Merge branch 'main' into dataJsonReadUpdate

hashicorp · Mar 25, 2024 · 7fa66d7 · 7fa66d7
2 parents 12f9c79 + 3790d6a
commit 7fa66d7
Show file tree

Hide file tree

Showing 276 changed files with 6,429 additions and 1,748 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,9 +31,9 @@ jobs:
           cache: false
       # setup-terraform is used to install the Terraform CLI. If we don't do
       # this then the terraform-plugin-sdk will attempt to download it for each test!
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: '1.4.*'
+          terraform_version: '1.7.*'
           terraform_wrapper: false
 
       - name: Cache go build
@@ -65,9 +65,10 @@ jobs:
         image:
         - "vault-enterprise:1.11.12-ent"
         - "vault-enterprise:1.12.11-ent"
-        - "vault-enterprise:1.13.8-ent"
-        - "vault-enterprise:1.14.4-ent"
-        - "vault-enterprise:1.15.0-ent"
+        - "vault-enterprise:1.13.13-ent"
+        - "vault-enterprise:1.14.10-ent"
+        - "vault-enterprise:1.15.6-ent"
+        - "vault:latest"
     services:
       vault:
         image: hashicorp/${{ matrix.image }}
@@ -158,9 +159,9 @@ jobs:
           cache: false
       # setup-terraform is used to install the Terraform CLI. If we don't do
       # this then the terraform-plugin-sdk will attempt to download it for each test!
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: '1.4.*'
+          terraform_version: '1.7.*'
           terraform_wrapper: false
       - name: Check Terraform CLI version
         run: terraform --version
@@ -198,7 +199,12 @@ jobs:
           LDAP_BINDPASS: "adminpassword"
           LDAP_URL: "ldap://openldap:1389"
         run: |
-          make testacc-ent TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
+          if [[ ${{ matrix.image }} =~ "-ent" ]]; then
+            target="testacc-ent"
+          else
+            target="testacc"
+          fi
+          make $target TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
       - name: "Generate Vault API Path Coverage Report"
         run: |
           go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.21.3
+1.21.6
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,93 @@
 ## Unreleased
 
+* Add support for `allowed_kubernetes_namespace_selector` in `vault_kubernetes_secret_backend_role` ([#2180](https://github.com/hashicorp/terraform-provider-vault/pull/2180)).
+
+## 4.1.0 (Mar 20, 2024)
+
+CHANGES TO VAULT POLICY REQUIREMENTS:
+
+* **Important**: This release requires read policies to be set at the path level for mount metadata.
+The v4.0.0 release required read permissions at `sys/auth/:path` which was a
+sudo endpoint. The v4.1.0 release changed that to instead require permissions
+at the `sys/mounts/auth/:path` level and sudo is no longer required. Please
+refer to the details in the [Terraform Vault Provider 4.0.0 Upgrade Guide](/docs/providers/vault/guides/version_4_upgrade.html).
+
+FEATURES:
+* Add new resource `vault_config_ui_custom_message`. Requires Vault 1.16+ Enterprise: ([#2154](https://github.com/hashicorp/terraform-provider-vault/pull/2154)).
+
+IMPROVEMENTS:
+* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198))
+
+BUGS:
+* fix `vault_azure_access_credentials` to default to Azure Public Cloud ([#2190](https://github.com/hashicorp/terraform-provider-vault/pull/2190))
+
+## 4.0.0 (Mar 13, 2024)
+
+**Important**: This release requires read policies to be set at the path level for mount metadata.
+For example, instead of permissions at `sys/auth` you must set permissions at
+the `sys/auth/:path` level. Please refer to the details in the
+[Terraform Vault Provider 4.0.0 Upgrade Guide](/docs/providers/vault/guides/version_4_upgrade.html).
+
+FEATURES:
+* Add support for PKI Secrets Engine cluster configuration with the `vault_pki_secret_backend_config_cluster` resource. Requires Vault 1.13+ ([#1949](https://github.com/hashicorp/terraform-provider-vault/pull/1949)).
+* Add support to `enable_templating` in `vault_pki_secret_backend_config_urls` ([#2147](https://github.com/hashicorp/terraform-provider-vault/pull/2147)).
+* Add support for `skip_import_rotation` and `skip_static_role_import_rotation` in `ldap_secret_backend_static_role` and `ldap_secret_backend` respectively. Requires Vault 1.16+ ([#2128](https://github.com/hashicorp/terraform-provider-vault/pull/2128)).
+* Improve logging to track full API exchanges between the provider and Vault ([#2139](https://github.com/hashicorp/terraform-provider-vault/pull/2139))
+
+IMPROVEMENTS:
+* Improve performance of READ operations across many resources: ([#2145](https://github.com/hashicorp/terraform-provider-vault/pull/2145)), ([#2152](https://github.com/hashicorp/terraform-provider-vault/pull/2152))
+* Add the metadata `version` in returned values for `vault_kv_secret_v2` data source: ([#2095](https://github.com/hashicorp/terraform-provider-vault/pull/2095))
+* Add new secret sync destination fields: ([#2150](https://github.com/hashicorp/terraform-provider-vault/pull/2150))
+
+BUGS:
+* Handle graceful destruction of resources when approle is deleted out-of-band ([#2142](https://github.com/hashicorp/terraform-provider-vault/pull/2142)).
+* Ensure errors are returned on read operations for `vault_ldap_secret_backend_static_role`, `vault_ldap_secret_backend_library_set`, and `vault_ldap_secret_backend_static_role` ([#2156](https://github.com/hashicorp/terraform-provider-vault/pull/2156)).
+* Ensure proper use of issuer endpoints for root sign intermediate resource: ([#2160](https://github.com/hashicorp/terraform-provider-vault/pull/2160))
+* Fix issuer data overwrites on updates: ([#2186](https://github.com/hashicorp/terraform-provider-vault/pull/2186))
+
+## 3.25.0 (Feb 14, 2024)
+
+FEATURES:
+* Add destination and association resources to support Secrets Sync. Requires Vault 1.16+ ([#2098](https://github.com/hashicorp/terraform-provider-vault/pull/2098)).
+* Add support for configuration of plugin WIF to the AWS Secret Backend. Requires Vault 1.16+ ([#2138](https://github.com/hashicorp/terraform-provider-vault/pull/2138)).
+* Add support for Oracle database plugin configuration options `split_statements` and `disconnect_sessions`: ([#2085](https://github.com/hashicorp/terraform-provider-vault/pull/2085))
+
+IMPROVEMENTS:
+* Add an API client lock to the `vault_identity_group_alias` resource: ([#2140](https://github.com/hashicorp/terraform-provider-vault/pull/2140))
+
+## 3.24.0 (Jan 17, 2024)
+
+FEATURES:
+* Add support for `ext_key_usage_oids` in `vault_pki_secret_backend_role` ([#2108](https://github.com/hashicorp/terraform-provider-vault/pull/2108))
+* Adds support to `vault_gcp_auth_backend` for common backend tune parameters ([#1997](https://github.com/terraform-providers/terraform-provider-vault/pull/1997)).
+* Adds support to `vault_azure_secret_backend_role` for `sign_in_audience` and `tags`. Requires Vault 1.16+. ([#2101](https://github.com/terraform-providers/terraform-provider-vault/pull/2101)).
+
+BUGS:
+* fix `vault_kv_secret_v2` drift when "data" is in secret name/path ([#2104](https://github.com/hashicorp/terraform-provider-vault/pull/2104))
+* fix `vault_database_secret_backend_connection`: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key ([#2106](https://github.com/hashicorp/terraform-provider-vault/pull/2106))
+* Fix ignored `description` updates for `aws_secret_backend` resource ([#2057](https://github.com/hashicorp/terraform-provider-vault/pull/2057))
+
+IMPROVEMENTS:
+* Updated dependencies ([#2129](https://github.com/hashicorp/terraform-provider-vault/pull/2129)):
+   * `cloud.google.com/go/iam` v1.1.2 -> v1.1.5
+   * `github.com/Azure/azure-sdk-for-go/sdk/azcore` v1.8.0 -> v1.9.1
+   * `github.com/Azure/azure-sdk-for-go/sdk/azidentity` v1.4.0 -> v1.5.0
+   * `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources` v1.1.1 -> v1.2.0
+   * `github.com/aws/aws-sdk-go` v1.45.24 -> v1.49.22
+   * `github.com/google/uuid` v1.3.1 -> v1.5.0
+   * `github.com/hashicorp/go-hclog` v1.5.0 -> v1.6.2
+   * `github.com/hashicorp/go-retryablehttp` v0.7.4 -> v0.7.5
+   * `github.com/hashicorp/go-secure-stdlib/parseutil` v0.1.7 -> v0.1.8
+   * `github.com/hashicorp/terraform-plugin-sdk/v2` v2.29.0 -> v2.31.0
+   * `github.com/hashicorp/vault-plugin-auth-jwt` v0.17.0 -> v0.18.0
+   * `github.com/hashicorp/vault/sdk` v0.10.0 -> v0.10.2
+   * `golang.org/x/crypto` v0.14.0 -> v0.18.0
+   * `golang.org/x/net` v0.15.0 -> v0.20.0
+   * `golang.org/x/oauth2` v0.12.0 -> v0.16.0
+   * `google.golang.org/api` v0.144.0 -> v0.156.0
+   * `google.golang.org/genproto` v0.0.0-20231002182017-d307bd883b97 -> v0.0.0-20240116215550-a9fa1716bcac
+   * `k8s.io/utils` v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240102154912-e7106e64919e
+
 ## 3.23.0 (Nov 15, 2023)
 
 FEATURES: