FEATURES:
- Add support for lazily authenticating to Vault: (#2049)
BUGS:
- Fix `vault_identity_group` losing externally managed policies on updates when `external_policies = true` (#2084)
- Fix regression in `vault_azure_access_credentials` where we returned prematurely on 401 responses: (#2086)
FEATURES:
- Add support for configuring SAML Auth resources (#2053)
- Add support for `custom_metadata` on `vault_namespace`: (#2033)
- Add support for `OCSP*` role fields for the cert auth resource: (#2056)
- Add field `set_namespace_from_token` to Provider configuration (#2070)
- Support authenticating to the root namespace from within an `auth_login*`: (#2066)
BUGS:
- Fix panic when reading `client_secret` from a public oidc client (#2048)
- Fix API request missing `roles` field for `mongodbatlas_secret_role` resource (#2047)
- Fix bug when updating `vault_azure_secret_backend_role`: (#2063)
- Fix audience string ordering for `auth_login_gcp` causing GCE auth to fail (#2064)
IMPROVEMENTS:
- Updated dependencies: (#2038)
  - `github.com/aws/aws-sdk-go` v1.44.106 -> v1.45.24
- Updated dependencies: (#2050)
  - `github.com/Azure/azure-sdk-for-go/sdk/azcore` v0.22.0 -> v1.8.0
  - `github.com/Azure/azure-sdk-for-go/sdk/azidentity` v0.13.2 -> v1.4.0
  - `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources` v0.3.1 -> v1.1.1
  - `github.com/Azure/go-autorest/autorest` v0.11.29 removed
FEATURES:
- Add GCP CloudSQL support to Postgres, MySQL DB engines: (#2012)
- Add support for DB Adv TTL Mgmt: (#2011)
- Add support for setting `not_before_duration` argument on `vault_ssh_secret_backend_role`: (#2019)
- Add support for `hmac` key type and `key_size` to `vault_transit_secret_backend_key`: (#2034)
- Add support for roles to both rate limit and lease count quotas: (#1994)
- Add `allowed_email_sans` field to write and update functions of `vault_cert_auth_backend_role`: (#1140)
- Add support for `local` parameter in aws secret engine: (#2013)
BUGS:
- Fix duplicate timestamp and incorrect level messages: (#2031)
- Fix panic when setting `key_usage` to an array of empty string and enable it to unset the key usage constraints: (#2036)
- Add state migrator for `external_member_group_ids` in Identity Group (#2043)
- Fix drift detection for the kv-v2 secrets resource when `disable_read` is enabled: (#2039)
- Add state migrator in secrets/auth backends for `disable_remount` parameter (#2037)
- Fix failure when `auth_login` is specified and vault token is picked up from the runtime/execution environment: (#2029)
- Remove logging of password key: (#2044)
IMPROVEMENTS:
- Oracle DB engine enablement on HCP Vault: (#2006)
- Ensure sensitive values are masked in `vault_approle_auth_backend_login` plan output (#2008)
- Updated dependencies: (#2038)
  - `cloud.google.com/go/compute` v1.10.0 removed
  - `cloud.google.com/go/compute/metadata` v0.2.3 added
  - `cloud.google.com/go/iam` v0.3.0 -> v1.1.2
  - `github.com/Azure/go-autorest/autorest` v0.11.24 -> v0.11.29
  - `github.com/cenkalti/backoff/v4` v4.1.2 -> v4.2.1
  - `github.com/coreos/pkg` v0.0.0-20180928190104-399ea9e2e55f -> v0.0.0-20230601102743-20bbbf26f4d8
  - `github.com/denisenkom/go-mssqldb` v0.12.0 -> v0.12.3
  - `github.com/go-sql-driver/mysql` v1.6.0 -> v1.7.1
  - `github.com/google/uuid` v1.3.0 -> v1.3.1
  - `github.com/gosimple/slug` v1.11.0 -> v1.13.1
  - `github.com/hashicorp/go-cty` v1.4.1-0.20200414143053-d3edf31b6320 -> v1.4.1-0.20200723130312-85980079f637
  - `github.com/hashicorp/go-retryablehttp` v0.7.1 -> v0.7.4
  - `github.com/hashicorp/terraform-plugin-sdk/v2` v2.16.0 -> v2.29.0
  - `github.com/hashicorp/vault-plugin-auth-jwt` v0.13.2-0.20221012184020-28cc68ee722b -> v0.17.0
  - `github.com/hashicorp/vault-plugin-auth-kerberos` v0.8.0 -> v0.10.1
  - `github.com/hashicorp/vault-plugin-auth-oci` v0.13.0-pre -> v0.14.2
  - `github.com/hashicorp/vault/api` v1.9.3-0.20230628215639-3ca33976762c -> v1.10.0
  - `github.com/hashicorp/vault/sdk` v0.6.0 -> v0.10.0
  - `github.com/jcmturner/gokrb5/v8` v8.4.2 -> v8.4.4
  - `golang.org/x/crypto` v0.6.0 -> v0.14.0
  - `golang.org/x/net` v0.7.0 -> v0.15.0
  - `golang.org/x/oauth2` v0.0.0-20221006150949-b44042a4b9c1 -> v0.12.0
  - `google.golang.org/api` v0.98.0 -> v0.144.0
  - `google.golang.org/genproto` v0.0.0-20221010155953-15ba04fc1c0e -> v0.0.0-20231002182017-d307bd883b97
  - `k8s.io/utils` v0.0.0-20220210201930-3a6ce19ff2f9 -> v0.0.0-20230726121419-3b25d923346b
IMPROVEMENTS:
- Update dependencies (#1958)
  - `github.com/hashicorp/go-secure-stdlib/awsutil` v0.1.6 -> v0.2.3
- Add `local` variable to `aws_secret_backend` resource, in order to mark the mount as non-replicated
BUGS:
- Update k8s-auth config to support unsetting the K8s CA Cert: (#2005)
FEATURES:
- Add support for setting `permanently_delete` argument on `resource_azure_secret_backend_role`: (#1958)
- Add `use_sts_region_from_client` to AWS Auth Config: (#1963)
- Add accessor attribute for `vault_gcp_auth_backend` resource: (#1980)
BUGS:
- Fixes a panic that can occur when Vault lookup-self API returns nil token info (#1978)
- Resolve TF state for PKI Multi-Issuer workflows: (#1973)
- Check the seal-status on the default namespace: (#1967)
FEATURES:
- Add support for User ID configuration for PKI Secrets Engine: (#1936)
- Add support for `use_sts_region_from_client` in `vault_aws_auth_backend_client` available in Vault v1.15.0+: (#1963)
BUGS:
- auth/aws: enable namespace support for AWS backend config identity: (#1961)
- Retry Write on kv-v2 config: (#1955)
- Update `vault_identity_entity` to exclude policies from Vault request if `external_policies` is `true`: (#1950)
- Bump Go version to fix macOS resolver issue: (#1941)
FEATURES:
- Add support to set default issuers configuration for PKI Secrets Engine: (#1937)
- Add new `auth_login_token_file` method: (#1928)
- Update HTTP transport wrapper to support TLSConfig cloning: (#1926)
BUGS:
- secrets/pki: fix server_flag being ignored: (#1933)
FEATURES:
- Add support for multi-issuer functionality to PKI: (#1910)
- Add x509 support to database roles: (#1901)
- Add AWS Static Roles support: (#1877)
- Add support for `max_page_size` in the `vault_ldap_auth_backend`: (#1878)
BUGS:
- Fix DB Engine password overwrite for remaining databases: (#1912)
FEATURES:
- Add support for LDAP secrets engine: (#1859)
- Add new data source `vault_auth_backends`: (#1827)
- Support allowed_domains_template on ssh_secret_backend_role. Fixes hashicorp#1675: (#1676)
IMPROVEMENTS:
- Add support for retrying kv-v2 secret data writes: (#1887)
- Add back support for deriving the provider namespace from the Vault token's: (#1841)
BUGS:
- Revert #1830 which introduced an unexpected breaking change in the way authentication is done within a namespace: (#1840)
BUGS:
- Ensure that the auth_login honours the provider's namespace: (#1830)
FEATURES:
- Add support for MongoDB Atlas Secrets engine: (#1816)
BUGS:
- Fix panic while importing namespaces: (#1818)
- Avoid writing empty strings to Vault when creating PKCS managed keys: (#1803)
- Fix possible panic with autopilot import: (#1801)
- Ensure that the `qr_size` can be properly configured for MFA TOTP: (#1750)
BUGS:
- Add nil check for `IsEnterpriseSupported` util: (#1787)
- Fix KV incorrect metadata path for prefixed mounts: (#1781)
FEATURES:
- Add new resource for AWS Auth Backend config identity: (#1724)
- Support `default_user_template` field on `vault_ssh_secret_backend_role`: (#1725)
IMPROVEMENTS:
- Secrets from the AD, AWS, Azure & Nomad Secrets Engines are sensitive: (#1726)
- Add enterprise check for new Raft Autopilot parameter: (#1721)
BUGS:
- Fix KVV2 datasource upon retrieval of soft deleted secrets: (#1760)
- Fix issue where removing optional fields in database secrets backend connection resource did not reset the fields to their default values: (#1737)
- Fix construction of metadata path in KV V2 resource: (#1722)
IMPROVEMENTS:
- Add support for importing the PKI CRL config: (#1710)
- Ensure duplicate alias names are handled properly in LookupEntityAlias: (#1708)
- Add support for a Raft Autopilot State datasource: (#1705)
- Add support for adding metadata to a KV V2 Secret: (#1687)
- Set AWS credentials sensitive: (#1678)
- Set ForceNew on the path field of namespaces: (#1713)
BUGS:
- Fix removed MSGraph param in Azure Secrets: (#1682)
- Fix KV V2 data source when specifying a version: (#1677)
- Ensure that `vault_kv_secret_backend_v2` mount is correctly imported: (#1701)
IMPROVEMENTS:
- Add Basic Constraints attribute to vault_pki_secret_backend_intermediate_cert_request: (#1661)
- Add Redis database secrets engine support: (#1659)
- Add support for setting deletion_allowed on a transformation: (#1650)
BUGS:
- Fix panic while importing MFA Duo resource: (#1669)
- Fix GCP auth with service account credentials: (#1648)
IMPROVEMENTS:
- Add support for externally managed Group Member IDs to Vault Identity Group: (#1630)
- Support configuring vault version handling: (#1646)
BUGS:
- Ensure that namespaced github auth mounts are destroyed: (#1637)
- Ensure all AuthLogin instances are validated on call to Login(): (#1631)
BUGS:
- Use the correct AWS login headers within auth_generic: (#1625)
- Fix resource recreation following out-of-band changes in Vault: (#1567)
IMPROVEMENTS:
- Add first-class Azure login support: (#1617)
- Add first-class OIDC and JWT login support: (#1615)
- Add first-class OCI login support: (#1614)
- Add first-class Radius login support: (#1609)
- Add first-class Kerberos login support: (#1608)
- Add first-class GCP login support: (#1607)
- Add first-class TLS certificates login support: (#1605)
- Add first-class auth login config support for AWS: (#1599) (#1618)
- Add support for login MFA resources: (#1620)
- Add Managed Keys support: (#1508)
- Add support to perform semantic version comparisons against Vault's server version: (#1426)
- Add Mount Migration support to all secrets/auth backends: (#1594)
- Use new semantic version checking for Consul secrets backend logic: (#1593)
- Docs: Fix vault_kv_secret_backend_v2 delete_version_after example: (#1602)
- Support creating Azure secret backend role by specifying the role_id: (#1573)
- Add Redis ElastiCache database secrets engine support: (#1596)
- vault_pki_secret_backend_cert: Report when renewal is pending: (#1597)
- Accept data source values in the token field for Consul secrets backend: (#1600)
BUGS:
- Fix erroneous persistent diff in the vault_token resource: (#1622)
- Fix data_source_azure_access_credentials US Government Cloud: (#1590)
- Add kv-v2 write retry: (#1579)
BUGS:
- fix: remove unnecessary nesting of secret data for KV-V1 secrets: (#1570)
NOTES:
`vault_kv_secret` no longer stores secrets in Vault under a nested `data` object. In versions 3.8.1 and below, the kv resource inadvertently nested the `value` under `data`. To remedy this please update any consumers of this KV and run a `terraform apply` to properly set the value.
IMPROVEMENTS:
- docs: Fix broken provider.namespace links: (#1562)
- docs: Add Azure example for `r/raft_snapshot_agent_config`: (#1534)
- docs: Document namespaced resource import: (#1561)
- docs: Add more visible note that `d/aws_access_credentials` cannot be renewed: (#1464)
BUGS:
- fix: Persist namespace to state on resource import: (#1563)
- fix: Update all transform resources with namespace support: (#1558)
- fix: Make password_policy conflict with the formatter field: (#1557)
- fix: Correct typo in `r/pki_secret_backend_root_cert` description: (#1511)
FEATURES:
- Adds support for Kubernetes secrets engine: (#1515)
- PKI: Add support for CPS URL in custom policy identifiers: (#1495)
IMPROVEMENTS:
- Fix Import for OIDC Scope resource: (#1548)
- Update entity alias creation to use entity lookup api: (#1517) (#1552)
- Add support for Consul secrets engine enhancements: (#1518)
- auth/gcp: adds `custom_endpoint` parameter to backend config: (#1482)
- auth/jwt: adds `user_claim_json_pointer` and `max_age` to roles: (#1478)
BUGS:
- Support updating backend descriptions: (#1550) (#1543)
- Properly set the `base64_pem` in Vault for Couchbase: (#1545)
- Fix bug where some rabbitmq config changes trigger erroneous mount recreation: (#1542)
- Update `*kv_secrets*` resources to support namespaces: (#1529)
- Do not validate JSON on OIDC scope template: (#1547)
FEATURES:
- Support setting `namespace` by resource (#1305) (#1479)
- Add dedicated KV (v1/v2) secret engine resources, and data sources, supersedes `vault_generic_secret` (#1457)
IMPROVEMENTS:
- Update vault libs to v1.10.3 (#1483)
- Drop debug log calls containing the full vault response (#1477)
- `resource/token`: Add `metadata` support (#1470)
- `resource/vault_ldap_auth_backend`: support LDAP `username_as_alias` attribute: (#1460)
- `resource/vault_quota_rate_limit`: Add support for `interval` and `block_interval`: (#1084)
- ci: Test against vault-enterprise 1.10.3-ent: (#1461)
BUGS:
- `resource/auth_backend`: validate `path`, disallowing leading/trailing / (#1471)
- `resource/vault_jwt_auth_backend_role`: fix `bound_claims` not being unset when empty (#1469)
- `resource/cert_auth_backend`: add the correct field name: `allowed_organizational_units` (#1496)
IMPROVEMENTS:
- `resource/pki_secret_backend_root_cert`: Force new root CA resource creation on out-of-band changes. (#1428)
- `resource/pki_secret_backend_intermediate_set_signed`: Document complete usage example. (#1452)
- `resource/pki_secret_backend_config_urls`: Add support for importing PKI config URLs (#1451)
- `vault/resource_pki_secret_backend*`: Extend revocation support to other resources (#1446)
- `vault/resource_pki_secret_backend*`: Force new root CA/cert resource creation on out-of-band changes. (#1432)
- `datasource/generic_secret`: Improve documentation. (#1390)
- `resource/ldap_auth_backend`: Support setting `userfilter`. (#1378)
- `resource/aws_auth_backend_role`: Add `role_id` as a computed field. (#1377)
- Auth: Handle CIDR prefix being stripped for hosts in `token_bound_cidrs` (#1346)
- Add `allowed_serial_numbers` support (#1119)
- `resource/pki_secret_backend_role`: Allow `key_type` to be set to `any`. (#791)
- `resource/aws_secret_backend_role`: Add `user_path` and `permissions_boundary_arn` arguments. (#781)
BUGS:
- `resource/pki_secret_backend_root_sign_intermediate`: Ensure that the `certificate_bundle`, and `ca_chain` do not contain duplicate certificates. (#1428)
- `resource/identity_entity_alias`: Serialize create, update, and delete operations in order to prevent alias mismatches. (#1429)
- `database_secret*`: Ignore mongodb-atlas `private_key` on read from Vault. (#1438)
- `resource/auth_backend`: Remove `ForceNew` behavior when updating `description`. (#1439)
- `resource/identity_group_member_entity_ids`: Properly handle nil `member_entity_ids` in response. (#1448)
- `resource/pki_secret_backend_role`: Fix TTL handling in PKI role. (#1447)
- `resource/pki_secret_backend_role`: `key_usage` value should be computed. (#1443)
- `resource/vault_pki_secret_backend_{cert,sign}`: Properly force a new resource whenever the cert is near expiry. (#1440)
- `resource/identity_entity_alias`: Remove read operation on entity alias update. (#1434)
FEATURES:
- Add MFA support: new resources `vault_mfa_okta`, `vault_mfa_totp`, `vault_mfa_pingid` (#1395)
- New `resource/database_secrets_mount`: Configures any number of database secrets engines under a single, dedicated mount resource (#1400)
IMPROVEMENTS:
- `data/vault_generic_secret`: Add new field `with_lease_start_time` to `vault_generic_secret` datasource (#1414)
- `resource/vault_ssh_secret_backend_role`: support configuring multiple public SSH key lengths in vault-1.10+ (#1413)
- `resource/database_secret*`: Add support for configuring TLS, and the `username_template` field for ElasticSearch.
- `resource/pki_secret_backend_cert`: Add support for optionally revoking the certificate upon resource destruction. (#1411)
- `provider`: Add support for setting the `tls_server_name` to use as the SNI host when connecting via TLS. (#1145)
- `docs`: Add links to Learn Tutorials. (#1399)
BUGS:
- `resource/identity_group`: Fix issue where the group's `member_entity_ids` were being unset in error on update. (#1409)
- `resource/transit_secret_backend_key`: Add `auto_rotate_period` field which deprecates `auto_rotate_interval`. (#1402)
BUGS:
- `data/azure_access_credentials`: Fix panic when `tenant_id` and `subscription_id` are specified together; add new `environment` override field (#1391).
IMPROVEMENTS:
- `resource/rabbitmq_secret_backend`: Add support for the `password_policy` and `username_template` fields (#1276)
FEATURES:
- `data/azure_access_credentials`: Add `subscription_id` and `tenant_id` fields to be used during credential validation (#1384)
- Add OIDC Provider support: new resources `vault_identity_oidc_scope`, `vault_identity_oidc_assignment`, `vault_identity_oidc_client`, `vault_identity_oidc_provider`, `vault_identity_oidc_public_keys`, `vault_identity_oidc_openid_config` (#1363)
BUGS:
- `data/azure_access_credentials`: Fix credential validation (#1381).
IMPROVEMENTS:
- `resource/database_secret_backend_connection`: Add `disable_escaping` parameter support to Redshift, HanaDB, Postgres and MSSQL (#1321)
- `resource/transit_secret_backend_key`: Add `auto_rotate_interval` parameter support to Transit Key Backend (#1345)
- `resource/consul_secret_backend_role`: Add support for Consul role (#1366)
- `resource/consul_secret_backend_role`: Add support for Consul namespaces and partitions (#1367)
- `resource/github_auth_backend`: Add support for `organization_id` field (#1296)
- `resource/approle_auth_backend_role_secret_id`: Add `with_wrapped_accessor` to control how the resource ID is set (#1166)
BUGS:
- `resource/identity_group`: Report an error upon duplicate resource creation failure. Document group name caveats. (#1352)
- `resource/pki_secret_backend_root_sign_intermediate`: Fix panic when reading `ca_chain` from Vault (#1357)
- `resource/raft_snapshot_agent_config`: Properly handle nil response on read (#1360)
- `resource/identity_*`: Ensure non-existent entities are handled properly (#1361)
- `resource/identity_group_member_entity_ids`: Properly handle nil `member_identity_ids` on read (#1356)
FEATURES:
- Add KMIP support: new resources `vault_kmip_secret_backend`, `vault_kmip_secret_scope` and `vault_kmip_secret_role` (#1339)
BUGS:
- `resource/kubernetes_auth_backend_config`: Ensure `disable_iss_validation` is honored in all cases (#1315)
- `resource/database_secret_backend_connection`: Add error handling for unrecognized plugins on read (#1325)
- `resource/kubernetes_auth_backend_config`: Prevent persistent diff for `kubernetes_ca_cert` when it is loaded by the backend (#1337)
IMPROVEMENTS:
- `resource/token_auth_backend_role`: Add `allowed_policies_glob` and `disallowed_policies_glob` (#1316)
- `resource/database_secret_backend_connection`: Add support for configuring the secret engine's `plugin_name` (#1320)
- `resource/pki_secret_backend_root_sign_intermediate`: Update schema for `ca_chain` from string to a list of `issuing_ca` and `certificate`, add new `certificate_bundle` attribute that provides the concatenation of the intermediate and issuing CA certificates (PEM encoded) (#1330)
- `resource/azure_secret_backend`: Add support for setting `use_microsoft_graph_api` (#1335)
- `r/d/kubernetes_auth_backend_role`: Add support for setting and getting `alias_name_source` (#1336)
- `resource/database_secret_backend_connection`: Add `username` and `password` fields to all DB Engines that support them (#1331)
- `resource/token_auth_backend_role`: Add support for setting `allowed_entity_aliases` (#1126)
- `resource/ad_secret_backend`: Restore deprecated `formatter`, and `length` fields. (#1341)
- `resource/ldap_auth_backend`: Add support for setting `case_sensitive_names` (#1176)
BUGS:
- `resource/rabbitmq_secret_backend_role`: Add nil check when reading RabbitMQ role from Vault (#1312)
BUGS:
- `resource/aws_secret_backend_role`: Ensure all updated fields are applied (#1277)
IMPROVEMENTS:
- `resource/database_secret_backend_connection`: Add support for configuring Redshift databases (#1279)
- `resource/pki_secret_backend_intermediate_cert_request`: Add support for the `ed25519` key_type (#1278)
- `resource/rabbitmq_secret_backend_role`: Add support for `vhost_topics` (#1246)
- `resource/vault_mount`: Add support for `audit_non_hmac_request_keys` and `audit_non_hmac_response_keys` (#1297)
- `resource/vault_aws_secret_backend`: Add support for `username_template` (#1292)
BUGS:
- Prevent new `entity` read failures when the `VAULT_TOKEN` environment variable is not set (#1270)
FEATURES:
- `provider`: Add support for retrying entity reads for `Client Controlled Consistency` type operations (#1263)
- `provider`: Add support for optionally creating a batch child token via the `skip_child_token` option (#775)
IMPROVEMENTS:
- `data/policy_document`: Add support for `patch` capability for vault-1.9+. (#1238)
- `resource/database_secret_backend_connection`: Add support for InfluxDB connections (#1121)
- `resource/generic_secret`: Add support for deleting all version data for a KV-V2 secret (#1254)
- `resource/database_secret_backend_connection`: Add support for configuring `Contained Databases` for `mssql` (#1259)
- `resource/vault_jwt_auth_backend`: Add `oidc_response_mode`, `oidc_response_types`, and `namespace_in_state` fields (#1244)
- Add better error reporting whenever invalid JSON `metadata` is encountered (#1262)
- `resource/vault_identity_entity_alias`: Add `custom_metadata` support for entity aliases (#1235)
- `resource/approle_auth_backend_role_secret_id`: Update Vault provider to be compatible with Vault 1.9 changes (#1242)
- `provider`: Encrypt logged HTTP secret header values (#1250)
- `provider`: Optionally log request and response bodies (#1251)
BUGS:
- `resource/identity_group_policies`: Fix potential `nil` panic in type conversion for API policies (#1245)
- `resource/aws_secret_backend_role`: Fix for properly detecting changes in the JSON policy document (#1014)
BUGS:
- `resource/aws_secret_backend_role`: Prevent invalid `policy_arns` from being created (#1229)
- `resource/approle_auth_backend_secret_id`: Handle `nil` `cidr_list` introduced in vault-1.9.0 (#1230)
- `resource/kubernetes_auth_backend_config`: Ensure `disable_iss_validation` is properly set in vault-1.9+ (#1231)
FEATURES:
- New Resource `vault_raft_autopilot`: Configure Vault's Raft Autopilot settings (#1210)
IMPROVEMENTS:
- Upgrade Terraform Plugin SDK to v2
- Add support for client controlled consistency on Vault Enterprise (#1188)
- `resource/jwt_auth_backend_role`: Add field `disable_bound_claims_parsing` to disable bound claim value parsing, which is useful when values contain commas (#1200)
- `resource/transform_template`: Add `encode_format` and `decode_formats` fields for `Vault Enterprise` with the `Advanced Data Protection Transform Module` (#1214)
- `data/generic_secret`: Store `lease_start_time` in UTC. (#1216)
- `resource/identity_entity_alias`: Add support for configuring `custom_metadata`. (#1235)
BUGS:
- `data/gcp_auth_backend_role`: Report an error when attempting to access a nonexistent role. (#1184)
- `data/generic_secret`: Ensure `lease_start_time` is stored in RFC3339 format. (#770)
BUGS:
- `resource/vault_raft_snapshot_agent_config`: Fix bug where cloud provider was missing and google_endpoint is returned as false instead of null (#1173)
FEATURES:
- New Database Resource: Added support for the `snowflake-database-plugin` to `vault_database_secret_backend_connection` (#983)
- `resource/vault_raft_snapshot_agent_config`: Provision Raft Snapshot Agent Configurations in Vault Enterprise. (#1139)
IMPROVEMENTS:
- `resource/database_secret_backend_connection`: Add username_template to vault_database_secret_backend_connection (#1103)
- `resource/ldap_auth_backend`: Allow the creation of `local` mounts (#1115)
- `resource/jwt_auth_backend`: Allow the creation of `local` mounts (#1115)
- `resource/consul_secret_backend`: Allow the creation of `local` mounts (#1115)
BUGS:
- `resource/vault_identity_group`: Fix bug where member_entity_ids & member_group_ids were attempted to be managed on external identity groups (#1134)
FEATURES:
- New Resource `vault_gcp_secret_static_account`: Provision Static Accounts in the GCP Secrets Engine (#1094)
IMPROVEMENTS:
- `resource/database_secret_backend/mysql`: Add tls_certificate_key and tls_ca options (#1098)
BUGS:
- `resource/jwt_auth_backend`: Fixed bug where `provider_config` did not configure non-string values correctly (#1118)
- `resource/gcp_auth_backend`: Support importing resource (#1125)
- `resource/okta_auth_backend`: Support importing resource (#1123)
- `resource/audit`: List audit only once during read (#1138)
- `resource/identity_oidc_key`: Error handling for identity oidc key vault calls (#1142)
BUGS:
- `resource/vault_identity_group`: Correctly handle the case of a preexisting identity group, suggest resource import in this case (#1014)
- `resource/jwt_auth_backend`: Reverted (#960) due to migration errors (#1114)
FEATURES:
- New Resource `vault_quota_lease_count`: Adds ability to manage lease-count quotas (Vault Enterprise Feature) (#948)
IMPROVEMENTS:
- Remove last dependency on `github.com/terraform-providers` (#1090)
BUGS:
- `resource/vault_identity_group`: Fix bug where metadata values are not removed if removed from file (#1061)
- `resource/jwt_auth_backend`: Fixed bug where `provider_config` only supported string values (#960)
- `provider`: Fix inconsistent handling of `namespace` when `wrapping_ttl` was specified in any resource (#1107)
FEATURES:
- `data/vault_gcp_auth_backend_role`: Added GCP auth role data source to fetch role ID (#1011)
IMPROVEMENTS:
- `provider/auth_login`: Support AWS STS signing when `method=aws` in `auth_type` (#1060)
- `resource/vault_ldap_auth_backend`: Add `client_tls_cert` and `client_tls_key` options (#1074)
- `resource/vault_identity_entity`: Added additional logging information about entity (#987)
IMPROVEMENTS:
- `resource/vault_azure_secret_backend`: Added support for updating the backend (#1009)
- `resource/vault_aws_secret_backend`: Add `iam_endpoint` and `sts_endpoint` options (#1043)
BUG FIXES:
- `resource/vault_gcp_auth_backend`: Support nested backend paths (#1050)
- `resource/vault_kubernetes_auth_backend_role`: allow unset audience (#1022)
- `resource/vault_identity_entity`: Fix bug where values are not removed if removed from file (#1054)
SECURITY:
- `resource/vault_gcp_auth_backend_role`: Fixed typo in `bound_labels` parameter name causing no values to be applied to created roles CVE-2021-30476 (#1028)
FEATURES:
- New Resource: `terraform_cloud_secret` resources (#959)
IMPROVEMENTS:
- `resource/pki_secret_backend`: Support allowed_domains_template option for vault_pki_secret_backend_role (#869)
BUG FIXES:
- `resource/vault_identity_group`: Don't send `name` parameter unless specified (#1002)
FEATURES:
- New Resource: `vault_password_policy` resource (#927)
IMPROVEMENTS:
- `resource/vault_consul_secret_backend`: Extend consul secret engine definition to cover all vault parameters (#910)
- `resource/vault_jwt_auth_backend`: Added support for `provider_config` (#943)
FEATURES:
- New Data Source: `vault_nomad_access_token` data source (#923)
- New Resource: `vault_nomad_secret_backend` resource (#923)
- New Resource: `vault_nomad_secret_role` resource (#923)
IMPROVEMENTS:
- `resource/vault_audit`: added support for local mount to prevent replicating the audit backend (#915)
- `resource/jwt_auth_backend_role`: Added support for using globs in matching bound_claims (#877)
- `resource/vault_aws_auth_backend_client`: Added `sts_region` parameter (#931)
- `resource/vault_azure_secret_backend_role`: Added support for `azure_groups` (#891)
- `resource/vault_identity_oidc_role`: `client_id` parameter can optionally be configured (#815)
BUG FIXES:
- `resource/vault_identity_entity`: Fixed nil pointer exception (#899)
- `resource/vault_mount`: Fixed bug where mount was deleted when description was changed (#929)
FEATURES:
- New Data Source: `vault_ad_access_credentials` data source (#902)
- New Resource: `vault_ad_secret_backend` resource (#902)
- New Resource: `vault_ad_secret_role` resource (#902)
- New Resource: `vault_ad_secret_library` resource (#902)
IMPROVEMENTS:
- `resource/vault_gcp_auth_backend`: added support for local mount to prevent replicating the secret engine (#861)
- `data.vault_aws_access_credentials`: Add optional ttl parameter to data source (#878)
BUG FIXES:
- `resource/vault_jwt_auth_backend`: Fix possible recurring diff when using `oidc_client_secret` (#803)
FEATURES:
- New Data Source: `vault_transit_decrypt` data source (#872).
- New Data Source: `vault_transit_encrypt` data source (#872).
IMPROVEMENTS:
- `resource/vault_gcp_secret_backend`: added support for `local` mount to prevent replicating the secret engine (#855)
- `resource/vault_ssh_secret_backend_role`: added support for new `allowed_users_template` argument (#875)
- `resource/vault_ssh_secret_backend_role`: added support for new `algorithm_signer` argument (#809)
- `resource/vault_kubernetes_auth_backend_config`: Add `disable_iss_validation` and `disable_local_ca_jwt` config parameters to k8s auth backend (#870)
- `data/vault_kubernetes_auth_backend_config`: Add `disable_iss_validation` and `disable_local_ca_jwt` config parameters to k8s auth backend (#870)
FEATURES:
- New Resource: `vault_quota_rate_limit` resource to manage resource quota limit (#825).
BUG FIXES:
- `resource/vault_aws_secret_backend_role`: fix AWS Secrets Engine Role resource to allow only IAM Groups (#862)
- `resource/vault_ssh_secret_backend_ca`: detect misconfigured resource and remove from state (#856)
IMPROVEMENTS:
- `resource/transit_secret_backend_key`: add support for the Vault-supported `rsa-3072` key type (#773)
- `data.vault_generic_secret`: Mark `data` and `data_json` as `Sensitive` (#844)
- Add `iam_groups` to `vault_aws_secret_backend_role` (#826)
- Add support for `uri_sans` parameter for resource `vault_pki_secret_backend_cert` (#759)
BUG FIXES:
- `data/vault_generic_secret`: Fix perpetual diff when using Terraform v0.13.0 (#849)
- `data.vault_aws_access_credentials`: Re-add support for passing region information stored in Vault backend to AWS Config (#841)
BUG FIXES:
- `data.vault_aws_access_credentials`: Revert #832, which inadvertently introduced issues when the token policy did not have the required permissions to read the root configuration. (#837)
BUG FIXES:
- `data.vault_aws_access_credentials`: Add support for passing region information stored in Vault backend to AWS Config (#832)
FEATURES:
- New Resource: `vault_identity_group_member_entity_ids` (#724).
- New Resource: `vault_transform_alphabet` (#783).
- New Resource: `vault_transform_role` (#783).
- New Resource: `vault_transform_template` (#783).
- New Resource: `vault_transform_transformation` (#783).
- New Data Source: `vault_transform_encode` data source (#783).
- New Data Source: `vault_transform_decode` data source (#783).
IMPROVEMENTS:
- resource/vault_mount: Adds support for the `external_entropy_access` field (#792).
- resource/vault_jwt_auth_backend: enable existing JWT Auth backends to be imported (#806).
- resource/vault_jwt_auth_backend: store `type` and `tune` information in state (#806).
IMPROVEMENTS:
- Add `headers` provider configuration setting to allow setting HTTP headers for all requests to the Vault server (#730).
BUG FIXES:
- `vault_jwt_auth_backend`: Fix plan error when `oidc_discovery_url`, `jwks_url`, or `jwt_validation_pubkeys` is set to a value that is not known until apply time (#753).
- `vault_pki_secret_backend_root_cert`, `vault_pki_secret_backend_root_sign_intermediate`, and `vault_pki_secret_backend_sign`: Fix `serial` field (#761).
- `vault_token`: Avoid panic when `vault_token` is gone from the server (#740).
- `vault_approle_auth_backend_role`: Fix perpetual diff when `policies` and `period` are updated to be `token_policies` and `token_period` (#744).
- `vault_jwt_auth_backend_role`: Fix crash when `bound_audiences` is empty (#763).
- `vault_identity_group`: Fix removal of `policies`, `member_group_ids`, and `member_entity_ids` (#766).
FEATURES:
- Add `vault_azure_access_credentials` data source that retries creds before returning them (#713).
- To `vault_database_secret_backend_connection`, add support for the `elasticsearch-database-plugin` (#704).
IMPROVEMENTS:
- Add `add_address_to_env` argument to set the value of the provider's address argument as the VAULT_ADDR environment variable in the Terraform process, enabling VAULT_ADDR external token helpers to work with this provider (#651).
- Provide the ability to encrypt generated tokens using Keybase when using `/auth/token/create`, `/auth/token/create-orphan`, or `/auth/token/create/{role_name}` (#686).
BUG FIXES:
- In `vault_aws_auth_backend_role`, allow `role_arns` and `policy_arns` to be used together (#710).
FEATURES:
- Add `vault_alicloud_auth_backend_role` resource (#673).
IMPROVEMENTS:
- Allow `/` character in the group_name field of the `okta_auth_backend_group` resource (#687).
- Support `not_before_duration` property in `pki_secret_backend_role` (#698).
BUG FIXES:
- Fix `vault_cert_auth_backend_role` deletion (#690).
- Fix `use_token_groups` changes not being applied properly in `vault_ldap_auth_backend` resource (#674).
IMPROVEMENTS:
- Adds ability to choose a specific AWS ARN in vault_aws_access_credentials when a Vault role has multiple ARNs configured (#661).
- Updates to Go 1.13 (#642).
- Adds doc on multiple namespace support (#654).
- Sorts `vault_policy_document` data source allowed/denied parameters by key name (#656).
- Adds support to `vault_auth_backend` for common backend tune parameters. Also allows updating Max TTL, Default TTL and Visibility Listing tuning settings on `vault_auth_backend` without forcing a new resource (#650).
BUG FIXES:
- Fix panic when reading unconfigured PKI mount URLs (#641).
- Update JWT bound_audiences to be optional (#649).
- Solves permanent diff with the Mongo database connection URL (#659 and #662).
- Fixes an issue where the "vault_ldap_auth_backend_user" resource did not respect an empty `groups` value (#655).
BUG FIXES:
- For the `/gcp/config` endpoint, fixes issue where credentials weren't being updated when changed (#635).
- For the `/aws/config/root` endpoint, no longer requires `access_key` or `secret_key` (#634).
FEATURES:
- For the `/sys/auth` endpoint, adds a new data source (#606).
IMPROVEMENTS:
- For the Vault child token created for Terraform to use during a run, adds a `token_name` field for easier identification in Vault (#594).
- For the `/ssh/roles/{role}` endpoint, adds support for `allowed_user_key_lengths` (#605).
- For the `/sys/mounts/{path}` endpoint, adds support for `seal_wrap` (#616).
- For the `/auth/kubernetes/config` endpoints, adds support for `issuer` (#601).
- For the `/auth/kubernetes/role/{name}` endpoints, adds support for `audience` (#601).
BUG FIXES:
- For the `/identity/entity-alias` endpoint, fixes updates to the `name` field (#610).
FEATURES:
- Adds a resource for the `/database/static-roles/{name}` endpoint (#577).
- Adds a resource for the `/identity/lookup/entity` endpoint (#587).
IMPROVEMENTS:
- Improved deprecation notices for Vault 1.2 token.* fields (#565).
- Adds new JWT Auth role fields introduced with Vault 1.2 (#566).
- Eliminates the need to add an outer delay while waiting for AWS creds to propagate (#571).
- For the `/consul/roles/{name}` endpoint, adds support for `ttl`, `max_ttl`, `token_type`, and `local` fields (#581).
- For the `/sys/namespaces/{path}` endpoint, uses the `path` for the namespace ID to allow imports (#570).
BUG FIXES:
- Fix panic when trying to write an entity alias that already exists (#573).
IMPROVEMENTS:
- Migrates to using the standalone Terraform plugin SDK (#558).
FEATURES:
- Adds support for alternative auth methods using a method-agnostic implementation (#552).
- Adds a resource for the "/consul/roles/{name}" endpoint (#480).
- Adds a resource for the "/pki/config/crl" endpoint (#506).
IMPROVEMENTS:
- Adds support for Vault 1.2+ token fields to LDAP auth (#553)
- Adds support for configuring the Transit cache (#548)
- Adds support for updates to the identity group alias field (#536).
- Adds support for reading the AWS access key and region from the AWS client config (#539).
- In AWS auth, only updates the access key and secret if they've changed (#540).
- Adds support for `root_rotation_statements` in the database secret engine's connection params (#530).
- Adds support for `token_type` and `allowed_response_headers` in Github and JWT auth backends (#556).
BUG FIXES:
- Fixes incorrect handling of user and team policies in the Github auth backend (#543).
IMPROVEMENTS:
- Adds support for importing roles in "vault_gcp_auth_backend_role" (#517).
- Adds support for importing groups in "vault_okta_auth_backend_group" (#514).
- Adds JWKS configuration options to "vault_jwt_auth_backend" (#483).
- Adds support for response wrapping to "vault_approle_auth_backend_role_secret_id" (#518).
BUG FIXES:
- Fixes an issue where using mount type "kv-v2" in "vault_mount" would continuously recreate the resource (#515).
- Fixes an issue where the "vault_token" resource would try to renew the access token instead of the resource token (#423).
- In the "vault_gcp_auth_backend", marks "credentials" as optional rather than required (#509).
- Fixes an issue where "vault_pki_secret_backend_config_urls" was forming an invalid URL for updating (#512).
FEATURES:
- Adds a datasource for the "/identity/lookup/entity" and "/identity/lookup/group" endpoints (#494).
- Adds a resource for the "/azure/roles/{name}" endpoint (#493).
- Adds a resource for the "/identity/oidc/config", "/identity/oidc/key/{name}", "/identity/oidc/key/{key_name}", and "/identity/oidc/role/{name}" endpoints (#488).
- Adds a resource for the "/transit/keys/{name}" endpoint (#477).
- Adds a resource for the "/sys/mfa/method/duo/{name}" endpoint (#443).
- Adds a resource for the "/azure/config" endpoint (#481).
IMPROVEMENTS:
- Adds a lock to prevent races in identity group resources (#492 and #495).
- Adds support for new common token fields on roles that were introduced in Vault 1.2.0 (#478 and #487).
- Adds the ability to run a coverage report to learn what Vault OpenAPI endpoints are and aren't supported (#466).
- Exposes the "local" flag on the `vault_mount` resource (#462).
BUG FIXES:
- resource/aws_auth_backend_client: Backend supports nested paths (#461).
- Adds "ForceNew" to the "groupname" parameter on the LDAP auth groups endpoint so if there's a change, the old group is deleted (#465).
- Fixes issue with a permanent diff in `vault_gcp_secret_roleset` (#476).
IMPROVEMENTS:
- For `aws_secret_backend_role`, adds support for `default_sts_ttl` and `max_sts_ttl` (#444).
BUG FIXES:
- Fixes ordering issues with `aws_auth_backend_role` and `aws_auth_backend_role_tags` (#439).
- Supports providing lists for `bound_claims` (#455).
- Resolves issue with persistent diffs on `vault_generic_secret` (#456).
FEATURES:
- Adds support for using the Vault provider with Terraform 0.12. See the upgrade guide (#446)
BACKWARDS INCOMPATIBILITIES/NOTES:
- `all`: deprecated fields are now removed (#446)
- `auth_backend`: the `path` field and `id` now no longer have a trailing slash (#446)
- `database_secret_backend_role`: the `_statements` fields are now a list, not strings (#446)
- `pki_secret_backend_config_urls`: the certificate fields are now lists, not strings (#446)
- `pki_secret_backend_role`: the certificate fields are now lists, not strings (#446)
- `pki_secret_backend_sign`: the `ca_chain` field is now a list, not a string (#446)
- `rabbitmq_secret_backend_role`: the `vhosts` field is now a `vhost` block (#446)
IMPROVEMENTS:
- `azure_auth_backend_role`: `client_secret` will now be set in state (#446)
BUG FIXES:
- `namespace`: namespaces will now be removed from state instead of erroring when they're not found (#446)
IMPROVEMENTS:
- Adds support for `role_arns` on `aws_secret_backend_role` (#407).
- Updates the vendored version of Vault to 1.1.2 so features introduced since then can be added (#413).
- Implements `accessor` attribute on the Okta auth backend (#420).
- Allows the Vault token to be read from the environment (#434).
- Supports `project_id` and `bound_projects` in the GCP auth backend's roles (#411).
BUG FIXES:
- Fixes a case on `vault_aws_auth_backend_role` where `resolve_aws_unique_ids` could not be updated from `true` to `false` without recreating the resource (#382).
- Removes default TTLs from the GCP secret backend resource, letting them instead be set by Vault (#426).
FEATURES:
- Adds OIDC support to the JWT auth backend (#398).
- New Resource: Adds a `vault_pki_secret_backend_config_urls` resource (#399).
IMPROVEMENTS:
- Adds support for automatically renewing certificates in the PKI certs backend (#386).
- Adds support for `uri_sans` in the PKI secret backend (#373).
- Allows a user to delete all policies in the AWS auth role resource (#395).
BUG FIXES:
- Fixes the ability to handle JWT roles that lack policies (#389).
- Allows `vault_ldap_auth` resources to be imported (#387).
- Fixes issue with trailing slashes for the Vault namespaces resource (#391).
- Fixes a bug with namespaces where the path was being overwritten (#396).
FEATURES:
- New Resource: Adds a "Flexible Generic Secret" resource so it can be used to consume Vault APIs that don't yet have a resource (#244).
- New Resource: Adds a token resource (#337).
- New Resource: Adds a GCP secret roleset resource (#312).
- New Resource: Adds a `vault_identity_group_policies` resource (#321).
IMPROVEMENTS:
- For the LDAP auth method, adds support for the `use_token_groups` field (#367).
- Adds the ability to set `max_retries` on the Vault client (#355).
- For the Github auth method, adds support for the `accessor` field (#350).
- For the generic secrets resource, adds support for a `data` field (#330).
- For the JWT auth backend, adds support for a `groups_claim_delimiter_pattern` on roles (#296).
- For the JWT auth backend, adds a `role_type` field (#317).
- For the JWT auth backend, adds a `jwt_supported_algs` field (#345).
BUG FIXES:
- Fixes TTL parsing on PKI certificate creation (#314).
- Fixes ability to update the `data` field on database secrets engine connections (#340).
- Unmarks `policy_document` and `policy_arns` from being in conflict with each other (#344).
FEATURES:
- Adds compatibility with Vault 1.0 (#292).
- New Resource: Supports the SSH secrets engine role endpoint (#285, #303, and #331).
- New Data Source: Adds a `vault_policy_document` data source (#283).
- New Resource: Adds a namespace resource (#338).
IMPROVEMENTS:
- Adds a guide for how to contribute in the least iterations possible.
- For the TLS Certificates auth method, adds support for the following role fields: `allowed_common_names`, `allowed_dns_sans`, `allowed_email_sans`, `allowed_uri_sans`, and `allowed_organization_units` (#282).
- For the GCP auth method, adds support for the following role fields: `add_group_aliases`, `max_jwt_exp`, and `allow_gce_inference` (#308 and #318).
- For the Kubernetes auth method, adds support for `bound_cidrs` (#305).
- For `vault_identity_group`, fixes issue with `policies` not being updated properly (#301).
- For the AWS secret engine, updates to the current role fields (#323).
BUG FIXES:
- Marks the `token_reviewer_jwt` sensitive (#282).
- Fixes an issue where boolean parameters were not set when the value was false in the AWS role resource (#302).
- Guards for a nil CA chain in `resource_pki_secret_backend_cert` (#310).
FEATURES:
- Adds support for namespaces (#262)
- Adds support for EGP and RGP, a.k.a. Sentinel (#264)
- New Resource: Supports the PKI secrets backend (#158)
- New Resource: Supports identity entities and entity aliases (#247 and #287)
- New Resource: Supports Github auth backend (#255)
- New Resource: Supports Azure auth backend (#275)
- New Resource: Supports JWT auth backend (#272)
BUG FIXES:
- Fixes a panic related to `max_connection_lifetime` parameters in the database secrets backends (#250)
- Fixes issue where the `role_name` on `token_auth_backend_role` would not be updated (#279)
- Fixes wrong response data from `gcp_auth_backend_role` (#243)
BUG FIXES:
- Fixes an issue with database resources where db statements were overwritten when not provided (#260)
FEATURES:
- New Resource: `vault_gcp_auth_backend` (#198)
- New Resource: `vault_identity_group` (#220)
- New Resource: `vault_identity_group_alias` (#220)
IMPROVEMENTS:
- Makes `gcp_secret_backend` credentials optional (#239)
- Adds more configuration parameters for `auth_backend` (#245)
BUG FIXES:
- Fixes issue with `vault_database_secret_backend_connection` always updating the connection URL (#217)
BUG FIXES:
- Solves issue where the incorrect KV store was selected for older Vault versions as described in #229.
FEATURES:
- New Resource: Supports KV V2 (#156)
- New Resource: `vault_gcp_secret_backend` (#212)
- New Resource: `vault_aws_auth_backend_roletag_blacklist` (#27)
- New Resources: `vault_rabbitmq_secret_backend` and `vault_rabbitmq_secret_backend_role` (#216)
IMPROVEMENTS:
- Adds `bound_zones`, `bound_regions`, `bound_instance_groups`, and `bound_labels` for GCP auth roles via #227
- Exports the LDAP auth backend `accessor` via #195
- Allows for templated database backends via #168
BUG FIXES:
- #222 ensures that booleans on AWS roles default to values matching Vault's defaults
FEATURES:
- New Resource: `vault_jwt_auth_backend_role` (#188)
- New Resources: `vault_kubernetes_auth_backend_config` and `vault_kubernetes_auth_backend_role` (#94)
- New Resource: `vault_ssh_secret_backend_ca` (#163)
- New Feature: Support for the Vault token helper (#136)
IMPROVEMENTS:
- Re-adds changes to `vault_aws_auth_backend_role` from #53
- Adds backwards compatibility for the above via #189
- Adds `bound_ec2_instance_id` to `vault_aws_auth_backend_role` (#135)
- Adds `mysql_rds`, `mysql_aurora`, and `mysql_legacy` to the MySQL backend via #87
- Makes audit device path optional via #180
- Adds the field `accessor` to `resource_auth_backend` and `resource_mount` via #150
- Marks `bindpass` as sensitive in the `vault_ldap_auth_backend` (#184)
BUG FIXES:
BUG FIXES:
- Reverts breaking changes to `vault_aws_auth_backend_role` introduced by (#53)
FEATURES:
- New Resource: `vault_consul_secret_backend` (#59)
- New Resource: `vault_cert_auth_backend_role` (#123)
- New Resource: `vault_gcp_auth_backend_role` (#124)
- New Resource: `vault_ldap_auth_backend` (#126)
- New Resource: `vault_ldap_auth_backend_user` (#126)
- New Resource: `vault_ldap_auth_backend_group` (#126)
FEATURES:
UPDATES:
- Update to vendoring Vault 0.11.1. Introduces some breaking changes for some back ends so update with care.
BUG FIXES:
- Fix panic in `vault_approle_auth_backend_role` when used with Vault 0.10 (#103)
FEATURES:
- New Resource: `vault_okta_auth_backend` (#8)
- New Resource: `vault_okta_auth_backend_group` (#8)
- New Resource: `vault_okta_auth_backend_user` (#8)
- New Resource: `vault_approle_auth_backend_login` (#34)
- New Resource: `vault_approle_auth_backend_role_secret_id` (#31)
- New Resource: `vault_database_secret_backend_connection` (#37)
BUG FIXES:
- Fix bug in `policy_arn` parameter of `vault_aws_secret_backend_role` (#49)
- Fix panic in `vault_generic_secret` when reading a missing secret (#55)
- Fix bug in `vault_aws_secret_backend_role` preventing use of nested paths (#79)
- Fix bug in `vault_aws_auth_backend_role` that failed to update the role name when it changed (#86)
BACKWARDS INCOMPATIBILITIES / NOTES:
- `vault_auth_backend`'s ID has changed from the `type` to the `path` of the auth backend. Interpolations referring to the `.id` of a `vault_auth_backend` should be updated to use its `.type` property. (#12)
- `vault_generic_secret`'s `allow_read` field is deprecated; use `disable_read` instead. If `disable_read` is set to false or not set, the secret will be read. If `disable_read` is true and `allow_read` is false or not set, the secret will not be read. If `disable_read` is true and `allow_read` is true, the secret will be read. (#17)
FEATURES:
- New Data Source: `aws_access_credentials` (#20)
- New Resource: `aws_auth_backend_cert` (#21)
- New Resource: `aws_auth_backend_client` (#19)
- New Resource: `aws_auth_backend_login` (#28)
- New Resource: `aws_auth_backend_role` (#24)
- New Resource: `aws_auth_backend_sts_role` (#22)
IMPROVEMENTS:
- `vault_auth_backend`s are now importable. (#12)
- `vault_policy`s are now importable (#15)
- `vault_mount`s are now importable (#16)
- `vault_generic_secret`s are now importable (#17)
BUG FIXES:
NOTES: