fix: default auth method with recovery kms (#405)

* fix bug with getting default auth method when recovery kms is used for provider authentication

* update changelog

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 Canonical reference for changes, improvements, and bugfixes for the Boundary Terraform provider.
 
+## 1.1.7 (May 12, 2023)
+
+### Bug Fix
+* Fix default auth method with recovery kms
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/405))
+
 ## 1.1.6 (May 5, 2023)
 
 ### New and Improved

internal/provider/provider.go

@@ -140,10 +140,11 @@ func providerAuthenticate(ctx context.Context, d *schema.ResourceData, md *metaD
 		md.client.SetToken(token.(string))
 	}
 
-	// If auth_method_id is not set, get the default auth method ID for the given scope ID
+	// If auth_method_id is not set, get the default auth method ID for the given scope ID.
+	// Skip fetching default auth method when recovery_kms_hcl is set or the client token isn't null.
 	authMethodId, authMethodIdOk := d.GetOk("auth_method_id")
-	if !authMethodIdOk {
-		defaultAuthMethodId, err := getDefaultAuthMethodId(ctx, amClient, providerScope, PASSWORD_AUTH_METHOD_PREFIX)
+	if !authMethodIdOk && !recoveryKmsHclOk && md.client.Token() == "" {
+		defaultAuthMethodId, err := getDefaultAuthMethodId(ctx, amClient, providerScope, "")
 		if err != nil {
 			return err
 		}

internal/provider/provider_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/boundary/testing/controller"
+	"github.com/hashicorp/cap/oidc"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-kms-wrapping/v2/aead"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -140,9 +141,6 @@ func testConfigWithRecovery(url string, res ...string) string {
 	provider := fmt.Sprintf(`
 provider "boundary" {
 	addr             = "%s"
-	auth_method_id       = "%s"
-	password_auth_method_login_name = "%s"
-	password_auth_method_password = "%s"
 	recovery_kms_hcl = <<DOC
 	kms "aead" {
 		purpose = ["recovery", "config"]
@@ -151,7 +149,7 @@ provider "boundary" {
 		key_id = "global_recovery"
 	}
 	DOC
-}`, url, tcPAUM, tcLoginName, tcPassword)
+}`, url)
 
 	c := []string{provider}
 	c = append(c, res...)
@@ -236,6 +234,55 @@ func TestConfigWithOIDCAuthMethod(t *testing.T) {
 	})
 }
 
+// Create OIDC auth method and set it as the primary auth method.
+// Attempt to authenticate with recovery to test checks for default auth method
+func TestRecoveryWithOIDCDefaultAuthMethod(t *testing.T) {
+	tp := oidc.StartTestProvider(t)
+	wrapper := testWrapper(context.Background(), t, tcRecoveryKey)
+	tc := controller.NewTestController(t, append(tcConfig, controller.WithRecoveryKms(wrapper))...)
+	defer tc.Shutdown()
+	url := tc.ApiAddrs()[0]
+
+	tpCert := strings.TrimSpace(tp.CACert())
+	createConfig := fmt.Sprintf(fooAuthMethodOidc, fooAuthMethodOidcDesc, tp.Addr(), tpCert)
+	updateConfig := fmt.Sprintf(fooAuthMethodOidcUpdate, fooAuthMethodOidcDescUpdate, fooAuthMethodOidcCaCerts)
+
+	var provider *schema.Provider
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories(&provider),
+		CheckDestroy:      testAccCheckAuthMethodResourceDestroy(t, provider, oidcAuthMethodType),
+		Steps: []resource.TestStep{
+			{
+				// create auth method
+				Config: testConfig(url, fooOrg, createConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "description", fooAuthMethodOidcDesc),
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", authmethodOidcIssuerKey, tp.Addr()),
+				),
+			},
+			importStep("boundary_auth_method_oidc.foo", "client_secret", "is_primary_for_scope"),
+			{
+				// set auth method as primary auth method
+				Config: testConfig(url, fooOrg, updateConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", true),
+				),
+			},
+			{
+				// authenticate provider with recovery kms with unsupported OIDC primary auth method
+				Config: testConfigWithRecovery(url, fooOrg, updateConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", true),
+				),
+			},
+			importStep("boundary_auth_method_oidc.foo", "client_secret", "is_primary_for_scope", authmethodOidcMaxAgeKey),
+		},
+	})
+}
+
 func testProviderTokenExists(testProvider *schema.Provider) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		md := testProvider.Meta().(*metaData)

internal/provider/resource_auth_method_oidc_test.go

@@ -50,7 +50,7 @@ var (
 resource "boundary_auth_method_oidc" "foo" {
 	name        = "test"
 	description = "%s"
-	scope_id    = boundary_scope.org1.id
+	scope_id    = "global"
 	depends_on  = [boundary_role.org1_admin]
 
   issuer            = "%s"
@@ -73,7 +73,7 @@ EOT
 resource "boundary_auth_method_oidc" "foo" {
 	name                 = "test"
 	description          = "%s"
-	scope_id             = boundary_scope.org1.id
+	scope_id             = "global"
 	is_primary_for_scope = true
 	depends_on           = [boundary_role.org1_admin]