v4.4.0

Compare Source

FEATURES:

• Update vault_aws_secret_backend_role to support setting session_tags and external_id (#​2290)

BUGS:

• fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#​2308)
• fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#​2289)

v4.3.0

Compare Source

FEATURES:

• Add support for iam_tags in vault_aws_secret_backend_role (#​2231).
• Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+.: (#​2133).
• Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2249).
• Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2250)
• Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#​2243).
• Add support for new WIF fields in vault_gcp_auth_backend (#​2256)
• Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#​2254).
• Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#​2246)
• Support missing token parameters on vault_okta_auth_backend resource: (#​2210)
• Add support for max_retries in vault_aws_auth_backend_client: (#​2270)
• Add new resources vault_plugin and vault_plugin_pinned_version: (#​2159)
• Add key_type and key_bits to vault_ssh_secret_backend_ca: (#​1454)

IMPROVEMENTS:

• return a useful error when delete fails for the vault_jwt_auth_backend_role resource: (#​2232)
• Remove dependency on github.com/hashicorp/vault package: (#​2251)
• Add missing custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#​2247)

v4.2.0

Compare Source

FEATURES:

• Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#​2202)
• Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#​2180).
• Add new data source vault_namespace. Requires Vault Enterprise: (#​2208).
• Add new data source vault_namespaces. Requires Vault Enterprise: (#​2212).

IMPROVEMENTS:

• Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#​2202)

BUGS:

• fix vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#​2204)
• fix vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#​2207)
• fix vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#​2207)

v4.1.0

Compare Source

CHANGES TO VAULT POLICY REQUIREMENTS:

• Important: This release requires read policies to be set at the path level for mount metadata.
  The v4.0.0 release required read permissions at sys/auth/:path which was a
  sudo endpoint. The v4.1.0 release changed that to instead require permissions
  at the sys/mounts/auth/:path level and sudo is no longer required. Please
  refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#​2154).

IMPROVEMENTS:

• do not require sudo permissions for auth read operations (#​2198)

BUGS:

• fix vault_azure_access_credentials to default to Azure Public Cloud (#​2190)

v4.0.0

Compare Source

Important: This release requires read policies to be set at the path level for mount metadata.
For example, instead of permissions at sys/auth you must set permissions at
the sys/auth/:path level. Please refer to the details in the
Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#​1949).
• Add support to enable_templating in vault_pki_secret_backend_config_urls (#​2147).
• Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#​2128).
• Improve logging to track full API exchanges between the provider and Vault (#​2139)
• Add new vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#​2159)

IMPROVEMENTS:

• Improve performance of READ operations across many resources: (#​2145), (#​2152)
• Add the metadata version in returned values for vault_kv_secret_v2 data source: (#​2095)
• Add new secret sync destination fields: (#​2150)

BUGS:

• Handle graceful destruction of resources when approle is deleted out-of-band (#​2142).
• Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role (#​2156).
• Ensure proper use of issuer endpoints for root sign intermediate resource: (#​2160)
• Fix issuer data overwrites on updates: (#​2186)

v3.25.0

Compare Source

FEATURES:

• Add destination and association resources to support Secrets Sync. Requires Vault 1.16+ (#​2098).
• Add support for configuration of plugin WIF to the AWS Secret Backend. Requires Vault 1.16+ (#​2138).
• Add support for Oracle database plugin configuration options split_statements and disconnect_sessions: (#​2085)

IMPROVEMENTS:

• Add an API client lock to the vault_identity_group_alias resource: (#​2140)

v3.24.0

Compare Source

FEATURES:

• Add support for ext_key_usage_oids in vault_pki_secret_backend_role (#​2108)
• Adds support to vault_gcp_auth_backend for common backend tune parameters (#​1997).
• Adds support to vault_azure_secret_backend_role for sign_in_audience and tags. Requires Vault 1.16+. (#​2101).

BUGS:

• fix vault_kv_secret_v2 drift when "data" is in secret name/path (#​2104)
• fix vault_database_secret_backend_connection: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key (#​2106)
• Fix ignored description updates for aws_secret_backend resource (#​2057)

IMPROVEMENTS:

• Updated dependencies (#​2129):
  • cloud.google.com/go/iam v1.1.2 -> v1.1.5
  • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 -> v1.9.1
  • github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 -> v1.5.0
  • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 -> v1.2.0
  • github.com/aws/aws-sdk-go v1.45.24 -> v1.49.22
  • github.com/google/uuid v1.3.1 -> v1.5.0
  • github.com/hashicorp/go-hclog v1.5.0 -> v1.6.2
  • github.com/hashicorp/go-retryablehttp v0.7.4 -> v0.7.5
  • github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 -> v0.1.8
  • github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0 -> v2.31.0
  • github.com/hashicorp/vault-plugin-auth-jwt v0.17.0 -> v0.18.0
  • github.com/hashicorp/vault/sdk v0.10.0 -> v0.10.2
  • golang.org/x/crypto v0.14.0 -> v0.18.0
  • golang.org/x/net v0.15.0 -> v0.20.0
  • golang.org/x/oauth2 v0.12.0 -> v0.16.0
  • google.golang.org/api v0.144.0 -> v0.156.0
  • google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 -> v0.0.0-20240116215550-a9fa1716bcac
  • k8s.io/utils v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240102154912-e7106e64919e

v3.23.0

Compare Source

FEATURES:

• Add support for lazily authenticating to Vault: (#​2049)

BUGS:

• Fix vault_identity_group loses externally managed policies on updates when external_policies = true (#​2084)
• Fix regression in vault_azure_access_credentials where we returned prematurely on 401 responses:(#​2086)