Add support for default_auth sys backend resource

[Siddharth-Kannan]

Description

Implemented vault_config_ui_default_auth resource for /sys/config/ui/login/default-auth/{name}. supports CRUD operations from administrative and root namespaces. Added acceptance test cases for the same. This endpoint only has support from version 1.20.0+ent. versions prior to this are skipped during testing.
NOTE: Acceptance test cases are only for root namespaces, adding acceptance test cases can cause issues with the GitHub CI. Tested manually. added screenshot to acceptance tests for reference. (acceptance tests were run on versions 1.15.0+ent to 1.21.0+ent)

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

% go test -v -count=1 -run TestAccConfigUIDefaultAuth ./internal/vault/sys/config

=== RUN   TestAccConfigUIDefaultAuth
    ui_default_auth_test.go:29: Vault server version "1.21.0+ent"
--- PASS: TestAccConfigUIDefaultAuth (1.94s)
=== RUN   TestAccConfigUIDefaultAuthMinimal
    ui_default_auth_test.go:68: Vault server version "1.21.0+ent"
--- PASS: TestAccConfigUIDefaultAuthMinimal (1.26s)
=== RUN   TestAccConfigUIDefaultAuthWithNamespacePath
    ui_default_auth_test.go:93: Vault server version "1.21.0+ent"
--- PASS: TestAccConfigUIDefaultAuthWithNamespacePath (1.18s)
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/github
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/jwt
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/ldap
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/oidc
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/okta
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/radius
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/saml
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/token
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
=== RUN   TestAccConfigUIDefaultAuthAllAuthTypes/userpass
    ui_default_auth_test.go:123: Vault server version "1.21.0+ent"
--- PASS: TestAccConfigUIDefaultAuthAllAuthTypes (8.55s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/github (0.96s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/jwt (0.89s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/ldap (0.90s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/oidc (1.05s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/okta (0.91s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/radius (0.98s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/saml (0.95s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/token (0.90s)
    --- PASS: TestAccConfigUIDefaultAuthAllAuthTypes/userpass (1.00s)
=== RUN   TestAccConfigUIDefaultAuthConfigNotFound
    ui_default_auth_test.go:148: Vault server version "1.21.0+ent"
--- PASS: TestAccConfigUIDefaultAuthConfigNotFound (1.75s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/sys/config 15.281s

...

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.

• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

• If applicable, I've documented the impact of any changes to security controls.

  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

[Copilot]

Pull request overview

Adds support in the Terraform Vault provider for managing Vault UI “default auth” login configuration via the /sys/config/ui/login/default-auth/{name} endpoint (Enterprise-only, Vault 1.20.0+), including documentation and acceptance tests.

Changes:

• Introduces vault_config_ui_default_auth resource implementation (CRUD + import support).
• Adds acceptance tests for the new resource across supported auth types and scenarios.
• Adds provider registration, constants, CHANGELOG entry, and website documentation for the resource.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
internal/vault/sys/config/ui_default_auth.go	Implements the vault_config_ui_default_auth resource (schema + CRUD + import).
internal/vault/sys/config/ui_default_auth_test.go	Adds acceptance test coverage for CRUD/import and various auth type values.
website/docs/r/config_ui_default_auth.html.md	Adds end-user docs, examples, arguments/attributes, and import notes.
internal/provider/fwprovider/provider.go	Registers the new framework resource with the provider.
internal/consts/consts.go	Adds new field constants used by the resource/tests.
CHANGELOG.md	Adds an unreleased FEATURES entry announcing the new resource.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[siyer-corp]

Can we simplify this as ValueBool already handles nulls?

[siyer-corp]

Do we have tests covering these scenarios?

[siyer-corp]

This would need to be moved to the Unreleased section once changes are merged from main.