breaking: the dependency vault has been updated to a new major version (4.8.0), which may include breaking changes. #major #459

Open
public-glueops-renovatebot[bot] wants to merge 1 commit into main from renovate/vault-4.x

public-glueops-renovatebot bot commented Sep 17, 2025

This PR contains the following updates:

Package | Type | Update | Change
vault (source) | required_provider | major | 3.25.0 -> 4.8.0

Release Notes

hashicorp/terraform-provider-vault (vault)

v4.8.0

FEATURES:

  • Add support for recursive search in data_vault_namespaces #​2408
  • Add support for subscribe_event_types in data_source_policy_document #​2445
  • Add support for explicit_max_ttl in vault_azure_secret_backend_role resources. Requires Vault 1.18+ (#​2438).

BUGS:

  • Fix credential validation failures in vault_azure_access_credentials data source caused by Azure RBAC propagation delays using azure_groups #​2437

v4.7.0

FEATURES:

  • Update vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate to support the new fields for the name constraints extension. Requires Vault 1.19+ (#​2396).
  • Update vault_pki_secret_backend_issuer resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ (#​2400).
  • Add support for certificate revocation with revoke_with_key in vault_pki_secret_backend_cert (#​2242)
  • Add support for signature_bits field to vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_cert_request (#2401)
  • Add support for key_usage and serial_number to vault_pki_secret_backend_intermediate_cert_request (#2404)
  • Add support for skip_import_rotation in vault_database_secret_backend_static_role. Requires Vault Enterprise 1.18.5+ (#​2386).
  • Add support for not_after in vault_pki_secret_backend_cert, vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign (#​2385).
  • Update vault_pki_secret_backend_config_acme to support the max_ttl field. #​2411
  • Add new data source vault_ssh_secret_backend_sign. (#​2409)
  • Add support for disabled_validations in vault_pki_secret_backend_config_cmpv2 #​2412
  • Add credential_type and credential_config to database_secret_backend_static_role to support features like rsa keys for Snowflake DB engines with static roles #​2384
  • Add support for missing parameters to vault_pki_secret_backend_root_sign_intermediate: not_before_duration, skid and use_pss #​2417
  • Add support for use_pss, no_store_metadata, and serial_number_source to vault_pki_secret_backend_role #​2420
  • Add support for Transit sign and verify endpoints (#​2418)
  • Add new data source vault_pki_secret_backend_cert_metadata and support for cert_metadata in vault_pki_secret_backend_cert and vault_pki_secret_backend_sign #​2422
  • Add support for max_crl_entries in vault_pki_secret_backend_crl_config #​2423
  • Add support for new Automated Root Rotation parameters in several plugins. Requires Vault Enterprise 1.19.0+.
  • Add new resource vault_pki_secret_backend_config_auto_tidy to set PKI automatic tidy configuration #​1934
  • Add support for cross-account management of static roles in AWS Secrets: (#​2413)

BUGS:

  • Do not panic on Vault PKI roles without the cn_validations field: (#​2398)

IMPROVEMENTS:

  • Update pki_secret_backend_crl_config to be more resilient to unknown response fields (#2429)

v4.6.0

FEATURES:

  • Update vault_kubernetes_auth_backend_role to support bound_service_account_namespace_selector, enabling the use of namespace selectors for allowing Kubernetes namespaces to access roles. (#​2379)
  • Update vault_database_secret_backend_connection to support password_authentication for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL (#2371)
  • Add support for external_id field for the vault_aws_auth_backend_sts_role resource (#​2370)
  • Add support for ACME configuration with the vault_pki_secret_backend_config_acme resource. Requires Vault 1.14+ (#​2157).
  • Update vault_pki_secret_backend_role to support the cn_validations role field (#​1820).
  • Add new resource vault_pki_secret_backend_acme_eab to manage PKI ACME external account binding tokens. Requires Vault 1.14+. (#​2367)
  • Add new data source and resource vault_pki_secret_backend_config_cmpv2. Requires Vault 1.18+. Available only for Vault Enterprise (#​2330)

IMPROVEMENTS:

  • Support the event subscribe policy capability for vault_policy_document data source (#​2293)

v4.5.0

FEATURES:

  • Update vault_database_secret_backend_connection to support inline TLS config for PostgreSQL (#​2339)
  • Update vault_database_secret_backend_connection to support skip_verification config for Cassandra (#​2346)
  • Update vault_approle_auth_backend_role_secret_id to support num_uses and ttl fields (#​2345)
  • Add support for allow_empty_principals field for the vault_ssh_secret_backend_role resource (#​2354)
  • Update vault_gcp_secret_impersonated_account to support setting ttl (#​2318)
  • Add support for connection_timeout field for the vault_ldap_auth_backend resource (#​2358)
  • Add support for Rootless Configuration for Static Roles to Postgres DB (#​2341)
  • Add support for use_annotations_as_alias_metadata field for the vault_kubernetes_auth_backend_config resource (#​2226)

BUGS:

  • Remove consul secret backend role from state if not found on vault: (#​2321)

v4.4.0

FEATURES:

  • Update vault_aws_secret_backend_role to support setting session_tags and external_id (#​2290)

BUGS:

  • fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#​2308)
  • fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#​2289)

v4.3.0

FEATURES:

  • Add support for iam_tags in vault_aws_secret_backend_role (#​2231).
  • Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+ (#2133).
  • Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2249).
  • Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2250)
  • Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#​2243).
  • Add support for new WIF fields in vault_gcp_auth_backend (#​2256)
  • Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#​2254).
  • Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#​2246)
  • Support missing token parameters on vault_okta_auth_backend resource: (#​2210)
  • Add support for max_retries in vault_aws_auth_backend_client: (#​2270)
  • Add new resources vault_plugin and vault_plugin_pinned_version: (#​2159)
  • Add key_type and key_bits to vault_ssh_secret_backend_ca: (#​1454)

IMPROVEMENTS:

  • return a useful error when delete fails for the vault_jwt_auth_backend_role resource: (#2232)

BUGS:

  • Remove dependency on github.com/hashicorp/vault package: (#​2251)
  • Add missing custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#​2247)
  • Fix handling of 0 value within field max_path_length in vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate resources (#​2253)

v4.2.0

FEATURES:

  • Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#​2202)
  • Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#​2180).
  • Add new data source vault_namespace. Requires Vault Enterprise: (#​2208).
  • Add new data source vault_namespaces. Requires Vault Enterprise: (#​2212).

IMPROVEMENTS:

  • Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#​2202)

BUGS:

  • fix vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#​2204)
  • fix vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#​2207)
  • fix vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#​2207)

v4.1.0

CHANGES TO VAULT POLICY REQUIREMENTS:

  • Important: This release requires read policies to be set at the path level for mount metadata.
    The v4.0.0 release required read permissions at sys/auth/:path which was a
    sudo endpoint. The v4.1.0 release changed that to instead require permissions
    at the sys/mounts/auth/:path level and sudo is no longer required. Please
    refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

  • Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#​2154).

IMPROVEMENTS:

  • do not require sudo permissions for auth read operations (#​2198)

BUGS:

  • fix vault_azure_access_credentials to default to Azure Public Cloud (#​2190)

v4.0.0

Important: This release requires read policies to be set at the path level for mount metadata.
For example, instead of permissions at sys/auth you must set permissions at
the sys/auth/:path level. Please refer to the details in the
Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

  • Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#​1949).
  • Add support to enable_templating in vault_pki_secret_backend_config_urls (#​2147).
  • Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#​2128).
  • Improve logging to track full API exchanges between the provider and Vault (#​2139)
  • Add new vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#​2159)

IMPROVEMENTS:

  • Improve performance of READ operations across many resources: (#​2145), (#​2152)
  • Add the metadata version in returned values for vault_kv_secret_v2 data source: (#​2095)
  • Add new secret sync destination fields: (#​2150)

BUGS:

  • Handle graceful destruction of resources when approle is deleted out-of-band (#​2142).
  • Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role (#​2156).
  • Ensure proper use of issuer endpoints for root sign intermediate resource: (#​2160)
  • Fix issuer data overwrites on updates: (#​2186)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
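
A pre-merge check for the policy change described in the v4.0.0 and v4.1.0 notes above (an added example, not part of this PR or the provider's code): it parses a Vault policy and reports the auth mounts for which the Terraform token lacks `read` on `sys/mounts/auth/:path`. The sample policy and mount names are constructed, and only exact paths and trailing-`*` globs are handled.

```python
import re

# Constructed sample policy for the token Terraform authenticates with.
# The mount names (kubernetes, approle, oidc) are hypothetical.
SAMPLE_POLICY = '''
path "sys/auth/*" {
  capabilities = ["read", "sudo"]
}
path "sys/mounts/auth/kubernetes" {
  capabilities = ["read"]
}
path "sys/mounts/auth/approle*" {
  capabilities = ["list"]
}
'''

STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)

def parse_policy(text):
    """Return {path_pattern: set(capabilities)} from simple path stanzas."""
    rules = {}
    for pattern, caps in STANZA.findall(text):
        if "+" in pattern:
            raise ValueError(f"'+' segment wildcards not handled: {pattern}")
        rules.setdefault(pattern, set()).update(re.findall(r'"(\w+)"', caps))
    return rules

def effective_caps(rules, path):
    """Capabilities of the most specific stanza matching `path`:
    an exact match wins, otherwise the longest trailing-* prefix."""
    if path in rules:
        return rules[path]
    globs = [p for p in rules if p.endswith("*") and path.startswith(p[:-1])]
    return rules[max(globs, key=len)] if globs else set()

def missing_mount_reads(policy_text, auth_mounts):
    """Auth mounts whose metadata the provider (v4.1.0+) could not read."""
    rules = parse_policy(policy_text)
    missing = []
    for mount in auth_mounts:
        caps = effective_caps(rules, f"sys/mounts/auth/{mount}")
        if "read" not in caps or "deny" in caps:
            missing.append(mount)
    return missing

if __name__ == "__main__":
    print(missing_mount_reads(SAMPLE_POLICY, ["kubernetes", "approle", "oidc"]))
```

A grant on `sys/auth/*` alone, the v4.0.0-style path, does not satisfy the check, which is the gap to close before merging a jump from 3.25.0 to 4.8.0.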

public-glueops-renovatebot bot changed the title from "breaking: the dependency vault has been updated to a new major version (v4.8.0), which may include breaking changes. #major" to "breaking: the dependency vault has been updated to a new major version (4.8.0), which may include breaking changes. #major" on Sep 17, 2025
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 5 times, most recently from d0c058f to 650550c, on September 24, 2025 20:16
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 16 times, most recently from 52833c3 to 55f00ad, on October 12, 2025 06:58
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 5 times, most recently from a1fb16d to 33fada5, on October 29, 2025 18:47
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 2 times, most recently from 02b7788 to a6f8a88, on November 1, 2025 02:42
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 6 times, most recently from 28788a6 to 38189fc, on November 17, 2025 22:15
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 4 times, most recently from f7f8ce2 to 090b3b3, on January 20, 2026 16:16
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 4 times, most recently from c1d39ce to 5901c0e, on January 30, 2026 16:19
public-glueops-renovatebot bot force-pushed the renovate/vault-4.x branch 2 times, most recently from e7a3a94 to 226e9a2, on February 11, 2026 19:11
…ion (4.8.0), which may include breaking changes. #major