New resource 'tfe_org_max_token_ttl_policy' to create/update token time to live#1996

Open
sana-faraz wants to merge 10 commits into main from MaxTTLPhase2

@sana-faraz sana-faraz commented Mar 11, 2026

Description

'tfe_org_max_token_ttl_policy' manages the maximum time-to-live (TTL) policy for API tokens in an organization. When enabled, this policy enforces maximum lifespans for organization, team, audit trail, and user tokens. Any tokens that exceed the configured limits will be revoked. If disabled, the TTL defaults to 2 years.

Testing plan

  1. Define new TTL Token Policy to an existing org

```hcl
resource "tfe_organization" "new_org" {
  name            = "sanaOrg1"
  email           = "admin@company.com"
  max_ttl_enabled = true
}

resource "tfe_org_max_token_ttl_policy" "token_ttl_policy" {
  organization       = tfe_organization.new_org.name
  org_token_max_ttl  = "2h"
  user_token_max_ttl = "5y"
  team_token_max_ttl = "10w"
}
```

  • organization - (Optional) Name of the organization. If omitted, organization must be defined in the provider config.
  • org_token_max_ttl - (Optional) Maximum lifespan allowed for organization tokens to access the organization's resources. Defaults to two years (2y). Format: <number><unit> where unit is h (hours), d (days), w (weeks), mo (months), or y (years). Example: 1h (1 hour)
  • team_token_max_ttl - (Optional) Maximum lifespan allowed for team tokens to access the organization's resources. Defaults to two years (2y). Format: <number><unit> where unit is h (hours), d (days), w (weeks), mo (months), or y (years). Example: 1d (1 day)
  • audit_trail_token_max_ttl - (Optional) Maximum lifespan allowed for audit trail tokens to access the organization's resources. Defaults to two years (2y). Format: <number><unit> where unit is h (hours), d (days), w (weeks), mo (months), or y (years). Example: 1w (1 week)
  • user_token_max_ttl - (Optional) Maximum lifespan allowed for user tokens to access the organization's resources. Defaults to two years (2y). Format: <number><unit> where unit is h (hours), d (days), w (weeks), mo (months), or y (years). Example: 1mo (1 month)

    **Decimal values are also accepted: 0.5h is half an hour.**

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # tfe_org_max_token_ttl_policy.token_ttl_policy will be created
  + resource "tfe_org_max_token_ttl_policy" "token_ttl_policy" {
      + audit_trail_token_max_ttl    = "2y"
      + audit_trail_token_max_ttl_ms = (known after apply)
      + id                           = (known after apply)
      + org_token_max_ttl            = "2h"
      + org_token_max_ttl_ms         = (known after apply)
      + organization                 = "sanaOrg1"
      + team_token_max_ttl           = "10w"
      + team_token_max_ttl_ms        = (known after apply)
      + user_token_max_ttl           = "5y"
      + user_token_max_ttl_ms        = (known after apply)
    }

  # tfe_organization.new_org will be created
  + resource "tfe_organization" "new_org" {
      + aggregated_commit_status_enabled                        = (known after apply)
      + allow_force_delete_workspaces                           = false
      + collaborator_auth_policy                                = "password"
      + cost_estimation_enabled                                 = (known after apply)
      + default_project_id                                      = (known after apply)
      + email                                                   = "admin@company.com"
      + enforce_hyok                                            = false
      + id                                                      = (known after apply)
      + max_ttl_enabled                                         = true
      + name                                                    = "sanaOrg1"
      + send_passing_statuses_for_untriggered_speculative_plans = (known after apply)
      + speculative_plan_management_enabled                     = true
      + user_tokens_enabled                                     = true
    }

Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_organization.new_org: Creating...
tfe_organization.new_org: Creation complete after 0s [id=sanaOrg2]
tfe_org_max_token_ttl_policy.token_ttl_policy: Creating...
tfe_org_max_token_ttl_policy.token_ttl_policy: Creation complete after 0s [id=sanaOrg1]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Outputs:

token_ttl_policies1 = {
  "audit_trail_token_max_ttl_ms" = 2592000000
  "org_token_max_ttl_ms" = 1800000
  "organization" = "hashicorp"
  "team_token_max_ttl_ms" = 604800000
  "user_token_max_ttl_ms" = 86400000
}

  2. Disable TTL policy

```hcl
resource "tfe_organization" "new_org" {
  name            = "sanaOrg1"
  email           = "admin@company.com"
  max_ttl_enabled = false
}
```

  3. Data source to retrieve information about an organization's maximum time-to-live (TTL) policy for API tokens. This policy defines the maximum lifespan for organization, team, audit trail, and user tokens.

```hcl
data "tfe_org_max_token_ttl_policy" "token_ttl_policy1" {
  organization = data.tfe_organization.org.name
}

output "token_ttl_policies1" {
  value = data.tfe_org_max_token_ttl_policy.token_ttl_policy1
}
```

Limitation

  • If more than 1 TTL policy is created/updated, it will be a race condition and the one executed last will be applied.

Output from tests

sanafaraz@Sanas-MacBook-Pro terraform-provider-tfe % TF_ACC=1 go test -v ./internal/provider -run TestAccTFEOrganizationDataSource_maxTTLEnabled
=== RUN   TestAccTFEOrganizationDataSource_maxTTLEnabled
--- PASS: TestAccTFEOrganizationDataSource_maxTTLEnabled (3.87s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	3.983s
sanafaraz@Sanas-MacBook-Pro terraform-provider-tfe % TF_ACC=1 ENABLE_BETA=1 go test -v ./internal/provider -run TestAccTFEOrganization_maxTTLEnabled
=== RUN   TestAccTFEOrganization_maxTTLEnabled
--- PASS: TestAccTFEOrganization_maxTTLEnabled (2.90s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	3.854s
sanafaraz@Sanas-MacBook-Pro terraform-provider-tfe % TF_ACC=1 ENABLE_BETA=1 go test -v ./internal/provider -run TestAccTFEOrgMaxTokenTTLPolicy
=== RUN   TestAccTFEOrgMaxTokenTTLPolicyDataSource_basic
--- PASS: TestAccTFEOrgMaxTokenTTLPolicyDataSource_basic (1.62s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicyDataSource_withResource
--- PASS: TestAccTFEOrgMaxTokenTTLPolicyDataSource_withResource (1.92s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicy_basic
--- PASS: TestAccTFEOrgMaxTokenTTLPolicy_basic (1.58s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicy_update
--- PASS: TestAccTFEOrgMaxTokenTTLPolicy_update (2.55s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicy_disabled
--- PASS: TestAccTFEOrgMaxTokenTTLPolicy_disabled (1.44s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicy_import
--- PASS: TestAccTFEOrgMaxTokenTTLPolicy_import (1.94s)
=== RUN   TestAccTFEOrgMaxTokenTTLPolicy_defaultOrg
--- PASS: TestAccTFEOrgMaxTokenTTLPolicy_defaultOrg (1.12s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	12.267s
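
The TTL format and the `*_ms` attributes described in this PR, as an added Go sketch that is not the provider's own code: it parses `<number><unit>` strings to milliseconds and lists the policy fields set above a review ceiling. The 30-day month, 365-day year, rejection of zero, and the names `ParseTTLMs` and `ExceedsCeiling` are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
	"strconv"
)

// Milliseconds per unit; the 30-day month and 365-day year are assumptions.
var unitMs = map[string]float64{"h": 3600e3, "d": 86400e3, "w": 7 * 86400e3, "mo": 30 * 86400e3, "y": 365 * 86400e3}
// <number><unit> with optional decimals, units as listed in the description.
var ttlRe = regexp.MustCompile(`^(\d+(?:\.\d+)?)(h|d|w|mo|y)$`)

// ParseTTLMs converts a TTL such as "0.5h" or "10w" to milliseconds.
func ParseTTLMs(s string) (int64, error) {
	m := ttlRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("invalid TTL %q: want <number><unit>", s)
	}
	n, err := strconv.ParseFloat(m[1], 64)
	ms := n * unitMs[m[2]]
	if err != nil || ms <= 0 || ms >= math.MaxInt64 { // zero rejected by choice
		return 0, fmt.Errorf("invalid TTL %q: out of range", s)
	}
	return int64(math.Round(ms)), nil
}

// ExceedsCeiling lists (sorted) the fields whose TTL is longer than limitMs.
func ExceedsCeiling(policy map[string]string, limitMs int64) ([]string, error) {
	var over []string
	for field, ttl := range policy {
		ms, err := ParseTTLMs(ttl)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		if ms > limitMs {
			over = append(over, field)
		}
	}
	sort.Strings(over)
	return over, nil
}

func main() {
	limit, _ := ParseTTLMs("2y") // default stated in the PR description
	p := map[string]string{"org_token_max_ttl": "2h", "user_token_max_ttl": "5y", "team_token_max_ttl": "10w"}
	fmt.Println(ExceedsCeiling(p, limit))
}
```

Run against the testing-plan values, the check reports only `user_token_max_ttl` ("5y") as longer than the 2y default.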

@sana-faraz sana-faraz changed the title from "New Resource for maxTTL" to "New resource 'tfe_org_max_token_ttl_policy' to create/update token time to live" Mar 23, 2026
@sana-faraz sana-faraz marked this pull request as ready for review March 23, 2026 10:06
@sana-faraz sana-faraz requested a review from a team as a code owner March 23, 2026 10:06
@sana-faraz sana-faraz requested a review from debrin-hc March 23, 2026 10:08
Copilot AI left a comment

Pull request overview

Adds support in the Terraform TFE provider for managing and reading an organization’s maximum API token time-to-live (TTL) policy via a new resource and data source.

Changes:

  • Introduces tfe_org_max_token_ttl_policy resource with TTL validation/conversion and CRUD operations backed by the TFE API.
  • Introduces tfe_org_max_token_ttl_policy data source returning TTL limits in milliseconds.
  • Adds acceptance tests and new documentation pages for both resource and data source.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| internal/provider/resource_tfe_org_max_token_ttl_policy.go | Implements the new org max token TTL policy resource (schema, plan logic, CRUD, TTL parsing). |
| internal/provider/data_source_tfe_org_max_token_ttl_policy.go | Implements the new org max token TTL policy data source returning TTLs in milliseconds. |
| internal/provider/provider_next.go | Registers the new resource and data source with the framework provider. |
| internal/provider/resource_tfe_org_max_token_ttl_policy_test.go | Adds acceptance tests for the new resource. |
| internal/provider/data_source_tfe_org_max_token_ttl_policy_test.go | Adds acceptance tests for the new data source. |
| website/docs/r/org_max_token_ttl_policy.html.markdown | Adds resource documentation and examples. |
| website/docs/d/org_max_token_ttl_policy.html.markdown | Adds data source documentation and examples. |

@sana-faraz sana-faraz requested a review from debrin-hc March 27, 2026 13:01