chore(deps): update terraform vault to v5#12

Open
kubeagon wants to merge 1 commit into test from renovate/vault-5.x

Conversation

@kubeagon
Member

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| vault (source) | required_provider | major | `~> 4.0` -> `~> 5.0` |

Release Notes

hashicorp/terraform-provider-vault (vault)

v5.7.0

Compare Source

FEATURES:

  • New Ephemeral Resource: vault_approle_auth_backend_role_secret_id - Generate AppRole SecretIDs on-demand with automatic cleanup. Requires Terraform 1.10+. (#2745)
  • New Ephemeral Resource: Add Kubernetes service account token ephemeral resource vault_kubernetes_service_account_token (#2712)

IMPROVEMENTS:

  • vault_kmip_secret_role: Add support for additional KMIP operation fields (operation_import, operation_query, operation_encrypt, operation_decrypt, operation_create_key_pair, operation_delete_attribute, operation_rng_retrieve, operation_mac, operation_signature_verify, operation_sign, operation_rng_seed, operation_modify_attribute, operation_mac_verify, operation_rekey_key_pair) to grant granular permissions for KMIP operations. (#​2744)

  • vault_saml_auth_backend: Add support for validate_assertion_signature and validate_response_signature parameters to control SAML signature validation (Vault 1.19+)

  • vault_approle_auth_backend_login: Add write-only fields secret_id_wo and secret_id_wo_version to support ephemeral SecretID values without persisting them in state. (#2745)

  • vault_password_policy: Add entropy_source field to specify an override to the default source of entropy (randomness) used to generate the passwords. (#2753)

  • vault_mfa_totp: Add support for max_validation_attempts field to configure the maximum number of consecutive failed validation attempts allowed. (#​2751)

  • vault_mongodbatlas_secret_backend: Add support for write-only private key fields (private_key_wo, private_key_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#​2741)

  • vault_consul_secret_backend: Add support for write-only fields (token_wo, token_wo_version, client_key_wo, client_key_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#​2730)

  • vault_azure_auth_backend_config: Add support for write-only client secret fields (client_secret_wo, client_secret_wo_version) to prevent sensitive credentials from being stored in Terraform state. (#​2726)

  • vault_azure_secret_backend: Add support for write-only client_secret_wo and client_secret_wo_version fields to configure the client secret without storing it in state. Requires Terraform 1.11+. (#​2721)

  • vault_aws_secret_backend: Add write-only secret_key_wo and secret_key_wo_version fields to allow configuring the AWS secret key without storing it in Terraform state (#​2713)

  • vault_gcp_auth_backend: Add write-only credential support via credentials_wo and credentials_wo_version fields (#​2724)

  • vault_ldap_auth_backend: Add write-only field support for bindpass via bindpass_wo and bindpass_wo_version attributes (#​2716)

  • vault_ldap_secret_backend: Add write-only field support for bindpass via bindpass_wo and bindpass_wo_version attributes (#​2719)

  • vault_aws_auth_backend_client: Add write-only field support for secret_key (secret_key_wo and secret_key_wo_version) to prevent sensitive AWS credentials from being stored in Terraform state. (#​2717)

  • vault_jwt_auth_backend: Add support for write-only oidc_client_secret_wo and oidc_client_secret_wo_version fields to prevent storing sensitive OIDC client secrets in Terraform state. (#​2714)

  • vault_cert_auth_backend_role: Add support for ocsp_max_retries and ocsp_this_update_max_age fields for OCSP configuration. Requires Vault 1.16+. (#​2749)

  • vault_kubernetes_auth_backend_config: Add support for write-only token_reviewer_jwt_wo field with token_reviewer_jwt_wo_version to prevent sensitive JWT token from being stored in Terraform state (#​2715)

  • vault_kubernetes_secret_backend: Add write-only fields service_account_jwt_wo and service_account_jwt_wo_version for managing service account JWT credentials without storing them in state. (#2720)

  • vault_nomad_secret_backend: Add support for write-only fields token_wo and client_key_wo with version counters to prevent sensitive credentials from being stored in Terraform state. (#​2729)

  • Add support for fields context, managed_key_name, managed_key_id in vault_transit_secret_backend_key resource. (#2743)

  • vault_rabbitmq_secret_backend: Add support for write-only password_wo and password_wo_version fields to configure the password without storing it in state. Requires Terraform 1.11+. (#​2733)

  • vault_approle_auth_backend_role_secret_id: Add support for token_bound_cidrs parameter to specify blocks of IP addresses which can use the auth tokens generated by a SecretID. (#​2718)

  • vault_secrets_sync_gcp_destination: Add support for replication field (replication_locations; Vault 1.18+), networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking; Vault 1.19+), and encryption fields (global_kms_key, locational_kms_keys; Vault 1.19+) in vault_secrets_sync_gcp_destination resource. (#​2699)

  • Add support for networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking) in vault_secrets_sync_azure_destination resource. Requires Vault 1.19+. (#​2702)

  • vault_database_secret_backend_connection: Add support for MongoDB write_concern parameter and TLS parameters (tls_ca, tls_certificate_key) (#​2678)

  • Add support for username_template parameter in vault_database_secret_backend_connection and vault_database_secrets_mount resources for MongoDB Atlas (#2674)

  • Add support for username_template parameter in vault_database_secret_backend_connection and vault_database_secrets_mount resources for HANADB connections (#2671)

  • Add support for networking allowlist fields (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking) in vault_secrets_sync_vercel_destination resource. Requires Vault 1.19+. (#​2681)

  • Add support for configuration parameters (allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, disable_strict_networking, secrets_location, environment_name) in vault_secrets_sync_gh_destination resource. Requires Vault 1.18+ for secrets_location and environment_name. Requires Vault 1.19+ for allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports and disable_strict_networking. (#2697)

  • Add support for tls_server_name, local_datacenter, socket_keep_alive, consistency and username_template parameters for Cassandra in vault_database_secret_backend_connection resource. (#2677)

  • vault_secrets_sync_aws_destination: Add support for networking configuration parameters allowed_ipv4_addresses, allowed_ipv6_addresses, allowed_ports, and disable_strict_networking to control outbound connections from Vault to AWS Secrets Manager. Requires Vault 1.19.0+. (#2698)

  • Updated dependencies:
    • github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 -> v2.1.1

  • Docs: fix heredoc example for LDAP dynamic role LDIFs ([#2728](https://github.com/hashicorp/terraform-provider-vault/pull/2728))

  • Docs: Update example to use write-only attribute ([#2731](https://github.com/hashicorp/terraform-provider-vault/pull/2731))

  • vault_database_secret_backend_connection: Add support for top-level plugin_version and password_policy fields to allow configuration at the resource level in addition to engine-specific blocks. (#​2748)

  • vault_database_secret_backend_connection: Add support for skip_static_role_import_rotation field to skip initial password rotation when creating static roles. This value is inherited by static roles that do not explicitly set skip_import_rotation. Requires Vault 1.19+ Enterprise. (#​2748)

  • vault_database_secret_backend_static_role: The skip_import_rotation field now correctly reads Vault's computed value into state. When not set in config, it inherits from the connection's skip_static_role_import_rotation setting. Requires Vault 1.19+ Enterprise. (#​2748)

  • vault_database_secret_mount: Added plugin_version, skip_static_role_import_rotation and password_policy fields to allow configuration at the resource level (#2748)

  • Add support for local_secret_ids which may only be set at role creation. On updates the provider will send the original creation value to Vault to avoid unintentionally attempting to modify this immutable setting. The provider now surfaces Vault's native immutability error when an update attempts to change local_secret_ids. (#2723)

BUGS:

  • provider/auth_login_aws: Fix issue where AWS authentication with IAM role assumption (aws_role_arn) was not working correctly due to incorrect credential handling (#​2679)
  • Fix plugin_name attribute not being correctly used in vault_database_secret_backend_connection. (#2705)

v5.6.0

Compare Source

FEATURES:

  • Add support for self managed workflow for rootless static roles in Oracle Secret Engine: (#​2661)
  • Add AWS access creds ephemeral resource: (#​2659)
  • Add AWS static access credentials ephemeral resource: (#2657)
  • Add GCP ephemeral resources for OAuth2 access token and service account key: (#​2655)
  • Add Azure access credentials ephemeral resource: (#​2654)

IMPROVEMENTS:

  • Added fields related to namespace used to create a role in kubernetes auth method: (#​2644)

BUGS:

  • Fix LDAP auth tune block read failure caused by extra /tune segment in the API request path (#​2676)

v5.5.0

Compare Source

BEHAVIOR CHANGES: With v5.5.0, the default value for deny_null_bind in the vault_ldap_auth_backend resource has changed from false to true to match the Vault API defaults. Configurations that do not explicitly set deny_null_bind will now have it set to true upon upgrade, and customers should verify that this change aligns with their intended LDAP authentication behavior. Furthermore, customers should also consider upgrading to Vault Community Edition 1.21.1 and Vault Enterprise 1.21.1, 1.20.6, 1.19.12, and 1.16.28, which no longer allow Vault to perform unauthenticated or null binds against the LDAP server.

SECURITY:

  • vault_ldap_auth_backend: Fix incorrect deny_null_bind default. Set deny_null_bind to true if not provided in configuration (#2622) (CVE-13357, HCSEC-2025-33)

FEATURES:

  • Add support for alias_metadata field in auth resources (#​2547)
  • Add support for not_before_duration field in vault_pki_secret_backend_root_cert (#​2664)

IMPROVEMENTS:

  • Updated dependencies:
    • golang.org/x/crypto v0.41.0 -> v0.45.0
    • golang.org/x/net v0.43.0 -> v0.47.0
    • golang.org/x/mod v0.26.0 -> v0.29.0
    • golang.org/x/sync v0.16.0 -> v0.18.0
    • golang.org/x/sys v0.35.0 -> v0.38.0
    • golang.org/x/text v0.28.0 -> v0.31.0
    • golang.org/x/tools v0.35.0 -> v0.38.0

v5.4.0

Compare Source

BEHAVIOR CHANGES: Please refer to the upgrade topics in the guide for details on all behavior changes.

FEATURES:

  • Add support for Azure Static Secrets: (#​2635)
  • Add support for write-only token argument in vault_terraform_cloud_secret_backend resource (#​2603)
  • New parameters for vault_terraform_cloud_secret_role to support multi-team tokens, by @​drewmullen (#​2498)
  • Add support for tune in vault_saml_auth_backend resource (#​2566)
  • Add support for tune in vault_ldap_auth_backend and vault_okta_auth_backend resources (#​2602)
  • Add support for allowed_sts_header_values parameter in vault_aws_auth_backend_client resource to specify additional headers allowed in STS requests
  • New parameters for vault_gcp_secret_backend to support ttl and max_ttl, by @​vijayavelsekar (#​2627)
  • Add support for request_timeout, dereference_aliases, enable_samaccountname_login and anonymous_group_search parameters in vault_ldap_auth_backend resource. (#2634)
  • Add support for max_retries parameter in vault_aws_secret_backend resource. (#​2623)
  • Add support for iam_alias, iam_metadata, gce_alias and gce_metadata fields in vault_gcp_auth_backend resource (#​2636)
  • Add support for role_id field in vault_gcp_auth_backend_role resource (#​2636)
  • Add retry configuration fields (max_retries, retry_delay, max_retry_delay) to vault_azure_auth_backend_config resource for Azure API request resilience (#​2629)
  • Add new resources vault_spiffe_auth_backend_config and vault_spiffe_auth_backend_role (#​2620)
  • Add support for mfa_serial_number parameter in vault_aws_secret_backend_role resource. (#​2637)
  • Add support for persist_appparameters in vault_azure_secret_backend_role resource. (#2642)

BUGS:

  • Fix pki config resources to allow unsetting of fields (to empty fields) (#​2558)
  • Fix tune auth mounts to allow unsetting of fields (setting fields to empty values) (#​2605)
  • Fix vault_pki_secret_backend_crl_config resource to allow disabling flags previously set to true (#​2615)
  • Fix the tune block issue where it always updates unless field values match Vault server defaults
    • vault_jwt_auth_backend resource (#​2560)
    • vault_github_auth_backend and vault_auth_backend resources (#​2565)
    • vault_saml_auth_backend resource (#​2566)
    • vault_gcp_auth_backend and vault_oci_auth_backend resources (#​2596)

v5.3.0

Compare Source

FEATURES:

  • Add support for password phrases via the credential_type field in the vault_ldap_secret_backend resource (#​2548)

IMPROVEMENTS:

  • build(deps): bump the gomod-backward-compatible group with 5 updates: GH-2583
  • Move to the standard CRT release workflow and tooling: GH-2582

BUGS:

  • Fix azure_secret_backend_role to prevent persistent diff for null value on max_ttl and explicit_max_ttl argument (#​2581)

v5.2.1

Compare Source

BUGS:

  • Fix a failure to initialize the provider due to incompatible dependencies (#​2575)
  • Fix auth_login_gcp field constraint on fields credentials, service_account
  • Fix auth_login_azure field constraint on fields vmss_name, tenant_id, client_id, scope
  • Fix auth_login_kerberos field constraint on fields username, service, realm, krb5conf_path, keytab_path, disable_fast_negotiation, remove_instance_name
  • Fix auth_login_userpass field constraint on field password_file
  • Fix auth_login field constraint on field use_root_namespace
  • Fix to allow Snowflake keypair auth with Vault 1.16+ (#​2575)

v5.2.0

Compare Source

FEATURES:

  • Add support for jwks_pairs in vault_jwt_auth_backend resource. Requires Vault 1.16+ (#​2523)
  • Add support for root_password_ttl in vault_azure_secret_backend resource. Requires Vault 1.15+ (#​2529)
  • Add support for managed key parameters in the SSH CA config endpoint (#​2480)
  • Add new resources vault_oci_auth_backend and vault_oci_auth_backend_role to manage OCI auth backend and roles. (#​1761)
  • Add support for log_level in vault_pki_secret_backend_config_scep resource. Requires Vault 1.20.1+ (#​2525)

IMPROVEMENTS:

  • Bump Go version to 1.24.6: (#​2550)
  • Ensure all resources that use custom mounts support all mount parameters. (#​2332)
  • Updated dependencies:
    • golang.org/x/oauth2 v0.24.0 -> v0.30.0
    • github.com/cloudflare/circl v1.3.7 -> v1.6.1
    • github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
    • github.com/go-jose/go-jose/v4 v4.0.4 -> v4.1.2
    • github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
    • cloud.google.com/go/iam v1.2.2 -> v1.5.2
    • cloud.google.com/go/compute/metadata v0.6.0 -> v0.8.0
    • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.18.2
    • github.com/aws/aws-sdk-go v1.55.6 -> v1.55.8
    • github.com/go-sql-driver/mysql v1.8.1 -> v1.9.3
    • github.com/hashicorp/consul/api v1.27.0 -> v1.32.1
    • github.com/hashicorp/terraform-plugin-framework v1.14.1 -> 1.15.1
    • github.com/hashicorp/terraform-plugin-framework-validators v0.17.0 -> v0.18.0
    • hashicorp/ghaction-terraform-provider-release v4.0.1 -> v5.0.0

BUGS:

  • Fix panic when reading the vault_gcp_secret_backend resource. (#​2549)
  • Fix regression where VAULT_NAMESPACE was not being honored, causing child namespaces to be created in the root namespace instead (#​2540)

v5.1.0

Compare Source

FEATURES:

  • Add support for key_usage to vault_pki_secret_backend_root_sign_intermediate (#​2421)

  • Add private_key_wo and private_key_wo_version fields to Snowflake DB secrets engine config (#​2508)

  • Add support for group_by and secondary_rate on resource vault_quota_rate_limit. Requires Vault Enterprise 1.20.0+ (#​2476)

  • Add support for Transit CMAC endpoint (#​2488)

  • Add new resource vault_scep_auth_backend_role to manage roles in a SCEP auth backend. #​2479.

  • Add new datasource and resource vault_pki_secret_backend_config_scep for PKI SCEP configuration. #​2487.

v5.0.0

Compare Source

Important: 5.X multiplexes the Vault provider to use the Terraform Plugin Framework, upgrades to Terraform 1.11.x, and adds support for Ephemeral Resources and Write-Only attributes. Please refer to the Terraform Vault Provider 5.0.0 Upgrade Guide for specific details around the changes.

VERSION COMPATIBILITY:
5.X is officially supported and tested against Vault server versions >= 1.15.x.
5.X supports Terraform versions >= 1.11.x in order to support ephemeral resources and write-only attributes.

BREAKING CHANGES:
Please refer to the upgrade topics in the guide for details on all breaking changes.

FEATURES:

  • Add new ephemeral resources/attributes (#​2457):
    • Add new ephemeral resource vault_kv_secret_v2
    • Add new ephemeral resource vault_database_secret
    • Add new write-only attribute data_json_wo (along with data_json_wo_version) to resource vault_kv_secret_v2
    • Add new write-only attribute credentials_wo, (along with credentials_wo_version) to resource vault_gcp_secret_backend
    • Add new write-only attribute password_wo, (along with password_wo_version to resource) vault_database_secret_backend_connection

BUGS:

  • fix vault_policy_document data source regression to allow empty capabilities (#​2466)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
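Added example (not from this PR, Renovate, or the provider's own documentation): a minimal configuration for the upgrade this PR performs, pinning the provider to 5.x, setting deny_null_bind explicitly so the v5.5.0 default change is not silently relied on, and using the v5.7.0 write-only bindpass attributes so the bind password never lands in state. The hostname and bind DN are placeholders, and supplying the secret through an ephemeral input variable is an assumption about how the value reaches Terraform.

```hcl
terraform {
  # Write-only attributes and ephemeral values need Terraform 1.11+ (v5.0.0 notes).
  required_version = ">= 1.11.0"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 5.0"
    }
  }
}

# Assumption: the bind password is passed in as an ephemeral, sensitive
# variable (e.g. from a CI secret), so it is never written to plan or state.
variable "ldap_bindpass" {
  type      = string
  sensitive = true
  ephemeral = true
}

# Bump this counter when the bind password is rotated. The counter is the only
# thing stored in state; changing it makes the provider re-send the secret.
variable "ldap_bindpass_version" {
  type    = number
  default = 1
}

resource "vault_ldap_auth_backend" "corp" {
  path   = "ldap"
  url    = "ldaps://ldap.example.internal:636"              # placeholder
  binddn = "cn=vault-bind,ou=service,dc=example,dc=internal" # placeholder

  # Before v5.5.0 the provider defaulted this to false, which let the LDAP
  # server accept an empty-password (null) bind. Stating it explicitly keeps
  # the intent visible in review and stable across provider upgrades.
  deny_null_bind = true

  # v5.7.0: write-only bind password. The value is sent to Vault on create and
  # whenever the version changes, but is never persisted in Terraform state.
  bindpass_wo         = var.ldap_bindpass
  bindpass_wo_version = var.ldap_bindpass_version
}
```

After apply, `terraform state show vault_ldap_auth_backend.corp` should list bindpass_wo_version but no bind password value; that is the check that the write-only path was used rather than the legacy bindpass argument.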
