breaking: the dependency vault has been updated to a new major version (5.5.0), which may include breaking changes. #major

[public-glueops-renovatebot]

This PR contains the following updates:

Package	Type	Update	Change
vault (source)	required_provider	major	3.25.0 -> 5.5.0

---

Release Notes

hashicorp/terraform-provider-vault (vault)

v5.5.0

Compare Source

BEHAVIOR CHANGES: With v5.5.0, the default value for deny_null_bind in the vault_ldap_auth_backend resource has changed from false to true
to match with the Vault API defaults. Configurations that do not explicitly set deny_null_bind will now have it set to true upon upgrade, and
customers should verify that this change aligns with their intended LDAP authentication behavior. Furthermore, Customers should also consider
upgrading to Vault Community Edition 1.21.1 and Vault Enterprise 1.21.1, 1.20.6, 1.19.12, and 1.16.28, which no longer allows Vault to perform
unauthenticated or null binds against the LDAP server.

SECURITY:

• vault_ldap_auth_backend: Fix incorrect deny_null_bind default. Set deny_null_bind to true if not provided in configuration (#​2622) (CVE-13357,HCSEC-2025-33)

FEATURES:

• Add support for alias_metadata field in auth resources (#​2547)
• Add support for not_before_duration field in vault_pki_secret_backend_root_cert (#​2664)

IMPROVEMENTS:

• Updated dependencies:
  • golang.org/x/crypto v0.41.0 -> v0.45.0
  • golang.org/x/net v0.43.0 -> v0.47.0
  • golang.org/x/mod v0.26.0 -> v0.29.0
  • golang.org/x/sync v0.16.0 -> v0.18.0
  • golang.org/x/sys v0.35.0 -> v0.38.0
  • golang.org/x/text v0.28.0 -> v0.31.0
  • golang.org/x/tools v0.35.0 -> v0.38.0

v5.4.0

Compare Source

BEHAVIOR CHANGES: Please refer to the upgrade topics
in the guide for details on all behavior changes.

FEATURES:

• Add support for Azure Static Secrets: (#​2635)
• Add support for write-only token argument in vault_terraform_cloud_secret_backend resource (#​2603)
• New parameters for vault_terraform_cloud_secret_role to support multi-team tokens, by @​drewmullen (#​2498)
• Add support for tune in vault_saml_auth_backend resource (#​2566)
• Add support for tune in vault_ldap_auth_backend and vault_okta_auth_backend resources (#​2602)
• Add support for allowed_sts_header_values parameter in vault_aws_auth_backend_client resource to specify additional headers allowed in STS requests
• New parameters for vault_gcp_secret_backend to support ttl and max_ttl, by @​vijayavelsekar (#​2627)
• Add support for request_timeout, dereference_aliases,enable_samaccountname_login and anonymous_group_search parameters in vault_ldap_auth_backend resource.(#​2634)
• Add support for max_retries parameter in vault_aws_secret_backend resource. (#​2623)
• Add support for iam_alias, iam_metadata, gce_alias and gce_metadata fields in vault_gcp_auth_backend resource (#​2636)
• Add support for role_id field in vault_gcp_auth_backend_role resource (#​2636)
• Add retry configuration fields (max_retries, retry_delay, max_retry_delay) to vault_azure_auth_backend_config resource for Azure API request resilience (#​2629)
• Add new resources vault_spiffe_auth_backend_config and vault_spiffe_auth_backend_role (#​2620)
• Add support for mfa_serial_number parameter in vault_aws_secret_backend_role resource. (#​2637)
• Add support for persist_appparameters in vault_azure_secret_backend_role resource.
  (#​2642)

BUGS:

• Fix pki config resources to allow unsetting of fields (to empty fields) (#​2558)
• Fix tune auth mounts to allow unsetting of fields (setting fields to empty values) (#​2605)
• Fix vault_pki_secret_backend_crl_config resource to allow disabling flags previously set to true (#​2615)
• Fix the tune block issue where it always updates unless field values match Vault server defaults
  • vault_jwt_auth_backend resource (#​2560)
  • vault_github_auth_backend and vault_auth_backend resources (#​2565)
  • vault_saml_auth_backend resource (#​2566)
  • vault_gcp_auth_backend and vault_oci_auth_backend resources (#​2596)

v5.3.0

Compare Source

FEATURES:

• Add support for password phrases via the credential_type field in the vault_ldap_secret_backend resource (#​2548)

IMPROVEMENTS:

• build(deps): bump the gomod-backward-compatible group with 5 updates: GH-2583
• Move to the standard CRT release workflow and tooling: GH-2582

BUGS:

• Fix azure_secret_backend_role to prevent persistent diff for null value on max_ttl and explicit_max_ttl argument (#​2581)

v5.2.1

Compare Source

BUGS:

• Fix a failure to initialize the provider due to incompatible dependencies (#​2575)
• Fix auth_login_gcp field constraint on field credentials service_account
• Fix auth_login_azure field constraint on field vmss_name tenant_id client_id scope
• Fix auth_login_kerberos field constraint on fields username service realm krb5conf_path keytab_path disable_fast_negotiation remove_instance_name
• Fix auth_login_userpass field constraint on field password_file
• Fix auth_login field constraint on field use_root_namespace
• Fix to allow Snowflake keypair auth with Vault 1.16+ (#​2575)

v5.2.0

Compare Source

FEATURES:

• Add support for jwks_pairs in vault_jwt_auth_backend resource. Requires Vault 1.16+ (#​2523)
• Add support for root_password_ttl in vault_azure_secret_backend resource. Requires Vault 1.15+ (#​2529)
• Add support for managed key parameters in the SSH CA config endpoint (#​2480)
• Add new resources vault_oci_auth_backend and vault_oci_auth_backend_role to manage OCI auth backend and roles. (#​1761)
• Add support for log_level in vault_pki_secret_backend_config_scep resource. Requires Vault 1.20.1+ (#​2525)

IMPROVEMENTS:

• Bump Go version to 1.24.6: (#​2550)
• Ensure all resources that use custom mounts support all mount parameters. (#​2332)
• Updated dependencies:
  • golang.org/x/oauth2 v0.24.0 -> v0.30.0
  • github.com/cloudflare/circl v1.3.7 -> v1.6.1
  • github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
  • github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.2
  • github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
  • cloud.google.com/go/iam v1.2.2 -> v1.5.2
  • cloud.google.com/go/compute/metadata v0.6.0 -> v0.8.0
  • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.18.2
  • github.com/aws/aws-sdk-go v1.55.6 -> v1.55.8
  • github.com/go-sql-driver/mysql v1.8.1 -> v1.9.3
  • github.com/hashicorp/consul/api v1.27.0 -> v1.32.1
  • github.com/hashicorp/terraform-plugin-framework v1.14.1 -> 1.15.1
  • github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 -> v0.18.0
  • hashicorp/ghaction-terraform-provider-release v4.0.1 -> v5.0.0

BUGS:

• Fix panic when reading the vault_gcp_secret_backend resource. (#​2549)
• Fix regression where VAULT_NAMESPACE was not being honored, causing child namespaces to be created in the root namespace instead (#​2540)

v5.1.0

Compare Source

FEATURES:

• Add support for key_usage to vault_pki_secret_backend_root_sign_intermediate (#​2421)

• Add private_key_wo and private_key_wo_version fields to Snowflake DB secrets engine config (#​2508)

• Add support for group_by and secondary_rate on resource vault_quota_rate_limit. Requires Vault Enterprise 1.20.0+ (#​2476)

• Add support for Transit CMAC endpoint (#​2488)

• Add new resource vault_scep_auth_backend_role to manage roles in a SCEP auth backend. #​2479.

• Add new datasource and resource vault_pki_secret_backend_config_scep for PKI SCEP configuration. #​2487.

v5.0.0

Compare Source

Important: 5.X multiplexes the Vault provider to use the Terraform Plugin Framework,
upgrades to Terraform 1.11.x, and adds support for Ephemeral Resources and Write-Only attributes.
Please refer to the
Terraform Vault Provider 5.0.0 Upgrade Guide for specific
details around the changes.

VERSION COMPATIBILITY:
5.X is officially supported and tested against Vault server versions >= 1.15.x.
5.X supports Terraform versions >= 1.11.x in order to support ephemeral resources and write-only attributes.

BREAKING CHANGES:
Please refer to the upgrade topics
in the guide for details on all breaking changes.

FEATURES:

• Add new ephemeral resources/attributes (#​2457):
  • Add new ephemeral resource vault_kv_secret_v2
  • Add new ephemeral resource vault_database_secret
  • Add new write-only attribute data_json_wo (along with data_json_wo_version) to resource vault_kv_secret_v2
  • Add new write-only attribute credentials_wo, (along with credentials_wo_version) to resource vault_gcp_secret_backend
  • Add new write-only attribute password_wo, (along with password_wo_version to resource) vault_database_secret_backend_connection

BUGS:

• fix vault_policy_document data source regression to allow empty capabilities (#​2466)

v4.8.0

Compare Source

FEATURES:

• Add support for recursive search in data_vault_namespaces #​2408
• Add support for subscribe_event_types in data_source_policy_document #​2445
• Add support for explicit_max_ttl in vault_azure_secret_backend_role resources. Requires Vault 1.18+ (#​2438).

BUGS:

• Fix credential validation failures in vault_azure_access_credentials data source caused by Azure RBAC propagation delays using azure_groups #​2437

v4.7.0

Compare Source

FEATURES:

• Update vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate to support the new fields for the name constraints extension. Requires Vault 1.19+ (#​2396).
• Update vault_pki_secret_backend_issuer resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ (#​2400).
• Add support for certificate revocation with revoke_with_key in vault_pki_secret_backend_cert (#​2242)
• Add support for signature_bits field to vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_cert_request ([#​2401])(#​2401)
• Add support for key_usage and serial_number to vault_pki_secret_backend_intermediate_cert_request ([#​2404])(#​2404)
• Add support for skip_import_rotation in vault_database_secret_backend_static_role. Requires Vault Enterprise 1.18.5+ (#​2386).
• Add support for not_after in vault_pki_secret_backend_cert, vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign (#​2385).
• Update vault_pki_secret_backend_config_acme to support the max_ttl field. #​2411
• Add new data source vault_ssh_secret_backend_sign. (#​2409)
• Add support for disabled_validations in vault_pki_secret_backend_config_cmpv2 #​2412
• Add credential_type and credential_config to database_secret_backend_static_role to support features like rsa keys for Snowflake DB engines with static roles #​2384
• Add support for missing parameters to vault_pki_secret_backend_root_sign_intermediate: not_before_duration, skid and use_pss #​2417
• Add support for use_pss, no_store_metadata, and serial_number_source to vault_pki_secret_backend_role #​2420
• Add support for Transit sign and verify endpoints (#​2418)
• Add new data source vault_pki_secret_backend_cert_metadata and support for cert_metadata in vault_pki_secret_backend_cert and vault_pki_secret_backend_sign #​2422
• Add support for max_crl_entries in vault_pki_secret_backend_crl_config #​2423
• Add support for new Automated Root Rotation parameters in several plugins. Requires Vault Enterprise 1.19.0+.
  • AWS Auth/Secrets (#​2414)
  • Azure Auth/Secrets (#​2428)
  • DB Secrets (#​2414).
  • LDAP Auth/Secrets (#​2428)
  • GCP Auth/Secrets (#​2427)
• Add new resource vault_pki_secret_backend_config_auto_tidy to set PKI automatic tidy configuration #​1934
• Add support for cross-account management of static roles in AWS Secrets: (#​2413)

BUGS:

• Do not panic on Vault PKI roles without the cn_validations field: (#​2398)

IMPROVEMENTS:

• Update pki_secret_backend_crl_config to be more resilent to unknown response fields (#​2429)

v4.6.0

Compare Source

FEATURES:

• Update vault_database_secret_backend_connectionto support password_authentication for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL (#​2371)
• Add support for external_id field for the vault_aws_auth_backend_sts_role resource (#​2370)
• Add support for ACME configuration with the vault_pki_secret_backend_config_acme resource. Requires Vault 1.14+ (#​2157).
• Update vault_pki_secret_backend_role to support the cn_validations role field (#​1820).
• Add new resource vault_pki_secret_backend_acme_eab to manage PKI ACME external account binding tokens. Requires Vault 1.14+. (#​2367)
• Add new data source and resource vault_pki_secret_backend_config_cmpv2. Requires Vault 1.18+. Available only for Vault Enterprise (#​2330)

IMPROVEMENTS:

• Support the event subscribe policy capability for vault_policy_document data source (#​2293)

v4.5.0

Compare Source

FEATURES:

• Update vault_database_secret_backend_connection to support inline TLS config for PostgreSQL (#​2339)
• Update vault_database_secret_backend_connection to support skip_verification config for Cassandra (#​2346)
• Update vault_approle_auth_backend_role_secret_id to support num_uses and ttl fields (#​2345)
• Add support for allow_empty_principals field for the vault_ssh_secret_backend_role resource (#​2354)
• Update vault_gcp_secret_impersonated_account to support setting ttl (#​2318)
• Add support for connection_timeout field for the vault_ldap_auth_backend resource (#​2358)
• Add support for Rootless Configuration for Static Roles to Postgres DB (#​2341)
• Add support for use_annotations_as_alias_metadata field for the vault_kubernetes_auth_backend_config resource (#​2226)

BUGS:

• Remove consul secret backend role from state if not found on vault: (#​2321)

v4.4.0

Compare Source

FEATURES:

• Update vault_aws_secret_backend_role to support setting session_tags and external_id (#​2290)

BUGS:

• fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#​2308)
• fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#​2289)

v4.3.0

Compare Source

FEATURES:

• Add support for iam_tags in vault_aws_secret_backend_role (#​2231).
• Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+.: (#​2133).
• Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2249).
• Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2250)
• Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#​2243).
• Add support for new WIF fields in vault_gcp_auth_backend (#​2256)
• Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#​2254).
• Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#​2246)
• Support missing token parameters on vault_okta_auth_backend resource: (#​2210)
• Add support for max_retries in vault_aws_auth_backend_client: (#​2270)
• Add new resources vault_plugin and vault_plugin_pinned_version: (#​2159)
• Add key_type and key_bits to vault_ssh_secret_backend_ca: (#​1454)

IMPROVEMENTS:

• return a useful error when delete fails for the vault_jwt_auth_backend_role resource: (#​2232)
  BUGS:
• Remove dependency on github.com/hashicorp/vault package: (#​2251)
• Add missing custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#​2247)
• Fix handling of 0 value within field max_path_length in vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate resources (#​2253)

v4.2.0

Compare Source

FEATURES:

• Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#​2202)
• Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#​2180).
• Add new data source vault_namespace. Requires Vault Enterprise: (#​2208).
• Add new data source vault_namespaces. Requires Vault Enterprise: (#​2212).

IMPROVEMENTS:

• Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#​2202)

BUGS:

• fix vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#​2204)
• fix vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#​2207)
• fix vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#​2207)

v4.1.0

Compare Source

CHANGES TO VAULT POLICY REQUIREMENTS:

• Important: This release requires read policies to be set at the path level for mount metadata.
  The v4.0.0 release required read permissions at sys/auth/:path which was a
  sudo endpoint. The v4.1.0 release changed that to instead require permissions
  at the sys/mounts/auth/:path level and sudo is no longer required. Please
  refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#​2154).

IMPROVEMENTS:

• do not require sudo permissions for auth read operations (#​2198)

BUGS:

• fix vault_azure_access_credentials to default to Azure Public Cloud (#​2190)

v4.0.0

Compare Source

Important: This release requires read policies to be set at the path level for mount metadata.
For example, instead of permissions at sys/auth you must set permissions at
the sys/auth/:path level. Please refer to the details in the
Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#​1949).
• Add support to enable_templating in vault_pki_secret_backend_config_urls (#​2147).
• Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#​2128).
• Improve logging to track full API exchanges between the provider and Vault (#​2139)
• Add new vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#​2159)

IMPROVEMENTS:

• Improve performance of READ operations across many resources: (#​2145), (#​2152)
• Add the metadata version in returned values for vault_kv_secret_v2 data source: (#​2095)
• Add new secret sync destination fields: (#​2150)

BUGS:

• Handle graceful destruction of resources when approle is deleted out-of-band (#​2142).
• Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role (#​2156).
• Ensure proper use of issuer endpoints for root sign intermediate resource: (#​2160)
• Fix issuer data overwrites on updates: (#​2186)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.