fix: update default token TTL to match Rancher (#2220)

github-actions[bot] · jmeza-xyz · bigkevmcd · web-flow · commit 23d0c8523d63 · 2026-05-13T11:00:35.000-05:00
Signed-off-by: Meza &lt;meza-xyz@proton.me&gt;
Co-authored-by: Meza &lt;meza-xyz@proton.me&gt;
Co-authored-by: Kevin McDermott &lt;bigkevmcd@gmail.com&gt;
Co-authored-by: Matt Trachier &lt;matt.trachier@suse.com&gt;
diff --git a/aspell_custom.txt b/aspell_custom.txt
@@ -41,4 +41,5 @@ oidc
 eslint
 destructuring
 yaml
+ttl
 pkce
diff --git a/docs/resources/custom_user_token.md b/docs/resources/custom_user_token.md
@@ -52,7 +52,7 @@ The following arguments are supported:
 * `cluster_id` - (Optional/ForceNew) Cluster ID for scoped token (string)
 * `description` - (Optional/ForceNew) Token description (string)
 * `renew` - (Optional/ForceNew) Renew token if expired or disabled. If `true`, a terraform diff would be generated to renew the token if it's disabled or expired. If `false`, the token will not be renewed. Default `true` (bool)
-* `ttl` - (Optional/ForceNew) Token time to live in seconds. Default `0` (int) 
+* `ttl` - (Optional/ForceNew) Token time to live in seconds. Default `0` (int)
 
 From Rancher v2.4.6 `ttl` is read in minutes at Rancher API. To avoid breaking change on the provider, we still read in seconds but rounding up division if required.
 
diff --git a/docs/resources/token.md b/docs/resources/token.md
@@ -35,9 +35,11 @@ The following arguments are supported:
 * `cluster_id` - (Optional/ForceNew) Cluster ID for scoped token (string)
 * `description` - (Optional/ForceNew) Token description (string)
 * `renew` - (Optional/ForceNew) Renew token if expired or disabled. If `true`, a terraform diff would be generated to renew the token if it's disabled or expired. If `false`, the token will not be renewed. Default `true` (bool)
-* `ttl` - (Optional/ForceNew) Token time to live in seconds. Default `0` (int) 
+* `ttl` - (Optional/ForceNew) Defaults to the `auth-token-max-ttl-minutes` Rancher setting.
 
-From Rancher v2.4.6 `ttl` is readed in minutes at Rancher API. To avoid breaking change on the provider, we still read in seconds but rounding up division if required.
+From Rancher v2.4.6 `ttl` is read in minutes at Rancher API. To avoid breaking change on the provider, we still read in seconds but rounding up division if required.
+
+From Rancher v2.8.0 the Rancher API and kubeconfig tokens `ttl` is managed by Rancher setting `auth-token-max-ttl-minutes`. Tokens created before v2.8.0 are not affected.
 
 ## Attributes Reference
 
diff --git a/rancher2/schema_token.go b/rancher2/schema_token.go
@@ -6,7 +6,6 @@ import (
 
 const (
 	tokenDefaultSessionDesc = "Terraform token temp token"
-	tokenDefaultTTL         = "60000"
 )
 
 //Schemas
@@ -66,10 +65,10 @@ func tokenFields() map[string]*schema.Schema {
 		},
 		"ttl": {
 			Type:        schema.TypeInt,
+			Computed:    true,
 			Optional:    true,
 			ForceNew:    true,
-			Default:     0,
-			Description: "Token time to live in seconds",
+			Description: "Defaults to auth-token-max-ttl-minutes Rancher setting",
 		},
 		"user_id": {
 			Type:        schema.TypeString,

-Original file line number
+Diff line change
 eslint
 destructuring
 yaml
 +ttl
 pkce