Vault Userpass auth method initial implementation

[harshit-nema]

Description

The PR contains initial implementation of Vault Userpass auth method. It introduces :

• vault_userpass_auth_backend_user for managing Userpass users (Creating/Deletion) along with policy and password update capabilities.

• vault_userpass_auth_login as an ephemeral resource for authenticating with Userpass and using ephemeral token data during Terraform operations.

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'
$TF_ACC=1 go test -v ./internal/vault/auth/userpass -run TestAccUserpassAuthBackendUser 
$TF_ACC=1 go test -v ./internal/vault/auth/userpass -run TestAccUserpassAuthLogin
...

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.

• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

• If applicable, I've documented the impact of any changes to security controls.

  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

[Copilot]

Pull request overview

Initial implementation of Vault’s Userpass auth method support in the Terraform Vault provider, adding management of Userpass users and an ephemeral login mechanism for short-lived tokens during Terraform operations.

Changes:

• Added vault_userpass_auth_backend_user resource (create/delete user; manage token-related settings; support password updates including bcrypt hash in Vault 1.17+).
• Added vault_userpass_auth_login ephemeral resource to authenticate via Userpass and expose token details without storing the token in state.
• Registered the new resource/ephemeral resource with the framework provider and added acceptance tests + docs + changelog entry.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
website/docs/r/userpass_auth_backend_user.md	New docs for the Userpass user resource (examples, arguments, import)
website/docs/ephemeral-resources/userpass_auth_login.md	New docs for the Userpass login ephemeral resource
internal/vault/auth/userpass/user_resource.go	Implements the Userpass user resource using the Plugin Framework
internal/vault/auth/userpass/user_resource_test.go	Acceptance tests for the Userpass user resource
internal/vault/auth/userpass/login_ephemeral_resource.go	Implements the Userpass login ephemeral resource with token revocation on close
internal/vault/auth/userpass/login_ephemeral_resource_test.go	Acceptance tests for the login ephemeral resource
internal/provider/fwprovider/provider.go	Registers the new resource + ephemeral resource
internal/consts/consts.go	Adds the password_hash_wo field constant
CHANGELOG.md	Adds a feature entry for Userpass auth support

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sanvikam79]

Instead of only checking that  is non-null, can we verify the actual expected value here?
check in all places where policies used for the same

[harshit-nema]

Setting the expected value check in Policy field. Other fields where values are obtained in the response from vault end like 'renewable' and 'lease_duration', better not provide value check, as if there is any change in default values, these test cases will fail in future.

[tejashwiniingalagi]

this seems be to duplicate with line 137. Could you remove either of one

[harshit-nema]

Code is refactored. Placing common code in helper function.

[tejashwiniingalagi]

Do we also need a test to verify behavior when password changes without incrementing version counter.

[harshit-nema]

Added test to verify the behaviour when password changes without version increment.

[siyer-corp]

Can we check how this is handled in Vault side?

[harshit-nema]

Validation check as present in Vault side implemented.

[siyer-corp]

Is there a reason why password and poilcy updates are handled in the user resource? It looks like these are calling different endpoints.

[harshit-nema]

Password and policy updates are still part of the Userpass user lifecycle, so handling them in the user resource looks to be the appropriate design.

[siyer-corp]

We are calling a sub-path in the API endpoint, not the one that Update calls. The password on the user resource should probably be Create Only if that's how it's designed in vault. And the user will need to use the sub-path to udpate the password.

[harshit-nema]

Redudant sub-endponits call removed.