Releases: hashicorp/terraform-provider-vault

v5.3.0

08 Sep 21:02
b9a1cd2

5.3.0 (Sep 4, 2025)

FEATURES:

  • Add support for password phrases via the credential_type field in the vault_ldap_secret_backend resource (#2548)

IMPROVEMENTS:

  • build(deps): bump the gomod-backward-compatible group with 5 updates: GH-2583
  • Move to the standard CRT release workflow and tooling: GH-2582

BUGS:

  • Fix azure_secret_backend_role to prevent persistent diff for null value on max_ttl and explicit_max_ttl argument (#2581)

v5.2.1

19 Aug 17:30
59f3185

5.2.1 (Aug 19, 2025)

BUGS:

  • Fix a failure to initialize the provider due to incompatible dependencies (#2575)
  • Fix auth_login_gcp field constraint on fields credentials, service_account
  • Fix auth_login_azure field constraint on fields vmss_name, tenant_id, client_id, scope
  • Fix auth_login_kerberos field constraint on fields username, service, realm, krb5conf_path, keytab_path, disable_fast_negotiation, remove_instance_name
  • Fix auth_login_userpass field constraint on field password_file
  • Fix auth_login field constraint on field use_root_namespace
  • Fix to allow Snowflake keypair auth with Vault 1.16+ (#2575)

v5.2.0

18 Aug 21:08
208a6b6

5.2.0 (Aug 18, 2025)

FEATURES:

  • Add support for jwks_pairs in vault_jwt_auth_backend resource. Requires Vault 1.16+ (#2523)
  • Add support for root_password_ttl in vault_azure_secret_backend resource. Requires Vault 1.15+ (#2529)
  • Add support for managed key parameters in the SSH CA config endpoint (#2480)
  • Add new resources vault_oci_auth_backend and vault_oci_auth_backend_role to manage OCI auth backend and roles. (#1761)
  • Add support for log_level in vault_pki_secret_backend_config_scep resource. Requires Vault 1.20.1+ (#2525)

IMPROVEMENTS:

  • Bump Go version to 1.24.6: (#2550)
  • Ensure all resources that use custom mounts support all mount parameters. (#2332)
  • Updated dependencies:
    • golang.org/x/oauth2 v0.24.0 -> v0.30.0
    • github.com/cloudflare/circl v1.3.7 -> v1.6.1
    • github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
    • github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.2
    • github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
    • cloud.google.com/go/iam v1.2.2 -> v1.5.2
    • cloud.google.com/go/compute/metadata v0.6.0 -> v0.8.0
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.18.2
    • github.com/aws/aws-sdk-go v1.55.6 -> v1.55.8
    • github.com/go-sql-driver/mysql v1.8.1 -> v1.9.3
    • github.com/hashicorp/consul/api v1.27.0 -> v1.32.1
    • github.com/hashicorp/terraform-plugin-framework v1.14.1 -> 1.15.1
    • github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 -> v0.18.0
    • hashicorp/ghaction-terraform-provider-release v4.0.1 -> v5.0.0

BUGS:

  • Fix panic when reading the vault_gcp_secret_backend resource. (#2549)
  • Fix regression where VAULT_NAMESPACE was not being honored, causing child namespaces to be created in the root namespace instead (#2540)

v5.1.0

09 Jul 18:15
dc098d3

5.1.0 (Jul 9, 2025)

FEATURES:

  • Add support for key_usage to vault_pki_secret_backend_root_sign_intermediate (#2421)

  • Add private_key_wo and private_key_wo_version fields to Snowflake DB secrets engine config (#2508)

  • Add support for group_by and secondary_rate on resource vault_quota_rate_limit. Requires Vault Enterprise 1.20.0+ (#2476)

  • Add support for Transit CMAC endpoint (#2488)

  • Add new resource vault_scep_auth_backend_role to manage roles in a SCEP auth backend. #2479.

  • Add new datasource and resource vault_pki_secret_backend_config_scep for PKI SCEP configuration. #2487.

v5.0.0

21 May 19:58
da4af80

5.0.0 (May 21, 2025)

Important: 5.X multiplexes the Vault provider to use the Terraform Plugin Framework, upgrades to Terraform 1.11.x, and adds support for Ephemeral Resources and Write-Only attributes.
Please refer to the Terraform Vault Provider 5.0.0 Upgrade Guide for specific details around the changes.

VERSION COMPATIBILITY:
5.X is officially supported and tested against Vault server versions >= 1.15.x.
5.X supports Terraform versions >= 1.11.x in order to support ephemeral resources and write-only attributes.

BREAKING CHANGES:
Please refer to the upgrade topics in the guide for details on all breaking changes.

FEATURES:

  • Add new ephemeral resources/attributes (#2457):
    • Add new ephemeral resource vault_kv_secret_v2
    • Add new ephemeral resource vault_database_secret
    • Add new write-only attribute data_json_wo (along with data_json_wo_version) to resource vault_kv_secret_v2
    • Add new write-only attribute credentials_wo (along with credentials_wo_version) to resource vault_gcp_secret_backend
    • Add new write-only attribute password_wo (along with password_wo_version) to resource vault_database_secret_backend_connection

BUGS:

  • fix vault_policy_document data source regression to allow empty capabilities (#2466)

v4.8.0

23 Apr 20:07
90f4969

4.8.0 (Apr 23, 2025)

FEATURES:

  • Add support for recursive search in data_vault_namespaces #2408
  • Add support for subscribe_event_types in data_source_policy_document #2445
  • Add support for explicit_max_ttl in vault_azure_secret_backend_role resources. Requires Vault 1.18+ (#2438).

BUGS:

  • Fix credential validation failures in vault_azure_access_credentials data source caused by Azure RBAC propagation delays using azure_groups #2437

v4.7.0

12 Mar 19:57
356b12e

4.7.0 (Mar 12, 2025)

FEATURES:

  • Update vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate to support the new fields for the name constraints extension. Requires Vault 1.19+ (#2396).
  • Update vault_pki_secret_backend_issuer resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ (#2400).
  • Add support for certificate revocation with revoke_with_key in vault_pki_secret_backend_cert (#2242)
  • Add support for signature_bits field to vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_cert_request (#2401)
  • Add support for key_usage and serial_number to vault_pki_secret_backend_intermediate_cert_request (#2404)
  • Add support for skip_import_rotation in vault_database_secret_backend_static_role. Requires Vault Enterprise 1.18.5+ (#2386).
  • Add support for not_after in vault_pki_secret_backend_cert, vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign (#2385).
  • Update vault_pki_secret_backend_config_acme to support the max_ttl field. #2411
  • Add new data source vault_ssh_secret_backend_sign. (#2409)
  • Add support for disabled_validations in vault_pki_secret_backend_config_cmpv2 #2412
  • Add credential_type and credential_config to database_secret_backend_static_role to support features like rsa keys for Snowflake DB engines with static roles #2384
  • Add support for missing parameters to vault_pki_secret_backend_root_sign_intermediate: not_before_duration, skid and use_pss #2417
  • Add support for use_pss, no_store_metadata, and serial_number_source to vault_pki_secret_backend_role #2420
  • Add support for Transit sign and verify endpoints (#2418)
  • Add new data source vault_pki_secret_backend_cert_metadata and support for cert_metadata in vault_pki_secret_backend_cert and vault_pki_secret_backend_sign #2422
  • Add support for max_crl_entries in vault_pki_secret_backend_crl_config #2423
  • Add support for new Automated Root Rotation parameters in several plugins. Requires Vault Enterprise 1.19.0+.
  • Add new resource vault_pki_secret_backend_config_auto_tidy to set PKI automatic tidy configuration #1934
  • Add support for cross-account management of static roles in AWS Secrets: (#2413)

BUGS:

  • Do not panic on Vault PKI roles without the cn_validations field: (#2398)

IMPROVEMENTS:

  • Update pki_secret_backend_crl_config to be more resilient to unknown response fields (#2429)

v4.6.0

15 Jan 20:55
afb9eca

4.6.0 (Jan 15, 2025)

FEATURES:

  • Update vault_database_secret_backend_connection to support password_authentication for PostgreSQL, allowing the password to be encrypted before it is passed to PostgreSQL (#2371)
  • Add support for external_id field for the vault_aws_auth_backend_sts_role resource (#2370)
  • Add support for ACME configuration with the vault_pki_secret_backend_config_acme resource. Requires Vault 1.14+ (#2157).
  • Update vault_pki_secret_backend_role to support the cn_validations role field (#1820).
  • Add new resource vault_pki_secret_backend_acme_eab to manage PKI ACME external account binding tokens. Requires Vault 1.14+. (#2367)
  • Add new data source and resource vault_pki_secret_backend_config_cmpv2. Requires Vault 1.18+. Available only for Vault Enterprise (#2330)

IMPROVEMENTS:

  • Support the event subscribe policy capability for vault_policy_document data source (#2293)

v4.5.0

19 Nov 17:28
c96967c

4.5.0 (Nov 19, 2024)

FEATURES:

  • Update vault_database_secret_backend_connection to support inline TLS config for PostgreSQL (#2339)
  • Update vault_database_secret_backend_connection to support skip_verification config for Cassandra (#2346)
  • Update vault_approle_auth_backend_role_secret_id to support num_uses and ttl fields (#2345)
  • Add support for allow_empty_principals field for the vault_ssh_secret_backend_role resource (#2354)
  • Update vault_gcp_secret_impersonated_account to support setting ttl (#2318)
  • Add support for connection_timeout field for the vault_ldap_auth_backend resource (#2358)
  • Add support for Rootless Configuration for Static Roles to Postgres DB (#2341)
  • Add support for use_annotations_as_alias_metadata field for the vault_kubernetes_auth_backend_config resource (#2226)

BUGS:

  • Remove consul secret backend role from state if not found on vault: (#2321)

v4.4.0

07 Aug 17:05
32c490c

4.4.0 (Aug 7, 2024)

FEATURES:

  • Update vault_aws_secret_backend_role to support setting session_tags and external_id (#2290)

BUGS:

  • fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#2308)
  • fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#2289)