hashicorp/terraform-provider-boundary

Unable to use provider 1.1.6 w/o primary password auth method

vhatsura opened this issue · 6 comments

We're using the OIDC auth method as the primary auth method and authenticate our boundary provider in terraform using the recovery_kms_hcl configuration. After upgrading to version 1.1.6, the setup stops working, complaining that we don't have a password primary auth method.

Terraform Version

1.3.9

Affected Resource(s)

The entire provider

Terraform Configuration Files

provider "boundary" {
  addr             = var.boundary_address
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  key_id     = "global_recovery"
  region     = "${var.region}"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
}
EOT
}

Debug Output

Error: error looking up primary auth method for scope ID: 'global'. got 'amoidc_...' but the provider requires an auth method prefix of 'ampw'
│ 
│   with provider["registry.terraform.io/hashicorp/boundary"],
│   on providers.tf line 65, in provider "boundary":
│   65: provider "boundary" {
│ 

Expected Behavior

The provider should work w/o errors

Actual Behavior

The terraform apply command failed with the error provided above

If you remove the key_id line from the awskms config, does it start working?

elimt commented

It seems the boundary provider in terraform is trying to find the default auth_method_id when you are using recovery_kms_hcl . Does it work when you explicitly pass in auth_method_id value?

Example:

provider "boundary" {
  addr              = var.boundary_address
  auth_method_id    = "amoidc_12345567" # update to your OIDC (amoidc_ prefix) or any other auth method id
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  key_id     = "global_recovery"
  region     = "${var.region}"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
}
EOT
}

> If you remove the key_id line from the awskms config, does it start working?

unfortunately, it doesn't help

> It seems the boundary provider in terraform is trying to find the default auth_method_id when you are using recovery_kms_hcl . Does it work when you explicitly pass in auth_method_id value?
>
> Example:
>
> provider "boundary" {
>   addr              = var.boundary_address
>   auth_method_id    = "amoidc_12345567" # update to your OIDC (amoidc_ prefix) or any other auth method id
>   recovery_kms_hcl = <<EOT
> kms "awskms" {
>   purpose    = "recovery"
>   key_id     = "global_recovery"
>   region     = "${var.region}"
>   access_key = "${var.aws_access_key}"
>   secret_key = "${var.aws_secret_key}"
>   kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
> }
> EOT
> }

If I set auth_method_id to the OIDC auth method, it works, but it doesn't make sense, as the auth method is not used at all because recovery_kms_hcl has priority over all other authentication approaches. I'd expect that, with recovery_kms_hcl set, the provider will not try to find the default auth_method_id, as it's useless.
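As an added illustration (not the provider's own code), here is a Go sketch of the resolution order the reporter expects: recovery KMS first and no auth method lookup at all, then an explicit auth_method_id, and only otherwise a primary-auth-method lookup, with the 'ampw' prefix enforced solely when password credentials are actually used. The type, field names and the lookup callback are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ProviderConfig mirrors the provider arguments discussed in the thread.
// Field names are assumptions for this example, not the provider's own.
type ProviderConfig struct {
	RecoveryKmsHcl string // recovery_kms_hcl block (takes priority over everything)
	AuthMethodID   string // explicit auth_method_id, if the user set one
	PasswordCreds  bool   // constructed flag: login name/password credentials supplied
}

// PrimaryAuthMethodLookup returns the primary auth method id of a scope
// (e.g. "amoidc_..." or "ampw_..."); in the real provider this is an API call.
type PrimaryAuthMethodLookup func(scopeID string) (string, error)

const prefixPassword = "ampw"

// ResolveAuthMethod decides which auth method id, if any, the provider needs.
// With recovery KMS configured it returns "" and never calls lookup, so an
// OIDC primary auth method can no longer break the provider (the 1.1.6 bug).
func ResolveAuthMethod(cfg ProviderConfig, lookup PrimaryAuthMethodLookup) (string, error) {
	if cfg.RecoveryKmsHcl != "" {
		return "", nil // recovery KMS path: no auth method involved
	}
	id := cfg.AuthMethodID
	if id == "" {
		var err error
		if id, err = lookup("global"); err != nil {
			return "", fmt.Errorf("error looking up primary auth method for scope ID: 'global': %w", err)
		}
	}
	// Only a password login needs the ampw prefix; OIDC ids are fine otherwise.
	if cfg.PasswordCreds && !strings.HasPrefix(id, prefixPassword+"_") {
		return "", fmt.Errorf("got '%s' but password login requires an auth method prefix of '%s'", id, prefixPassword)
	}
	return id, nil
}

func main() {
	// Constructed lookup standing in for a scope whose primary auth method is OIDC.
	oidcPrimary := func(string) (string, error) { return "amoidc_constructed123", nil }
	cfg := ProviderConfig{RecoveryKmsHcl: `kms "awskms" { purpose = "recovery" }`}
	id, err := ResolveAuthMethod(cfg, oidcPrimary)
	fmt.Println(id == "", err) // true <nil>
}
```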

elimt commented

A new version (v.1.1.7) of boundary terraform provider has been released to address this issue. Please upgrade and let us know if that addresses your issue.

> A new version (v.1.1.7) of boundary terraform provider has been released to address this issue. Please upgrade and let us know if that addresses your issue.

The issue is resolved using the provider of version 1.1.7.

Thanks for the quick fix. Much appreciated!)