From 6fde7499cdefd684de85e761c9c0c316fc85a6f5 Mon Sep 17 00:00:00 2001 From: Luiz Aoqui Date: Fri, 6 Oct 2023 15:37:46 -0400 Subject: [PATCH 1/2] cli: remove default for ACL token type on update With a default value set to `client`, the `nomad acl token update` command can silently downgrade a management token to client on update if the command does not specify `-type=management` on every update. --- command/acl_token_update.go | 4 ++-- website/content/docs/commands/acl/token/update.mdx | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/command/acl_token_update.go b/command/acl_token_update.go index e3240fb99014..2da6a6c8d91d 100644 --- a/command/acl_token_update.go +++ b/command/acl_token_update.go @@ -30,7 +30,7 @@ Update Options: Sets the human readable name for the ACL token. -type="client" - Sets the type of token. Must be one of "client" (default), or "management". + Sets the type of token. Must be one of "client" or "management". -global=false Toggles the global mode of the token. Global tokens are replicated to all regions. @@ -70,7 +70,7 @@ func (c *ACLTokenUpdateCommand) Run(args []string) int { flags := c.Meta.FlagSet(c.Name(), FlagSetClient) flags.Usage = func() { c.Ui.Output(c.Help()) } flags.StringVar(&name, "name", "", "") - flags.StringVar(&tokenType, "type", "client", "") + flags.StringVar(&tokenType, "type", "", "") flags.BoolVar(&global, "global", false, "") flags.Var((funcVar)(func(s string) error { policies = append(policies, s) diff --git a/website/content/docs/commands/acl/token/update.mdx b/website/content/docs/commands/acl/token/update.mdx index e74a72f61e48..bf13ae093bc0 100644 --- a/website/content/docs/commands/acl/token/update.mdx +++ b/website/content/docs/commands/acl/token/update.mdx 
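Review bot: The option heading `-type="client"`, directly above the edited sentence in the `Update Options` help text, still advertises `client` as the default even though this commit removes that default from the flag. The neighbouring heading `-global=false` shows the flag's default, so an operator reading `-type="client"` can still assume that omitting the flag means client. I would change the heading to `-type=""` and add a sentence such as `If not set, the token's current type is kept.`, provided that is what `Run` does with an empty value. The help string starts and ends outside the hunk.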
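Review bot: With the default now `""` in `flags.StringVar(&tokenType, "type", "", "")`, the fix depends on code later in `Run` that this hunk does not show. `tokenType` must be copied onto the token only when it is non-empty, otherwise the update would submit an empty type instead of keeping the existing one. It is worth confirming that guard exists and that values other than `client` or `management` are rejected. The diffstat lists no test file, so a regression test that updates a management token without `-type` and asserts the type is still management would pin this privilege-affecting behaviour. If the guard is in place, a comment on the flag line would record the intent: `// no default: an empty value leaves the token's existing type unchanged`.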
@@ -25,8 +25,7 @@ The `acl token update` command requires an existing token's accessor ID. - `-name`: Sets the human readable name for the ACL token. -- `-type`: Sets the type of token. Must be one of "client" (default), or - "management". +- `-type`: Sets the type of token. Must be one of "client" or "management". - `-global`: Toggles the global mode of the token. Global tokens are replicated to all regions. Defaults false. From 30ed8d882a959c5a64b41ac350e09035bc2375e6 Mon Sep 17 00:00:00 2001 From: Luiz Aoqui Date: Fri, 6 Oct 2023 15:43:44 -0400 Subject: [PATCH 2/2] changelog: add entry for #18689 --- .changelog/18689.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/18689.txt diff --git a/.changelog/18689.txt b/.changelog/18689.txt new file mode 100644 index 000000000000..8b92580de656 --- /dev/null +++ b/.changelog/18689.txt @@ -0,0 +1,3 @@ +```release-note:bug +cli: Fixed an unexpected behavior of the `nomad acl token update` command that could cause a management token to be downgraded to client on update +```