chore(deps): update terraform vault to ~> 5.8.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
vault (source)	required_provider	minor	~> 5.7.0 → ~> 5.8.0

---

Pre-merge checks for Synapse or MAS workloads

• The Release Notes do not describe any breaking changes.

• The Upgrade document does not describe any breaking changes.

---

Release Notes

hashicorp/terraform-provider-vault (vault)

v5.8.0

Compare Source

FEATURES:

• Add support for CF auth backend: vault_cf_auth_backend_config and vault_cf_auth_backend_role resources, and vault_cf_auth_login ephemeral resource for short-lived Vault tokens.
• Add support for SPIFFE secrets backend: (#​2660)
• Add support for pki-external-ca secrets backend: (#​2771)
• Add new KMIP resources vault_kmip_secret_ca_generated, vault_kmip_secret_ca_imported, vault_kmip_secret_listener, and add support for the ca field in vault_kmip_secret_role: (#​2773)
• vault_secrets_sync_azure_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience, identity_token_audience_wo_version, identity_token_ttl, and identity_token_key to enable token-based authentication with Azure. Requires Vault 2.0.0+. (#​2790)
• vault_secrets_sync_aws_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience, identity_token_ttl, and identity_token_key to enable token-based authentication with AWS. Requires Vault 2.0.0+. (#​2792)
• vault_secrets_sync_gcp_destination: Add support for Workload Identity Federation (WIF) fields identity_token_audience_wo, identity_token_audience_wo_version, identity_token_ttl, identity_token_key_wo, identity_token_key_wo_version and service_account_email to enable token-based authentication with GCP. Requires Vault 2.0.0+. (#​2798)
• New Ephemeral Resource: Add ephemeral resource for vault_generic_secret (#​2735)
• New Ephemeral Resource: Add ephemeral resource vault_terraform_token, by @​drewmullen (#​2616)

IMPROVEMENTS:

• vault_managed_keys: Add support for GCP Cloud KMS managed keys with parameters: credentials, project, key_ring, region, crypto_key, crypto_key_version, and algorithm. (#​2769)
• vault_okta_auth_backend: Add support for write-only field api_token_wo with version counters to prevent sensitive credentials from being stored in Terraform state. Deprecate organization and token and replace with org_name and api_token respectively in vault_okta_auth_backend resource. (#​2736)
• vault_kubernetes_secret_backend_role: Add support for token_default_audiences field to configure default audiences for generated Kubernetes tokens. Requires Vault 1.15+. (#​2722)
• vault_raft_snapshot_agent_config: Add support for azure_auth_mode and azure_client_id fields for Azure Managed Identity authentication (Vault Enterprise 1.18.0+), and autoload_enabled field for automatic snapshot restoration (Vault Enterprise 1.21.0+). (#​2758)
• vault_ssh_secret_backend_role: Add support for fields (default_extensions_template, exclude_cidr_list, port) and improve handling of key-type-specific fields (default_extensions, default_extensions_template, exclude_cidr_list, port) to prevent drift. Fields that are not applicable to a role's key type (CA or OTP) are now conditionally set in state only when returned by Vault, preventing perpetual drift when users configure fields that Vault ignores. CA key type supports: default_extensions, default_extensions_template. OTP key type supports: port, exclude_cidr_list. (#​2747)
• Added remove_roots_from_chain field to vault_pki_secret_backend_root_cert and resource_pki_secret_backend_sign. (#​2760)
• vault_pki_secret_backend_root_cert: Add support for use_pss and key_usage fields to configure PSS signature scheme and X.509 key usage constraints for root CA certificates. Requires Vault 1.18.0+ and 1.19.2+ respectively. (#​2754)
• vault_pki_secret_backend_root_sign_intermediate: Add version check for key_usage field to ensure compatibility with Vault 1.19.2+ for configuring X.509 key usage constraints on intermediate CA certificates. (#​2754)
• provider/auth_jwt: Add support for distributed_claim_access_token field in the auth_login_jwt configuration block. (#​2782)
• vault_database_secret: Add support for additional credential types (rsa_private_key, client_certificate, private_key, private_key_type) in the ephemeral resource to support all database credential types available in Vault's database secrets engine. (#​2767)
• Updated dependencies:
  • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
  • github.com/aws/aws-sdk-go-v2 v1.32.5 -> v1.41.3
  • github.com/aws/aws-sdk-go-v2/service/iam v1.38.1 -> v1.53.5
  • github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 -> v1.41.8
  • github.com/aws/smithy-go v1.22.1 -> v1.24.2
  • github.com/coreos/pkg v0.0.0-20230601102743-20bbbf26f4d8 -> v0.0.0-20240122114842-bbd7aa9bf6fb
  • github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
  • github.com/googleapis/enterprise-certificate-proxy v0.3.12 -> v0.3.14
  • github.com/hashicorp/consul/api v1.33.0 -> v1.33.4
  • github.com/hashicorp/go-secure-stdlib/awsutil/v2 v2.1.1 -> v2.1.2
  • github.com/hashicorp/terraform-plugin-framework v1.16.1 -> v1.19.0
  • github.com/hashicorp/terraform-plugin-go v0.29.0 -> v0.31.0
  • github.com/hashicorp/terraform-plugin-mux v0.21.0 -> v0.23.0
  • github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1 -> v2.40.0
  • github.com/hashicorp/terraform-plugin-testing v1.13.3 -> v1.15.0
  • github.com/hashicorp/vault-plugin-auth-oci v0.20.0 -> v0.20.1
  • github.com/hashicorp/vault/sdk v0.22.0 -> v0.23.0
  • github.com/spiffe/go-spiffe/v2 v2.5.0 -> v2.6.0
  • golang.org/x/crypto v0.45.0 -> v0.49.0
  • golang.org/x/net v0.47.0 -> v0.52.0
  • golang.org/x/oauth2 v0.31.0 -> v0.36.0
  • golang.org/x/sync v0.19.0 -> v0.20.0
  • golang.org/x/sys v0.41.0 -> v0.42.0
  • golang.org/x/text v0.34.0 -> v0.35.0
  • golang.org/x/time v0.14.0 -> v0.15.0
  • golang.org/x/tools v0.41.0 -> v0.42.0
  • google.golang.org/api v0.251.0 -> v0.271.0
  • google.golang.org/genproto v0.0.0-20250603155806-513f23925822 -> v0.0.0-20260311181403-84a4fc48630c
  • google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260226221140-a57be14db171
  • google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d -> v0.0.0-20260226221140-a57be14db171
  • google.golang.org/grpc v1.79.1 -> v1.79.2
  • hashicorp/setup-terraform v3 -> v4
  • github.com/cloudflare/circl v1.6.1 -> v1.6.3
  • filippo.io/edwards25519 v1.1.0 -> v1.1.1
  • k8s.io/utils v0.0.0-20240102154912-e7106e64919e -> v0.0.0-20260210185600-b8788abfbbc2

BUGS:

• Clears the bindpass field in the state file after migrating to the write-only field in vault_ldap_auth_backend resource. (#​2813)

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.