Terraform Vault Provider 3.0.0 Upgrade Guide

Version 3.0.0 of the Vault provider for Terraform is a major release and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on the changes necessary to upgrade from version 2.24.0 to 3.0.0.

Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform plan/apply output throughout previous provider releases, up to and including 2.24.0. These changes, such as deprecation notices, can always be found in the CHANGELOG.

Why version 3.0.0?

We introduced version 3.0.0 of the Vault provider in order to upgrade to the Terraform Plugin SDKv2. The change was deemed significant enough to warrant the major version bump. In addition to the aforementioned SDK upgrade all previously deprecated fields, and resources have been removed.

While you may see some small changes in your configurations as a result of these changes, we don't expect you'll need to make any major refactorings.

Which Terraform versions are supported?

Terraform versions 0.12.x and greater are fully supported. Support for 0.11.x has been removed. If you are still on one of the 0.11.x versions we recommend upgrading to the latest stable release of Terraform.

Please see the Terraform Upgrade Guide for more info about upgrading Terraform.

I accidentally upgraded to 3.0.0, how do I downgrade to 2.X?

If you've inadvertently upgraded to 3.0.0, first see the Provider Version Configuration Guide to lock your provider version; if you've constrained the provider to a lower version such as shown in the previous version example in that guide, Terraform will pull in a 2.X series release on terraform init.

If you've only run terraform init or terraform plan, your state will not have been modified and downgrading your provider is sufficient.

If you've run terraform refresh or terraform apply, Terraform may have made state changes in the meantime.

Upgrade Topics

Provider Version Configuration

It is recommended to use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init to download the new version.

If you aren't using version constraints, you can use terraform init -upgrade in order to upgrade your provider to the latest released version.

For example, given this previous configuration:

provider "vault" {
  # ... other configuration ...

  version = "~> 2.24.0"
}

An updated configuration:

provider "vault" {
  # ... other configuration ...

  version = "~> 3.0.0"
}

Data Source: vault_kubernetes_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_approle_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_auth_backend

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_aws_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_azure_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_cert_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_consul_secret_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_gcp_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_generic_secret

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_github_auth_backend

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_jwt_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_kubernetes_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_pki_secret_backend

Deprecated resource

A replacement might look like:

resource "vault_mount" "pki-example" {
  path        = "pki-example"
  type        = "pki"
  description = "This is an example PKI mount"

  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
}

_Attempting to provision a vault_pki_secret_backend resource will raise an error._

Resource: vault_token

Removed fields

The following fields have been removed as they are no longer supported by the Terraform Plugin SDK. Please see Sensitive State Best Practices for more info.

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._

Resource: vault_token_auth_backend_role

Deprecated fields have been removed

The following deprecated fields have been removed:

_Specifying any of the fields above in your config or trying to interpolate them in your config will raise an error._