Prepare for v4.1.0 release (#2200)

* Prepare for v4.1.0 release

* update v4 upgrade guide

* Update CHANGELOG.md

.github/workflows/build.yml

@@ -31,9 +31,9 @@ jobs:
           cache: false
       # setup-terraform is used to install the Terraform CLI. If we don't do
       # this then the terraform-plugin-sdk will attempt to download it for each test!
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: '1.4.*'
+          terraform_version: '1.7.*'
           terraform_wrapper: false
 
       - name: Cache go build
@@ -65,10 +65,10 @@ jobs:
         image:
         - "vault-enterprise:1.11.12-ent"
         - "vault-enterprise:1.12.11-ent"
-        - "vault-enterprise:1.13.12-ent"
-        - "vault-enterprise:1.14.8-ent"
-        - "vault-enterprise:1.15.4-ent"
-        - "vault:1.15.0"
+        - "vault-enterprise:1.13.13-ent"
+        - "vault-enterprise:1.14.10-ent"
+        - "vault-enterprise:1.15.6-ent"
+        - "vault:latest"
     services:
       vault:
         image: hashicorp/${{ matrix.image }}
@@ -159,9 +159,9 @@ jobs:
           cache: false
       # setup-terraform is used to install the Terraform CLI. If we don't do
       # this then the terraform-plugin-sdk will attempt to download it for each test!
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: '1.4.*'
+          terraform_version: '1.7.*'
           terraform_wrapper: false
       - name: Check Terraform CLI version
         run: terraform --version

CHANGELOG.md

@@ -1,8 +1,23 @@
 ## Unreleased
 
+## 4.1.0 (Mar 20, 2024)
+
+CHANGES TO VAULT POLICY REQUIREMENTS:
+
+* **Important**: This release requires read policies to be set at the path level for mount metadata.
+The v4.0.0 release required read permissions at `sys/auth/:path` which was a
+sudo endpoint. The v4.1.0 release changed that to instead require permissions
+at the `sys/mounts/auth/:path` level and sudo is no longer required. Please
+refer to the details in the [Terraform Vault Provider 4.0.0 Upgrade Guide](/docs/providers/vault/guides/version_4_upgrade.html).
+
+FEATURES:
+* Add new resource `vault_config_ui_custom_message`. Requires Vault 1.16+ Enterprise: ([#2154](https://github.com/hashicorp/terraform-provider-vault/pull/2154)).
+
+IMPROVEMENTS:
+* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198))
+
 BUGS:
 * fix `vault_azure_access_credentials` to default to Azure Public Cloud ([#2190](https://github.com/hashicorp/terraform-provider-vault/pull/2190))
-* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198))
 
 ## 4.0.0 (Mar 13, 2024)
 
@@ -16,7 +31,6 @@ FEATURES:
 * Add support to `enable_templating` in `vault_pki_secret_backend_config_urls` ([#2147](https://github.com/hashicorp/terraform-provider-vault/pull/2147)).
 * Add support for `skip_import_rotation` and `skip_static_role_import_rotation` in `ldap_secret_backend_static_role` and `ldap_secret_backend` respectively. Requires Vault 1.16+ ([#2128](https://github.com/hashicorp/terraform-provider-vault/pull/2128)).
 * Improve logging to track full API exchanges between the provider and Vault ([#2139](https://github.com/hashicorp/terraform-provider-vault/pull/2139))
-* Add new resource `vault_config_ui_custom_message`. Requires Vault 1.16+ Enterprise: ([#2154](https://github.com/hashicorp/terraform-provider-vault/pull/2154)).
 
 IMPROVEMENTS:
 * Improve performance of READ operations across many resources: ([#2145](https://github.com/hashicorp/terraform-provider-vault/pull/2145)), ([#2152](https://github.com/hashicorp/terraform-provider-vault/pull/2152))

website/docs/guides/version_4_upgrade.html.markdown

@@ -1,18 +1,18 @@
 ---
 layout: "vault"
-page_title: "Terraform Vault Provider 4.0.0 Upgrade Guide"
+page_title: "Terraform Vault Provider 4.X Upgrade Guide"
 sidebar_current: "docs-vault-provider-version-4-upgrade"
 description: |-
-  Terraform Vault Provider 4.0.0 Upgrade Guide
+  Terraform Vault Provider 4.X Upgrade Guide
 
 ---
 
-# Terraform Vault Provider 4.0.0 Upgrade Guide
+# Terraform Vault Provider 4.X Upgrade Guide
 
-Version `4.0.0` of the Vault provider for Terraform is a major release and
+Version `4.X` of the Vault provider for Terraform is a major release and
 includes some changes that you will need to consider when upgrading. This guide
 is intended to help with that process and focuses only on the changes necessary
-to upgrade from version `3.25.0` to `4.0.0`.
+to upgrade from version `3.X` to `4.X`.
 
 Most of the changes outlined in this guide have been previously marked as
 deprecated in the Terraform `plan`/`apply` output throughout previous provider
@@ -25,9 +25,9 @@ can always be found in the [CHANGELOG](https://github.com/hashicorp/terraform-pr
 -> If you are upgrading from `2.24.x`. Please follow the
 [3.0.0 Upgrade Guide](./version_3_upgrade.html) before proceeding any further.
 
-## Why version 4.0.0?
+## Why version 4.X?
 
-We introduced version `4.0.0` of the Vault provider in order to make
+We introduced version `4.X` of the Vault provider in order to make
 performance improvements for deployments that manage many Vault secret or auth
 engine mounts. This improvement required changes to the underlying Vault API
 calls, which in turn would require policy adjustments in environments where
@@ -43,7 +43,7 @@ However, please pay special attention to the changes noted in the [Provider Poli
 
 ## What performance improvements should we expect to see?
 
-Version `4.0.0` changed the READ operations across many resources to call Vault
+Version `4.X` changed the READ operations across many resources to call Vault
 API's to only fetch mount metadata necessary for the resource.  Previously,
 these resources were calling a Vault API which returned mount metadata for all
 enabled mounts. This would result in a substantially higher CPU and memory
@@ -100,9 +100,9 @@ Terraform versions `1.0.x ` and greater are fully supported.
 Please see the [Terraform Upgrade Guide](https://www.terraform.io/upgrade-guides/index.html)
 for more info about upgrading Terraform.
 
-## I accidentally upgraded to 4.0.0, how do I downgrade to `3.X`?
+## I accidentally upgraded to 4.X, how do I downgrade to 3.X?
 
-If you've inadvertently upgraded to `4.0.0`, first see the
+If you've inadvertently upgraded to `4.X`, first see the
 [Provider Version Configuration Guide](#provider-version-configuration) to lock
 your provider version; if you've constrained the provider to a lower version
 such as shown in the previous version example in that guide, Terraform will pull
@@ -149,7 +149,7 @@ state changes in the meantime.
 
 ## Provider Version Configuration
 
--> Before upgrading to version `4.0.0`, it is recommended to upgrade to the most
+-> Before upgrading to version `4.X`, it is recommended to upgrade to the most
 recent version of the provider (`3.25.0`) and ensure that your environment
 successfully runs [`terraform plan`](https://www.terraform.io/docs/commands/plan.html)
 without unexpected changes or deprecation notices.
@@ -185,14 +185,18 @@ provider "vault" {
 
 ## Provider Policy Changes
 
-Version `4.0.0` of the Vault provider made changes to the underlying Vault API
+Version `4.X` of the Vault provider made changes to the underlying Vault API
 calls, which in turn may require policy adjustments in environments where
 permissions are least privilege.
 
 Please see the [Capabilities](https://developer.hashicorp.com/vault/docs/concepts/policies#capabilities)
 section of the Vault Policies documentation for more information on Vault
 policies.
 
+-> Note the `4.0.0` release required read permissions at `sys/auth/:path` which was a
+sudo endpoint. The `4.1.0` release changed that to instead require permissions
+at the `sys/mounts/auth/:path` level and sudo is no longer required.
+
 ### Auth method resource changes
 
 The below table specifies what changed between version 3.X and 4.X for the