FEATURES:
- New Resource: `vault_quota_lease_count` adds the ability to manage lease-count quotas (Vault Enterprise feature) (#948)
FEATURES:
- `data/vault_gcp_auth_backend_role`: Added GCP auth role data source to fetch role ID (#1011)
IMPROVEMENTS:
- `provider/auth_login`: Support AWS STS signing when `method=aws` for `auth_type` (#1060)
- `resource/vault_ldap_auth_backend`: Add `client_tls_cert` and `client_tls_key` options (#1074)
- `resource/vault_identity_entity`: Added additional logging information about entity (#987)
IMPROVEMENTS:
- `resource/vault_azure_secret_backend`: Added support for updating the backend (#1009)
- `resource/vault_aws_secret_backend`: Add `iam_endpoint` and `sts_endpoint` options (#1043)
BUG FIXES:
- `resource/vault_gcp_auth_backend`: Support nested backend paths (#1050)
- `resource/vault_kubernetes_auth_backend_role`: Allow unset audience (#1022)
- `resource/vault_identity_entity`: Fix bug where values are not removed if removed from file (#1054)
SECURITY:
- `resource/vault_gcp_auth_backend_role`: Fixed typo in the `bound_labels` parameter name that caused no values to be applied to created roles, CVE-2021-30476 (#1028)
FEATURES:
- New Resource: `terraform_cloud_secret` resources (#959)
IMPROVEMENTS:
- `resource/pki_secret_backend`: Support `allowed_domains_template` option for `vault_pki_secret_backend_role` (#869)
BUG FIXES:
- `resource/vault_identity_group`: Don't send `name` parameter unless specified (#1002)
FEATURES:
- New Resource: `vault_password_policy` resource (#927)
IMPROVEMENTS:
- `resource/vault_consul_secret_backend`: Extend Consul secret engine definition to cover all Vault parameters (#910)
- `resource/vault_jwt_auth_backend`: Added support for `provider_config` (#943)
FEATURES:
- New Data Source: `vault_nomad_access_token` data source (#923)
- New Resource: `vault_nomad_secret_backend` resource (#923)
- New Resource: `vault_nomad_secret_role` resource (#923)
IMPROVEMENTS:
- `resource/vault_audit`: Added support for local mount to prevent replicating the audit backend (#915)
- `resource/jwt_auth_backend_role`: Added support for using globs in matching `bound_claims` (#877)
- `resource/vault_aws_auth_backend_client`: Added `sts_region` parameter (#931)
- `resource/vault_azure_secret_backend_role`: Added support for `azure_groups` (#891)
- `resource/vault_identity_oidc_role`: `client_id` parameter can optionally be configured (#815)
BUG FIXES:
- `resource/vault_identity_entity`: Fixed nil pointer exception (#899)
- `resource/vault_mount`: Fixed bug where mount was deleted when description was changed (#929)
FEATURES:
- New Data Source: `vault_ad_access_credentials` data source (#902)
- New Resource: `vault_ad_secret_backend` resource (#902)
- New Resource: `vault_ad_secret_role` resource (#902)
- New Resource: `vault_ad_secret_library` resource (#902)
IMPROVEMENTS:
- `resource/vault_gcp_auth_backend`: Added support for local mount to prevent replicating the secret engine (#861)
- `data.vault_aws_access_credentials`: Add optional `ttl` parameter to data source (#878)
BUG FIXES:
- `resource/vault_jwt_auth_backend`: Fix possible recurring diff when using `oidc_client_secret` (#803)
FEATURES:
- New Data Source: `vault_transit_decrypt` data source (#872).
- New Data Source: `vault_transit_encrypt` data source (#872).
IMPROVEMENTS:
- `resource/vault_gcp_secret_backend`: Added support for `local` mount to prevent replicating the secret engine (#855)
- `resource/vault_ssh_secret_backend_role`: Added support for new `allowed_users_template` argument (#875)
- `resource/vault_ssh_secret_backend_role`: Added support for new `algorithm_signer` argument (#809)
- `resource/vault_kubernetes_auth_backend_config`: Add `disable_iss_validation` and `disable_local_ca_jwt` config parameters to k8s auth backend (#870)
- `data/vault_kubernetes_auth_backend_config`: Add `disable_iss_validation` and `disable_local_ca_jwt` config parameters to k8s auth backend (#870)
FEATURES:
- New Resource: `vault_quota_rate_limit` resource to manage resource quota limit (#825).
BUG FIXES:
- `resource/vault_aws_secret_backend_role`: Fix AWS Secrets Engine Role resource to allow only IAM Groups (#862)
- `resource/vault_ssh_secret_backend_ca`: Detect misconfigured resource and remove from state (#856)
IMPROVEMENTS:
- `resource/transit_secret_backend_key`: Add support for the `rsa-3072` key type supported by Vault (#773)
- `data.vault_generic_secret`: Mark `data` and `data_json` as `Sensitive` (#844)
- Add `iam_groups` to `vault_aws_secret_backend_role` (#826)
- Add support for `uri_sans` parameter for resource `vault_pki_secret_backend_cert` (#759)
BUG FIXES:
- `data/vault_generic_secret`: Fix perpetual diff when using Terraform v0.13.0 (#849)
- `data.vault_aws_access_credentials`: Re-add support for passing region information stored in Vault backend to AWS Config (#841)
BUG FIXES:
- `data.vault_aws_access_credentials`: Revert #832, which inadvertently introduced issues when the token policy did not have the required permissions to read the root configuration. (#837)
BUG FIXES:
- `data.vault_aws_access_credentials`: Add support for passing region information stored in Vault backend to AWS Config (#832)
FEATURES:
- New Resource: `vault_identity_group_member_entity_ids` (#724).
- New Resource: `vault_transform_alphabet` (#783).
- New Resource: `vault_transform_role` (#783).
- New Resource: `vault_transform_template` (#783).
- New Resource: `vault_transform_transformation` (#783).
- New Data Source: `vault_transform_encode` data source (#783).
- New Data Source: `vault_transform_decode` data source (#783).
IMPROVEMENTS:
- resource/vault_mount: Adds support for the `external_entropy_access` field (#792).
- resource/vault_jwt_auth_backend: Enable existing JWT Auth backends to be imported (#806).
- resource/vault_jwt_auth_backend: Store `type` and `tune` information in state (#806).
IMPROVEMENTS:
- Add `headers` provider configuration setting to allow setting HTTP headers for all requests to the Vault server (#730).
BUG FIXES:
- `vault_jwt_auth_backend`: Fix plan error when `oidc_discovery_url`, `jwks_url`, or `jwt_validation_pubkeys` is set to a value that is not known until apply time (#753).
- `vault_pki_secret_backend_root_cert`, `vault_pki_secret_backend_root_sign_intermediate`, and `vault_pki_secret_backend_sign`: Fix `serial` field (#761).
- `vault_token`: Avoid panic when `vault_token` is gone from the server (#740).
- `vault_approle_auth_backend_role`: Fix perpetual diff when `policies` and `period` are updated to be `token_policies` and `token_period` (#744).
- `vault_jwt_auth_backend_role`: Fix crash when `bound_audiences` is empty (#763).
- `vault_identity_group`: Fix removal of `policies`, `member_group_ids`, and `member_entity_ids` (#766).
FEATURES:
- Add `vault_azure_access_credentials` data source that retries creds before returning them (#713).
- To `vault_database_secret_backend_connection`, add support for the `elasticsearch-database-plugin` (#704).
IMPROVEMENTS:
- Add `add_address_to_env` argument to set the value of the provider's address argument as the `VAULT_ADDR` environment variable in the Terraform process, enabling `VAULT_ADDR` external token helpers to work with this provider (#651).
- Provide the ability to encrypt generated tokens using Keybase when using `/auth/token/create`, `/auth/token/create-orphan`, or `/auth/token/create/{role_name}` (#686).
BUG FIXES:
- In `vault_aws_auth_backend_role`, allow `role_arns` and `policy_arns` to be used together (#710).
FEATURES:
- Add `vault_alicloud_auth_backend_role` resource (#673).
IMPROVEMENTS:
- Allow `/` character in the `group_name` field of the `okta_auth_backend_group` resource (#687).
- Support `not_before_duration` property in `pki_secret_backend_role` (#698).
BUG FIXES:
- Fix `vault_cert_auth_backend_role` deletion (#690).
- Fix `use_token_groups` changes not being applied properly in `vault_ldap_auth_backend` resource (#674).
IMPROVEMENTS:
- Adds ability to choose a specific AWS ARN in `vault_aws_access_credentials` when a Vault role has multiple ARNs configured (#661).
- Updates to Go 1.13 (#642).
- Adds doc on multiple namespace support (#654).
- Sorts `vault_policy_document` data source allowed/denied parameters by key name (#656).
- Adds support to `vault_auth_backend` for common backend tune parameters. Also allows updating Max TTL, Default TTL and Visibility Listing tuning settings on `vault_auth_backend` without forcing a new resource (#650).
BUG FIXES:
- Fix panic when reading unconfigured PKI mount URLs (#641).
- Update JWT `bound_audiences` to be optional (#649).
- Solves permanent diff with the Mongo database connection URL (#659 and #662).
- Fixes an issue where the `vault_ldap_auth_backend_user` resource did not respect an empty `groups` value (#655).
BUG FIXES:
- For the `/gcp/config` endpoint, fixes issue where credentials weren't being updated when changed (#635).
- For the `/aws/config/root` endpoint, no longer requires `access_key` or `secret_key` (#634).
FEATURES:
- For the `/sys/auth` endpoint, adds a new data source (#606).
IMPROVEMENTS:
- For the Vault child token created for Terraform to use during a run, adds a `token_name` field for easier identification in Vault (#594).
- For the `/ssh/roles/{role}` endpoint, adds support for `allowed_user_key_lengths` (#605).
- For the `/sys/mounts/{path}` endpoint, adds support for `seal_wrap` (#616).
- For the `/auth/kubernetes/config` endpoints, adds support for `issuer` (#601).
- For the `/auth/kubernetes/role/{name}` endpoints, adds support for `audience` (#601).
BUG FIXES:
- For the `/identity/entity-alias` endpoint, fixes updates to the `name` field (#610).
FEATURES:
- Adds a resource for the `/database/static-roles/{name}` endpoint (#577).
- Adds a resource for the `/identity/lookup/entity` endpoint (#587).
IMPROVEMENTS:
- Improved deprecation notices for Vault 1.2 `token.*` fields (#565).
- Adds new JWT Auth role fields introduced with Vault 1.2 (#566).
- Eliminates the need to add an outer delay while waiting for AWS creds to propagate (#571).
- For the `/consul/roles/{name}` endpoint, adds support for `ttl`, `max_ttl`, `token_type`, and `local` fields (#581).
- For the `/sys/namespaces/{path}` endpoint, uses the `path` for the namespace ID to allow imports (#570).
BUG FIXES:
- Fix panic when trying to write an entity alias that already exists (#573).
IMPROVEMENTS:
- Migrates to using the standalone Terraform plugin SDK (#558).
FEATURES:
- Adds support for alternative auth methods using a method-agnostic implementation (#552).
- Adds a resource for the "/consul/roles/{name}" endpoint (#480).
- Adds a resource for the "/pki/config/crl" endpoint (#506).
IMPROVEMENTS:
- Adds support for Vault 1.2+ token fields to LDAP auth (#553)
- Adds support for configuring the Transit cache (#548)
- Adds support for updates to the identity group alias field (#536).
- Adds support for reading the AWS access key and region from the AWS client config (#539).
- In AWS auth, only updates the access key and secret if they've changed (#540).
- Adds support for "root_rotation_statements" in the database secret engine's connection params (#530).
- Adds support for `token_type` and `allowed_response_headers` in Github and JWT auth backends (#556)
BUG FIXES:
- Fixes incorrect handling of user and team policies in the Github auth backend (#543).
IMPROVEMENTS:
- Adds support for importing roles in "vault_gcp_auth_backend_role" (#517).
- Adds support for importing groups in "vault_okta_auth_backend_group" (#514).
- Adds JWKS configuration options to "vault_jwt_auth_backend" (#483).
- Adds support for response wrapping to "vault_approle_auth_backend_role_secret_id" (#518).
BUG FIXES:
- Fixes an issue where using mount type "kv-v2" in "vault_mount" would continuously recreate the resource (#515).
- Fixes an issue where the "vault_token" resource would try to renew the access token instead of the resource token (#423).
- In the "vault_gcp_auth_backend", marks "credentials" as optional rather than required (#509).
- Fixes an issue where "vault_pki_secret_backend_config_urls" was forming an invalid URL for updating (#512).
FEATURES:
- Adds a datasource for the "/identity/lookup/entity" and "/identity/lookup/group" endpoints (#494).
- Adds a resource for the "/azure/roles/{name}" endpoint (#493).
- Adds a resource for the "/identity/oidc/config", "/identity/oidc/key/{name}", "/identity/oidc/key/{key_name}", and "/identity/oidc/role/{name}" endpoints (#488).
- Adds a resource for the "/transit/keys/{name}" endpoint (#477).
- Adds a resource for the "/sys/mfa/method/duo/{name}" endpoint (#443).
- Adds a resource for the "/azure/config" endpoint (#481).
IMPROVEMENTS:
- Adds a lock to prevent races in identity group resources (#492 and #495).
- Adds support for new common token fields on roles that were introduced in Vault 1.2.0 (#478 and #487).
- Adds the ability to run a coverage report to learn what Vault OpenAPI endpoints are and aren't supported (#466).
- Exposes the "local" flag on the `vault_mount` resource (#462).
BUG FIXES:
- `resource/aws_auth_backend_client`: Backend supports nested paths (#461)
- Adds "ForceNew" to the "groupname" parameter on the LDAP auth groups endpoint so if there's a change, the old group is deleted (#465).
- Fixes issue with a permanent diff in `vault_gcp_secret_roleset` (#476).
IMPROVEMENTS:
- For `aws_secret_backend_role`, adds support for `default_sts_ttl` and `max_sts_ttl` (#444).
BUG FIXES:
- Fixes ordering issues with `aws_auth_backend_role` and `aws_auth_backend_role_tags` (#439).
- Supports providing lists for `bound_claims` (#455).
- Resolves issue with persistent diffs on `vault_generic_secret` (#456).
FEATURES:
- Adds support for using the Vault provider with Terraform 0.12. See the upgrade guide (#446)
BACKWARDS INCOMPATIBILITIES/NOTES:
- `all`: deprecated fields are now removed (#446)
- `auth_backend`: the `path` field and `id` now no longer have a trailing slash (#446)
- `database_secret_backend_role`: the `_statements` fields are now a list, not strings (#446)
- `pki_secret_backend_config_urls`: the certificate fields are now lists, not strings (#446)
- `pki_secret_backend_role`: the certificate fields are now lists, not strings (#446)
- `pki_secret_backend_sign`: the `ca_chain` field is now a list, not a string (#446)
- `rabbitmq_secret_backend_role`: the `vhosts` field is now a `vhost` block (#446)
IMPROVEMENTS:
- `azure_auth_backend_role`: `client_secret` will now be set in state (#446)
BUG FIXES:
- `namespace`: namespaces will now be removed from state instead of erroring when they're not found (#446)
IMPROVEMENTS:
- Adds support for `role_arns` on `aws_secret_backend_role` (#407).
- Updates the vendored version of Vault to 1.1.2 so features introduced since then can be added (#413).
- Implements `accessor` attribute on the Okta auth backend (#420).
- Allows the Vault token to be read from the environment (#434).
- Supports `project_id` and `bound_projects` in the GCP auth backend's roles (#411).
BUG FIXES:
- Fixes a case on `vault_aws_auth_backend_role` where `resolve_aws_unique_ids` could not be updated from `true` to `false` without recreating the resource (#382).
- Removes default TTLs from the GCP secret backend resource, letting them instead be set by Vault (#426).
FEATURES:
- Adds OIDC support to the JWT auth backend (#398).
- New Resource: Adds a `vault_pki_secret_backend_config_urls` resource (#399).
IMPROVEMENTS:
- Adds support for automatically renewing certificates in the PKI certs backend (#386).
- Adds support for `uri_sans` in the PKI secret backend (#373).
- Allows a user to delete all policies in the AWS auth role resource (#395).
BUG FIXES:
- Fixes the ability to handle JWT roles that lack policies (#389).
- Allows `vault_ldap_auth` resources to be imported (#387).
- Fixes issue with trailing slashes for the Vault namespaces resource (#391).
- Fixes a bug with namespaces where the path was being overwritten (#396).
FEATURES:
- New Resource: Adds a "Flexible Generic Secret" resource so it can be used to consume Vault APIs that don't yet have a resource (#244).
- New Resource: Adds a token resource (#337).
- New Resource: Adds a GCP secret roleset resource (#312).
- New Resource: Adds a `vault_identity_group_policies` resource (#321).
IMPROVEMENTS:
- For the LDAP auth method, adds support for the `use_token_groups` field (#367).
- Adds the ability to set `max_retries` on the Vault client (#355).
- For the Github auth method, adds support for the `accessor` field (#350).
- For the generic secrets resource, adds support for a `data` field (#330).
- For the JWT auth backend, adds support for a `groups_claim_delimiter_pattern` on roles (#296).
- For the JWT auth backend, adds a `role_type` field (#317).
- For the JWT auth backend, adds a `jwt_supported_algs` field (#345).
BUG FIXES:
- Fixes TTL parsing on PKI certificate creation (#314).
- Fixes ability to update the `data` field on database secrets engine connections (#340).
- Unmarks `policy_document` and `policy_arns` from being in conflict with each other (#344).
FEATURES:
- Adds compatibility with Vault 1.0 (#292).
- New Resource: Supports the SSH secrets engine role endpoint (#285, #303, and #331).
- New Data Source: Adds a `vault_policy_document` data source (#283).
- New Resource: Adds a namespace resource (#338).
IMPROVEMENTS:
- Adds a guide for how to contribute in the least iterations possible.
- For the TLS Certificates auth method, adds support for the following role fields: `allowed_common_names`, `allowed_dns_sans`, `allowed_email_sans`, `allowed_uri_sans`, and `allowed_organization_units` (#282).
- For the GCP auth method, adds support for the following role fields: `add_group_aliases`, `max_jwt_exp`, and `allow_gce_inference` (#308 and #318).
- For the Kubernetes auth method, adds support for `bound_cidrs` (#305).
- For `vault_identity_group`, fixes issue with `policies` not being updated properly (#301).
- For the AWS secret engine, updates to the current role fields (#323).
BUG FIXES:
- Marks the `token_reviewer_jwt` sensitive (#282).
- Fixes an issue where boolean parameters were not set when the value was false in the AWS role resource (#302).
- Guards for a nil CA chain in `resource_pki_secret_backend_cert` (#310).
FEATURES:
- Adds support for namespaces (#262)
- Adds support for EGP and RGP, a.k.a. Sentinel (#264)
- New Resource: Supports the PKI secrets backend (#158)
- New Resource: Supports identity entities and entity aliases (#247 and #287)
- New Resource: Supports Github auth backend (#255)
- New Resource: Supports Azure auth backend (#275)
- New Resource: Supports JWT auth backend (#272)
BUG FIXES:
- Fixes a panic related to `max_connection_lifetime` parameters in the database secrets backends (#250)
- Fixes issue where the `role_name` on `token_auth_backend_role` would not be updated (#279)
- Fixes wrong response data from `gcp_auth_backend_role` (#243)
BUG FIXES:
- Fixes an issue with database resources where db statements were overwritten when not provided (#260)
FEATURES:
- New Resource: `vault_gcp_auth_backend` (#198)
- New Resource: `vault_identity_group` (#220)
- New Resource: `vault_identity_group_alias` (#220)
IMPROVEMENTS:
- Makes `gcp_secret_backend` credentials optional (#239)
- Adds more configuration parameters for `auth_backend` (#245)
BUG FIXES:
- Fixes issue with `vault_database_secret_backend_connection` always updating the connection URL (#217)
BUG FIXES:
- Solves issue where the incorrect KV store was selected for older Vault versions as described in #229.
FEATURES:
- New Resource: Supports KV V2 (#156)
- New Resource: `vault_gcp_secret_backend` (#212)
- New Resource: `vault_aws_auth_backend_roletag_blacklist` (#27)
- New Resources: `vault_rabbitmq_secret_backend` and `vault_rabbitmq_secret_backend_role` (#216)
IMPROVEMENTS:
- Adds `bound_zones`, `bound_regions`, `bound_instance_groups`, and `bound_labels` for GCP auth roles via #227
- Exports the LDAP auth backend `accessor` via #195
- Allows for templated database backends via #168
BUG FIXES:
- #222 ensures that booleans on AWS roles default to values matching Vault's defaults
FEATURES:
- New Resource: `vault_jwt_auth_backend_role` (#188)
- New Resources: `vault_kubernetes_auth_backend_config` and `vault_kubernetes_auth_backend_role` (#94)
- New Resource: `vault_ssh_secret_backend_ca` (#163)
- New Feature: Support for the Vault token helper (#136)
IMPROVEMENTS:
- Re-adds changes to `vault_aws_auth_backend_role` from #53
- Adds backwards compatibility for the above via #189
- Adds `bound_ec2_instance_id` to `vault_aws_auth_backend_role` (#135)
- Adds `mysql_rds`, `mysql_aurora`, and `mysql_legacy` to the MySQL backend via #87
- Makes audit device path optional via #180
- Adds the field `accessor` to `resource_auth_backend` and `resource_mount` via #150
- Marks `bindpass` as sensitive in the `vault_ldap_auth_backend` (#184)
BUG FIXES:
- Reverts breaking changes to `vault_aws_auth_backend_role` introduced by (#53)
FEATURES:
- New Resource: `vault_consul_secret_backend` (#59)
- New Resource: `vault_cert_auth_backend_role` (#123)
- New Resource: `vault_gcp_auth_backend_role` (#124)
- New Resource: `vault_ldap_auth_backend` (#126)
- New Resource: `vault_ldap_auth_backend_user` (#126)
- New Resource: `vault_ldap_auth_backend_group` (#126)
UPDATES:
- Update to vendoring Vault 0.11.1. Introduces some breaking changes for some back ends so update with care.
BUG FIXES:
- Fix panic in `vault_approle_auth_backend_role` when used with Vault 0.10 (#103)
FEATURES:
- New Resource: `vault_okta_auth_backend` (#8)
- New Resource: `vault_okta_auth_backend_group` (#8)
- New Resource: `vault_okta_auth_backend_user` (#8)
- New Resource: `vault_approle_auth_backend_login` (#34)
- New Resource: `vault_approle_auth_backend_role_secret_id` (#31)
- New Resource: `vault_database_secret_backend_connection` (#37)
BUG FIXES:
- Fix bug in `policy_arn` parameter of `vault_aws_secret_backend_role` (#49)
- Fix panic in `vault_generic_secret` when reading a missing secret (#55)
- Fix bug in `vault_aws_secret_backend_role` preventing use of nested paths (#79)
- Fix bug in `vault_aws_auth_backend_role` that failed to update the role name when it changed (#86)
BACKWARDS INCOMPATIBILITIES / NOTES:
- `vault_auth_backend`'s ID has changed from the `type` to the `path` of the auth backend. Interpolations referring to the `.id` of a `vault_auth_backend` should be updated to use its `.type` property. (#12)
- `vault_generic_secret`'s `allow_read` field is deprecated; use `disable_read` instead. If `disable_read` is set to false or not set, the secret will be read. If `disable_read` is true and `allow_read` is false or not set, the secret will not be read. If `disable_read` is true and `allow_read` is true, the secret will be read. (#17)
FEATURES:
- New Data Source: `aws_access_credentials` (#20)
- New Resource: `aws_auth_backend_cert` (#21)
- New Resource: `aws_auth_backend_client` (#19)
- New Resource: `aws_auth_backend_login` (#28)
- New Resource: `aws_auth_backend_role` (#24)
- New Resource: `aws_auth_backend_sts_role` (#22)
IMPROVEMENTS:
- `vault_auth_backend`s are now importable. (#12)
- `vault_policy`s are now importable (#15)
- `vault_mount`s are now importable (#16)
- `vault_generic_secret`s are now importable (#17)
NOTES:
- Same functionality as that of Terraform 0.9.8. Repacked as part of Provider Splitout