Unreleased

FEATURES:

Update vault_database_secret_backend_connection to support inline TLS config for PostgreSQL (#2339)
Update vault_database_secret_backend_connection to support skip_verification config for Cassandra (#2346)
Update vault_approle_auth_backend_role_secret_id to support num_uses and ttl fields (#2345)
Add support for use_annotations_as_alias_metadata field for the vault_kubernetes_auth_backend_config resource (#2206)
Add support for allow_empty_principals field for the vault_ssh_secret_backend_role resource (#2354)
Update vault_gcp_secret_impersonated_account to support setting ttl (#2318)
Add support for connection_timeout field for the vault_ldap_auth_backend resource (#2358)
Add support for Rootless Configuration for Static Roles to Postgres DB (#2341)

4.4.0 (Aug 7, 2024)

FEATURES:

Update vault_aws_secret_backend_role to support setting session_tags and external_id (#2290)

BUGS:

fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#2308)
fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#2289)

4.3.0 (Jun 17, 2024)

FEATURES:

Add support for iam_tags in vault_aws_secret_backend_role (#2231).
Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+.: (#2133).
Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2249).
Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#2250)
Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#2243).
Add support for new WIF fields in vault_gcp_auth_backend (#2256)
Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#2254).
Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#2246)
Support missing token parameters on vault_okta_auth_backend resource: (#2210)
Add support for max_retries in vault_aws_auth_backend_client: (#2270)
Add new resources vault_plugin and vault_plugin_pinned_version: (#2159)
Add key_type and key_bits to vault_ssh_secret_backend_ca: (#1454)

IMPROVEMENTS:

return a useful error when delete fails for the vault_jwt_auth_backend_role resource: (#2232)
Remove dependency on github.com/hashicorp/vault package: (#2251)
Add missing custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#2247)

4.2.0 (Mar 27, 2024)

FEATURES:

Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#2202)
Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#2180).
Add new data source vault_namespace. Requires Vault Enterprise: (#2208).
Add new data source vault_namespaces. Requires Vault Enterprise: (#2212).

IMPROVEMENTS:

Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#2202)

BUGS:

fix vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#2204)
fix vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#2207)
fix vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#2207)

4.1.0 (Mar 20, 2024)

CHANGES TO VAULT POLICY REQUIREMENTS:

Important: This release requires read policies to be set at the path level for mount metadata. The v4.0.0 release required read permissions at sys/auth/:path which was a sudo endpoint. The v4.1.0 release changed that to instead require permissions at the sys/mounts/auth/:path level and sudo is no longer required. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#2154).

IMPROVEMENTS:

do not require sudo permissions for auth read operations (#2198)

BUGS:

fix vault_azure_access_credentials to default to Azure Public Cloud (#2190)

4.0.0 (Mar 13, 2024)

Important: This release requires read policies to be set at the path level for mount metadata. For example, instead of permissions at sys/auth you must set permissions at the sys/auth/:path level. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#1949).
Add support to enable_templating in vault_pki_secret_backend_config_urls (#2147).
Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#2128).
Improve logging to track full API exchanges between the provider and Vault (#2139)
Add new vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#2159)

IMPROVEMENTS:

Improve performance of READ operations across many resources: (#2145), (#2152)
Add the metadata version in returned values for vault_kv_secret_v2 data source: (#2095)
Add new secret sync destination fields: (#2150)

BUGS:

Handle graceful destruction of resources when approle is deleted out-of-band (#2142).
Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role (#2156).
Ensure proper use of issuer endpoints for root sign intermediate resource: (#2160)
Fix issuer data overwrites on updates: (#2186)

3.25.0 (Feb 14, 2024)

FEATURES:

Add destination and association resources to support Secrets Sync. Requires Vault 1.16+ (#2098).
Add support for configuration of plugin WIF to the AWS Secret Backend. Requires Vault 1.16+ (#2138).
Add support for Oracle database plugin configuration options split_statements and disconnect_sessions: (#2085)

IMPROVEMENTS:

Add an API client lock to the vault_identity_group_alias resource: (#2140)

3.24.0 (Jan 17, 2024)

FEATURES:

Add support for ext_key_usage_oids in vault_pki_secret_backend_role (#2108)
Adds support to vault_gcp_auth_backend for common backend tune parameters (#1997).
Adds support to vault_azure_secret_backend_role for sign_in_audience and tags. Requires Vault 1.16+. (#2101).

BUGS:

fix vault_kv_secret_v2 drift when "data" is in secret name/path (#2104)
fix vault_database_secret_backend_connection: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key (#2106)
Fix ignored description updates for aws_secret_backend resource (#2057)

IMPROVEMENTS:

Updated dependencies (#2129):
- cloud.google.com/go/iam v1.1.2 -> v1.1.5
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 -> v1.9.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 -> v1.5.0
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 -> v1.2.0
- github.com/aws/aws-sdk-go v1.45.24 -> v1.49.22
- github.com/google/uuid v1.3.1 -> v1.5.0
- github.com/hashicorp/go-hclog v1.5.0 -> v1.6.2
- github.com/hashicorp/go-retryablehttp v0.7.4 -> v0.7.5
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 -> v0.1.8
- github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0 -> v2.31.0
- github.com/hashicorp/vault-plugin-auth-jwt v0.17.0 -> v0.18.0
- github.com/hashicorp/vault/sdk v0.10.0 -> v0.10.2
- golang.org/x/crypto v0.14.0 -> v0.18.0
- golang.org/x/net v0.15.0 -> v0.20.0
- golang.org/x/oauth2 v0.12.0 -> v0.16.0
- google.golang.org/api v0.144.0 -> v0.156.0
- google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 -> v0.0.0-20240116215550-a9fa1716bcac
- k8s.io/utils v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240102154912-e7106e64919e

3.23.0 (Nov 15, 2023)

FEATURES:

Add support for lazily authenticating to Vault: (#2049)

BUGS:

Fix vault_identity_group loses externally managed policies on updates when external_policies = true (#2084)
Fix regression in vault_azure_access_credentials where we returned prematurely on 401 responses:(#2086)

3.22.0 (Nov 1, 2023)

FEATURES:

Add support for configuring SAML Auth resources (#2053)
Add support for custom_metadata on vault_namespace: (#2033)
Add support for OCSP* role fields for the cert auth resource: (#2056)
Add field set_namespace_from_token to Provider configuration (#2070)
Support authenticating to the root namespace from within an auth_login*: (#2066)

BUGS:

Fix panic when reading client_secret from a public oidc client (#2048)
Fix API request missing roles field for mongodbatlas_secret_role resource (#2047)
Fix bug when updating vault_azure_secret_backend_role: (#2063)
Fix audience string ordering for auth_login_gcp causing GCE auth to fail (#2064)

IMPROVEMENTS:

Updated dependencies: (#2038)
- github.com/aws/aws-sdk-go v1.44.106 -> v1.45.24
Updated dependencies: (#2050)
- github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0 -> v1.8.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2 -> v1.4.0
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v0.3.1 -> v1.1.1
- github.com/Azure/go-autorest/autorest v0.11.29 removed

3.21.0 (Oct 9, 2023)

FEATURES:

Add GCP CloudSQL support to Postgres, MySQL DB engines: (#2012)
Add support for DB Adv TTL Mgmt: (#2011)
Add support for setting not_before_duration argument on vault_ssh_secret_backend_role: (#2019)
Add support for hmac key type and key_size to vault_transit_secret_backend_key: (#2034)
Add support for roles to both rate limit and lease count quotas: (#1994)
Add allowed_email_sans field to write and update functions of vault_cert_auth_backend_role: (#1140)
Add support for local parameter in aws secret engine: (#2013)

BUGS:

Fix duplicate timestamp and incorrect level messages: (#2031)
Fix panic when setting key_usage to an array of empty string and enable it to unset the key usage constraints: (#2036)
Add state migrator for external_member_group_ids in Identity Group (#2043)
Fix drift detection for the kv-v2 secrets resource when disable_read is enabled: (#2039)
Add state migrator in secrets/auth backends for disable_remount parameter (#2037)
Fix failure when auth_login is specified and vault token is picked up from the runtime/execution environment: (#2029)
Remove logging of password key: (#2044)

IMPROVEMENTS:

Oracle DB engine enablement on HCP Vault: (#2006)
Ensure sensitive values are masked in vault_approle_auth_backend_login plan output (#2008)
Updated dependencies: (#2038)
- cloud.google.com/go/compute v1.10.0 removed
- cloud.google.com/go/compute/metadata v0.2.3 added
- cloud.google.com/go/iam v0.3.0 -> v1.1.2
- github.com/Azure/go-autorest/autorest v0.11.24 -> v0.11.29
- github.com/cenkalti/backoff/v4 v4.1.2 -> v4.2.1
- github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f -> v0.0.0-20230601102743-20bbbf26f4d8
- github.com/denisenkom/go-mssqldb v0.12.0 -> v0.12.3
- github.com/go-sql-driver/mysql v1.6.0 -> v1.7.1
- github.com/google/uuid v1.3.0 -> v1.3.1
- github.com/gosimple/slug v1.11.0 -> v1.13.1
- github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 -> v1.4.1-0.20200723130312-85980079f637
- github.com/hashicorp/go-retryablehttp v0.7.1 -> v0.7.4
- github.com/hashicorp/terraform-plugin-sdk/v2 v2.16.0 -> v2.29.0
- github.com/hashicorp/vault-plugin-auth-jwt v0.13.2-0.20221012184020-28cc68ee722b -> v0.17.0
- github.com/hashicorp/vault-plugin-auth-kerberos v0.8.0 -> v0.10.1
- github.com/hashicorp/vault-plugin-auth-oci v0.13.0-pre -> v0.14.2
- github.com/hashicorp/vault/api v1.9.3-0.20230628215639-3ca33976762c -> v1.10.0
- github.com/hashicorp/vault/sdk v0.6.0 -> v0.10.0
- github.com/jcmturner/gokrb5/v8 v8.4.2 -> v8.4.4
- golang.org/x/crypto v0.6.0 -> v0.14.0
- golang.org/x/net v0.7.0 -> v0.15.0
- golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 -> v0.12.0
- google.golang.org/api v0.98.0 -> v0.144.0
- google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e -> v0.0.0-20231002182017-d307bd883b97
- k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 -> v0.0.0-20230726121419-3b25d923346b

3.20.1 (Sep 13, 2023)

IMPROVEMENTS:

Update dependencies (#1958)
- github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 -> v0.2.3
Add local variable to aws_secret_backend resource, in order to mark the mount as non - replicated

BUGS:

Update k8s-auth config to support unsetting the K8s CA Cert: (#2005)

3.20.0 (Aug 30, 2023)

FEATURES:

Add support for setting permanently_delete argument on resource_azure_secret_backend_role: (#1958)
Add use_sts_region_from_client to AWS Auth Config: (#1963)
Add accessor attribute for vault_gcp_auth_backend resource: (#1980)

BUGS:

Fixes a panic that can occur when Vault lookup-self API returns nil token info (#1978)
Resolve TF state for PKI Multi-Issuer workflows: (#1973)
Check the seal-status on the default namespace: (#1967)

3.19.0 (Aug 2, 2023)

FEATURES:

Add support for User ID configuration for PKI Secrets Engine: (#1936)
Add support for use_sts_region_from_client in vault_aws_auth_backend_client available in Vault v1.15.0+: (#1963)

BUGS:

auth/aws: enable namespace support for AWS backend config identity: (#1961)
Retry Write on kv-v2 config: (#1955)
Update vault_identity_entity to exclude policies from Vault request if external_policies is true: (#1950)
Bump Go version to fix macOS resolver issue: (#1941)

3.18.0 (Jul 12, 2023)

FEATURES:

Add support to set default issuers configuration for PKI Secrets Engine: (#1937)
Add new auth_login_token_file method: (#1928)
Update HTTP transport wrapper to support TLSConfig cloning: (#1926)

BUGS:

secrets/pki: fix server_flag being ignored: (#1933)

3.17.0 (June 21, 2023)

FEATURES:

Add support for multi-issuer functionality to PKI: (#1910)
Add x509 support to database roles: (#1901)
Add AWS Static Roles support: (#1877)
Add support for max_page_size in the vault_ldap_auth_backend: (#1878)

BUGS:

Fix DB Engine password overwrite for remaining databases: (#1912)

3.16.0 (June 7, 2023)

FEATURES:

Add support for LDAP secrets engine: (#1859)
Add new data source vault_auth_backends: (#1827)
Support allowed_domains_template on ssh_secret_backend_role. Fixes #1675: (#1676)

IMPROVEMENTS:

Add support for retrying kv-v2 secret data writes: (#1887)
Add back support for deriving the provider namespace from the Vault token's: (#1841)

BUGS:

Fix DB engine password overwrite: (#1876)
azure/auth: fix config path parsing: (#1871)

3.15.2 (May 3, 2023)

BUGS:

Revert #1830 which introduced a unexpected breaking change in the way authentication is done within a namespace: (#1840)

3.15.1 (May 3, 2023)

BUGS:

Ensure that the auth_login honours the provider's namespace: (#1830)

3.15.0 (April 17, 2023)

FEATURES:

Add support for MongoDB Atlas Secrets engine: (#1816)

BUGS:

Fix panic while importing namespaces: (#1818)
Avoid writing empty strings to Vault when creating PKCS managed keys: (#1803)
Fix possible panic with autopilot import: (#1801)
Ensure that the qr_size can be properly configured for MFA TOTP: (#1750)

3.14.0 (March 15, 2023)

FEATURES:

Add PKI Unified CRL parameters: (#1789)
Add resource for GCP impersonated account support: (#1745)

BUGS:

Add nil check for IsEnterpriseSupported util: (#1787)
Fix KV incorrect metadata path for prefixed mounts: (#1781)

3.13.0 (February 17, 2023)

FEATURES:

Add new resource for AWS Auth Backend config identity: (#1724)
Support default_user_template field on vault_ssh_secret_backend_role: (#1725)

IMPROVEMENTS:

Secrets from the AD, AWS, Azure & Nomad Secrets Engines are sensitive: (#1726)
Add enterprise check for new Raft Autopilot parameter: (#1721)

BUGS:

Fix KVV2 datasource upon retrieval of soft deleted secrets: (#1760)
Fix issue where removing optional fields in database secrets backend connection resource did not reset the fields to their default values: (#1737)
Fix construction of metadata path in KV V2 resource: (#1722)

3.12.0 (January 5, 2023)

IMPROVEMENTS:

Add support for importing the PKI CRL config: (#1710)
Ensure duplicate alias names are handled properly in LookupEntityAlias: (#1708)
Add support for a Raft Autopilot State datasource: (#1705)
Add support for adding metadata to a KV V2 Secret: (#1687)
Set AWS credentials sensitive: (#1678)
Set ForceNew on the path field of namespaces: (#1713)

BUGS:

Fix removed MSGraph param in Azure Secrets: (#1682)
Fix KV V2 data source when specifying a version: (#1677)
Ensure that vault_kv_secret_backend_v2 mount is correctly imported: (#1701)

3.11.0 (November 16, 2022)

IMPROVEMENTS:

Add Basic Constraints attribute to vault_pki_secret_backend_intermediate_cert_request: (#1661)
Add Redis database secrets engine support: (#1659)
Add support for setting deletion_allowed on a transformation: (#1650)

BUGS:

Fix panic while importing MFA Duo resource: (#1669)
Fix GCP auth with service account credentials: (#1648)

3.10.0 (October 26, 2022)

IMPROVEMENTS:

Add support for externally managed Group Member IDs to Vault Identity Group: (#1630)
Support configuring vault version handling: (#1646)

BUGS:

Ensure that namespaced github auth mounts are destroyed: (#1637)
Ensure all AuthLogin instances are validated on call to Login(): (#1631)

3.9.1 (October 06, 2022)

BUGS:

Use the correct AWS login headers within auth_generic: (#1625)
Fix resource recreation following out-of-band changes in Vault: (#1567)

3.9.0 (October 05, 2022)

IMPROVEMENTS:

Add first-class Azure login support: (#1617)
Add first-class OIDC andJWT login support: (#1615)
Add first-class OCI login support: (#1614)
Add first-class Radius login support: (#1609)
Add first-class Kerberos login support: (#1608)
Add first-class GCP login support: (#1607)
Add first-class TLS certificates login support: (#1605)
Add first-class auth login config support for AWS: (#1599) (#1618)
Add support for login MFA resources: (#1620)
Add Managed Keys support: (#1508)
Add support to perform semantic version comparisons against Vault's server version: (#1426)
Add Mount Migration support to all secrets/auth backends: (#1594)
Use new semantic version checking for Consul secrets backend logic: (#1593)
Docs: Fix vault_kv_secret_backend_v2 delete_version_after example: (#1602)
Support creating Azure secret backend role by specifying the role_id: (#1573)
Add Redis ElastiCache database secrets engine support: (#1596)
vault_pki_secret_backend_cert: Report when renewal is pending: (#1597)
Accept data source values in the token field for Consul secrets backend: (#1600)

BUGS:

Fix erroneous persistent diff in the vault_token resource.: (#1622)
Fix data_source_azure_access_credentials US Government Cloud: (#1590)
Add kv-v2 write retry: (#1579)

3.8.2 (August 11, 2022)

IMPROVEMENTS:

Add bootstrap field to Consul backend resources: (#1571)
Add data field to KV data sources: (#1577)

BUGS:

fix: remove unnecessary nesting of secret data for KV-V1 secrets: (#1570)

NOTES:

vault_kv_secret no longer stores secrets in Vault under a nested data object. In versions 3.8.1 and below, the kv resource inadvertently nested the value under data. To remedy this please update any consumers of this KV and run a terraform apply to properly set the value.

3.8.1 (August 04, 2022)

IMPROVEMENTS:

docs: Fix broken provider.namespace links: (#1562)
docs: Add Azure example for r/raft_snapshot_agent_config: (#1534)
docs: Document namespaced resource import: (#1561)
docs: Add more visible note that d/aws_access_credentials cannot be renewed: (#1464)

BUGS:

fix: Persist namespace to state on resource import: (#1563)
fix: Update all transform resources with namespace support: (#1558)
fix: Make password_policy conflict with the formatter field: (#1557)
fix: Correct typo in r/pki_secret_backend_root_cert description: (#1511)

3.8.0 (July 26, 2022)

FEATURES:

Adds support for Kubernetes secrets engine: (#1515)
PKI: Add support for CPS URL in custom policy identifiers: (#1495)

IMPROVEMENTS:

Fix Import for OIDC Scope resource: (#1548)
Update entity alias creation to use entity lookup api: (#1517) (#1552)
Add support for Consul secrets engine enhancements: (#1518)
auth/gcp: adds custom_endpoint parameter to backend config: (#1482)
auth/jwt: adds user_claim_json_pointer and max_age to roles: (#1478)

BUGS:

Support updating backend descriptions: (#1550) (#1543)
Properly set the base64_pem in Vault for Couchbase: (#1545)
Fix bug where some rabbitmq config changes trigger erroneous mount recreation: (#1542)
Update *kv_secrets* resources to support namespaces: (#1529)
Do not validate JSON on OIDC scope template: (#1547)

3.7.0 (June 15, 2022)

FEATURES:

Support setting namespace by resource (#1305) (#1479)
Add dedicated KV (v1/v2) secret engine resources, and data sources, supersedes vault_generic_secret (#1457)

IMPROVEMENTS:

Update vault libs to v1.10.3 (#1483)
Drop debug log calls containing the full vault response (#1477)
resource/token: Add metadata support (#1470)
resource/vault_ldap_auth_backend: support LDAP username_as_alias attribute: (#1460)
resource/vault_quota_rate_limit: Add support for interval and block_interval: (#1084)
ci: Test against vault-enterprise 1.10.3-ent: (#1461)

BUGS:

resource/auth_backend: validate path, disallowing leading/trailing / (#1471)
resource/vault_jwt_auth_backend_role: fix bound_claims not being unset when empty (#1469)
resource/cert_auth_backend: add the correct field name: allowed_organizational_units (#1496)

3.6.0 (May 18, 2022)

IMPROVEMENTS:

resource/pki_secret_backend_root_cert: Force new root CA resource creation on out-of-band changes. (#1428)
resource/pki_secret_backend_intermediate_set_signed: Document complete usage example. (#1452)
resource/pki_secret_backend_config_urls: Add support for importing PKI config URLs (#1451)
vault/resource_pki_secret_backend*: Extend revocation support to other resources (#1446)
vault/resource_pki_secret_backend*: Force new root CA/cert resource creation on out-of-band changes. (#1432)
datasource/generic_secret: Improve documentation. (#1390)
resource/ldap_auth_backend: Support setting userfilter. (#1378)
resource/aws_auth_backend_role: Add role_id as a computed field. (#1377)
Auth: Handle CIDR prefix being stripped for hosts in token_bound_cidrs (#1346)
Add allowed_serial_numbers support (#1119)
resource/pki_secret_backend_role: Allow key_type to be set to any. (#791)
resource/aws_secret_backend_role: Add user_path and permissions_boundary_arn arguments. (#781)

BUGS:

resource/pki_secret_backend_root_sign_intermediate: Ensure that the certificate_bundle, and ca_chain do not contain duplicate certificates. (#1428)
resource/identity_entity_alias: Serialize create, update, and delete operations in order to prevent alias mismatches. (#1429)
database_secret*: Ignore mongodb-atlas private_key on read from Vault. mismatches. (#1438)
resource/auth_backend: Remove ForceNew behavior when updating description. (#1439)
resource/identity_group_member_entity_ids: Properly handle nil member_entity_ids in response. (#1448)
resource/pki_secret_backend_role: Fix TTL handling in PKI role. (#1447)
resource/pki_secret_backend_role: key_usage value should be computed. (#1443)
resource/vault_pki_secret_backend_{cert,sign}: Properly force a new resource whenever the cert is near expiry. (#1440)
resource/identity_entity_alias: Remove read operation on entity alias update. (#1434)

3.5.0 (April 20, 2022)

FEATURES:

Add MFA support: new resources vault_mfa_okta, vault_mfa_totp, vault_mfa_pingid (#1395)
New resource/database_secrets_mount: Configures any number of database secrets engines under a single, dedicated mount resource (#1400)

IMPROVEMENTS:

data/vault_generic_secret: Add new field with_lease_start_time to vault_generic_secret datasource (#1414)
resource/vault_ssh_secret_backend_role: support configuring multiple public SSH key lengths in vault-1.10+ (#1413)
resource/database_secret*: Add support for configuring TLS, and the username_template field for the ElasticSearch.
resource/pki_secret_backend_cert: Add support for optionally revoking the certificate upon resource destruction. (#1411)
provider: Add support for setting the tls_server_name to use as the SNI host when connecting via TLS. (#1145
docs: Add links to Learn Tutorials. (#1399)

BUGS:

resource/identity_group: Fix issue where the group's member_entity_ids were being unset in error on update. (#1409)
resource/transit_secret_backend_key: Add auto_rotate_period field which deprecates auto_rotate_interval. (#1402)

3.4.1 (March 31, 2022)

BUGS:

data/azure_access_credentials: Fix panic when tenant_id and subscription_id are specified together; add new environment override field (#1391).

IMPROVEMENTS:

resource/rabbitmq_secret_backend: Add support for the password_policy and username_template fields (#1276)

3.4.0 (March 24, 2022)

FEATURES:

data/azure_access_credentials Add subscription_id and tenant_id fields to used during credential validation (#1384)
Add OIDC Provider support: new resources vault_identity_oidc_scope, vault_identity_oidc_assignment, vault_identity_oidc_client , vault_identity_oidc_provider, vault_identity_oidc_public_keys, vault_identity_oidc_openid_config (#1363)

BUGS:

data/azure_access_credentials: Fix credential validation (#1381).

IMPROVEMENTS:

resource/database_secret_backend_connection: Add disable_escaping parameter support to Redshift, HanaDB, Postgres and MSSQL (#1321)
resource/transit_secret_backend_key: Add auto_rotate_interval parameter support to Transit Key Backend (#1345)
resource/consul_secret_backend_role: Add support for Consul role (#1366)
resource/consul_secret_backend_role: Add support for Consul namespaces and partitions (#1367)
resource/github_auth_backend: Add support for organization_id field (#1296)
resource/approle_auth_backend_role_secret_id: Add with_wrapped_accessor to control how the resource ID is set (#1166)

3.3.1 (February 25, 2022)

BUGS:

resource/identity_group: Report an error upon duplicate resource creation failure. Document group name caveats. (#1352)
resource/pki_secret_backend_root_sign_intermediate: Fix panic when reading ca_chain from Vault (#1357)
resource/raft_snapshot_agent_config: Properly handle nil response on read (#1360)
resource/identity_*: Ensure non-existent entities are handled properly (#1361)
resource/dentity_group_member_entity_ids: Properly handle nil member_identity_ids on read (#1356)

3.3.0 (February 17, 2022)

FEATURES:

Add KMIP support: new resources vault_kmip_secret_backend, vault_kmip_secret_scope and vault_kmip_secret_role (#1339)

BUGS:

resource/kubernetes_auth_backend_config: Ensure disable_iss_validation is honored in all cases (#1315)
resource/database_secret_backend_connection: Add error handling for unrecognized plugins on read (#1325)
resource/kubernetes_auth_backend_config: Prevent persistent diff for kubernetes_ca_cert when it is loaded by the backend (#1337)

IMPROVEMENTS:

resource/token_auth_backend_role: Add allowed_policies_glob and disallowed_polices_glob (#1316)
resource/database_secret_backend_connection: Add support for configuring the secret engine's plugin_name (#1320)
resource/pki_secret_backend_root_sign_intermediate: Update schema for ca_chain from string to a list of issuing_ca and certificate, add new certificate_bundle attribute that provides the concatenation of the intermediate and issuing CA certificates (PEM encoded) (#1330)
resource/azure_secret_backend: Add support for setting use_microsoft_graph_api (#1335)
r/d/kubernetes_auth_backend_role: Add support for setting and getting alias_name_source (#1336)
resource/database_secret_backend_connection: Add username and password fields to all DB Engines that support them (#1331)
resource/token_auth_backend_role: Add support for setting allowed_entity_aliases (#1126)
resource/ad_secret_backend: Restore deprecated formatter, and length fields. (#1341)
resource/ldap_auth_backend: Add support for setting case_sensitive_names (#1176)

3.2.1 (January 20, 2022)

BUGS:

resource/rabbitmq_secret_backend_role: Add nil check when reading RabbitMQ role from Vault (#1312)

3.2.0 (January 19, 2022)

BUGS:

resource/aws_secret_backend_role: Ensure all updated fields are applied (#1277)

IMPROVEMENTS:

resource/database_secret_backend_connection: Add support for configuring Redshift databases (#1279)
resource/pki_secret_backend_intermediate_cert_request: Add support for the ed25519 key_type (#1278)
resource/rabbitmq_secret_backend_role: Add support for vhost_topics (#1246)
resource/vault_mount: Add support for audit_non_hmac_request_keys and audit_non_hmac_response_keys (#1297)
resource/vault_aws_secret_backend: Add support for username_template (#1292)

3.1.1 (December 22, 2021)

BUGS:

Prevent new entity read failures when the VAULT_TOKEN environment variable is not set (#1270)

3.1.0 (December 22, 2021)

FEATURES:

provider: Add support retrying entity reads for Client Controlled Consistency type operations (#1263)
provider: Add support for optionally creating a batch child token via the skip_child_token option (#775)

IMPROVEMENTS:

data/policy_document: Add support for patch capability for vault-1.9+. (#1238)
resource/database_secret_backend_connection: Add support for InfluxDB connections (#1121)
resource/generic_secret: Add support for deleting all version data for a KV-V2 secret (#1254)
resource/database_secret_backend_connection: Add support configuring Contained Databases for mssql (#1259)
resource/vault_jwt_auth_backend: Add oidc_response_mode, oidc_response_types, and namespace_in_state fields (#1244)
Add better error reporting whenever invalid JSON metadata is encountered (#1262)
resource/vault_identity_entity_alias: Add custom_metadata support for entity aliases (#1235)
resource/approle_auth_backend_role_secret_id: Update Vault provider to be compatible with Vault 1.9 changes (#1242)
provider: Encrypt logged HTTP secret header values (#1250)
provider: Optionally log request and response bodies (#1251)

BUGS:

resource/identity_group_policies: Fix potential nil panic in type conversion for API policies (#1245)
resource/aws_secret_backend_role: Fix for properly detecting changes in the JSON policy document (#1014)

3.0.1 (November 23, 2021)

BUGS:

resource/aws_secret_backend_role: Prevent invalid policy_arns from being created (#1229)
resource/approle_auth_backend_secret_id: Handle nil cidr_list introduced in vault-1.9.0 (#1230)
resource/kubernetes_auth_backend_config: Ensure disable_iss_validation is properly set in vault-1.9+ (#1231)

3.0.0 (November 17, 2021)

FEATURES:

New Resource vault_raft_autopilot: Configure Vault's Raft Autopilot settings (#1210)

IMPROVEMENTS:

Upgrade Terraform Plugin SDK to v2
Add support for client controlled consistency on Vault Enterprise (#1188)
resource/jwt_auth_backend_role: Add field disable_bound_claims_parsing to disable bound claim value parsing, which is useful when values contain commas (#1200)
resource/transform_template: Add encode_format and decode_formats fields for Vault Enterprise with the Advanced Data Protection Transform Module (#1214)
data/generic_secret: Store lease_start_time UTC. (#1216)
resource/identity_entity_alias: Add support for configuring custom_metadata. (#1235)

BUGS:

data/gcp_auth_backend_role: Report an error when attempting to access a nonexistent role. (#1184)
data/generic_secret: Ensure lease_start_time is stored in RFC3339 format. (#770)

2.24.1 (October 05, 2021)

BUGS:

resource/vault_raft_snapshot_agent_config: Fix bug where cloud provider was missing and google_endpoint is returned as false instead of null (#1173)

2.24.0 (September 15, 2021)

FEATURES:

New Database Resource: Added support for the snowflake-database-plugin to vault_database_secret_backend_connection (#983)
resource/vault_raft_snapshot_agent_config: Provision Raft Snapshot Agent Configurations in Vault Enterprise. (#1139)

IMPROVEMENTS:

resource/database_secret_backend_connection: Add username_template to vault_database_secret_backend_connection (#1103)
resource/ldap_auth_backend: Allow the creation of local mounts (#1115)
resource/jwt_auth_backend: Allow the creation of local mounts (#1115)
resource/consul_secret_backend: Allow the creation of local mounts (#1115)

BUGS:

resource/vault_identity_group: Fix bug where member_entity_ids & member_group_ids were attempted to be managed on external identity groups (#1134)

2.23.0 (August 18, 2021)

FEATURES:

New Resource vault_gcp_secret_static_account: Provision Static Accounts in the GCP Secrets Engine (#1094)

IMPROVEMENTS:

resource/database_secret_backend/mysql: Add tls_certificate_key and tls_ca options (#1098)

BUGS:

resource/jwt_auth_backend: Fixed bug where provider_config did not configure non-string values correctly (#1118)
resource/gcp_auth_backend: Support importing resource (#1125)
resource/okta_auth_backend: Support importing resource (#1123)
resource/audit: List audit only once during read (#1138)
resource/identity_oidc_key: Error handling for identity oidc key vault calls (#1142)

2.22.1 (July 23, 2021)

BUGS:

resource/vault_identity_group: Correctly handle the case of a preexisting identity group, suggest resource import in this case (#1014)
resource/jwt_auth_backend: Reverted (#960) due to migration errors (#1114)

2.22.0 (July 22, 2021)

FEATURES:

New Resource vault_quota_lease_count: Adds ability to manage lease-count quota's (Vault Enterprise Feature) (#948)

IMPROVEMENTS:

Remove last dependency on github.com/terraform-providers (#1090)

BUGS:

resource/vault_identity_group: Fix bug where metadata values are not removed if removed from file (#1061)
resource/jwt_auth_backend: Fixed bug where provider_config only supported string values (#960)
provider: Fix inconsistent handling of namespace when wrapping_ttl was specified in any resource (#1107)

2.21.0 (June 17, 2021)

FEATURES:

data/vault_gcp_auth_backend_role: Added GCP auth role data source to fetch role ID (#1011)

IMPROVEMENTS:

provider/auth_login: Supprt AWS STS signing when method=aws for in auth_type (#1060)
resource/vault_ldap_auth_backend: Add client_tls_cert and client_tls_key options (#1074)
resource/vault_identity_entityAdded additional logging information about entity (#987)

2.20.0 (May 19, 2021)

IMPROVEMENTS:

resource/vault_azure_secret_backend: Added support for updating the backend (#1009)
resource/vault_aws_secret_backend: Add iam_endpoint and sts_endpoint options (#1043)

BUG FIXES:

resource/vault_gcp_auth_backend: Support nested backend paths (#1050)
resource/vault_kubernetes_auth_backend_role: allow unset audience (#1022)
resource/vault_identity_entity: Fix bug where values are not removed if removed from file (#1054)

2.19.1 (April 21, 2021)

SECURITY:

resource/vault_gcp_auth_backend_role: Fixed typo in bound_labels parameter name causing no values to be applied to created roles CVE-2021-30476 (#1028)

2.19.0 (March 17, 2021)

FEATURES:

New Resource: terraform_cloud_secret resources (#959)

IMPROVEMENTS:

resource/pki_secret_backend: Support allowed_domains_template option for vault_pki_secret_backend_role (#869)

BUG FIXES:

resource/vault_identity_group: Don't send name parameter unless specified (#1002)

2.18.0 (January 21, 2021)

FEATURES:

New Resource: vault_password_policy resource (#927)

IMPROVEMENTS:

resource/vault_consul_secret_backend: Extend consul secret engine definition to cover all vault parameters (#910)
resource/vault_jwt_auth_backend: Added support for provider_config (#943)

2.17.0 (December 15, 2020)

FEATURES:

New Data Source: vault_nomad_access_token data source (#923)
New Resource: vault_nomad_secret_backend resource (#923)
New Resource: vault_nomad_secret_role resource (#923)

IMPROVEMENTS:

resource/vault_audit: added support for local mount to prevent replicating the audit backend (#915)
resource/jwt_auth_backend_role: Added support for using globs in matching bound_claims (#877)
resource/vault_aws_auth_backend_client: Added sts_region parameter (#931)
resource/vault_azure_secret_backend_role: Added support for azure_groups (#891)
resource/vault_identity_oidc_role: client_id parameter can optionally be configured (#815)

BUG FIXES:

resource/vault_identity_entity: Fixed nil pointer exception (#899)
resource/vault_mount: Fixed bug where mount was deleted when description was changed (#929)

2.16.0 (November 19, 2020)

FEATURES:

New Data Source: vault_ad_access_credentials data source (#902)
New Resource: vault_ad_secret_backend resource (#902)
New Resource: vault_ad_secret_role resource (#902)
New Resource: vault_ad_secret_library resource (#902)

IMPROVEMENTS:

resource/vault_gcp_auth_backend: added support for local mount to prevent replicating the secret engine (#861)
data.vault_aws_access_credentials: Add optional ttl parameter to data source (#878)

BUG FIXES:

resource/vault_jwt_auth_backend: Fix possible reoccuring diff when using oidc_client_secret (#803)

2.15.0 (October 21, 2020)

FEATURES:

New Data Source: vault_transit_decrypt data source (#872).
New Data Source: vault_transit_encrypt data source (#872).

IMPROVEMENTS:

resource/vault_gcp_secret_backend: added support for local mount to prevent replicating the secret engine (#855)
resource/vault_ssh_secret_backend_role: added support for new allowed_users_template argument(#875)
resource/vault_ssh_secret_backend_role: added support for new algorithm_signer argument(#809)
resource/vault_kubernetes_auth_backend_config: Add disable_iss_validation and disable_local_ca_jwt config parameters to k8s auth backend (#870)
data/vault_kubernetes_auth_backend_config: Add disable_iss_validation and disable_local_ca_jwt config parameters to k8s auth backend (#870)

2.14.0 (September 15, 2020)

FEATURES:

New Resource: vault_quota_rate_limit resource to manage resource quota limit (#825).

BUG FIXES:

resource/vault_aws_secret_backend_role: fix AWS Secrets Engine Role resource to allow only IAM Groups (#862)
resource/vault_ssh_secret_backend_ca: detect misconfigured resource and remove from state (#856)

2.13.0 (August 27, 2020)

IMPROVEMENTS:

resource/transit_secret_backend_key: add supported by Vault type of algorithm rsa-3072 (#773)
data.vault_generic_secret: Mark data and data_json as Sensitive (#844)
Add iam_groups to vault_aws_secret_backend_role (#826)
Add support for uri_sans parameter for resource vault_pki_secret_backend_cert (#759)

BUG FIXES:

data/vault_generic_secret: Fix perpetual diff when using Terraform v0.13.0 (#849)
data.vault_aws_access_credentials: Re-add support for passing region information stored in Vault backend to AWS Config (#841)

2.12.2 (July 31, 2020)

BUG FIXES:

data.vault_aws_access_credentials: Revert #832, which inadvertently introduced issues when the token policy did not have the required permissions to read the root configuration. (#837)

2.12.1 (July 30, 2020)

BUG FIXES:

data.vault_aws_access_credentials: Add support for passing region information stored in Vault backend to AWS Config (#832)

2.12.0 (July 20, 2020)

FEATURES:

New Resource: vault_identity_group_member_entity_ids (#724).
New Resource: vault_transform_alphabet (#783).
New Resource: vault_transform_role (#783).
New Resource: vault_transform_template (#783).
New Resource: vault_transform_transformation (#783).
New Data Source: vault_transform_encode data source (#783).
New Data Source: vault_transform_decode data source (#783).

IMPROVEMENTS:

resource/vault_mount: Adds support for the external_entropy_access field (#792).
resource/vault_jwt_auth_backend: enable existing JWT Auth backends to be imported (#806).
resource/vault_jwt_auth_backend: store type and tune information in state (#806).

2.11.0 (May 21, 2020)

IMPROVEMENTS:

Add headers provider configuration setting to allow setting HTTP headers for all requests to the Vault server (#730).

BUG FIXES:

vault_jwt_auth_backend: Fix plan error when oidc_discovery_url, jwks_url, or jwt_validation_pubkeys is set to a value that is not known until apply time (#753).
vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign: Fix serial field (#761).
vault_token: Avoid panic when vault_token is gone from the server (#740).
vault_approle_auth_backend_role: Fix perpetual diff when policies and period are updated to be token_policies and token_period (#744).
vault_jwt_auth_backend_role: Fix crash when bound_audiences is empty (#763).
vault_identity_group: Fix removal of policies, member_group_ids, and member_entity_ids (#766).

2.10.0 (April 03, 2020)

FEATURES:

Add vault_azure_access_credentials data source that retries creds before returning them (#713).
To vault_database_secret_backend_connection, add support for the elasticsearch-database-plugin (#704).

IMPROVEMENTS:

Add add_address_to_env argument to set the value of the provider's address argument as the VAULT_ADDR environment variable in the Terraform process, enabling VAULT_ADDR external token helpers to work with this provider (#651).
Provide the ability to encrypt generated tokens using Keybase when using /auth/token/create, /auth/token/create-orphan, or /auth/token/create/{role_name} (#686).

BUG FIXES:

In vault_aws_auth_backend_role, allow role_arns and policy_arns to be used together (#710).

2.9.0 (March 13, 2020)

FEATURES:

Add vault_alicloud_auth_backend_role resource (#673).

IMPROVEMENTS:

Allow / character in the group_name field of the okta_auth_backend_group resource (#687).
Support not_before_duration property in pki_secret_backend_role (#698).

BUG FIXES:

Fix vault_cert_auth_backend_role deletion (#690).
Fix use_token_groups changes not being applied properly in vault_ldap_auth_backend resource (#674).

2.8.0 (February 05, 2020)

IMPROVEMENTS:

Adds ability to choose a specific AWS ARN in vault_aws_access_credentials when a Vault role has multiple ARNs configured (#661).
Updates to Go 1.13 (#642).
Adds doc on multiple namespace support (#654).
Sorts vault_policy_document data source allowed/denied parameters by key name (#656).
Adds support to vault_auth_backend for common backend tune parameters. Also allows updating Max TTL, Default TTL and Visibility Listing tuning settings on vault_auth_backend without forcing a new resource (#650).

BUG FIXES:

Fix panic when reading unconfigured PKI mount URLs (#641).
Update JWT bound_audiences to be optional (649).
Solves permanent diff with the Mongo database connection URL (#659 and #662).
Fixes an issue where the "vault_ldap_auth_backend_user" resource did not respect an empty groups value (#655).

2.7.1 (January 03, 2020)

BUG FIXES:

For the /gcp/config endpoint, fixes issue where credentials weren't being updated when changed (#635).
For the /aws/config/root endpoint, no longer requires access_key or secret_key (#634).

2.7.0 (December 06, 2019)

FEATURES:

For the /sys/auth endpoint, adds a new data source (#606).

IMPROVEMENTS:

For the Vault child token created for Terraform to use during a run, adds a token_name field for easier identification in Vault (#594).
For the /ssh/roles/{role} endpoint, adds support for allowed_user_key_lengths (#605).
For the /sys/mounts/{path} endpoint, adds support for seal_wrap (#616).
For the /auth/kubernetes/config endpoints, adds support for issuer (#601).
For the /auth/kubernetes/role/{name} endpoints, adds support for audience (#601).

BUG FIXES:

For the /identity/entity-alias endpoint, fixes updates to the name field (#610).

2.6.0 (November 08, 2019)

FEATURES:

Adds a resource for the /database/static-roles/{name} endpoint (#577).
Adds a resource for the /identity/lookup/entity endpoint (#587).

IMPROVEMENTS:

Improved deprecation notices for Vault 1.2 token.* fields (#565).
Adds new JWT Auth role fields introduced with Vault 1.2 (#566).
Eliminates the need to add an outer delay while waiting for AWS creds to propagate (#571).
For the /consul/roles/{name} endpoint, adds support for ttl, max_ttl, token_type, and local fields (#581).
For the /sys/namespaces/{path} endpoint, uses the path for the namespace ID to allow imports (#570).

BUG FIXES:

Fix panic when trying to write an entity alias that already exists (#573).

2.5.0 (October 17, 2019)

IMPROVEMENTS:

Migrates to using the standalone Terraform plugin SDK (#558).

2.4.0 (October 11, 2019)

FEATURES:

Adds support for alternative auth methods using a method-agnostic implementation (#552).
Adds a resource for the "/consul/roles/{name}" endpoint (#480).
Adds a resource for the "/pki/config/crl" endpoint (#506).

IMPROVEMENTS:

Adds support for Vault 1.2+ token fields to LDAP auth (#553)
Adds support for configuring the Transit cache (#548)
Adds support for updates to the identity group alias field (#536).
Adds support for reading the AWS access key and region from the AWS client config (#539).
In AWS auth, only updates the access key and secret if they've changed (#540).
Adds support for "root_rotation_statements" in the database secret engine's connection params (#530).
Adds support for token_type and allowed_response_headers in Github and JWT auth backends (#556)

BUG FIXES:

Fixes incorrect handling of user and team policies in the Github auth backend (#543).

2.3.0 (September 06, 2019)

IMPROVEMENTS:

Adds support for importing roles in "vault_gcp_auth_backend_role" (#517).
Adds support for importing groups in "vault_okta_auth_backend_group" (#514).
Adds JWKS configuration options to "vault_jwt_auth_backend" (#483).
Adds support for response wrapping to "vault_approle_auth_backend_role_secret_id" (#518).

BUG FIXES:

Fixes an issue where using mount type "kv-v2" in "vault_mount" would continuously recreate the resource (#515).
Fixes an issue where the "vault_token" resource would try to renew the access token instead of the resource token (#423).
In the "vault_gcp_auth_backend", marks "credentials" as optional rather than required (#509).
Fixes an issue where "vault_pki_secret_backend_config_urls" was forming an invalid URL for updating (#512).

2.2.0 (August 09, 2019)

FEATURES:

Adds a datasource for the "/identity/lookup/entity" and "/identity/lookup/group" endpoints (#494).
Adds a resource for the "/azure/roles/{name}" endpoint (#493).
Adds a resource for the "/identity/oidc/config", "/identity/oidc/key/{name}", "/identity/oidc/key/{key_name}", and "/identity/oidc/role/{name}" endpoints (#488).
Adds a resource for the "/transit/keys/{name}" endpoint (#477).
Adds a resource for the "/sys/mfa/method/duo/{name}" endpoint (#443).
Adds a resource for the "/azure/config" endpoint (#481).

IMPROVEMENTS:

Adds a lock to prevent races in identity group resources (#492 and #495).
Adds support for new common token fields on roles that were introduced in Vault 1.2.0 (#478 and #487).
Adds the ability to run a coverage report to learn what Vault OpenAPI endpoints are and aren't supported (#466).
Exposes the "local" flag on the vault_mount resource (#462).

BUG FIXES:

resource/aws_auth_backend_client: Backend supports nested paths [#461]
Adds "ForceNew" to the "groupname" parameter on the LDAP auth groups endpoint so if there's a change, the old group is deleted (#465).
Fixes issue with a permanent diff in vault_gcp_secret_roleset (#476).

2.1.0 (July 05, 2019)

IMPROVEMENTS:

For aws_secret_backend_role, adds support for default_sts_ttl and max_sts_ttl (#444).

BUG FIXES:

Fixes ordering issues with aws_auth_backend_role and aws_auth_backend_role_tags (#439).
Supports providing lists for bound_claims (#455).
Resolves issue with persistent diffs on vault_generic_secret (#456).

2.0.0 (June 19, 2019)

FEATURES:

Adds support for using the Vault provider with Terraform 0.12. See the upgrade guide (#446)

BACKWARDS INCOMPATIBILITIES/NOTES:

all: deprecated fields are now removed (#446)
auth_backend: the path field and id now no longer have a trailing slash (#446)
database_secret_backend_role: the _statements fields are now a list, not strings (#446)
pki_secret_backend_config_urls: the certificate fields are now lists, not strings (#446)
pki_secret_backend_role: the certificate fields are now lists, not strings (#446)
pki_secret_backend_sign: the ca_chain field is now a list, not a string (#446)
rabbitmq_secret_backend_role: the vhosts field is now a vhost block (#446)

IMPROVEMENTS:

azure_auth_backend_role: client_secret will now be set in state (#446)

BUG FIXES:

namespace: namespaces will now be removed from state instead of erroring when they're not found (#446)

1.9.0 (June 12, 2019)

IMPROVEMENTS:

Adds support for role_arns on aws_secret_backend_role(#407).
Updates the vendored version of Vault to 1.1.2 so features introduced since then can be added (#413).
Implements accessor attribute on the Okta auth backend (#420).
Allows the Vault token to be read from the environment (#434).
Supports project_id and bound_projects in the GCP auth backend's roles (#411).

BUG FIXES:

Fixes a case on vault_aws_auth_backend_role where resolve_aws_unique_ids could not be updated from true to false without recreating the resource (#382).
Removes default TTL's from the GCP secret backend resource, letting them instead be set by Vault (#426).

1.8.0 (May 07, 2019)

FEATURES:

Adds OIDC support to the JWT auth backend (#398).
New Resource: Adds a vault_pki_secret_backend_config_urls resource (#399).

IMPROVEMENTS:

Adds support for automatically renewing certificates in the PKI certs backend (#386).
Adds support for uri_sans in the PKI secret backend (#373).
Allows a user to delete all policies in the AWS auth role resource (#395).

BUG FIXES:

Fixes the ability to handle JWT roles that lack policies (#389).
Allows vault_ldap_auth resources to be imported (#387).
Fixes issue with trailing slashes for the Vault namespaces resource (#391).
Fixes a bug with namespaces where the path was being overwritten (#396).

1.7.0 (April 03, 2019)

FEATURES:

New Resource: Adds a "Flexible Generic Secret" resource so it can be used to consume Vault APIs that don't yet have a resource (#244).
New Resource: Adds a token resource (#337).
New Resource: Adds a GCP secret roleset resource (#312).
New Resource: Adds a vault_identity_group_policies resource (#321).

IMPROVEMENTS:

For the LDAP auth method, adds support for the use_token_groups field (#367).
Adds the ability to set max_retries on the Vault client (#355).
For the Github auth method, adds support for the accessor field (#350).
For the generic secrets resource, adds support for a data field (#330).
For the JWT auth backend, adds support for a groups_claim_delimiter_pattern on roles (#296).
For the JWT auth backend, adds a role_type field (#317).
For the JWT auth backend, adds a jwt_supported_algs field (#345).

BUG FIXES:

Fixes TTL parsing on PKI certificate creation (#314).
Fixes ability to update the data field on database secrets engine connections (#340).
Unmarks policy_document and policy_arns from being in conflict with each other (#344).

1.6.0 (March 06, 2019)

FEATURES:

Adds compatibility with Vault 1.0 (#292).
New Resource: Supports the SSH secrets engine role endpoint (#285, #303, and #331).
New Data Source: Adds a vault_policy_document data source (#283).
New Resource: Adds a namespace resource (#338).

IMPROVEMENTS:

Adds a guide for how to contribute in the least iterations possible.
For the TLS Certificates auth method, adds support for the following role fields: allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans, and allowed_organization_units (#282).
For the GCP auth method, adds support for the following role fields: add_group_aliases, max_jwt_exp, and allow_gce_inference (#308 and #318).
For the Kubernetes auth method, adds support for bound_cidrs (#305).
For vault_identity_group, fixes issue with policies not being updated properly (#301).
For the AWS secret engine, updates to the current role fields (#323).

BUG FIXES:

Marks the token_reviewer_jwt sensitive (#282).
Fixes an issue where boolean parameters were not set when the value was false in the AWS role resource (#302).
Guards for a nil CA chain in resource_pki_secret_backend_cert (#310).

1.5.0 (January 30, 2019)

FEATURES:

Adds support for namespaces (#262)
Adds support for EGP and RGP, a.k.a. Sentinel (#264)
New Resource: Supports the PKI secrets backend (#158)
New Resource: Supports identity entities and entity aliases (#247 and #287)
New Resource: Supports Github auth backend (#255)
New Resource: Supports Azure auth backend (#275)
New Resource: Supports JWT auth backend (#272)

BUG FIXES:

Fixes a panic related to max_connection_lifetime parameters in the database secrets backends (#250)
Fixes issue where the role_name on token_auth_backend_role would not be updated (#279)
Fixes wrong response data from gcp_auth_backend_role (#243)

1.4.1 (December 14, 2018)

BUG FIXES:

Fixes an issue with database resources where db statements were overwritten when not provided (#260)

1.4.0 (December 11, 2018)

FEATURES:

New Resource: vault_gcp_auth_backend (#198)
New Resource: vault_identity_group (#220)
New Resource: vault_identity_group_alias (#220)

IMPROVEMENTS:

Makes gcp_secret_backend credentials optional (#239)
Adds more configuration parameters for auth_backend (#245)

BUG FIXES:

Fixes issue with vault_database_secret_backend_connection always updating the connection URL (#217)

1.3.1 (November 06, 2018)

BUG FIXES:

Solves issue where the incorrect KV store was selected for older Vault versions as described in #229.

1.3.0 (November 05, 2018)

FEATURES:

New Resource: Supports KV V2 (#156)
New Resource: vault_gcp_secret_backend (#212)
New Resource: vault_aws_auth_backend_roletag_blacklist (#27)
New Resources: vault_rabbitmq_secret_backend and vault_rabbitmq_secret_backend_role (#216)

IMPROVEMENTS:

Adds bound_zones, bound_regions, bound_instance_groups, and bound_labels for GCP auth roles via #227
Exports the LDAP auth backend accessor via #195
Allows for templated database backends via #168

BUG FIXES:

#222 ensures that booleans on AWS roles default to values matchiing Vault's defaults

1.2.0 (October 26, 2018)

FEATURES:

New Resource: vault_jwt_auth_backend_role (#188)
New Resources: vault_kubernetes_auth_backend_config and vault_kubernetes_auth_backend_role (#94)
New Resource: vault_ssh_secret_backend_ca (#163)
New Feature: Support for the Vault token helper (#136)

IMPROVEMENTS:

Re-adds changes to vault_aws_auth_backend_role from #53
Adds backwards compatibility for the above via #189
Adds bound_ec2_instance_id to vault_aws_auth_backend_role (#135)
Adds mysql_rds, mysql_aurora, and mysql_legacy to the MySQL backend via #87
Makes audit device path optional via #180
Adds the field accessor to resource_auth_backend and resource_mount via #150
Marks bindpass as sensitive in the vault_ldap_auth_backend (#184)

BUG FIXES:

Fixes inablity to destroy a secret ID after consumption (#97) via #148

1.1.4 (September 20, 2018)

BUG FIXES:

Reverts breaking changes to vault_aws_auth_backend_role introduced by (#53)

1.1.3 (September 18, 2018)

FEATURES:

New Resource: vault_consul_secret_backend (#59)
New Resource: vault_cert_auth_backend_role (#123)
New Resource: vault_gcp_auth_backend_role (#124)
New Resource: vault_ldap_auth_backend (#126)
New Resource: vault_ldap_auth_backend_user (#126)
New Resource: vault_ldap_auth_backend_group (#126)

1.1.2 (September 14, 2018)

FEATURES:

New Resource: vault_audit (#81)
New Resource: vault_token_auth_backend_role (#80)

UPDATES:

Update to vendoring Vault 0.11.1. Introduces some breaking changes for some back ends so update with care.

1.1.1 (July 23, 2018)

BUG FIXES:

Fix panic in vault_approle_auth_backend_role when used with Vault 0.10 (#103)

1.1.0 (April 09, 2018)

FEATURES:

New Resource: vault_okta_auth_backend (#8)
New Resource: vault_okta_auth_backend_group (#8)
New Resource: vault_okta_auth_backend_user (#8)
New Resource: vault_approle_auth_backend_login (#34)
New Resource: vault_approle_auth_backend_role_secret_id (#31)
New Resource: vault_database_secret_backend_connection (#37)

BUG FIXES:

Fix bug in policy_arn parameter of vault_aws_secret_backend_role (#49)
Fix panic in vault_generic_secret when reading a missing secret (#55)
Fix bug in vault_aws_secret_backend_role preventing use of nested paths (#79)
Fix bug in vault_aws_auth_backend_role that failed to update the role name when it changed (#86)

1.0.0 (November 16, 2017)

BACKWARDS INCOMPATIBILITIES / NOTES:

vault_auth_backend's ID has changed from the type to the path of the auth backend. Interpolations referring to the .id of a vault_auth_backend should be updated to use its .type property. (#12)
vault_generic_secret's allow_read field is deprecated; use disable_read instead. If disable_read is set to false or not set, the secret will be read. If disable_read is true and allow_read is false or not set, the secret will not be read. If disable_read is true and allow_read is true, the secret will be read. (#17)

FEATURES:

New Data Source: aws_access_credentials (#20)
New Resource: aws_auth_backend_cert (#21)
New Resource: aws_auth_backend_client (#19)
New Resource: aws_auth_backend_login (#28)
New Resource: aws_auth_backend_role (#24)
New Resource: aws_auth_backend_sts_role (#22)

IMPROVEMENTS:

vault_auth_backends are now importable. (#12)
vault_policys are now importable (#15)
vault_mounts are now importable (#16)
vault_generic_secrets are now importable (#17)

BUG FIXES:

0.1.0 (June 21, 2017)

NOTES:

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Unreleased

4.4.0 (Aug 7, 2024)

4.3.0 (Jun 17, 2024)

4.2.0 (Mar 27, 2024)

4.1.0 (Mar 20, 2024)

4.0.0 (Mar 13, 2024)

3.25.0 (Feb 14, 2024)

3.24.0 (Jan 17, 2024)

3.23.0 (Nov 15, 2023)

3.22.0 (Nov 1, 2023)

3.21.0 (Oct 9, 2023)

3.20.1 (Sep 13, 2023)

3.20.0 (Aug 30, 2023)

3.19.0 (Aug 2, 2023)

3.18.0 (Jul 12, 2023)

3.17.0 (June 21, 2023)

3.16.0 (June 7, 2023)

3.15.2 (May 3, 2023)

3.15.1 (May 3, 2023)

3.15.0 (April 17, 2023)

3.14.0 (March 15, 2023)

3.13.0 (February 17, 2023)

3.12.0 (January 5, 2023)

3.11.0 (November 16, 2022)

3.10.0 (October 26, 2022)

3.9.1 (October 06, 2022)

3.9.0 (October 05, 2022)

3.8.2 (August 11, 2022)

3.8.1 (August 04, 2022)

3.8.0 (July 26, 2022)

3.7.0 (June 15, 2022)

3.6.0 (May 18, 2022)

3.5.0 (April 20, 2022)

3.4.1 (March 31, 2022)

3.4.0 (March 24, 2022)

3.3.1 (February 25, 2022)

3.3.0 (February 17, 2022)

3.2.1 (January 20, 2022)

3.2.0 (January 19, 2022)

3.1.1 (December 22, 2021)

3.1.0 (December 22, 2021)

3.0.1 (November 23, 2021)

3.0.0 (November 17, 2021)

2.24.1 (October 05, 2021)

2.24.0 (September 15, 2021)

2.23.0 (August 18, 2021)

2.22.1 (July 23, 2021)

2.22.0 (July 22, 2021)

2.21.0 (June 17, 2021)

2.20.0 (May 19, 2021)

2.19.1 (April 21, 2021)

2.19.0 (March 17, 2021)

2.18.0 (January 21, 2021)

2.17.0 (December 15, 2020)

2.16.0 (November 19, 2020)

2.15.0 (October 21, 2020)

2.14.0 (September 15, 2020)

2.13.0 (August 27, 2020)

2.12.2 (July 31, 2020)

2.12.1 (July 30, 2020)

2.12.0 (July 20, 2020)

2.11.0 (May 21, 2020)

2.10.0 (April 03, 2020)

2.9.0 (March 13, 2020)

2.8.0 (February 05, 2020)

2.7.1 (January 03, 2020)

2.7.0 (December 06, 2019)

2.6.0 (November 08, 2019)

2.5.0 (October 17, 2019)

2.4.0 (October 11, 2019)

2.3.0 (September 06, 2019)

2.2.0 (August 09, 2019)

2.1.0 (July 05, 2019)

2.0.0 (June 19, 2019)