Version 3.0.0 of the Vault provider for Terraform is a major release and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on the changes necessary to upgrade from version 2.24.0 to 3.0.0.
Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform plan/apply output throughout previous provider releases, up to and including 2.24.0. These changes, such as deprecation notices, can always be found in the CHANGELOG.
We introduced version 3.0.0 of the Vault provider in order to upgrade to the Terraform Plugin SDKv2. The change was deemed significant enough to warrant the major version bump. In addition to the aforementioned SDK upgrade, all previously deprecated fields and resources have been removed.
While you may see some small changes in your configurations as a result of these changes, we don't expect you'll need to make any major refactorings.
Terraform versions 0.12.x and greater are fully supported. Support for 0.11.x has been removed. If you are still on one of the 0.11.x versions we recommend upgrading to the latest stable release of Terraform. Please see the Terraform Upgrade Guide for more info about upgrading Terraform.
2.X?
If you've inadvertently upgraded to 3.0.0, first see the Provider Version Configuration Guide to lock your provider version; if you've constrained the provider to a lower version such as shown in the previous version example in that guide, Terraform will pull in a 2.X series release on terraform init.
If you've only run terraform init or terraform plan, your state will not have been modified and downgrading your provider is sufficient.
If you've run terraform refresh or terraform apply, Terraform may have made state changes in the meantime.
terraform refresh with a downgraded provider is likely sufficient to revert your state.
terraform apply, you'll need to either terraform import them or delete them by hand.
vault_auth_backend
vault_aws_auth_backend_role
vault_azure_auth_backend_role
vault_cert_auth_backend_role
vault_consul_secret_backend_role
vault_gcp_auth_backend_role
vault_generic_secret
vault_github_auth_backend
vault_jwt_auth_backend_role
vault_kubernetes_auth_backend_role
vault_pki_secret_backend
vault_token
vault_token_auth_backend_role
It is recommended to use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init to download the new version.
If you aren't using version constraints, you can use terraform init -upgrade in order to upgrade your provider to the latest released version.
For example, given this previous configuration:
provider "vault" {
  # ... other configuration ...
  version = "~> 2.24.0"
}
An updated configuration:
provider "vault" {
  # ... other configuration ...
  version = "~> 3.0.0"
}
vault_kubernetes_auth_backend_role
The following deprecated fields have been removed:
bound_cidrs - use token_bound_cidrs instead.
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
policies - use token_policies instead.
period - use token_period instead.
num_uses - use token_num_uses instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_approle_auth_backend_role
The following deprecated fields have been removed:
bound_cidr_list - use secret_id_bound_cidrs instead.
policies - use token_policies instead.
period - use token_period instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_auth_backend
The following deprecated fields have been removed:
default_lease_ttl_seconds - use tune.default_lease_ttl instead.
max_lease_ttl_seconds - use tune.max_lease_ttl instead.
listing_visibility - use tune.listing_visibility instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_aws_auth_backend_role
The following deprecated fields have been removed:
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
policies - use token_policies instead.
period - use token_period instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_azure_auth_backend_role
The following deprecated fields have been removed:
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
policies - use token_policies instead.
period - use token_period instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_cert_auth_backend_role
The following deprecated fields have been removed:
bound_cidrs - use token_bound_cidrs instead.
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
policies - use token_policies instead.
period - use token_period instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_consul_secret_backend_role
The following deprecated fields have been removed:
path - use backend instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_gcp_auth_backend_role
The following deprecated fields have been removed:
project_id - use bound_projects instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_generic_secret
The following deprecated fields have been removed:
allow_read - use disable_read instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_github_auth_backend
The following deprecated fields have been removed:
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_jwt_auth_backend_role
The following deprecated fields have been removed:
groups_claim_delimiter_pattern - no alternate exists.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_kubernetes_auth_backend_role
The following deprecated fields have been removed:
num_uses - use token_num_uses instead.
ttl - use token_ttl instead.
max_ttl - use token_max_ttl instead.
policies - use token_policies instead.
period - use token_period instead.
bound_cidrs - use token_bound_cidrs instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_pki_secret_backend
A replacement might look like:
resource "vault_mount" "pki-example" {
  path                      = "pki-example"
  type                      = "pki"
  description               = "This is an example PKI mount"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
}
_Attempting to provision a vault_pki_secret_backend resource will raise an error._
vault_token
The following fields have been removed as they are no longer supported by the Terraform Plugin SDK. Please see Sensitive State Best Practices for more info.
encrypted_client_token - removed.
pgp_key - removed.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
vault_token_auth_backend_role
The following deprecated fields have been removed:
explicit_max_ttl - use token_explicit_max_ttl instead.
period - use token_period instead.
bound_cidrs - use token_bound_cidrs instead.
_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._
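A pre-upgrade check for the removals listed in this guide, as an added example that is not part of the provider or of the original guide: it scans configuration text for removed arguments at the top level of each affected resource block and for the removed vault_pki_secret_backend resource. The names scan and SAMPLE, the sample fragment, and the line-based brace counting (a heuristic, not an HCL parser; interpolated references are not checked) are assumptions of this example.

```python
import re

# Removed argument -> replacement (None = no alternate), copied from this guide.
TOKEN = {"ttl": "token_ttl", "max_ttl": "token_max_ttl",
         "policies": "token_policies", "period": "token_period"}
CIDRS = {"bound_cidrs": "token_bound_cidrs"}
REMOVED = {
    "vault_approle_auth_backend_role": {"bound_cidr_list": "secret_id_bound_cidrs",
        "policies": "token_policies", "period": "token_period"},
    "vault_auth_backend": {"default_lease_ttl_seconds": "tune.default_lease_ttl",
        "max_lease_ttl_seconds": "tune.max_lease_ttl",
        "listing_visibility": "tune.listing_visibility"},
    "vault_aws_auth_backend_role": TOKEN, "vault_azure_auth_backend_role": TOKEN,
    "vault_cert_auth_backend_role": {**TOKEN, **CIDRS},
    "vault_consul_secret_backend_role": {"path": "backend"},
    "vault_gcp_auth_backend_role": {"project_id": "bound_projects"},
    "vault_generic_secret": {"allow_read": "disable_read"},
    "vault_github_auth_backend": {"ttl": "token_ttl", "max_ttl": "token_max_ttl"},
    "vault_jwt_auth_backend_role": {"groups_claim_delimiter_pattern": None},
    "vault_kubernetes_auth_backend_role": {**TOKEN, **CIDRS, "num_uses": "token_num_uses"},
    "vault_token": {"encrypted_client_token": None, "pgp_key": None},
    "vault_token_auth_backend_role": {"explicit_max_ttl": "token_explicit_max_ttl",
        "period": "token_period", "bound_cidrs": "token_bound_cidrs"},
}
RES = re.compile(r'^\s*resource\s+"(\w+)"\s+"([\w-]+)"\s*\{')
ARG = re.compile(r'^\s*(\w+)\s*=')

def scan(hcl):  # -> [(line_no, address, removed_name, replacement), ...]
    hits, rtype, addr, depth = [], None, None, 0
    # Whole-line comments are blanked first so their braces are not counted.
    for n, line in enumerate(re.sub(r'(?m)^[ \t]*(#|//).*$', '', hcl).splitlines(), 1):
        m, a = RES.match(line), ARG.match(line)
        if depth == 0:  # top level: note which resource block (if any) opens here
            rtype, addr = (m.group(1), ".".join(m.groups())) if m else (None, None)
            if rtype == "vault_pki_secret_backend":  # the resource itself is gone
                hits.append((n, addr, rtype, "vault_mount"))
        elif depth == 1 and a and a.group(1) in REMOVED.get(rtype, {}):
            hits.append((n, addr, a.group(1), REMOVED[rtype][a.group(1)]))
        depth += line.count("{") - line.count("}")
    return hits

# Constructed fragment for illustration (required arguments omitted).
SAMPLE = '''resource "vault_kubernetes_auth_backend_role" "app" {
  ttl = 3600
}
resource "vault_auth_backend" "gh" {
  tune {
    listing_visibility = "unauth"
  }
}
resource "vault_pki_secret_backend" "pki" { path = "pki" }'''
```

Only arguments directly inside the resource block are reported, so an already migrated tune block containing listing_visibility is not flagged.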