From 47dedfa3537a8233e7f3573b7f5974f5fcaf2042 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Fri, 17 Oct 2025 14:29:23 +0200 Subject: [PATCH 01/14] allow mig tests in SA --- .github/workflows/acceptance-tests-runner.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index a119c30c24..f25b0697ad 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml @@ -211,9 +211,8 @@ env: TF_LOG: ${{ vars.LOG_LEVEL }} ACCTEST_TIMEOUT: ${{ vars.ACCTEST_TIMEOUT }} # If the name (regex) of the test is set, only that test is run. - # Don't run migration tests if using Service Accounts because previous provider versions don't support SA yet. # Only Migration tests are run when a specific previous provider version is set. - ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.use_sa && '^TestAcc' || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} + ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_REALM_BASE_URL: ${{ inputs.mongodb_realm_base_url }} MONGODB_ATLAS_ORG_ID: ${{ inputs.mongodb_atlas_org_id }} @@ -427,7 +426,7 @@ jobs: advanced_cluster_tpf_mig_from_sdkv2: needs: [ change-detection, get-provider-version ] - # Previous advanced_cluster versions don't support SA. + # advanced_cluster v1.x versions don't support SA. if: ${{ inputs.reduced_tests == false && inputs.use_sa == false && (needs.change-detection.outputs.advanced_cluster == 'true' || inputs.test_group == 'advanced_cluster') }} runs-on: ubuntu-latest permissions: {} 
@@ -453,7 +452,7 @@ jobs: advanced_cluster_tpf_mig_from_tpf_preview: needs: [ change-detection, get-provider-version ] - # Previous advanced_cluster versions don't support SA. + # advanced_cluster v1.x versions don't support SA. if: ${{ inputs.reduced_tests == false && inputs.use_sa == false && (needs.change-detection.outputs.advanced_cluster == 'true' || inputs.test_group == 'advanced_cluster') }} runs-on: ubuntu-latest permissions: {} @@ -601,7 +600,6 @@ jobs: MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }} - ACCTEST_REGEX_RUN: '^TestAcc' # Don't run migration tests because previous provider versions don't support SA. ACCTEST_PACKAGES: | ./internal/service/alertconfiguration ./internal/service/databaseuser From 3e8c0dec1f86bbc4d86dd975d43a8098f69afc58 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Thu, 23 Oct 2025 02:36:21 +0200 Subject: [PATCH 02/14] no need for smoke tests anymore --- .github/workflows/acceptance-tests-runner.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index 8f36a71527..a32ebddfbc 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml 
@@ -593,18 +593,6 @@ jobs: ACCTEST_REGEX_RUN: '^TestAccAccessToken' ACCTEST_PACKAGES: ./internal/provider run: make testacc - - name: Acceptance Tests (Service Account smoke tests) # small selection of fast tests to run with SA - env: - MONGODB_ATLAS_PUBLIC_KEY: "" - MONGODB_ATLAS_PRIVATE_KEY: "" - MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} - MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} - MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }} - ACCTEST_PACKAGES: | - ./internal/service/alertconfiguration - ./internal/service/databaseuser - ./internal/service/maintenancewindow - run: make testacc autogen_fast: needs: [change-detection, get-provider-version] From c2f065f8147ee9ac668bfd7276eec5c972166117 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Thu, 23 Oct 2025 02:48:33 +0200 Subject: [PATCH 03/14] don't run mig tests --- .github/workflows/acceptance-tests-runner.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index a32ebddfbc..c26ce97c0b 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml 
@@ -212,7 +212,9 @@ env: ACCTEST_TIMEOUT: ${{ vars.ACCTEST_TIMEOUT }} # If the name (regex) of the test is set, only that test is run. # Only Migration tests are run when a specific previous provider version is set. - ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} + # Don't run migration tests if using Service Account because each migration test creates a new SA token in the test first step. + # The previous provider runs externally (equivalent to running a Terraform command), causing token creation limit issues. + ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.use_sa && '^TestAcc' || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_REALM_BASE_URL: ${{ inputs.mongodb_realm_base_url }} MONGODB_ATLAS_ORG_ID: ${{ inputs.mongodb_atlas_org_id }} From d2eeefa4fca778cbc6f9ad9c53bb704343e8c785 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Tue, 28 Oct 2025 21:08:53 +0100 Subject: [PATCH 04/14] leftover --- .github/workflows/acceptance-tests-runner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index a7b2b77add..78e5625fd7 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml 
@@ -214,7 +214,7 @@ env: # If the name (regex) of the test is set, only that test is run. # Only Migration tests are run when a specific previous provider version is set. # Don't run migration tests if using Service Account because each migration test creates a new SA token in the test first step. - # The previous provider runs externally (equivalent to running a Terraform command), causing token creation limit issues. ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.use_sa == true && '^TestAcc' || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} + # The previous provider runs externally (equivalent to running a Terraform command), causing token creation limit issues. MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_REALM_BASE_URL: ${{ inputs.mongodb_realm_base_url }} MONGODB_ATLAS_ORG_ID: ${{ inputs.mongodb_atlas_org_id }} From ecae999244f71499cea6e6b34e3e3caa566849b7 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 07:10:26 +0100 Subject: [PATCH 05/14] move logic to Go script --- .github/workflows/acceptance-tests-runner.yml | 16 +-------- tools/generate-oauth2-token/main.go | 35 ++++++++++++++++++- 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index 78e5625fd7..0ea22af234 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml 
@@ -565,25 +565,11 @@ jobs: run: make testacc - name: Generate OAuth2 Token id: generate-token - shell: bash env: MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} - run: | - if ! ACCESS_TOKEN=$(make generate-oauth2-token); then - echo "Error: Failed to generate access token" - exit 1 - fi - if [ -z "$ACCESS_TOKEN" ]; then - echo "Error: Generated access token is empty" - exit 1 - fi - { - echo "access_token<> "$GITHUB_OUTPUT" + run: make generate-oauth2-token - name: Acceptance Tests (Access Token) env: MONGODB_ATLAS_PUBLIC_KEY: "" diff --git a/tools/generate-oauth2-token/main.go b/tools/generate-oauth2-token/main.go index 6410b23a97..9ae3a1d04d 100644 --- a/tools/generate-oauth2-token/main.go +++ b/tools/generate-oauth2-token/main.go 
@@ -24,5 +24,38 @@ func main() { fmt.Fprintf(os.Stderr, "Failed to generate OAuth2 token: %v\n", err) os.Exit(1) } - fmt.Print(token.AccessToken) + + accessToken := token.AccessToken + if accessToken == "" { + fmt.Fprintln(os.Stderr, "Error: Generated access token is empty") + os.Exit(1) + } + + if err := outputToken(accessToken); err != nil { + fmt.Fprintf(os.Stderr, "%v\n", err) + os.Exit(1) + } +} + +func outputToken(accessToken string) error { + // Check if running in GitHub Actions + if githubOutput := os.Getenv("GITHUB_OUTPUT"); githubOutput != "" { + return writeGitHubOutput(githubOutput, accessToken) + } + // Local usage: just print the token + fmt.Print(accessToken) + return nil +} + +func writeGitHubOutput(githubOutput, accessToken string) error { + file, err := os.OpenFile(githubOutput, os.O_APPEND|os.O_WRONLY, 0o644) + if err != nil { + return fmt.Errorf("failed to open GITHUB_OUTPUT file: %w", err) + } + defer file.Close() + + if _, err := fmt.Fprintf(file, "access_token< Date: Wed, 29 Oct 2025 07:31:11 +0100 Subject: [PATCH 06/14] TEMPORARY: trigger tests --- internal/config/service_account.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/config/service_account.go b/internal/config/service_account.go index 49c0693009..0479ee7f2a 100644 --- a/internal/config/service_account.go +++ b/internal/config/service_account.go @@ -13,6 +13,8 @@ import ( "golang.org/x/oauth2" ) +// TODO: TEMPORARY, DONT MERGE + // Renew token if it expires within 10 minutes to avoid authentication errors during Atlas API calls. const saTokenExpiryBuffer = 10 * time.Minute From 243cacbafaf055ae3e03de982c093f0672fcfb68 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 07:39:16 +0100 Subject: [PATCH 07/14] TEMPORARY: don't wait to run acc tests --- .github/workflows/code-health.yml | 1 - 1 file changed, 1 deletion(-) 
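Review bot: writeGitHubOutput appends the raw access token to GITHUB_OUTPUT without registering it as a secret, so step outputs are not masked and any later step that interpolates `steps.generate-token.outputs.access_token` into a `run:` line will print it in the job log when the runner echoes the expanded script. Emit the mask before writing the output, e.g. `fmt.Printf("::add-mask::%s\n", accessToken)` as the first statement of writeGitHubOutput, and keep that in the copy of this function that moves to tools/access-token/main.go later in this series. `defer file.Close()` also discards the close error on an append write, so a short write to GITHUB_OUTPUT would go unnoticed; capture it with `if err := file.Close(); err != nil { return fmt.Errorf("failed to close GITHUB_OUTPUT file: %w", err) }` instead of deferring. The Fprintf line that writes the heredoc delimiter is truncated in this view, so the delimiter itself could not be reviewed; if it is a fixed string, a per-run random delimiter is the safer pattern for multi-line outputs.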
diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index 0d64879670..38070c0034 100644 --- a/.github/workflows/code-health.yml +++ b/.github/workflows/code-health.yml @@ -88,7 +88,6 @@ jobs: cat doc.repo.patch exit 1 call-acceptance-tests-workflow: - needs: [build, lint, shellcheck, unit-test, generate-doc-check] secrets: inherit uses: ./.github/workflows/acceptance-tests.yml with: From ef67aaf0cc9f31357b00f4181b1d28f579890d4a Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 08:31:55 +0100 Subject: [PATCH 08/14] revoke token --- .github/workflows/acceptance-tests-runner.yml | 11 +- Makefile | 10 +- tools/access-token/main.go | 110 ++++++++++++++++++ tools/generate-oauth2-token/main.go | 61 ---------- 4 files changed, 125 insertions(+), 67 deletions(-) create mode 100644 tools/access-token/main.go delete mode 100644 tools/generate-oauth2-token/main.go diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index 0ea22af234..f6ac4a129a 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml @@ -563,13 +563,13 @@ jobs: ACCTEST_REGEX_RUN: '^TestAccServiceAccount' ACCTEST_PACKAGES: ./internal/provider run: make testacc - - name: Generate OAuth2 Token + - name: Generate access token id: generate-token env: MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} - run: make generate-oauth2-token + run: make access-token-create - name: Acceptance Tests (Access Token) env: MONGODB_ATLAS_PUBLIC_KEY: "" 
@@ -577,10 +577,15 @@ jobs: MONGODB_ATLAS_CLIENT_ID: "" MONGODB_ATLAS_CLIENT_SECRET: "" MONGODB_ATLAS_ACCESS_TOKEN: ${{ steps.generate-token.outputs.access_token }} - MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }} ACCTEST_REGEX_RUN: '^TestAccAccessToken' ACCTEST_PACKAGES: ./internal/provider run: make testacc + - name: Revoke access token + env: + MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} + MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} + MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} + run: make access-token-revoke token="${{ steps.generate-token.outputs.access_token }}" autogen_fast: needs: [change-detection, get-provider-version] diff --git a/Makefile b/Makefile index 7c4517c104..5a5756d4f4 100644 --- a/Makefile +++ b/Makefile @@ -201,9 +201,13 @@ check-changelog-entry-file: ## Check a changelog entry file in a PR jira-release-version: ## Update Jira version in a release go run ./tools/jira-release-version/*.go -.PHONY: generate-oauth2-token -generate-oauth2-token: ## Generate OAuth2 access token from Service Account credentials - @go run ./tools/generate-oauth2-token/*.go +.PHONY: access-token-create +access-token-create: ## Create a new OAuth2 access token from Service Account credentials + @go run ./tools/access-token/*.go create + +.PHONY: access-token-revoke +access-token-revoke: ## Revoke an OAuth2 access token. Usage: make access-token-revoke token= + @go run ./tools/access-token/*.go revoke $(token) .PHONY: enable-autogen enable-autogen: ## Enable use of autogen resources in the provider diff --git a/tools/access-token/main.go b/tools/access-token/main.go new file mode 100644 index 0000000000..9284058424 --- /dev/null +++ b/tools/access-token/main.go 
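Review bot: The new `Revoke access token` step has no `if:` condition, so when `Acceptance Tests (Access Token)` fails the job stops before it and the token stays valid until it expires; add `if: ${{ always() && steps.generate-token.outputs.access_token != '' }}` to the step. The same gap exists in the `Remove token` steps of the advanced_cluster_sa_mig and config_sa_mig jobs added later in this series. Interpolating the token into the `run:` line also puts it in the step log, because the runner prints the expanded command at the top of the step; pass it through the environment instead: `env:` / `  ACCESS_TOKEN: ${{ steps.generate-token.outputs.access_token }}` / `run: make access-token-revoke token="$ACCESS_TOKEN"`. The enclosing service_account job starts outside the hunk.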
@@ -0,0 +1,110 @@ +package main + +import ( + "context" + "fmt" + "os" + "strings" + + "github.com/mongodb/atlas-sdk-go/auth/clientcredentials" + "golang.org/x/oauth2" +) + +func main() { + if len(os.Args) < 2 { + printUsage() + os.Exit(1) + } + switch command := os.Args[1]; command { + case "create": + if err := createToken(); err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } + case "revoke": + if len(os.Args) < 3 { + fmt.Fprintln(os.Stderr, "Error: revoke command requires an access token as second argument") + printUsage() + os.Exit(1) + } + accessToken := os.Args[2] + if err := revokeToken(accessToken); err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } + default: + fmt.Fprintf(os.Stderr, "Error: unknown command '%s'\n", command) + printUsage() + os.Exit(1) + } +} + +func printUsage() { + fmt.Fprintln(os.Stderr, "Usage:") + fmt.Fprintln(os.Stderr, " access-token create # Generate a new OAuth2 access token") + fmt.Fprintln(os.Stderr, " access-token revoke # Revoke an existing OAuth2 access token") +} + +func createToken() error { + conf, err := getConfig() + if err != nil { + return err + } + token, err := conf.Token(context.Background()) + if err != nil { + return fmt.Errorf("failed to generate OAuth2 token: %w", err) + } + accessToken := token.AccessToken + if accessToken == "" { + return fmt.Errorf("generated access token is empty") + } + return outputToken(accessToken) +} + +func revokeToken(accessToken string) error { + if accessToken == "" { + return fmt.Errorf("access token cannot be empty") + } + conf, err := getConfig() + if err != nil { + return err + } + // OAuth2 revocation is always successful as per RFC 7009 for security and idempotency, even for invalid tokens. 
+ _ = conf.RevokeToken(context.Background(), &oauth2.Token{AccessToken: accessToken}) + return nil +} + +func getConfig() (*clientcredentials.Config, error) { + baseURL := strings.TrimRight(os.Getenv("MONGODB_ATLAS_BASE_URL"), "/") + clientID := os.Getenv("MONGODB_ATLAS_CLIENT_ID") + clientSecret := os.Getenv("MONGODB_ATLAS_CLIENT_SECRET") + if baseURL == "" || clientID == "" || clientSecret == "" { + return nil, fmt.Errorf("MONGODB_ATLAS_BASE_URL, MONGODB_ATLAS_CLIENT_ID, and MONGODB_ATLAS_CLIENT_SECRET environment variables are required") + } + conf := clientcredentials.NewConfig(clientID, clientSecret) + conf.TokenURL = baseURL + clientcredentials.TokenAPIPath + conf.RevokeURL = baseURL + clientcredentials.RevokeAPIPath + return conf, nil +} + +func outputToken(accessToken string) error { + // Check if running in GitHub Actions. + if githubOutput := os.Getenv("GITHUB_OUTPUT"); githubOutput != "" { + return writeGitHubOutput(githubOutput, accessToken) + } + // Local usage: just print the token. + fmt.Print(accessToken) + return nil +} + +func writeGitHubOutput(githubOutput, accessToken string) error { + file, err := os.OpenFile(githubOutput, os.O_APPEND|os.O_WRONLY, 0o644) + if err != nil { + return fmt.Errorf("failed to open GITHUB_OUTPUT file: %w", err) + } + defer file.Close() + if _, err := fmt.Fprintf(file, "access_token< Date: Wed, 29 Oct 2025 08:59:50 +0100 Subject: [PATCH 09/14] SA mig tests for config and adv_cluster --- .github/workflows/acceptance-tests-runner.yml | 115 +++++++++++++++--- 1 file changed, 100 insertions(+), 15 deletions(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index f6ac4a129a..d41324ba69 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml 
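Review bot: revokeToken discards the error from conf.RevokeToken, so a transport failure, a 401 from wrong credentials or a 5xx leaves the token live while the CI step reports success; the RFC 7009 rule the comment cites only says a server that was reached answers 200 for unknown tokens, it does not make failed requests harmless. Return the error, `if err := conf.RevokeToken(context.Background(), &oauth2.Token{AccessToken: accessToken}); err != nil { return fmt.Errorf("failed to revoke token: %w", err) }`, and let the step fail loudly. The Makefile target also passes the token as a command-line argument (`revoke $(token)`), where it is visible to anything listing processes on the runner; reading it from an environment variable or stdin would avoid that. The last lines of writeGitHubOutput are garbled in this view and could not be reviewed.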
@@ -213,8 +213,10 @@ env: ACCTEST_TIMEOUT: ${{ vars.ACCTEST_TIMEOUT }} # If the name (regex) of the test is set, only that test is run. # Only Migration tests are run when a specific previous provider version is set. - # Don't run migration tests if using Service Account because each migration test creates a new SA token in the test first step. - # The previous provider runs externally (equivalent to running a Terraform command), causing token creation limit issues. + # When using Service Account, migration tests are run in dedicated jobs using access tokens to avoid token creation limit issues. + # Currently dedicated jobs are: config_sa_mig (fast tests) and advanced_cluster_sa_mig (most important resource), more can be added as needed. + # This is because each migration test creates a new SA token in the test first step as the previous provider runs externally (equivalent to running a Terraform command). + ACCTEST_REGEX_RUN: ${{ inputs.test_name || inputs.use_sa == true && '^TestAcc' || inputs.provider_version == '' && '^Test(Acc|Mig)' || '^TestMig' }} MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} MONGODB_REALM_BASE_URL: ${{ inputs.mongodb_realm_base_url }} MONGODB_ATLAS_ORG_ID: ${{ inputs.mongodb_atlas_org_id }} 
@@ -479,6 +481,39 @@ jobs: ACCTEST_PACKAGES: ./internal/service/advancedcluster run: make testacc + advanced_cluster_sa_mig: + needs: [ change-detection, get-provider-version ] + if: ${{ inputs.use_sa == true && inputs.reduced_tests != true && (needs.change-detection.outputs.advanced_cluster == 'true' || inputs.test_group == 'advanced_cluster') }} + runs-on: ubuntu-latest + permissions: {} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + with: + ref: ${{ inputs.ref || github.ref }} + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 + with: + go-version-file: 'go.mod' + - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd + with: + terraform_version: ${{ inputs.terraform_version }} + terraform_wrapper: false + - id: create-token + run: make access-token-create + - name: Migration Tests with Access Token + env: + MONGODB_ATLAS_PUBLIC_KEY: "" + MONGODB_ATLAS_PRIVATE_KEY: "" + MONGODB_ATLAS_CLIENT_ID: "" + MONGODB_ATLAS_CLIENT_SECRET: "" + MONGODB_ATLAS_ACCESS_TOKEN: ${{ steps.create-token.outputs.access_token }} + MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }} + HTTP_MOCKER_CAPTURE: 'true' + ACCTEST_REGEX_RUN: '^TestMig' + ACCTEST_PACKAGES: ./internal/service/advancedcluster + run: make testacc + - name: Remove token + run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" + assume_role: needs: [ change-detection, get-provider-version ] if: ${{ needs.change-detection.outputs.assume_role == 'true' || inputs.test_group == 'assume_role' }} 
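Review bot: advanced_cluster_sa_mig runs with `HTTP_MOCKER_CAPTURE: 'true'` while the provider authenticates with the freshly minted bearer token; if the capture records request headers, the token lands in the captured files, which cannot be confirmed from this hunk but is worth checking before the job runs in CI. The `create-token` step has no `name:`, so the log shows a bare `make` invocation next to the named `Remove token` step; `- name: Create token` keeps the two readable as a pair. The job also has no step-level `if:` on `Remove token`, so a failing migration test leaves the token unrevoked, as already noted on the service_account job. The surrounding jobs map continues outside the hunk.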
@@ -563,12 +598,7 @@ jobs: ACCTEST_REGEX_RUN: '^TestAccServiceAccount' ACCTEST_PACKAGES: ./internal/provider run: make testacc - - name: Generate access token - id: generate-token - env: - MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} - MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} - MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} + - id: create-token run: make access-token-create - name: Acceptance Tests (Access Token) env: @@ -576,16 +606,12 @@ jobs: MONGODB_ATLAS_PRIVATE_KEY: "" MONGODB_ATLAS_CLIENT_ID: "" MONGODB_ATLAS_CLIENT_SECRET: "" - MONGODB_ATLAS_ACCESS_TOKEN: ${{ steps.generate-token.outputs.access_token }} + MONGODB_ATLAS_ACCESS_TOKEN: ${{ steps.create-token.outputs.access_token }} ACCTEST_REGEX_RUN: '^TestAccAccessToken' ACCTEST_PACKAGES: ./internal/provider run: make testacc - - name: Revoke access token - env: - MONGODB_ATLAS_BASE_URL: ${{ inputs.mongodb_atlas_base_url }} - MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} - MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} - run: make access-token-revoke token="${{ steps.generate-token.outputs.access_token }}" + - name: Remove token + run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" autogen_fast: needs: [change-detection, get-provider-version] 
@@ -839,6 +865,65 @@ jobs: ./internal/service/thirdpartyintegration run: make testacc + config_sa_mig: + needs: [ change-detection, get-provider-version ] + if: ${{ inputs.use_sa == true && (needs.change-detection.outputs.config == 'true' || inputs.test_group == 'config') }} + runs-on: ubuntu-latest + permissions: {} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + with: + ref: ${{ inputs.ref || github.ref }} + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 + with: + go-version-file: 'go.mod' + - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd + with: + terraform_version: ${{ inputs.terraform_version }} + terraform_wrapper: false + - id: create-token + run: make access-token-create + - name: Migration Tests with Access Token + env: + MONGODB_ATLAS_PUBLIC_KEY: "" + MONGODB_ATLAS_PRIVATE_KEY: "" + MONGODB_ATLAS_CLIENT_ID: "" + MONGODB_ATLAS_CLIENT_SECRET: "" + MONGODB_ATLAS_ACCESS_TOKEN: ${{ steps.create-token.outputs.access_token }} + MONGODB_ATLAS_PROJECT_OWNER_ID: ${{ inputs.mongodb_atlas_project_owner_id }} + MONGODB_ATLAS_USERNAME: ${{ vars.MONGODB_ATLAS_USERNAME }} + MONGODB_ATLAS_USERNAME_2: ${{ vars.MONGODB_ATLAS_USERNAME_2 }} + AZURE_ATLAS_APP_ID: ${{ inputs.azure_atlas_app_id }} + AZURE_SERVICE_PRINCIPAL_ID: ${{ inputs.azure_service_principal_id }} + AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }} + AWS_REGION: ${{ vars.AWS_REGION_LOWERCASE }} + AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} + AWS_S3_BUCKET: ${{ secrets.aws_s3_bucket_federation }} + MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }} + ACCTEST_REGEX_RUN: '^TestMig' + ACCTEST_PACKAGES: | + ./internal/config + ./internal/service/alertconfiguration + ./internal/service/atlasuser + ./internal/service/cloudprovideraccess + ./internal/service/customdbrole + ./internal/service/customdnsconfigurationclusteraws + 
./internal/service/databaseuser + ./internal/service/maintenancewindow + ./internal/service/organization + ./internal/service/orginvitation + ./internal/service/projectapikey + ./internal/service/apikeyprojectassignment + ./internal/service/apikey + ./internal/service/rolesorgid + ./internal/service/team + ./internal/service/teamprojectassignment + ./internal/service/thirdpartyintegration + run: make testacc + - name: Remove token + run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" + encryption: needs: [ change-detection, get-provider-version ] concurrency: From 0330930a62789212fb58536fcd25fb5d46124816 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 09:19:18 +0100 Subject: [PATCH 10/14] access token in tests --- .../provider/provider_authentication_test.go | 2 ++ .../project/resource_project_migration_test.go | 1 + .../service/project/resource_project_test.go | 1 + internal/testutil/acc/factory.go | 1 + internal/testutil/acc/pre_check.go | 18 ++++++++++++++---- internal/testutil/acc/skip.go | 11 +++++++++++ 6 files changed, 30 insertions(+), 4 deletions(-) diff --git a/internal/provider/provider_authentication_test.go b/internal/provider/provider_authentication_test.go index 202d8a1baa..490d78c172 100644 --- a/internal/provider/provider_authentication_test.go +++ b/internal/provider/provider_authentication_test.go @@ -12,6 +12,7 @@ import ( func TestAccSTSAssumeRole_basic(t *testing.T) { acc.SkipInPAK(t, "skipping as this test is for AWS credentials only") acc.SkipInSA(t, "skipping as this test is for AWS credentials only") + acc.SkipInAccessToken(t, "skipping as this test is for AWS credentials only") var ( resourceName = "mongodbatlas_project.test" orgID = os.Getenv("MONGODB_ATLAS_ORG_ID") 
@@ -44,6 +45,7 @@ func TestAccSTSAssumeRole_basic(t *testing.T) { func TestAccServiceAccount_basic(t *testing.T) { acc.SkipInPAK(t, "skipping as this test is for SA only") + acc.SkipInAccessToken(t, "skipping as this test is for SA only") var ( resourceName = "data.mongodbatlas_organization.test" orgID = os.Getenv("MONGODB_ATLAS_ORG_ID") diff --git a/internal/service/project/resource_project_migration_test.go b/internal/service/project/resource_project_migration_test.go index 5cdae8001c..5c244c1871 100644 --- a/internal/service/project/resource_project_migration_test.go +++ b/internal/service/project/resource_project_migration_test.go @@ -154,6 +154,7 @@ func TestMigProject_withLimits(t *testing.T) { // based on bug report: https://github.com/mongodb/terraform-provider-mongodbatlas/issues/2263 func TestMigGovProject_regionUsageRestrictionsDefault(t *testing.T) { acc.SkipInSA(t, "SA not supported in Gov tests yet") + acc.SkipInAccessToken(t, "SA not supported in Gov tests yet") var ( orgID = os.Getenv("MONGODB_ATLAS_GOV_ORG_ID") projectName = acc.RandomProjectName() diff --git a/internal/service/project/resource_project_test.go b/internal/service/project/resource_project_test.go index b7db616d70..182c5673e9 100644 --- a/internal/service/project/resource_project_test.go +++ b/internal/service/project/resource_project_test.go @@ -639,6 +639,7 @@ func TestAccProject_basic(t *testing.T) { func TestAccGovProject_withProjectOwner(t *testing.T) { acc.SkipInSA(t, "SA not supported in Gov tests yet") + acc.SkipInAccessToken(t, "SA not supported in Gov tests yet") var ( orgID = os.Getenv("MONGODB_ATLAS_GOV_ORG_ID") projectOwnerID = os.Getenv("MONGODB_ATLAS_GOV_PROJECT_OWNER_ID") diff --git a/internal/testutil/acc/factory.go b/internal/testutil/acc/factory.go index ed944cf387..17811058ef 100644 --- a/internal/testutil/acc/factory.go +++ b/internal/testutil/acc/factory.go 
@@ -61,6 +61,7 @@ func init() { PrivateKey: os.Getenv("MONGODB_ATLAS_PRIVATE_KEY"), ClientID: os.Getenv("MONGODB_ATLAS_CLIENT_ID"), ClientSecret: os.Getenv("MONGODB_ATLAS_CLIENT_SECRET"), + AccessToken: os.Getenv("MONGODB_ATLAS_ACCESS_TOKEN"), BaseURL: os.Getenv("MONGODB_ATLAS_BASE_URL"), RealmBaseURL: os.Getenv("MONGODB_REALM_BASE_URL"), } diff --git a/internal/testutil/acc/pre_check.go b/internal/testutil/acc/pre_check.go index 0bc99d38b7..edad2a1470 100644 --- a/internal/testutil/acc/pre_check.go +++ b/internal/testutil/acc/pre_check.go @@ -14,11 +14,21 @@ func PreCheckBasic(tb testing.TB) { if os.Getenv("MONGODB_ATLAS_ORG_ID") == "" { tb.Fatal("`MONGODB_ATLAS_ORG_ID` must be set for acceptance testing") } - if HasPAKCreds() && HasSACreds() { - tb.Fatal("PAK and SA credentials are defined in this test but only one should be set.") + authCount := 0 + if HasPAKCreds() { + authCount++ } - if !HasPAKCreds() && !HasSACreds() { - tb.Fatal("No credentials are defined in this test, PAK or SA credentials should be set.") + if HasSACreds() { + authCount++ + } + if HasAccessToken() { + authCount++ + } + if authCount > 1 { + tb.Fatal("Multiple credentials are set (PAK, SA, Access Token) but only one should be set.") + } + if authCount == 0 { + tb.Fatal("No credentials are set, one of PAK, SA, or Access Token should be set.") } } diff --git a/internal/testutil/acc/skip.go b/internal/testutil/acc/skip.go index 8e3db37f0e..555e5a3689 100644 --- a/internal/testutil/acc/skip.go +++ b/internal/testutil/acc/skip.go @@ -40,6 +40,10 @@ func HasSACreds() bool { return os.Getenv("MONGODB_ATLAS_CLIENT_ID") != "" || os.Getenv("MONGODB_ATLAS_CLIENT_SECRET") != "" } +func HasAccessToken() bool { + return os.Getenv("MONGODB_ATLAS_ACCESS_TOKEN") != "" +} + func SkipInSA(tb testing.TB, description string) { tb.Helper() if HasSACreds() { 
@@ -53,3 +57,10 @@ func SkipInPAK(tb testing.TB, description string) { tb.Skip(description) } } + +func SkipInAccessToken(tb testing.TB, description string) { + tb.Helper() + if HasAccessToken() { + tb.Skip(description) + } +} From 935bcd3a7d2f30ea598b5b1f36218072e222d841 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 09:22:46 +0100 Subject: [PATCH 11/14] use SA credentials --- .github/workflows/acceptance-tests-runner.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index d41324ba69..db48966dab 100644 --- a/.github/workflows/acceptance-tests-runner.yml +++ b/.github/workflows/acceptance-tests-runner.yml @@ -599,6 +599,9 @@ jobs: ACCTEST_PACKAGES: ./internal/provider run: make testacc - id: create-token + env: + MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} + MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} run: make access-token-create - name: Acceptance Tests (Access Token) env: @@ -611,6 +614,9 @@ jobs: ACCTEST_PACKAGES: ./internal/provider run: make testacc - name: Remove token + env: + MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} + MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" autogen_fast: From 374187f221cc8874957d5188c8d66165808d935d Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 09:40:48 +0100 Subject: [PATCH 12/14] copy --- .github/workflows/acceptance-tests-runner.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/acceptance-tests-runner.yml b/.github/workflows/acceptance-tests-runner.yml index db48966dab..cd22d6df5c 100644 --- a/.github/workflows/acceptance-tests-runner.yml 
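Review bot: Only the service_account job's `create-token` and `Revoke token` steps receive `MONGODB_ATLAS_CLIENT_ID` and `MONGODB_ATLAS_CLIENT_SECRET`; the advanced_cluster_sa_mig and config_sa_mig jobs added earlier in this series call the same `make access-token-create` and `make access-token-revoke` targets with no step-level `env:`, and getConfig() in tools/access-token/main.go exits when either variable is empty. Unless the workflow-level env already sets both for SA runs, which is not visible here, those jobs fail at their first step; add the same two env lines to their create and revoke steps. The enclosing service_account job starts outside the hunk.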
+++ b/.github/workflows/acceptance-tests-runner.yml @@ -511,7 +511,7 @@ jobs: ACCTEST_REGEX_RUN: '^TestMig' ACCTEST_PACKAGES: ./internal/service/advancedcluster run: make testacc - - name: Remove token + - name: Revoke token run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" assume_role: @@ -613,7 +613,7 @@ jobs: ACCTEST_REGEX_RUN: '^TestAccAccessToken' ACCTEST_PACKAGES: ./internal/provider run: make testacc - - name: Remove token + - name: Revoke token env: MONGODB_ATLAS_CLIENT_ID: ${{ secrets.mongodb_atlas_client_id }} MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.mongodb_atlas_client_secret }} @@ -927,7 +927,7 @@ jobs: ./internal/service/teamprojectassignment ./internal/service/thirdpartyintegration run: make testacc - - name: Remove token + - name: Revoke token run: make access-token-revoke token="${{ steps.create-token.outputs.access_token }}" encryption: From 4548d2097112939743eba359b8dd0eef9a60b062 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 09:40:58 +0100 Subject: [PATCH 13/14] Revert "TEMPORARY: don't wait to run acc tests" This reverts commit 243cacbafaf055ae3e03de982c093f0672fcfb68. --- .github/workflows/code-health.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index 38070c0034..0d64879670 100644 --- a/.github/workflows/code-health.yml +++ b/.github/workflows/code-health.yml @@ -88,6 +88,7 @@ jobs: cat doc.repo.patch exit 1 call-acceptance-tests-workflow: + needs: [build, lint, shellcheck, unit-test, generate-doc-check] secrets: inherit uses: ./.github/workflows/acceptance-tests.yml with: From 693bc0da6f6a1a7489834cc453dbd5087c3081f9 Mon Sep 17 00:00:00 2001 
From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 29 Oct 2025 09:41:04 +0100 Subject: [PATCH 14/14] Revert "TEMPORARY: trigger tests" This reverts commit 8e4f5ff8e52b5b40c90dd36bc7568b1f685a6ecd. --- internal/config/service_account.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/internal/config/service_account.go b/internal/config/service_account.go index 0479ee7f2a..49c0693009 100644 --- a/internal/config/service_account.go +++ b/internal/config/service_account.go @@ -13,8 +13,6 @@ import ( "golang.org/x/oauth2" ) -// TODO: TEMPORARY, DONT MERGE - // Renew token if it expires within 10 minutes to avoid authentication errors during Atlas API calls. const saTokenExpiryBuffer = 10 * time.Minute