
Releases: hashicorp/terraform-provider-vault

v3.22.0

01 Nov 21:01
1168607

3.22.0 (Nov 1, 2023)

FEATURES:

  • Add support for configuring SAML Auth resources (#2053)
  • Add support for custom_metadata on vault_namespace: (#2033)
  • Add support for OCSP* role fields for the cert auth resource: (#2056)
  • Add field set_namespace_from_token to Provider configuration (#2070)
  • Support authenticating to the root namespace from within an auth_login*: (#2066)

BUGS:

  • Fix panic when reading client_secret from a public oidc client (#2048)
  • Fix API request missing roles field for mongodbatlas_secret_role resource (#2047)
  • Fix bug when updating vault_azure_secret_backend_role: (#2063)
  • Fix audience string ordering for auth_login_gcp causing GCE auth to fail (#2064)

IMPROVEMENTS:

  • Updated dependencies: (#2038)
    • github.com/aws/aws-sdk-go v1.44.106 -> v1.45.24
  • Updated dependencies: (#2050)
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0 -> v1.8.0
    • github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2 -> v1.4.0
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v0.3.1 -> v1.1.1
    • github.com/Azure/go-autorest/autorest v0.11.29 removed

v3.21.0

09 Oct 22:32
b98c875

3.21.0 (Oct 9, 2023)

FEATURES:

  • Add GCP CloudSQL support to Postgres, MySQL DB engines: (#2012)
  • Add support for DB Adv TTL Mgmt: (#2011)
  • Add support for setting not_before_duration argument on vault_ssh_secret_backend_role: (#2019)
  • Add support for hmac key type and key_size to vault_transit_secret_backend_key: (#2034)
  • Add support for roles to both rate limit and lease count quotas: (#1994)
  • Add allowed_email_sans field to write and update functions of vault_cert_auth_backend_role: (#1140)
  • Add support for local parameter in aws secret engine: (#2013)

BUGS:

  • Fix duplicate timestamp and incorrect level messages: (#2031)
  • Fix panic when setting key_usage to an array of empty string and enable it to unset the key usage constraints: (#2036)
  • Add state migrator for external_member_group_ids in Identity Group (#2043)
  • Fix drift detection for the kv-v2 secrets resource when disable_read is enabled: (#2039)
  • Add state migrator in secrets/auth backends for disable_remount parameter (#2037)
  • Fix failure when auth_login is specified and vault token is picked up from the runtime/execution environment: (#2029)
  • Remove logging of password key: (#2044)

IMPROVEMENTS:

  • Oracle DB engine enablement on HCP Vault: (#2006)
  • Ensure sensitive values are masked in vault_approle_auth_backend_login plan output (#2008)
  • Updated dependencies: (#2038)
    • cloud.google.com/go/compute v1.10.0 removed
    • cloud.google.com/go/compute/metadata v0.2.3 added
    • cloud.google.com/go/iam v0.3.0 -> v1.1.2
    • github.com/Azure/go-autorest/autorest v0.11.24 -> v0.11.29
    • github.com/cenkalti/backoff/v4 v4.1.2 -> v4.2.1
    • github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f -> v0.0.0-20230601102743-20bbbf26f4d8
    • github.com/denisenkom/go-mssqldb v0.12.0 -> v0.12.3
    • github.com/go-sql-driver/mysql v1.6.0 -> v1.7.1
    • github.com/google/uuid v1.3.0 -> v1.3.1
    • github.com/gosimple/slug v1.11.0 -> v1.13.1
    • github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 -> v1.4.1-0.20200723130312-85980079f637
    • github.com/hashicorp/go-retryablehttp v0.7.1 -> v0.7.4
    • github.com/hashicorp/terraform-plugin-sdk/v2 v2.16.0 -> v2.29.0
    • github.com/hashicorp/vault-plugin-auth-jwt v0.13.2-0.20221012184020-28cc68ee722b -> v0.17.0
    • github.com/hashicorp/vault-plugin-auth-kerberos v0.8.0 -> v0.10.1
    • github.com/hashicorp/vault-plugin-auth-oci v0.13.0-pre -> v0.14.2
    • github.com/hashicorp/vault/api v1.9.3-0.20230628215639-3ca33976762c -> v1.10.0
    • github.com/hashicorp/vault/sdk v0.6.0 -> v0.10.0
    • github.com/jcmturner/gokrb5/v8 v8.4.2 -> v8.4.4
    • golang.org/x/crypto v0.6.0 -> v0.14.0
    • golang.org/x/net v0.7.0 -> v0.15.0
    • golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 -> v0.12.0
    • google.golang.org/api v0.98.0 -> v0.144.0
    • google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e -> v0.0.0-20231002182017-d307bd883b97
    • k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 -> v0.0.0-20230726121419-3b25d923346b

v3.20.1

13 Sep 21:01
f268dff

3.20.1 (Sep 13, 2023)

IMPROVEMENTS:

  • Update dependencies (#1958)
    • github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 -> v0.2.3

BUGS:

  • Update k8s-auth config to support unsetting the K8s CA Cert: (#2005)

CHANGES:

  • vault_kubernetes_auth_backend_config: prior to vault-1.9.3, the k8s-auth engine would store the K8s CA cert in its configuration if Vault was running in K8s. Post vault-1.9.3, this behaviour was changed to no longer store the K8s CA cert in config. That change confuses TFVP since the kubernetes_ca_cert field can no longer be computed. This fix detects and remedies the issue by adding the ability to "unset" the CA cert in the case where we are provisioning vault-1.9.3+. It should also clean up any K8s CA cert that was left behind after upgrading from any Vault version prior to 1.9.3, when disable_local_ca_jwt=false and kubernetes_ca_cert is either unset or set to "".

v3.20.0

30 Aug 18:29
c264899

FEATURES:

  • Add support for setting permanently_delete argument on resource_azure_secret_backend_role: (#1958)
  • Add use_sts_region_from_client to AWS Auth Config: (#1963)
  • Add accessor attribute for vault_gcp_auth_backend resource: (#1980)

BUGS:

  • Fixes a panic that can occur when Vault lookup-self API returns nil token info (#1978)
  • Resolve TF state for PKI Multi-Issuer workflows: (#1973)
  • Check the seal-status on the default namespace: (#1967)

v3.19.0

02 Aug 20:44
67b1e2b

3.19.0 (Aug 2, 2023)

FEATURES:

  • Add support for User ID configuration for PKI Secrets Engine: (#1936)

BUGS:

  • auth/aws: enable namespace support for AWS backend config identity: (#1961)
  • Retry Write on kv-v2 config: (#1955)
  • Update vault_identity_entity to exclude policies from Vault request if external_policies is true: (#1950)
  • Bump Go version to fix macOS resolver issue: (#1941)

v3.18.0

12 Jul 21:35
bc0728c

FEATURES:

  • Add support to set default issuers configuration for PKI Secrets Engine: (#1937)
  • Add new auth_login_token_file method: (#1928)
  • Update HTTP transport wrapper to support TLSConfig cloning: (#1926)

BUGS:

  • secrets/pki: fix server_flag being ignored: (#1933)

v3.17.0

21 Jun 21:12
cd41582

FEATURES:

  • Add support for multi-issuer functionality to PKI: (#1910)
  • Add x509 support to database roles: (#1901)
  • Add AWS Static Roles support: (#1877)
  • Add support for max_page_size in the vault_ldap_auth_backend: (#1878)

BUGS:

  • Fix DB Engine password overwrite for remaining databases: (#1912)

v3.16.0

07 Jun 19:04
abd3bce

FEATURES:

  • Add support for LDAP secrets engine: (#1859)
  • Add new data source vault_auth_backends: (#1827)
  • Support allowed_domains_template on ssh_secret_backend_role. Fixes #1675: (#1676)

IMPROVEMENTS:

  • Add support for retrying kv-v2 secret data writes: (#1887)
  • Add back support for deriving the provider namespace from the Vault token's: (#1841)

BUGS:

  • Fix DB engine password overwrite: (#1876)
  • azure/auth: fix config path parsing: (#1871)

v3.15.2

04 May 04:43
88ca629

BUGS:

  • Revert #1830 which introduced an unexpected breaking change in the way authentication is done within a namespace: (#1840)

v3.15.1

03 May 21:16
f0be592

BUGS:

  • Ensure that the auth_login honours the provider's namespace: (#1830)