breaking: the dependency vault has been updated to a new major version (5.8.0), which may include breaking changes. #major #460
Open
public-glueops-renovatebot[bot] wants to merge 1 commit into main from
This PR contains the following updates:
3.25.0 → 5.8.0
Release Notes
hashicorp/terraform-provider-vault (vault)
v5.8.0 Compare Source
FEATURES:
- vault_cf_auth_backend_config and vault_cf_auth_backend_role resources, and vault_cf_auth_login ephemeral resource for short-lived Vault tokens.
- vault_kmip_secret_ca_generated, vault_kmip_secret_ca_imported, vault_kmip_secret_listener, and add support for the ca field in vault_kmip_secret_role: (#2773)
- vault_secrets_sync_azure_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience, identity_token_audience_wo_version, identity_token_ttl, and identity_token_key to enable token-based authentication with Azure. Requires Vault 2.0.0+. (#2790)
- vault_secrets_sync_aws_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience, identity_token_ttl, and identity_token_key to enable token-based authentication with AWS. Requires Vault 2.0.0+. (#2792)
- vault_secrets_sync_gcp_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience_wo, identity_token_audience_wo_version, identity_token_ttl, identity_token_key_wo, identity_token_key_wo_version and service_account_email to enable token-based authentication with GCP. Requires Vault 2.0.0+. (#2798)
- vault_generic_secret (#2735)
- vault_terraform_token, by @drewmullen (#2616)
IMPROVEMENTS:
- vault_managed_keys: Add support for GCP Cloud KMS managed keys with parameters: credentials, project, key_ring, region, crypto_key, crypto_key_version, and algorithm. (#2769)
- vault_okta_auth_backend: Add support for write-only field api_token_wo with version counters to prevent sensitive credentials from being stored in Terraform state. Deprecate organization and token and replace with org_name and api_token respectively in vault_okta_auth_backend resource. (#2736)
- vault_kubernetes_secret_backend_role: Add support for token_default_audiences field to configure default audiences for generated Kubernetes tokens. Requires Vault 1.15+. (#2722)
- vault_raft_snapshot_agent_config: Add support for azure_auth_mode and azure_client_id fields for Azure Managed Identity authentication (Vault Enterprise 1.18.0+), and autoload_enabled field for automatic snapshot restoration (Vault Enterprise 1.21.0+). (#2758)
- vault_ssh_secret_backend_role: Add support for fields (default_extensions_template, exclude_cidr_list, port) and improve handling of key-type-specific fields (default_extensions, default_extensions_template, exclude_cidr_list, port) to prevent drift. Fields that are not applicable to a role's key type (CA or OTP) are now conditionally set in state only when returned by Vault, preventing perpetual drift when users configure fields that Vault ignores. CA key type supports: default_extensions, default_extensions_template. OTP key type supports: port, exclude_cidr_list. (#2747)
- vault_pki_secret_backend_root_cert and resource_pki_secret_backend_sign. (#2760)
- vault_pki_secret_backend_root_cert: Add support for use_pss and key_usage fields to configure PSS signature scheme and X.509 key usage constraints for root CA certificates. Requires Vault 1.18.0+ and 1.19.2+ respectively. (#2754)
- vault_pki_secret_backend_root_sign_intermediate: Add version check for key_usage field to ensure compatibility with Vault 1.19.2+ for configuring X.509 key usage constraints on intermediate CA certificates. (#2754)
- provider/auth_jwt: Add support for distributed_claim_access_token field in the auth_login_jwt configuration block. (#2782)
- vault_database_secret: Add support for additional credential types (rsa_private_key, client_certificate, private_key, private_key_type) in the ephemeral resource to support all database credential types available in Vault's database secrets engine. (#2767)
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
- github.com/aws/aws-sdk-go-v2 v1.32.5 -> v1.41.3
- github.com/aws/aws-sdk-go-v2/service/iam v1.38.1 -> v1.53.5
- github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 -> v1.41.8
- github.com/aws/smithy-go v1.22.1 -> v1.24.2
- github.com/coreos/pkg v0.0.0-20230601102743-20bbbf26f4d8 -> v0.0.0-20240122114842-bbd7aa9bf6fb
- github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
- github.com/googleapis/enterprise-certificate-proxy v0.3.12 -> v0.3.14
- github.com/hashicorp/consul/api v1.33.0 -> v1.33.4
- github.com/hashicorp/go-secure-stdlib/awsutil/v2 v2.1.1 -> v2.1.2
- github.com/hashicorp/terraform-plugin-framework v1.16.1 -> v1.19.0
- github.com/hashicorp/terraform-plugin-go v0.29.0 -> v0.31.0
- github.com/hashicorp/terraform-plugin-mux v0.21.0 -> v0.23.0
- github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1 -> v2.40.0
- github.com/hashicorp/terraform-plugin-testing v1.13.3 -> v1.15.0
- github.com/hashicorp/vault-plugin-auth-oci v0.20.0 -> v0.20.1
- github.com/hashicorp/vault/sdk v0.22.0 -> v0.23.0
- github.com/spiffe/go-spiffe/v2 v2.5.0 -> v2.6.0
- golang.org/x/crypto v0.45.0 -> v0.49.0
- golang.org/x/net v0.47.0 -> v0.52.0
- golang.org/x/oauth2 v0.31.0 -> v0.36.0
- golang.org/x/sync v0.19.0 -> v0.20.0
- golang.org/x/sys v0.41.0 -> v0.42.0
- golang.org/x/text v0.34.0 -> v0.35.0
- golang.org/x/time v0.14.0 -> v0.15.0
- golang.org/x/tools v0.41.0 -> v0.42.0
- google.golang.org/api v0.251.0 -> v0.271.0
- google.golang.org/genproto v0.0.0-20250603155806-513f23925822 -> v0.0.0-20260311181403-84a4fc48630c
- google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260226221140-a57be14db171
- google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d -> v0.0.0-20260226221140-a57be14db171
- google.golang.org/grpc v1.79.1 -> v1.79.2
- hashicorp/setup-terraform v3 -> v4
- github.com/cloudflare/circl v1.6.1 -> v1.6.3
- filippo.io/edwards25519 v1.1.0 -> v1.1.1
- k8s.io/utils v0.0.0-20240102154912-e7106e64919e -> v0.0.0-20260210185600-b8788abfbbc2
BUGS:
- vault_ldap_auth_backend resource. (#2813)
v5.7.0 Compare Source
FEATURES:
- vault_approle_auth_backend_role_secret_id - Generate AppRole SecretIDs on-demand with automatic cleanup. Requires Terraform 1.10+. (#2745)
- vault_kubernetes_service_account_token: (#2712)
IMPROVEMENTS:
- vault_kmip_secret_role: Add support for additional KMIP operation fields (operation_import, operation_query, operation_encrypt, operation_decrypt, operation_create_key_pair, operation_delete_attribute, operation_rng_retrieve, operation_mac, operation_signature_verify, operation_sign, operation_rng_seed, operation_modify_attribute, operation_mac_verify, operation_rekey_key_pair) to grant granular permissions for KMIP operations. (#2744)
- vault_saml_auth_backend: Add support for validate_assertion_signature and validate_response_signature parameters to control SAML signature validation (Vault 1.19+)
- vault_approle_auth_backend_login: Add write-only fields secret_id_wo and secret_id_wo_version to support ephemeral SecretID values without persisting them in state. (#2745)
- vault_password_policy: Add field entropy_source field to specify an override to the default source of entropy (randomness) used to generate the passwords. (#2753)
- vault_mfa_totp: Add support for max_validation_attempts field to configure the maximum number of consecutive failed validation attempts allowed. (#2751)
- vault_mongodbatlas_secret_backend: Add support for write-only private key fields (private_key_wo, private_key_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#2741)
- vault_consul_secret_backend: Add support for write-only fields (token_wo, token_wo_version, client_key_wo, client_key_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#2730)
- vault_azure_auth_backend_config: Add support for write-only client secret fields (client_secret_wo, client_secret_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#2726)
- vault_azure_secret_backend: Add support for write-only client_secret_wo and client_secret_wo_version fields to configure the client secret without storing it in state. Requires Terraform 1.11+. (#2721)
- vault_aws_secret_backend: Add write-only secret_key_wo and secret_key_wo_version fields to allow configuring the AWS secret key without storing it in Terraform state (#2713)
- vault_gcp_auth_backend: Add write-only credential support via credentials_wo and credentials_wo_version fields (#2724)
- vault_ldap_auth_backend: Add write-only field support for bindpass via bindpass_wo and bindpass_wo_version attributes (#2716)
- vault_ldap_secret_backend: Add write-only field support for bindpass via bindpass_wo and bindpass_wo_version attributes (#2719)
- vault_aws_auth_backend_client: Add write-only field support for secret_key (secret_key_wo and secret_key_wo_version) to prevent sensitive AWS credentials from being stored in Terraform state. (#2717)
- vault_jwt_auth_backend: Add support for write-only oidc_client_secret_wo and oidc_client_secret_wo_version fields to prevent storing sensitive OIDC client secrets in Terraform state. (#2714)
- vault_cert_auth_backend_role: Add support for ocsp_max_retries and ocsp_this_update_max_age fields for OCSP configuration. Requires Vault 1.16+. (#2749)
- vault_kubernetes_auth_backend_config: Add support for write-only token_reviewer_jwt_wo field with token_reviewer_jwt_wo_version to prevent sensitive JWT token from being stored in Terraform state (#2715)
- vault_kubernetes_secret_backend: Add write-only fields service_account_jwt_wo and service_account_jwt_wo_version for managing service account JWT credentials without storing them in state. (#2720)
- vault_nomad_secret_backend: Add support for write-only fields token_wo and client_key_wo with version counters to prevent sensitive credentials from being stored in Terraform state. (#2729)
- Add support for fields: context, managed_key_name, managed_key_id in vault_transit_secret_backend_key resource. (#2743)
- vault_rabbitmq_secret_backend: Add support for write-only password_wo and password_wo_version fields to configure the password without storing it in state. Requires Terraform 1.11+. (#2733)
- vault_approle_auth_backend_role_secret_id: Add support for token_bound_cidrs parameter to specify blocks of IP addresses which can use the auth tokens generated by a SecretID. (#2718)
- vault_secrets_sync_gcp_destination: Add support for replication field (replication_locations; Vault 1.18+), networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking; Vault 1.19+), and encryption fields (global_kms_key, locational_kms_keys; Vault 1.19+) in vault_secrets_sync_gcp_destination resource. (#2699)
- Add support for networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking) in vault_secrets_sync_azure_destination resource. Requires Vault 1.19+. (#2702)
- vault_database_secret_backend_connection: Add support for MongoDB write_concern parameter and TLS parameters (tls_ca, tls_certificate_key) (#2678)
- Add support for username_template parameter in vault_database_secret_backend_connection and vault_database_secrets_mount resource for MongoDB Atlas (#2674)
- Add support for username_template parameter in vault_database_secret_backend_connection and vault_database_secrets_mount resources for HANADB connections: (#2671)
- Add support for networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking) in vault_secrets_sync_vercel_destination resource. Requires Vault 1.19+. (#2681)
- Add support for configuration parameters (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking, secrets_location, environment_name) in vault_secrets_sync_gh_destination resource. Requires Vault 1.18+ for secrets_location, environment_name. Requires Vault 1.19+ for allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking. (#2697).
- Add support for tls_server_name, local_datacenter, socket_keep_alive, consistency and username_template parameters for Cassandra in vault_database_secret_backend_connection resource. (#2677)
- vault_secrets_sync_aws_destination: Add support for networking configuration parameters allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, and disable_strict_networking to control outbound connections from Vault to AWS Secrets Manager. Requires Vault 1.19.0+. (#2698)
- Updated dependencies: github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 -> v2.1.1
- Docs: fix heredoc example for LDAP dynamic role LDIFs (#2728)
- Docs: Update example to use write-only attribute (#2731)
- vault_database_secret_backend_connection: Add support for top-level plugin_version and password_policy fields to allow configuration at the resource level in addition to engine-specific blocks. (#2748)
- vault_database_secret_backend_connection: Add support for skip_static_role_import_rotation field to skip initial password rotation when creating static roles. This value is inherited by static roles that do not explicitly set skip_import_rotation. Requires Vault 1.19+ Enterprise. (#2748)
- vault_database_secret_backend_static_role: The skip_import_rotation field now correctly reads Vault's computed value into state. When not set in config, it inherits from the connection's skip_static_role_import_rotation setting. Requires Vault 1.19+ Enterprise. (#2748)
- vault_database_secret_mount: Added plugin_version, skip_static_role_import_rotation and password_policy fields to allow configuration at the resource level (#2748)
- Add support for local_secret_ids which may only be set at role creation. On updates the provider will send the original creation value to Vault to avoid unintentionally attempting to modify this immutable setting. The provider now surfaces Vault's native immutability error when an update attempts to change local_secret_ids. (#2723)
BUGS:
- provider/auth_login_aws: Fix issue where AWS authentication with IAM role assumption (aws_role_arn) was not working correctly due to incorrect credential handling (#2679)
v5.6.0 Compare Source
FEATURES:
IMPROVEMENTS:
BUGS:
v5.5.0 Compare Source
BEHAVIOR CHANGES: With v5.5.0, the default value for deny_null_bind in the vault_ldap_auth_backend resource has changed from false to true to match with the Vault API defaults. Configurations that do not explicitly set deny_null_bind will now have it set to true upon upgrade, and customers should verify that this change aligns with their intended LDAP authentication behavior. Furthermore, customers should also consider upgrading to Vault Community Edition 1.21.1 and Vault Enterprise 1.21.1, 1.20.6, 1.19.12, and 1.16.28, which no longer allow Vault to perform unauthenticated or null binds against the LDAP server.
SECURITY:
- vault_ldap_auth_backend: Fix incorrect deny_null_bind default. Set deny_null_bind to true if not provided in configuration (#2622) (CVE-13357, HCSEC-2025-33)
FEATURES:
- alias_metadata field in auth resources (#2547)
- not_before_duration field in vault_pki_secret_backend_root_cert (#2664)
IMPROVEMENTS:
- golang.org/x/crypto v0.41.0 -> v0.45.0
- golang.org/x/net v0.43.0 -> v0.47.0
- golang.org/x/mod v0.26.0 -> v0.29.0
- golang.org/x/sync v0.16.0 -> v0.18.0
- golang.org/x/sys v0.35.0 -> v0.38.0
- golang.org/x/text v0.28.0 -> v0.31.0
- golang.org/x/tools v0.35.0 -> v0.38.0
v5.4.0 Compare Source
BEHAVIOR CHANGES: Please refer to the upgrade topics in the guide for details on all behavior changes.
FEATURES:
- vault_terraform_cloud_secret_role to support multi-team tokens, by @drewmullen (#2498)
- tune in vault_saml_auth_backend resource (#2566)
- tune in vault_ldap_auth_backend and vault_okta_auth_backend resources (#2602)
- allowed_sts_header_values parameter in vault_aws_auth_backend_client resource to specify additional headers allowed in STS requests
- vault_gcp_secret_backend to support ttl and max_ttl, by @vijayavelsekar (#2627)
- request_timeout, dereference_aliases, enable_samaccountname_login and anonymous_group_search parameters in vault_ldap_auth_backend resource. (#2634)
- max_retries parameter in vault_aws_secret_backend resource. (#2623)
- iam_alias, iam_metadata, gce_alias and gce_metadata fields in vault_gcp_auth_backend resource (#2636)
- role_id field in vault_gcp_auth_backend_role resource (#2636)
- max_retries, retry_delay, max_retry_delay) to vault_azure_auth_backend_config resource for Azure API request resilience (#2629)
- vault_spiffe_auth_backend_config and vault_spiffe_auth_backend_role (#2620)
- mfa_serial_number parameter in vault_aws_secret_backend_role resource. (#2637)
- persist_app parameters in vault_azure_secret_backend_role resource. (#2642)
BUGS:
- vault_pki_secret_backend_crl_config resource to allow disabling flags previously set to true (#2615)
- vault_jwt_auth_backend resource (#2560)
- vault_github_auth_backend and vault_auth_backend resources (#2565)
- vault_saml_auth_backend resource (#2566)
- vault_gcp_auth_backend and vault_oci_auth_backend resources (#2596)
v5.3.0 Compare Source
FEATURES:
- credential_type field in the vault_ldap_secret_backend resource (#2548)
IMPROVEMENTS:
BUGS:
- azure_secret_backend_role to prevent persistent diff for null value on max_ttl and explicit_max_ttl argument (#2581)
v5.2.1 Compare Source
BUGS:
- auth_login_gcp field constraint on field credentials, service_account
- auth_login_azure field constraint on field vmss_name, tenant_id, client_id, scope
- auth_login_kerberos field constraint on fields username, service, realm, krb5conf_path, keytab_path, disable_fast_negotiation, remove_instance_name
- auth_login_userpass field constraint on field password_file
- auth_login field constraint on field use_root_namespace
v5.2.0 Compare Source
FEATURES:
- jwks_pairs in vault_jwt_auth_backend resource. Requires Vault 1.16+ (#2523)
- root_password_ttl in vault_azure_secret_backend resource. Requires Vault 1.15+ (#2529)
- vault_oci_auth_backend and vault_oci_auth_backend_role to manage OCI auth backend and roles. (#1761)
- log_level in vault_pki_secret_backend_config_scep resource. Requires Vault 1.20.1+ (#2525)
IMPROVEMENTS:
- golang.org/x/oauth2 v0.24.0 -> v0.30.0
- github.com/cloudflare/circl v1.3.7 -> v1.6.1
- github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
- github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.2
- github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
- cloud.google.com/go/iam v1.2.2 -> v1.5.2
- cloud.google.com/go/compute/metadata v0.6.0 -> v0.8.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.18.2
- github.com/aws/aws-sdk-go v1.55.6 -> v1.55.8
- github.com/go-sql-driver/mysql v1.8.1 -> v1.9.3
- github.com/hashicorp/consul/api v1.27.0 -> v1.32.1
- github.com/hashicorp/terraform-plugin-framework v1.14.1 -> 1.15.1
- github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 -> v0.18.0
- hashicorp/ghaction-terraform-provider-release v4.0.1 -> v5.0.0
BUGS:
- vault_gcp_secret_backend resource. (#2549)
- VAULT_NAMESPACE was not being honored, causing child namespaces to be created in the root namespace instead (#2540)
v5.1.0 Compare Source
FEATURES:
- Add support for key_usage to vault_pki_secret_backend_root_sign_intermediate (#2421)
- Add private_key_wo and private_key_wo_version fields to Snowflake DB secrets engine config (#2508)
- Add support for group_by and secondary_rate on resource vault_quota_rate_limit. Requires Vault Enterprise 1.20.0+ (#2476)
- Add support for Transit CMAC endpoint (#2488)
- Add new resource vault_scep_auth_backend_role to manage roles in a SCEP auth backend. #2479.
- Add new datasource and resource vault_pki_secret_backend_config_scep for PKI SCEP configuration. #2487.
v5.0.0 Compare Source
Important: 5.X multiplexes the Vault provider to use the Terraform Plugin Framework, upgrades to Terraform 1.11.x, and adds support for Ephemeral Resources and Write-Only attributes. Please refer to the Terraform Vault Provider 5.0.0 Upgrade Guide for specific details around the changes.
VERSION COMPATIBILITY:
- 5.X is officially supported and tested against Vault server versions >=1.15.x.
- 5.X supports Terraform versions >=1.11.x in order to support ephemeral resources and write-only attributes.
BREAKING CHANGES:
Please refer to the upgrade topics in the guide for details on all breaking changes.
FEATURES:
- vault_kv_secret_v2
- vault_database_secret
- data_json_wo (along with data_json_wo_version) to resource vault_kv_secret_v2
- credentials_wo, (along with credentials_wo_version) to resource vault_gcp_secret_backend
- password_wo, (along with password_wo_version to resource) vault_database_secret_backend_connection
BUGS:
- vault_policy_document data source regression to allow empty capabilities (#2466)
v4.8.0 Compare Source
FEATURES:
- recursive search in data_vault_namespaces #2408
- subscribe_event_types in data_source_policy_document #2445
- explicit_max_ttl in vault_azure_secret_backend_role resources. Requires Vault 1.18+ (#2438).
BUGS:
- vault_azure_access_credentials data source caused by Azure RBAC propagation delays using azure_groups #2437
v4.7.0 Compare Source
FEATURES:
- vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate to support the new fields for the name constraints extension. Requires Vault 1.19+ (#2396).
- vault_pki_secret_backend_issuer resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ (#2400).
- revoke_with_key in vault_pki_secret_backend_cert (#2242)
- vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_cert_request (#2401)
- vault_pki_secret_backend_intermediate_cert_request (#2404)
- skip_import_rotation in vault_database_secret_backend_static_role. Requires Vault Enterprise 1.18.5+ (#2386).
- not_after in vault_pki_secret_backend_cert, vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign (#2385).
- vault_pki_secret_backend_config_acme to support the max_ttl field. #2411
- vault_ssh_secret_backend_sign. (#2409)
- disabled_validations in vault_pki_secret_backend_config_cmpv2 #2412
- credential_type and credential_config to database_secret_backend_static_role to support features like rsa keys for Snowflake DB engines with static roles #2384
- vault_pki_secret_backend_root_sign_intermediate: not_before_duration, skid and use_pss #2417
- use_pss, no_store_metadata, and serial_number_source to vault_pki_secret_backend_role #2420
- sign and verify endpoints (#2418)
- vault_pki_secret_backend_cert_metadata and support for cert_metadata in vault_pki_secret_backend_cert and vault_pki_secret_backend_sign #2422
- max_crl_entries in vault_pki_secret_backend_crl_config #2423
- vault_pki_secret_backend_config_auto_tidy to set PKI automatic tidy configuration #1934
BUGS:
IMPROVEMENTS:
v4.6.0 Compare Source
FEATURES:
- vault_kubernetes_auth_backend_role to support bound_service_account_namespace_selector, enabling the use of namespace selectors for allowing Kubernetes namespaces to access roles. (#2379)
- vault_database_secret_backend_connection to support password_authentication for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL (#2371)
- external_id field for the vault_aws_auth_backend_sts_role resource (#2370)
- vault_pki_secret_backend_config_acme resource. Requires Vault 1.14+ (#2157).
- vault_pki_secret_backend_role to support the cn_validations role field (#1820).
- vault_pki_secret_backend_acme_eab to manage PKI ACME external account binding tokens. Requires Vault 1.14+. (#2367)
- vault_pki_secret_backend_config_cmpv2. Requires Vault 1.18+. Available only for Vault Enterprise (#2330)
IMPROVEMENTS:
- subscribe policy capability for vault_policy_document data source (#2293)
v4.5.0 Compare Source
FEATURES:
- vault_database_secret_backend_connection to support inline TLS config for PostgreSQL (#2339)
- vault_database_secret_backend_connection to support skip_verification config for Cassandra (#2346)
- vault_approle_auth_backend_role_secret_id to support num_uses and ttl fields (#2345)
- allow_empty_principals field for the vault_ssh_secret_backend_role resource (#2354)
- vault_gcp_secret_impersonated_account to support setting ttl (#2318)
- connection_timeout field for the vault_ldap_auth_backend resource (#2358)
- use_annotations_as_alias_metadata field for the vault_kubernetes_auth_backend_config resource (#2226)
BUGS:
v4.4.0 Compare Source
FEATURES:
- vault_aws_secret_backend_role to support setting session_tags and external_id (#2290)
BUGS:
- vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#2308)
v4.3.0 Compare Source
FEATURES:
- iam_tags in vault_aws_secret_backend_role (#2231).
- inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+.: (#2133).
- vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2249).
- vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2250)
- vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#2243).
- vault_gcp_auth_backend (#2256)
- vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#2254).
- vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#2246)
- vault_okta_auth_backend resource: (#2210)
- max_retries in vault_aws_auth_backend_client: (#2270)
- vault_plugin and vault_plugin_pinned_version: (#2159)
- key_type and key_bits to vault_ssh_secret_backend_ca: (#1454)
IMPROVEMENTS:
- vault_jwt_auth_backend_role resource: (#2232)
BUGS:
- github.com/hashicorp/vault package: (#2251)
- custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#2247)
- max_path_length in vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate resources (#2253)
v4.2.0 Compare Source
FEATURES:
- granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#2202)
- allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#2180).
- vault_namespace. Requires Vault Enterprise: (#2208).
- vault_namespaces. Requires Vault Enterprise: (#2212).
IMPROVEMENTS:
BUGS:
- vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#2204)
- vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#2207)
- vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#2207)
v4.1.0 Compare Source
CHANGES TO VAULT POLICY REQUIREMENTS:
The v4.0.0 release required read permissions at sys/auth/:path which was a sudo endpoint. The v4.1.0 release changed that to instead require permissions at the sys/mounts/auth/:path level and sudo is no longer required. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.
FEATURES:
- vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#2154).
IMPROVEMENTS:
BUGS:
- vault_azure_access_credentials to default to Azure Public Cloud (#2190)
v4.0.0 Compare Source
Important: This release requires read policies to be set at the path level for mount metadata. For example, instead of permissions at sys/auth you must set permissions at the sys/auth/:path level. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.
FEATURES:
- vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#1949).
- enable_templating in vault_pki_secret_backend_config_urls (#2147).
- skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#2128).
- vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#2159)
IMPROVEMENTS:
- version in returned values for vault_kv_secret_v2 data source: (#2095)
BUGS:
- vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role ([#2156](https://redirect.github.com/hashicorp/terrafor
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
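
A pre-merge check for the v5.5.0 deny_null_bind default change described in the release notes above, written as an added example (it is not part of this PR, Renovate, or the provider). It scans Terraform source for vault_ldap_auth_backend resources and reports whether each one sets deny_null_bind explicitly; the function names, status labels and sample configuration are constructed for illustration.

```python
import re

# Header of a vault_ldap_auth_backend resource block; group 1 is the resource name.
HEADER_RE = re.compile(r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{')
# A deny_null_bind assignment at the start of a line; group 1 is the raw value token.
ATTR_RE = re.compile(r'^\s*deny_null_bind\s*=\s*(\S+)', re.MULTILINE)

# Constructed sample configuration (resource names and hostnames are made up).
SAMPLE_TF = '''
resource "vault_ldap_auth_backend" "corp" {
  path   = "ldap"
  url    = "ldaps://ldap.example.internal"
  userdn = "OU=Users,DC=example,DC=internal"
  # deny_null_bind = true   (commented out, so effectively unset)
  description = "Corp LDAP {primary}"
  tune {
    default_lease_ttl = "1h"
  }
}

resource "vault_ldap_auth_backend" "legacy" {
  path           = "ldap-legacy"
  url            = "ldap://legacy.example.internal"
  deny_null_bind = false
}

/* resource "vault_ldap_auth_backend" "retired" { path = "old" } */

resource "vault_ldap_auth_backend" "hardened" {
  path           = "ldap-hardened"
  url            = "ldaps://ldap2.example.internal"
  deny_null_bind = true
}
'''


def _blank(segment):
    """Replace every character except newlines with a space (offsets stay aligned)."""
    return ''.join(c if c == '\n' else ' ' for c in segment)


def sanitize(text):
    """Return (code, mask), each the same length as text.

    code: comments blanked, string literals kept (the header regex needs them).
    mask: comments and string literals blanked, so braces inside them are ignored.
    Assumption: no heredocs or quotes nested inside "${...}" in the audited blocks.
    """
    code, mask, i, n = [], [], 0, len(text)
    while i < n:
        if text[i] == '"':                                # string literal
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            end, is_comment = min(j + 1, n), False
        elif text[i] == '#' or text.startswith('//', i):  # line comment
            end = text.find('\n', i)
            end, is_comment = (n if end == -1 else end), True
        elif text.startswith('/*', i):                    # block comment
            end = text.find('*/', i + 2)
            end, is_comment = (n if end == -1 else end + 2), True
        else:                                             # ordinary character
            code.append(text[i])
            mask.append(text[i])
            i += 1
            continue
        segment = text[i:end]
        code.append(_blank(segment) if is_comment else segment)
        mask.append(_blank(segment))
        i = end
    return ''.join(code), ''.join(mask)


def top_level_body(mask, start):
    """Collect the resource body from just after its '{', skipping nested blocks."""
    depth, out = 1, []
    for ch in mask[start:]:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                return ''.join(out)
        elif depth == 1:
            out.append(ch)
    raise ValueError("unterminated resource block")


def audit(text):
    """Return (name, line, status) for each vault_ldap_auth_backend resource.

    status is 'unset' (default flips false -> true at v5.5.0), 'explicit-false',
    'explicit-true', or 'expression' (value is a variable or other expression).
    """
    code, mask = sanitize(text)
    findings = []
    for m in HEADER_RE.finditer(code):
        attr = ATTR_RE.search(top_level_body(mask, m.end()))
        if attr is None:
            status = "unset"
        elif attr.group(1) in ("true", "false"):
            status = "explicit-" + attr.group(1)
        else:
            status = "expression"
        findings.append((m.group(1), code.count('\n', 0, m.start()) + 1, status))
    return findings


if __name__ == "__main__":
    for name, line, status in audit(SAMPLE_TF):
        print(f"line {line}: vault_ldap_auth_backend.{name}: {status}")
```

Resources reported as unset are the ones whose effective setting changes when this PR is merged; explicit-false ones keep their value and are worth reviewing against the Vault versions named in the v5.5.0 notes.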