This release contains a dozen-plus new modules for working with Vault's database secrets engine and some new vars entries for specifying public and private keys in cert auth.
- cert auth - add option to set the cert_auth_public_key and cert_auth_private_key parameters using the variables ansible_hashi_vault_cert_auth_public_key and ansible_hashi_vault_cert_auth_private_key (#428).
- vault_database_connection_configure - Configures the database engine
- vault_database_connection_delete - Delete a Database Connection
- vault_database_connection_read - Returns the configuration settings for the connection named by connection_name
- vault_database_connection_reset - Closes the connection named by connection_name and its underlying plugin, and restarts it with the stored configuration
- vault_database_connections_list - Returns a list of available connections
- vault_database_role_create - Creates or updates a (dynamic) role definition
- vault_database_role_delete - Delete a role definition
- vault_database_role_read - Queries a dynamic role definition
- vault_database_roles_list - Returns a list of available (dynamic) roles
- vault_database_rotate_root_credentials - Rotates the root credentials stored for the database connection. This user must have permissions to update its own password.
- vault_database_static_role_create - Create or update a static role
- vault_database_static_role_get_credentials - Returns the current credentials based on the named static role
- vault_database_static_role_read - Queries a static role definition
- vault_database_static_role_rotate_credentials - Trigger the credential rotation for a static role
- vault_database_static_roles_list - Returns a list of available static roles
This release addresses some breaking changes in core that were backported.
- requirements - the requests package, which is required by hvac, now has a more restrictive version range for this collection in certain use cases, due to breaking security changes in ansible-core that were backported (#416).
This major version of the collection has no functional changes from the previous version; however, the minimum versions of hvac and ansible-core have been raised. While the collection may still work with those earlier versions, future changes will not be tested against them.
- The minimum required version of hvac is now 1.2.1 (https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/docsite/user_guide.html#hvac-version-specifics).
- The minimum supported version of ansible-core is now 2.14; support for 2.13 has been dropped (#403).
This release fixes a bug in vault_write ahead of the collection's next major release.
- vault_write - the vault_write lookup and module were not able to write data containing keys named path or wrap_ttl, due to a bug in the hvac library. These plugins have now been updated to take advantage of fixes in hvac>=1.2 to address this (#389).
This version makes some relatively minor but technically breaking changes. Support for ansible-core versions 2.11 and 2.12 has been dropped, and there is now a minimum supported version of hvac, which will be raised over time. A warning in the hashi_vault lookup on duplicate option specifications in the term string has been changed to a fatal error.
- Support for ansible-core 2.11 and 2.12 has been removed (#340).
- The minimum version of hvac for community.hashi_vault is now 1.1.0 (#324).
- hashi_vault lookup - duplicate option entries in the term string now raise an exception instead of a warning (#356).
This patch version updates the documentation for the vault_kv2_write module. There are no functional changes.
This release contains a new module for KVv2 writes, and a new warning for duplicated term string options in the hashi_vault lookup.
- hashi_vault lookup - in v5.0.0, duplicate term string options will raise an exception instead of showing a warning (#356).
- hashi_vault lookup - a term string with duplicate options would silently use the last value. The lookup now shows a warning on option duplication (#349).
- vault_kv2_write - Perform a write operation against a KVv2 secret in HashiCorp Vault
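As an added example (not code from community.hashi_vault), here is a small term-string parser that reproduces the duplicate-option policy described in these entries and in the 5.0.0 notes above: warn and keep the last value, or fail hard. The term format (whitespace-separated key=value pairs) and the sample strings are constructed for this example, not taken from the collection.

```python
"""Added example (not code from community.hashi_vault): parse a hashi_vault
lookup term string and apply the duplicate-option policy the changelog
describes. The term format (whitespace-separated key=value pairs) and the
sample strings below are constructed for this example."""
import shlex
import warnings

# Constructed sample term strings; no real Vault address or token is involved.
TERM_OK = "secret=secret/data/app:password retries=3 timeout=5"
TERM_DUP = "secret=secret/data/app:password timeout=5 timeout=30"


def parse_term(term: str, strict: bool = False) -> dict:
    """Return the options in a term string as a dict.

    strict=False: a duplicate key emits a warning and the last value wins,
                  the behaviour introduced by #349 on top of the older
                  silent last-value behaviour.
    strict=True:  a duplicate key raises ValueError, the 5.0.0 behaviour (#356).
    """
    opts = {}
    for token in shlex.split(term):
        if "=" not in token:
            raise ValueError(f"malformed term option (expected key=value): {token!r}")
        key, value = token.split("=", 1)
        if key in opts:
            if strict:
                raise ValueError(f"duplicate option {key!r} in term string")
            warnings.warn(f"duplicate option {key!r}; using the last value", stacklevel=2)
        opts[key] = value
    return opts


if __name__ == "__main__":
    print(parse_term(TERM_OK))
    print(parse_term(TERM_DUP))  # warns; timeout resolves to "30"
    try:
        parse_term(TERM_DUP, strict=True)
    except ValueError as exc:
        print("strict mode:", exc)
```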
This release brings new generic vault_list plugins from a new contributor! There are also some deprecation notices for the next major version, and some updates to documentation attributes.
- ansible-core - support for ansible-core versions 2.11 and 2.12 will be dropped in collection version 5.0.0, making 2.13 the minimum supported version of ansible-core (#340).
- hvac - the minimum version of hvac to be supported in collection version 5.0.0 will be at least 1.0.2; this minimum may be raised before 5.0.0 is released, so please subscribe to the linked issue and look out for new notices in the changelog (#324).
- vault_list - Perform a list operation against HashiCorp Vault (new lookup plugin and new module)
The next major version of the collection includes previously announced breaking changes to some default values, and improvements to module documentation with attributes that describe the use of action groups and check mode support.
- modules - all modules now document their action group and support for check mode in their attributes documentation (#197).
- auth - the default value for token_validate has changed from true to false, as previously announced (#248).
- vault_kv2_get lookup - as previously announced, the default value for engine_mount_point in the vault_kv2_get lookup has changed from kv to secret (#279).
This release includes a new module, fixes (another) requests header issue, and updates some inaccurate documentation. This is the last planned release before v4.0.0.
- vault_pki_generate_certificate - the documentation has been updated to match the argspec for the default values of the options alt_names, ip_sans, other_sans, and uri_sans (#318).
- connection options - the namespace connection option will be forced into a string to ensure compatibility with recent requests versions (#309).
- vault_kv2_delete - Delete one or more versions of a secret from HashiCorp Vault's KV version 2 secret store
No functional changes in this release; it provides updated filter documentation for the public docsite.
With the release of hvac version 1.0.0, we needed to update vault_token_create's support for orphan tokens. The collection's changelog is now viewable in the Ansible documentation site.
- vault_token_create - creation of orphan tokens uses hvac's new v1 method for creating orphans, or falls back to the v0 method if needed (#301).
This release brings support for the azure auth method, adds 412 to the default list of HTTP status codes to be retried, and fixes a bug that causes failures in token auth with requests>=2.28.0.
- community.hashi_vault collection - add support for the azure auth method, for Azure service principal, managed identity, or plain JWT access token (#293).
- community.hashi_vault retries - HTTP status code 412 has been added to the default list of codes to be retried, for the new Server Side Consistent Token feature in Vault Enterprise (#290).
- community.hashi_vault plugins - tokens will be cast to a string type before being sent to hvac, to prevent errors in requests when values are AnsibleUnsafe (#289).
- modules - fix a "variable used before assignment" that cannot be reached but causes sanity test failures (#296).
A default value that was set incorrectly will be corrected in 4.0.0. A deprecation warning will be shown until then if the value is not specified explicitly. This version also includes some fixes and improvements to the licensing in the collection, which do not affect any functionality.
- vault_kv2_get lookup - the engine_mount_point option in the vault_kv2_get lookup only will change its default from kv to secret in community.hashi_vault version 4.0.0 (#279).
- Add SPDX license headers to individual files (#282).
- Add missing BSD-2-Clause.txt file for BSD licensed content (#275).
- Use the correct GPL license for plugin_utils (#276).
Version 3.0.0 of community.hashi_vault drops support for Ansible 2.9 and ansible-base 2.10. Several deprecated features have been removed. See the changelog for the full list.
- token_validate options - the shared auth option token_validate will change its default from true to false in community.hashi_vault version 4.0.0. The vault_login lookup and module will keep the default value of true (#248).
- aws_iam auth - the deprecated alias aws_iam_login for the aws_iam value of the auth_method option has been removed (#194).
- community.hashi_vault collection - support for Ansible 2.9 and ansible-base 2.10 has been removed (#189).
- hashi_vault lookup - the deprecated [lookup_hashi_vault] INI config section has been removed in favor of the collection-wide [hashi_vault_collection] section (#179).
This release finally contains dedicated KV plugins and modules, and an exciting new lookup to help use plugin values in module calls. With that, we also have a guide in the collection docsite for migrating away from the hashi_vault lookup toward dedicated content. We are also announcing that the token_validate option will change its default value in version 4.0.0. This is the last planned release before 3.0.0. See the porting guide for breaking changes and removed features in the next version.
- vault_login module & lookup - no friendly error message was given when hvac was missing (#257).
- vault_pki_certificate - add vault_pki_certificate to the community.hashi_vault.vault action group (#251).
- vault_read module & lookup - no friendly error message was given when hvac was missing (#257).
- vault_token_create - add vault_token_create to the community.hashi_vault.vault action group (#251).
- vault_token_create module & lookup - no friendly error message was given when hvac was missing (#257).
- vault_write - add vault_write to the community.hashi_vault.vault action group (#251).
- token_validate options - the shared auth option token_validate will change its default from True to False in community.hashi_vault version 4.0.0. The vault_login lookup and module will keep the default value of True (#248).
- vault_ansible_settings - Returns plugin settings (options) (new lookup plugin)
- vault_kv1_get - Get a secret from HashiCorp Vault's KV version 1 secret store (new lookup plugin and new module)
- vault_kv2_get - Get a secret from HashiCorp Vault's KV version 2 secret store (new lookup plugin and new module)
Our first content for writing to Vault is now live.
- vault_write - Perform a write operation against HashiCorp Vault (new lookup plugin and new module)
This release contains new plugins and modules for creating tokens and for generating certificates with Vault's PKI secrets engine.
- vault_token_create - Create a HashiCorp Vault token (new lookup plugin and new module)
- vault_pki_generate_certificate - Generates a new set of credentials (private key and certificate) using HashiCorp Vault PKI (new module)
This release contains a new lookup/module combo for logging in to Vault, and includes our first filter plugin.
- The Filter guide has been added to the collection's docsite.
- vault_login_token - Extracts the client token from a Vault login response (new filter plugin)
- vault_login - Perform a login operation against HashiCorp Vault (new lookup plugin and new module)
The most important change in this release is renaming the aws_iam_login auth method to aws_iam and deprecating the old name. This release also announces the deprecation of Ansible 2.9 and ansible-base 2.10 support in 3.0.0.
- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.hashi_vault 3.0.0) next spring (ansible-community/community-topics#50, #189).
- aws_iam_login auth method - the aws_iam_login method has been renamed to aws_iam. The old name will be removed in collection version 3.0.0. Until then both names will work, and a warning will be displayed when using the old name (#193).
- the "legacy" integration test setup has been removed; this does not affect end users and is only relevant to contributors (#191).
Version 2.0.0 of the collection drops support for Python 2 & Python 3.5, making Python 3.6 the minimum supported version. Some deprecated features and settings have been removed as well.
- connection options - there is no longer a default value for the url option (the Vault address), so a value must be supplied (#83).
- drop support for Python 2 and Python 3.5 (#81).
- support for the following deprecated environment variables has been removed: VAULT_AUTH_METHOD, VAULT_TOKEN_PATH, VAULT_TOKEN_FILE, VAULT_ROLE_ID, VAULT_SECRET_ID (#173).
This release includes a new action group for use with module_defaults, and additional ways of specifying the mount_point option for plugins. This will be the last 1.x release.
- add the community.hashi_vault.vault action group (#172).
- auth methods - Add support for configuring the mount_point auth method option in plugins via the ANSIBLE_HASHI_VAULT_MOUNT_POINT environment variable, the ansible_hashi_vault_mount_point ansible variable, or the mount_point INI entry (#171).
This release contains a bugfix for aws_iam_login authentication.
- aws_iam_login auth method - fix incorrect use of boto3/botocore that prevented proper loading of AWS IAM role credentials (#167).
This release includes bugfixes, a new auth method (cert), and the first new content since the collection's formation: the vault_read module and lookup plugin. We're also announcing the deprecation of the [lookup_hashi_vault] INI section (which will continue working up until its removal, only for the hashi_vault lookup), to be replaced by the [hashi_vault_collection] section that will apply to all plugins in the collection.
- community.hashi_vault collection - add cert auth method (#159).
- lookup hashi_vault - the [lookup_hashi_vault] section in the ansible.cfg file is deprecated and will be removed in collection version 3.0.0. Instead, the section [hashi_vault_collection] can be used, which will apply to all plugins in the collection going forward (#144).
- aws_iam_login auth - the aws_security_token option was not used, causing assumed role credentials to fail (#160).
- hashi_vault collection - a fallback import supporting the retries option for urllib3 via requests.packages.urllib3 was not correctly formed (#116).
- hashi_vault collection - unhandled exception with token auth when token_file exists but is a directory (#152).
- vault_read - Perform a read operation against HashiCorp Vault (new lookup plugin and new module)
This release adds requirements detection support for Ansible Execution Environments. It also updates and adds new guides in our collection docsite.
This release also announces the dropping of Python 3.5 support in version 2.0.0 of the collection, alongside the previous announcement dropping Python 2.x in 2.0.0.
- hashi_vault collection - add execution-environment.yml and a python requirements file to better support ansible-builder (#105).
- hashi_vault collection - support for Python 3.5 will be dropped in version 2.0.0 of community.hashi_vault (#81).
This release fixes an error in the documentation. No functionality is changed, so it's not necessary to upgrade from 1.3.0.
This release adds two connection-based options for controlling timeouts and retrying failed Vault requests.
- hashi_vault lookup - add retries and retry_action to enable built-in retry on failure (#71).
- hashi_vault lookup - add timeout option to control connection timeouts (#100).
This release brings several new ways of accessing options, like using Ansible vars, and adding new environment variables and INI config entries. A special none auth type is also added, for working with certain Vault Agent configurations. This release also announces the deprecation of Python 2 support in version 2.0.0 of the collection.
- hashi_vault lookup - add ANSIBLE_HASHI_VAULT_CA_CERT env var (with VAULT_CACERT low-precedence fallback) for the ca_cert option (#97).
- hashi_vault lookup - add ANSIBLE_HASHI_VAULT_PASSWORD env var and ansible_hashi_vault_password ansible var for the password option (#96).
- hashi_vault lookup - add ANSIBLE_HASHI_VAULT_USERNAME env var and ansible_hashi_vault_username ansible var for the username option (#96).
- hashi_vault lookup - add ansible_hashi_vault_auth_method Ansible vars entry to the auth_method option (#86).
- hashi_vault lookup - add ansible_hashi_vault_ca_cert ansible var for the ca_cert option (#97).
- hashi_vault lookup - add ansible_hashi_vault_namespace Ansible vars entry to the namespace option (#86).
- hashi_vault lookup - add ansible_hashi_vault_proxies Ansible vars entry to the proxies option (#86).
- hashi_vault lookup - add ansible_hashi_vault_role_id Ansible vars entry to the role_id option (#86).
- hashi_vault lookup - add ansible_hashi_vault_secret_id Ansible vars entry to the secret_id option (#86).
- hashi_vault lookup - add ansible_hashi_vault_token_file Ansible vars entry to the token_file option (#95).
- hashi_vault lookup - add ansible_hashi_vault_token_path Ansible vars entry to the token_path option (#95).
- hashi_vault lookup - add ansible_hashi_vault_token_validate Ansible vars entry to the token_validate option (#86).
- hashi_vault lookup - add ansible_hashi_vault_token Ansible vars entry to the token option (#86).
- hashi_vault lookup - add ansible_hashi_vault_url and ansible_hashi_vault_addr Ansible vars entries to the url option (#86).
- hashi_vault lookup - add ansible_hashi_vault_validate_certs Ansible vars entry to the validate_certs option (#95).
- hashi_vault lookup - add ca_cert INI config file key for the ca_cert option (#97).
- hashi_vault lookup - add none auth type, which allows for passive auth via a Vault agent (#80).
- hashi_vault collection - support for Python 2 will be dropped in version 2.0.0 of community.hashi_vault (#81).
This release fixes a bug with userpass authentication and hvac versions 0.9.6 and higher.
- hashi_vault - userpass authentication did not work with hvac 0.9.6 or higher (#68).
This release contains the same functionality as 1.1.1. The only change is to mark some code as internal to the collection. If you are already using 1.1.1 as an end user you do not need to update.
This bugfix release restores the use of the VAULT_ADDR environment variable for setting the url option. See the PR linked from the changelog entry for details and workarounds if you cannot upgrade.
- hashi_vault - restore use of the VAULT_ADDR environment variable as a low-preference env var (#61).
This release contains a new proxies option for the hashi_vault lookup.
- hashi_vault - add proxies option (#50).
Our first major release contains a single breaking change that will affect only a small subset of users. No functionality is removed. See the details in the changelog to determine if you're affected and, if so, how to remediate.
- hashi_vault - the VAULT_ADDR environment variable is now checked last for the url parameter. For details on which use cases are impacted, see (#8).
Several backwards-compatible bugfixes and enhancements in this release. Some environment variables are deprecated and have standardized replacements.
- Add optional aws_iam_server_id parameter as the value for the X-Vault-AWS-IAM-Server-ID header (#27).
- hashi_vault - ANSIBLE_HASHI_VAULT_ADDR environment variable added for option url (#8).
- hashi_vault - ANSIBLE_HASHI_VAULT_AUTH_METHOD environment variable added for option auth_method (#17).
- hashi_vault - ANSIBLE_HASHI_VAULT_ROLE_ID environment variable added for option role_id (#20).
- hashi_vault - ANSIBLE_HASHI_VAULT_SECRET_ID environment variable added for option secret_id (#20).
- hashi_vault - ANSIBLE_HASHI_VAULT_TOKEN_FILE environment variable added for option token_file (#15).
- hashi_vault - ANSIBLE_HASHI_VAULT_TOKEN_PATH environment variable added for option token_path (#15).
- hashi_vault - namespace parameter can be specified in INI or via env vars ANSIBLE_HASHI_VAULT_NAMESPACE (new) and VAULT_NAMESPACE (lower preference) (#14).
- hashi_vault - token parameter can now be specified via ANSIBLE_HASHI_VAULT_TOKEN as well as via VAULT_TOKEN (the latter with lower preference) (#16).
- hashi_vault - add token_validate option to control token validation (#24).
- hashi_vault - uses new AppRole method in hvac 0.10.6 with fallback to deprecated method with warning (#33).
- hashi_vault - VAULT_ADDR environment variable for option url will have its precedence lowered in 1.0.0; use ANSIBLE_HASHI_VAULT_ADDR to intentionally override a config value (#8).
- hashi_vault - VAULT_AUTH_METHOD environment variable for option auth_method will be removed in 2.0.0; use ANSIBLE_HASHI_VAULT_AUTH_METHOD instead (#17).
- hashi_vault - VAULT_ROLE_ID environment variable for option role_id will be removed in 2.0.0; use ANSIBLE_HASHI_VAULT_ROLE_ID instead (#20).
- hashi_vault - VAULT_SECRET_ID environment variable for option secret_id will be removed in 2.0.0; use ANSIBLE_HASHI_VAULT_SECRET_ID instead (#20).
- hashi_vault - VAULT_TOKEN_FILE environment variable for option token_file will be removed in 2.0.0; use ANSIBLE_HASHI_VAULT_TOKEN_FILE instead (#15).
- hashi_vault - VAULT_TOKEN_PATH environment variable for option token_path will be removed in 2.0.0; use ANSIBLE_HASHI_VAULT_TOKEN_PATH instead (#15).
- hashi_vault - mount_point parameter did not work with the aws_iam_login auth method (#7).
- hashi_vault - fallback logic for handling the deprecated style of auth in hvac was not implemented correctly (#33).
- hashi_vault - parameter mount_point does not work with JWT auth (#29).
- hashi_vault - tokens without lookup-self ability can't be used because of validation (#18).
Our first release matches the hashi_vault lookup functionality provided by community.general version 1.3.0.