From e511e24cabb4117547737a0805c37bae088c8fbb Mon Sep 17 00:00:00 2001
From: Marc Greenstock
Date: Fri, 6 Jun 2025 16:08:57 +0200
Subject: [PATCH 1/2] Deprecated oict_token_config.enabled field
---
 docs/data-sources/project.md | 2 +-
 docs/resources/project.md | 5 +----
 vercel/data_source_project.go | 5 +++--
 vercel/resource_project.go | 9 +++++----
 4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/docs/data-sources/project.md b/docs/data-sources/project.md
index 96cd0938..1b8719c1 100644
--- a/docs/data-sources/project.md
+++ b/docs/data-sources/project.md
@@ -129,7 +129,7 @@ Optional:
 Read-Only:
-- `enabled` (Boolean) When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.
+- `enabled` (Boolean, Deprecated) When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.
diff --git a/docs/resources/project.md b/docs/resources/project.md
index 9546b27a..9eedbc8b 100644
--- a/docs/resources/project.md
+++ b/docs/resources/project.md
@@ -157,12 +157,9 @@ Read-Only:
 ### Nested Schema for `oidc_token_config`
-Required:
-
-- `enabled` (Boolean) When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.
-
 Optional:
+- `enabled` (Boolean, Deprecated) When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.
 - `issuer_mode` (String) Configures the URL of the `iss` claim. `team` = `https://oidc.vercel.com/[team_slug]` `global` = `https://oidc.vercel.com`
diff --git a/vercel/data_source_project.go b/vercel/data_source_project.go
index 1963ecaf..5c41af71 100644
--- a/vercel/data_source_project.go
+++ b/vercel/data_source_project.go
@@ -239,8 +239,9 @@ For more detailed information, please see the [Vercel documentation](https://ver
 Computed: true,
 Attributes: map[string]schema.Attribute{
 "enabled": schema.BoolAttribute{
- Description: "When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.",
- Computed: true,
+ DeprecationMessage: "This field is deprecated and will be removed in a future version.",
+ Description: "When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.",
+ Computed: true,
 },
 "issuer_mode": schema.StringAttribute{
 Description: "Configures the URL of the `iss` claim. `team` = `https://oidc.vercel.com/[team_slug]` `global` = `https://oidc.vercel.com`",
diff --git a/vercel/resource_project.go b/vercel/resource_project.go
index bbd55e52..33f028c4 100644
--- a/vercel/resource_project.go
+++ b/vercel/resource_project.go
@@ -357,8 +357,9 @@ At this time you cannot use a Vercel Project resource with in-line ` + "`environ
 Computed: true,
 Attributes: map[string]schema.Attribute{
 "enabled": schema.BoolAttribute{
- Description: "When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.",
- Required: true,
+ DeprecationMessage: "This field is deprecated and will be removed in a future version.",
+ Description: "When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.",
+ Optional: true,
 },
 "issuer_mode": schema.StringAttribute{
 Optional: true,
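Review bot: The `DeprecationMessage` added to `enabled` in vercel/data_source_project.go says the field will be removed but not what to do instead or what the effective behaviour now is; the identical text is added to the resource attribute in vercel/resource_project.go. The follow-up patch's validator message suggests the intent is that OIDC tokens are always issued, so if that holds the message could read `DeprecationMessage: "OIDC tokens are always enabled; remove references to this attribute. It will be removed in a future version.",`. Confirm the wording against the API's actual behaviour before adopting it.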
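Review bot: In vercel/resource_project.go, `enabled` becomes `Optional: true` with neither `Computed` nor a per-attribute default, so a configuration that sets `oidc_token_config` with only `issuer_mode` plans `enabled` as null. If the read/convert path, which is outside this hunk, fills the value from the API response, Terraform would report an inconsistent result after apply. Either preserve null when the config value is null, or add `Computed: true` together with `Default: booldefault.StaticBool(true),`. The enclosing schema block starts and ends outside the hunk, so the state-handling side cannot be confirmed from here.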
@@ -377,8 +378,8 @@ At this time you cannot use a Vercel Project resource with in-line ` + "`environ
 "issuer_mode": types.StringType,
 },
 map[string]attr.Value{
- "enabled": types.BoolValue(false),
- "issuer_mode": types.StringValue("global"),
+ "enabled": types.BoolValue(true),
+ "issuer_mode": types.StringValue("team"),
 },
 )),
 },
From 32ba4189d5ad906d2c8d7098ff9fa1526fd96ae6 Mon Sep 17 00:00:00 2001
From: Douglas Harcourt Parsons
Date: Mon, 9 Jun 2025 15:27:12 +0100
Subject: [PATCH 2/2] Force oidc_token values to only allow true
---
 vercel/resource_project.go | 3 +++
 vercel/resource_project_test.go | 2 +-
 vercel/validator_only_true.go | 39 +++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 vercel/validator_only_true.go
diff --git a/vercel/resource_project.go b/vercel/resource_project.go
index 33f028c4..77b93548 100644
--- a/vercel/resource_project.go
+++ b/vercel/resource_project.go
@@ -360,6 +360,9 @@ At this time you cannot use a Vercel Project resource with in-line ` + "`environ
 DeprecationMessage: "This field is deprecated and will be removed in a future version.",
 Description: "When true, Vercel issued OpenID Connect (OIDC) tokens will be available on the compute environments. See https://vercel.com/docs/security/secure-backend-access/oidc for more information.",
 Optional: true,
+ Validators: []validator.Bool{
+ onlyTrueValidator("This field is deprecated and can no longer be specified as 'false'"),
+ },
 },
 "issuer_mode": schema.StringAttribute{
 Optional: true,
diff --git a/vercel/resource_project_test.go b/vercel/resource_project_test.go
index 52e879de..8be8cfc8 100644
--- a/vercel/resource_project_test.go
+++ b/vercel/resource_project_test.go
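Review bot: The object default flips from `enabled = false`, `issuer_mode = "global"` to `enabled = true`, `issuer_mode = "team"`, yet the commit title only mentions a deprecation. For a project whose configuration omits `oidc_token_config`, the next plan would presumably turn token issuance on and move the `iss` claim from `https://oidc.vercel.com` to the team-scoped issuer. Relying parties whose federation trust policy pins the old issuer would then reject the tokens until the policy is updated. Call this out in the changelog and upgrade notes, and add a comment above the default such as `// Default mirrors the API default: OIDC enabled, team-scoped issuer.` once that has been confirmed against the API. The enclosing default expression begins outside the hunk.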
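Review bot: The attribute `Description` still reads "When true, …", which implies `false` is accepted, while the validator added here rejects it, so existing configurations with `enabled = false` will start failing validation after upgrade. Update the description to state that `true` is the only accepted value, regenerate docs/resources/project.md, and note the breaking change in the release notes. It is also worth documenting how operators who had deliberately disabled OIDC token issuance should handle that now, since the provider can no longer express it.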
@@ -95,7 +95,7 @@ func TestAcc_Project(t *testing.T) {
 "key": "bar",
 "value": "baz",
 }),
- resource.TestCheckResourceAttr("vercel_project.test", "oidc_token_config.enabled", "false"),
+ resource.TestCheckResourceAttr("vercel_project.test", "oidc_token_config.enabled", "true"),
 resource.TestCheckResourceAttr("vercel_project.test", "preview_comments", "false"),
 resource.TestCheckResourceAttr("vercel_project.test", "enable_preview_feedback", "false"),
 resource.TestCheckResourceAttr("vercel_project.test", "enable_production_feedback", "true"),
diff --git a/vercel/validator_only_true.go b/vercel/validator_only_true.go
new file mode 100644
index 00000000..904fd526
--- /dev/null
+++ b/vercel/validator_only_true.go
@@ -0,0 +1,39 @@
+package vercel
+
+import (
+ "context"
+
+ "github.com/hashicorp/terraform-plugin-framework/schema/validator"
+)
+
+var _ validator.Bool = validatorOnlyTrue{}
+
+func onlyTrueValidator(msg string) validatorOnlyTrue {
+ return validatorOnlyTrue{msg: msg}
+}
+
+type validatorOnlyTrue struct {
+ msg string
+}
+
+func (v validatorOnlyTrue) Description(ctx context.Context) string {
+ return "Value must be true"
+}
+func (v validatorOnlyTrue) MarkdownDescription(ctx context.Context) string {
+ return "Value must be true"
+}
+
+func (v validatorOnlyTrue) ValidateBool(ctx context.Context, req validator.BoolRequest, resp *validator.BoolResponse) {
+ if req.ConfigValue.IsUnknown() || req.ConfigValue.IsNull() {
+ return
+ }
+
+ if !req.ConfigValue.ValueBool() {
+ resp.Diagnostics.AddAttributeError(
+ req.Path,
+ "Invalid value provided",
+ v.msg,
+ )
+ return
+ }
+}
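Review bot: The new validator in vercel/validator_only_true.go has no direct test: the only test change in this patch flips the acceptance expectation to `true`, so nothing asserts that an explicit `false` is rejected or that null and unknown values pass through. Add a small table-driven unit test that calls `ValidateBool` with `types.BoolValue(false)`, `types.BoolValue(true)`, `types.BoolNull()` and `types.BoolUnknown()` and checks `resp.Diagnostics.HasError()` for each. The constructor and type also lack doc comments; for example `// onlyTrueValidator returns a validator.Bool that rejects an explicit false, reporting msg as the error detail.`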