Support multiple team tokens for a single team with tfe_team_token #1698

Open: wants to merge 7 commits into base: main

@mkam (Contributor) commented Apr 18, 2025

Description

This PR adds support to create multiple team tokens for a single team using tfe_team_token by adding the description attribute. If no description is provided, it follows the previous behavior of tfe_team_token, which uses the old team token API that assumes there is only one token per team.

Some other notable differences:

  • The new API for team tokens that supports multiple tokens does not support regenerating tokens with a single API request (i.e., they must be rotated via separate delete and create requests). That means force_regenerate cannot be used when description is set.
  • The ID of the resource was previously the team ID since there was only ever one token per team. For tokens without descriptions, this will continue to be the team ID to preserve backwards compatibility. For tokens with descriptions, the ID is the ID of the authentication token itself. This is distinguished by inspecting the prefix of the ID (team- vs. at-).

Also, adding support for creating multiple ephemeral team tokens is out of scope for this PR. This will be added in a separate, follow-up PR.

This feature is not GA yet, so I've labeled this PR as "do not merge" for now.

Testing plan

  1. Create a team.
  2. Create multiple tokens for the team with unique descriptions, including one without a description.
  3. Modify the description of a token and validate that the token is recreated.
  4. Import a team token by team ID and a team token by token ID.
resource "tfe_team" "this" {
  organization = data.tfe_organization.test.name
  name         = "test-team"
}

resource "time_rotating" "example" {
  rotation_days = 30
}

resource "tfe_team_token" "multi_token_1" {
  team_id     = tfe_team.this.id
  description = "test1"
}


resource "tfe_team_token" "multi_token_2" {
  team_id     = tfe_team.this.id
  description = "test2"
  expired_at  = time_rotating.example.rotation_rfc3339
}


resource "tfe_team_token" "legacy" {
  team_id     = tfe_team.this.id
}

terraform import tfe_team_token.import_by_team_id team-1234
terraform import tfe_team_token.import_by_token_id at-1234

resource "tfe_team_token" "import_by_team_id" {
  team_id = "team-1234"
  expired_at = time_rotating.example.rotation_rfc3339
}

resource "tfe_team_token" "import_by_token_id" {
  team_id = "team-1234"
  description = "test-updated"
}

Output from acceptance tests

Test results with beta enabled
-> % ENABLE_BETA=1 go test ./... -v -run "TestAccTFETeamToken"
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
=== RUN   TestAccTFETeamToken_basic
--- PASS: TestAccTFETeamToken_basic (5.95s)
=== RUN   TestAccTFETeamToken_multiple_team_tokens
--- PASS: TestAccTFETeamToken_multiple_team_tokens (7.97s)
=== RUN   TestAccTFETeamToken_existsWithoutForce
--- PASS: TestAccTFETeamToken_existsWithoutForce (6.32s)
=== RUN   TestAccTFETeamToken_existsWithForce
--- PASS: TestAccTFETeamToken_existsWithForce (8.84s)
=== RUN   TestAccTFETeamToken_invalidWithForceGenerateAndDescription
--- PASS: TestAccTFETeamToken_invalidWithForceGenerateAndDescription (0.36s)
=== RUN   TestAccTFETeamToken_withBlankExpiry
--- PASS: TestAccTFETeamToken_withBlankExpiry (4.95s)
=== RUN   TestAccTFETeamToken_withValidExpiry
--- PASS: TestAccTFETeamToken_withValidExpiry (5.37s)
=== RUN   TestAccTFETeamToken_withInvalidExpiry
--- PASS: TestAccTFETeamToken_withInvalidExpiry (3.01s)
=== RUN   TestAccTFETeamToken_import
--- PASS: TestAccTFETeamToken_import (7.04s)
=== RUN   TestAccTFETeamToken_importByTokenID
--- PASS: TestAccTFETeamToken_importByTokenID (9.84s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	60.387s
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/validators	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/version	[no test files]

Output from documentation preview

Docs changes

[Three screenshots of the documentation preview]
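
The rules from the description above, written out in Go: the ID prefix (team- vs. at-) tells the two kinds of token apart, and force_regenerate is rejected once description is set. This is an added example, not code from this PR or the provider; `TokenConfig`, `APIForID` and `APIForConfig` are hypothetical names, and treating only a nil description as "not set" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Which team token API a resource instance is bound to (illustrative names).
const (
	LegacyAPI = "legacy-single-token" // resource ID is the team ID
	MultiAPI  = "multi-token"         // resource ID is the token's own ID
)

// TokenConfig is a hypothetical stand-in for the tfe_team_token arguments.
type TokenConfig struct {
	Description     *string // nil = not set (assumption: only nil selects the legacy path)
	ForceRegenerate bool
}

// APIForID picks the API from the resource ID prefix: team- vs. at-.
func APIForID(id string) (string, error) {
	switch {
	case strings.HasPrefix(id, "team-") && len(id) > len("team-"):
		return LegacyAPI, nil
	case strings.HasPrefix(id, "at-") && len(id) > len("at-"):
		return MultiAPI, nil
	}
	return "", fmt.Errorf("unrecognized team token ID %q: want team-* or at-*", id)
}

// APIForConfig applies the description rules to a planned configuration.
func APIForConfig(c TokenConfig) (string, error) {
	if c.Description == nil {
		return LegacyAPI, nil
	}
	if c.ForceRegenerate {
		return "", errors.New("force_regenerate cannot be used when description is set")
	}
	return MultiAPI, nil
}

func main() {
	desc := "test1" // constructed sample values
	for _, id := range []string{"team-1234", "at-1234", "ot-1234"} {
		api, err := APIForID(id)
		fmt.Println(id, api, err)
	}
	fmt.Println(APIForConfig(TokenConfig{Description: &desc, ForceRegenerate: true}))
}
```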

@mkam mkam changed the title Mkam/tf 24515/multiple team tokens Support multiple team tokens Apr 18, 2025
@mkam mkam changed the title Support multiple team tokens Support multiple team tokens for a single team with tfe_team_token Apr 18, 2025
@mkam mkam force-pushed the mkam/TF-24515/multiple-team-tokens branch 2 times, most recently from e2bb093 to ccfd721 Compare April 21, 2025 16:52
@mkam mkam requested review from a team, tylerwolf and juliannatetreault April 21, 2025 19:24
@mkam mkam marked this pull request as ready for review April 21, 2025 19:24
@mkam mkam requested a review from a team as a code owner April 21, 2025 19:24
@mkam mkam force-pushed the mkam/TF-24515/multiple-team-tokens branch 2 times, most recently from 30d2ada to 00d0b73 Compare April 22, 2025 15:53
mkam added 6 commits April 24, 2025 13:39
By setting the description, this allows for creation of multiple team tokens.
Previously, when a team only had a single token, it was sufficient to have
the ID of the token be set to the team ID. Now that we support multiple
team tokens, we should use the token ID instead. We will continue to
use the team ID for descriptionless tokens so that it is backwards
compatible, though.
@mkam mkam force-pushed the mkam/TF-24515/multiple-team-tokens branch from 00d0b73 to bdc8aec Compare April 24, 2025 18:40
go.mod Outdated
@@ -14,7 +14,7 @@ require (
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-slug v0.16.5
github.com/hashicorp/go-tfe v1.78.0
github.com/hashicorp/go-tfe v1.78.1-0.20250418170002-da71abb96c5a
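
Review bot: the go-tfe requirement in this hunk is pinned to a pseudo-version (v1.78.1-0.20250418170002-da71abb96c5a), which points at an untagged commit rather than a release. Before this merges, move it to a tagged go-tfe release that contains the needed change and regenerate go.sum, so the provider is not released against a pre-release commit.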
Collaborator:

I assume this is just to get nil Description support?

Contributor Author:

Yes, that's correct!

@brandonc (Collaborator) left a comment

I think this is looking and behaving very well. I smoke-tested import and different combinations of adding/removing descriptions and force_regenerate. It works as documented.

When does your feature reach GA? That would probably be the time to merge this PR.

@mkam (Contributor Author) commented Apr 24, 2025

@brandonc Thanks for taking a look! The plan is to GA for HCP Terraform this upcoming Monday, and then hopefully have it included in the next TFE release (v202505-1).

@mkam mkam requested a review from brandonc May 7, 2025 22:03
@mkam mkam removed the DO NOT MERGE label May 8, 2025