
Releases: hashicorp/terraform-provider-vault

v4.3.0

17 Jun 19:05
86ea322

4.3.0 (Jun 17, 2024)

FEATURES:

  • Add support for iam_tags in vault_aws_secret_backend_role (#2231).
  • Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+ (#2133).
  • Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2249).
  • Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2250).
  • Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#2243).
  • Add support for new WIF fields in vault_gcp_auth_backend (#2256).
  • Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#2254).
  • Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#2246).
  • Support missing token parameters on the vault_okta_auth_backend resource (#2210).
  • Add support for max_retries in vault_aws_auth_backend_client (#2270).
  • Add new resources vault_plugin and vault_plugin_pinned_version (#2159).
  • Add key_type and key_bits to vault_ssh_secret_backend_ca (#1454).

IMPROVEMENTS:

  • Return a useful error when delete fails for the vault_jwt_auth_backend_role resource (#2232).
  • Remove the dependency on the github.com/hashicorp/vault package (#2251).
  • Add the missing custom_tags and secret_name_template fields to the vault_secrets_sync_azure_destination resource (#2247).

v4.2.0

27 Mar 18:51
2822bae

4.2.0 (Mar 27, 2024)

FEATURES:

  • Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#2202)
  • Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#2180).
  • Add new data source vault_namespace. Requires Vault Enterprise (#2208).
  • Add new data source vault_namespaces. Requires Vault Enterprise (#2212).

IMPROVEMENTS:

  • Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#2202)

BUGS:

  • Fix vault_approle_auth_backend_role_secret_id regression so that 404 errors are handled (#2204).
  • Fix vault_kv_secret and vault_kv_secret_v2 failing to update secret data that was modified outside Terraform (#2207).
  • Fix vault_kv_secret_v2 failing on an imported resource when data_json should be ignored (#2207).

v4.1.0

20 Mar 19:06
7325966

4.1.0 (Mar 20, 2024)

CHANGES TO VAULT POLICY REQUIREMENTS:

  • Important: This release requires read policies to be set at the path level for mount metadata.
    The v4.0.0 release required read permissions at sys/auth/:path, which is a
    sudo-protected endpoint. The v4.1.0 release instead requires read permissions
    at sys/mounts/auth/:path, and sudo is no longer required. Please refer to the
    details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

  • Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#2154).

IMPROVEMENTS:

  • Do not require sudo permissions for auth read operations (#2198).

BUGS:

  • fix vault_azure_access_credentials to default to Azure Public Cloud (#2190)

v4.0.0

13 Mar 20:06
e16b837

4.0.0 (Mar 13, 2024)

Important: This major version release includes performance improvements for deployments that manage many Vault secret or auth engine mounts. This release requires read policies to be set at the path level for mount metadata. For example, instead of permissions at sys/auth you must set permissions at the sys/auth/:path level. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.
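The policy change described in this 4.0.0 note and in the 4.1.0 note above is easiest to see as the policy itself. The Vault policy below is an added example, not text from the provider changelog or the upgrade guide; it shows the read grant a provider token needs for mount metadata under each provider major version. The mount names "approle" and "kv" are placeholders, and the secret-engine entry at the end is an assumption drawn from the "path level for mount metadata" wording (the changelog itself only spells out the auth path).

```hcl
# Added example (not from the changelog). Grants needed by the token that
# terraform-provider-vault uses, per provider major version.

# Provider 3.x: a single read on the auth mount listing was sufficient.
path "sys/auth" {
  capabilities = ["read"]
}

# Provider 4.0.0: per-mount read on sys/auth/:path. That endpoint is
# sudo-protected, so the token had to carry the sudo capability as well.
path "sys/auth/approle" {
  capabilities = ["read", "sudo"]
}

# Provider 4.1.0+: per-mount read on sys/mounts/auth/:path, which is not
# sudo-protected. Keep only "read" and drop "sudo" from the provider token.
path "sys/mounts/auth/approle" {
  capabilities = ["read"]
}

# Secret engine mounts follow the same per-path pattern (assumption: the
# changelog says "mount metadata" generally but only shows the auth case).
# "kv" is a placeholder mount name.
path "sys/mounts/kv" {
  capabilities = ["read"]
}
```

A token managing many mounts can use a glob (`sys/mounts/auth/*`) instead of one stanza per mount, at the cost of granting metadata reads on every auth mount. After writing the policy with `vault policy write`, `vault token capabilities <token> sys/mounts/auth/approle` confirms that the provider token has `read` without `sudo` before upgrading to 4.1.0.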

FEATURES:

  • Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#1949).
  • Add support to enable_templating in vault_pki_secret_backend_config_urls (#2147).
  • Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#2128).
  • Improve logging to track full API exchanges between the provider and Vault (#2139)

IMPROVEMENTS:

  • Improve performance of READ operations across many resources (#2145, #2152).
  • Add the metadata version to the values returned by the vault_kv_secret_v2 data source (#2095).
  • Add new secret sync destination fields (#2150).

BUGS:

  • Handle graceful destruction of resources when the approle is deleted out-of-band (#2142).
  • Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role and vault_ldap_secret_backend_library_set (#2156).
  • Ensure proper use of issuer endpoints for the root sign intermediate resource (#2160).
  • Fix issuer data being overwritten on updates (#2186).

v3.25.0

14 Feb 19:41
17a91c8

3.25.0 (Feb 14, 2024)

FEATURES:

  • Add destination and association resources to support Secrets Sync. Requires Vault 1.16+ (#2098).
  • Add support for configuration of plugin WIF to the AWS Secret Backend. Requires Vault 1.16+ (#2138).
  • Add support for Oracle database plugin configuration options split_statements and disconnect_sessions: (#2085)

IMPROVEMENTS:

  • Add an API client lock to the vault_identity_group_alias resource: (#2140)

v3.24.0

17 Jan 17:54
db48a90

3.24.0 (Jan 17, 2024)

FEATURES:

  • Add support for ext_key_usage_oids in vault_pki_secret_backend_role (#2108)
  • Adds support to vault_gcp_auth_backend for common backend tune parameters (#1997).
  • Adds support to vault_azure_secret_backend_role for sign_in_audience and tags. Requires Vault 1.16+. (#2101).

BUGS:

  • Fix vault_kv_secret_v2 drift when "data" appears in the secret name or path (#2104).
  • Fix vault_database_secret_backend_connection: allow the mysql_rds, mysql_aurora and mysql_legacy connection types to specify tls_ca and tls_certificate_key (#2106).
  • Fix ignored description updates for the aws_secret_backend resource (#2057).

IMPROVEMENTS:

  • Updated dependencies (#2129):
    • cloud.google.com/go/iam v1.1.2 -> v1.1.5
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 -> v1.9.1
    • github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 -> v1.5.0
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 -> v1.2.0
    • github.com/aws/aws-sdk-go v1.45.24 -> v1.49.22
    • github.com/google/uuid v1.3.1 -> v1.5.0
    • github.com/hashicorp/go-hclog v1.5.0 -> v1.6.2
    • github.com/hashicorp/go-retryablehttp v0.7.4 -> v0.7.5
    • github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 -> v0.1.8
    • github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0 -> v2.31.0
    • github.com/hashicorp/vault-plugin-auth-jwt v0.17.0 -> v0.18.0
    • github.com/hashicorp/vault/sdk v0.10.0 -> v0.10.2
    • golang.org/x/crypto v0.14.0 -> v0.18.0
    • golang.org/x/net v0.15.0 -> v0.20.0
    • golang.org/x/oauth2 v0.12.0 -> v0.16.0
    • google.golang.org/api v0.144.0 -> v0.156.0
    • google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 -> v0.0.0-20240116215550-a9fa1716bcac
    • k8s.io/utils v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240102154912-e7106e64919e

v3.23.0

15 Nov 15:37
e3f8bc9

3.23.0 (Nov 15, 2023)

FEATURES:

  • Add support for lazily authenticating to Vault: (#2049)

BUGS:

  • Fix vault_identity_group losing externally managed policies on update when external_policies = true (#2084).
  • Fix regression in vault_azure_access_credentials where the provider returned prematurely on 401 responses (#2086).

v3.22.0

01 Nov 21:01
1168607

3.22.0 (Nov 1, 2023)

FEATURES:

  • Add support for configuring SAML Auth resources (#2053)
  • Add support for custom_metadata on vault_namespace: (#2033)
  • Add support for OCSP* role fields for the cert auth resource: (#2056)
  • Add field set_namespace_from_token to Provider configuration (#2070)
  • Support authenticating to the root namespace from within an auth_login*: (#2066)

BUGS:

  • Fix panic when reading client_secret from a public oidc client (#2048)
  • Fix API request missing roles field for mongodbatlas_secret_role resource (#2047)
  • Fix bug when updating vault_azure_secret_backend_role: (#2063)
  • Fix audience string ordering for auth_login_gcp causing GCE auth to fail (#2064)

IMPROVEMENTS:

  • Updated dependencies: (#2038)
    • github.com/aws/aws-sdk-go v1.44.106 -> v1.45.24
  • Updated dependencies: (#2050)
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0 -> v1.8.0
    • github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2 -> v1.4.0
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v0.3.1 -> v1.1.1
    • github.com/Azure/go-autorest/autorest v0.11.29 removed

v3.21.0

09 Oct 22:32
b98c875

3.21.0 (Oct 9, 2023)

FEATURES:

  • Add GCP CloudSQL support to Postgres, MySQL DB engines: (#2012)
  • Add support for DB Adv TTL Mgmt: (#2011)
  • Add support for setting not_before_duration argument on vault_ssh_secret_backend_role: (#2019)
  • Add support for hmac key type and key_size to vault_transit_secret_backend_key: (#2034)
  • Add support for roles to both rate limit and lease count quotas: (#1994)
  • Add allowed_email_sans field to write and update functions of vault_cert_auth_backend_role: (#1140)
  • Add support for local parameter in aws secret engine: (#2013)

BUGS:

  • Fix duplicate timestamp and incorrect level messages: (#2031)
  • Fix panic when setting key_usage to an array of empty string and enable it to unset the key usage constraints: (#2036)
  • Add state migrator for external_member_group_ids in Identity Group (#2043)
  • Fix drift detection for the kv-v2 secrets resource when disable_read is enabled: (#2039)
  • Add state migrator in secrets/auth backends for disable_remount parameter (#2037)
  • Fix failure when auth_login is specified and vault token is picked up from the runtime/execution environment: (#2029)
  • Remove logging of password key: (#2044)

IMPROVEMENTS:

  • Oracle DB engine enablement on HCP Vault: (#2006)
  • Ensure sensitive values are masked in vault_approle_auth_backend_login plan output (#2008)
  • Updated dependencies: (#2038)
    • cloud.google.com/go/compute v1.10.0 removed
    • cloud.google.com/go/compute/metadata v0.2.3 added
    • cloud.google.com/go/iam v0.3.0 -> v1.1.2
    • github.com/Azure/go-autorest/autorest v0.11.24 -> v0.11.29
    • github.com/cenkalti/backoff/v4 v4.1.2 -> v4.2.1
    • github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f -> v0.0.0-20230601102743-20bbbf26f4d8
    • github.com/denisenkom/go-mssqldb v0.12.0 -> v0.12.3
    • github.com/go-sql-driver/mysql v1.6.0 -> v1.7.1
    • github.com/google/uuid v1.3.0 -> v1.3.1
    • github.com/gosimple/slug v1.11.0 -> v1.13.1
    • github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 -> v1.4.1-0.20200723130312-85980079f637
    • github.com/hashicorp/go-retryablehttp v0.7.1 -> v0.7.4
    • github.com/hashicorp/terraform-plugin-sdk/v2 v2.16.0 -> v2.29.0
    • github.com/hashicorp/vault-plugin-auth-jwt v0.13.2-0.20221012184020-28cc68ee722b -> v0.17.0
    • github.com/hashicorp/vault-plugin-auth-kerberos v0.8.0 -> v0.10.1
    • github.com/hashicorp/vault-plugin-auth-oci v0.13.0-pre -> v0.14.2
    • github.com/hashicorp/vault/api v1.9.3-0.20230628215639-3ca33976762c -> v1.10.0
    • github.com/hashicorp/vault/sdk v0.6.0 -> v0.10.0
    • github.com/jcmturner/gokrb5/v8 v8.4.2 -> v8.4.4
    • golang.org/x/crypto v0.6.0 -> v0.14.0
    • golang.org/x/net v0.7.0 -> v0.15.0
    • golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 -> v0.12.0
    • google.golang.org/api v0.98.0 -> v0.144.0
    • google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e -> v0.0.0-20231002182017-d307bd883b97
    • k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 -> v0.0.0-20230726121419-3b25d923346b

v3.20.1

13 Sep 21:01
f268dff

3.20.1 (Sep 13, 2023)

IMPROVEMENTS:

  • Update dependencies (#1958)
    • github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 -> v0.2.3

BUGS:

  • Update k8s-auth config to support unsetting the K8s CA Cert: (#2005)

CHANGES:

  • vault_kubernetes_auth_backend_config: prior to Vault 1.9.3, the Kubernetes auth engine stored the Kubernetes CA certificate in its configuration when Vault itself was running in Kubernetes. From Vault 1.9.3 on, the engine no longer stores the CA certificate in its config. That change confused the provider, since the kubernetes_ca_cert field could no longer be computed. This fix detects the situation and adds the ability to "unset" the CA certificate when provisioning against Vault 1.9.3+. It also cleans up any Kubernetes CA certificate left behind after upgrading from a Vault version prior to 1.9.3 with disable_local_ca_jwt = false and kubernetes_ca_cert either unset or set to "".
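The two configurations this change distinguishes, written as Terraform. This is an added example rather than code from the provider or its changelog; the mount paths, the API host names, the CA file name and the token_reviewer_jwt variable are placeholders.

```hcl
# Added example (not from the changelog). Two Kubernetes auth mounts that
# exercise the two cases the 3.20.1 change handles. Paths, hosts and file
# names are placeholders.

# Case 1: Vault runs inside the cluster it authenticates. On Vault 1.9.3+
# kubernetes_ca_cert is deliberately left unset: Vault reads the pod's local
# CA and service-account JWT itself (disable_local_ca_jwt = false). With
# provider 3.20.1+, a CA certificate left in the mount config by a pre-1.9.3
# Vault is unset on apply instead of showing up as permanent drift.
resource "vault_auth_backend" "k8s_local" {
  type = "kubernetes"
  path = "k8s-local"
}

resource "vault_kubernetes_auth_backend_config" "k8s_local" {
  backend              = vault_auth_backend.k8s_local.path
  kubernetes_host      = "https://kubernetes.default.svc:443"
  disable_local_ca_jwt = false
}

# Case 2: Vault runs outside the cluster. The cluster CA and a reviewer JWT
# must be supplied explicitly, and the local CA/JWT lookup is disabled, so
# kubernetes_ca_cert is intentionally set and stays in the mount config.
variable "token_reviewer_jwt" {
  type      = string
  sensitive = true
}

resource "vault_auth_backend" "k8s_external" {
  type = "kubernetes"
  path = "k8s-external"
}

resource "vault_kubernetes_auth_backend_config" "k8s_external" {
  backend              = vault_auth_backend.k8s_external.path
  kubernetes_host      = "https://k8s.example.internal:6443"
  kubernetes_ca_cert   = file("${path.module}/k8s-ca.pem")
  token_reviewer_jwt   = var.token_reviewer_jwt
  disable_local_ca_jwt = true
}
```

The check after upgrading the provider is a `terraform plan` against a mount in the first shape: on Vault 1.9.3+ it should show the stale kubernetes_ca_cert being cleared once and then converge, rather than reporting the same change on every run.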