Update Terraform vault to v4

[renovate[bot]]

This PR contains the following updates:

Package	Type	Update	Change
vault (source)	required_provider	major	3.25.0 -> 4.4.0

---

Release Notes

hashicorp/terraform-provider-vault (vault)

v4.4.0

Compare Source

FEATURES:

• Update vault_aws_secret_backend_role to support setting session_tags and external_id (#​2290)

BUGS:

• fix vault_ssh_secret_backend_ca where a schema change forced the resource to be replaced (#​2308)
• fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully (#​2289)

v4.3.0

Compare Source

FEATURES:

• Add support for iam_tags in vault_aws_secret_backend_role (#​2231).
• Add support for inheritable on vault_quota_rate_limit and vault_quota_lease_count. Requires Vault 1.15+.: (#​2133).
• Add support for new WIF fields in vault_gcp_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2249).
• Add support for new WIF fields in vault_azure_secret_backend. Requires Vault 1.17+. Available only for Vault Enterprise (#​2250)
• Add support for new WIF fields in vault_aws_auth_backend_client. Requires Vault 1.17+. Available only for Vault Enterprise (#​2243).
• Add support for new WIF fields in vault_gcp_auth_backend (#​2256)
• Add support for new WIF fields in vault_azure_auth_backend_config. Requires Vault 1.17+. Available only for Vault Enterprise (#​2254).
• Add new data source and resource vault_pki_secret_backend_config_est. Requires Vault 1.16+. Available only for Vault Enterprise (#​2246)
• Support missing token parameters on vault_okta_auth_backend resource: (#​2210)
• Add support for max_retries in vault_aws_auth_backend_client: (#​2270)
• Add new resources vault_plugin and vault_plugin_pinned_version: (#​2159)
• Add key_type and key_bits to vault_ssh_secret_backend_ca: (#​1454)

IMPROVEMENTS:

• return a useful error when delete fails for the vault_jwt_auth_backend_role resource: (#​2232)
• Remove dependency on github.com/hashicorp/vault package: (#​2251)
• Add missing custom_tags and secret_name_template fields to vault_secrets_sync_azure_destination resource (#​2247)

v4.2.0

Compare Source

FEATURES:

• Add granularity to Secrets Sync destination resources. Requires Vault 1.16+ Enterprise. (#​2202)
• Add support for allowed_kubernetes_namespace_selector in vault_kubernetes_secret_backend_role (#​2180).
• Add new data source vault_namespace. Requires Vault Enterprise: (#​2208).
• Add new data source vault_namespaces. Requires Vault Enterprise: (#​2212).

IMPROVEMENTS:

• Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. (#​2202)

BUGS:

• fix vault_approle_auth_backend_role_secret_id regression to handle 404 errors (#​2204)
• fix vault_kv_secret and vault_kv_secret_v2 failure to update secret data modified outside terraform (#​2207)
• fix vault_kv_secret_v2 failing on imported resource when data_json should be ignored (#​2207)

v4.1.0

Compare Source

CHANGES TO VAULT POLICY REQUIREMENTS:

• Important: This release requires read policies to be set at the path level for mount metadata. The v4.0.0 release required read permissions at sys/auth/:path which was a sudo endpoint. The v4.1.0 release changed that to instead require permissions at the sys/mounts/auth/:path level and sudo is no longer required. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add new resource vault_config_ui_custom_message. Requires Vault 1.16+ Enterprise: (#​2154).

IMPROVEMENTS:

• do not require sudo permissions for auth read operations (#​2198)

BUGS:

• fix vault_azure_access_credentials to default to Azure Public Cloud (#​2190)

v4.0.0

Compare Source

Important: This release requires read policies to be set at the path level for mount metadata. For example, instead of permissions at sys/auth you must set permissions at the sys/auth/:path level. Please refer to the details in the Terraform Vault Provider 4.0.0 Upgrade Guide.

FEATURES:

• Add support for PKI Secrets Engine cluster configuration with the vault_pki_secret_backend_config_cluster resource. Requires Vault 1.13+ (#​1949).
• Add support to enable_templating in vault_pki_secret_backend_config_urls (#​2147).
• Add support for skip_import_rotation and skip_static_role_import_rotation in ldap_secret_backend_static_role and ldap_secret_backend respectively. Requires Vault 1.16+ (#​2128).
• Improve logging to track full API exchanges between the provider and Vault (#​2139)
• Add new vault_plugin and vault_plugin_pinned_version resources for managing external plugins (#​2159)

IMPROVEMENTS:

• Improve performance of READ operations across many resources: (#​2145), (#​2152)
• Add the metadata version in returned values for vault_kv_secret_v2 data source: (#​2095)
• Add new secret sync destination fields: (#​2150)

BUGS:

• Handle graceful destruction of resources when approle is deleted out-of-band (#​2142).
• Ensure errors are returned on read operations for vault_ldap_secret_backend_static_role, vault_ldap_secret_backend_library_set, and vault_ldap_secret_backend_static_role (#​2156).
• Ensure proper use of issuer endpoints for root sign intermediate resource: (#​2160)
• Fix issuer data overwrites on updates: (#​2186)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.