WarningWithExpiredAtNull

Add warning when expired_at attribute is null

Author: sana-faraz

CHANGELOG.md

@@ -1,4 +1,6 @@
 ## Unreleased
+FEATURES:
+* Adds a warning message to `r/tfe_team_token`, `r/tfe_organization_token` and `r/tfe_audit_trail_token` resources to indicate that if no `expired_at` attribute is set, the token will expire in 2 years. By @sana-faraz [#1976](https://github.com/hashicorp/terraform-provider-tfe/pull/1976)
 
 FEATURES:
 * Adds `tfe_query_run` action, allowing users to invoke remote Terraform queries on HCP Terraform and Terraform Enterprise, by @sebasslash [#1982](https://github.com/hashicorp/terraform-provider-tfe/pull/1982)

internal/provider/planmodifiers/warn_if_null_on_create.go

@@ -0,0 +1,37 @@
+// Copyright IBM Corp. 2018, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package planmodifiers
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+)
+
+type warnIfNullOnCreateModifier struct {
+	message string
+}
+
+func (m warnIfNullOnCreateModifier) Description(ctx context.Context) string {
+	return "Warning that the attribute value is null during resource creation"
+}
+
+func (m warnIfNullOnCreateModifier) MarkdownDescription(ctx context.Context) string {
+	return m.Description(ctx)
+}
+
+func (m warnIfNullOnCreateModifier) PlanModifyString(ctx context.Context, req planmodifier.StringRequest, resp *planmodifier.StringResponse) {
+	if req.State.Raw.IsNull() && req.ConfigValue.IsNull() {
+		resp.Diagnostics.AddWarning(
+			m.message,
+			"",
+		)
+	}
+}
+
+func WarnIfNullOnCreate(message string) planmodifier.String {
+	return warnIfNullOnCreateModifier{
+		message: message,
+	}
+}

internal/provider/resource_tfe_audit_trail_token.go

@@ -21,6 +21,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 )
 
 type resourceAuditTrailToken struct {
@@ -99,8 +100,13 @@ func (r *resourceAuditTrailToken) Schema(ctx context.Context, req resource.Schem
 				Description: "The time when the audit trail token will expire. This must be a valid ISO8601 timestamp.",
 				CustomType:  timetypes.RFC3339Type{},
 				Optional:    true,
+				Computed:    true,
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
+					stringplanmodifier.UseStateForUnknown(),
+					planmodifiers.WarnIfNullOnCreate(
+						"Audit Trail Token expiration null values defaults to 24 months",
+					),
 				},
 			},
 			"organization": schema.StringAttribute{

internal/provider/resource_tfe_audit_trail_token_test.go

@@ -163,6 +163,37 @@ func TestAccTFEAuditTrailToken_withInvalidExpiry(t *testing.T) {
 	})
 }
 
+func TestAccTFEAuditTrailToken_withBlankExpiry(t *testing.T) {
+	skipUnlessBeta(t)
+	token := &tfe.OrganizationToken{}
+
+	tfeClient, err := getClientUsingEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+	org, orgCleanup := createBusinessOrganization(t, tfeClient)
+	t.Cleanup(orgCleanup)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccMuxedProviders,
+		CheckDestroy:             testAccCheckTFEAuditTrailTokenDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccTFEAuditTrailToken_withBlankExpiry(org.Name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckTFEAuditTrailTokenExists(
+						"tfe_audit_trail_token.foobar", token),
+					resource.TestCheckResourceAttr(
+						"tfe_audit_trail_token.foobar", "organization", org.Name),
+					resource.TestCheckResourceAttrSet(
+						"tfe_audit_trail_token.foobar", "expired_at"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccTFEAuditTrailToken_import(t *testing.T) {
 	tfeClient, err := getClientUsingEnv()
 	if err != nil {
@@ -281,7 +312,6 @@ func testAccTFEAuditTrailToken_withBlankExpiry(orgName string) string {
 	return fmt.Sprintf(`
 resource "tfe_audit_trail_token" "foobar" {
   organization = "%s"
-  expired_at = ""
 }`, orgName)
 }
 

internal/provider/resource_tfe_organization_token.go

@@ -53,6 +53,7 @@ func resourceTFEOrganizationToken() *schema.Resource {
 			"expired_at": {
 				Type:     schema.TypeString,
 				Optional: true,
+				Computed: true,
 				ForceNew: true,
 			},
 		},
@@ -68,6 +69,11 @@ func resourceTFEOrganizationTokenCreate(d *schema.ResourceData, meta interface{}
 		return err
 	}
 
+	// Issue warning if expired_at is not provided
+	if _, ok := d.GetOk("expired_at"); !ok {
+		log.Printf("[WARN] The 'expired_at' attribute is not set for organization token. The token will default to an expiration of 24 months from creation.")
+	}
+
 	log.Printf("[DEBUG] Check if a token already exists for organization: %s", organization)
 	_, err = config.Client.OrganizationTokens.Read(ctx, organization)
 	if err != nil && !errors.Is(err, tfe.ErrResourceNotFound) {
@@ -110,7 +116,9 @@ func resourceTFEOrganizationTokenCreate(d *schema.ResourceData, meta interface{}
 	// We need to set this here in the create function as this value will
 	// only be returned once during the creation of the token.
 	d.Set("token", token.Token)
-
+	if !token.ExpiredAt.IsZero() {
+		d.Set("expired_at", token.ExpiredAt.Format(time.RFC3339))
+	}
 	return resourceTFEOrganizationTokenRead(d, meta)
 }
 

internal/provider/resource_tfe_organization_token_test.go

@@ -100,9 +100,9 @@ func TestAccTFEOrganizationToken_existsWithForce(t *testing.T) {
 }
 
 func TestAccTFEOrganizationToken_withBlankExpiry(t *testing.T) {
+	skipUnlessBeta(t)
 	token := &tfe.OrganizationToken{}
 	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
-	expiredAt := ""
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
@@ -114,8 +114,9 @@ func TestAccTFEOrganizationToken_withBlankExpiry(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckTFEOrganizationTokenExists(
 						"tfe_organization_token.foobar", token),
-					resource.TestCheckResourceAttr(
-						"tfe_organization_token.foobar", "expired_at", expiredAt),
+					// When expired_at is not provided, API sets default (24 months and its value is read from the API response
+					resource.TestCheckResourceAttrSet(
+						"tfe_organization_token.foobar", "expired_at"),
 				),
 			},
 		},
@@ -288,7 +289,7 @@ resource "tfe_organization" "foobar" {
 
 resource "tfe_organization_token" "foobar" {
   organization = tfe_organization.foobar.id
-  expired_at = ""
+  # expired_at not provided - API will set default to 24 months
 }`, rInt)
 }
 

internal/provider/resource_tfe_team_token.go

@@ -23,6 +23,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers"
 )
 
 var (
@@ -101,8 +102,13 @@ func (r *resourceTFETeamToken) Schema(_ context.Context, _ resource.SchemaReques
 			"expired_at": schema.StringAttribute{
 				Description: "The token's expiration date.",
 				Optional:    true,
+				Computed:    true,
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
+					stringplanmodifier.UseStateForUnknown(),
+					planmodifiers.WarnIfNullOnCreate(
+						"Team Token expiration null values defaults to 24 months",
+					),
 				},
 			},
 			"description": schema.StringAttribute{
@@ -182,7 +188,14 @@ func (r *resourceTFETeamToken) Create(ctx context.Context, req resource.CreateRe
 		return
 	}
 
-	result := modelFromTFEToken(plan.TeamID, types.StringValue(token.ID), types.StringValue(token.Token), plan.ForceRegenerate, plan.ExpiredAt, plan.Description)
+	var expiredAtValue types.String
+	if !token.ExpiredAt.IsZero() {
+		expiredAtValue = types.StringValue(token.ExpiredAt.Format(time.RFC3339))
+	} else {
+		expiredAtValue = types.StringNull()
+	}
+
+	result := modelFromTFEToken(plan.TeamID, types.StringValue(token.ID), types.StringValue(token.Token), plan.ForceRegenerate, expiredAtValue, plan.Description)
 	resp.Diagnostics.Append(resp.State.Set(ctx, result)...)
 }
 

internal/provider/resource_tfe_team_token_test.go

@@ -131,9 +131,9 @@ func TestAccTFETeamToken_invalidWithForceGenerateAndDescription(t *testing.T) {
 }
 
 func TestAccTFETeamToken_withBlankExpiry(t *testing.T) {
+	skipUnlessBeta(t)
 	token := &tfe.TeamToken{}
 	rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()
-	expiredAt := ""
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
@@ -145,8 +145,10 @@ func TestAccTFETeamToken_withBlankExpiry(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckTFETeamTokenExists(
 						"tfe_team_token.foobar", token),
-					resource.TestCheckResourceAttr(
-						"tfe_team_token.foobar", "expired_at", expiredAt),
+					// When expired_at is not provided, API sets default (24 months)
+					// We now read this value from the API response
+					resource.TestCheckResourceAttrSet(
+						"tfe_team_token.foobar", "expired_at"),
 				),
 			},
 		},
@@ -403,7 +405,7 @@ resource "tfe_team" "foobar" {
 
 resource "tfe_team_token" "foobar" {
   team_id = tfe_team.foobar.id
-  expired_at = ""
+  # expired_at not provided - API will set default to 24 months
 }`, rInt)
 }
 

website/docs/r/audit_trail_token.html.markdown

@@ -30,8 +30,7 @@ The following arguments are supported:
   generated even if a token already exists. This will invalidate the existing
   token!
 * `expired_at` - (Optional) The token's expiration date. The expiration date must be a date/time string in RFC3339
-format (e.g., "2024-12-31T23:59:59Z"). If no expiration date is supplied, the expiration date will default to null and
-never expire.
+format (e.g., "2024-12-31T23:59:59Z"). If no expiration date is supplied, the token will expire 24 months from creation and a warning during plan and apply phases will be displayed.
 
 ## Example Usage
 

website/docs/r/organization_token.html.markdown

@@ -28,9 +28,8 @@ The following arguments are supported:
 * `force_regenerate` - (Optional) If set to `true`, a new token will be
   generated even if a token already exists. This will invalidate the existing
   token!
-* `expired_at` - (Optional) The token's expiration date. The expiration date must be a date/time string in RFC3339 
-format (e.g., "2024-12-31T23:59:59Z"). If no expiration date is supplied, the expiration date will default to null and 
-never expire.
+* `expired_at` - (Optional) The token's expiration date. The expiration date must be a date/time string in RFC3339
+format (e.g., "2024-12-31T23:59:59Z"). If no expiration date is supplied, the token will expire 24 months from creation.
 
 ## Example Usage