feat: Add is_primary_for_scope attribute to boundary_auth_method and boundary_auth_method_password resources

docs/resources/auth_method.md

@@ -25,6 +25,12 @@ resource "boundary_auth_method" "password" {
   scope_id = boundary_scope.org.id
   type     = "password"
 }
+
+resource "boundary_auth_method" "password_is_primary" {
+  scope_id = boundary_scope.org.id
+  type     = "password"
+  is_primary_for_scope = true
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -38,6 +44,7 @@ resource "boundary_auth_method" "password" {
 ### Optional
 
 - `description` (String) The auth method description.
+- `is_primary_for_scope` (Boolean) When true, makes this auth method the primary auth method for the scope in which it resides.
 - `min_login_name_length` (Number, Deprecated) The minimum login name length.
 - `min_password_length` (Number, Deprecated) The minimum password length.
 - `name` (String) The auth method name. Defaults to the resource name.

docs/resources/auth_method_password.md

@@ -10,7 +10,26 @@ description: |-
 
 The auth method resource allows you to configure a Boundary auth_method_password.
 
-
+## Example Usage
+
+```terraform
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_auth_method_password" "password" {
+  scope_id = boundary_scope.org.id
+}
+
+resource "boundary_auth_method_password" "password_is_primary" {
+  scope_id = boundary_scope.org.id
+  is_primary_for_scope = true
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -22,6 +41,7 @@ The auth method resource allows you to configure a Boundary auth_method_password
 ### Optional
 
 - `description` (String) The auth method description.
+- `is_primary_for_scope` (Boolean) When true, makes this auth method the primary auth method for the scope in which it resides.
 - `min_login_name_length` (Number) The minimum login name length.
 - `min_password_length` (Number) The minimum password length.
 - `name` (String) The auth method name. Defaults to the resource name.
@@ -30,3 +50,13 @@ The auth method resource allows you to configure a Boundary auth_method_password
 ### Read-Only
 
 - `id` (String) The ID of the account.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+terraform import boundary_auth_method_password.foo <my-id>
+```

examples/resources/boundary_auth_method/resource.tf

@@ -10,3 +10,9 @@ resource "boundary_auth_method" "password" {
   scope_id = boundary_scope.org.id
   type     = "password"
 }
+
+resource "boundary_auth_method" "password_is_primary" {
+  scope_id = boundary_scope.org.id
+  type     = "password"
+  is_primary_for_scope = true
+}

examples/resources/boundary_auth_method_password/import.sh

@@ -0,0 +1 @@
+terraform import boundary_auth_method_password.foo <my-id>

examples/resources/boundary_auth_method_password/resource.tf

@@ -0,0 +1,16 @@
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_auth_method_password" "password" {
+  scope_id = boundary_scope.org.id
+}
+
+resource "boundary_auth_method_password" "password_is_primary" {
+  scope_id = boundary_scope.org.id
+  is_primary_for_scope = true
+}

internal/provider/resource_auth_method.go

@@ -73,6 +73,11 @@ func resourceAuthMethod() *schema.Resource {
 				Computed:    true,
 				Deprecated:  "Will be removed in favor of using attributes parameter",
 			},
+			authmethodIsPrimaryAuthMethodForScopeKey: {
+				Description: "When true, makes this auth method the primary auth method for the scope in which it resides.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+			},
 		},
 	}
 }
@@ -91,6 +96,10 @@ func setFromAuthMethodResponseMap(d *schema.ResourceData, raw map[string]interfa
 		return err
 	}
 
+	if p, ok := raw[authmethodIsPrimaryAuthMethodForScopeKey]; ok {
+		d.Set(authmethodIsPrimaryAuthMethodForScopeKey, p.(bool))
+	}
+
 	switch raw["type"].(string) {
 	case authmethodTypePassword:
 		if attrsVal, ok := raw["attributes"]; ok {
@@ -160,6 +169,19 @@ func resourceAuthMethodCreate(ctx context.Context, d *schema.ResourceData, meta
 		return diag.Errorf("nil auth method after create")
 	}
 
+	amid := amcr.GetResponse().Map["id"].(string)
+
+	// update scope when set to primary
+	if p, ok := d.GetOk(authmethodIsPrimaryAuthMethodForScopeKey); ok {
+		if p.(bool) {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, amid, meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+
+			amcr.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = true
+		}
+	}
+
 	if err := setFromAuthMethodResponseMap(d, amcr.GetResponse().Map); err != nil {
 		return diag.FromErr(err)
 	}
@@ -183,6 +205,13 @@ func resourceAuthMethodRead(ctx context.Context, d *schema.ResourceData, meta in
 		return diag.Errorf("auth method nil after read")
 	}
 
+	serr, isPrimary := readScopeIsPrimaryAuthMethodId(ctx, amrr.GetResponse().Map["scope_id"].(string), amrr.GetResponse().Map["id"].(string), meta)
+	if serr != nil {
+		return diag.Errorf("%v", serr)
+	}
+
+	amrr.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = isPrimary
+
 	if err := setFromAuthMethodResponseMap(d, amrr.GetResponse().Map); err != nil {
 		return diag.FromErr(err)
 	}
@@ -225,13 +254,48 @@ func resourceAuthMethodUpdate(ctx context.Context, d *schema.ResourceData, meta
 		}
 	}
 
-	opts = append(opts, authmethods.WithAutomaticVersioning(true))
-	amu, err := amClient.Update(ctx, d.Id(), 0, opts...)
-	if err != nil {
-		return diag.Errorf("error updating auth method: %v", err)
+	if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+		amrr, err := amClient.Read(ctx, d.Id())
+		if err != nil {
+			return diag.Errorf("error updating auth method: %v", err)
+		}
+		if amrr == nil {
+			return diag.Errorf("error updating auth method: nil resource")
+		}
+		scopeId := amrr.GetResponse().Map["scope_id"].(string)
+		authMethodId := amrr.GetResponse().Map["id"].(string)
+
+		isPrimary := d.Get(authmethodIsPrimaryAuthMethodForScopeKey).(bool)
+
+		if isPrimary {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, authMethodId, meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+		} else {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, "", meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+		}
 	}
 
-	setFromAuthMethodResponseMap(d, amu.GetResponse().Map)
+	if len(opts) > 0 {
+		opts = append(opts, authmethods.WithAutomaticVersioning(true))
+		amu, err := amClient.Update(ctx, d.Id(), 0, opts...)
+		if err != nil {
+			return diag.Errorf("error updating auth method: %v", err)
+		}
+
+		if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+			amu.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = d.Get(authmethodIsPrimaryAuthMethodForScopeKey).(bool)
+		}
+
+		setFromAuthMethodResponseMap(d, amu.GetResponse().Map)
+	}
+
+	// If only is_primary_for_scope changed
+	if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+		return resourceAuthMethodPasswordRead(ctx, d, meta)
+	}
 
 	return nil
 }

internal/provider/resource_auth_method_oidc.go

@@ -405,7 +405,12 @@ func updateScopeWithPrimaryAuthMethodId(ctx context.Context, scopeId, authmethod
 
 	opts := []scopes.Option{}
 	opts = append(opts, scopes.WithAutomaticVersioning(true))
-	opts = append(opts, scopes.WithPrimaryAuthMethodId(authmethodId))
+
+	if authmethodId != "" {
+		opts = append(opts, scopes.WithPrimaryAuthMethodId(authmethodId))
+	} else {
+		opts = append(opts, scopes.DefaultPrimaryAuthMethodId())
+	}
 
 	_, err := scp.Update(ctx, scopeId, 0, opts...)
 	if err != nil {

internal/provider/resource_auth_method_password.go

@@ -15,9 +15,10 @@ import (
 )
 
 const (
-	authmethodTypePassword          = "password"
-	authmethodMinLoginNameLengthKey = "min_login_name_length"
-	authmethodMinPasswordLengthKey  = "min_password_length"
+	authmethodTypePassword                   = "password"
+	authmethodMinLoginNameLengthKey          = "min_login_name_length"
+	authmethodMinPasswordLengthKey           = "min_password_length"
+	authmethodIsPrimaryAuthMethodForScopeKey = "is_primary_for_scope"
 )
 
 func resourceAuthMethodPassword() *schema.Resource {
@@ -72,6 +73,11 @@ func resourceAuthMethodPassword() *schema.Resource {
 				Optional:    true,
 				Computed:    true,
 			},
+			authmethodIsPrimaryAuthMethodForScopeKey: {
+				Description: "When true, makes this auth method the primary auth method for the scope in which it resides.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+			},
 		},
 	}
 }
@@ -82,6 +88,10 @@ func setFromPasswordAuthMethodResponseMap(d *schema.ResourceData, raw map[string
 	d.Set(ScopeIdKey, raw[ScopeIdKey])
 	d.Set(TypeKey, raw[TypeKey])
 
+	if p, ok := raw[authmethodIsPrimaryAuthMethodForScopeKey]; ok {
+		d.Set(authmethodIsPrimaryAuthMethodForScopeKey, p.(bool))
+	}
+
 	if attrsVal, ok := raw["attributes"]; ok {
 		attrs := attrsVal.(map[string]interface{})
 
@@ -158,6 +168,19 @@ func resourceAuthMethodPasswordCreate(ctx context.Context, d *schema.ResourceDat
 		return diag.Errorf("nil auth method after create")
 	}
 
+	amid := amcr.GetResponse().Map["id"].(string)
+
+	// update scope when set to primary
+	if p, ok := d.GetOk(authmethodIsPrimaryAuthMethodForScopeKey); ok {
+		if p.(bool) {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, amid, meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+
+			amcr.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = true
+		}
+	}
+
 	return setFromPasswordAuthMethodResponseMap(d, amcr.GetResponse().Map)
 }
 
@@ -177,6 +200,13 @@ func resourceAuthMethodPasswordRead(ctx context.Context, d *schema.ResourceData,
 		return diag.Errorf("auth method nil after read")
 	}
 
+	serr, isPrimary := readScopeIsPrimaryAuthMethodId(ctx, amrr.GetResponse().Map["scope_id"].(string), amrr.GetResponse().Map["id"].(string), meta)
+	if serr != nil {
+		return diag.Errorf("%v", serr)
+	}
+
+	amrr.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = isPrimary
+
 	return setFromPasswordAuthMethodResponseMap(d, amrr.GetResponse().Map)
 }
 
@@ -218,15 +248,47 @@ func resourceAuthMethodPasswordUpdate(ctx context.Context, d *schema.ResourceDat
 		}
 	}
 
+	if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+		amrr, err := amClient.Read(ctx, d.Id())
+		if err != nil {
+			return diag.Errorf("error updating auth method: %v", err)
+		}
+		if amrr == nil {
+			return diag.Errorf("error updating auth method: nil resource")
+		}
+		scopeId := amrr.GetResponse().Map["scope_id"].(string)
+		authMethodId := amrr.GetResponse().Map["id"].(string)
+
+		if d.Get(authmethodIsPrimaryAuthMethodForScopeKey).(bool) {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, authMethodId, meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+		} else {
+			if err := updateScopeWithPrimaryAuthMethodId(ctx, scopeId, "", meta); err != nil {
+				return diag.Errorf("%v", err)
+			}
+		}
+	}
+
 	if len(opts) > 0 {
 		opts = append(opts, authmethods.WithAutomaticVersioning(true))
 		amur, err := amClient.Update(ctx, d.Id(), 0, opts...)
 		if err != nil {
 			return diag.Errorf("error updating auth method: %v", err)
 		}
 
+		if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+			amur.GetResponse().Map[authmethodIsPrimaryAuthMethodForScopeKey] = d.Get(authmethodIsPrimaryAuthMethodForScopeKey).(bool)
+		}
+
 		return setFromPasswordAuthMethodResponseMap(d, amur.GetResponse().Map)
 	}
+
+	// If only is_primary_for_scope changed
+	if d.HasChange(authmethodIsPrimaryAuthMethodForScopeKey) {
+		return resourceAuthMethodPasswordRead(ctx, d, meta)
+	}
+
 	return nil
 }