Releases: hashicorp/terraform-provider-vault

v5.5.0

20 Nov 18:53
148e86b

5.5.0 (Nov 20, 2025)

BEHAVIOR CHANGES: With v5.5.0, the default value for deny_null_bind in the vault_ldap_auth_backend resource has changed from false to true
to match the Vault API default. Configurations that do not explicitly set deny_null_bind will now have it set to true upon upgrade, and
customers should verify that this change aligns with their intended LDAP authentication behavior. Customers should also consider
upgrading to Vault Community Edition 1.21.1 and Vault Enterprise 1.21.1, 1.20.6, 1.19.12, and 1.16.28, which no longer allow Vault to perform
unauthenticated or null binds against the LDAP server.
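
An added example (not part of the release notes or the provider's code): a pre-upgrade check that reads `terraform show -json` plan output and reports which vault_ldap_auth_backend resources will have deny_null_bind flip from false to true. It assumes the default change surfaces in the plan as a before/after difference; the sample plan, resource addresses and status labels are constructed.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to
# the fields read below. Addresses and values are illustrative only.
def _rc(address, rtype, actions, before, after):
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before, "after": after}}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("vault_ldap_auth_backend.corp", "vault_ldap_auth_backend", ["update"],
        {"path": "ldap", "deny_null_bind": False},
        {"path": "ldap", "deny_null_bind": True}),
    _rc("vault_ldap_auth_backend.lab", "vault_ldap_auth_backend", ["no-op"],
        {"path": "ldap-lab", "deny_null_bind": True},
        {"path": "ldap-lab", "deny_null_bind": True}),
    _rc("vault_ldap_auth_backend.legacy", "vault_ldap_auth_backend", ["no-op"],
        {"path": "ldap-old", "deny_null_bind": False},
        {"path": "ldap-old", "deny_null_bind": False}),
    _rc("vault_ldap_auth_backend.new", "vault_ldap_auth_backend", ["create"],
        None, {"path": "ldap-new", "deny_null_bind": True}),
    _rc("vault_okta_auth_backend.sso", "vault_okta_auth_backend", ["no-op"],
        {"path": "okta"}, {"path": "okta"}),
]})


def audit_deny_null_bind(plan_json):
    """Return (address, status) for every vault_ldap_auth_backend in a plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "vault_ldap_auth_backend":
            continue
        change = rc.get("change") or {}
        # "before" is null on create, "after" is null on destroy.
        before = (change.get("before") or {}).get("deny_null_bind")
        after = (change.get("after") or {}).get("deny_null_bind")
        if change.get("after") is None:
            status = "destroyed"
        elif before is False and after is True:
            status = "flips-to-true"      # the default change described above
        elif after is False:
            status = "null-bind-allowed"  # explicitly kept false; review intent
        else:
            status = "ok"
        findings.append((rc["address"], status))
    return findings


if __name__ == "__main__":
    for address, status in audit_deny_null_bind(SAMPLE_PLAN):
        print(f"{status:18} {address}")
```

Resources reported as flips-to-true are the ones to check against the LDAP server's bind requirements before applying; null-bind-allowed marks configurations that pin the value to false.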

BUGS:

  • vault_ldap_auth_backend: Fix incorrect deny_null_bind default. Set deny_null_bind to true if not provided in configuration (#2622)

FEATURES:

  • Add support for alias_metadata field in auth resources (#2547)
  • Add support for not_before_duration field in vault_pki_secret_backend_root_cert (#2664)

IMPROVEMENTS:

  • Updated dependencies:
    • golang.org/x/crypto v0.41.0 -> v0.45.0
    • golang.org/x/net v0.43.0 -> v0.47.0
    • golang.org/x/mod v0.26.0 -> v0.29.0
    • golang.org/x/sync v0.16.0 -> v0.18.0
    • golang.org/x/sys v0.35.0 -> v0.38.0
    • golang.org/x/text v0.28.0 -> v0.31.0
    • golang.org/x/tools v0.35.0 -> v0.38.0

v5.4.0

04 Nov 01:14
55d0009

5.4.0 (Nov 3, 2025)

BEHAVIOR CHANGES: Please refer to the upgrade topics
in the guide for details on all behavior changes.

FEATURES:

  • Add support for Azure Static Secrets (#2635)
  • Add support for write-only token argument in vault_terraform_cloud_secret_backend resource (#2603)
  • New parameters for vault_terraform_cloud_secret_role to support multi-team tokens, by @drewmullen (#2498)
  • Add support for tune in vault_saml_auth_backend resource (#2566)
  • Add support for tune in vault_ldap_auth_backend and vault_okta_auth_backend resources (#2602)
  • Add support for allowed_sts_header_values parameter in vault_aws_auth_backend_client resource to specify additional headers allowed in STS requests
  • New parameters for vault_gcp_secret_backend to support ttl and max_ttl, by @vijayavelsekar (#2627)
  • Add support for request_timeout, dereference_aliases, enable_samaccountname_login and anonymous_group_search parameters in vault_ldap_auth_backend resource. (#2634)
  • Add support for max_retries parameter in vault_aws_secret_backend resource. (#2623)
  • Add support for iam_alias, iam_metadata, gce_alias and gce_metadata fields in vault_gcp_auth_backend resource (#2636)
  • Add support for role_id field in vault_gcp_auth_backend_role resource (#2636)
  • Add retry configuration fields (max_retries, retry_delay, max_retry_delay) to vault_azure_auth_backend_config resource for Azure API request resilience (#2629)
  • Add new resources vault_spiffe_auth_backend_config and vault_spiffe_auth_backend_role (#2620)
  • Add support for mfa_serial_number parameter in vault_aws_secret_backend_role resource. (#2637)
  • Add support for persist_appparameters in vault_azure_secret_backend_role resource. (#2642)

BUGS:

  • Fix pki config resources to allow unsetting of fields (to empty fields) (#2558)
  • Fix tune auth mounts to allow unsetting of fields (setting fields to empty values) (#2605)
  • Fix vault_pki_secret_backend_crl_config resource to allow disabling flags previously set to true (#2615)
  • Fix the tune block issue where it always updates unless field values match Vault server defaults
    • vault_jwt_auth_backend resource (#2560)
    • vault_github_auth_backend and vault_auth_backend resources (#2565)
    • vault_saml_auth_backend resource (#2566)
    • vault_gcp_auth_backend and vault_oci_auth_backend resources (#2596)

v5.3.0

08 Sep 21:02
b9a1cd2

5.3.0 (Sep 4, 2025)

FEATURES:

  • Add support for password phrases via the credential_type field in the vault_ldap_secret_backend resource (#2548)

IMPROVEMENTS:

  • build(deps): bump the gomod-backward-compatible group with 5 updates: GH-2583
  • Move to the standard CRT release workflow and tooling: GH-2582

BUGS:

  • Fix azure_secret_backend_role to prevent persistent diff for null value on max_ttl and explicit_max_ttl argument (#2581)

v5.2.1

19 Aug 17:30
59f3185

5.2.1 (Aug 19, 2025)

BUGS:

  • Fix a failure to initialize the provider due to incompatible dependencies (#2575)
  • Fix auth_login_gcp field constraint on field credentials service_account
  • Fix auth_login_azure field constraint on field vmss_name tenant_id client_id scope
  • Fix auth_login_kerberos field constraint on fields username service realm krb5conf_path keytab_path disable_fast_negotiation remove_instance_name
  • Fix auth_login_userpass field constraint on field password_file
  • Fix auth_login field constraint on field use_root_namespace
  • Fix to allow Snowflake keypair auth with Vault 1.16+ (#2575)

v5.2.0

18 Aug 21:08
208a6b6

5.2.0 (Aug 18, 2025)

FEATURES:

  • Add support for jwks_pairs in vault_jwt_auth_backend resource. Requires Vault 1.16+ (#2523)
  • Add support for root_password_ttl in vault_azure_secret_backend resource. Requires Vault 1.15+ (#2529)
  • Add support for managed key parameters in the SSH CA config endpoint (#2480)
  • Add new resources vault_oci_auth_backend and vault_oci_auth_backend_role to manage OCI auth backend and roles. (#1761)
  • Add support for log_level in vault_pki_secret_backend_config_scep resource. Requires Vault 1.20.1+ (#2525)

IMPROVEMENTS:

  • Bump Go version to 1.24.6 (#2550)
  • Ensure all resources that use custom mounts support all mount parameters. (#2332)
  • Updated dependencies:
    • golang.org/x/oauth2 v0.24.0 -> v0.30.0
    • github.com/cloudflare/circl v1.3.7 -> v1.6.1
    • github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
    • github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.2
    • github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
    • cloud.google.com/go/iam v1.2.2 -> v1.5.2
    • cloud.google.com/go/compute/metadata v0.6.0 -> v0.8.0
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.18.2
    • github.com/aws/aws-sdk-go v1.55.6 -> v1.55.8
    • github.com/go-sql-driver/mysql v1.8.1 -> v1.9.3
    • github.com/hashicorp/consul/api v1.27.0 -> v1.32.1
    • github.com/hashicorp/terraform-plugin-framework v1.14.1 -> 1.15.1
    • github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 -> v0.18.0
    • hashicorp/ghaction-terraform-provider-release v4.0.1 -> v5.0.0

BUGS:

  • Fix panic when reading the vault_gcp_secret_backend resource. (#2549)
  • Fix regression where VAULT_NAMESPACE was not being honored, causing child namespaces to be created in the root namespace instead (#2540)

v5.1.0

09 Jul 18:15
dc098d3

5.1.0 (Jul 9, 2025)

FEATURES:

  • Add support for key_usage to vault_pki_secret_backend_root_sign_intermediate (#2421)

  • Add private_key_wo and private_key_wo_version fields to Snowflake DB secrets engine config (#2508)

  • Add support for group_by and secondary_rate on resource vault_quota_rate_limit. Requires Vault Enterprise 1.20.0+ (#2476)

  • Add support for Transit CMAC endpoint (#2488)

  • Add new resource vault_scep_auth_backend_role to manage roles in a SCEP auth backend. #2479.

  • Add new datasource and resource vault_pki_secret_backend_config_scep for PKI SCEP configuration. #2487.

v5.0.0

21 May 19:58
da4af80

5.0.0 (May 21, 2025)

Important: 5.X multiplexes the Vault provider to use the Terraform Plugin Framework,
upgrades to Terraform 1.11.x, and adds support for Ephemeral Resources and Write-Only attributes.
Please refer to the
Terraform Vault Provider 5.0.0 Upgrade Guide for specific
details around the changes.

VERSION COMPATIBILITY:
5.X is officially supported and tested against Vault server versions >= 1.15.x.
5.X supports Terraform versions >= 1.11.x in order to support ephemeral resources and write-only attributes.

BREAKING CHANGES:
Please refer to the upgrade topics
in the guide for details on all breaking changes.

FEATURES:

  • Add new ephemeral resources/attributes (#2457):
    • Add new ephemeral resource vault_kv_secret_v2
    • Add new ephemeral resource vault_database_secret
    • Add new write-only attribute data_json_wo (along with data_json_wo_version) to resource vault_kv_secret_v2
    • Add new write-only attribute credentials_wo (along with credentials_wo_version) to resource vault_gcp_secret_backend
    • Add new write-only attribute password_wo (along with password_wo_version) to resource vault_database_secret_backend_connection

BUGS:

  • Fix vault_policy_document data source regression to allow empty capabilities (#2466)

v4.8.0

23 Apr 20:07
90f4969

4.8.0 (Apr 23, 2025)

FEATURES:

  • Add support for recursive search in data_vault_namespaces #2408
  • Add support for subscribe_event_types in data_source_policy_document #2445
  • Add support for explicit_max_ttl in vault_azure_secret_backend_role resources. Requires Vault 1.18+ (#2438).

BUGS:

  • Fix credential validation failures in vault_azure_access_credentials data source caused by Azure RBAC propagation delays using azure_groups #2437

v4.7.0

12 Mar 19:57
356b12e

4.7.0 (Mar 12, 2025)

FEATURES:

  • Update vault_pki_secret_backend_root_cert and vault_pki_secret_backend_root_sign_intermediate to support the new fields for the name constraints extension. Requires Vault 1.19+ (#2396).
  • Update vault_pki_secret_backend_issuer resource with the new issuer configuration fields to control certificate verification. Requires Vault Enterprise 1.19+ (#2400).
  • Add support for certificate revocation with revoke_with_key in vault_pki_secret_backend_cert (#2242)
  • Add support for signature_bits field to vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate and vault_pki_secret_backend_intermediate_cert_request (#2401)
  • Add support for key_usage and serial_number to vault_pki_secret_backend_intermediate_cert_request (#2404)
  • Add support for skip_import_rotation in vault_database_secret_backend_static_role. Requires Vault Enterprise 1.18.5+ (#2386).
  • Add support for not_after in vault_pki_secret_backend_cert, vault_pki_secret_backend_role, vault_pki_secret_backend_root_cert, vault_pki_secret_backend_root_sign_intermediate, and vault_pki_secret_backend_sign (#2385).
  • Update vault_pki_secret_backend_config_acme to support the max_ttl field. #2411
  • Add new data source vault_ssh_secret_backend_sign. (#2409)
  • Add support for disabled_validations in vault_pki_secret_backend_config_cmpv2 #2412
  • Add credential_type and credential_config to database_secret_backend_static_role to support features like rsa keys for Snowflake DB engines with static roles #2384
  • Add support for missing parameters to vault_pki_secret_backend_root_sign_intermediate: not_before_duration, skid and use_pss #2417
  • Add support for use_pss, no_store_metadata, and serial_number_source to vault_pki_secret_backend_role #2420
  • Add support for Transit sign and verify endpoints (#2418)
  • Add new data source vault_pki_secret_backend_cert_metadata and support for cert_metadata in vault_pki_secret_backend_cert and vault_pki_secret_backend_sign #2422
  • Add support for max_crl_entries in vault_pki_secret_backend_crl_config #2423
  • Add support for new Automated Root Rotation parameters in several plugins. Requires Vault Enterprise 1.19.0+.
  • Add new resource vault_pki_secret_backend_config_auto_tidy to set PKI automatic tidy configuration #1934
  • Add support for cross-account management of static roles in AWS Secrets (#2413)

BUGS:

  • Do not panic on Vault PKI roles without the cn_validations field (#2398)

IMPROVEMENTS:

  • Update pki_secret_backend_crl_config to be more resilient to unknown response fields (#2429)

v4.6.0

15 Jan 20:55
afb9eca

4.6.0 (Jan 15, 2025)

FEATURES:

  • Update vault_database_secret_backend_connection to support password_authentication for PostgreSQL, allowing the password to be encrypted before it is passed to PostgreSQL (#2371)
  • Add support for external_id field for the vault_aws_auth_backend_sts_role resource (#2370)
  • Add support for ACME configuration with the vault_pki_secret_backend_config_acme resource. Requires Vault 1.14+ (#2157).
  • Update vault_pki_secret_backend_role to support the cn_validations role field (#1820).
  • Add new resource vault_pki_secret_backend_acme_eab to manage PKI ACME external account binding tokens. Requires Vault 1.14+. (#2367)
  • Add new data source and resource vault_pki_secret_backend_config_cmpv2. Requires Vault 1.18+. Available only for Vault Enterprise (#2330)

IMPROVEMENTS:

  • Support the event subscribe policy capability for vault_policy_document data source (#2293)