From 3ca1904358eb326983f8f671683f5675441a363d Mon Sep 17 00:00:00 2001 From: John-Michael Faircloth Date: Wed, 20 Mar 2024 13:38:21 -0500 Subject: [PATCH] Prepare for v4.1.0 release (#2200) * Prepare for v4.1.0 release * update v4 upgrade guide * Update CHANGELOG.md --- .github/workflows/build.yml | 16 +++++------ CHANGELOG.md | 18 ++++++++++-- .../guides/version_4_upgrade.html.markdown | 28 +++++++++++-------- 3 files changed, 40 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1abcbe03a4..1fb7d468e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,9 +31,9 @@ jobs: cache: false # setup-terraform is used to install the Terraform CLI. If we don't do # this then the terraform-plugin-sdk will attempt to download it for each test! - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 with: - terraform_version: '1.4.*' + terraform_version: '1.7.*' terraform_wrapper: false - name: Cache go build @@ -65,10 +65,10 @@ jobs: image: - "vault-enterprise:1.11.12-ent" - "vault-enterprise:1.12.11-ent" - - "vault-enterprise:1.13.12-ent" - - "vault-enterprise:1.14.8-ent" - - "vault-enterprise:1.15.4-ent" - - "vault:1.15.0" + - "vault-enterprise:1.13.13-ent" + - "vault-enterprise:1.14.10-ent" + - "vault-enterprise:1.15.6-ent" + - "vault:latest" services: vault: image: hashicorp/${{ matrix.image }} @@ -159,9 +159,9 @@ jobs: cache: false # setup-terraform is used to install the Terraform CLI. If we don't do # this then the terraform-plugin-sdk will attempt to download it for each test! - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 with: - terraform_version: '1.4.*' + terraform_version: '1.7.*' terraform_wrapper: false - name: Check Terraform CLI version run: terraform --version diff --git a/CHANGELOG.md b/CHANGELOG.md index 691c29c0eb..8b050036f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
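Review bot: `- uses: hashicorp/setup-terraform@v3` in the first hunk pins the action to a mutable major-version tag, so the code executed in this CI job can change without any edit to this file; even for a first-party action, the usual hardening is to pin the full commit SHA and record the tag in a trailing comment, e.g. `- uses: hashicorp/setup-terraform@<40-hex-commit-sha> # v3`. The same tag form is used by the second job later in the file, so both references should move together to keep the workflow consistent. Dependabot or Renovate can keep SHA pins current, which removes the maintenance cost that usually motivates the tag form.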
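Review bot: Replacing `- "vault:1.15.0"` with `- "vault:latest"` in the test matrix makes the build non-reproducible: the same commit can pass today and fail later when Docker Hub retags `latest` to a new Vault release, and that failure cannot be attributed to a provider change or bisected. The `-ent` entries in the same list stay pinned, so the community image becomes the only floating input; consider pinning it as well, e.g. `- "vault:1.15.6"`, and bumping it deliberately alongside the enterprise versions. If the intent is early signal on the next Vault release (this patch's CHANGELOG mentions a resource that requires Vault 1.16+), a separate non-blocking matrix entry or job with `continue-on-error: true` gives that without destabilising the required checks.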
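Review bot: The `hashicorp/setup-terraform@v3` reference in the third hunk is the same mutable tag as in the first job, and `terraform_version: '1.7.*'` adds a second floating input, so two runs of the same commit can execute different Terraform CLI builds; the `Check Terraform CLI version` step that follows only logs the version and does not constrain it. Pin the action to a commit SHA with a `# v3` comment, and if reproducibility matters more than patch coverage, pin an exact `terraform_version` (e.g. `terraform_version: '1.7.5'`) and bump it deliberately. The `jobs:` mapping these steps belong to starts and ends outside the hunk.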
@@ -1,8 +1,23 @@ ## Unreleased +## 4.1.0 (Mar 20, 2024) + +CHANGES TO VAULT POLICY REQUIREMENTS: + +* **Important**: This release requires read policies to be set at the path level for mount metadata. +The v4.0.0 release required read permissions at `sys/auth/:path` which was a +sudo endpoint. The v4.1.0 release changed that to instead require permissions +at the `sys/mounts/auth/:path` level and sudo is no longer required. Please +refer to the details in the [Terraform Vault Provider 4.0.0 Upgrade Guide](/docs/providers/vault/guides/version_4_upgrade.html). + +FEATURES: +* Add new resource `vault_config_ui_custom_message`. Requires Vault 1.16+ Enterprise: ([#2154](https://github.com/hashicorp/terraform-provider-vault/pull/2154)). + +IMPROVEMENTS: +* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198)) + BUGS: * fix `vault_azure_access_credentials` to default to Azure Public Cloud ([#2190](https://github.com/hashicorp/terraform-provider-vault/pull/2190)) -* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198)) ## 4.0.0 (Mar 13, 2024) 
@@ -16,7 +31,6 @@ FEATURES: * Add support to `enable_templating` in `vault_pki_secret_backend_config_urls` ([#2147](https://github.com/hashicorp/terraform-provider-vault/pull/2147)). * Add support for `skip_import_rotation` and `skip_static_role_import_rotation` in `ldap_secret_backend_static_role` and `ldap_secret_backend` respectively. Requires Vault 1.16+ ([#2128](https://github.com/hashicorp/terraform-provider-vault/pull/2128)). * Improve logging to track full API exchanges between the provider and Vault ([#2139](https://github.com/hashicorp/terraform-provider-vault/pull/2139)) -* Add new resource `vault_config_ui_custom_message`. Requires Vault 1.16+ Enterprise: ([#2154](https://github.com/hashicorp/terraform-provider-vault/pull/2154)). IMPROVEMENTS: * Improve performance of READ operations across many resources: ([#2145](https://github.com/hashicorp/terraform-provider-vault/pull/2145)), ([#2152](https://github.com/hashicorp/terraform-provider-vault/pull/2152)) diff --git a/website/docs/guides/version_4_upgrade.html.markdown b/website/docs/guides/version_4_upgrade.html.markdown index 70c4fdb7fb..71e1d6cf3d 100644 --- a/website/docs/guides/version_4_upgrade.html.markdown +++ b/website/docs/guides/version_4_upgrade.html.markdown 
@@ -1,18 +1,18 @@ --- layout: "vault" -page_title: "Terraform Vault Provider 4.0.0 Upgrade Guide" +page_title: "Terraform Vault Provider 4.X Upgrade Guide" sidebar_current: "docs-vault-provider-version-4-upgrade" description: |- - Terraform Vault Provider 4.0.0 Upgrade Guide + Terraform Vault Provider 4.X Upgrade Guide --- -# Terraform Vault Provider 4.0.0 Upgrade Guide +# Terraform Vault Provider 4.X Upgrade Guide -Version `4.0.0` of the Vault provider for Terraform is a major release and +Version `4.X` of the Vault provider for Terraform is a major release and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on the changes necessary -to upgrade from version `3.25.0` to `4.0.0`. +to upgrade from version `3.X` to `4.X`. Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform `plan`/`apply` output throughout previous provider @@ -25,9 +25,9 @@ can always be found in the [CHANGELOG](https://github.com/hashicorp/terraform-pr -> If you are upgrading from `2.24.x`. Please follow the [3.0.0 Upgrade Guide](./version_3_upgrade.html) before proceeding any further. -## Why version 4.0.0? +## Why version 4.X? -We introduced version `4.0.0` of the Vault provider in order to make +We introduced version `4.X` of the Vault provider in order to make performance improvements for deployments that manage many Vault secret or auth engine mounts. This improvement required changes to the underlying Vault API calls, which in turn would require policy adjustments in environments where 
@@ -43,7 +43,7 @@ However, please pay special attention to the changes noted in the [Provider Poli ## What performance improvements should we expect to see? -Version `4.0.0` changed the READ operations across many resources to call Vault +Version `4.X` changed the READ operations across many resources to call Vault API's to only fetch mount metadata necessary for the resource. Previously, these resources were calling a Vault API which returned mount metadata for all enabled mounts. This would result in a substantially higher CPU and memory @@ -100,9 +100,9 @@ Terraform versions `1.0.x ` and greater are fully supported. Please see the [Terraform Upgrade Guide](https://www.terraform.io/upgrade-guides/index.html) for more info about upgrading Terraform. -## I accidentally upgraded to 4.0.0, how do I downgrade to `3.X`? +## I accidentally upgraded to 4.X, how do I downgrade to 3.X? -If you've inadvertently upgraded to `4.0.0`, first see the +If you've inadvertently upgraded to `4.X`, first see the [Provider Version Configuration Guide](#provider-version-configuration) to lock your provider version; if you've constrained the provider to a lower version such as shown in the previous version example in that guide, Terraform will pull @@ -149,7 +149,7 @@ state changes in the meantime. ## Provider Version Configuration --> Before upgrading to version `4.0.0`, it is recommended to upgrade to the most +-> Before upgrading to version `4.X`, it is recommended to upgrade to the most recent version of the provider (`3.25.0`) and ensure that your environment successfully runs [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) without unexpected changes or deprecation notices. 
@@ -185,7 +185,7 @@ provider "vault" { ## Provider Policy Changes -Version `4.0.0` of the Vault provider made changes to the underlying Vault API +Version `4.X` of the Vault provider made changes to the underlying Vault API calls, which in turn may require policy adjustments in environments where permissions are least privilege. @@ -193,6 +193,10 @@ Please see the [Capabilities](https://developer.hashicorp.com/vault/docs/concept section of the Vault Policies documentation for more information on Vault policies. +-> Note the `4.0.0` release required read permissions at `sys/auth/:path` which was a +sudo endpoint. The `4.1.0` release changed that to instead require permissions +at the `sys/mounts/auth/:path` level and sudo is no longer required. + ### Auth method resource changes The below table specifies what changed between version 3.X and 4.X for the