Update Terraform aws to v6 #11
This PR contains the following updates:
~> 5.0 → ~> 6.0
Release Notes
hashicorp/terraform-provider-aws (aws)
v6.51.0
NOTES:
managed_certificate_request, managed certificate issuance uses a fixed 3-hour timeout regardless of the configured resource timeout. This behavior will be updated in a future major version. (#47839)
kms_key_arn attribute has been deprecated. All configurations using kms_key_arn should be updated to use the server_side_encryption_kms_key_id attribute instead. (#48441)
outpost_config, the changes are best effort and we ask for community help in testing (#48367)
FEATURES:
aws_acm_certificate (#48283)
aws_bedrockagentcore_evaluator (#47964)
aws_sagemaker_hub_content_reference (#48379)
ENHANCEMENTS:
outpost_config.control_plane_placement.spread_level, outpost_config.etcd_instance_type, and outpost_config.etcd_placement attributes (#48367)
origin.custom_origin_config.origin_mtls_config argument (#46421)
outpost_config.control_plane_placement.spread_level, outpost_config.etcd_instance_type, and outpost_config.etcd_placement arguments (#48367)
outpost_config.control_plane_placement.group_name to Optional (#48367)
durability argument (#48254)
network_type argument (#48371)
destination_metrics_configuration and source_metrics_configuration blocks (#48303)
vector_options.serverless_vector_acceleration argument (#47018)
BUG FIXES:
subject_alternative_names for Imported certificates (#48362)
kms_key_arn is set but not returned by the API for S3 engine endpoints. (#48441)
log_delivery_configuration with log_type = "slow-log" while simultaneously upgrading the engine from Redis 5 to Redis 6 or Valkey 7 (#46526)
InvalidArgumentException errors when creating or updating extended_s3_configuration in AWS partitions that report unsupported custom_time_zone and file_extension attributes in a combined error message (#48369)
principal block required (#48416)
runtime error: index out of range [0] with length 0 panic when importing a replicator with no replication configurations (#48338)
v6.50.0
NOTES:
private_endpoint, it is best effort and we ask for community help in testing (#47602)
FEATURES:
aws_bedrockagentcore_policy (#47971)
aws_cloudwatch_log_s3_table_integration_source (#48190)
aws_ecs_daemon (#47562)
aws_ecs_daemon_task_definition (#47562)
aws_observabilityadmin_s3_table_integration (#48190)
ENHANCEMENTS:
AGUI as a valid value for protocol_configuration.server_protocol (#47906)
policy_engine_configuration configuration block (#47818)
listing_mode argument to the target_configuration.mcp.mcp_server configuration block (#48225)
private_endpoint argument to support private connectivity to VPC-hosted MCP servers via Amazon VPC Lattice (#47602)
indexed_key and stream_delivery_resources arguments (#48240)
BUG FIXES:
couldn't find resource errors when reading a version immediately after creation (#48318)
ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role IAM eventual consistency errors on Create and Update (#48255)
route.gateway_id when route.odb_network_arn is configured (#48239)
network_configuration[0].security_groups when using network_configuration. ec2:DescribeSecurityGroups IAM permission is newly required. (#47944)
Resource Already Exists error when recreating a service after deletion (#48098)
InvalidArgumentException errors when creating or updating extended_s3_configuration in AWS partitions that do not support the custom_time_zone and file_extension attributes (#48284)
gateway_id when odb_network_arn is configured (#48239)
Provider produced inconsistent final plan errors when secret_string or secret_string_wo_version references a resource being created or replaced in the same apply (#48318)
version_stages being empty in state (#48318)
secret_string and secret_string_wo (or vice versa) without changing the secret value (#48318)
v6.49.0
ENHANCEMENTS:
advanced_security_options.jwt_options.jwks_url attribute (#48146)
generation attribute (#48125)
protocol_configuration.mcp.session_configuration block (#48179)
protocol_configuration.mcp.streaming_configuration block (#48179)
tags and tags_all arguments (#47916)
advanced_security_options.jwt_options.jwks_url argument (#48146)
generation argument (#48125)
BUG FIXES:
runtime error: slice bounds out of range [1:0] panics when refreshing state. This fixes a regression introduced in v6.48.0 (#48215)
v6.48.0
NOTES:
FEATURES:
aws_ec2_hosts (#47986)
aws_cleanrooms_membership (#48166)
aws_pinpointsmsvoicev2_event_destination (#48034)
aws_ec2_local_gateway_route_table (#48013)
aws_ec2_local_gateway_route_table_virtual_interface_group_association (#48014)
ENHANCEMENTS:
state, allocation_time, release_time, host_maintenance, host_reservation_id, availability_zone_id, allows_multiple_instance_types, member_of_service_linked_resource_group, instances, and available_capacity attributes (#47991)
warm_throughput attribute (#48152)
enable_prefix_for_ipv6_source_nat attribute (#40431)
ec2_placement_group_ids attribute. (#47317)
protocol_type as Optional. Omit it to create a gateway that routes traffic directly to HTTP targets (e.g. AgentCore Runtime) (#47897)
credential_provider_configuration.caller_iam_credentials and credential_provider_configuration.jwt_passthrough arguments (#47780)
credential_provider_configuration.gateway_iam_role.service and credential_provider_configuration.gateway_iam_role.region arguments to enable SigV4 signing of upstream requests for mcp_server targets pointing at AWS-hosted endpoints (#47626)
target_configuration.http argument (#47897)
global_parameters argument (#44857)
warm_throughput_mib_ps argument. This functionality requires the kinesis:UpdateStreamWarmThroughput IAM permission (#48152)
shard_level_metrics (#48152)
enable_prefix_for_ipv6_source_nat argument (#40431)
rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#48072)
BUG FIXES:
x-amazon-apigateway-policy updates being overwritten by prior policy state (#48118)
ValidationException: Gateway with ID: ... has targets associated with it. Delete all targets before deleting the gateway errors on delete (#47626)
FAILED and SYNCHRONIZING as pending states while a target is deleting (#47626)
InvalidDBInstanceState: Cannot create a snapshot because the database instance ... is not currently in the available state errors on delete (#46687)
CacheClusterNotFound when enabling snapshots after the primary cache cluster has been changed away from -001, and InvalidParameterCombination when enabling snapshots on cluster mode enabled groups (#46326)
ValidationException: Unknown parameter: ExtendedS3DestinationConfiguration.CustomTimeZone errors in AWS partitions which do not yet support selecting a time zone for bucket prefixes (#48186)
function_version (#48116)
InvalidParameterValueException: Alias with weights can not be used with Provisioned Concurrency error when updating provisioned concurrency simultaneously with alias version change (#48116)
versioning_configuration.mfa_delete when status is Disabled (#48161)
v6.47.0
FEATURES:
aws_bedrockagentcore_online_evaluation_config (#47209)
aws_bedrockagentcore_policy_engine (#47108)
aws_bedrockagentcore_resource_policy (#46844)
aws_s3control_multi_region_access_point (#48081)
aws_s3control_multi_region_access_point_routes (#48081)
aws_s3control_multi_region_access_point_routes (#47994)
ENHANCEMENTS:
id in favor of arn (#48036)
id (#48036)
id in favor of partition (#48036)
id in favor of region (#48036)
odb_network_arn attribute (#48027)
routes.odb_network_arn attribute (#48027)
arn in favor of secret_arn. (#48011)
arn in favor of secret_arn. (#48033)
name in favor of secret_name. (#48033)
id in favor of reverse_dns_name (#48036)
ip_address_type attribute (#48039)
private_key_wo write-only argument and private_key_wo_version argument (#44414)
step.rds_promote_read_replica_config, step.rds_create_cross_region_read_replica_config, and report_configuration arguments (#46965)
remote_node_networks field in remote_network_config optional (#47988)
outpost_config and remote_network_config (#47988)
log_delivery configuration block (#48054)
parameters.athena.role_arn argument to allow override an account-wide role for a specific Athena data source (#44666)
odb_network_arn argument (#48027)
core_network_arn (#48027)
route.odb_network_arn argument (#48027)
route.core_network_arn (#48027)
s3_destination.destination_data_sharing argument (#21996)
ip_address_type argument (#48039)
BUG FIXES:
versions.*.last_accessed_date. (#48033)
lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#48008)
securityGroupIds logic in flattenVPCConfigResponse() for Outpost clusters (#47988)
Provider produced inconsistent final plan errors and force resource recreation for Network Load Balancers when no security groups were initially configured and updated security groups are unknown at plan-time (#46695)
replication_info_list.consumer_group_replication.consumer_groups_to_exclude as Computed (#48054)
replication_info_list.topic_replication.topics_to_exclude as Computed (#48054)
v6.46.0
NOTES:
policy_name now force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updating policy_name would leave an orphaned policy with the old name in AWS (#47948)
FEATURES:
aws_bedrockagentcore_harness (#47725)
aws_iam_access_key (#47966)
aws_observabilityadmin_telemetry_rule_for_organization (#47920)
aws_route53_vpc_association_authorization (#47905)
aws_route53_zone_association (#47950)
aws_securityhub_automation_rule_v2 (#47677)
aws_xray_indexing_rule (#47975)
aws_xray_trace_segment_destination (#47961)
ENHANCEMENTS:
outpost_lag_id and local_gateway_virtual_interface_group_id attributes (#47974)
jwt_options block to fix "Invalid address to set" error (#47874)
idle_session_ttl_in_seconds from 3600 to 5400 to match the AWS API limit (#47890)
filesystem_configuration argument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#47810)
cache_tag_config configuration block (#47872)
resource_config_dns_resolution argument (#47879)
BUG FIXES:
acceleration_status, acl, cors_rule, grant, lifecycle_rule, logging, object_lock_configuration, policy, replication_configuration, request_payer, server_side_encryption_configuration, versioning, website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#47962)
InvalidRequest: SourceSelectionCriteria cannot be empty errors on unrelated updates (e.g. tags) when replication is managed by the dedicated aws_s3_bucket_replication_configuration resource using replica_modifications (#47962)
Provider returned invalid result object after apply errors on Update (#47948)
policy_name as ForceNew (#47948)
v6.45.0
FEATURES:
aws_observabilityadmin_telemetry_rule (#47857)
aws_securityhub_connector_v2 (#47678)
aws_observabilityadmin_telemetry_evaluation (#47799)
aws_observabilityadmin_telemetry_evaluation_for_organization (#47808)
aws_securityhub_aggregator_v2 (#47651)
ENHANCEMENTS:
ruby4.0 as a runtime value (#47841)
ruby4.0 as a compatible_runtimes value (#47841)
secret_string to secret_string_wo without re-creating the resource. (#47815)
maintenance_schedule configuration block (#47853)
BUG FIXES:
engine_version returning full patch version instead of minor version for Valkey engine (#46109)
engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#46109)
network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#47646)
v6.44.0
NOTES:
FEATURES:
aws_glue_catalog (#43583)
aws_alb_target_group_attachment (#47724)
aws_appautoscaling_policy (#47718)
aws_arczonalshift_zonal_autoshift_configuration (#46114)
aws_dynamodb_global_secondary_index (#47785)
aws_dynamodb_table (#47518)
aws_ecr_repository_policy (#47763)
aws_lb_target_group_attachment (#47724)
aws_s3_bucket_logging (#47766)
aws_securityhub_standards_control (#47702)
aws_vpc_endpoint_route_table_association (#47751)
aws_outposts_capacity_task (#47681)
aws_redshift_namespace_registration (#43583)
ENHANCEMENTS:
authentication_configuration attribute (#43583)
transit_gateway_configuration block (#47635)
file_system_type_version (#47703)
self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#47752)
authentication_configuration argument (#43583)
maintenance_schedule configuration block (#47354)
BUG FIXES:
Delete to use the file system prefix when resetting the synchronization configuration (#47760)
waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#47783)
db_parameter_group_identifier (#47052)
v6.43.0
FEATURES:
aws_securityhub_enabled_standards (#43947)
aws_securityhub_security_controls (#43947)
aws_db_subnet_group (#47637)
aws_ec2_network_insights_access_scope (#47582)
aws_iam_group_policy_attachment (#47667)
aws_lambda_event_source_mapping (#47686)
aws_securityhub_insight (#47622)
aws_arczonalshift_autoshift_observer_notification_status (#46343)
aws_securityhub_account_v2 (#47356)
ENHANCEMENTS:
EPISODIC as a valid value for type (#47589)
current_deployment. (#47694)
SELF_MANAGED_SECURITY_HUB as a policy_id value (#47078)
arn attribute (#47543)
terraform destroy when they block subnet deletion (#46953)
terraform destroy when they block VPC deletion (#46953)
BUG FIXES:
One of 'metric_name', 'metric_query', or 'evaluation_criteria' must be set for a cloudwatch metric alarm plan-time errors. This fixes a regression introduced in v6.42.0 (#47666)
current_deployment changes. (#47694)
INACTIVE instead of DRAINING. (#47568)
runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#47625)
limits.messages_per_second from 50 to 1 to match the AWS API. (#47636)
MalformedXML errors during tag-on-create and CreateBucketConfiguration operations (#47530)
v6.42.0
BREAKING CHANGES:
mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#47273)
NOTES:
FEATURES:
aws_ec2_service_link_virtual_interface (#47478)
aws_ec2_service_link_virtual_interfaces (#47478)
aws_apigatewayv2_api (#47472)
aws_cloudwatch_log_metric_filter (#47495)
aws_config_remediation_configuration (#47514)
aws_ebs_volume (#47551)
aws_ebs_volume_attachment (#47561)
aws_eip (#47557)
aws_iam_user_policy_attachment (#47467)
aws_internet_gateway (#47529)
aws_lambda_layer_version (#47496)
aws_launch_template (#47540)
aws_route53_zone (#47494)
aws_sagemaker_hyper_parameter_tuning_job (#47138)
aws_sqs_queue_policy (#47489)
aws_cloudwatch_otel_enrichment (#47275)
aws_ebs_volume_copy (#47311)
ENHANCEMENTS:
user_status attribute (#47323)
ena_srd_specification attribute (#46669)
evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#47449)
namespace_config argument (#44087)
identity_provider_config_name attribute (#47428)
resource_selection.recipe.semantic_version (#47443)
skip_destroy argument (#47273)
ena_srd_specification argument to support ENA Express (#46669)
routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#47541)
integration_identifier attribute (#45632)
data_filter and integration_name (#45632)
storage_lens_configuration.expanded_prefixes_data_export and storage_lens_configuration.prefix_delimiter arguments (#47205)
accept_bucket_warning argument (#47510)
peer_network_cidrs argument. (#46207)
BUG FIXES:
source_uri regular expression validation (#47498)
topic_policy_config.topics_config.definition from 200 to 1000 to support standard tier. (#47574)
mute_targets.alarm_names ordering causing "Provider produced inconsistent result after apply" errors (#47507)
UnsupportedOperation errors in isolated regions (#47091)
broker_node_group_info.vpc_connectivity configuration block. This fixes a regression introduced in v6.40.0 (#47515)
runtime error: invalid memory address or nil pointer dereference panic in statusManagedService() and statusNetwork() when FindOracleDBNetworkResourceByID returns a nil result during resource creation (#47159)
email if returned by AWS API and don't recompute invite from member_status. This prevents drift for organization members (#47106)
v6.41.0
FEATURES:
aws_api_gateway_integration (#47370)
aws_api_gateway_integration_response (#47388)
aws_api_gateway_method (#47365)
aws_api_gateway_method_response (#47387)
aws_api_gateway_resource (#47382)
aws_api_gateway_rest_api (#47404)
aws_apigatewayv2_route (#47452)
aws_cloudfront_distribution (#47459)
aws_cloudwatch_alarm_mute_rule (#46750)
aws_cloudwatch_log_subscription_filter (#47451)
aws_nat_gateway (#47349)
aws_sns_topic_policy (#47445)
ENHANCEMENTS:
volume.s3files_volume_configuration attribute (#47363)
deployment_strategy_options block (#47401)
topic_arn (#47381)
metrics attribute (#47047)
enable_directory_data_access argument (#44736)
volume.s3files_volume_configuration argument (#47363)
passwords_wo and passwords_wo_version write-only arguments (#45988)
deployment_strategy_options configuration block (#47401)
BUG FIXES:
ComputeAttributes or AssetLocation (#47450)
traffic_source to Required (#47381)
response_completion_timeout for Origins, by removing its default value (#46329)
function_association and lambda_function_association block ordering producing inconsistent result after apply when multiple associations are configured (#46378)
origin block ordering producing inconsistent result after apply when multiple origins are configured (#47199)
key_type is unknown during plan-time. (#47456)
range_key is set to empty string (#47427)
MySQL engine types triggered by upstream changes to the API error response text (#47448)
v6.40.0
FEATURES:
aws_opensearchserverless_collection_group (#46308)
aws_opensearchserverless_collection_groups (#46308)
aws_s3files_access_point (#47352)
aws_s3files_file_system (#47344)
aws_s3files_file_systems (#47344)
aws_s3files_mount_target (#47347)
aws_config_config_rule (#47319)
aws_glue_job (#47266)
aws_s3files_file_system (#47325)
aws_s3files_file_system_policy (#47355)
aws_s3files_synchronization_configuration (#47353)
aws_ssm_association (#47321)
aws_ssm_patch_group (#47329)
aws_servicequotas_auto_management (#45968)
ENHANCEMENTS:
broker_node_group_info.connectivity_info.network_type attribute (#47279)
depends_on_stack_sets to auto_deployment configuration block (#47269)
remediation_types attribute (#46549)
FLINK-2_2 as a valid value for runtime_environment (#47207)
broker_node_group_info.connectivity_info.network_type argument (#47279)
storage_lens_configuration.data_export.storage_lens_table_destination argument (#47152)
BUG FIXES:
export.data_query.table_configurations (#47261)
pattern length in UTF-8 characters (#47287)
name as ForceNew (#47286)
AccountAlreadyClosedException error when deleting an account that has already been closed with close_on_deletion set to true (#46627)
rule.apply_server_side_encryption_by_default.kms_master_key_id, rule.blocked_encryption_types, and rule.bucket_key_enabled to Optional and Computed, preventing diffs once SSE-C is disabled for all new general purpose buckets (#47359)
visible_regions or visible_services is set to an explicit empty set ([]) (#47290)
v6.39.0
NOTES:
tags_all attribute is deprecated and will be removed in a future major version (#47133)
FEATURES:
aws_iam_role_policies (#46936)
aws_iam_role_policy_attachments (#47119)
aws_networkmanager_core_network (#45798)
aws_uxc_services (#47115)
aws_eks_cluster (#47133)
aws_organizations_aws_service_access (#46993)
aws_sagemaker_training_job (#46892)
aws_workmail_group (#47131)
aws_workmail_user (#47131)
aws_uxc_account_customizations (#47115)
ENHANCEMENTS:
instance_families attribute (#47153)
tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
source.vpc argument. Change source.eks to Optional (#47155)
storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)
BUG FIXES:
aws-cn partition (#47141)
Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
bootstrap_self_managed_addons to true when importing (#47133)
InvalidParameterCombination error when cache_usage_limits is removed (#46134)
v6.38.0
FEATURES:
aws_dms_start_replication_task_assessment_run (#47058)
aws_dynamodb_backups (#47036)
aws_msk_topic (#46490)
aws_savingsplans_offerings (#47081)
aws_msk_cluster (#46490)
aws_msk_serverless_cluster (#46490)
aws_route53_resolver_rule (#47063)
aws_sagemaker_algorithm (#47051)
aws_ssm_document (#46974)
aws_ssoadmin_account_assignment (#47067)
aws_vpc_endpoint (#46977)
aws_workmail_domain (#46931)
aws_observabilityadmin_telemetry_enrichment (#47089)
aws_workmail_default_domain (#46931)
ENHANCEMENTS:
firewall_policy.enable_tls_session_holding attribute (#47065)
authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
target_configuration.mcp.api_gateway configuration block (#46916)
restore_backup_arn argument (#47068)
KinesisStreams as a value for action.target.key (#47010)
VPCEndpoints as a value for action.target.key (#47045)
user block to Optional (#46883)
firewall_policy.enable_tls_session_holding argument (#47065)
filters.aws_account_name configuration block (#47027)
filters.compliance_associated_standards_id configuration block (#47027)
filters.compliance_security_control_id configuration block (#47027)
filters.compliance_security_control_parameters_name configuration block (#47027)
filters.compliance_security_control_parameters_value configuration block (#47027)
BUG FIXES:
@region suffix when using resource-level region attribute (#47043)
Provider produced inconsistent result after apply error when environment variables are defined in non-alphabetical order (#46771)
Provider returned invalid result object after apply errors where computed attributes remained unknown after create (#47012)
user block (#46883)
Unable to unmarshal DynamicValue error when statement.managed_rule_group_statement.rule_action_override block is specified (#46998)
WAFOptimisticLockException errors when multiple associations target the same Web ACL (#47037)
v6.37.0
BREAKING CHANGES:
resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values (#46788)
NOTES:
offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#46959)
FEATURES:
aws_ec2_transit_gateway_metering_policy (#46812)
aws_iam_user (#46869)
aws_s3_bucket_ownership_controls (#46832)
aws_wafv2_web_acl_rule (#46682)
aws_workmail_organization (#46692)
aws_ec2_transit_gateway_metering_policy_entry (#46812)
ENHANCEMENTS:
schedule.status argument (#46037)
shard_instance_count argument (#46938)
bucket_namespace argument in support of account regional namespaces for general purpose buckets (#46917)
BUG FIXES:
savings_plan_offering_id during read (#46959)
authorizer_configuration.custom_jwt_authorizer. This fixes a regression introduced in v6.36.0 (#46908)
EOF errors when retrieving the activation key (#46958)
key_schema syntax deleting all GSIs (#46602)
MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore errors when updating cpu_options.core_count or cpu_options.threads_per_core (#46879)
resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values. Previously, attempting to use resource_data.lf_tag.value would result in missing required field errors (#46788)
client_authentication.sasl block (#42163)
client_authentication.tls block (#42163)
client_authentication.sasl blocks (#42163)
client_authentication.tls blocks (#42163)
savings_plan_offering_id during read to prevent forced replacement following import (#46959)
enable_machine_learning in aws_managed_rules_bot_control_rule_set incorrectly defaulting to false instead of reflecting the AWS default of true (#46682)
v6.36.0
NOTES:
GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#46820)
FEATURES:
aws_iam_outbound_web_identity_federation (#46503)
aws_sts_web_identity_token (#46173)
aws_s3_bucket_versioning (#46802)
ENHANCEMENTS:
authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#46828)
resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#46813)
open_table_format_input.iceberg_input.iceberg_table_input argument (#46843)
view_definition argument (#46843)
open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#46843)
parameters, storage_descriptor, and table_type to Optional and Computed (#46843)
ip_set_id attribute (#46703)
arn and destination_id attributes (#46703)
threat_intel_set_id attribute (#46703)
rule.destination.destination_logs_configuration.log_group_name_configuration block (#46811)
BUG FIXES:
EntityNotFoundException errors (#46843)
growth_factor (#46810)
private_dns_enabled when vpc_endpoint_type is Interface (#46800)
network_interface_ids attribute when changing subnet_configuration or subnet_ids (#46800)
VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#46823)
v6.35.1
BUG FIXES:
LifecycleRuleAndOperator while flattening configuration (#46778)
v6.35.0
FEATURES:
aws_ecs_service (#46678)
aws_lb (#46660)
aws_lb_listener (#46679)
aws_lb_listener_rule (#46731)
aws_lb_target_group (#46662)
aws_sns_topic (#46744)
aws_sns_topic_subscription (#46738)
aws_observabilityadmin_telemetry_pipeline (#46698)
aws_sagemaker_mlflow_app (#45565)
ENHANCEMENTS:
layer_version_arn argument to support cross-account Lambda layer access (#46673)
job_level_cost_allocation_configuration block (#46107)
resource_share_configuration block (#46715)
BUG FIXES:
split_charge_rule targets from TypeSet to TypeList to retain order (#42856)
InvalidParameterCombinationException errors when oracle_settings is configured (#46689)
replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#46670)
v6.34.0
FEATURES:
aws_ec2_secondary_network(#46552)aws_ec2_secondary_subnet(#46552)aws_ecr_task_definition(#46628)aws_elb(#46639)aws_s3_bucket_lifecycle_configuration(#46531)aws_networkmanager_prefix_list_association(#46566)ENHANCEMENTS:
kms_key_idattribute (#46584)network_typeandip_discoveryattributes (#46636)configuration.query_results_s3_access_grants_configurationargument (#46376)metadata_configurationblock for HTTP header and query parameter propagation (#45808)auth_parameters.connectivity_parametersargument (#41561)service_connect_configuration.access_log_configurationargument (#45820)kms_key_idargument (#46584)cpu_options.core_count,cpu_options.nested_virtualization, andcpu_options.threads_per_coreto be updated in-place (#46568)network_typeandip_discoveryarguments (#46636)jwt_optionsattribute (#46439)managed_rule_group_configswithinmanaged_rule_groupand root-levelvisibility_configblock for CloudWatch metrics configuration (#44426)BUG FIXES:
mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#46616)
statement.principals.identifiers contains a non-string value (#46226)
couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#46622)
credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#46127)
data_filter_expression.dimensions.values (#46462)
encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#46150)
ResourceInUse error when creating multiple image versions concurrently (#44694)
InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#46102)
v6.33.0
FEATURES:
aws_networkmanager_attachment_routing_policy_label (#46489)
ENHANCEMENTS:
cpu_options.nested_virtualization and network_performance_options attributes (#46540)
custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
filter_expression attribute (#46501)
access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefix arguments to the oracle_settings configuration block (#46516)
use_update_lookup argument to mongodb_settings configuration block (#46253)
nested_virtualization attribute to cpu_options configuration block (#46533)
nested_virtualization attribute to cpu_options configuration block (#46533)
secondary_interfaces configuration block (#46540)
qna_intent_configuration attribute (#46419)
domain_settings.trusted_identity_propagation_settings argument (#44965)
BUG FIXES:
runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#46478)
ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#46475)
serverless_v2_scaling_configuration without forcing cluster replacement (#45049)
ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#46496)
cidr_block when allocating a subnet from an IPAM resource pool. (#46453)
expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#46515)
v6.32.1
BUG FIXES:
couldn't find resource error during creation when waiting for capacity to be satisfied (#46452)
s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#46455)
key_schema with a single range key on a global secondary index (#46442)
auth_token references another resource (#46454)
v6.32.0
FEATURES:
aws_ecr_repository (#46344)
aws_lambda_permission (#46341)
aws_route (#46370)
aws_route53_resolver_rule_association (#46349)
aws_route_table (#46337)
aws_s3_directory_bucket (#46373)
aws_secretsmanager_secret (#46318)
aws_secretsmanager_secret_version (#46342)
aws_vpc_security_group_egress_rule (#46368)
aws_vpc_security_group_ingress_rule (#46367)
aws_ec2_secondary_network (#46408)
aws_ec2_secondary_subnet (#46408)
ENHANCEMENTS:
secondary_network_interface argument (#46408)
use_as property to create special RLS rules dataset (#42687)
BUG FIXES:
configuration.result_configuration or child attributes. (#46427)
custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#46375)
network_access_control is configured with empty prefix_list_ids and vpce_ids (#45637)
v6.31.0
NOTES:
expected_bucket_owner attribute. (#46262)
expected_bucket_owner attribute from Resource Identity. (#46272)
expected_bucket_owner and acl attribute from Resource Identity. (#46272)
FEATURES:
aws_account_regions (#41746)
aws_ecrpublic_authorization_token (#45841)
aws_cloudwatch_event_rule (#46304)
aws_cloudwatch_event_target (#46297)
aws_cloudwatch_metric_alarm (#46268)
aws_iam_role_policy (#46293)
aws_lambda_function (#46295)
aws_s3_bucket_acl (#46305)
aws_s3_bucket_policy (#46312)
aws_s3_bucket_public_access_block (#46309)
aws_ssoadmin_customer_managed_policy_attachments_exclusive (#46191)
ENHANCEMENTS:
serverless_vector_acceleration to aiml_options (#45882)
BUG FIXES:
auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#45518)
aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#45893)
user_group_id removal during modification. (#45571)
UnauthorizedOperation error when detaching resource that does not have an attachment (#46211)
v6.30.0
FEATURES:
aws_ssoadmin_managed_policy_attachments_exclusive (#46176)
BUG FIXES:
global_secondary_index or global_secondary_index.key_schema are dynamic (#46195)
v6.29.0
NOTES:
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
region attribute, as the resource is global. (#46185)
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
FEATURES:
aws_arcregionswitch_plan (#43781)
aws_arcregionswitch_route53_health_checks (#43781)
aws_organizations_entity_path (#45890)
aws_resourcegroupstaggingapi_required_tags (#45994)
aws_s3_bucket_object_lock_configuration (#45990)
aws_s3_bucket_replication_configuration (#42662)
aws_s3control_access_points (#45949)
aws_s3control_multi_region_access_points (#45974)
aws_savingsplans_savings_plan (#45834)
aws_wafv2_managed_rule_group (#45899)
aws_appflow_connector_profile (#45983)
aws_appflow_flow (#45980)
aws_cleanrooms_collaboration (#45953)
aws_cleanrooms_configured_table (#45956)
aws_cloudfront_key_value_store (#45957)
aws_opensearchserverless_collection (#46001)
aws_route53_record (#46059)
aws_s3_bucket (#46004)
aws_s3_object (#46002)
aws_security_group (#46062)
aws_apigatewayv2_routing_rule (#42961)
aws_arcregionswitch_plan (#43781)
aws_cloudfront_anycast_ip_list (#43331)
aws_notifications_managed_notification_account_contact_association (#45185)
aws_notifications_managed_notification_additional_channel_association (#45186)
aws_notifications_organizational_unit_association (#45197)
aws_notifications_organizations_access (#45273)
aws_opensearch_application (#43822)
aws_ram_permission (#44114)
aws_ram_resource_associations_exclusive (#45883)
aws_sagemaker_labeling_job (#46041)
aws_sagemaker_model_card (#45993)
aws_sagemaker_model_card_export_job (#46009)
aws_savingsplans_savings_plan (#45834)
aws_sesv2_tenant_resource_association (#45904)
aws_vpc_security_group_rules_exclusive (#45876)
ENHANCEMENTS:
routing_mode argument to support dynamic routing via routing rules (#42961)
routing_mode argument to support dynamic routing via routing rules (#42961)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
global_secondary_index.key_schema attribute (#46157)
segment_actions.routing_policy_names argument (#45928)
body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#46163)
source_resource attribute (#44705)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#45966)
vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#46056)
certificate_rotation_restart argument (#45984)
stream_view_type is set and stream_enabled is either false or unset. (#45934)
BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#46092)
domain_join_service_account_secret argument to self_managed_active_directory configuration block (#45852)
self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#45852)
rules to a single element. (#46185)
memory_size from 10240 MB to 32768 MB (#46065)
network_performance_options argument (#46071)
pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#44881)
monitoring_schedule_config.monitoring_job_definition argument (#45951)
monitoring_schedule_config.monitoring_job_definition_name argument optional (#45951)
source_resource argument in support of provisioning of VPC Resource Planning Pools (#44705)
organizational_unit_exclusion argument (#45890)
ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#44705)
ipv6_cidr_block to Optional and Computed (#44705)
BUG FIXES:
rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#45909)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
attachment_routing_policy_rules.action.associate_routing_policies is empty (#46160)
region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
configuration.result_configuration.encryption_configuration argument (#46159)
Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#45972)
model_source is set (#45713)
auto_deployment with permission_model set to SERVICE_MANAGED (#45992)
runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#45873)
origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#45921)
InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#46110)
warm_throughput in global_secondary_index when not set in configuration. (#46094)
name is known after apply (#45917)
kubernetes_network_config argument name in EKS Auto Mode validation error message (#45997)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
health_check.protocol from HTTP to TCP when protocol is TCP (#46036)
firewall_policy.stateful_rule_group_reference.resource_arn (#46124)
delete_associated_resources being set when value is unknown (#45636)
partition_count (#45042)
iam_database_authentication_enabled when restored from snapshot (#39461)
port now works. (#45870)
ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#46137)
regions argument as Computed to fix an unexpected regions diff when it is not specified (#45829)
InvalidChangeBatch errors during ForceNew operations when zone name changes (#45242)
Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#45958)
UnsupportedArgument errors during tag-on-create operations (#46122)
MethodNotAllowed errors when S3 Control APIs are unavailable (#46122)
ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#46043)
ip_address_type (#45947)
v6.28.0
NOTES:
FEATURES:
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_kms_alias (#45700)
aws_sqs_queue (#45691)
aws_cloudfront_connection_function (#45664)
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_cloudfront_multitenant_distribution (#45535)
aws_dynamodb_global_secondary_index (#44999)
aws_ecr_pull_time_update_exclusion (#45765)
aws_organizations_tag (#45730)
aws_redshift_idc_application (#37345)
aws_secretsmanager_tag (#45825)
aws_sesv2_tenant (#45706)
ENHANCEMENTS:
endpoint_access_mode attribute (#45741)
endpoint_network_type and target_connection_network_type attributes (#45634)
tags attribute (#45766)
rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
saml_provider_uuid attribute (#45707)
response_streaming_invoke_arn attribute (#45652)
code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#45711)
target_ips attribute (#45492)
dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#45679)
service_region and vpc_endpoint_type from attributes to arguments for filtering (#45679)
elasticloadbalancing:loadbalancer tag type (#45671)
elasticloadbalancing:listener tag type (#45671)
elasticloadbalancing:listener-rule tag type (#45671)
elasticloadbalancing:targetgroup tag type (#45671)
endpoint_access_mode argument and configurable timeout for create and update (#45741)
customer_content_encryption_configuration argument (#45744)
enable_minimum_encryption_configuration argument (#45744)
monitoring_configuration argument (#45744)
connection_function_association and viewer_mtls_config arguments (#45847)
owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#45011)
apply_on_transformed_logs argument (#45826)
emit_system_fields argument (#45760)
endpoint_network_type and target_connection_network_type arguments (#45634)
rds:db tag type (#45671)
rds:global-cluster tag type (#45671)
tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#45766)
CREATE_ON_PUSH as a valid value for applied_for (#45720)
managed_instances_provider.instance_launch_template.capacity_option_type argument (#45667)
fsx:file-system tag type (#45671)
fsx:file-system tag type (#45671)
fsx:file-system tag type (#45671)
fsx:snapshot tag type (#45671)
fsx:volume tag type (#45671)
fsx:file-system tag type (#45671)
finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#45758)
delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#42054)
saml_provider_uuid attribute (#45707)
serial_number attribute (#45751)
logging_configuration argument (#45749)
logging_configuration argument (#45749)
resource_group_arn (#45688)
rules_package_arns and target_arn (#45688)
provisioned_poller_config.poller_group_name argument (#45313)
kafka://topic-name) for destination_config.on_failure.destination_arn argument (#45802)
response_streaming_invoke_arn attribute (#45652)
code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#44858)
invoked_via_function_url argument (#44858)
quic_server_id argument (#45666)
target_group_arn (#45666)
rds:cluster tag type (#45671)
rds:db tag type (#45671)
rds:global-cluster tag type (#45671)
routing_policy_label argument. This functionality requires the networkmanager:PutAttachmentRoutingPolicyLabel and networkmanager:RemoveAttachmentRoutingPolicyLabel IAM permissions (#45728)
pipeline_role_arn argument to support specifying an IAM role at the pipeline level (#45806)
rds:cluster tag type (#45671)
consumer_region (#45688)
dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#45711)
endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#45745)
dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#45679)
private_dns_enabled argument (#45673)
tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#45781)
BUG FIXES:
proxy_endpoint when registry_id is specified (#45754)
account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#45788)
service_region attribute (#45679)
user_agent values where the product name contains a forward slash (#45715)
node_properties has NodeRangeProperties.ecsProperties set (#45676)
PutSubscriptionFilter: RetryValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#43762)
reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#45780)
private_dns_enabled argument is now marked as ForceNew (#45679)
v6.27.0
FEATURES:
aws_organizations_account (#45543)
user_agent (#45464)
aws_kms_key (#45514)
aws_cloudfront_trust_store (#45534)
ENHANCEMENTS:
root_domain_unit_id attribute (#44964)
routing_policies and attachment_routing_policy_rules arguments (#45246)
rni_enhanced_metrics_enabled attribute (#45630)
target_name_server_metrics_enabled attribute (#45630)
user_agent argument (#45464)
provider_meta block is now supported. The user_agent argument enables module authors to include additional product information in the User-Agent header sent during all AWS API requests made during Create, Read, Update, and Delete operations. (#45464)
knowledge_base_configuration.kendra_knowledge_base_configuration argument (#44388)
knowledge_base_configuration.sql_knowledge_base_configuration and storage_configuration.neptune_analytics_configuration arguments (#45465)
storage_configuration.mongo_db_atlas_configuration argument (#37220)
storage_configuration.opensearch_managed_cluster_configuration argument (#44060)
storage_configuration.s3_vectors_configuration block (#45468)
knowledge_base_configuration.vector_knowledge_base_configuration and storage_configuration optional (#44388)
cache.cache_namespace argument (#45584)
root_domain_unit_id argument (#44964)
code_sha256 is now optional and computed (#45618)
routing_policy_label argument (#45246)
bgp_options.peer_asn (#45246)
configuration.bgp_configurations.peer_asn (#45639)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
rni_enhanced_metrics_enabled argument (#45630)
target_name_server_metrics_enabled argument (#45630)
private_dns_enabled and dns_options arguments (#45619)
BUG FIXES:
attachment_policies.conditions.type to allow account instead of account-id (#45246)
knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration and knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration as ForceNew (#45465)
global_secondary_index when using ignore_changes lifecycle meta-argument (#41113)
NoSuchEntity errors when name and tags arguments are both updated (#45608)
excluded_column_names ordering causing "Provider produced inconsistent result after apply" errors (#45453)
bgp_options and bgp_options.peer_asn to Optional, Computed and ForceNew (#45639)
endpoint rule error, AccountId must only contain a-z, A-Z, 0-9 and `-` errors when the provider is configured with skip_requesting_account_id = true. This fixes a regression introduced in v6.23.0 (#45576)
v6.26.0
FEATURES:
aws_batch_job_definition (#45401)
aws_codebuild_project (#45400)
aws_lambda_capacity_provider (#45467)
aws_ssm_parameter (#45512)
aws_iam_outbound_web_identity_federation (#45217)
ENHANCEMENTS:
upgrade_rollout_order attribute (#45527)
update_config block including update_strategy attribute (#41487)
upgrade_rollout_order attribute (#45527)
session_summary_configuration.max_recent_sessions argument (#45449)
upgrade_rollout_order attribute (#45527)
update_config.update_strategy attribute (#41487)
application_configuration.application_encryption_configuration argument (#45356)
FLINK-1_20 as a valid value for runtime_environment (#45356)
odb_network_arn for resource sharing model. (#45509)
upgrade_rollout_order attribute (#45527)
encryption_configuration block (#45470)
metadata_configuration block (#45470)
BUG FIXES:
encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
timeout_milliseconds validation to allow up to 900,000 ms when response_transfer_mode is STREAM (#45482)
logging_config.s3_config.bucket_name, logging_config.cloudwatch_config.log_group_name, logging_config.cloudwatch_config.role_arn, and logging_config.cloudwatch_config.large_data_delivery_s3_config.bucket_name as Required (#45469)
encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
image_config has null values set in config (#45511)
event_pattern argument is not specified in config (#45524)
vpc_config.security_group_ids and vpc_config.subnets as ForceNew (#45491)
v6.25.0
FEATURES:
aws_cloudwatch_log_transformer (#44300)
aws_eks_capability (#45326)
ENHANCEMENTS:
rule.scan_action and scan_setting attributes (#45392)
deletion_protection_enabled attribute (#45298)
encryption_support attribute (#45317)
durable_config attribute (#45359)
health_check_logs attribute (#45269)
target_control_port attribute (#45270)
enable_accelerated_recovery attribute (#45302)
egress_config attribute to expose VPC Lattice connectivity configuration (#45314)
tenancy attribute (#43134)
integration_target argument (#45311)
response_transfer_mode argument (#45329)
configuration.managed_query_results_configuration block (#44273)
rule.scan_action and scan_setting configuration blocks (#45392)
interceptor_configuration argument (#45344)
deletion_protection_enabled argument (#45298)
encryption_support argument (#45317)
regional_nat_gateway_id argument (#45380)
plaintext_wo and plaintext_wo_version arguments to support write-only input (#43592)
durable_config argument (#45359)
health_check_logs configuration block (#45269)
target_control_port argument to support the ALB Target Optimizer (#45270)
accept_role_session_name argument (#45391)
managed_policy_arns and role_arns (#45391)
enable_accelerated_recovery argument (#45302)
calendar_names argument (#45363)
egress_config argument to support VPC Lattice connectivity for SFTP connectors (#45314)
url argument optional to support VPC Lattice connectors (#45314)
tenancy argument (#43134)
v6.24.0
FEATURES:
aws_lambda_capacity_provider (#45342)
aws_s3tables_table_bucket_replication (#45360)
aws_s3tables_table_replication (#45360)
aws_s3vectors_index (#43393)
aws_s3vectors_vector_bucket (#43393)
aws_s3vectors_vector_bucket_policy (#43393)
ENHANCEMENTS:
capacity_provider_config attribute (#45342)
auto_provision_zones, auto_scaling_ips, availability_mode, availability_zone_address, regional_nat_gateway_address, and route_table_id attributes (#45240)
target_logically_air_gapped_backup_vault_arn argument to rule block (#45321)
capacity_provider_config and publish_to arguments (#45342)
id. Use arn instead. (#45345)
id. Use arn instead. (#45345)
subnet_id argument optional to support regional NAT Gateways (#45420)
availability_mode, availability_zone_address, and vpc_id arguments, and auto_provision_zones, auto_scaling_ips, regional_nat_gateway_address, and route_table_id attributes. This functionality requires the ec2:DescribeAvailabilityZones IAM permission (#45240)
bgp_log_enabled, bgp_log_group_arn, and bgp_log_stream_arn arguments to tunnel1_log_options.cloudwatch_log_options and tunnel2_log_options.cloudwatch_log_options blocks (#45271)
v6.23.0
NOTES:
TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#45251)
FEATURES:
aws_ecs_express_gateway_service (#45235)
aws_s3_bucket_abac (#45251)
aws_vpc_encryption_control (#45263)
aws_vpn_concentrator (#45175)
ENHANCEMENTS:
tenant_id argument (#45170)
control_plane_scaling_config attribute (#45258)
tenancy_config attribute (#45170)
tenant_id argument (#45170)
vpn_concentrator_id attribute (#45175)
managed_instances_provider.infrastructure_optimization argument (#45142)
network_type argument (#45140)
supported_network_types attribute (#45140)
control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#45258)
tenancy_config argument (#45170)
tenant_id argument (#45170)
s3:TagResource permission is present (#45251)
s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#45251)
vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#45175)
v6.22.1
ENHANCEMENTS:
INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#45159)
rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#45073)
BUG FIXES:
interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#45202)
v6.22.0
NOTES:
blocked_encryption_types argument to manage this behavior for specific buckets. (#45105)
FEATURES:
aws_ecr_authorization_token (#44949)
Tag Policy Compliance (#45143)
aws_billing_view (#45097)
aws_vpclattice_domain_verification (#45085)
ENHANCEMENTS:
default_action.jwt_validation attribute (#45089)
action.jwt_validation attribute (#45089)
tags only or by vpc_id only (#39671)
tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#45143)
encryption_key_arn argument (#45020)
input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#45104)
storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#45075)
agent_runtime_artifact.code_configuration block (#45091)
agent_runtime_artifact.container_configuration block optional (#45091)
global_table_witness argument (#43908)
scaling_strategy and utilization_performance_index arguments (#45132)
log_configuration.cloudwatch_logs_configuration.log_group_arn (#35941)
Functions to action.*.target (#41209)
jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#45089)
jwt-validation as a valid action.type and add action.jwt_validation configuration block (#45089)
SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#45135)
destination.cloudwatch_logs.log_group_arn (#35941)
logging_configuration.log_group_arn (#35941)
rule.blocked_encryption_types argument (#45105)
container.additional_model_data_source and primary_container.additional_model_data_source arguments (#44407)
logging_configuration.log_destination (#35941)
engine_type attribute (#44899)
timestream-influxdb:GetDbParameterGroup IAM permission (#44899)
custom_domain_name and domain_verification_id arguments and domain_verification_arn and domain_verification_status attributes to support custom domain names for resource configurations (#45085)
tunnel_bandwidth argument to support higher bandwidth tunnels (#45070)
BUG FIXES:
storage-config-upgrade and storage-initialization statuses (#41275)
ResourceName for option settings and preventing duplicate add/remove operations (#45077)
region argument (#45083)
AWS resource not found during refresh warnings causing resource replacement when ReadOnly s3express:SessionMode is enforced (#45086)
target_type argument to required (#45092)
allocated_storage, bucket, organization, username, and password optional to support InfluxDB V3 clusters (#44899)
v6.21.0
BREAKING CHANGES:
network_configuration.network_mode_config to network_configuration.vpc_config (#44828)
FEATURES:
aws_dynamodb_create_backup (#45001)
aws_networkflowmonitor_monitor (#44782)
aws_networkflowmonitor_scope (#44782)
aws_observabilityadmin_centralization_rule_for_organization (#44806)
ENHANCEMENTS:
capacity_provider_strategy, created_at, created_by, deployment_configuration, deployment_controller, deployments, enable_ecs_managed_tags, enable_execute_command, events, health_check_grace_period_seconds, iam_role, network_configuration, ordered_placement_strategy, pending_count, placement_constraints, platform_family, platform_version, propagate_tags, running_count, service_connect_configuration, service_registries, status, and task_sets attributes (#44842)
target_configuration.mcp.mcp_server block (#44991)
credential_provider_configuration block optional (#44991)
delivery_destination_type and delivery_destination_configuration optional to support AWS X-Ray as a destination (#44995)
LINEAR and CANARY deployment strategies with deployment_configuration.linear_configuration and deployment_configuration.canary_configuration blocks (#44842)
java25 runtime value (#45024)
nodejs24.x runtime value (#45024)
python3.14 runtime value (#45024)
java25 compatible_runtimes value (#45024)
nodejs24.x compatible_runtimes value (#45024)
python3.14 compatible_runtimes value (#45024)
execution_role_arn argument and make model_name optional in production_variants and shadow_production_variants blocks to support Inference Components (#44977)
AuthorizationError ... is not authorized to perform: iam:PassRole on resource ... IAM eventual consistency errors on Create and Update (#45018)
BUG FIXES:
region argument (#45023)
region argument (#45064)
ValidationException: Value null at 'jobTemplateData.configurationOverrides.monitoringConfiguration.cloudWatchMonitoringConfiguration.logGroupName' failed to satisfy constraint: Member must not be null error (#45029)
setting job_template_data: job_template_data.0.configuration_overrides.0.application_configuration.0: '' expected a map, got 'slice' error (#45029)
job_template_data.job_driver.configuration_overrides.monitoring_configuration.persistent_app_ui argument as computed (#45029)
Provider returned invalid result object after apply error occurred when updating the resource (#45030)
domain_name to domain_name and account separated by a comma (#44982)
endpoint_config_name was not correctly updated, causing the endpoint to retain the old configuration (#42843)
redacted_fields.single_header.name (#44987)
v6.20.0
FEATURES:
- `aws_ec2_allowed_images_settings` (#44800)
- `aws_fis_target_account_configuration` (#44875)
- `aws_invoicing_invoice_unit` (#44892)

ENHANCEMENTS:
- `media_concurrencies.cross_channel_behavior` attribute (#44934)
- `node_group_configuration` attribute to expose node group details including availability zones, replica counts, and slot ranges (#44879)
- `max_record_size_in_kib` attribute (#44915)
- `identity_center_options` attribute (#44626)
- `us-isob-west-1` as a valid AWS Region (#44944)
- `logging_v1_enabled` attribute (#44838)
- `media_concurrencies.cross_channel_behavior` argument (#44934)
- `destination_cidr_block` (#44926)
- `ip_address_type` argument (#44616)
- `max_parallel_nodes_repaired_count`, `max_parallel_nodes_repaired_percentage`, `max_unhealthy_node_threshold_count`, `max_unhealthy_node_threshold_percentage`, and `node_repair_config_overrides` to the `node_repair_config` schema (#44894)
- `node_group_configuration` block to support availability zone specification and snapshot restoration for cluster mode enabled replication groups (#44879)
- `timeout` is unconfigured for Ray jobs (#35012)
- `max_record_size_in_kib` argument to support Kinesis 10MiB payloads. This functionality requires the `kinesis:UpdateMaxRecordSize` IAM permission (#44915)
- `identity_center_options` configuration block (#44626)
- `TransferSecurityPolicy-AS2Restricted-2025-07` `security_policy_name` value (#44865)
- `TransferSecurityPolicy-AS2Restricted-2025-07` as a valid value for `security_policy_name` (#44652)

BUG FIXES:
- `Source type "...cloudfront.stagingDistributionDNSNamesModel" does not implement attr.Value` error. This fixes a regression introduced in v6.17.0 (#44972)
- `logging_config.bucket` argument from `Required` to `Optional` (#44838)
- `logging_config.include_cookies` argument while keeping V1 logging disabled (#44838)
- `Source type "...cloudfront.originSSLProtocolsModel" does not implement attr.Value` and `missing required field, CreateVpcOriginInput.VpcOriginEndpointConfig` errors. This fixes a regression introduced in v6.17.0 (#44861)
- `0`) value for `timeout` for Apache Spark streaming ETL jobs. This allows the job to be configured with no timeout (#44920)
- `catalog_id`, `database.catalog_id`, `table.catalog_id`, and `table_with_columns.catalog_id` arguments (#44890)
- `""`) value for `block_device_mappings.ebs.kms_key_id`. This fixes a regression introduced in v6.16.0 (#44708)

v6.19.0
FEATURES:
- `aws_ecrpublic_images` (#44795)
- `aws_lakeformation_identity_center_configuration` (#44867)

ENHANCEMENTS:
- `log_type` is `Tail` (#44843)
- `ami_tags` attribute (#44731)
- `regex_values` attribute to `condition.host_header`, `condition.http_header` and `condition.path_pattern` blocks (#44741)
- `transform` attribute (#44702)
- `authorizer_configuration` and `authorizer_type` config (#44826)
- `monitoring_configuration` argument (#43317)
- `runtime_configuration` argument (#43302)
- `arn` attribute. (#44867)
- `ami_tags` argument (#44731)
- `regex_values` argument to `condition.host_header`, `condition.http_header` and `condition.path_pattern` blocks (#44741)
- `transform` configuration block (#44702)
- `values` argument in `condition.host_header`, `condition.http_header` and `condition.path_pattern` is now optional (#44741)
- `physical_table_map.relational_table.name` from 64 to 256 characters (#44807)
- `notebook-al2023-v1` to valid `platform_identifier` values (#44570)
- `account_id` and `region` from Resource Identity schema (#44846)
- `account_id` and `region` from Resource Identity schema (#44846)
- `account_id` and `region` from Resource Identity schema (#44846)
- `account_id` and `region` from Resource Identity schema (#44846)

BUG FIXES:
- `principal`. (#44867)
- `authorizer_configuration` block from `Required` to `Optional` (#44812)
- `authorizer_type` argument as `ForceNew` (#44812)
- `principal`. (#44867)

v6.18.0
NOTES:
- `accounts.status` and `non_master_accounts.status` attributes are deprecated. Use the `accounts.state` and `non_master_accounts.state` attributes instead. (#44327)
- `accounts.status` attribute is deprecated. Use `accounts.state` instead. (#44327)
- `accounts.status` attribute is deprecated. Use `accounts.state` instead. (#44327)
- `status` attribute is deprecated. Use `state` instead. (#44327)
- `accounts.status` and `non_master_accounts.status` attributes are deprecated. Use the `accounts.state` and `non_master_accounts.state` attributes instead. (#44327)

FEATURES:
- `aws_iam_policy` (#44703)
- `aws_iam_role_policy_attachment` (#44739)
- `aws_bedrockagentcore_memory` (#44306)
- `aws_bedrockagentcore_memory_strategy` (#44306)
- `aws_bedrockagentcore_oauth2_credential_provider` (#44307)
- `aws_bedrockagentcore_token_vault_cmk` (#44606)
- `aws_bedrockagentcore_workload_identity` (#44308)

ENHANCEMENTS:
- `path_prefix` attribute (#44703)
- `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` and `non_master_accounts` blocks (#44327)
- `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` block (#44327)
- `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` block (#44327)
- `certificate_based_auth_properties` argument (#44679)
- `path` attribute (#44703)
- `delete_associated_resources` attribute to enable practitioner to delete associated oci resource. (#44754)
- `state` attribute (#44327)
- `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` and `non_master_accounts` blocks (#44327)

BUG FIXES:
- `tags` attribute (#44761)
- `additional_configuration` block to ignore ordering (#44627)

v6.17.0
NOTES:
FEATURES:
- `aws_rds_global_cluster` (#37286)
- `aws_vpn_connection` (#44622)
- `aws_subnet` (#44671)
- `aws_vpc` (#44609)
- `aws_bedrockagentcore_agent_runtime` (#44301)
- `aws_bedrockagentcore_agent_runtime_endpoint` (#44301)
- `aws_bedrockagentcore_api_key_credential_provider` (#44302)
- `aws_bedrockagentcore_browser` (#44303)
- `aws_bedrockagentcore_code_interpreter` (#44304)
- `aws_bedrockagentcore_gateway` (#44305)
- `aws_bedrockagentcore_gateway_target` (#44305)

ENHANCEMENTS:
- `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
- `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
- `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
- `admin_pro_group`, `author_pro_group`, and `reader_pro_group` arguments (#44638)

BUG FIXES:
- `inconsistent final plan` errors (#44542)
- `source_code_hash`, `s3_bucket`, `s3_key`, `s3_object_version` and `filename`) to their previous values when an update operation fails (#42829)

v6.16.0
FEATURES:
- `aws_transcribe_start_transcription_job` (#44445)
- `aws_odb_cloud_autonomous_vm_clusters` (#44336)
- `aws_odb_cloud_exadata_infrastructures` (#44336)
- `aws_odb_cloud_vm_clusters` (#44336)
- `aws_odb_network_peering_connections` (#44336)
- `aws_odb_networks` (#44336)
- `aws_prometheus_resource_policy` (#44256)
- `aws_transfer_host_key` (#44559)
- `aws_transfer_web_app` (#42708)
- `aws_transfer_web_app_customization` (#42708)

ENHANCEMENTS:
- `auto_retry_limit` argument (#40035)
- `scheduler_configuration` block (#44589)
- `schema_registry_config` configuration blocks to `amazon_managed_kafka_event_source_config` and `self_managed_kafka_event_source_config` blocks (#44540)
- `ipv4_addresses_per_eni` argument (#44560)

BUG FIXES:
- `Missing Resource Identity After Update` errors for non-refreshed and failed updates of Plugin Framework based resources (#44518)
- `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values for Plugin Framework based resources (#44518)
- `glossary_terms`. (#44491)
- `unknown value` error when optional `account_identifier` is not specified. (#44491)
- `unknown value` error when optional `account_region` is not specified. (#44491)
- `unexpected state` error when deleting. (#44491)
- `blueprint_identifier` on creation. (#44491)
- `user_parameters` when importing. (#44491)
- `user_parameters` should not be updateable. (#44491)
- `LimitExceededException` (#44576)
- `maximum_message_rate_per_second` validation maximum to `100` (#44572)
- `kms_key_id` validation now accepts key ID, alias, and alias ARN in addition to key ARN (#44505)
- `ThrottlingException` errors (#24730)

v6.15.0
BREAKING CHANGES:
- `capacity_provider_strategy` to avoid ECS service recreation after recent AWS changes (#43533)

FEATURES:
- `aws_codebuild_start_build` (#44444)
- `aws_events_put_events` (#44487)
- `aws_sfn_start_execution` (#44464)
- `aws_appconfig_application` (#44168)
- `aws_odb_db_node` (#43792)
- `aws_odb_db_nodes` (#43792)
- `aws_odb_db_server` (#43792)
- `aws_odb_db_servers` (#43792)
- `aws_odb_db_system_shapes` (#43825)
- `aws_odb_gi_versions` (#43825)
- `aws_lakeformation_lf_tag_expression` (#43883)

ENHANCEMENTS:
- `mysql_settings` attribute (#44516)
- `location` attribute (#44328)
- `default_auth_scheme` attribute (#44309)
- `ip_address_type` argument to `origin.custom_origin_config` block (#44463)
- `mysql_settings` configuration block (#44516)
- `force_destroy`. (#44406)
- `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44514)
- `cluster` and `managed_instances_provider` arguments (#44509)
- `auto_scaling_group_provider` optional (#44509)
- `credential_age_days`, `service_credential_alias`, `service_credential_secret`, `create_date`, and `expiration_date` attributes (#44299)
- `enable_monitoring_dashboard` argument (#44515)
- `aiml_options` argument (#44417)
- `two_way_channel_arn` argument to accept `connect.[region].amazonaws.com` in addition to ARNs (#44372)
- `default_auth_scheme` argument (#44309)
- `auth` configuration block optional (#44309)
- `network_type` argument (#44377)
- `arn` argument (#44408)

BUG FIXES:
- `Invalid address to set: []string{"secondary_ips_auto_assigned_per_subnet"}` errors (#44485)
- `firewall_policy.stateful_rule_group_reference` attributes (#44482)
- `quota_name` was provided (#44449)
- `AttributeName("arn") still remains in the path: could not find attribute or block "arn" in schema` errors when upgrading from a pre-v6.0.0 provider version (#44434)
- `configuration_name` is modified (#43996)
- `LimitExceededException` (#44489)
- `LimitExceededException` (#44522)
- `ipv6_cidr_block` when the VPC has multiple associated IPv6 CIDRs (#44362)
- `postgres_settings` are updated (#44389)
- `deletion_protection_enabled` not set. (#44406)
- `compute_config`, `kubernetes_network_config.elastic_load_balancing`, and `storage_config.` to Optional and Computed, allowing EKS Auto Mode settings to be enabled, disabled, and removed from configuration (#44334)
- `inconsistent final plan` error in some cases with `setting` elements. (#44461)
- `inconsistent final plan` error in some cases with `setting` elements. (#44461)
- `provider produced unexpected value` for `cache_usage_limits` argument. (#43841)
- `metadata_configuration` first to allow simultaneous increase of `metadata_configuration.iops` and `storage_capacity` (#44456)
- `interface conversion: interface {} is nil, not map[string]interface {}` panics when `capacity_reservation_target` is empty (#44459)
- `application_configuration.run_configuration` values are respected during update (#43490)
- `database_insights_mode` with `global_cluster_identifier`. (#44404)
- `child_health_threshold` to properly accept explicitly specified zero value (#44006)
- `noncurrent_version_expiration.newer_noncurrent_versions` and `noncurrent_version_transition.newer_noncurrent_versions`. (#44442)
- `ipv6_cidr_block` when the VPC has multiple associated IPv6 CIDRs (#44362)

v6.14.1
NOTES:
BUG FIXES:
- `Missing Resource Identity After Update` errors for non-refreshed and failed updates (#44375)
- `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values (#44375)

v6.14.0
FEATURES:
- `aws_cloudfront_create_invalidation` (#43955)
- `aws_ec2_stop_instance` (#43700)
- `aws_lambda_invoke` (#43972)
- `aws_ses_send_email` (#44214)
- `aws_sns_publish` (#44232)
- `aws_billing_views` (#44272)
- `aws_odb_cloud_autonomous_vm_cluster` (#43809)
- `aws_odb_cloud_exadata_infrastructure` (#43650)
- `aws_odb_cloud_vm_cluster` (#43790)
- `aws_odb_network` (#43715)
- `aws_odb_network_peering_connection` (#43757)
- `aws_batch_job_queue` (#43960)
- `aws_cloudwatch_log_group` (#44129)
- `aws_iam_role` (#44129)
- `aws_instance` (#44129)
- `aws_controltower_baseline` (#42397)
- `aws_odb_cloud_autonomous_vm_cluster` (#43809)
- `aws_odb_cloud_exadata_infrastructure` (#43650)
- `aws_odb_cloud_vm_cluster` (#43790)
- `aws_odb_network` (#43715)
- `aws_odb_network_peering_connection` (#43757)

ENHANCEMENTS:
- `deployment_configuration.lifecycle_hook.hook_details` argument (#44289)
- `source_db_cluster_identifier` and `engine` arguments (#44252)
- `action_after_completion` argument (#44264)

BUG FIXES:
- `InvalidParameterValue: User xxx is not a member of user group xxx` errors during group modification (#43520)
- `async_inference_config.output_config.notification_config` block is specified (#44310)

v6.13.0
ENHANCEMENTS:
- `billing_view_arn` attribute (#44241)
- `warm_throughput` and `global_secondary_index.warm_throughput` attributes (#41308)
- `ap-southeast-5`, `ap-southeast-7`, `eu-south-2`, and `me-central-1` AWS Regions (#44132)
- `ap-southeast-6` AWS Region (#44132)
- `ap-southeast-6` AWS Region (#44132)
- `ap-southeast-6` AWS Region (#44132)
- `predictive_scaling_policy_configuration` argument (#44211)
- `policy_type` (#44211)
- `step_scaling_policy_configuration.adjustment_type` and `step_scaling_policy_configuration.metric_aggregation_type` (#44211)
- `input_action`, `output_action`, `input_enabled`, and `output_enabled` arguments to `word_policy_config.managed_word_lists_config` and `word_policy_config.words_config` configuration blocks (#44224)
- `billing_view_arn` argument (#44241)
- `origin.response_completion_timeout` argument (#44163)
- `pull_request_build_policy` configuration block (#44201)
- `warm_throughput` and `global_secondary_index.warm_throughput` arguments (#41308)
- `dualStackIPv6` as a valid value for `name` (#44165)
- `iceberg_configuration.run_rate_in_hours` argument to `retention_configuration` and `orphan_file_deletion_configuration` blocks (#44207)
- `address_definition` arguments in `source` and `destination` blocks within `rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rule.rule_definition.match_attributes` (#44215)
- `options.dns_support` and `options.security_group_referencing_support` arguments (#43742)
- `options` to Optional and Computed (#43742)
- `engine_version` argument (#44155)
- `schedule.retry_config` configuration block (#44244)

BUG FIXES:
- `interface conversion: interface {} is nil, not map[string]interface {}` panics when `step_scaling_policy_configuration` is empty (#44211)
- `reading Cognito Managed Login Branding by client ... couldn't find resource` errors when a user pool contains multiple client apps (#44204)
- `compute_config.node_role_arn` when disabling auto mode or built-in node pools (#42483)
- `Error decoding ... from prior state: unsupported attribute "log_group_name"` errors when upgrading from a pre-v6.0.0 provider version (#44191)
- `Error decoding ... from prior state: unsupported attribute "elastic_gpu_specifications"` errors when upgrading from a pre-v6.0.0 provider version (#44195)
- `feature_name` optional (#44143)
- `MethodNotAllowed` errors when deleting non-existent lifecycle configurations (#44189)
- `warning` when remote policy is invalid (#44228)
- `timeouts.read` arguments removed in v6.12.0 (#44238)

v6.12.0
NOTES:
- `access_control_policy.grant.grantee.display_name` attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
- `access_control_policy.owner.display_name` attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
- `target_grant.grantee.display_name` attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)

FEATURES:
- `aws_cognito_managed_login_branding` (#43817)

ENHANCEMENTS:
- `ip_address_type` and `ipv6_address` attributes (#44079)
- `placement_group_id` attribute (#38527)
- `source_kms_key_arn` attribute (#44080)
- `placement.group_id` attribute (#44097)
- `ap-southeast-6` as a valid AWS Region (#44127)
- `availability_zone_rebalancing` and change the attribute to Optional and Computed. This allows ECS to default to `ENABLED` for new resources compatible with AvailabilityZoneRebalancing and maintain an existing service's `availability_zone_rebalancing` value during update when not configured. If an existing service never had an `availability_zone_rebalancing` value configured and is updated, ECS will treat this as `DISABLED` (#43241)
- `ip_address_type` and `ipv6_address` arguments to support IPv6 connectivity (#44079)
- `user_and_group_quotas` argument (#44120)
- `user_and_group_quotas` argument (#44118)
- `placement_group_id` argument (#38527)
- `source_kms_key_arn` argument (#44080)
- `placement.group_id` argument (#44097)
- `run_config.ephemeral_storage` argument. (#44105)

BUG FIXES:
- `name` and `namespace` (#44072)
- `provisioning_parameters` and `provisioning_artifact_id` to the values from the last successful deployment when update fails (#43956)

v6.11.0
FEATURES:
- `aws_timestreaminfluxdb_db_cluster` (#42382)
- `aws_workspacesweb_browser_settings_association` (#43735)
- `aws_workspacesweb_data_protection_settings_association` (#43773)
- `aws_workspacesweb_identity_provider` (#43729)
- `aws_workspacesweb_ip_access_settings_association` (#43774)
- `aws_workspacesweb_network_settings_association` (#43775)
- `aws_workspacesweb_portal` (#43444)
- `aws_workspacesweb_session_logger` (#43863)
- `aws_workspacesweb_session_logger_association` (#43866)
- `aws_workspacesweb_trust_store` (#43408)
- `aws_workspacesweb_trust_store_association` (#43778)
- `aws_workspacesweb_user_access_logging_settings_association` (#43776)
- `aws_workspacesweb_user_settings_association` (#43777)

ENHANCEMENTS:
- `endpoint_ip_address_type` and `traffic_ip_address_type` attributes (#44059)
- `attachment.network_card_index` attribute (#42188)
- `verification_status` attribute (#44045)
- `signing_material` and `signing_parameters` attributes (#43921)
- `metered_account` attribute (#43967)
- `domain_version` and `service_role` arguments to support V2 domains (#44042)
- `copy_tags`, `create_interval`, `exclusions`, `extend_deletion`, `policy_language`, `resource_type` and `retain_interval` attributes to `policy_details` configuration block (#41055)
- `default_policy` argument (#41055)
- `policy_details.create_rule.scripts` argument (#41055)
- `policy_details.schedule.cross_region_copy_rule.target_region` argument (#33796)
- `policy_details.schedule.cross_region_copy_rule.target` optional (#33796)
- `policy_details.schedule.archive_rule` argument (#41055)
- `mode` argument in support of CloudWatch contributor insights modes (#43914)
- `endpoint_ip_address_type` and `traffic_ip_address_type` arguments to support IPv6 connectivity in Client VPN (#44059)
- `client_cidr_block` optional (#44059)
- `sigint_rollback` argument (#43986)
- `deployment_configuration` to Optional and Computed (#43986)
- `remote_network_config` to be updated in-place, enabling support for EKS hybrid nodes on existing clusters (#42928)
- `engine` to Optional and Computed (#42636)
- `code_repository_project_name`, `code_repository_provider_type`, `ecr_image_in_use_count`, and `ecr_image_last_in_use_at` in `filter_criteria` (#43950)
- `thing_principal_type` argument (#43916)
- `key_spec` argument (#44011)
- `key_usage` to Optional and Computed (#44011)
- `secondary_ips_auto_assigned_per_subnet` argument for Network Load Balancers (#43699)
- `worker_replacement_strategy` argument (#43946)
- `attachment.network_card_index` argument (#42188)
- `network_card_index` argument (#42188)
- `force_destroy` argument (#43922)
- `verification_status` attribute (#44045)
- `signing_parameters` argument (#43921)
- `vpc_config.ipv6_allowed_for_dual_stack` argument (#43989)
- `metered_account` argument (#43967)

BUG FIXES:
- `partition_keys.parameters` attribute (#26702)
- `email_mfa_configuration` block (#43926)
- `database_insights_mode` when using custom KMS key (#44050)
- `DescribeHostedConnections failed for connection dxcon-xxxx doesn't exist` by pointing to the correct connection ID when doing the describe. (#43499)
- `partition_keys.parameters` argument, fixing `Invalid address to set: []string{"partition_keys", "0", "parameters"}` errors (#26702)
- `block_device_mapping.ebs.iops` from `10000` to `100000` (#43981)
- `secondary_private_ip_addresses` (#43708)
- `network_interface.network_card_index` to Computed (#38336)
- `name` in `response_inspection.header` blocks for `AWSManagedRulesATPRuleSet` and `AWSManagedRulesACFPRuleSet` to avoid persistent plan diffs (#44032)

v6.10.0
NOTES:
- `network_interface` block has been deprecated. Use `primary_network_interface` for the primary network interface and `aws_network_interface_attachment` resources for other network interfaces. (#43953)
- `network_interface` block has been deprecated. Use `primary_network_interface` for the primary network interface and `aws_network_interface_attachment` resources for other network interfaces. (#43953)

ENHANCEMENTS:
- `image_tag_mutability_exclusion_filter` attribute (#43886)
- `image_tag_mutability_exclusion_filter` attribute (#43886)
- `image_tag_mutability_exclusion_filter` configuration block (#43886)
- `G.12X`, `G.16X`, `R.1X`, `R.2X`, `R.4X`, and `R.8X` as valid values for `worker_type` (#43988)

BUG FIXES:
- `SPOT_PRICE_CAPACITY_OPTIMIZED` strategy (#40148)
- `Provider produced inconsistent result after apply` error when `policy_detail.exclusion_rules.amis.is_public` is omitted (#43925)
- `primary_network_interface` to allow importing resources with custom primary network interface. (#43953)
- `database_insights_mode` when using custom KMS key (#43942)
- `primary_network_interface` to allow importing resources with custom primary network interface. (#43953)

v6.9.0
FEATURES:
- `aws_appsync_api` (#43787)
- `aws_appsync_channel_namespace` (#43787)

ENHANCEMENTS:
- `deletion_protection` attribute (#43779)
- `replica.deletion_protection_enabled` argument (#43240)
- `deletion_protection` argument (#43779)

BUG FIXES:
- `reserved_concurrent_executions` attribute when a published version exists. This functionality requires the `lambda:GetFunctionConcurrency` IAM permission (#43753)
- `firewall_policy.stateful_engine_options.flow_timeouts` (#43852)
- `account_takeover_risk_configuration.notify_configuration` optional (#33624)
- `service_connect_configuration` when deleted outside of Terraform (#43871)
- `reserved_concurrent_executions` attribute when a published version exists. This functionality requires the `lambda:GetFunctionConcurrency` IAM permission (#43753)
- `runtime error: invalid memory address or nil pointer dereference` panics when `GetTableMaintenanceConfiguration` returns an error (#43764)
- `user_profile_name` (#43807)
- `create`, to check if new value is less than current value of quota (#43545)
- `InvalidGatewayRequestException: The specified gateway is not connected` errors during Read by using the `ListGateways` API to return minimal information about a disconnected gateway. This functionality requires the `storagegateway:ListGateways` IAM permission (#43819)
- `netmask_length` not being saved and diffed correctly (#43262)

v6.8.0
FEATURES:
- `aws_networkfirewall_vpc_endpoint_association` (#43675)
- `aws_quicksight_custom_permissions` (#43613)
- `aws_quicksight_role_custom_permission` (#43613)
- `aws_quicksight_user_custom_permission` (#43613)
- `aws_wafv2_web_acl_rule_group_association` (#43561)

ENHANCEMENTS:
- `custom_permissions_name` attribute (#43613)
- `resource_arn` argument to enable finding web ACLs by resource ARN (#43597)
- `CLOUDFRONT` `scope` web ACLs using `resource_arn` (#43597)
- `input_action`, `output_action`, `input_enabled`, and `output_enabled` attributes to `sensitive_information_policy_config.pii_entities_config` and `sensitive_information_policy_config.regexes_config` configuration blocks (#43702)
- `AuroraDBClusterStorage` as a valid `resource_type` (#43677)
- `serverless_v2_scaling_configuration` argument in support of Amazon DocumentDB serverless (#43667)
- `image_tag_mutability_exclusion_filter` argument (#43642)
- `IMMUTABLE_WITH_EXCLUSION` and `MUTABLE_WITH_EXCLUSION` as valid values for `image_tag_mutability` (#43642)
- `force_destroy` argument that allows destruction even when `disable_api_termination` and `disable_api_stop` are `true` (#43722)
- `iceberg_configuration.append_only` argument (#43647)
- `iam_arn` (#43613)
- `user_name` to Optional and Computed (#43613)
- `IAM_IDENTITY_CENTER` as a valid value for `identity_type` (#43613)
- `RESTRICTED_AUTHOR` and `RESTRICTED_READER` as valid values for `user_role` (#43613)
- `max_message_size` from 256 KiB to 1024 KiB (#43710)

BUG FIXES:
- `inconsistent final plan` error when `compute_resource.launch_template.version` is unknown during an update (#43337)
- `created_at` becoming `null` on Update (#43654)
- `PrefixListVersionMismatch: The prefix list has the incorrect version number` errors when updating entry description (#43661)
- `disable_api_termination` is `true` (#43722)
- `maintenance_configuration` read failure (#43707)
- `image_name` regular expression validation (#43751)
- `network_type` as ForceNew if the value is not configured. This fixes a problem with `terraform apply -refresh=false` after upgrade from `v5.90.0` and below (#43534)
- `regular_expression` argument (#43693)

v6.7.0
FEATURES:
- `aws_quicksight_ip_restriction` (#43596)
- `aws_quicksight_key_registration` (#43587)

ENHANCEMENTS:
- `instance_type` attribute in `compute_configuration` block (#43449)
- `volume_initialization_rate` attribute (#43565)
- `load_balancer` attribute (#43582)
- `tags` attribute. This functionality requires the `s3:ListTagsForResource` IAM permission with S3 Access Points for general purpose buckets and the `s3express:ListTagsForResource` IAM permission with S3 Access Points for directory buckets (#43630)
- `deletion_protection` attribute (#43452)
- `configuration.identity_center_configuration` argument (#38717)
- `analytics_engine` argument (#43614)
- `instance_type` argument in `compute_configuration` block to support custom instance types (#43449)
- `volume_initialization_rate` argument (#43565)
- `tags` argument and `tags_all` attribute. This functionality requires the `s3:ListTagsForResource`, `s3:TagResource`, and `s3:UntagResource` IAM permissions with S3 Access Points for general purpose buckets and the `s3express:ListTagsForResource`, `s3express:TagResource`, and `s3express:UntagResource` IAM permissions with S3 Access Points for directory buckets (#43630)
- `deletion_protection` argument (#43452)

BUG FIXES:
- `missing required field, CreateFlowInput.Definition.Nodes[0].Configuration[prompt].SourceConfiguration[resource].PromptArn` errors on Create (#43595)
- `NoSuchTagSetError` responses from S3-compatible services (#43589)
- `NoSuchTagSetError` responses from S3-compatible services (#43589)
- `Provider produced inconsistent final plan` errors when changing from using `value` to using `value_wo` (#42877)
- `version` not being updated when `description` changes (#42595)

v6.6.0
FEATURES:
- `aws_connect_phone_number_contact_flow_association` (#43557)
- `aws_nat_gateway_eip_association` (#42591)

ENHANCEMENTS:
- `log_config` attribute (#43453)
- `available_security_updates_compliance_status` argument (#43560)
- `cross_region_config`, `content_policy_config.tier_config`, and `topic_policy_config.tier_config` arguments (#43517)
- `workgroup` argument (#36628)
- `compute_resources.ec2_configuration.image_kubernetes_version` argument (#43454)
- `log_config` argument (#43453)
- `name` to be updated in-place (#41702)
- `name` to be updated in-place (#42639)
- `secondary_allocation_ids` to Optional and Computed (#42591)
- `available_security_updates_compliance_status` argument (#43560)
- `/ssm/` prefix) for `setting_id` (#43562)

BUG FIXES:
- `test_listener_rule` incorrectly being set as empty string in `load_balancer.advanced_configuration` block (#43558)

v6.5.0
NOTES:
FEATURES:
- `aws_ecr_images` (#42577)
- `aws_cognito_log_delivery_configuration` (#43396)
- `aws_networkfirewall_firewall_transit_gateway_attachment_accepter` (#43430)
- `aws_s3_bucket_metadata_configuration` (#41364)

ENHANCEMENTS:
- `postgres_settings.authentication_method` and `postgres_settings.service_access_role_arn` attributes (#43440)
- `availability_zone_change_protection`, `availability_zone_mapping`, `firewall_status.sync_states.attachment.status_message`, `firewall_status.transit_gateway_attachment_sync_states`, `transit_gateway_id`, and `transit_gateway_owner_account_id` attributes (#43430)
- `oracle_settings` configuration block for authentication method (#43125)
- `postgres_settings.authentication_method` and `postgres_settings.service_access_role_arn` arguments (#43440)
- `postgres_settings.database_mode`, `postgres_settings.map_long_varchar_as`, and `postgres_settings.plugin_name` arguments (#43440)
- `dns_name_servers` attribute and `kerberos_authentication_settings` configuration block for Kerberos authentication settings (#43125)
- `transit_gateway_attachment_id` attribute. This functionality requires the `ec2:DescribeTransitGatewayAttachments` IAM permission (#43436)
- `CODE_REPOSITORY` as a valid value for `resource_types` (#43525)
- `auto_enable.code_repository` argument (#43525)
- `availability_zone_change_protection`, `availability_zone_mapping`, and `transit_gateway_id` arguments and `firewall_status.transit_gateway_attachment_sync_states` and `transit_gateway_owner_account_id` attributes (#43430)
- `subnet_mapping` and `vpc_id` as Optional (#43430)
- `aws_account_id` argument. (#43501)
- `rules_json` argument (#43397)
- `statement.rate_based_statement.custom_key.asn` argument (#43506)

BUG FIXES:
- `forces replacement` on `region` for numerous resource types when upgrading from a pre-v6.0.0 provider version and `-refresh=false` is in effect (#43516)
- `path` when `path_part` is updated (#43215)
- `definition.connection` and `definition.node` list length limits (#43471)
- `ipv6_addresses` when `ipv6_address_count` is updated (#43158)

v6.4.0
FEATURES:
- `aws_s3_access_point` (#43391)
- `aws_bedrockagent_flow` (#42201)
- `aws_fsx_s3_access_point_attachment` (#43391)

ENHANCEMENTS:
- `type` argument (#43150)
- `hybrid_access_enabled`, `with_federation` and `with_privileged_access` attributes (#43377)
- `options.export` argument to issue an exportable certificate (#43207)
- `apply_on_transformed_logs` argument (#43381)
- `agent_arns` optional (#43400)
- `deployment_configuration` argument (#43434)
- `load_balancer.advanced_configuration` argument (#43434)
- `service.client_alias.test_traffic_rules` argument (#43434)
- `deployment_controller.type` changes no longer force a replacement (#43434)
- `with_privileged_access` argument (#43377)
- `skip_destroy` argument (#43415)

BUG FIXES:
- `parent_action_group_signature` on Read (#43355)
- `Inappropriate value for attribute "regional_parameters"` errors during planning. This fixes a regression introduced in v6.0.0 (#43382)
- `transit_gateway_attachment_id` as ForceNew if the value is known not to change (#43405)
- `waiting for Lambda Function (...) version publish: unexpected state '', wanted target 'Successful'` errors on Update. This fixes a regression introduced in v6.2.0 (#43416)
- `sub_slot_setting.slot_specification.value_elicitation_setting.prompt_specification.prompt_attempts_specification` and `value_elicitation_setting.prompt_specification.prompt_attempts_specification` have default values (#43358)
- `meta_store_role_arn` to be updated in-place (#36874)

v6.3.0
FEATURES:
- `aws_prometheus_query_logging_configuration` (#43222)

ENHANCEMENTS:
- `anycast_ip_list_id` attribute (#43196)
- `core_network_configuration.dns_support` and `core_network_configuration.security_group_referencing_support` arguments (#43277)
- `anycast_ip_list_id` argument (#43196)
- `replica.consistency_mode` argument in support of multi-Region strong consistency for Amazon DynamoDB global tables (#43236)

BUG FIXES:
- `runtime error: invalid memory address or nil pointer dereference` panics for numerous resource types when modifying `tags` (#43324)
- `operation can't be performed on Agent when it is in Preparing state.` errors during agent action group base creation, update, and deletion. (#43232)
- `operation can't be performed on Agent when it is in Preparing state.` errors during agent knowledge base creation and disassociation (#43232)
- `managed_login_version` for custom Cognito domains (#43252)
- `InvalidDBInstanceState` errors on delete (#43303)
- `interface conversion: interface {} is nil, not map[string]interface {}` panics when configuration blocks are empty (#43308)
- `InvalidDBClusterStateFault` errors on delete (#43303)
- `availability_zone_relocation_enabled` (#43270)
- `resource_properties` to Computed to enable `vpc_endpoint` associations (#42562)
- `arn` when refreshing state. (#43273)

v6.2.0
NOTES:
idattribute has changed fromkeytobucket/key. All configurations usingidshould be updated to use thekeyattribute instead (#43119)idattribute has changed fromkeytobucket/key. All configurations usingidshould be updated to use thekeyattribute instead (#43119)ENHANCEMENTS:
tagsattribute. This functionality requires thekinesis:ListTagsForResourceIAM permission (#43173)firewall_policy.stateful_rule_group_reference.deep_threat_inspectionattribute (#43137)configuration.internal_accessargument (#43138)job_configargument (#43136)enable_skew_protectionargument (#43218)errorCode,eventType,sessionCredentialFromConsole, andvpcEndpointIdas valid values foradvanced_event_selector.field_selector.field(#43091)errorCode,eventType,sessionCredentialFromConsole, andvpcEndpointIdas valid values foradvanced_event_selector.field_selector.field(#43091)kms_key_identifierargument (#43139)DELIVERYas a valid value forlog_group_class(#42658)environment.docker_serverconfiguration block (#42982)disable_session_tagsandtarget_role_arnarguments andexternal_idattribute (#42979)os_release_labelargument (#43018)resource_tag_logical_operatorargument (#43031)job_modeargument (#42607)tagsargument andtags_allattribute. This functionality requires thekinesis:ListTagsForResource,kinesis:TagResource, andkinesis:UntagResourceIAM permissions (#43173)HMAC_224,HMAC_384,HMAC_512,ML_DSA_44,ML_DSA_65, andML_DSA_87as valid values forcustomer_master_key_spec(#43128)-1is now a valid value forport_info.from_portandport_info.to_port(#37703)firewall_policy.stateful_rule_group_reference.deep_threat_inspectionargument (#43137)exclude_resource_tagsargument (#43189)tagsargument andtags_allattribute. This functionality requires thes3express:ListTagsForResource,s3express:TagResource, ands3express:UntagResourceIAM permissions (#43256)metadataargument (#43112)aws_managed_rules_anti_ddos_rule_settomanaged_rule_group_configsconfiguration block in support of L7 DDoS protection (#43149)BUG FIXES:
Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#43221)
Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#43179)
Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#43179)
Update operation can't be performed on Agent when it is in Preparing state. errors during update (#43179)
operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#43179)
log_group_names (#43183)
"") value for s3_prefix. This fixes a regression introduced in v6.0.0 (#43159)
log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
logging_config diffs when log_format is set to JSON and publish = true (#42660)
confirmation_setting.prompt_specification.prompt_attempts_specification defaults (#43147)
log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
email (#43014)
Value Conversion Error errors when upgrading existing resources to Terraform AWS Provider v6.0.0 (#43116)
v6.1.0 Compare Source
v6.0.0 Compare Source
BREAKING CHANGES:
most_recent is true and owner and image ID filter criteria has been increased to an error. Existing configurations which were previously receiving a warning diagnostic will now fail to apply. To prevent this error, set the owner argument or include a filter block with an image-id or owner-id name/value pair. To continue using unsafe filter values with most_recent set to true, set the new allow_unsafe_filter argument to true. This is not recommended. (#42114)
inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
inference_accelerator_overrides attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
action.authenticate_cognito, action.authenticate_oidc, action.fixed_response, action.forward, action.forward.stickiness, action.redirect, condition.host_header, condition.http_header, condition.http_request_method, condition.path_pattern, condition.query_string, and condition.source_ip attributes are now list nested blocks instead of single nested blocks (#42283)
filter has been removed (#42325)
elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
elastic_gpu_specifications has been removed (#42312)
kibana_endpoint has been removed (#42268)
saml_options is now a list nested block instead of a single nested block (#42270)
tags_all attribute (#42136)
aws_opsworks_application resource has been removed (#41948)
aws_opsworks_custom_layer resource has been removed (#41948)
aws_opsworks_ecs_cluster_layer resource has been removed (#41948)
aws_opsworks_ganglia_layer resource has been removed (#41948)
aws_opsworks_haproxy_layer resource has been removed (#41948)
aws_opsworks_instance resource has been removed (#41948)
aws_opsworks_java_app_layer resource has been removed (#41948)
aws_opsworks_memcached_layer resource has been removed (#41948)
aws_opsworks_mysql_layer resource has been removed (#41948)
aws_opsworks_nodejs_app_layer resource has been removed (#41948)
aws_opsworks_permission resource has been removed (#41948)
aws_opsworks_php_app_layer resource has been removed (#41948)
aws_opsworks_rails_app_layer resource has been removed (#41948)
aws_opsworks_rds_db_instance resource has been removed (#41948)
aws_opsworks_stack resource has been removed (#41948)
aws_opsworks_static_web_layer resource has been removed (#41948)
aws_opsworks_user_profile resource has been removed (#41948)
aws_simpledb_domain resource has been removed. Add a constraint to v5 of the Terraform AWS Provider for continued use of this resource (#41775)
aws_worklink_fleet resource has been removed (#42059)
aws_worklink_website_certificate_authority_association resource has been removed (#42059)
aws_redshift_service_account resource has been removed. AWS recommends that a service principal name should be used instead of an AWS account ID in any relevant IAM policy (#41941)
endpoints.iotanalytics and endpoints.iotevents configuration arguments have been removed (#42703)
endpoints.opsworks configuration argument has been removed (#41948)
endpoints.simpledb and endpoints.sdb configuration arguments have been removed (#41775)
endpoints.worklink configuration argument has been removed (#42059)
filter.exists now only accepts one of "" (empty string), true, or false (#42434)
preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
reset_on_delete argument has been removed (#42226)
canary_settings, execution_arn, invoke_url, stage_description, and stage_name arguments. Instead, use the aws_api_gateway_stage resource to manage stages. (#42249)
compute_environment_name to name resource/aws_batch_compute_environment: Rename compute_environment_name_prefix to name_prefix (#38050)
compute_environment_name to name (#38050)
compute_environments in place of compute_environment_order (#40751)
logging_config, logging_config.cloudwatch_config, logging_config.cloudwatch_config.large_data_delivery_s3_config, and logging_config.s3_config are now list nested blocks instead of single nested blocks (#42307)
id is now set to remote object's Id instead of name (#42230)
etag argument is now computed only (#38448)
suspend now only accepts one of "" (empty string), true, or false (#42434)
id attribute is now a comma-delimited string concatenating the user_pool_id, group_name, and username arguments (#34082)
s3_prefix argument is now required (#38446)
character_set_name now cannot be set with replicate_source_db, restore_to_point_in_time, s3_import, or snapshot_identifier. (#42348)
s3_settings attribute. Use aws_dms_s3_endpoint instead (#42379)
vpn_gateway_id has been removed (#42323)
terminate_instances_on_delete now only accepts one of "" (empty string), true, or false (#42434)
block_duration_minutes attribute (#42060)
inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
vpc has been removed. Use domain instead. (#42340)
resolve_conflicts has been removed. Use resolve_conflicts_on_create and resolve_conflicts_on_update instead. (#42318)
auto_minor_version_upgrade now only accepts one of "" (empty string), true, or false (#42434)
at_rest_encryption_enabled and auto_minor_version_upgrade now only accept one of "" (empty string), true, or false (#42434)
auth_token_update_strategy no longer has a default value. If auth_token is set, auth_token_update_strategy must also be explicitly configured. (#42336)
variations.value.bool_value now only accepts one of "" (empty string), true, or false (#42434)
log_group_name has been removed. Use log_destination instead. (#42333)
id attribute is now computed only (#42097)
datasources. Use aws_guardduty_detector_feature resources instead. (#42436)
auto_enable attribute has been removed (#42251)
filter has been removed (#42325)
instance_configuration.block_device_mapping.ebs.delete_on_termination and instance_configuration.block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
block_device_mapping.ebs.delete_on_termination and block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
cpu_core_count and cpu_threads_per_core. Instead, use cpu_options. (#42280)
user_data now displays cleartext instead of a hash. Base64 encoded content should use user_data_base64 instead. (#42078)
block_device_mappings.ebs.delete_on_termination, block_device_mappings.ebs.encrypted, ebs_optimized, network_interfaces.associate_carrier_ip_address, network_interfaces.associate_public_ip_address, network_interfaces.delete_on_termination, and network_interfaces.primary_ipv6 now only accept one of "" (empty string), true, or false (#42434)
elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
elastic_gpu_specifications has been removed (#42312)
mutual_authentication attributes advertise_trust_store_ca_names, ignore_client_certificate_expiry, and trust_store_arn are only valid if mode is verify (#42326)
preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
logs.audit now only accepts one of "" (empty string), true, or false (#42434)
base_policy_region argument has been removed. Use base_policy_regions instead. (#38398)
kibana_endpoint has been removed (#42268)
saml_options is now a list nested block instead of a single nested block (#42270)
key_attributes and key_attributes.key_modes_of_use are now list nested blocks instead of single nested blocks. (#42264)
tags_all has been removed (#42260)
cluster_public_key, cluster_revision_number, and endpoint are now read only and should not be set (#42119)
logging attribute has been removed (#42013)
publicly_accessible attribute now defaults to false (#41978)
snapshot_copy attribute has been removed (#41995)
regions_of_interest.bounding_box is now a list nested block instead of a single nested block (#41380)
policy, policy.az, policy.hardware, policy.software, and policy.region are now list nested blocks instead of single nested blocks (#42297)
code_editor_app_image_config, jupyter_lab_image_config, or kernel_gateway_image_config block must be configured (#42753)
id is now a comma-delimited string concatenating image_name and version (#42536)
accelerator_types from your configuration—it no longer exists. Instead, use instance_type to use Inferentia. (#42099)
instance_id argument (#42224)
definition is now a list nested block instead of a single nested block (#42305)
rule.statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_bot_control_rule_set.enable_machine_learning now defaults to false (#39858)
NOTES:
name attribute has been deprecated. All configurations using name should be updated to use the region attribute instead (#42131)
bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)
region attribute has been deprecated. All configurations using region should be updated to use the service_region attribute instead (#42014)
region attribute has been deprecated. All configurations using region should be updated to use the requester_region attribute instead (#42014)
s3_us_east_1_regional_endpoint argument. The ability to use the global S3 endpoint will be removed in v7.0.0. (#42375)
region attribute has been deprecated. All configurations using region should be updated to use the stack_set_instance_region attribute instead (#42014)
id in favor of arn (#42232)
region attribute has been deprecated. All configurations using region should be updated to use the authorized_aws_region attribute instead (#42014)
region attribute has been deprecated. All configurations using region should be updated to use the connection_region attribute instead (#42014)
engine value is deprecated (#42419)
engine value is deprecated (#42419)
engine value is deprecated (#42419)
datasources now returns a deprecation warning (#42251)
aws_kinesisanalyticsv2_application resource instead (#42102)
encrypted is now true to match the AWS API. (#42631)
bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
health_check_custom_config.failure_threshold is deprecated. The argument is no longer supported by AWS and is always set to 1 (#40777)
region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)
ENHANCEMENTS:
allow_unsafe_filter argument (#42114)
group_long_name attribute (#42014)
region as Optional, allowing a value to be configured (#42014)
roles.role_arn and roles.role_type (#42131)
region support to most resources, data sources, and ephemeral resources, allowing per-resource Region targeting without requiring multiple provider configurations. See the Enhanced Region Support guide for more information. (#43075)
control_mapping_sources.source_frequency, control_mapping_sources.source_set_up_option, and control_mapping_sources.source_type (#42131)
destination_account (#42741)
admin_account_id (#42741)
arn attribute (#42733)
finding_publishing_frequency. (#42436)
mutual_authentication attribute trust_store_arn is required if mode is verify (#42326)
policy_arn (#42131)
aliases argument (#42610)
access_type source.aws_log_source_resource.source_name, and subscriber_identity.external_id (#42131)
BUG FIXES:
Provider produced inconsistent result after apply errors (#42131)
encrypted is not explicitly set to true. (#42631)
regions_of_interest.bounding_box and regions_of_interest.polygon argument validation (#41380)
access_type to ForceNew (#42131)
Configuration
📅 Schedule: (in timezone Europe/Warsaw)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.