systems/infrastructure

Fork 0

Update Terraform aws to v6 #247

Open

renovate wants to merge 1 commit from renovate/aws-6.x into master

renovate commented

2025-06-18 20:01:22 +01:00

Collaborator

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	`4.67.0` -> `6.19.0`

Release Notes

hashicorp/terraform-provider-aws (aws)

`v6.19.0`

Compare Source

FEATURES:

New Data Source: aws_ecrpublic_images (#44795)
New Resource: aws_lakeformation_identity_center_configuration (#44867)

ENHANCEMENTS:

action/aws_lambda_invoke: Output logs in a progress message when log_type is Tail (#44843)
data-source/aws_imagebuilder_image_recipe: Add ami_tags attribute (#44731)
data-source/aws_lb_listener_rule: Add regex_values attribute to condition.host_header, condition.http_header and condition.path_pattern blocks (#44741)
data-source/aws_lb_listener_rule: Add transform attribute (#44702)
resource/aws_bedrockagentcore_gateway: Add validator to ensure correct authorizer_configuration and authorizer_type config (#44826)
resource/aws_emrserverless_application: Add monitoring_configuration argument (#43317)
resource/aws_emrserverless_application: Add runtime_configuration argument (#43302)
resource/aws_identitystore_group: Adds arn attribute. (#44867)
resource/aws_imagebuilder_image_recipe: Add ami_tags argument (#44731)
resource/aws_lb_listener_rule: Add regex_values argument to condition.host_header, condition.http_header and condition.path_pattern blocks (#44741)
resource/aws_lb_listener_rule: Add transform configuration block (#44702)
resource/aws_lb_listener_rule: The values argument in condition.host_header, condition.http_header and condition.path_pattern is now optional (#44741)
resource/aws_quicksight_data_set: Increase upper limit of physical_table_map.relational_table.name from 64 to 256 characters (#44807)
resource/aws_sagemaker_notebook_instance: Add notebook-al2023-v1 to valid platform_identifier values (#44570)
resource/aws_sqs_queue: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_policy: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_redrive_allow_policy: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_redrive_policy: Remove account_id and region from Resource Identity schema (#44846)

BUG FIXES:

data-source/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#44867)
provider: Fix crash when setting override region during provider initialization (#44860)
resource/aws_bedrockagentcore_gateway: Change authorizer_configuration block from Required to Optional (#44812)
resource/aws_bedrockagentcore_gateway: Mark authorizer_type argument as ForceNew (#44812)
resource/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#44867)

`v6.18.0`

Compare Source

NOTES:

data-source/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#44327)
data-source/aws_organizations_organizational_unit_child_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#44327)
data-source/aws_organizations_organizational_unit_descendant_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#44327)
resource/aws_organizations_account: The status attribute is deprecated. Use state instead. (#44327)
resource/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#44327)

FEATURES:

New Resource: aws_bedrockagentcore_memory (#44306)
New Resource: aws_bedrockagentcore_memory_strategy (#44306)
New Resource: aws_bedrockagentcore_oauth2_credential_provider (#44307)
New Resource: aws_bedrockagentcore_token_vault_cmk (#44606)
New Resource: aws_bedrockagentcore_workload_identity (#44308)

ENHANCEMENTS:

data-source/aws_iam_policy: Adds validation for path_prefix attribute (#44703)
data-source/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#44327)
data-source/aws_organizations_organizational_unit_child_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#44327)
data-source/aws_organizations_organizational_unit_descendant_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#44327)
resource/aws_appstream_directory_config: Add certificate_based_auth_properties argument (#44679)
resource/aws_iam_policy: Adds List support (#44703)
resource/aws_iam_policy: Adds validation for path attribute (#44703)
resource/aws_iam_role_policy_attachment: Adds List support (#44739)
resource/aws_odb_network: Add delete_associated_resources attribute to enable practitioner to delete associated oci resource. (#44754)
resource/aws_organizations_account: Add state attribute (#44327)
resource/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#44327)

BUG FIXES:

data-source/aws_vpn_connection: Properly set tags attribute (#44761)
resource/aws_rds_cluster: Fix "When modifying Provisioned IOPS storage, specify a value for both allocated storage and iops" error when updating RDS clusters with Provisioned IOPS storage (#44706)
resource/guardduty_detector_feature: Fix additional_configuration block to ignore ordering (#44627)

`v6.17.0`

Compare Source

NOTES:

resource/aws_quicksight_account_subscription: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#44638)

FEATURES:

New Data Source: aws_rds_global_cluster (#37286)
New Data Source: aws_vpn_connection (#44622)
New Resource: aws_bedrockagentcore_agent_runtime (#44301)
New Resource: aws_bedrockagentcore_agent_runtime_endpoint (#44301)
New Resource: aws_bedrockagentcore_api_key_credential_provider (#44302)
New Resource: aws_bedrockagentcore_browser (#44303)
New Resource: aws_bedrockagentcore_code_interpreter (#44304)
New Resource: aws_bedrockagentcore_gateway (#44305)
New Resource: aws_bedrockagentcore_gateway_target (#44305)

ENHANCEMENTS:

resource/aws_imagebuilder_container_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_imagebuilder_image_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_launch_template: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_quicksight_account_subscription: Add admin_pro_group, author_pro_group, and reader_pro_group arguments (#44638)
resource/aws_subnet: Adds List support (#44671)
resource/aws_vpc: Adds List support (#44609)

BUG FIXES:

resource/aws_ec2_transit_gateway_route_table_propagation.test: Fix bug causing inconsistent final plan errors (#44542)
resource/aws_lambda_function: Reset non-API attributes (source_code_hash, s3_bucket, s3_key, s3_object_version and filename) to their previous values when an update operation fails (#42829)

`v6.16.0`

Compare Source

FEATURES:

New Action: aws_transcribe_start_transcription_job (#44445)
New Data Source: aws_odb_cloud_autonomous_vm_clusters (#44336)
New Data Source: aws_odb_cloud_exadata_infrastructures (#44336)
New Data Source: aws_odb_cloud_vm_clusters (#44336)
New Data Source: aws_odb_network_peering_connections (#44336)
New Data Source: aws_odb_networks (#44336)
New Resource: aws_prometheus_resource_policy (#44256)
New Resource: aws_transfer_host_key (#44559)
New Resource: aws_transfer_web_app (#42708)
New Resource: aws_transfer_web_app_customization (#42708)

ENHANCEMENTS:

resource/aws_codebuild_project: Add auto_retry_limit argument (#40035)
resource/aws_emrserverless_application: Add scheduler_configuration block (#44589)
resource/aws_lambda_event_source_mapping: Add schema_registry_config configuration blocks to amazon_managed_kafka_event_source_config and self_managed_kafka_event_source_config blocks (#44540)
resource/aws_ssmcontacts_contact: Add resource identity support (#44548)
resource/aws_vpclattice_resource_gateway: Add ipv4_addresses_per_eni argument (#44560)

BUG FIXES:

provider: Correctly validate AWS European Sovereign Cloud Regions in ARNs (#44573)
provider: Fix Missing Resource Identity After Update errors for non-refreshed and failed updates of Plugin Framework based resources (#44518)
provider: Fix Unexpected Identity Change errors when fully-null identity values in state are updated to valid values for Plugin Framework based resources (#44518)
resource/aws_datazone_environment: Correctly updates glossary_terms. (#44491)
resource/aws_datazone_environment: Prevents unknown value error when optional account_identifier is not specified. (#44491)
resource/aws_datazone_environment: Prevents unknown value error when optional account_region is not specified. (#44491)
resource/aws_datazone_environment: Prevents error when updating. (#44491)
resource/aws_datazone_environment: Prevents occasional unexpected state error when deleting. (#44491)
resource/aws_datazone_environment: Properly passes blueprint_identifier on creation. (#44491)
resource/aws_datazone_environment: Sets values for user_parameters when importing. (#44491)
resource/aws_datazone_environment: Values in user_parameters should not be updateable. (#44491)
resource/aws_datazone_project: No longer ignores errors when deleting. (#44491)
resource/aws_datazone_project: No longer returns error when already deleting. (#44491)
resource/aws_dynamodb_table: Do not retry on LimitExceededException (#44576)
resource/aws_ivschat_room: Set maximum_message_rate_per_second validation maximum to 100 (#44572)
resource/aws_launch_template: kms_key_id validation now accepts key ID, alias, and alias ARN in addition to key ARN (#44505)
resource/aws_servicecatalog_portfolio_share: Add global mutex lock around create and delete operations to prevent ThrottlingException errors (#24730)

`v6.15.0`

Compare Source

BREAKING CHANGES:

resource/aws_ecs_service: Fix behavior when updating capacity_provider_strategy to avoid ECS service recreation after recent AWS changes (#43533)

FEATURES:

New Action: aws_codebuild_start_build (#44444)
New Action: aws_events_put_events (#44487)
New Action: aws_sfn_start_execution (#44464)
New Data Source: aws_appconfig_application (#44168)
New Data Source: aws_odb_db_node (#43792)
New Data Source: aws_odb_db_nodes (#43792)
New Data Source: aws_odb_db_server (#43792)
New Data Source: aws_odb_db_servers (#43792)
New Data Source: aws_odb_db_system_shapes (#43825)
New Data Source: aws_odb_gi_versions (#43825)
New Resource: aws_lakeformation_lf_tag_expression (#43883)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Add mysql_settings attribute (#44516)
data-source/aws_ec2_instance_type_offering: Add location attribute (#44328)
data-source/aws_rds_proxy: Add default_auth_scheme attribute (#44309)
resource/aws_cleanrooms_configured_table: Add resource identity support (#44435)
resource/aws_cloudfront_distribution: Add ip_address_type argument to origin.custom_origin_config block (#44463)
resource/aws_connect_instance: Add resource identity support (#44346)
resource/aws_connect_phone_number: Add resource identity support (#44365)
resource/aws_dms_endpoint: Add mysql_settings configuration block (#44516)
resource/aws_dsql_cluster: Adds attribute force_destroy. (#44406)
resource/aws_ebs_volume: Update throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44514)
resource/aws_ecs_capacity_provider: Add cluster and managed_instances_provider arguments (#44509)
resource/aws_ecs_capacity_provider: Make auto_scaling_group_provider optional (#44509)
resource/aws_iam_service_specific_credential: Add support for Bedrock API keys with credential_age_days, service_credential_alias, service_credential_secret, create_date, and expiration_date attributes (#44299)
resource/aws_networkfirewall_logging_configuration: Add enable_monitoring_dashboard argument (#44515)
resource/aws_opensearch_domain: Add aiml_options argument (#44417)
resource/aws_pinpointsmsvoicev2_phone_number: Update two_way_channel_arn argument to accept connect.[region].amazonaws.com in addition to ARNs (#44372)
resource/aws_rds_proxy: Add default_auth_scheme argument (#44309)
resource/aws_rds_proxy: Make auth configuration block optional (#44309)
resource/aws_route53recoverycontrolconfig_cluster: Add network_type argument (#44377)
resource/aws_route53recoverycontrolconfig_cluster: Add tagging support (#44473)
resource/aws_route53recoverycontrolconfig_control_panel: Add tagging support (#44473)
resource/aws_route53recoverycontrolconfig_safety_rule: Add tagging support (#44473)
resource/aws_s3control_bucket: Add resource identity support (#44379)
resource/aws_sfn_activity: Add arn argument (#44408)
resource/aws_sfn_activity: Add resource identity support (#44408)
resource/aws_sfn_alias: Add resource identity support (#44408)
resource/aws_ssmcontacts_contact_channel: Add resource identity support (#44369)

BUG FIXES:

data-source/aws_lb: Fix Invalid address to set: []string{"secondary_ips_auto_assigned_per_subnet"} errors (#44485)
data-source/aws_networkfirewall_firewall_policy: Fix failure to retrieve multiple firewall_policy.stateful_rule_group_reference attributes (#44482)
data-source/aws_servicequotas_service_quota: Fixed a panic that occurred when a non-existing quota_name was provided (#44449)
resource/aws_bedrock_provisioned_model_throughput: Fix AttributeName("arn") still remains in the path: could not find attribute or block "arn" in schema errors when upgrading from a pre-v6.0.0 provider version (#44434)
resource/aws_chatbot_slack_channel_configuration: Force resource replacement when configuration_name is modified (#43996)
resource/aws_cloudwatch_event_rule: Do not retry on LimitExceededException (#44489)
resource/aws_cloudwatch_log_resource_policy: Do not retry on LimitExceededException (#44522)
resource/aws_default_vpc: Correctly set ipv6_cidr_block when the VPC has multiple associated IPv6 CIDRs (#44362)
resource/aws_dms_endpoint: Ensure that postgres_settings are updated (#44389)
resource/aws_dsql_cluster: Prevents error when optional attribute deletion_protection_enabled not set. (#44406)
resource/aws_eks_cluster: Change compute_config, kubernetes_network_config.elastic_load_balancing, and storage_config. to Optional and Computed, allowing EKS Auto Mode settings to be enabled, disabled, and removed from configuration (#44334)
resource/aws_elastic_beanstalk_configuration_template: Fix inconsistent final plan error in some cases with setting elements. (#44461)
resource/aws_elastic_beanstalk_environment: Fix inconsistent final plan error in some cases with setting elements. (#44461)
resource/aws_elasticache_cluster: Fix provider produced unexpected value for cache_usage_limits argument. (#43841)
resource/aws_fsx_lustre_file_system: Fixed to update metadata_configuration first to allow simultaneous increase of metadata_configuration.iops and storage_capacity (#44456)
resource/aws_instance: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when capacity_reservation_target is empty (#44459)
resource/aws_kinesisanalyticsv2_application: Ensure that configured application_configuration.run_configuration values are respected during update (#43490)
resource/aws_odb_cloud_autonomous_vm_cluster : Fixed planmodifier for computed attribute. (#44401)
resource/aws_odb_cloud_vm_cluster : Fixed planmodifier for computed attribute. Fixed planmodifier from display_name attribute. (#44401)
resource/aws_odb_cloud_vm_cluster : Fixed planmodifier for data_storage_size_in_tbs. Marked it mandatory. Fixed gi-version issue during creation (#44498)
resource/aws_odb_network_peering_connection : Fixed planmodifier for computed attribute. (#44401)
resource/aws_rds_cluster: Fixes error when setting database_insights_mode with global_cluster_identifier. (#44404)
resource/aws_route53_health_check: Fix child_health_threshold to properly accept explicitly specified zero value (#44006)
resource/aws_s3_bucket_lifecycle_configuration: Allows unsetting noncurrent_version_expiration.newer_noncurrent_versions and noncurrent_version_transition.newer_noncurrent_versions. (#44442)
resource/aws_s3_bucket_lifecycle_configuration: Do not warn if no filter element is set (#43590)
resource/aws_vpc: Correctly set ipv6_cidr_block when the VPC has multiple associated IPv6 CIDRs (#44362)

`v6.14.1`

Compare Source

NOTES:

provider: This release contains both internal provider fixes and a Terraform Plugin SDK V2 update related to a regression which may impact resources that support resource identity (#44375)

BUG FIXES:

provider: Fix Missing Resource Identity After Update errors for non-refreshed and failed updates (#44375)
provider: Fix Unexpected Identity Change errors when fully-null identity values in state are updated to valid values (#44375)

`v6.14.0`

Compare Source

FEATURES:

New Action: aws_cloudfront_create_invalidation (#43955)
New Action: aws_ec2_stop_instance (#43700)
New Action: aws_lambda_invoke (#43972)
New Action: aws_ses_send_email (#44214)
New Action: aws_sns_publish (#44232)
New Data Source: aws_billing_views (#44272)
New Data Source: aws_odb_cloud_autonomous_vm_cluster (#43809)
New Data Source: aws_odb_cloud_exadata_infrastructure (#43650)
New Data Source: aws_odb_cloud_vm_cluster (#43790)
New Data Source: aws_odb_network (#43715)
New Data Source: aws_odb_network_peering_connection (#43757)
New Resource: aws_controltower_baseline (#42397)
New Resource: aws_odb_cloud_autonomous_vm_cluster (#43809)
New Resource: aws_odb_cloud_exadata_infrastructure (#43650)
New Resource: aws_odb_cloud_vm_cluster (#43790)
New Resource: aws_odb_network (#43715)
New Resource: aws_odb_network_peering_connection (#43757)

ENHANCEMENTS:

resource/aws_batch_job_queue: Adds List support (#43960)
resource/aws_cloudwatch_log_group: Adds List support (#44129)
resource/aws_ecs_service: Add deployment_configuration.lifecycle_hook.hook_details argument (#44289)
resource/aws_iam_role: Adds List support (#44129)
resource/aws_instance: Adds List support (#44129)
resource/aws_rds_global_cluster: Remove provider-side conflict between source_db_cluster_identifier and engine arguments (#44252)
resource/aws_scheduler_schedule: Add action_after_completion argument (#44264)
resource/aws_sfn_state_machine: Add resource identity support (#44286)

BUG FIXES:

resource/aws_elasticache_user_group: Ignore InvalidParameterValue: User xxx is not a member of user group xxx errors during group modification (#43520)
resource/aws_sagemaker_endpoint_configuration: Fix panic when empty async_inference_config.output_config.notification_config block is specified (#44310)

`v6.13.0`

Compare Source

ENHANCEMENTS:

data-source/aws_budgets_budget: Add billing_view_arn attribute (#44241)
data-source/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput attributes (#41308)
data-source/aws_elastic_beanstalk_hosted_zone: Add hosted zone IDs for ap-southeast-5, ap-southeast-7, eu-south-2, and me-central-1 AWS Regions (#44132)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-southeast-6 AWS Region (#44132)
data-source/aws_s3_bucket: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
resource/aws_appautoscaling_policy: Add predictive_scaling_policy_configuration argument (#44211)
resource/aws_appautoscaling_policy: Add plan-time validation of policy_type (#44211)
resource/aws_appautoscaling_policy: Add plan-time validation of step_scaling_policy_configuration.adjustment_type and step_scaling_policy_configuration.metric_aggregation_type (#44211)
resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled arguments to word_policy_config.managed_word_lists_config and word_policy_config.words_config configuration blocks (#44224)
resource/aws_budgets_budget: Add billing_view_arn argument (#44241)
resource/aws_cloudfront_distribution: Add origin.response_completion_timeout argument (#44163)
resource/aws_codebuild_webhook: Add pull_request_build_policy configuration block (#44201)
resource/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput arguments (#41308)
resource/aws_ecs_account_setting_default: Support dualStackIPv6 as a valid value for name (#44165)
resource/aws_glue_catalog_table_optimizer: Add iceberg_configuration.run_rate_in_hours argument to retention_configuration and orphan_file_deletion_configuration blocks (#44207)
resource/aws_networkfirewall_rule_group: Add IPv6 CIDR block support to address_definition arguments in source and destination blocks within rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rule.rule_definition.match_attributes (#44215)
resource/aws_networkmanager_vpc_attachment: Add options.dns_support and options.security_group_referencing_support arguments (#43742)
resource/aws_networkmanager_vpc_attachment: Change options to Optional and Computed (#43742)
resource/aws_opensearch_package: Add engine_version argument (#44155)
resource/aws_opensearch_package: Add waiter to ensure package validation completes (#44155)
resource/aws_synthetics_canary: Add schedule.retry_config configuration block (#44244)
resource/aws_vpc_endpoint: Add resource identity support (#44194)
resource/aws_vpc_security_group_egress_rule: Add resource identity support (#44198)
resource/aws_vpc_security_group_ingress_rule: Add resource identity support (#44198)

BUG FIXES:

resource/aws_appautoscaling_policy: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when step_scaling_policy_configuration is empty (#44211)
resource/aws_cognito_managed_login_branding: Fix reading Cognito Managed Login Branding by client ... couldn't find resource errors when a user pool contains multiple client apps (#44204)
resource/aws_eks_cluster: Supports null compute_config.node_role_arn when disabling auto mode or built-in node pools (#42483)
resource/aws_flow_log: Fix Error decoding ... from prior state: unsupported attribute "log_group_name" errors when upgrading from a pre-v6.0.0 provider version (#44191)
resource/aws_launch_template: Fix Error decoding ... from prior state: unsupported attribute "elastic_gpu_specifications" errors when upgrading from a pre-v6.0.0 provider version (#44195)
resource/aws_rds_cluster_role_association: Make feature_name optional (#44143)
resource/aws_s3_bucket_lifecycle_configuration: Ignore MethodNotAllowed errors when deleting non-existent lifecycle configurations (#44189)
resource/aws_secretsmanager_secret: Return diagnostic warning when remote policy is invalid (#44228)
resource/aws_servicecatalog_provisioned_product: Restore timeouts.read arguments removed in v6.12.0 (#44238)

`v6.12.0`

Compare Source

NOTES:

resource/aws_s3_bucket_acl: The access_control_policy.grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
resource/aws_s3_bucket_acl: The access_control_policy.owner.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
resource/aws_s3_bucket_logging: The target_grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)

FEATURES:

New Resource: aws_cognito_managed_login_branding (#43817)

ENHANCEMENTS:

data-source/aws_efs_mount_target: Add ip_address_type and ipv6_address attributes (#44079)
data-source/aws_instance: Add placement_group_id attribute (#38527)
data-source/aws_lambda_function: Add source_kms_key_arn attribute (#44080)
data-source/aws_launch_template: Add placement.group_id attribute (#44097)
provider: Support ap-southeast-6 as a valid AWS Region (#44127)
resource/aws_ecs_service: Remove Terraform default for availability_zone_rebalancing and change the attribute to Optional and Computed. This allow ECS to default to ENABLED for new resources compatible with AvailabilityZoneRebalancing and maintain an existing service's availability_zone_rebalancing value during update when not configured. If an existing service never had an availability_zone_rebalancing value configured and is updated, ECS will treat this as DISABLED (#43241)
resource/aws_efs_mount_target: Add ip_address_type and ipv6_address arguments to support IPv6 connectivity (#44079)
resource/aws_fsx_openzfs_file_system: Remove maximum items limit on the user_and_group_quotas argument (#44120)
resource/aws_fsx_openzfs_volume: Remove maximum items limit on the user_and_group_quotas argument (#44118)
resource/aws_instance: Add placement_group_id argument (#38527)
resource/aws_instance: Add resource identity support (#44068)
resource/aws_lambda_function: Add source_kms_key_arn argument (#44080)
resource/aws_launch_template: Add placement.group_id argument (#44097)
resource/aws_ssm_association: Add resource identity support (#44075)
resource/aws_ssm_document: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window_target: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window_task: Add resource identity support (#44075)
resource/aws_ssm_patch_baseline: Add resource identity support (#44075)
resource/aws_synthetics_canary: Add run_config.ephemeral_storage argument. (#44105)

BUG FIXES:

resource/aws_s3tables_table_policy: Remove plan-time validation of name and namespace (#44072)
resource/aws_servicecatalog_provisioned_product: Set provisioning_parameters and provisioning_artifact_id to the values from the last successful deployment when update fails (#43956)
resource/aws_wafv2_web_acl: Fix performance of update when the WebACL has a large number of rules (#42740)

`v6.11.0`

Compare Source

FEATURES:

New Resource: aws_timestreaminfluxdb_db_cluster (#42382)
New Resource: aws_workspacesweb_browser_settings_association (#43735)
New Resource: aws_workspacesweb_data_protection_settings_association (#43773)
New Resource: aws_workspacesweb_identity_provider (#43729)
New Resource: aws_workspacesweb_ip_access_settings_association (#43774)
New Resource: aws_workspacesweb_network_settings_association (#43775)
New Resource: aws_workspacesweb_portal (#43444)
New Resource: aws_workspacesweb_session_logger (#43863)
New Resource: aws_workspacesweb_session_logger_association (#43866)
New Resource: aws_workspacesweb_trust_store (#43408)
New Resource: aws_workspacesweb_trust_store_association (#43778)
New Resource: aws_workspacesweb_user_access_logging_settings_association (#43776)
New Resource: aws_workspacesweb_user_settings_association (#43777)

ENHANCEMENTS:

data-source/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type attributes (#44059)
data-source/aws_network_interface: Add attachment.network_card_index attribute (#42188)
data-source/aws_sesv2_email_identity: Add verification_status attribute (#44045)
data-source/aws_signer_signing_profile: Add signing_material and signing_parameters attributes (#43921)
data-source/aws_vpc_ipam: Add metered_account attribute (#43967)
resource/aws_datazone_domain: Add domain_version and service_role arguments to support V2 domains (#44042)
resource/aws_dlm_lifecycle_policy: Add copy_tags, create_interval, exclusions, extend_deletion, policy_language, resource_type and retain_interval attributes to policy_details configuration block (#41055)
resource/aws_dlm_lifecycle_policy: Add default_policy argument (#41055)
resource/aws_dlm_lifecycle_policy: Add policy_details.create_rule.scripts argument (#41055)
resource/aws_dlm_lifecycle_policy: Add policy_details.schedule.cross_region_copy_rule.target_region argument (#33796)
resource/aws_dlm_lifecycle_policy: Make policy_details.schedule.cross_region_copy_rule.target optional (#33796)
resource/aws_dlm_lifecycle_policy:Add policy_details.schedule.archive_rule argument (#41055)
resource/aws_dynamodb_contributor_insights: Add mode argument in support of CloudWatch contributor insights modes (#43914)
resource/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type arguments to support IPv6 connectivity in Client VPN (#44059)
resource/aws_ec2_client_vpn_endpoint: Make client_cidr_block optional (#44059)
resource/aws_ecr_lifecycle_policy: Add resource identity support (#44041)
resource/aws_ecr_repository: Add resource identity support (#44041)
resource/aws_ecr_repository_policy: Add resource identity support (#44041)
resource/aws_ecs_service: Add sigint_rollback argument (#43986)
resource/aws_ecs_service: Change deployment_configuration to Optional and Computed (#43986)
resource/aws_eks_cluster: Allow remote_network_config to be updated in-place, enabling support for EKS hybrid nodes on existing clusters (#42928)
resource/aws_elasticache_global_replication_group: Change engine to Optional and Computed (#42636)
resource/aws_inspector2_filter: Support code_repository_project_name, code_repository_provider_type, ecr_image_in_use_count, and ecr_image_last_in_use_at in filter_criteria (#43950)
resource/aws_iot_thing_principal_attachment: Add thing_principal_type argument (#43916)
resource/aws_kms_alias: Add resource identity support (#44025)
resource/aws_kms_external_key: Add key_spec argument (#44011)
resource/aws_kms_external_key: Change key_usage to Optional and Computed (#44011)
resource/aws_kms_key: Add resource identity support (#44025)
resource/aws_lb: Add secondary_ips_auto_assigned_per_subnet argument for Network Load Balancers (#43699)
resource/aws_mwaa_environment: Add worker_replacement_strategy argument (#43946)
resource/aws_network_interface: Add attachment.network_card_index argument (#42188)
resource/aws_network_interface_attachment: Add network_card_index argument (#42188)
resource/aws_route53_resolver_rule: Add resource identity support (#44048)
resource/aws_route53_resolver_rule_association: Add resource identity support (#44048)
resource/aws_route: Add resource identity support (#43910)
resource/aws_route_table: Add resource identity support (#43990)
resource/aws_s3_bucket_acl: Add resource identity support (#44043)
resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_logging: Add resource identity support (#43976)
resource/aws_s3_bucket_notification: Add resource identity support (#43976)
resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43976)
resource/aws_s3_bucket_policy: Add resource identity support (#43976)
resource/aws_s3_bucket_public_access_block: Add resource identity support (#43976)
resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_versioning: Add resource identity support (#43976)
resource/aws_s3_bucket_website_configuration: Add resource identity support (#43976)
resource/aws_s3tables_table_bucket: Add force_destroy argument (#43922)
resource/aws_secretsmanager_secret_version: Add resource identity support (#44031)
resource/aws_sesv2_email_identity: Add verification_status attribute (#44045)
resource/aws_signer_signing_profile: Add signing_parameters argument (#43921)
resource/aws_synthetics_canary: Add vpc_config.ipv6_allowed_for_dual_stack argument (#43989)
resource/aws_vpc_ipam: Add metered_account argument (#43967)

BUG FIXES:

data-source/aws_glue_catalog_table: Add partition_keys.parameters attribute (#26702)
resource/aws_cognito_user_pool: Fixed to accept an empty email_mfa_configuration block (#43926)
resource/aws_db_instance: Fixes the behavior when modifying database_insights_mode when using custom KMS key (#44050)
resource/aws_dx_hosted_connection: Fix DescribeHostedConnections failed for connection dxcon-xxxx doesn't exist by pointing to the correct connection ID when doing the describe. (#43499)
resource/aws_glue_catalog_table: Add partition_keys.parameters argument, fixing Invalid address to set: []string{"partition_keys", "0", "parameters"} errors (#26702)
resource/aws_imagebuilder_image_recipe: Increase upper limit of block_device_mapping.ebs.iops from 10000 to 100000 (#43981)
resource/aws_nat_gateway: Fix inconsistent final plan for secondary_private_ip_addresses (#43708)
resource/aws_spot_instance_request: Change network_interface.network_card_index to Computed (#38336)
resource/aws_timestreaminfluxdb_db_instance: Fix tag-only update errors (#42382)
resource/aws_wafv2_web_acl: Add missing flattening of name in response_inspection.header blocks for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet to avoid persistent plan diffs (#44032)

`v6.10.0`

Compare Source

NOTES:

resource/aws_instance: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)
resource/aws_spot_instance_request: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)

ENHANCEMENTS:

data-source/aws_ecr_repository: Add image_tag_mutability_exclusion_filter attribute (#43886)
data-source/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter attribute (#43886)
resource/aws_cloudwatch_event_target: Add resource identity support (#43984)
resource/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter configuration block (#43886)
resource/aws_glue_job: Support G.12X, G.16X, R.1X, R.2X, R.4X, and R.8X as valid values for worker_type (#43988)
resource/aws_lambda_permission: Add resource identity support (#43954)
resource/aws_lightsail_static_ip_attachment: Support resource import (#43874)
resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_logging: Add resource identity support (#43976)
resource/aws_s3_bucket_notification: Add resource identity support (#43976)
resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43976)
resource/aws_s3_bucket_policy: Add resource identity support (#43976)
resource/aws_s3_bucket_public_access_block: Add resource identity support (#43976)
resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_versioning: Add resource identity support (#43976)
resource/aws_s3_bucket_website_configuration: Add resource identity support (#43976)
resource/aws_secretsmanager_secret: Add resource identity support (#43872)
resource/aws_secretsmanager_secret_policy: Add resource identity support (#43872)
resource/aws_secretsmanager_secret_rotation: Add resource identity support (#43872)
resource/aws_sqs_queue: Add resource identity support (#43918)
resource/aws_sqs_queue_policy: Add resource identity support (#43918)
resource/aws_sqs_queue_redrive_allow_policy: Add resource identity support (#43918)
resource/aws_sqs_queue_redrive_policy: Add resource identity support (#43918)

BUG FIXES:

resource/aws_batch_compute_environment: Allow in-place updates of compute environments that have the SPOT_PRICE_CAPACITY_OPTIMIZED strategy (#40148)
resource/aws_imagebuilder_lifecycle_policy: Fix Provider produced inconsistent result after apply error when policy_detail.exclusion_rules.amis.is_public is omitted (#43925)
resource/aws_instance: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)
resource/aws_rds_cluster: Fixes the behavior when enabling database_insights_mode="advanced" without changing performance insights retention window (#43919)
resource/aws_rds_cluster: Fixes the behavior when modifying database_insights_mode when using custom KMS key (#43942)
resource/aws_spot_instance_request: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)

`v6.9.0`

Compare Source

FEATURES:

New Resource: aws_appsync_api (#43787)
New Resource: aws_appsync_channel_namespace (#43787)

ENHANCEMENTS:

data-source/aws_eks_cluster: Add deletion_protection attribute (#43779)
resource/aws_cloudwatch_event_rule: Add resource identity support (#43758)
resource/aws_cloudwatch_metric_alarm: Add resource identity support (#43759)
resource/aws_dynamodb_table: Add replica.deletion_protection_enabled argument (#43240)
resource/aws_eks_cluster: Add deletion_protection argument (#43779)
resource/aws_lambda_function: Add resource identity support (#43821)
resource/aws_sns_topic_data_protection_policy: Add resource identity support (#43830)
resource/aws_sns_topic_policy: Add resource identity support (#43830)
resource/aws_sns_topic_subscription: Add resource identity support (#43830)
resource/aws_subnet: Add resource identity support (#43833)

BUG FIXES:

data-source/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
data-source/aws_networkfirewall_firewall_policy: Add missing schema definition for firewall_policy.stateful_engine_options.flow_timeouts (#43852)
resource/aws_cognito_risk_configuration: Make account_takeover_risk_configuration.notify_configuration optional (#33624)
resource/aws_ecs_service: Fix tagging failure after upgrading to v6 provider (#43816)
resource/aws_ecs_service: Fix refreshing service_connect_configuration when deleted outside of Terraform (#43871)
resource/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
resource/aws_s3tables_table: Fix runtime error: invalid memory address or nil pointer dereference panics when GetTableMaintenanceConfiguration returns an error (#43764)
resource/aws_sagemaker_user_profile: Fix incomplete regex for user_profile_name (#43807)
resource/aws_servicequotas_service_quota: Add validation, during create, to check if new value is less than current value of quota (#43545)
resource/aws_storagegateway_gateway: Handle InvalidGatewayRequestException: The specified gateway is not connected errors during Read by using the ListGateways API to return minimal information about a disconnected gateway. This functionality requires the storagegateway:ListGateways IAM permission (#43819)
resource/aws_vpc_ipam_pool_cidr: Fix netmask_length not being saved and diffed correctly (#43262)

`v6.8.0`

Compare Source

FEATURES:

New Resource: aws_networkfirewall_vpc_endpoint_association (#43675)
New Resource: aws_quicksight_custom_permissions (#43613)
New Resource: aws_quicksight_role_custom_permission (#43613)
New Resource: aws_quicksight_user_custom_permission (#43613)
New Resource: aws_wafv2_web_acl_rule_group_association (#43561)

ENHANCEMENTS:

data-source/aws_quicksight_user: Add custom_permissions_name attribute (#43613)
data-source/aws_wafv2_web_acl: Add resource_arn argument to enable finding web ACLs by resource ARN (#43597)
data-source/aws_wafv2_web_acl: Add support for CLOUDFRONT scope web ACLs using resource_arn (#43597)
resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled attributes to sensitive_information_policy_config.pii_entities_config and sensitive_information_policy_config.regexes_config configuration blocks (#43702)
resource/aws_cloudwatch_log_group: Add resource identity support (#43719)
resource/aws_computeoptimizer_recommendation_preferences: Add AuroraDBClusterStorage as a valid resource_type (#43677)
resource/aws_docdb_cluster: Add serverless_v2_scaling_configuration argument in support of Amazon DocumentDB serverless (#43667)
resource/aws_ecr_repository: Add image_tag_mutability_exclusion_filter argument (#43642)
resource/aws_ecr_repository: Support IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION as valid values for image_tag_mutability (#43642)
resource/aws_inspector2_enabler: Support resource import (#43673)
resource/aws_instance: Adds force_destroy argument that allows destruction even when disable_api_termination and disable_api_stop are true (#43722)
resource/aws_ivs_channel: Add resource identity support (#43704)
resource/aws_ivs_playback_key_pair: Add resource identity support (#43704)
resource/aws_ivs_recording_configuration: Add resource identity support (#43704)
resource/aws_ivschat_logging_configuration: Add resource identity support (#43697)
resource/aws_ivschat_room: Add resource identity support (#43697)
resource/aws_kinesis_firehose_delivery_stream: Add iceberg_configuration.append_only argument (#43647)
resource/aws_lightsail_static_ip: Support resource import (#43672)
resource/aws_opensearch_domain_policy: Support resource import (#43674)
resource/aws_quicksight_user: Add plan-time validation of iam_arn (#43613)
resource/aws_quicksight_user: Change user_name to Optional and Computed (#43613)
resource/aws_quicksight_user: Support IAM_IDENTITY_CENTER as a valid value for identity_type (#43613)
resource/aws_quicksight_user: Support RESTRICTED_AUTHOR and RESTRICTED_READER as valid values for user_role (#43613)
resource/aws_security_group: Add parameterized resource identity support (#43744)
resource/aws_sqs_queue: Increase upper limit of max_message_size from 256 KiB to 1024 KiB (#43710)
resource/aws_ssm_parameter: Add resource identity support (#43736)

BUG FIXES:

ephemeral-resource/aws_lambda_invocation: Fix plan inconsistency issue due to improperly assigned payload values (#43676)
provider: Fix failure to detect resources deleted outside of Terraform as missing for numerous resource types (#43659)
resource/aws_batch_compute_environment: Fix inconsistent final plan error when compute_resource.launch_template.version is unknown during an update (#43337)
resource/aws_bedrockagent_flow: Prevent created_at becoming null on Update (#43654)
resource/aws_ec2_managed_prefix_list: Fix PrefixListVersionMismatch: The prefix list has the incorrect version number errors when updating entry description (#43661)
resource/aws_fsx_lustre_file_system: Fix validation of SSD read cache size for file systems using the Intelligent-Tiering storage class (#43605)
resource/aws_instance: Prevent destruction of resource when disable_api_termination is true (#43722)
resource/aws_kms_key: Restore pre-v6.3.0 retry delay behavior when waiting for continuous target state occurrences. This fixes certain tag update timeouts (#43716)
resource/aws_s3tables_table_bucket: Fix crash on maintenance_configuration read failure (#43707)
resource/aws_sagemaker_image: Fix image_name regular expression validation (#43751)
resource/aws_timestreaminfluxdb_db_instance: Don't mark network_type as ForceNew if the value is not configured. This fixes a problem with terraform apply -refresh=false after upgrade from v5.90.0 and below (#43534)
resource/aws_wafv2_regex_pattern_set: Remove maximum items limit on the regular_expression argument (#43693)

`v6.7.0`

Compare Source

FEATURES:

New Resource: aws_quicksight_ip_restriction (#43596)
New Resource: aws_quicksight_key_registration (#43587)

ENHANCEMENTS:

data-source/aws_codebuild_fleet: Add instance_type attribute in compute_configuration block (#43449)
data-source/aws_ebs_volume: Add volume_initialization_rate attribute (#43565)
data-source/aws_ecs_service: Support load_balancer attribute (#43582)
data-source/aws_s3_access_point: Add tags attribute. This functionality requires the s3:ListTagsForResource IAM permission with S3 Access Points for general purpose buckets and the s3express:ListTagsForResource IAM permission with S3 Access Points for directory buckets (#43630)
data-source/aws_verifiedpermissions_policy_store: Add deletion_protection attribute (#43452)
resource/aws_athena_workgroup: Add configuration.identity_center_configuration argument (#38717)
resource/aws_cleanrooms_collaboration: Add analytics_engine argument (#43614)
resource/aws_codebuild_fleet: Add instance_type argument in compute_configuration block to support custom instance types (#43449)
resource/aws_ebs_volume: Add volume_initialization_rate argument (#43565)
resource/aws_s3_access_point: Add tags argument and tags_all attribute. This functionality requires the s3:ListTagsForResource, s3:TagResource, and s3:UntagResource IAM permissions with S3 Access Points for general purpose buckets and the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions with S3 Access Points for directory buckets (#43630)
resource/aws_verifiedpermissions_policy_store: Add deletion_protection argument (#43452)

BUG FIXES:

resource/aws_bedrockagent_flow: Fix missing required field, CreateFlowInput.Definition.Nodes[0].Configuration[prompt].SourceConfiguration[resource].PromptArn errors on Create (#43595)
resource/aws_s3_bucket: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
resource/aws_s3_object: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
resource/aws_servicequotas_service_quota: Fix error when updating a pending service quota request (#43606)
resource/aws_ssm_parameter: Fix Provider produced inconsistent final plan errors when changing from using value to using value_wo (#42877)
resource/aws_ssm_parameter: Fix version not being updated when description changes (#42595)

`v6.6.0`

Compare Source

FEATURES:

New Resource: aws_connect_phone_number_contact_flow_association (#43557)
New Resource: aws_nat_gateway_eip_association (#42591)

ENHANCEMENTS:

data-source/aws_cloudwatch_event_bus: Add log_config attribute (#43453)
data-source/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
feature/aws_bedrock_guardrail: Add cross_region_config, content_policy_config.tier_config, and topic_policy_config.tier_config arguments (#43517)
resource/aws_athena_database: Add workgroup argument (#36628)
resource/aws_batch_compute_environment: Add compute_resources.ec2_configuration.image_kubernetes_version argument (#43454)
resource/aws_cloudwatch_event_bus: Add log_config argument (#43453)
resource/aws_cognito_resource_server: Allow name to be updated in-place (#41702)
resource/aws_cognito_user_pool: Allow name to be updated in-place (#42639)
resource/aws_globalaccelerator_custom_routing_endpoint_group: Add resource identity support (#43539)
resource/aws_globalaccelerator_custom_routing_listener: Add resource identity support (#43539)
resource/aws_globalaccelerator_endpoint_group: Add resource identity support (#43539)
resource/aws_globalaccelerator_listener: Add resource identity support (#43539)
resource/aws_imagebuilder_container_recipe: Add resource identity support (#43540)
resource/aws_imagebuilder_distribution_configuration: Add resource identity support (#43540)
resource/aws_imagebuilder_image: Add resource identity support (#43540)
resource/aws_imagebuilder_image_pipeline: Add resource identity support (#43540)
resource/aws_imagebuilder_image_recipe: Add resource identity support (#43540)
resource/aws_imagebuilder_infrastructure_configuration: Add resource identity support (#43540)
resource/aws_imagebuilder_workflow: Add resource identity support (#43540)
resource/aws_inspector_assessment_target: Add resource identity support (#43542)
resource/aws_inspector_assessment_template: Add resource identity support (#43542)
resource/aws_inspector_resource_group: Add resource identity support (#43542)
resource/aws_nat_gateway: Change secondary_allocation_ids to Optional and Computed (#42591)
resource/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
resource/aws_ssm_service_setting: Support short format (with /ssm/ prefix) for setting_id (#43562)

BUG FIXES:

resource/aws_appsync_api_cache: Fix "missing required field" error during update (#43523)
resource/aws_cloudwatch_log_delivery_destination: Fix update failure when tags are set (#43576)
resource/aws_ecs_service: Fix unspecified test_listener_rule incorrectly being set as empty string in load_balancer.advanced_configuration block (#43558)

`v6.5.0`

Compare Source

NOTES:

resource/aws_cognito_log_delivery_configuration: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#43396)
resource/aws_ecs_service: Acceptance tests cannot fully reproduce scenarios with deployments older than 3 months. Community feedback on this fix is appreciated, particularly for long-running ECS services with in-place updates (#43502)

FEATURES:

New Data Source: aws_ecr_images (#42577)
New Resource: aws_cognito_log_delivery_configuration (#43396)
New Resource: aws_networkfirewall_firewall_transit_gateway_attachment_accepter (#43430)
New Resource: aws_s3_bucket_metadata_configuration (#41364)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn attributes (#43440)
data-source/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, firewall_status.sync_states.attachment.status_message, firewall_status.transit_gateway_attachment_sync_states, transit_gateway_id, and transit_gateway_owner_account_id attributes (#43430)
resource/aws_alb_listener: Add resource identity support (#43161)
resource/aws_alb_listener_rule: Add resource identity support (#43155)
resource/aws_alb_target_group: Add resource identity support (#43171)
resource/aws_dms_endpoint: Add oracle_settings configuration block for authentication method (#43125)
resource/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn arguments (#43440)
resource/aws_dms_endpoint: Add plan-time validation of postgres_settings.database_mode, postgres_settings.map_long_varchar_as, and postgres_settings.plugin_name arguments (#43440)
resource/aws_dms_replication_instance: Add dns_name_servers attribute and kerberos_authentication_settings configuration block for Kerberos authentication settings (#43125)
resource/aws_dx_gateway_association: Add transit_gateway_attachment_id attribute. This functionality requires the ec2:DescribeTransitGatewayAttachments IAM permission (#43436)
resource/aws_globalaccelerator_accelerator: Add resource identity support (#43200)
resource/aws_globalaccelerator_custom_routing_accelerator: Add resource identity support (#43423)
resource/aws_glue_registry: Add resource identity support (#43450)
resource/aws_glue_schema: Add resource identity support (#43450)
resource/aws_iam_openid_connect_provider: Add resource identity support (#43503)
resource/aws_iam_policy: Add resource identity support (#43503)
resource/aws_iam_saml_provider: Add resource identity support (#43503)
resource/aws_iam_service_linked_role: Add resource identity support (#43503)
resource/aws_inspector2_enabler: Support CODE_REPOSITORY as a valid value for resource_types (#43525)
resource/aws_inspector2_organization_configuration: Add auto_enable.code_repository argument (#43525)
resource/aws_lb_listener: Add resource identity support (#43161)
resource/aws_lb_listener_rule: Add resource identity support (#43155)
resource/aws_lb_target_group: Add resource identity support (#43171)
resource/aws_lb_trust_store: Add resource identity support (#43186)
resource/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, and transit_gateway_id arguments and firewall_status.transit_gateway_attachment_sync_states and transit_gateway_owner_account_id attributes (#43430)
resource/aws_networkfirewall_firewall: Mark subnet_mapping and vpc_id as Optional (#43430)
resource/aws_quicksight_account_subscription: Add import support. This resource can now be imported via the aws_account_id argument. (#43501)
resource/aws_sns_topic: Add resource identity support (#43202)
resource/aws_wafv2_rule_group: Add rules_json argument (#43397)
resource/aws_wafv2_web_acl: Add statement.rate_based_statement.custom_key.asn argument (#43506)

BUG FIXES:

provider: Prevent planned forces replacement on region for numerous resource types when upgrading from a pre-v6.0.0 provider version and -refresh=false is in effect (#43516)
resource/aws_api_gateway_resource: Recompute path when path_part is updated (#43215)
resource/aws_bedrockagent_flow: Remove definition.connection and definition.node list length limits (#43471)
resource/aws_ecs_service: Improve stabilization logic to handle both new deployments and in-place updates correctly. This fixes a regression introduced in v6.4.0 (#43502)
resource/aws_instance: Recompute ipv6_addresses when ipv6_address_count is updated (#43158)

`v6.4.0`

Compare Source

FEATURES:

New Data Source: aws_s3_access_point (#43391)
New Resource: aws_bedrockagent_flow (#42201)
New Resource: aws_fsx_s3_access_point_attachment (#43391)

ENHANCEMENTS:

data-source/aws_bedrock_inference_profiles: Add type argument (#43150)
data-source/aws_lakeformation_resource: Support hybrid_access_enabled, with_federation and with_privileged_access attributes (#43377)
resource/aws_acm_certificate: Support options.export argument to issue an exportable certificate (#43207)
resource/aws_cloudwatch_log_metric_filter: Add apply_on_transformed_logs argument (#43381)
resource/aws_datasync_location_object_storage: Make agent_arns optional (#43400)
resource/aws_ecs_service: Add deployment_configuration argument (#43434)
resource/aws_ecs_service: Add load_balancer.advanced_configuration argument (#43434)
resource/aws_ecs_service: Add service.client_alias.test_traffic_rules argument (#43434)
resource/aws_ecs_service: deployment_controller.type changes no longer force a replacement (#43434)
resource/aws_lakeformation_resource: Support with_privileged_access argument (#43377)
resource/aws_s3_bucket_public_access_block: Add skip_destroy argument (#43415)

BUG FIXES:

resource/aws_bedrockagent_agent_action_group: Correctly set parent_action_group_signature on Read (#43355)
resource/aws_datazone_environment_blueprint_configuration: Fix Inappropriate value for attribute "regional_parameters" errors during planning. This fixes a regression introduced in v6.0.0 (#43382)
resource/aws_ec2_transit_gateway_route_table_propagation: Don't mark transit_gateway_attachment_id as ForceNew if the value is known not to change (#43405)
resource/aws_lambda_function: Fix waiting for Lambda Function (...) version publish: unexpected state '', wanted target 'Successful' errors on Update. This fixes a regression introduced in v6.2.0 (#43416)
resource/aws_lexv2models_slot: Fix error when sub_slot_setting.slot_specification.value_elicitation_setting.prompt_specification.prompt_attempts_specification and value_elicitation_setting.prompt_specification.prompt_attempts_specification have default values (#43358)
resource/aws_securitylake_data_lake: Allow meta_store_role_arn to be updated in-place (#36874)

`v6.3.0`

Compare Source

FEATURES:

New Resource: aws_prometheus_query_logging_configuration (#43222)

ENHANCEMENTS:

data-source/aws_cloudfront_distribution: Add anycast_ip_list_id attribute (#43196)
data-source/aws_networkmanager_core_network_policy_document: Add core_network_configuration.dns_support and core_network_configuration.security_group_referencing_support arguments (#43277)
resource/aws_cloudfront_distribution: Add anycast_ip_list_id argument (#43196)
resource/aws_dynamodb_table: Add replica.consistency_mode argument in support of multi-Region strong consistency for Amazon DynamoDB global tables (#43236)

BUG FIXES:

provider: Fix runtime error: invalid memory address or nil pointer dereference panics for numerous resource types when modifying tags (#43324)
resource/aws_bedrockagent_agent_action_group: Add missing prepare agent call when deleting an action group (#43232)
resource/aws_bedrockagent_agent_action_group: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent action group base creation, update, and deletion. (#43232)
resource/aws_bedrockagent_agent_knowledge_base_association: Add missing prepare agent call when deleting a knowledge base association (#43232)
resource/aws_bedrockagent_agent_knowledge_base_association: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent knowledge base creation and disassociation (#43232)
resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix errant deletion of key value pairs when a value is changed (#43208)
resource/aws_cognito_user_pool_domain: Correctly update managed_login_version for custom Cognito domains (#43252)
resource/aws_db_instance_role_association: Retry InvalidDBInstanceState errors on delete (#43303)
resource/aws_medialive_channel: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration blocks are empty (#43308)
resource/aws_rds_cluster_role_association: Retry InvalidDBClusterStateFault errors on delete (#43303)
resource/aws_redshift_cluster: Correctly set availability_zone_relocation_enabled (#43270)
resource/aws_route53profiles_resource_association: Change resource_properties to Computed to enable vpc_endpoint associations (#42562)
resource/aws_ssoadmin_application: Updates value of arn when refreshing state. (#43273)

`v6.2.0`

Compare Source

NOTES:

resource/aws_s3_bucket_object: The format of the id attribute has changed from key to bucket/key. All configurations using id should be updated to use the key attribute instead (#43119)
resource/aws_s3_object: The format of the id attribute has changed from key to bucket/key. All configurations using id should be updated to use the key attribute instead (#43119)

ENHANCEMENTS:

data-source/aws_kinesis_stream_consumer: Add tags attribute. This functionality requires the kinesis:ListTagsForResource IAM permission (#43173)
data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection attribute (#43137)
resource/aws_accessanalyzer_analyzer: Add configuration.internal_access argument (#43138)
resource/aws_amplify_app: Add job_config argument (#43136)
resource/aws_amplify_branch: Add enable_skew_protection argument (#43218)
resource/aws_cloudtrail: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
resource/aws_cloudtrail_event_data_store: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
resource/aws_cloudwatch_event_archive: Add kms_key_identifier argument (#43139)
resource/aws_cloudwatch_log_group: Support DELIVERY as a valid value for log_group_class (#42658)
resource/aws_codebuild_project: Add environment.docker_server configuration block (#42982)
resource/aws_eks_pod_identity_association: Add disable_session_tags and target_role_arn arguments and external_id attribute (#42979)
resource/aws_emr_cluster: Add os_release_label argument (#43018)
resource/aws_fms_policy: Add resource_tag_logical_operator argument (#43031)
resource/aws_glue_job: Support job_mode argument (#42607)
resource/aws_kinesis_stream_consumer: Add tags argument and tags_all attribute. This functionality requires the kinesis:ListTagsForResource, kinesis:TagResource, and kinesis:UntagResource IAM permissions (#43173)
resource/aws_kms_key: Support HMAC_224, HMAC_384, HMAC_512, ML_DSA_44, ML_DSA_65, and ML_DSA_87 as valid values for customer_master_key_spec (#43128)
resource/aws_lightsail_instance_public_ports: -1 is now a valid value for port_info.from_port and port_info.to_port (#37703)
resource/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection argument (#43137)
resource/aws_rbin_rule: Add exclude_resource_tags argument (#43189)
resource/aws_s3_directory_bucket: Add tags argument and tags_all attribute. This functionality requires the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions (#43256)
resource/aws_s3tables_table: Add metadata argument (#43112)
resource/aws_wafv2_web_acl: Add aws_managed_rules_anti_ddos_rule_set to managed_rule_group_configs configuration block in support of L7 DDoS protection (#43149)

BUG FIXES:

provider: Fix Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#43221)
resource/aws_appflow_connector_profile: Fixes error refreshing resource state (#43221)
resource/aws_bcmdataexports_export: Fixes error when refreshing state with resources created before v6.0.0 (#43090)
resource/aws_bedrockagent_agent: Retry Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#43179)
resource/aws_bedrockagent_agent: Retry Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#43179)
resource/aws_bedrockagent_agent: Retry Update operation can't be performed on Agent when it is in Preparing state. errors during update (#43179)
resource/aws_bedrockagent_agent_collaborator: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#43179)
resource/aws_cloudwatch_query_definition: Support ARNs as valid values for log_group_names (#43183)
resource/aws_cur_report_definition: Allow an empty ("") value for s3_prefix. This fixes a regression introduced in v6.0.0 (#43159)
resource/aws_elasticsearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
resource/aws_elasticsearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
resource/aws_lambda_function: Fix perpetual logging_config diffs when log_format is set to JSON and publish = true (#42660)
resource/aws_lexv2models_intent: Add semantic equality check for confirmation_setting.prompt_specification.prompt_attempts_specification defaults (#43147)
resource/aws_opensearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
resource/aws_opensearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
resource/aws_quicksight_analysis: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_dashboard: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_template: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_user: Remove ForceNew from email (#43014)
resource/aws_verifiedpermissions_schema: Fix Value Conversion Error errors when upgrading existing resources to Terraform AWS Provider v6.0.0 (#43116)

`v6.0.0`

Compare Source

BREAKING CHANGES:

data-source/aws_ami: The severity of the diagnostic returned when most_recent is true and owner and image ID filter criteria has been increased to an error. Existing configurations which were previously receiving a warning diagnostic will now fail to apply. To prevent this error, set the owner argument or include a filter block with an image-id or owner-id name/value pair. To continue using unsafe filter values with most_recent set to true, set the new allow_unsafe_filter argument to true. This is not recommended. (#42114)
data-source/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_ecs_task_execution: Remove inference_accelerator_overrides attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_elbv2_listener_rule: The action.authenticate_cognito, action.authenticate_oidc, action.fixed_response, action.forward, action.forward.stickiness, action.redirect, condition.host_header, condition.http_header, condition.http_request_method, condition.path_pattern, condition.query_string, and condition.source_ip attributes are now list nested blocks instead of single nested blocks (#42283)
data-source/aws_identitystore_user: filter has been removed (#42325)
data-source/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_launch_template: elastic_gpu_specifications has been removed (#42312)
data-source/aws_opensearch_domain: kibana_endpoint has been removed (#42268)
data-source/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#42270)
data-source/aws_service_discovery_service: Remove tags_all attribute (#42136)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_application resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_custom_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ecs_cluster_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ganglia_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_haproxy_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_instance resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_java_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_memcached_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_mysql_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_nodejs_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_permission resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_php_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rails_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rds_db_instance resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_stack resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_static_web_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_user_profile resource has been removed (#41948)
provider: As the AWS SDK for Go v2 does not support Amazon SimpleDB the aws_simpledb_domain resource has been removed. Add a constraint to v5 of the Terraform AWS Provider for continued use of this resource (#41775)
provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_fleet resource has been removed (#42059)
provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_website_certificate_authority_association resource has been removed (#42059)
provider: The aws_redshift_service_account resource has been removed. AWS recommends that a service principal name should be used instead of an AWS account ID in any relevant IAM policy (#41941)
provider: The endpoints.iotanalytics and endpoints.iotevents configuration arguments have been removed (#42703)
provider: The endpoints.opsworks configuration argument has been removed (#41948)
provider: The endpoints.simpledb and endpoints.sdb configuration arguments have been removed (#41775)
provider: The endpoints.worklink configuration argument has been removed (#42059)
resource/aws_accessanalyzer_archive_rule: filter.exists now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_alb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_api_gateway_account: The reset_on_delete argument has been removed (#42226)
resource/aws_api_gateway_deployment: Remove canary_settings, execution_arn, invoke_url, stage_description, and stage_name arguments. Instead, use the aws_api_gateway_stage resource to manage stages. (#42249)
resource/aws_batch_compute_environment: Rename compute_environment_name to name
resource/aws_batch_compute_environment: Rename compute_environment_name_prefix to name_prefix (#38050)
resource/aws_batch_compute_environment_data_source: Rename compute_environment_name to name (#38050)
resource/aws_batch_job_queue: Remove deprecated parameter compute_environments in place of compute_environment_order (#40751)
resource/aws_bedrock_model_invocation_logging_configuration: logging_config, logging_config.cloudwatch_config, logging_config.cloudwatch_config.large_data_delivery_s3_config, and logging_config.s3_config are now list nested blocks instead of single nested blocks (#42307)
resource/aws_cloudfront_key_value_store: Attribute id is now set to remote object's Id instead of name (#42230)
resource/aws_cloudfront_response_headers_policy: The etag argument is now computed only (#38448)
resource/aws_cloudtrail_event_data_store: suspend now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_cognito_user_in_group: The id attribute is now a comma-delimited string concatenating the user_pool_id, group_name, and username arguments (#34082)
resource/aws_cur_report_definition: The s3_prefix argument is now required (#38446)
resource/aws_db_instance: character_set_name now cannot be set with replicate_source_db, restore_to_point_in_time, s3_import, or snapshot_identifier. (#42348)
resource/aws_dms_endpoint: Remove s3_settings attribute. Use aws_dms_s3_endpoint instead (#42379)
resource/aws_dx_gateway_association: vpn_gateway_id has been removed (#42323)
resource/aws_ec2_spot_instance_fleet: terminate_instances_on_delete now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_ec2_spot_instance_request: Remove block_duration_minutes attribute (#42060)
resource/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
resource/aws_eip: vpc has been removed. Use domain instead. (#42340)
resource/aws_eks_addon: resolve_conflicts has been removed. Use resolve_conflicts_on_create and resolve_conflicts_on_update instead. (#42318)
resource/aws_elasticache_cluster: auto_minor_version_upgrade now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_elasticache_replication_group: at_rest_encryption_enabled and auto_minor_version_upgrade now only accept one of "" (empty string), true, or false (#42434)
resource/aws_elasticache_replication_group: auth_token_update_strategy no longer has a default value. If auth_token is set, auth_token_update_strategy must also be explicitly configured. (#42336)
resource/aws_evidently_feature: variations.value.bool_value now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_flow_log: log_group_name has been removed. Use log_destination instead. (#42333)
resource/aws_globalaccelerator_accelerator: The id attribute is now computed only (#42097)
resource/aws_guardduty_detector: Deprecates datasources. Use aws_guardduty_detector_feature resources instead. (#42436)
resource/aws_guardduty_organization_configuration: The auto_enable attribute has been removed (#42251)
resource/aws_identitystore_group: filter has been removed (#42325)
resource/aws_imagebuilder_container_recipe: instance_configuration.block_device_mapping.ebs.delete_on_termination and instance_configuration.block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
resource/aws_imagebuilder_image_recipe: block_device_mapping.ebs.delete_on_termination and block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
resource/aws_instance: Remove cpu_core_count and cpu_threads_per_core. Instead, use cpu_options. (#42280)
resource/aws_instance: user_data now displays cleartext instead of a hash. Base64 encoded content should use user_data_base64 instead. (#42078)
resource/aws_launch_template: block_device_mappings.ebs.delete_on_termination, block_device_mappings.ebs.encrypted, ebs_optimized, network_interfaces.associate_carrier_ip_address, network_interfaces.associate_public_ip_address, network_interfaces.delete_on_termination, and network_interfaces.primary_ipv6 now only accept one of "" (empty string), true, or false (#42434)
resource/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
resource/aws_launch_template: elastic_gpu_specifications has been removed (#42312)
resource/aws_lb_listener: mutual_authentication attributes advertise_trust_store_ca_names, ignore_client_certificate_expiry, and trust_store_arn are only valid if mode is verify (#42326)
resource/aws_lb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_mq_broker: logs.audit now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_networkmanager_core_network: The base_policy_region argument has been removed. Use base_policy_regions instead. (#38398)
resource/aws_opensearch_domain: kibana_endpoint has been removed (#42268)
resource/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#42270)
resource/aws_paymentcryptography_key: key_attributes and key_attributes.key_modes_of_use are now list nested blocks instead of single nested blocks. (#42264)
resource/aws_quicksight_data_set: tags_all has been removed (#42260)
resource/aws_redshift_cluster: Attributes cluster_public_key, cluster_revision_number, and endpoint are now read only and should not be set (#42119)
resource/aws_redshift_cluster: The logging attribute has been removed (#42013)
resource/aws_redshift_cluster: The publicly_accessible attribute now defaults to false (#41978)
resource/aws_redshift_cluster: The snapshot_copy attribute has been removed (#41995)
resource/aws_rekognition_stream_processor: regions_of_interest.bounding_box is now a list nested block instead of a single nested block (#41380)
resource/aws_resiliencehub_resiliency_policy: policy, policy.az, policy.hardware, policy.software, and policy.region are now list nested blocks instead of single nested blocks (#42297)
resource/aws_sagemaker_app_image_config: Exactly one code_editor_app_image_config, jupyter_lab_image_config, or kernel_gateway_image_config block must be configured (#42753)
resource/aws_sagemaker_image_version: id is now a comma-delimited string concatenating image_name and version (#42536)
resource/aws_sagemaker_notebook_instance: Remove accelerator_types from your configuration—it no longer exists. Instead, use instance_type to use Inferentia. (#42099)
resource/aws_ssm_association: Remove instance_id argument (#42224)
resource/aws_verifiedpermissions_schema: definition is now a list nested block instead of a single nested block (#42305)
resource/aws_wafv2_web_acl: rule.statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_bot_control_rule_set.enable_machine_learning now defaults to false (#39858)

NOTES:

data-source/aws_cloudtrail_service_account: This data source is deprecated. AWS recommends using a service principal name instead of an AWS account ID in any relevant IAM policy. (#42320)
data-source/aws_kms_secret: This data source will be removed in a future version (#42524)
data-source/aws_region: The name attribute has been deprecated. All configurations using name should be updated to use the region attribute instead (#42131)
data-source/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
data-source/aws_servicequotas_templates: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
data-source/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)
data-source/aws_vpc_endpoint_service: The region attribute has been deprecated. All configurations using region should be updated to use the service_region attribute instead (#42014)
data-source/aws_vpc_peering_connection: The region attribute has been deprecated. All configurations using region should be updated to use the requester_region attribute instead (#42014)
provider: Support for the global S3 endpoint is deprecated, along with the s3_us_east_1_regional_endpoint argument. The ability to use the global S3 endpoint will be removed in v7.0.0. (#42375)
resource/aws_cloudformation_stack_set_instance: The region attribute has been deprecated. All configurations using region should be updated to use the stack_set_instance_region attribute instead (#42014)
resource/aws_codeconnections_host: Deprecates id in favor of arn (#42232)
resource/aws_config_aggregate_authorization: The region attribute has been deprecated. All configurations using region should be updated to use the authorized_aws_region attribute instead (#42014)
resource/aws_dx_hosted_connection: The region attribute has been deprecated. All configurations using region should be updated to use the connection_region attribute instead (#42014)
resource/aws_elasticache_replication_group: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elasticache_user: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elasticache_user_group: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elastictranscoder_pipeline: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#42313)
resource/aws_elastictranscoder_preset: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#42313)
resource/aws_evidently_feature: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_launch: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_project: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_segment: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_guardduty_organization_configuration: datasources now returns a deprecation warning (#42251)
resource/aws_kinesis_analytics_application: Effective January 27, 2026, AWS will no longer support Kinesis Data Analytics for SQL. This resource is deprecated and will be removed in a future version. Use the aws_kinesisanalyticsv2_application resource instead (#42102)
resource/aws_media_store_container: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#42265)
resource/aws_media_store_container_policy: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#42265)
resource/aws_redshift_cluster: The default value of encrypted is now true to match the AWS API. (#42631)
resource/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
resource/aws_service_discovery_service: health_check_custom_config.failure_threshold is deprecated. The argument is no longer supported by AWS and is always set to 1 (#40777)
resource/aws_servicequotas_template: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
resource/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)

ENHANCEMENTS:

data-source/aws_ami: Add allow_unsafe_filter argument (#42114)
data-source/aws_availability_zone: Add group_long_name attribute (#42014)
data-source/aws_availability_zone: Mark region as Optional, allowing a value to be configured (#42014)
resource/aws_auditmanager_assessment: Add plan-time validation of roles.role_arn and roles.role_type (#42131)
provider: Add enhanced region support to most resources, data sources, and ephemeral resources, allowing per-resource Region targeting without requiring multiple provider configurations. See the Enhanced Region Support guide for more information. (#43075)
resource/aws_auditmanager_control: Add plan-time validation of control_mapping_sources.source_frequency, control_mapping_sources.source_set_up_option, and control_mapping_sources.source_type (#42131)
resource/aws_auditmanager_framework_share: Add plan-time validation of destination_account (#42741)
resource/aws_auditmanager_organization_admin_account_registration: Add plan-time validation of admin_account_id (#42741)
resource/aws_cognito_user_in_group: Add import support (#34082)
resource/aws_ecs_service: Add arn attribute (#42733)
resource/aws_guardduty_detector: Adds validation to finding_publishing_frequency. (#42436)
resource/aws_lb_listener: mutual_authentication attribute trust_store_arn is required if mode is verify (#42326)
resource/aws_quicksight_iam_policy_assignment: Add plan-time validation of policy_arn (#42131)
resource/aws_sagemaker_image_version: Add aliases argument (#42610)
resource/aws_securitylake_subscriber: Add plan-time validation of access_type source.aws_log_source_resource.source_name, and subscriber_identity.external_id (#42131)

BUG FIXES:

resource/aws_auditmanager_control: Fix Provider produced inconsistent result after apply errors (#42131)
resource/aws_redshift_cluster: Fixes permanent diff when encrypted is not explicitly set to true. (#42631)
resource/aws_rekognition_stream_processor: Fix regions_of_interest.bounding_box and regions_of_interest.polygon argument validation (#41380)
resource/aws_sagemaker_image_version: Read the correct image version after creation rather than always fetching the latest (#42536)
resource/aws_securitylake_subscriber: Change access_type to ForceNew (#42131)

`v5.100.0`

Compare Source

NOTES:

resource/aws_route53_vpc_association_authorization: Because we cannot easily replicate the highly concurrent environments in which these errors have been observed, this fix is best effort and we ask for community help in verifying the reported issues are resolved by this change (#42948)

FEATURES:

New Resource: aws_dsql_cluster (#41868)
New Resource: aws_dsql_cluster_peering (#41868)
New Resource: aws_prometheus_workspace_configuration (#42478)
New Resource: aws_s3control_directory_bucket_access_point_scope (#42338)
New Resource: aws_vpc_route_server (#42392)
New Resource: aws_vpc_route_server_endpoint (#42392)
New Resource: aws_vpc_route_server_peer (#42392)
New Resource: aws_vpc_route_server_propagation (#42392)
New Resource: aws_vpc_route_server_vpc_association (#42392)
New Resource: aws_workspacesweb_data_protection_settings (#42852)
New Resource: aws_workspacesweb_ip_access_settings (#42863)
New Resource: aws_workspacesweb_user_access_logging_settings (#42868)

ENHANCEMENTS:

data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-east-2 AWS Region (#42915)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-east-2 AWS Region (#42915)
data-source/aws_neptune_engine_version: Add several arguments and attributes to support dynamic selection of versions including latest, has_major_target, preferred_major_targets, and preferred_upgrade_targets (#42854)
data-source/aws_s3_bucket: Add hosted zone ID for ap-east-2 AWS Region (#42915)
provider: Support ap-east-2 as a valid AWS Region (#42906)
resource/aws_fsx_lustre_file_system: Add data_read_cache_configuration and throughput_capacity arguments in support of the Intelligent-Tiering storage class (#42839)
resource/aws_pinpointsmsvoicev2_phone_number: Add two_way_channel_role argument (#42950)
resource/aws_route53_vpc_association_authorization: Add configurable timeouts for create, read, and delete (#42948)
resource/aws_s3_access_point: Add support for S3 Directory Buckets (#42338)
resource/aws_s3control_access_point_policy: Add support for S3 Directory Buckets (#42338)
resource/aws_vpn_connection: Add preshared_key_storage argument and preshared_key_arn attribute (#42819)
resource/aws_wafv2_rule_group: Add statement.asn_match_statement configuration block (#42965)
resource/aws_wafv2_web_acl: Add statement.asn_match_statement configuration block (#42965)

BUG FIXES:

resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Batch update operations to stay under the Key Value Store Service Quota. The max_batch_size argument can be used to override the default value of 50 items. (#42795)
resource/aws_cloudwatch_log_destination: Fix to return the first matched destination name during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_cloudwatch_log_group: Fix to return the first matched group name during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_cloudwatch_log_metric_filter: Fix to return the first matched filter name during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_cloudwatch_log_query_definition: Fix to return the first matched query definition ID during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_cloudwatch_log_resource_policy: Fix to return the first matched policy name during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_cloudwatch_log_subscription_filter: Fix to return the first matched filter name during the read operation. This fixes a regression introduced in v5.83.0 (#42896)
resource/aws_dynamodb_table: Set new computed value for stream_arn attribute when changing stream_view_type (#42561)
resource/aws_neptune_cluster: Enable minor and major version upgrades by fixing various issues preventing them (#42854)
resource/aws_neptune_global_cluster: Enable minor and major version upgrades by fixing various issues preventing them (#42854)
resource/aws_route53_vpc_association_authorization: Retry InvalidPaginationToken errors on read (#42948)
resource/aws_verifiedaccess_endpoint: Fix InvalidParameterValue: The value of loadBalancerOptions.port you provided is not valid errors when creating TCP load balancer endpoints (#42736)
resource/aws_vpc_endpoint_subnet_association: Fix OperationInProgress: VpcEndpoint modify operation in progress errors when deleting multiple associations in parallel (#42884)

`v5.99.1`

Compare Source

BUG FIXES:

resource/aws_fms_admin_account: Fix panic: runtime error: invalid memory address or nil pointer dereference (#42813)
resource/aws_lb: Ignore InvalidAction exceptions for DescribeCapacityReservation operations. This fixes a regression introduced in v5.99.0 (#42812)
resource/aws_s3_bucket_lifecycle_configuration: Correctly handles switching child attributes of rule.filter. (#42655)

`v5.99.0`

Compare Source

FEATURES:

New Resource: aws_notifications_channel_association (#42575)
New Resource: aws_notifications_event_rule (#42575)
New Resource: aws_notifications_notification_configuration (#42575)
New Resource: aws_notifications_notification_hub (#42544)
New Resource: aws_notificationscontacts_email_contact (#42575)
New Resource: aws_quicksight_account_settings (#42185)
New Resource: aws_workspacesweb_browser_settings (#42681)
New Resource: aws_workspacesweb_network_settings (#42722)
New Resource: aws_workspacesweb_user_settings (#42783)

ENHANCEMENTS:

data-source/aws_ami: Add block_device_mappings.ebs["volume_initialization_rate"] attribute (#42684)
data-source/aws_launch_template: Add block_device_mappings.ebs.volume_initialization_rate attribute (#42684)
data-source/aws_verifiedpermissions_policy_store: Add tags attribute. This functionality requires the verifiedpermissions:ListTagsForResource IAM permission (#42663)
resource/aws_ecs_service: Add volume_configuration.managed_ebs_volume.volume_initialization_rate argument (#42750)
resource/aws_launch_template: Add block_device_mappings.ebs.volume_initialization_rate argument (#42684)
resource/aws_lb: Add minimum_load_balancer_capacity configuration block. This functionality requires the elasticloadbalancing:DescribeCapacityReservations and elasticloadbalancing:ModifyCapacityReservation IAM permissions (#42685)
resource/aws_organizations_account: Allow name to be updated in-place. This functionality requires the account:PutAccountName IAM permission (#42350)
resource/aws_securityhub_standards_subscription: Add configurable Create and Delete timeouts (#42759)
resource/aws_verifiedpermissions_policy_store: Add tags argument and tags_all attribute. This functionality requires the verifiedpermissions:ListTagsForResource, verifiedpermissions:TagResource, and verifiedpermissions:UntagResource IAM permissions (#42663)

BUG FIXES:

data-source/aws_ecr_repository_creation_template: prefix can now be up to 256 characters (#42723)
resource/aws_cloudwatch_log_stream: Fix to return the first matched stream name during the read operation. This fixes a regression introduced in v5.83.0 (#42719)
resource/aws_cognitoidp_user_pool: Fix crash when the user_pool_add_ons.advanced_security_additional_flows block is non-empty, but contains only a single nil value. (#42793)
resource/aws_ecr_repository_creation_template: prefix can now be up to 256 characters (#42723)
resource/aws_elasticache_replication_group: Fix crash during read operations where configuration endpoint and node groups are nil and empty, respectively (#42726)
resource/aws_s3_bucket: Ensure that HeadBucket S3 API calls are made using configured credentials. This fixes a regression introduced in v5.98.0 (#42786)
resource/aws_s3_bucket_lifecycle_configuration: No longer returns warning on empty rule.filter. (#42624)
resource/aws_vpc_endpoint: Fix issue where dns_options were not being updated correctly when private_dns_enabled was set to true (#42746)

`v5.98.0`

Compare Source

FEATURES:

New Data Source: aws_account_primary_contact (#42526)
New Data Source: aws_dynamodb_tables (#42339)
New Resource: aws_bedrockagent_prompt (#42211)
New Resource: aws_cloudfrontkeyvaluestore_keys_exclusive (#42246)
New Resource: aws_dataexchange_revision_assets (#42272)
New Resource: aws_inspector2_filter (#42374)
New Resource: aws_wafv2_api_key (#42525)

ENHANCEMENTS:

data-source/aws_cloudwatch_event_bus: Add dead_letter_config attribute (#42471)
data-source/aws_cloudwatch_event_connection: Add kms_key_identifier attribute (#42385)
data-source/aws_cognito_user_pool_client: Add refresh_token_rotation attribute (#42430)
data-source/aws_cognitoidp_user_pool: Add user_pool_add_ons attribute (#42470)
data-source/aws_dynamodb_table: Add point_in_time_recovery.recovery_period_in_days attribute (#41484)
data-source/aws_ec2_client_vpn_endpoint: Add client_route_enforcement_options attribute (#42424)
data-source/aws_imagebuilder_distribution_configuration: Add distribution.ssm_parameter_configuration attribute (#42604)
data-source/aws_redshiftserverless_workgroup: Add track_name attribute (#42451)
data-source/aws_workspaces_directory: Add active_directory_config, user_identity_type, workspace_directory_description, workspace_directory_name, and workspace_type attributes (#42330)
resource/aws_appflow_flow: Add destination_flow_config.destination_connector_properties.salesforce.data_transfer_api argument (#42479)
resource/aws_autoscaling_group: Add capacity_reservation_specification argument (#42380)
resource/aws_bedrockagent_agent: Add prepared_at attribute. (#42586)
resource/aws_bedrockagent_agent: Increase instruction max length for validation to 20000 (#42596)
resource/aws_cloudwatch_event_bus: Add dead_letter_config argument (#42471)
resource/aws_cloudwatch_event_connection: Add kms_key_identifier argument (#42385)
resource/aws_cognito_managed_user_pool_client: Add refresh_token_rotation argument (#42430)
resource/aws_cognito_user_pool_client: Add refresh_token_rotation argument (#42430)
resource/aws_cognitoidp_user_pool: Add user_pool_add_ons.advanced_security_additional_flows argument (#42470)
resource/aws_docdb_cluster: Add manage_master_user_password argument and master_user_secret attribute (#42563)
resource/aws_dynamodb_table: Add point_in_time_recovery.recovery_period_in_days argument (#41484)
resource/aws_ec2_client_vpn_endpoint: Add client_route_enforcement_options argument (#42424)
resource/aws_ecs_account_setting_default: Add support for defaultLogDriverMode value in Name argument (#42418)
resource/aws_imagebuilder_distribution_configuration: Add distribution.ssm_parameter_configuration argument (#42604)
resource/aws_iot_domain_configuration: Add application_protocol and authentication_type arguments (#42534)
resource/aws_msk_serverless_cluster: Add bootstrap_brokers_sasl_iam attribute. This functionality requires the kafka:GetBootstrapBrokers IAM permission (#42148)
resource/aws_redshiftserverless_workgroup: Add track_name argument (#42451)
resource/aws_rum_app_monitor: Add domain_list argument (#42456)
resource/aws_rum_app_monitor: Mark domain as Optional (#42456)
resource/aws_s3tables_table: Add encryption_configuration argument. This functionality requires the s3tables:GetTableEncryption IAM permission (#42356)
resource/aws_s3tables_table_bucket: Add encryption_configuration argument. This functionality requires the s3tables:GetTableBucketEncryption IAM permission (#42356)
resource/aws_securityhub_finding_aggregator: Support NO_REGIONS as a valid value for linking_mode (#42574)
resource/aws_sns_topic: Add fifo_throughput_scope argument (#42508)
resource/aws_wafv2_rule_group: Add uri_fragment to field_to_match configuration blocks (#42407)
resource/aws_wafv2_web_acl: Add data_protection_config argument (#42404)
resource/aws_wafv2_web_acl: Add uri_fragment to field_to_match configuration blocks (#42407)
resource/aws_workspaces_directory: Add active_directory_config, user_identity_type, workspace_directory_description, workspace_directory_name, and workspace_type arguments in support of WorkSpaces Pools (#42330)
resource/aws_workspaces_directory: Mark directory_id as Optional (#42330)

BUG FIXES:

aws_sagemaker_mlflow_tracking_server: Fix ValidationException: The provided MLflow version is not supported errors (#42435)
data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.policy_variables configuration block (#42473)
resource/aws_bedrockagent_agent_alias: Stop using state for unknown on routing_configuration so we only send it on update when explicility configured. This allows updates to aliases to create new versions. (#42603)
resource/aws_cloudwatch_metric_alarm: Support 20 as a valid value for metric_query.metric.period, metric_query.period, and period (#42390)
resource/aws_controltower_control: Fix handling ResourceNotFound exceptions during delete (#42494)
resource/aws_controltower_control: Fix handling of parameters block removal (#42494)
resource/aws_ec2_network_insights_path: Fix failure when filter_at_source.source_address is unspecified. (#42369)
resource/aws_instance: Fix InvalidNetworkInterface.InUse errors on Create (#42623)
resource/aws_lb_listener: Don't send zero value (false, 0 or "") for unconfigured listener attributes on Create (#41846)
resource/aws_rds_cluster_parameter_group: Fix InvalidParameterValue: collation_server '..' is not valid for character_set '...' errors on Create (#42559)

`v5.97.0`

Compare Source

FEATURES:

New Resource: aws_ec2_default_credit_specification (#42345)

ENHANCEMENTS:

data-source/aws_glue_connection: Support athena_properties attribute (#42262)
data-source/aws_imagebuilder_infrastructure_configuration: Add placement attribute (#42347)
data-source/aws_networkfirewall_firewall: Add enabled_analysis_types attribute (#42160)
data-source/aws_workspaces_directory: Add certificate_based_auth_properties attribute (#42269)
resource/aws_accessanalyzer_analyzer: Add configuration.unused_access.analysis_rule argument (#42332)
resource/aws_fis_experiment_template: Add support for ManagedResources to action.*.target (#42376)
resource/aws_glue_connection: Add athena_properties argument and allow DYNAMODB connection type. (#42262)
resource/aws_glue_connection: Support DYNAMODB as a valid value for connection_type (#42262)
resource/aws_imagebuilder_infrastructure_configuration: Add placement argument (#42347)
resource/aws_networkfirewall_firewall: Add enabled_analysis_types argument (#42160)
resource/aws_workspaces_directory: Add certificate_based_auth_properties configuration block (#42269)

BUG FIXES:

resource/aws_vpclattice_listener_rule: Prevents error when setting listener_identifier to ARN. (#42215)
resource/aws_vpclattice_listener_rule: Prevents error when setting service_identifier to ARN. (#42215)
resource/aws_vpclattice_listener_rule: Requires match.http_match. (#42215)
resource/aws_vpclattice_listener_rule: Requires exactly one of action.fixed_response or action.forward. (#42215)

`v5.96.0`

Compare Source

FEATURES:

New Data Source: aws_fis_experiment_templates (#37060)
New Data Source: aws_vpc_endpoint_associations (#41918)

ENHANCEMENTS:

data-source/aws_api_gateway_domain_name: Add endpoint_configuration.ip_address_type attribute (#42146)
data-source/aws_api_gateway_rest_api: Add endpoint_configuration.ip_address_type attribute (#42146)
data-source/aws_apigatewayv2_api: Add ip_address_type attribute (#42145)
data-source/aws_dms_endpoint: Add kinesis_settings.use_large_integer_value attribute (#42300)
data-source/aws_guardduty_detector: Add arn attribute (#42344)
data-source/aws_guardduty_detector: Add tags attribute (#42344)
resource/aws_api_gateway_domain_name: Add endpoint_configuration.ip_address_type argument to support dual-stack (IPv4 and IPv6) endpoints (#42146)
resource/aws_api_gateway_rest_api: Add endpoint_configuration.ip_address_type argument to support dual-stack (IPv4 and IPv6) endpoints (#42146)
resource/aws_apigatewayv2_api: Add ip_address_type argument to support dual-stack (IPv4 and IPv6) endpoints (#42145)
resource/aws_apigatewayv2_domain_name: Add domain_name_configuration.ip_address_type argument to support dual-stack (IPv4 and IPv6) endpoints (#42145)
resource/aws_dms_endpoint: Add kinesis_settings.use_large_integer_value argument (#42300)
resource/aws_fis_experiment_template: Add experiment_report_configuration argument (#41120)

BUG FIXES:

resource/aws_elasticache_replication_group: Fix malformed version error when parsing 7.x redis engine versions (#42346)
resource/aws_iam_user: Retry ConcurrentModificationExceptions during user creation (#42081)
resource/aws_rds_cluster: Fix InvalidParameterValue: SecondsUntilAutoPause can only be specified when minimum capacity is 0 errors when removing serverlessv2_scaling_configuration.seconds_until_auto_pause (#41180)

`v5.95.0`

Compare Source

NOTES:

resource/aws_api_gateway_deployment: Computed attributes invoke_url and execution_arn are deprecated. Use the invoke_url and execution_arn attributes of the aws_api_gateway_stage resource instead. (#42244)

FEATURES:

New Resource: aws_redshift_integration (#42105)

ENHANCEMENTS:

data-source/aws_ec2_network_insights_path: Support filter_at_destination and filter_at_source attributes (#42214)
resource/aws_amplify_app: Add compute_role_arn argument (#41650)
resource/aws_codebuild_webhook: Add manual_creation argument (#40155)
resource/aws_cognito_user_pool_domain: Add managed_login_version argument (#40855)
resource/aws_ec2_network_insights_path: Add filter_at_destination and filter_at_source configuration blocks (#42214)
resource/aws_eks_cluster: Add force_update_version argument (#42134)
resource/aws_prometheus_scraper: Allow alias, destination, role_configuration, and scrape_configuration to be updated in-place (#42109)
resource/aws_redshiftserverless_workgroup: Add price_performance_target argument (#40946)
resource/aws_sagemaker_image_version: Add horovod, job_type, ml_framework, processor, programming_lang, release_notes, and vendor_guidance arguments (#42143)
resource/aws_sagemaker_notebook_lifecycle_configuration: Add tags argument and tags_all attribute (#42141)
resource/aws_transfer_server: Add TransferSecurityPolicy-2025-03, TransferSecurityPolicy-FIPS-2025-03, and TransferSecurityPolicy-SshAuditCompliant-2025-02 as valid values for security_policy_name (#42164)

BUG FIXES:

resource/aws_elasticache_serverless_cache: Fix to allow in-place updates when engine is changed from redis to valkey (#42208)
resource/aws_kms_custom_key_store: Fix panic: runtime error: invalid memory address or nil pointer dereference when no XksProxyConfiguration is returned (#42241)
resource/aws_s3_bucket_lifecycle_configuration: Fix errors when removing rule from top of list (#42228)
resource/aws_s3_bucket_lifecycle_configuration: Fix potential eventual consistency errors in some regions (#41764)
resource/aws_s3_bucket_lifecycle_configuration: No longer allows empty rule.filter.and.tags (#42041)
resource/aws_sagemaker_domain: Allow default_user_settings.custom_file_system_config and default_space_settings.custom_file_system_config to be removed on Update (#42144)
resource/aws_sagemaker_user_profile: Allow user_settings.custom_file_system_config to be removed on Update (#42144)

`v5.94.1`

Compare Source

BUG FIXES:

resource/aws_sns_topic_subscription: Ignore AuthorizationError exceptions for ListSubscriptionByTopic operations. This fixes a regression introduced in v5.94.0. (#42117)

`v5.94.0`

Compare Source

NOTES:

resource/aws_ssm_parameter: The overwrite argument is no longer deprecated (#42030)

ENHANCEMENTS:

data-source/aws_ami: Add last_launched_time attribute (#42049)
resource/aws_ami: Add last_launched_time attribute (#42049)
resource/aws_ami_copy: Add last_launched_time attribute (#42049)
resource/aws_ami_from_instance: Add last_launched_time attribute (#42049)
resource/aws_glue_job: Add source_control_details argument (#42046)
resource/aws_lambda_function: Add support for ruby3.4 runtime value (#42052)
resource/aws_lambda_layer_version: Add support for ruby3.4 compatible_runtimes value (#42052)
resource/aws_prometheus_scraper: Add role_configuration argument (#42039)
resource/aws_s3_bucket_lifecycle_configuration: Adds warning if multiple attributes in rule.expiration are set (#42036)
resource/aws_s3_bucket_lifecycle_configuration: Adds warning if neither rule.prefix nor rule.filter is set (#42036)
resource/aws_s3_bucket_lifecycle_configuration: Adds warning if neither rule.transition.date nor rule.transition.days is set and error if both are set (#42036)
resource/aws_s3_bucket_lifecycle_configuration: Removes spurious "known after apply" notations in plan (#42036)

BUG FIXES:

resource/aws_cloudformation_type: Set the default version of an extension to the newly created version. This fixes CFNRegistryException: Version '...' is the default version and cannot be deregistered errors when deregistering an extension and the create_before_destroy meta-argument is true (#38855)
resource/aws_connect_queue: Fix API limitation when assigning more than 50 Quick Connects to a queue (#42108)
resource/aws_ecs_service: Fix missing volume_configuration and service_connect_configurations values from state read/refresh (#41998)
resource/aws_ecs_service: Mark service_connect_configuration.service.discovery_name and service_connect_configuration.service.client_alias.dns_name as Computed (#41998)
resource/aws_msk_cluster: Fix Provider produced inconsistent final plan errors when configuration_info.revision is unknown (#42037)
resource/aws_quicksight_data_set: Fix perpetual diff when refresh_properties is not configured (#42076)
resource/aws_s3_bucket_lifecycle_configuration: Removes incorrect warning for empty rule.filter (#42036)
resource/aws_sns_topic_subscription: Fix to handle eventually consistent subscription read operations (#42093)
resource/aws_sqs_queue: Fix waiting for SQS Queue... attributes create: timeout while waiting errors when sqs_managed_sse_enabled = false or omitted and kms_master_key_id is not set but kms_data_key_reuse_period_seconds is set to a non-default value. (#42062)
resource/aws_workspaces_workspace: Properly update workspace_properties.running_mode_auto_stop_timeout_in_minutes when modified (#40953)

`v5.93.0`

Compare Source

FEATURES:

New Resource: aws_api_gateway_rest_api_put (#41375)

ENHANCEMENTS:

data-source/aws_ecr_pull_through_cache_rule: Add custom_role_arn and upstream_repository_prefix attributes (#41933)
resource/aws_bedrockagent_agent: Add memory_configuration configuration block (#39970)
resource/aws_codepipeline: Adds trigger_all attribute (#42008)
resource/aws_codepipeline: Removal of trigger argument now properly removes custom trigger definitions (#42008)
resource/aws_cognitoidp_user_pool: Mark the username_configuration and username_configuration.case_sensitive arguments as optional and computed. This will future proof the provider against upstream API changes which may return a default value for the block when omitted during create operations. (#35439)
resource/aws_datasync_task: Add task_mode argument (#39979)
resource/aws_ecr_pull_through_cache_rule: Add custom_role_arn and upstream_repository_prefix arguments (#41933)
resource/aws_ecr_pull_through_cache_rule: Correct plan-time validation of ecr_repository_prefix to support a value of "ROOT" (#41933)
resource/aws_elasticache_cluster: Add configurable timeouts for create, update, and delete operations (#41940)
resource/aws_kinesisanalyticsv2_application: Allow runtime_environment to be updated in-place (#41935)
resource/aws_verified_access_endpoint: Add cidr_options, load_balancer.port_range, network_interface_options.port_range, and rds_options arguments (#41957)
resource/aws_verified_access_endpoint: Mark application_domain, domain_certificate_arn and endpoint_domain_prefix as Optional (#41957)
resource/aws_verified_access_endpoint: Support cidr and rds as valid values for endpoint_type (#41957)
resource/aws_verified_access_instance: Add cidr_endpoint_custom_subdomain argument and name_servers attribute (#41957)
resource/aws_verified_access_trust_provider: Add native_application_oidc_options and sse_specification arguments (#41957)

BUG FIXES:

resource/aws_db_instance: Fix InvalidParameterCombination: To enable the Advanced mode of Database Insights, modify your cluster to enable Performance Insights and set the retention period for Performance Insights to at least 465 days errors when enabling database_insights_mode on existing instances (#41960)
resource/aws_eip: Prevents application from failing when hitting "InvalidAction" error for specific regions (#41920)
resource/aws_elasticache_replication_group: Retry InvalidReplicationGroupState exceptions during tagging operations (#41954)
resource/aws_elasticache_replication_group: Wait for replication group to become available before all modification operations (#40320)
resource/aws_iot_domain_configuration: Change domain_name to Computed (#41985)
resource/aws_lakeformation_opt_in: Fix error when expanding resource_data.table_wildcard attribute (#41939)

`v5.92.0`

Compare Source

NOTES:

resource/aws_kendra_data_source: The configuration.s3_configuration argument is deprecated. Use configuration.template_configuration instead, which supports the upgraded Amazon S3 connector. Amazon has ended support for the older architecture as of June 2024, and resources created with this argument cannot be edited or updated. See the Amazon Kendra documentation for additional details. (#35437)
resource/aws_kendra_data_source: The configuration.web_crawler_configuration argument is deprecated. Use configuration.template_configuration instead, which supports the Amazon Kendra Web Crawler connector v2.0. See the Amazon Kendra documentation for additional details. (#35437)

FEATURES:

New Data Source: aws_api_gateway_api_keys (#39335)
New Data Source: aws_eks_cluster_versions (#40741)
New Data Source: aws_identitystore_group_memberships (#31589)
New Data Source: aws_identitystore_users (#31688)
New Resource: aws_athena_capacity_reservation (#41858)

ENHANCEMENTS:

data-source/aws_connect_user: Add identity_info.secondary_email attribute (#41001)
data-source/aws_db_instance: Add database_insights_mode attribute (#41607)
data-source/aws_ebs_volume: Add create_time attribute (#41839)
data-source/aws_lb: Add ipam_pools attribute (#41822)
provider: Support aws-marketplace as a valid account ID in ARNs (#41867)
resource/aws_appconfig_extension_association: Add plan-time validation of extension_arn and resource_arn (#41907)
resource/aws_connect_user: Add identity_info.secondary_email attribute (#41001)
resource/aws_db_instance: Add database_insights_mode argument (#41607)
resource/aws_ebs_volume: Add create_time attribute (#41839)
resource/aws_kendra_data_source: Add configuration.template_configuration argument (#35437)
resource/aws_lb: Add ipam_pools configuration block (#41822)

BUG FIXES:

resource/aws_api_gateway_rest_api: Avoid unnecessary remove and add operations for vpc_endpoint_ids (#41836)
resource/aws_bedrockagent_agent: Fix instruction validator to consider multi-byte chars so not to artificially limit instruction length (#41921)
resource/aws_eks_cluster: Allow compute_config.node_role_arn to update in place when previously unset (#41925)
resource/aws_rds_cluster: Ensure that performance_insights_enabled takes effect when creating a cluster that is a member of a global cluster (#41737)
resource/aws_rds_cluster: Fix InvalidParameterCombination: To enable the Advanced mode of Database Insights, modify your cluster to enable Performance Insights and set the retention period for Performance Insights to at least 465 days errors when enabling database_insights_mode on existing clusters (#41737)
resource/aws_timestreaminfluxdb_db_instance: Set new computed value for secondary_availability_zone attribute when changing deployment_type (#41849)

`v5.91.0`

Compare Source

NOTES:

resource/aws_network_interface_permission: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#40797)

FEATURES:

New Resource: aws_network_interface_permission (#40797)
New Resource: aws_route53_records_exclusive (#41741)

ENHANCEMENTS:

resource/aws_codebuild_project: Add secondary_sources.auth configuration block (#40191)
resource/aws_kinesis_firehose_delivery_stream: Add msk_source_configuration.read_from_timestamp argument (#41794)
resource/aws_route53_hosted_zone_dnssec: Add configurable operation timeouts (#41741)
resource/aws_route53_key_signing_key: Add configurable operation timeouts (#41741)
resource/aws_route53_record: Add configurable operation timeouts (#41741)
resource/aws_route53_zone: Add configurable operation timeouts (#41741)
resource/aws_route53_zone_association: Add configurable operation timeouts (#41741)
resource/aws_timestreaminfluxdb_db_instance: Add network_type and port attributes. The following can now be updated in place: allocated_storage, db_instance_type, db_storage_type and deployment_type (#40661)
resource/aws_vpc_ipv4_cidr_block_association: Support optional import of the ipv4_ipam_pool_id and ipv4_netmask_length attributes (#41779)
resource/aws_vpc_ipv6_cidr_block_association: Support optional import of the ipv6_ipam_pool_id and ipv6_netmask_length attributes (#41779)
resource/aws_wafv2_ip_set: Add name_prefix argument and plan-time validation of name (#40889)
resource/aws_wafv2_regex_pattern_set: Add name_prefix argument and plan-time validation of name (#40889)
resource/aws_wafv2_web_acl: Add name_prefix argument (#40889)
resource/aws_wafv2_web_acl: Add rule.challenge_config argument (#40123)

BUG FIXES:

resource/aws_msk_cluster: Ensure that storage_mode updates are actually applied to the cluster (#41773)

`v5.90.1`

Compare Source

NOTES:

provider: Restore the godebug tlskyber=0 directive in go.mod. This disables the experimental the post-quantum key exchange mechanism X25519Kyber768Draft00, fixing failed or hanging network connections to various AWS services. This fixes a regression introduced in v5.90.0 (#41740)

FEATURES:

New Data Source: aws_datazone_domain (#41480)

ENHANCEMENTS:

resource/aws_codepipeline: Add stage.before_entry, stage.on_success and stage.on_failure configuration blocks (#41663)
resource/aws_mskconnect_connector: Allow connector_configuration to be updated in-place (#41685)
resource/aws_wafv2_rule_group: Add ja3_fingerprint and ja4_fingerprint to custom_key configuration blocks (#41719)
resource/aws_wafv2_rule_group: Add ja4_fingerprint to field_to_match configuration blocks (#41719)
resource/aws_wafv2_web_acl: Add ja3_fingerprint and ja4_fingerprint to custom_key configuration blocks (#41719)
resource/aws_wafv2_web_acl: Add ja4_fingerprint to field_to_match configuration blocks (#41719)

`v5.90.0`

Compare Source

BREAKING CHANGES:

resource/aws_s3_bucket_lifecycle_configuration: rule.noncurrent_version_expiration.noncurrent_days and rule.noncurrent_version_transition.noncurrent_days are Required (#40796)

NOTES:

data-source/aws_launch_template: elastic_gpu_specifications and elastic_inference_accelerator are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. (#41677)
provider: In preparation for Go 1.24, we are re-enabling the experimental post-quantum key exchange mechanism, X25519Kyber768Draft00. Previously, in environments using AWS Network Firewall, the Provider would hang due to a handshake issue between Go 1.23 and Network Firewall, which supported Suricata 6.0.9. We had disabled the post-quantum key exchange to resolve the issue. Since November 2024, AWS Network Firewall has upgraded to Suricata 7.0, which no longer has this issue. However, if you use AWS Network Firewall, we’d appreciate your help in identifying any remaining issues related to this change. (#41655)
provider: On December 3, 2024, Amazon SageMaker was renamed to Amazon SageMaker AI. While resource and data source names remain the same in the provider, documentation and error messages have been updated to reflect the name change. (#41673)
resource/aws_ecs_task_execution: overrides.inference_accelerator_overrides is deprecated. AWS no longer provides the Elastic Inference service. (#41676)
resource/aws_launch_template: elastic_gpu_specifications and elastic_inference_accelerator are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. (#41677)
resource/aws_opsworks_application: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_custom_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_ecs_cluster_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_ganglia_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_haproxy_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_java_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_memcached_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_mysql_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_nodejs_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_permission: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_php_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_rails_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_rds_db_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_stack: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_static_web_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_opsworks_user_profile: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#41674)
resource/aws_sagemaker_notebook_instance: accelerator_types is deprecated and will be removed in a future version. Use instance_type instead. (#41673)

FEATURES:

New Resource: aws_dataexchange_event_action (#40552)
New Resource: aws_lakeformation_opt_in (#41611)

ENHANCEMENTS:

data-source/aws_cloudfront_cache_policy: Add arn attribute (#41660)
data-source/aws_cloudfront_origin_access_control: Add arn attribute (#41660)
data-source/aws_cloudfront_origin_access_identity: Add arn attribute (#41660)
data-source/aws_cloudfront_origin_request_policy: Add arn attribute (#41660)
data-source/aws_cloudfront_response_headers_policy: Add arn attribute (#41660)
data-source/aws_dx_connection: Add state attribute (#41575)
data-source/aws_opensearch_domain: Add cluster_config.node_options attribute (#40181)
resource/aws_account_region: Allow adoption of regions in an ENABLED or DISABLED state without an explicit import operation (#41678)
resource/aws_account_region: Prevent errors when the region is an ENABLING or DISABLING state during creation (#41678)
resource/aws_cloudfront_cache_policy: Add arn attribute (#41660)
resource/aws_cloudfront_continuous_deployment_policy: Add arn attribute (#41660)
resource/aws_cloudfront_field_level_encryption_config: Add arn attribute (#41660)
resource/aws_cloudfront_field_level_encryption_profile: Add arn attribute (#41660)
resource/aws_cloudfront_origin_access_control: Add arn attribute (#41660)
resource/aws_cloudfront_origin_access_identity: Add arn attribute (#41660)
resource/aws_cloudfront_origin_request_policy: Add arn attribute (#41660)
resource/aws_cloudfront_response_headers_policy: Add arn attribute (#41660)
resource/aws_ec2_client_vpn_endpoint: Add disconnect_on_session_timeout attribute (#41621)
resource/aws_mwaa_environment: Lower the minimum value of the max_webservers and min_webservers arguments from 2 to 1 in support of Amazon MWAA micro environments (#40244)
resource/aws_opensearch_domain: Add cluster_config.node_options configuration block in support of dedicated coordinator nodes (#40181)
resource/aws_osis_pipeline: Add vpc_options.vpc_endpoint_management argument (#38001)
resource/aws_prometheus_rule_group_namespace: Add arn attribute (#41645)
resource/aws_prometheus_rule_group_namespace: Add tags argument and tags_all attribute (#41645)
resource/aws_route53_traffic_policy: Add arn attribute (#41660)
resource/aws_route53_traffic_policy_instance: Add arn attribute (#41660)
resource/aws_s3_bucket_lifecycle_configuration: Adds warning validation to require exactly one of the elements of rule.filter (#41662)
resource/aws_s3_bucket_lifecycle_configuration: rule.noncurrent_version_expiration.noncurrent_days and rule.noncurrent_version_transition.noncurrent_days are Required. Technically this is a breaking change, but failure to configure this attribute would have led to InvalidArgument or MalformedXML errors (#40796)
resource/aws_waf_byte_match_set: Add arn attribute (#41660)
resource/aws_waf_sql_injection_match_set: Add arn attribute (#41660)

BUG FIXES:

ephemeral/aws_secrets_manager_random_password: Change exclude_characters from Bool to String (#41546)
resource/aws_ecs_service: Fix removal of all vpc_lattice_configurations blocks (#41594)
resource/aws_s3_bucket_lifecycle_configuration: Fix error when converting rule configuration from filter.prefix to filter.and.prefix (#41662)
resource/aws_s3_bucket_lifecycle_configuration: Fix error when converting rule configuration from prefix to filter.prefix or filter.and.prefix (#41662)
resource/aws_sagemaker_mlflow_tracking_server: Increased the timeout from 30 to 45 minutes (#41463)
resource/aws_vpclattice_target_group: Retry ConflictException errors on delete (#41594)

`v5.89.0`

Compare Source

FEATURES:

New Resource: aws_macie2_organization_configuration (#41475)
New Resource: aws_neptunegraph_graph (#41216)
New Resource: aws_quicksight_role_membership (#41589)
New Resource: aws_rds_shard_group (#41254)
New Resource: aws_xray_resource_policy (#41517)

ENHANCEMENTS:

data-source/aws_cloudwatch_log_data_protection_policy_document: Add configuration argument (#41524)
data-source/aws_rds_cluster: Add cluster_scalability_type attribute (#41254)
data-source/aws_rds_cluster: Add database_insights_mode attribute (#41254)
data-source/aws_s3_bucket_object: Add application/yaml to the list of Content-Types that return a body (#41443)
data-source/aws_s3_object: Add application/yaml to the list of Content-Types that return a body (#41443)
data-source/aws_s3_object: Add checksum_crc64nvme attribute (#41015)
resource/aws_autoscaling_policy: Add target_tracking_configuration.customized_metric_specification.period argument to support high-resolution metrics (#41385)
resource/aws_db_instance: Add RequiredWith validation password_wo and password_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_docdb_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_dx_connection: Add 25Gbps and 400Gbps as supported bandwidth values (#41547)
resource/aws_dx_hosted_connection: Add 25Gbps as a supported bandwidth value (#41547)
resource/aws_dx_lag: Add 400Gbps as a supported connections_bandwidth value (#41547)
resource/aws_launch_template: Add network_interfaces.ena_srd_specification configuration block (#41367)
resource/aws_lb: Add enable_zonal_shift support for Application Load Balancers (#41335)
resource/aws_macie2_classification_job: Allow tags to be updated in-place (#41266)
resource/aws_macie2_custom_data_identifier: Allow tags to be updated in-place (#41266)
resource/aws_macie2_findings_filter: Allow tags to be updated in-place (#41266)
resource/aws_macie2_member: Allow tags to be updated in-place (#41266)
resource/aws_nat_gateway: Make it possible to move from secondary_private_ip_address_count to secondary_private_ip_addresses for private NAT Gateways (#41403)
resource/aws_rds_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_rds_cluster: Add cluster_scalability_type argument (#41254)
resource/aws_rds_cluster: Add database_insights_mode argument (#41254)
resource/aws_rds_cluster: Support "" as a valid value for engine_mode (#41254)
resource/aws_rds_instance: Support iam-db-auth-error as a valid value for enabled_cloudwatch_logs_exports (#41408)
resource/aws_redshift_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_redshiftseverless_namespace: Add RequiredWith validation admin_user_password_wo and admin_user_password_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_s3_directory_bucket: The default value for data_redundancy is SingleLocalZone if location.type is LocalZone (#40944)
resource/aws_s3_object: Add checksum_crc64nvme attribute (#41015)
resource/aws_s3_object_copy: Add checksum_crc64nvme attribute (#41015)
resource/aws_secretsmanager_secret_version: Add RequiredWith validation secret_string_wo and secret_string_wo_version. Remove PreferWriteOnlyAttribute validation (#41562)
resource/aws_ssm_parameter: Remove PreferWriteOnlyAttribute validation (#41562)

BUG FIXES:

resource/aws_cloudwatch_log_delivery: Fix Provider produced inconsistent result error on s3_delivery_configuration.suffix_path (#41497)
resource/aws_ec2_fleet: Add spot_options.max_total_price, spot_options.min_target_capacity, spot_options.single_instance_type, and spot_options.single_availability_zone arguments (#41272)
resource/aws_lb_listener: Ensure that routing_http_response_server_enabled, routing_http_response_strict_transport_security_header_value, routing_http_response_access_control_allow_origin_header_value, routing_http_response_access_control_allow_methods_header_value, routing_http_response_access_control_allow_headers_header_value, routing_http_response_access_control_allow_credentials_header_value, routing_http_response_access_control_expose_headers_header_value, routing_http_response_access_control_max_age_header_value, routing_http_response_content_security_policy_header_value, routing_http_response_x_content_type_options_header_value, routing_http_response_x_frame_options_header_value, routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name, routing_http_request_x_amzn_mtls_clientcert_issuer_header_name, routing_http_request_x_amzn_mtls_clientcert_subject_header_name, routing_http_request_x_amzn_mtls_clientcert_validity_header_name, routing_http_request_x_amzn_mtls_clientcert_leaf_header_name, routing_http_request_x_amzn_mtls_clientcert_header_name, routing_http_request_x_amzn_tls_version_header_name, and routing_http_request_x_amzn_tls_cipher_suite_header_name are updated if tcp_idle_timeout_seconds does not change (#41299)
resource/aws_macie2_classification_job: Ensure that only status and tags can be updated in-place (#41266)
resource/aws_nat_gateway: Allow secondary_allocation_ids to be updated in-place (#41403)
resource/aws_redshift_cluster: Fix master_username validation (#41556)
resource/aws_s3_bucket_lifecycle_configuration: Prevents InvalidRequest error when rule.and.object_size_less_than not set. (#41542)
resource/aws_servicequotas_service_quota: Does not leave stuck resource in state when service quota not supported in current region. (#41509)

`v5.88.0`

Compare Source

NOTES:

resource/aws_s3_bucket_lifecycle_configuration: A warning diagnostic has been added for configurations where rule.expiration.expired_object_delete_marker is set with either rule.expiration.date or rule.expiration.days. While historically the provider allowed this invalid configuration, the migration of this resource to the Terraform Plugin Framework in v5.86.0 resulted in this misconfiguration surfacing as a hard inconsistent result after apply error. This diagnostic aims to direct users how to resolve the issue at plan time. See this issue comment for additional context. (#41462)

FEATURES:

New Data Source: aws_cloudwatch_contributor_managed_insight_rules (#41472)
New Resource: aws_cloudwatch_contributor_managed_insight_rule (#41449)
New Resource: aws_qbusiness_application (#35249)

ENHANCEMENTS:

resource/aws_bedrock_model_invocation_logging_configuration: Add video_data_delivery_enabled argument (#41317)
resource/aws_db_instance: Add password_wo write-only attribute (#41366)
resource/aws_docdb_cluster: Add master_password_wo write-only attribute (#41413)
resource/aws_glue_partition: Add storage_descriptor.additional_locations argument (#41434)
resource/aws_redshift_cluster: Add master_password_wo write-only attribute (#41411)
resource/aws_redshiftserverless_namespace: Add admin_user_password_wo write-only attribute (#41412)
resource/aws_secretsmanager_secret_version: Add secret_string_wo write-only attribute (#41371)

BUG FIXES:

data-source/aws_codebuild_fleet: Prevents panic when scaling_configuration is not empty. (#41377)
resource/aws_amplify_domain_association: Prevents unexpected state error when creating with multiple sub_domain (#36961)
resource/aws_bedrock_model_invocation_logging_configuration: Set embedding_data_delivery_enabled, image_data_delivery_enabled, and text_data_delivery_enabled arguments as optional with default value of true (#41317)
resource/aws_cloudwatch_contributor_insight_rule: Fix enable/disable rule state (#41449)
resource/aws_dynamodb_table: Fixes long delay in creation of replicas (#41451)

`v5.87.0`

Compare Source

FEATURES:

New Resource: aws_cloudwatch_contributor_insight_rule (#41373)

ENHANCEMENTS:

resource/aws_dynamodb_table_export: Add export_type and incremental_export_specification arguments (#41303)
resource/aws_quicksight_data_source: Add parameters.s3.role_arn argument to allow override an account-wide role for a specific S3 data source (#41284)
resource/aws_rds_cluster: Add master_password_wo write-only attribute (#41314)
resource/aws_rekognition_stream_processor: Deprecates stream_processor_arn in favor of arn. (#41271)
resource/aws_ssm_parameter: Add value_wo write-only attribute (#40952)
resource/aws_vpclattice_access_log_subscription: Add service_network_log_type argument (#41304)

BUG FIXES:

data-source/aws_dynamodb_table: Add missing on_demand_throughput and global_secondary_index.*.on_demand_throughput attributes to resolve read error (#41350)
resource/aws_cloudformation_stack_set_instance: Prevents overly-long creation times and possible OperationInProgress errors (#41388)
resource/aws_detective_member: No longer fails with unexpected status when adding Organization member accounts. (#41344)
resource/aws_ec2_transit_gateway_route_table_association: Fix deleting and recreating resource when dependencies changes don't require the resource be recreated. (#41292)
resource/aws_internet_gateway: Fix to continue deletion when attachment is not found (#41346)

`v5.86.1`

Compare Source

BUG FIXES:

data-source/aws_vpclattice_service: Fix regression resulting in AccessDeniedError attempting to list tags (#41295)
data-source/aws_vpclattice_service_network: Fix regression resulting in AccessDeniedError attempting to list tags (#41295)
resource/aws_cloudtrail: Fix regression issue where sns_topic_name shows perpectual diff when an ARN of a SNS topic from a different region is specified (#41279)
resource/aws_s3_bucket_lifecycle_configuration: Fixes "inconsistent result" error when rule[*].prefix is an empty string. (#41296)

`v5.86.0`

Compare Source

NOTES:

resource/aws_s3_bucket_lifecycle_configuration: When upgrading existing resources with no defined prefix, the Terraform plan will show the removal of prefix from state. This is expected, and should not occur on subsequent plans. (#41159)

ENHANCEMENTS:

data-source/aws_rds_cluster: Add monitoring_interval and monitoring_role_arn attributes (#41002)
provider: Support us-isof-east-1 and us-isof-south-1 as valid AWS Regions (#41243)
resource/aws_fms_policy: Add security_service_policy_data.policy_option.network_acl_common_policy argument to allow creation of FMS-managed NACL rules (#41219)
resource/aws_rds_cluster: Add monitoring_interval and monitoring_role_arn arguments (#41002)
resource/aws_sqs_queue: Accommodate accounts that take longer to process with customizable timeouts. (#41232)

BUG FIXES:

resource/aws_gamelift_game_server_group: Correctly plan tags_all value (#41256)
resource/aws_instance: Properly cancel spot instance requests on destroy when instance_lifecycle is spot (#41206)
resource/aws_route53_zone: Fix panic: runtime error: invalid memory address or nil pointer dereference when deleting the resource would otherwise return an error (#41260)
resource/aws_s3_bucket_lifecycle_configuration: Properly handle default value of transition_default_minimum_object_size (#41159)
resource/aws_wafv2_web_acl: Properly set rule during import (#41205)

`v5.85.0`

Compare Source

NOTES:

resource/aws_macie2_invitation_accepter: Maintainers are unable to acceptance test the regression fix included in this release. This patch is best effort, and we ask for community help in assessing the change. (#41163)

FEATURES:

New Data Source: aws_vpc_ipam (#40459)
New Data Source: aws_vpc_ipams (#40459)
New Ephemeral Resource: aws_secretsmanager_random_password (#41106)
New Resource: aws_guardduty_member_detector_feature (#35625)
New Resource: aws_route53domains_domain (#37885)
New Resource: aws_timestreamquery_scheduled_query (#41145)
New Resource: aws_vpclattice_resource_configuration (#41019)
New Resource: aws_vpclattice_service_network_resource_association (#41057)

ENHANCEMENTS:

data-source/aws_ec2_transit_gateway_dx_gateway_attachment: Add arn attribute (#41086)
data-source/aws_ec2_transit_gateway_peering_attachment: Add arn attribute (#41087)
data-source/aws_ec2_transit_gateway_vpc_attachment: Add arn attribute (#41084)
data-source/aws_ecs_task_definition: Add missing attributes (#41081)
data-source/aws_launch_template: Add network_interfaces.connection_tracking_specification attribute (#41184)
resource/aws_appflow_connector_profile: Add connector_profile_config.connector_profile_properties.salesforce.use_privatelink_for_metadata_and_authorization argument (#41175)
resource/aws_autoscaling_policy: Add target_tracking_configuration.customized_metric_specification.metrics.metric_stat.period argument to support high-resolution metrics (#41066)
resource/aws_bedrockagent_data_source: Add data_source_configuration.confluence_configuration, data_source_configuration.salesforce_configuration, data_source_configuration.share_point_configuration, and data_source_configuration.web_configuration arguments (#40711)
resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration and knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration arguments (#40737)
resource/aws_bedrockagent_knowledge_base: Improve retry handling for IAM propagation and OpenSearch data access propagation errors (#40737)
resource/aws_cloudtrail : Add sns_topic_arn attribute (#41168)
resource/aws_cloudtrail_event_data_store: Add suspend argument (#40607)
resource/aws_cloudwatch_event_connection: Add invocation_connectivity_parameters argument (#41144)
resource/aws_ec2_transit_gateway_peering_attachment: Add arn attribute (#41087)
resource/aws_ec2_transit_gateway_vpc_attachment: Add arn attribute (#41084)
resource/aws_ecs_task_definition: Add enable_fault_injection argument (#41078)
resource/aws_launch_template: Add network_interfaces.connection_tracking_specification argument (#41184)
resource/aws_media_convert_queue: Add concurrent_jobs argument (#41012)
resource/aws_medialive_multiplex_program: Add configurable create timeout (#40972)
resource/aws_organizations_account: Add configurable timeouts for Create and Delete (#41059)
resource/aws_pinpoint_email_channel: Add orchestration_sending_role_arn argument (#41043)
resource/aws_pipes_pipe: Add kms_key_identifier argument (#41082)
resource/aws_rds_cluster: Support instance as a valid value for enabled_cloudwatch_logs_exports (#41111)
resource/aws_rekognition_project: Add tags argument and tags_all attribute (#41192)
resource/aws_vpc_endpoint: Add resource_configuration_arn and service_network_arn arguments to support creating VPC Endpoints of type Resource and ServiceNetwork (#41116)
resource/aws_vpc_endpoint_security_group_association: Add import support (#41042)

BUG FIXES:

data-source/aws_opensearchserverless_collection: Prevent errant AutoFlex errors when setting created_date and last_modified_date attributes (#41105)
resource/aws_ami_ids: Fix sort_ascending to sort in ascending order (#40529)
resource/aws_bedrockagent_knowledge_base: Remove ForceNew behavior from role_arn argument (#41072)
resource/aws_cloudwatch_log_delivery: Fix Provider produced inconsistent result after apply errors for s3_delivery_configuration.enable_hive_compatible_path (#41122)
resource/aws_cloudwatch_log_delivery: Mark field_delimiter as Computed (#41122)
resource/aws_cognito_identity_provider: Correct plan-time validation of provider_name to count UTF-8 characters properly (#41187)
resource/aws_cognito_user_group: Correct plan-time validation of name to count UTF-8 characters properly (#41187)
resource/aws_cognito_user_pool_client: Correct plan-time validation of callback_urls, default_redirect_uri, logout_urls, and supported_identity_providers` to count UTF-8 characters properly (#41187)
resource/aws_dms_replication_task: Fix panic: interface conversion: interface {} is float64, not string (#41096)
resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error during update (#40969)
resource/aws_iam_server_certificate: Allow update of name, name_prefix, and path without forcing new resource (#41186)
resource/aws_macie2_invitation_accepter: Properly set invitation_id when calling the AcceptInvitation API (#41163)

`v5.84.0`

Compare Source

NOTES:

resource/aws_kms_custom_key_store: We cannot acceptance test the support for external key stores added in this release. The impementation is best effort and we ask for community help in testing. (#40557)

FEATURES:

New Ephemeral Resource: aws_eks_cluster_auth (#40660)
New Resource: aws_media_packagev2_channel_group (#38406)

ENHANCEMENTS:

data-source/aws_ami: Add uefi_data attribute (#40210)
data-source/aws_ec2_instance_type: Add bandwidth_weightings, boot_modes, default_network_card_index, efa_maximum_interfaces, ena_srd_supported, inference_accelerators.memory_size, media_accelerators, network_cards, neuron_devices, nitro_enclaves_support, nitro_tpm_support, nitro_tpm_supported_versions, phc_support, supported_cpu_features, total_inference_memory, total_media_memory, and total_neuron_device_memory attributes (#40717)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for mx-central-1 AWS Region (#40940)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for mx-central-1 AWS Region (#40940)
data-source/aws_s3_bucket: Add hosted zone ID for mx-central-1 AWS Region (#40940)
provider: Support mx-central-1 as a valid AWS Region (#40940)
resource/aws_ami: Add uefi_data argument (#40210)
resource/aws_ami_copy: Add uefi_data attribute (#40210)
resource/aws_ami_from_instance: Add uefi_data attribute (#40210)
resource/aws_cloudtrail: Add userIdentity.arn to advanced_event_selector.field_selector (#40629)
resource/aws_elasticache_user: engine is now case insensitive (#40794)
resource/aws_elasticache_user_group: engine is now case insensitive (#40794)
resource/aws_globalaccelerator_accelerator: Add arn attribute (#40930)
resource/aws_globalaccelerator_custom_routing_accelerator: Add arn attribute (#40930)
resource/aws_globalaccelerator_custom_routing_listener: Add arn attribute (#40930)
resource/aws_globalaccelerator_listener: Add arn attribute (#40930)
resource/aws_kms_custom_key_store: Add support for external key stores (#40557)
resource/aws_lb_listener: Add routing_http_response_server_enabled, routing_http_response_strict_transport_security_header_value, routing_http_response_access_control_allow_origin_header_value, routing_http_response_access_control_allow_methods_header_value, routing_http_response_access_control_allow_headers_header_value, routing_http_response_access_control_allow_credentials_header_value, routing_http_response_access_control_expose_headers_header_value, routing_http_response_access_control_max_age_header_value, routing_http_response_content_security_policy_header_value, routing_http_response_x_content_type_options_header_value, routing_http_response_x_frame_options_header_value, routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name, routing_http_request_x_amzn_mtls_clientcert_issuer_header_name, routing_http_request_x_amzn_mtls_clientcert_subject_header_name, routing_http_request_x_amzn_mtls_clientcert_validity_header_name, routing_http_request_x_amzn_mtls_clientcert_leaf_header_name, routing_http_request_x_amzn_mtls_clientcert_header_name, routing_http_request_x_amzn_tls_version_header_name, and routing_http_request_x_amzn_tls_cipher_suite_header_name arguments in support of HTTP header modification (#40736)
resource/aws_route53_health_check: Add triggers argument to support synchronization with upstream CloudWatch alarm changes (#40918)
resource/aws_sagemaker_endpoint_configuration: Support setting production_variants.managed_instance_scaling and shadow_production_variants.managed_instance_scaling to 0 (#40882)

BUG FIXES:

resource/aws_apprunner_vpc_ingress_connection: Change ingress_vpc_configuration, name, and service_arn to ForceNew (#40927)
resource/aws_datasync_location_s3: Fix location URI global ID and subdirectory (...) does not match pattern "..." errors on Read when s3_bucket_arn is an S3 on Outposts access point (#40929)
resource/aws_ecs_task_definition: Correctly detect differences in volume.configure_at_launch and volume.docker_volume_configuration (#40853)
resource/aws_lambda_invocation: Fix failed input transformations when upgrading from a version less than v5.1.0 with an input that cannot be marshaled into a map[string]interface{} (#40958)
resource/aws_lambda_invocation: Prevent a new invocation when upgrading from a version less than v5.1.0 with no configuration changes (#40958)
resource/aws_msk_cluster: Prevent persistent differences when broker_node_group_info.0.storage_info.0.ebs_storage_info.0.provisioned_throughput is unset (#40910)
resource/aws_msk_cluster: Properly disable provisioned throughput when a previously configured broker_node_group_info.0.storage_info.0.ebs_storage_info.0.provisioned_throughput block is removed (#40910)
resource/aws_ses_receipt_rule: Retry errors caused by IAM eventual consistency (#40873)

`v5.83.1`

Compare Source

BUG FIXES:

resource/aws_route53_record: Correct fdqn value if name is a wildcard domain name (the leftmost label is *). This fixes a regression introduced in v5.83.0 (#40868)

`v5.83.0`

Compare Source

NOTES:

provider: The retry handling in the apigatewayv2 client has been updated to more extensively match ConflictException error responses. This change should be transparent to users, but if any unexpected changes in behavior with apigatewayv2 resources occur following an upgrade to this release, please open a bug report. (#40840)
resource/aws_api_gateway_domain_name_access_association: Deprecates id in favor of arn. (#40626)
resource/aws_route53_cidr_location: Deprecates id. (#40626)
resource/aws_s3_directory_bucket: Deprecates id in favor of bucket. (#40626)

FEATURES:

New Data Source: aws_cloudwatch_event_buses (#40662)
New Data Source: aws_ecs_clusters (#40638)
New Data Source: aws_route53_records (#38186)
New Ephemeral Resource: aws_cognito_identity_openid_token_for_developer_identity (#40763)
New Resource: aws_bedrockagent_agent_collaborator (#40559)
New Resource: aws_cleanrooms_membership (#35165)
New Resource: aws_cloudwatch_log_delivery (#40731)
New Resource: aws_cloudwatch_log_delivery_destination (#40731)
New Resource: aws_cloudwatch_log_delivery_destination_policy (#40731)
New Resource: aws_cloudwatch_log_delivery_source (#40731)
New Resource: aws_cloudwatch_log_index_policy (#40594)
New Resource: aws_vpclattice_resource_gateway (#40821)

ENHANCEMENTS:

data-source/aws_codebuild_fleet: Add compute_configuration attribute (#40752)
data-source/aws_dms_endpoint: Add kafka_settings.sasl_mechanism attribute (#36918)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-southeast-7 AWS Region (#40850)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-southeast-7 AWS Region (#40850)
data-source/aws_rds_certificate: Add default_for_new_launches attribute (#40536)
data-source/aws_rds_engine_version: Add supports_certificate_rotation_without_restart, supports_integrations, and supports_local_write_forwarding attributes (#40700)
data-source/aws_s3_bucket: Add hosted zone ID for ap-southeast-7 AWS Region (#40850)
data-source/aws_vpc_endpoint_service: Add region attribute (#40795)
data-source/aws_vpc_endpoint_service: Add service_regions argument (#40795)
provider: Support ap-southeast-7 as a valid AWS Region (#40849)
resource/aws_appflow_flow: Add data_transfer_api attribute to destination_flow_config_list.destination_connector_properties.salesforce (#34937)
resource/aws_cloudfront_distribution: Add grpc_config argument to default_cache_behavior and ordered_cache_behavior configuration blocks (#40762)
resource/aws_codebuild_fleet: Add compute_configuration argument (#40752)
resource/aws_cognito_user_pool: Add email_mfa_configuration argument (#40734)
resource/aws_cognito_user_pool: Add sign_in_policy and web_authn_configuration arguments (#40765)
resource/aws_cognito_user_pool: Add user_pool_tier argument (#40633)
resource/aws_dms_endpoint: Add kafka_settings.sasl_mechanism argument (#36918)
resource/aws_ecr_account_setting: Add valid values for registry policy scope to name and value arguments (#40772)
resource/aws_eip_association: Adds validation to only allow one of instance_id or network_interface_id (#40769)
resource/aws_eks_node_group: Add node_repair_config configuration block (#40698)
resource/aws_elasticache_user: Add VALKEY as supported value for 'engine' argument (#40764)
resource/aws_elasticache_user_group: Add VALKEY as supported value for 'engine' argument (#40764)
resource/aws_emr_studio: Add encryption_key_arn argument (#40771)
resource/aws_quicksight_user: Add user_invitation_url attribute (#40775)
resource/aws_rds_cluster: Support iam-db-auth-error as a valid value for enabled_cloudwatch_logs_exports (#40789)
resource/aws_rds_integration: Add data_filter argument (#40816)
resource/aws_s3_object_copy: Add override_provider configuration block, allowing tags inherited from the provider default_tags configuration block to be ignored (#40689)

BUG FIXES:

resource/aws_api_gateway_domain_name: Fixed error when adding policy to existing private domain name (#40708)
resource/aws_apigatewayv2_api: Don't overwrite the configured values of description, name or version if they are not present in the OpenAPI definition body (#40707)
resource/aws_apigatewayv2_route: Fix retry handling of ConflictException error responses (#40840)
resource/aws_cloudfront_cache_policy: Fix panic: interface conversion: interface {} is nil, not map[string]interface {} when parameters_in_cache_key_and_forwarded_to_origin.cookies_config, parameters_in_cache_key_and_forwarded_to_origin.headers_config, or parameters_in_cache_key_and_forwarded_to_origin.query_strings_config are empty (#40815)
resource/aws_codebuild_fleet: Allow scaling_configuration to be removed on Update (#40773)
resource/aws_codebuild_project: Allow file_system_locations to be removed on Update (#40842)
resource/aws_ec2_instance_connect_endpoint: Set fips_dns_name to an empty value ("") when no value is returned from the EC2 API. This fixes known-after-apply loops in Regions that don't support FIPS endpoints (#37939)
resource/aws_emr_studio: Fix issue with IAM/KMS policy eventual consistency handling not working (#40771)
resource/aws_glue_catalog_database: Fix crash when expanding create_table_default_permission with a nil principal block (#40761)
resource/aws_instance: Always set http_tokens when metadata_options is updated (#40727)
resource/aws_instance: Set new computed value for public_dns and public_ip attributes when changing instance_type, user_data, or user_data_base64 (#40710)
resource/aws_internet_gateway: Handle operation error EC2: DetachInternetGateway, ..., api error InvalidInternetGatewayID.NotFound: ... errors on delete for resources deleted out-of-band (#40790)
resource/aws_internet_gateway_attachment: Handle operation error EC2: DetachInternetGateway, ..., api error InvalidInternetGatewayID.NotFound: ... errors on delete for resources deleted out-of-band (#40790)
resource/aws_quicksight_data_set: Correctly expand logical_table_map.tag_column_operation.tags.column_description (#40713)
resource/aws_rds_instance Fix manage_master_user_password being updated in state when update errors (#40538)
resource/aws_route53_record: Fix perpetual diff if alias.name contains characters that the Route 53 API escapes (#40154)
resource/aws_route53_zone: Fix perpetual diff if name contains characters that the Route 53 API escapes (#40154)
resource/aws_ses_identity_notification_topic: Prevent destroy failure when resource is already deleted outside of Terraform (#40684)
resource/aws_sesv2_configuration_set: Fix handling of delivery_options.max_delivery_seconds when not configured (#40670)
resource/aws_sesv2_configuration_set_event_destination: Retry IAM eventual consistency errors (#40843)
resource/aws_sqs_queue: Fix timeout error on creation if sqs_managed_sse_enabled=true and kms_data_key_reuse_period_seconds is configured (#40729)

`v5.82.2`

Compare Source

BUG FIXES:

data-source/aws_lb_listener: Add mutual_authentication.advertise_trust_store_ca_names attribute. This fixes a regression introduced in v5.82.0 causing setting mutual_authentication: Invalid address to set: []string{"mutual_authentication", "0", "advertise_trust_store_ca_names"} errors (#40658)

`v5.82.1`

Compare Source

ENHANCEMENTS:

resource/aws_autoscaling_group: Add availability_zone_distribution argument (#40634)

BUG FIXES:

data-source/aws_iam_policy_document: Reverts plan-time validation for statement sid (#40639)

`v5.82.0`

Compare Source

NOTES:

resource/aws_resourcegroups_resource: The format of the read-only id attribute has changed to prevent inconsistent parsing which resulted in provider crashes under certain conditions. The new format is a comma-delimited string combining group_arn and resource_arn in their entirety. Configuarations relying on the previous format may need to be updated to continue functioning correctly. (#40579)

FEATURES:

New Data Source: aws_servicecatalogappregistry_attribute_group_associations (#38306)
New Resource: aws_api_gateway_domain_name_access_association (#40566)
New Resource: aws_cloudfront_vpc_origin (#40239)
New Resource: aws_memorydb_multi_region_cluster (#40376)
New Resource: aws_networkmanager_dx_gateway_attachment (#40546)
New Resource: aws_rds_cluster_snapshot_copy (#40398)

ENHANCEMENTS:

data-source/aws_dx_gateway: Add arn attribute (#40546)
data-source/aws_iam_policy_document: Add plan-time validation that the statement sid is valid, including on alphanumeric characters (#40562)
data-source/aws_vpc_endpoint: Add service_region attribute (#40583)
resource/aws_bedrockagent_agent: Add agent_collaboration attribute to configure agent collaboration role (#40543)
resource/aws_cloudfront_distribution: Add origin.vpc_origin_config argument (#40239)
resource/aws_db_parameter_group: Support import of name_prefix argument (#40622)
resource/aws_dx_gateway: Add arn attribute (#40546)
resource/aws_fsx_lustre_file_system: Add efa_enabled argument (#40381)
resource/aws_lb_listener: Add advertise_trust_store_ca_names attribute to the mutual_authentication configuration block (#40550)
resource/aws_memorydb_cluster: Add multi_region_cluster_name argument (#40376)
resource/aws_networkmanager_attachment_accepter: Add edge_locations attribute (#40546)
resource/aws_resourcegroups_resource: Add import support (#40579)
resource/aws_vpc_endpoint: Add service_region argument (#40583)

BUG FIXES:

data-source/aws_acmpca_certificate_authority: Ignore AccessDeniedException: ... is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: ... errors for RAM-shared CAs (#39952)
data-source/aws_licensemanager_received_license: Fix setting entitlements: Invalid address to set: []string{"entitlements", "0", "overage"} errors (#40621)
resource/aws_amplify_domain_association: No longer ignores changes to certificate_settings when updating. (#40589)
resource/aws_amplify_domain_association: Prevent "unexpected state" error when setting certificate_settings.type to CUSTOM. (#40589)
resource/aws_amplify_domain_association: Prevent ValidationException when setting certificate_settings.type to AMPLIFY_MANAGED. (#40589)
resource/aws_amplify_domain_association: Prevent permanent diff when certificate_settings not set. (#40589)
resource/aws_amplify_domain_association: Prevents panic in some circumstances when certificate_settings is not set during update. (#40589)
resource/aws_api_gateway_domain_name: Correct arn for private custom domain names (#40566)
resource/aws_codeconnections_host: Mark vpc_configuration.tls_certificate as Optional (#40574)
resource/aws_elasticache_replication_group: Prevent perpetual diff which triggers resource replacement on at_rest_encryption_enabled when engine is valkey. (#40514)
resource/aws_lakeformation_permissions: Add support for IAMPrincipals principal group (#38600)
resource/aws_lakeformation_permissions: Fix refreshing state so order is not considered in permissions and permissions_with_grant_option attributes (#38047)
resource/aws_lakeformation_resource_lf_tag: Fix panic when resource tries to destroy a LFTag reference that does not exist (#40584)
resource/aws_lambda_invocation: Set new computed value for result attribute when changing input attribute, for lifecycle scope "CRUD" (#34263)
resource/aws_medialive_channel: Added missing teletext_destination_settings. (#33797)
resource/aws_rds_cluster: Fix issue with waiter when modifying allocated_storage (#40601)
resource/aws_resourcegroups_resource: Fix crash when parsing certain ARN formats (#40579)
resource/aws_s3_bucket: Destroying a bucket with force_destroy = true can now delete objects with non-XML-safe keys (#40537)
resource/aws_s3_directory_bucket: Destroying a directory bucket with force_destroy = true can now delete objects with non-XML-safe keys (#40537)
resource/aws_secretsmanager_secret_rotation: Fix bug where automatically_after_days was not being set properly when schedule_expression had been set previously (#34295)
resource/aws_secretsmanager_secret_rotation: Retry rotation in case it has not yet propagated when previously an error would occur: InvalidRequestException: A previous rotation isn't complete. That rotation will be reattempted. (#34295)
resource/aws_sqs_queue_redrive_allow_policy: Fix perpetual redrive_allow_policy diffs (#40604)

`v5.81.0`

Compare Source

FEATURES:

New Data Source: aws_servicecatalogappregistry_attribute_group (#38188)
New Ephemeral Resource: aws_ssm_parameter (#40313)
New Resource: aws_bedrock_inference_profile (#40294)
New Resource: aws_cloudwatch_log_anomaly_detector (#40437)
New Resource: aws_ecr_account_setting (#40219)
New Resource: aws_msk_single_scram_secret_association (#37056)
New Resource: aws_servicecatalogappregistry_attribute_group (#38183)
New Resource: aws_servicecatalogappregistry_attribute_group_association (#38290)

ENHANCEMENTS:

data-source/aws_api_gateway_domain_name: Add policy and domain_name_id attributes (#40364)
data-source/aws_servicecatalogappregistry_application: Add tags attribute (#38243)
data-source/aws_sesv2_configuration_set: Add delivery_options.max_delivery_seconds and tracking_options.https_policy attributes (#40194)
resource/aws_api_gateway_base_path_mapping: Add domain_name_id argument (#40447)
resource/aws_api_gateway_domain_name: Add policy argument and domain_name_id attribute (#40364)
resource/aws_api_gateway_domain_name: Support PRIVATE as a valid value for endpoint_configuration.types argument, enabling custom domain name support for private REST API endpoints (#40364)
resource/aws_ebs_snapshot_copy: Add completion_duration_minutes argument (#40336)
resource/aws_glue_catalog_table_optimizer: Add configuration.retention_configuration and configuration.orphan_file_deletion_configuration attributes. (#40199)
resource/aws_instance: Add enable_primary_ipv6 argument to add support for enabling primary IPv6 addresses on EC2 instances (#36425)
resource/aws_kinesis_stream: Add plan-time validation that shard_count would not exceed the AWS account's shard quota when the data stream capacity mode is PROVISIONED, preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the kinesis:DescribeLimits IAM permission (#40499)
resource/aws_kinesis_stream: Add plan-time validation that creation of an on-demand stream would not exceed the AWS account's data stream quota, preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the kinesis:DescribeLimits IAM permission (#40499)
resource/aws_msk_replicator: Add topic_replication.topic_name_configuration argument (#40101)
resource/aws_network_interface: Add enable_primary_ipv6 argument to add support for enabling primary IPv6 addresses for network interfaces (#36425)
resource/aws_networkfirewall_firewall_policy: Add stateful_engine_options.flow_timeouts argument (#39996)
resource/aws_rds_cluster: Add serverlessv2_scaling_configuration.seconds_until_auto_pause argument (#40441)
resource/aws_rds_global_cluster: Add tags argument and tags_all attribute (#40470)
resource/aws_sagemaker_notebook_instance: Support notebook-al2-v3 value for platform_identifier (#40484)
resource/aws_servicecatalogappregistry_application: Add tags argument and tags_all attribute (#38243)
resource/aws_sesv2_configuration_set: Add delivery_options.max_delivery_seconds and tracking_options.https_policy arguments (#40194)

BUG FIXES:

data-source/aws_kinesis_stream: Fix InvalidArgumentException: NextToken and StreamName cannot be provided together errors when the data stream has more than 1000 shards (#40499)
resource/aws_ce_cost_category: Change rule from TypeSet to TypeList as order is significant (#40521)
resource/aws_fsx_windows_file_system: Fix plan-time validation of throughput_capacity validation to allow values up to 12228 (#40468)
resource/aws_networkfirewall_logging_configuration: Correctly manage all configured logging_configuration.log_destination_configs (#40092)
resource/aws_rds_cluster: Fix InvalidDBClusterStateFault errors when deleting clusters that are members of a global cluster (#40333)
resource/aws_rds_cluster: Fix InvalidParameterValue: Serverless v2 maximum capacity 0.0 isn't valid. The maximum capacity must be at least 1.0. errors when removing serverlessv2_scaling_configuration in an update (#40511)
resource/aws_rds_cluster: Respect storage_type when restoring from S3 (#40471)
resource/aws_rds_cluster: Respect storage_type when restoring from snapshot (#40471)
resource/aws_rds_cluster: Respect storage_type when restoring to a point in time (#40471)
resource/aws_rds_global_cluster: Mark database_name as Computed. This prevents resource recreation when the source cluster specifies a database_name (#40469)

`v5.80.0`

Compare Source

FEATURES:

New Resource: aws_codeconnections_connection (#40300)
New Resource: aws_codeconnections_host (#40300)
New Resource: aws_s3tables_namespace (#40420)
New Resource: aws_s3tables_table (#40420)
New Resource: aws_s3tables_table_bucket (#40420)
New Resource: aws_s3tables_table_bucket_policy (#40420)
New Resource: aws_s3tables_table_policy (#40420)

ENHANCEMENTS:

resource/aws_bedrockagent_agent: Increase instruction max length for validation to 8000 (#40279)
resource/aws_dynamodb_table_replica: Add deletion_protection_enabled argument (#35359)
resource/aws_rds_cluster: Adjust serverlessv2_scaling_configuration.max_capacity and serverlessv2_scaling_configuration.min_capacity minimum values to 0 to support Amazon Aurora Serverless v2 scaling to 0 ACUs (#40230)
resource/aws_s3_directory_bucket: Support LocalZone as a valid value for location.type, enabling support for Amazon S3 Express One Zone in AWS Dedicated Local Zones (#40339)

BUG FIXES:

resource/aws_bedrock_provisioned_model_throughput: Properly manages tags_all when planning. (#40305)
resource/aws_connect_contact_flow: Fix deserialization failed, failed to decode response body with invalid JSON errors on Read (#40419)
resource/aws_rds_cluster_instance: Fix error when destroying from a read replica cluster (#40409)

`v5.79.0`

Compare Source

FEATURES:

New Resource: aws_vpc_block_public_access_exclusion (#40235)
New Resource: aws_vpc_block_public_access_options (#40233)

ENHANCEMENTS:

resource/aws_eks_cluster: Add compute_config, storage_config, and kubernetes_network_config.elastic_load_balancing arguments for EKS Auto Mode (#40370)
resource/aws_eks_cluster: Add remote_network_config argument for EKS Auto Mode (#40371)
resource/aws_lambda_event_source_mapping: Add metrics_config argument (#40322)
resource/aws_lambda_event_source_mapping: Add provisioned_poller_config argument (#40303)
resource/aws_rds_cluster: Add ability to promote read replica cluster to standalone (#40337)
resource/aws_vpc_endpoint_service: Add supported_regions argument (#40346)

BUG FIXES:

resource/aws_fsx_openzfs_file_system: Increase maximum value of disk_iops_configuration.iops from 350000 to 400000 for deployment_type = "SINGLE_AZ_2" (#40359)

`v5.78.0`

Compare Source

NOTES:

resource/aws_s3_bucket_lifecycle_configuration: Lifecycle configurations can now be applied to directory buckets (#40268)

FEATURES:

New Resource: aws_iam_organizations_features (#40164)

ENHANCEMENTS:

data-source/aws_memorydb_cluster: Add engine attribute (#40224)
data-source/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#40224)
resource/aws_memorydb_cluster: Add engine argument (#40224)
resource/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#40224)

BUG FIXES:

data-source/aws_rds_reserved_instance_offering: When product_description (e.g., "postgresql") is a substring of multiple products, fix Error: multiple RDS Reserved Instance Offerings matched; use additional constraints to reduce matches to a single RDS Reserved Instance Offering (#40281)
provider: Suppress Warning: AWS account ID not found for provider when skip_requesting_account_id is true (#40264)
resource/aws_batch_job_definition: Fix crash when specifying eksProperties or ecsProperties block (#40172)
resource/aws_bedrock_guardrail: Fix perpetual diff if multiple content_policy_config.filters_configs are specified. (#40304)
resource/aws_chatbot_slack_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#40253)
resource/aws_chatbot_teams_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#40291)
resource/aws_db_instance: When changing storage_type from io1 or io2 to gp3, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#37257)
resource/aws_db_instance: When changing a gp3 volume's allocated_storage to a value larger than the threshold value for engine, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#28847)

`v5.77.0`

Compare Source

NOTES:

New ephemeral resources aws_kms_secrets, aws_lambda_invocation, and aws_secretsmanager_secret_version now support ephemeral values. (#40009)

FEATURES:

New Ephemeral Resource: aws_kms_secrets (#40009)
New Ephemeral Resource: aws_lambda_invocation (#39988)
New Ephemeral Resource: aws_secretsmanager_secret_version (#40009)
New Resource: aws_rds_instance_state (#40180)

ENHANCEMENTS:

data-source/aws_ami: Add warning diagnostic when most_recent is true and certain filter criteria are missing (#40211)
data-source/aws_ecs_service: Add availability_zone_rebalancing attribute (#40225)
resource/aws_ecs_service: Add availability_zone_rebalancing attribute (#40225)
resource/aws_ecs_service: Add vpc_lattice_configurations argument (#40177)
resource/aws_ecs_task_definition: Add versionConsistency argument to container_definitions (#40216)
resource/aws_rds_global_cluster: Add endpoint argument to point to the writer DB instance in the current primary cluster (#39960)

BUG FIXES:

data-source/aws_subnet: Set tags from the DescribeSubnets response, removing the need for the ec2:DescribeTags IAM permission (#40144)
resource/aws_cognito_user_pool: Fix crash when hashing nil schema element (#40195)
resource/aws_eks_addon: Fix crash when pod_identity_association is modified (#40168)
resource/aws_eks_addon: Fix to prevent persistent differences when pod_identity_association is changed (#40168)

`v5.76.0`

Compare Source

FEATURES:

New Resource: aws_vpc_security_group_vpc_association (#40069)

ENHANCEMENTS:

resource/aws_medialive_channel: Add missing h265 codec settings (#40071)

BUG FIXES:

resource/aws_api_gateway_integration: Fix BadRequestException: Invalid mapping expression specified and NotFoundException: Invalid parameter name specified errors when making updates to request_parameters and/or cache_key_parameters (#40124)
resource/aws_api_gateway_method: Fix BadRequestException: Invalid mapping expression specified and NotFoundException: Invalid parameter name specified errors when making updates to request_parameters (#40124)
resource/aws_autoscaling_group: Handle eventual consistency issues that occur when using a launch_template that is updated causing ValidationError: You must use a valid fully-formed launch template. (#40088)
resource/aws_eip: Properly surface errors during deletion when ipam_pool_id is set (#40082)
resource/aws_elasticache_reserved_cache_node: Fix Provider returned invalid result object after apply errors (#40090)
resource/aws_iam_group_policies_exclusive: Add validation to prevent null values in policy_names (#40076)
resource/aws_iam_group_policy_attachments_exclusive: Add validation to prevent null values in policy_arns (#40076)
resource/aws_iam_instance_profile: Handle eventual consistency issues that occur when this resource is updated and has dependents (#40088)
resource/aws_iam_role_policies_exclusive: Add validation to prevent null values in policy_names (#40076)
resource/aws_iam_role_policy_attachments_exclusive: Add validation to prevent null values in policy_arns (#40076)
resource/aws_iam_user_policies_exclusive: Add validation to prevent null values in policy_names (#40076)
resource/aws_iam_user_policy_attachments_exclusive: Add validation to prevent null values in policy_arns (#40076)
resource/aws_launch_template: Handle eventual consistency issues that occur when this resource is updated and has dependents (#40088)

`v5.75.1`

Compare Source

ENHANCEMENTS:

data-source/aws_cloudwatch_event_bus: Add description attribute (#39980)
resource/aws_api_gateway_account: Add attribute reset_on_delete to properly reset CloudWatch Role ARN on deletion. (#40004)
resource/aws_cloudwatch_event_bus: Add description argument (#39980)

BUG FIXES:

resource/aws_api_gateway_deployment: Rolls back validation of canary_settings and stage_description when stage_name not set. (#40067)
resource/aws_dynamodb_table: Allow table TTL to be disabled by allowing ttl[0].attribute_name to be set when ttl[0].enabled is false (#40046)
resource/aws_sagemaker_domain: Fix issue causing a ValidationException on updates when RStudio is disabled on the domain (#40049)

`v5.75.0`

Compare Source

BREAKING CHANGES:

resource/aws_api_gateway_stage: Add canary_settings.deployment_id attribute as required (#39929)

NOTES:

provider: validation of arguments implementing the custom ARNType will properly surface validation errors (#40008)
resource/aws_api_gateway_stage: deployment_id was added to canary_settings as a required attribute. This breaking change was necessary to make canary_settings functional. Without this change all canary traffic was routed to the main deployment (#39929)

FEATURES:

New Data Source: aws_spot_datafeed_subscription (#39647)

ENHANCEMENTS:

data-source/aws_batch_job_definition: Add init_containers, share_process_namespace, and image_pull_secrets attributes (#40019)
resource/aws_batch_job_definition: Add init_containers and share_process_namespace arguments (#40019)
resource/aws_batch_job_definition: Increase maximum number of containers arguments to 10 (#40019)
resource/aws_eks_addon: Add pod_identity_association argument (#38357)
resource/aws_iam_user_login_profile: Mark the password argument as sensitive (#39991)

BUG FIXES:

resource/aws_api_gateway_deployment: Fix destroy error when canary stage still exists on resource (#39929)
resource/aws_codedeploy_deployment_group: Remove maximum items limit on the alarm_configuration.alarms argument (#39971)
resource/aws_eks_addon: Handle ResourceNotFound exceptions during resource destruction (#38357)
resource/aws_elasticache_reserved_cache_node: Fix Value Conversion Error during resource creation (#39945)
resource/aws_lb_listener: Fix errors when updating the tcp_idle_timeout_seconds argument for gateway load balancers (#40039)
resource/aws_lb_listener: Remove the default tcp_idle_timeout_seconds value, preventing ModifyListenerAttributes API calls when a value is not explicitly configured (#40039)
resource/aws_vpc_ipam_pool: Fix bug when public_ip_source = "amazon": The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip. (#40042)

`v5.74.0`

Compare Source

FEATURES:

New Data Source: aws_lb_listener_rule (#39865)
New Resource: aws_opensearch_authorize_vpc_endpoint_access (#39846)
New Resource: aws_ssmquicksetup_configuration_manager (#39931)

ENHANCEMENTS:

data-source/aws_imagebuilder_distribution_configuration: Add distribution.s3_export_configuration attribute (#35492)
data-source/aws_imagebuilder_image_recipe: Fix block_device_mapping.0.ebs.0.delete_on_termination: '' expected type 'bool', got unconvertible type 'string' errors (#39928)
resource/aws_codedeploy_deployment_group: Add termination_hook_enabled argument (#35482)
resource/aws_eks_cluster: Add zonal_shift_config argument (#39852)
resource/aws_imagebuilder_distribution_configuration: Add distribution.s3_export_configuration argument (#35492)
resource/aws_imagebuilder_image_pipeline: Allow container_recipe_arn and image_recipe_arn to be updated in-place (#39117)
resource/aws_keyspaces_keyspace: Add replication_specification argument (#36331)
resource/aws_launch_template: Add efa-only as a valid value for network_interfaces.interface_type (#39882)
resource/aws_transfer_server: Add TransferSecurityPolicy-Restricted-2024-06 as a valid value for security_policy_name (#39871)

BUG FIXES:

resource/aws_docdb_cluster: Use master_password on resource Create when snapshot_identifier is configured (#38193)
resource/aws_imagebuilder_container_recipe: Change component.parameter.name, component.parameter.value, target_repository.repository_name, and target_repository.service to ForceNew (#39117)
resource/aws_route53_record: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when geolocation_routing_policy is empty (#39944)
resource/aws_ssm_patch_baseline: Update approval_rule.approve_after_days validation to allow a maximum value of 360 (#39949)
resource/aws_wafv2_web_acl: Fix decoding JSON: unexpected end of JSON input errors when updating from using rule_json to using rule (#39283)
resource/aws_wafv2_web_acl: Fix unmarshal error for incompatible types in rule_json (#39878)

`v5.73.0`

Compare Source

FEATURES:

New Data Source: aws_ssm_patch_baselines (#39779)
New Resource: aws_imagebuilder_lifecycle_policy (#35674)
New Resource: aws_resiliencehub_resiliency_policy (#38913)
New Resource: aws_sagemaker_hub (#39807)
New Resource: aws_sagemaker_mlflow_tracking_server (#39796)

ENHANCEMENTS:

data-source/aws_elasticache_reserved_cache_node_offering: Support valkey as valid value for product_description (#39745)
data-source/aws_lakeformation_data_lake_settings: Add parameters map attribute to read CROSS_ACCOUNT_VERSION (#39826)
data-source/aws_lb: Add enable_zonal_shift attribute (#39585)
resource/aws_apprunner_auto_scaling_configuration_version: Remove the upper limit on min_size and max_size (#39843)
resource/aws_batch_job_definition: Ensure that new revisions are created with tags (#39797)
resource/aws_codedeploy_deployment_config: Add zonal_config argument (#34850)
resource/aws_dynamodb_kinesis_streaming_destination: Add approximate_creation_date_time_precision argument (#38098)
resource/aws_elasticache_cluster: Support valkey as valid value for engine (#39745)
resource/aws_elasticache_global_replication_group: Support Valkey versions for engine_version (#39745)
resource/aws_elasticache_replication_group: Support Valkey versions for engine_version (#39745)
resource/aws_elasticache_replication_group: Support valkey as valid value for engine (#39745)
resource/aws_elasticache_serverless_cache: Support valkey as valid value for engine (#39745)
resource/aws_kinesis_firehose_delivery_stream: Add iceberg_configuration argument (#39844)
resource/aws_lakeformation_data_lake_settings: Add parameters map argument enabling CROSS_ACCOUNT_VERSION to be set (#39826)
resource/aws_lb: Add enable_zonal_shift argument (#39585)
resource/aws_lb_listener: Add tcp_idle_timeout_seconds argument (#39585)
resource/aws_route53profiles_association: Add regex and string length validation for name argument (#39798)
resource/aws_s3_bucket_object: Remove the call to kms:DescribeKey for the S3 default AWS managed key (alias/aws/s3) on Read (#39782)
resource/aws_s3_object: Remove the call to kms:DescribeKey for the S3 default AWS managed key (alias/aws/s3) on Read (#39782)
resource/aws_s3_object_copy: Remove the call to kms:DescribeKey for the S3 default AWS managed key (alias/aws/s3) on Read (#39782)
resource/aws_sagemaker_domain: Add default_user_settings.jupyter_lab_app_settings.app_lifecycle_management, default_user_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn, default_user_settings.jupyter_lab_app_settings.emr_settings, default_space_settings.jupyter_lab_app_settings.app_lifecycle_management, default_space_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn, default_space_settings.jupyter_lab_app_settings.emr_settings, default_user_settings.auto_mount_home_efs, default_user_settings.canvas_app_settings.emr_serverless_settings, default_user_settings.studio_web_portal_settings.hidden_instance_types, default_user_settings.code_editor_app_settings.app_lifecycle_management, default_user_settings.code_editor_app_settings.built_in_lifecycle_config_arn, and tag_propagation arguments (#39774)
resource/aws_sagemaker_domain: Allow app_network_access_type and app_security_group_management to be updated in-place (#39774)
resource/aws_sagemaker_feature_group: Add feature_definition.collection_config, feature_definition.collection_type, and throughput_config arguments (#39805)
resource/aws_sagemaker_space: Add space_settings.code_editor_app_settings.app_lifecycle_management and space_settings.jupyter_lab_app_settings.app_lifecycle_management arguments (#39800)
resource/aws_sagemaker_user_profile: Add user_settings.auto_mount_home_efs, user_settings.canvas_app_settings.emr_serverless_settings, user_settings.code_editor_app_settings.app_lifecycle_management, user_settings.code_editor_app_settings.built_in_lifecycle_config_arn, user_settings.jupyter_lab_app_settings.app_lifecycle_management, user_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn, user_settings.jupyter_lab_app_settings.emr_settings and user_settings.studio_web_portal_settings.hidden_instance_types arguments (#39774)

BUG FIXES:

data-source/aws_workspaces_bundle: Return the first matching bundle when searching by name. This fixes a regression introduced in v5.72.0 causing multiple WorkSpaces Bundles matched; use additional constraints to reduce matches to a single WorkSpaces Bundle errors (#39777)
resource/aws_dynamodb_table: Fix validation error when optional attribute in on_demand_throughput is excluded (#39784)
resource/aws_ecr_repository_policy: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_elasticache_serverless_cache: Fix InvalidParameterValue: This API supports only cross-engine upgrades to Valkey engine currently errors on Update (#39745)
resource/aws_iam_policy: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_iam_role_policy: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_kms_key: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_quicksight_data_set: Fix InvalidParameterValueException: Invalid RowLevelPermissionDataSet. Namespace parameter should not be specified for Version 2 errors on Create and Update (#39778)
resource/aws_route53_record: Allow creation of records with ttl=0 (#39728)
resource/aws_s3_bucket_policy: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_secretsmanager_secret: Fix persistent validation errors when malformed policy content is written to state (#39842)
resource/aws_security_group_rule: Remove from state when rule not found. This fixes a regression introduced in v5.60.0 (#39834)

`v5.72.1`

Compare Source

FEATURES:

New Resource: aws_iam_group_policy_attachments_exclusive (#39732)
New Resource: aws_iam_user_policy_attachments_exclusive (#39731)

ENHANCEMENTS:

resource/aws_resourceexplorer2_view: Add scope argument (#39744)

BUG FIXES:

data-source/aws_batch_job_definition: Properly handles ignored tags. (#39734)
data-source/aws_cognito_user_pool: Properly handles ignored tags. (#39734)
resource/aws_cognito_user_pool: Properly handles ignored tags. (#39734)
resource/aws_dynamodb_table: Fix crash when billing_mode is set to PAY_PER_REQUEST without global_secondary_index updates (#39752)
resource/aws_dynamodb_table_replica: Properly handles default and ignored tags. (#39734)
resource/aws_resourceexplorer2_index: Correctly mark incomplete AGGREGATOR indexes as tainted on Create (#39744)

`v5.72.0`

Compare Source

NOTES:

This version contains all the features, enhancements, and bug fixes from the v5.71.0 release which was removed from the Terraform Registry (#39692)
resource/aws_iam_role: The managed_policy_arns argument is deprecated. Use the aws_iam_role_policy_attachments_exclusive resource instead. (#39718)

FEATURES:

New Resource: aws_iam_role_policy_attachments_exclusive (#39718)

ENHANCEMENTS:

data-source/aws_workspaces_directory: Add saml_properties attribute (#39060)
resource/aws_appflow_flow: Add source_flow_config.source_connector_properties.sapo_data.pagination_config and source_flow_config.source_connector_properties.sapo_data.parallelism_config attributes (#38932)
resource/aws_cloudwatch_event_rule: Add tags to AWS API request on Update to support ABAC aws:RequestTag conditions (#39648)
resource/aws_cloudwatch_event_target: Add appsync_target configuration block (#37773)
resource/aws_dynamodb_table: Add on_demand_throughput and global_secondary_index.on_demand_throughput arguments (#37799)
- resource/aws_lakeformation_permissions: Allow principal to be an AWS federated-user arn (#33298)
resource/aws_rds_cluster: Increase maximum value of serverlessv2_scaling_configuration.max_capacity and serverlessv2_scaling_configuration.min_capacity from 128 to 256 (#39697)
resource/aws_rds_cluster_instance: Treat storage-optimization status as success when creating or updating cluster DB instances (#39691)
resource/aws_workspaces_directory: Add saml_properties configuration block (#39060)

BUG FIXES:

data-source/aws_ssm_document: Correct arn for automation documents (#39705)
resource/aws_cognito_user_pool: Fixes error when schema has empty string_attribute_constraints or number_attribute_constraints (#20386)
resource/aws_ssm_document: Correct arn for automation documents (#39705)

`v5.70.0`

Compare Source

NOTES:

resource/aws_s3_bucket_lifecycle_configuration: Amazon S3 now applies a default minimum object size of 128 KB for S3 Lifecycle transition rules to any S3 storage class. This new default behavior will be applied to any new or modified S3 Lifecycle configuration. You can override this new default and customize the minimum object size for S3 Lifecycle transition rules to any value (#39578)
resource/aws_simpledb_domain: The aws_simpledb_domain resource has been deprecated and will be removed in a future version. Use Amazon DynamoDB instead (#39536)
resource/aws_worklink_fleet: The aws_worklink_fleet resource has been deprecated and will be removed in a future version. Use Amazon WorkSpaces Secure Browser instead (#39538)
resource/aws_worklink_website_certificate_authority_association: The aws_worklink_website_certificate_authority_association resource has been deprecated and will be removed in a future version. Use Amazon WorkSpaces Secure Browser instead (#39538)

FEATURES:

New Resource: aws_backup_logically_air_gapped_vault (#39098)
New Resource: aws_ec2_transit_gateway_default_route_table_association (#39496)
New Resource: aws_ec2_transit_gateway_default_route_table_propagation (#39517)
New Resource: aws_iam_group_policies_exclusive (#39554)
New Resource: aws_iam_user_policies_exclusive (#39544)
New Resource: aws_securityhub_standards_control_association (#39511)

ENHANCEMENTS:

data-source/aws_ebs_snapshot: Add start_time attribute (#39557)
resource/aws_bedrockagent_agent_action_group: Add prepare_agent argument (#39486)
resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.custom_transformation_configuration argument (#39556)
resource/aws_globalaccelerator_endpoint_group: Add endpoint_configuration.attachment_arn argument (#39507)
resource/aws_lambda_code_signing_config: Add tags argument and tags_all attribute (#39535)
resource/aws_lambda_event_source_mapping: Add arn attribute (#39535)
resource/aws_lambda_event_source_mapping: Add tags argument and tags_all attribute (#39535)
resource/aws_s3_bucket_lifecycle_configuration: Add transition_default_minimum_object_size argument (#39578)

BUG FIXES:

resource/aws_bedrockagent_agent: Fix "Provider produced inconsistent result after apply" error on update due to customer_encryption_key_arn not being passed during update (#39565)
resource/aws_bedrockagent_agent: Fix "Provider produced inconsistent result after apply" error on update due to prompt_override_configuration not being passed when not modified (#39565)
resource/aws_bedrockagent_knowledge_base: Change knowledge_base_configuration and storage_configuration to ForceNew (#39567)
resource/aws_ec2_transit_gateway_vpc_attachment: Remove default value for security_group_referencing_support argument and mark as Computed. This suppresses the diffs shown for resources created with v5.68.0 (or earlier) (#39519)
resource/aws_opensearchserverless_lifecycle_policy: Fix "Provider produced inconsistent result after apply" error on update due to policy_version computed attribute changing (#39528)
resource/aws_opensearchserverless_security_policy: Fix "Provider produced inconsistent result after apply" error on update due to policy_version computed attribute changing (#39528)
resource/aws_quicksight_dashboard: Fix mapping of sheets.filter_controls.list.cascading_control_configuration and sheets.parameter_controls.list.cascading_control_configuration attributes (#39453)

`v5.69.0`

Compare Source

NOTES:

provider: This release contains an upstream AWS SDK for Go v2 change to DynamoDB service endpoints. The Terraform AWS Provider will now connect to a DynamoDB endpoint in the format (account-id).ddb.(region).amazonaws.com instead of dynamodb.(region).amazonaws.com. If your network configuration blocks outgoing traffic to DynamoDB based on DNS names or endpoint URLs, you must adjust your configuration, because the service's DNS name will change. You may instead disable account-based endpoints for DynamoDB by setting account_id_endpoint_mode = disabled in a shared config file or setting the AWS_ACCOUNT_ID_ENDPOINT_MODE environment variable to disabled (#39505)
provider: Updates to Go 1.23.1. The issue with AWS Network Firewall dropping TLS handshake ClientHello messages after the v5.65.0 upgrade to Go 1.23.0, temporarily resolved by the v5.67.0 downgrade to Go 1.22.7, has been addressed by removing the X25519Kyber768Draft00 key exchange mechanism from the HTTP client used to make AWS API calls (#39432)
resource/aws_alb_listener: When importing a listener that has either a default action top-level target group ARN or a default action defining a forward action defining a target group with an ARN, include both in the configuration to avoid import differences (#39413)
resource/aws_lb_listener: When importing a listener that has either a default action top-level target group ARN or a default action defining a forward action defining a target group with an ARN, include both in the configuration to avoid import differences (#39413)

ENHANCEMENTS:

data-source/aws_connect_instance: Add tags attribute (#39402)
data-source/aws_ec2_transit_gateway: Add security_group_referencing_support attribute (#34542)
data-source/aws_ec2_transit_gateway_vpc_attachment: Add security_group_referencing_support attribute (#34542)
data-source/aws_opensearchserverless_collection: Add failure_code and failure_reason attributes (#38995)
resource/aws_bedrockagent_agent: Add guardrail_configuration argument (#39440)
resource/aws_connect_instance: Add tags argument and tags_all attribute (#39402)
resource/aws_ec2_transit_gateway: Add security_group_referencing_support argument (#34542)
resource/aws_ec2_transit_gateway_vpc_attachment: Add security_group_referencing_support argument (#34542)
resource/aws_ec2_transit_gateway_vpc_attachment_accepter: Add security_group_referencing_support argument (#34542)
resource/aws_ecs_service: Add volume_configuration.managed_ebs_volume.tag_specifications attribute (#38662)
resource/aws_identitystore_group: Allow display_name to be updated in-place (#39416)
resource/aws_kinesis_stream: Tag on Create to support attribute-based access control (ABAC) (#39504)
resource/aws_quicksight_data_source: Add credentials.secret_arn argument (#29034)

BUG FIXES:

data-source/aws_opensearchserverless_vpc_endpoint: Correctly set security_group_ids. This requires a call to the EC2 DescribeVpcEndpoints API (#39454)
data-source/aws_region: Fix lookups for the ap-southeast-5 Region (#39389)
resource/aws_alb_listener: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences (#39413)
resource/aws_alb_listener: Remove the limitation preventing setting both default_action.0.target_group_arn and default_action.0.forward to align with the AWS API which allows you to specify both a target group list and a top-level target group ARN if the ARNs match (#39413)
resource/aws_db_instance: Allow replica database to be added to domain on create (#39448)
resource/aws_db_instance_role_association: Fix intermittent failure when instance is not in an available state (#39457)
resource/aws_dynamodb_tag: Fix propagation timeout when multiple tags exist (#39491)
resource/aws_ecs_cluster: Fix validation error with name attribute. (#38993)
resource/aws_ecs_cluster_capacity_providers: Fix validation error with name attribute. (#38993)
resource/aws_iam_role: Retry ConcurrentModificationExceptions during role creation (#39429)
resource/aws_inspector2_enabler: Fix AccessDeniedException: Lambda code scanning is not supported in ... errors (#38254)
resource/aws_inspector2_member_association: Improve handling of AccessDeniedException errors during creation (#38254)
resource/aws_lb_listener: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences (#39413)
resource/aws_lb_listener: Remove the limitation preventing setting both default_action.0.target_group_arn and default_action.0.forward to align with the AWS API which allows you to specify both a target group list and a top-level target group ARN if the ARNs match (#39413)
resource/aws_lb_listener_rule: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences (#39413)
resource/aws_lb_target_group: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences (#39413)
resource/aws_medialive_multiplex: Fix to properly handle read failures during delete operations which were previously ignored (#39498)
resource/aws_opensearchserverless_vpc_endpoint: Change name and vpc_id to ForceNew (#39454)
resource/aws_opensearchserverless_vpc_endpoint: Correctly set security_group_ids. This requires a call to the EC2 DescribeVpcEndpoints API (#39454)
resource/aws_rds_cluster_role_association: Fix intermittent failure when cluster is not in an available state (#39457)
resource/aws_vpc_dhcp_options: Fix a bug causing a panic crash when an option is absent (#39427)

`v5.68.0`

Compare Source

NOTES:

resource/aws_iam_role: The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well. (#39203)
resource/aws_lexv2models_slot_type: Within the composite_slot_type_setting block, the subslots argument has been renamed sub_slots. See the linked pull request for additional justification on this change. The previous misnaming effectively made this argument unusable, therefore a breaking change in a minor version was deemed acceptable. (#39353)

FEATURES:

New Data Source: aws_elasticache_reserved_cache_node_offering (#29832)
New Data Source: aws_securityhub_standards_control_associations (#39334)
New Data Source: aws_synthetics_runtime_version (#39180)
New Data Source: aws_synthetics_runtime_versions (#39180)
New Resource: aws_appsync_source_api_association (#39323)
New Resource: aws_elasticache_reserved_cache_node (#29832)
New Resource: aws_iam_role_policies_exclusive (#39203)
New Resource: aws_pinpointsmsvoicev2_opt_out_list (#25036)
New Resource: aws_pinpointsmsvoicev2_phone_number (#25036)
New Resource: aws_sesv2_account_suppression_attributes (#39325)

ENHANCEMENTS:

resource/aws_s3_bucket_server_side_encryption_configuration: S3 directory buckets now support SSE-KMS (#39366)
resource/aws_ses_receipt_rule: Add iam_role_arn argument to s3_action configuration block (#39364)
resource/aws_synthetics_canary: Increase maximum name length to 255 characters (#39315)

BUG FIXES:

provider: Allows assume_role.role_arn to be an empty string when there is a single assume_role entry. (#39328)
resource/aws_amplify_app: Fix failure when unsetting the environment_variables argument (#39397)
resource/aws_dynamodb_table: Fix changing replicas to the default Managed by DynamoDB encryption setting (#31284)
resource/aws_dynamodb_table: Handle eventual consistency of tag creation and removal (#39326)
resource/aws_dynamodb_table_replica: Handle eventual consistency of tag creation and removal (#39326)
resource/aws_dynamodb_tag: Handle eventual consistency of tag creation and removal (#39326)
resource/aws_mq_broker: Fix engine_version mismatch with RabbitMQ 3.13 and ActiveMQ 5.18 and above (#39024)
resource/aws_mwaa_environment: Fix creating environments with endpoint_management = "CUSTOMER" (#39394)
resource/aws_opensearchserverless_access_policy: Fix incompatible type error when setting policy (#39322)

`v5.67.0`

Compare Source

BREAKING CHANGES:

resource/aws_lexv2models_slot_type: Within the value_selection_setting.advanced_recognition_setting block, the audio_recognition_setting argument has been renamed audio_recognition_strategy (#39254)

NOTES:

provider: Downgrades to Go 1.22.6. A small number of users have reported failed or hanging network connections using the version of the Terraform AWS provider which was first built with Go 1.23.0 (v5.65.0). At this point, maintainers have been unable to reproduce failures, but enough distinct users have reported issues that we are going to attempt downgrading to Go 1.22.6 for the next provider release. We will continue to coordinate with users and AWS in an attempt to identify the root cause, using this upcoming release with a reverted Go build version as a data point. (#39256)
resource/aws_lexv2models_slot_type: Within the value_selection_setting.advanced_recognition_setting block, the audio_recognition_setting argument has been renamed audio_recognition_strategy. See the linked pull request for additional justification on this change. The previous misnaming effectively made this argument unusable, therefore a breaking change in a minor version was deemed acceptable. (#39254)

FEATURES:

New Data Source: aws_codebuild_fleet (#39237)
New Resource: aws_cloudformation_stack_instances (#36794)
New Resource: aws_codebuild_fleet (#39237)
New Resource: aws_computeoptimizer_enrollment_status (#35349)
New Resource: aws_computeoptimizer_recommendation_preferences (#35349)
New Resource: aws_costoptimizationhub_enrollment_status (#36440)
New Resource: aws_costoptimizationhub_preferences (#36526)
New Resource: aws_datazone_asset_type (#38812)
New Resource: aws_datazone_environment_profile (#38581)
New Resource: aws_lambda_function_recursion_config (#39153)

ENHANCEMENTS:

data-source/aws_acm_certificate: Mark domain and tags as Optional. This enables certificates to be matched based on tags (#31453)
data-source/aws_kinesis_stream: Add encryption_type and kms_key_id attributes (#39212)
datasource/aws_cognito_user_pool: Deprecates user_pool_tags in favor of standard tags. (#39260)
provider: Adds support for IAM role chaining. The provider attribute assume_role now accepts multiple elements. (#39255)
resource/aws_amplify_app: Add cache_config argument (#39215)
resource/aws_cloudhsm_v2_cluster: Add mode argument (#39206)
resource/aws_cloudhsm_v2_cluster: Support hsm2m.medium as a valid value for hsm_type (#39206)
resource/aws_codebuild_project: Add fleet attribute in environment configuration block (#39237)
resource/aws_kinesis_firehose_delivery_stream: Add snowflake_configuration.buffering_internal and snowflake_configuration.buffering_size arguments (#39214)
resource/aws_quicksight_user: Add READER_PRO, AUTHOR_PRO, and ADMIN_PRO as valid values for the user_role argument (#39220)
resource/aws_sagemaker_domain: Add default_user_settings.domain_settings.docker_settings configuration block (#35416)
resource/aws_sagemaker_domain: Add default_user_settings.studio_web_portal_settings, default_space_settings.jupyter_lab_app_settings, default_space_settings.space_storage_settings, default_space_settings.custom_posix_user_config, and default_space_settings.custom_file_system_config configuration blocks (#38457)
resource/aws_sagemaker_endpoint_configuration: Add production_variants.managed_instance_scaling and shadow_production_variants.managed_instance_scaling configuration blocks (#35479)
resource/aws_sagemaker_model: Add primary_container.inference_specification_name and container.inference_specification_name arguments (#35873)
resource/aws_sagemaker_model: Add primary_container.model_data_source.s3_data_source.model_access_config, primary_container.multi_model_config, container.model_data_source.s3_data_source.model_access_config, and ``container.multi_model_config` configuration blocks (#35873)
resource/aws_sagemaker_user_profile: Add user_settings.studio_web_portal_settings configuration block (#38567)
resource/aws_sfn_state_machine: Add plan-time validation of definition using the AWS Step Functions Validation API (#39229)

BUG FIXES:

data-source/aws_eks_cluster: Return created_at as an RFC3339 formatted timestamp (#24183)
datasource/aws_cognito_user_pool: Fixes value conversion error. (#39260)
provider: Fix empty tags drift on fwprovider resources (#38636)
resource/aws_batch_job_queue: Fixes error in schema migration function. (#39257)
resource/aws_cognito_user_pool: Correctly unsets tags. (#39260)
resource/aws_ecr_repository_policy: Fix retry logic handling eventual consistency of newly created IAM roles (#39190)
resource/aws_eks_cluster: Return created_at as an RFC3339 formatted timestamp (#24183)
resource/aws_iam_role: Fix to reduce Terraform reporting differences when a role's ARN temporarily appears as the role's unique ID (#36794)
resource/aws_networkfirewall_tls_inspection_configuration: Fix issue where check_certificate_revovation_status is ignored due to bad autoflex field mapping (#39211)
resource/aws_networkmonitor_monitor: Fixes error when optional attribute aggregation_period not set. (#39279)
resource/aws_quicksight_data_set: Change permissions.actions MaxItems from 16 to 20. This fixes a regression introduced in v5.66.0 (#39226)
resource/aws_quicksight_vpc_connection: Remove vpc_connection_id regular expression validator. This fixes a regression introduced in v5.66.0 (#39231)
resource/aws_sagemaker_domain: Fix update for default_user_settings.domain_settings to include missing security_group_ids and r_studio_server_pro_domain_settings values (#35416)
resource/aws_sesv2_configuration_set: Allow suppression_options.suppressed_reasons to be an empty list ([]) in order to disable the suppression list (#29671)
resource/aws_sesv2_configuration_set_event_destination: Change event_destination.matching_event_types from TypeList to TypeSet as order is not significant (#36897)
resource/aws_verifiedaccess_endpoint: fix crash when updating load_balancer_options.subnet_ids (#39196)

`v5.66.0`

Compare Source

FEATURES:

New Data Source: aws_glue_registry (#37953)
New Data Source: aws_organizations_organizational_unit_descendant_organizational_units (#39120)
New Data Source: aws_quicksight_analysis (#31737)
New Resource: aws_datazone_environment (#38811)

ENHANCEMENTS:

data-source/aws_sns_topic: Add tags attribute (#38959)
data-source/aws_transfer_server: Add tags attribute (#39092)
resource/aws_appsync_graphql_api: Add api_type and merged_api_execution_role_arn arguments (#39159)
resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.chunking_configuration.semantic_chunking_configuration, vector_ingestion_configuration.chunking_configuration.hierarchical_chunking_configuration, and vector_ingestion_configuration.parsing_configuration configuration blocks (#39138)
resource/aws_datazone_domain: Add skip_deletion_protection attribute (#38811)
resource/aws_docdbelastic_cluster: Add backup_retention_period and preferred_backup_window attributes (#38452)
resource/aws_quicksight_data_source: Add parameters.databricks argument (#31737)
resource/aws_rolesanywhere_trust_anchor: Add notification_settings argument (#39108)
resource/aws_sagemaker_endpoint: Increase Create and Update InService timeouts to 60 minutes (#39090)
resource/aws_wafv2_rule_group: Reduce rate_based_statement.limit minimum from 100 to 10 (#39107)
resource/aws_wafv2_web_acl: Reduce rate_based_statement.limit minimum from 100 to 10 (#39107)

BUG FIXES:

data-source/aws_networkmanager_core_network_policy_document: Change segment_actions.via.with_edge_override.use_edge to be nested set of edges, matching JSON (#39142)
data-source/aws_networkmanager_core_network_policy_document: Deprecate segment_actions.via.with_edge_override.use_edge. Use segment_actions.via.with_edge_override.use_edge_location instead (#39142)
many resources: Fixes perpetual diff when tag has a null value. (#38869)
resource/aws_appconfig_extension: Mark role_arn as Optional (#38900)
resource/aws_lexv2models_slot_type: Fix slot_type_values validator which limited configurations to 1 element (#39126)
resource/aws_quicksight_analysis: Properly send theme_arn argument on create and update when configured (#31737)
resource/aws_rolesanywhere_profile: Mark role_arns as Optional and send an empty list if unconfigured (#39108)
resource/aws_synthetics_canary: Remove run_config.timeout_in_seconds default value to allow creation of resources with a frequency less than 14 minutes (#35177)

`v5.65.0`

Compare Source

NOTES:

provider: Updates to Go 1.23. We do not expect this change to impact most users. For macOS, Go 1.23 requires macOS 11 Big Sur or later; support for previous versions has been discontinued. (#38999)

FEATURES:

New Data Source: aws_shield_protection (#37524)
New Resource: aws_glue_catalog_table_optimizer (#38052)

ENHANCEMENTS:

data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-southeast-5 AWS Region (#39052)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-southeast-5 AWS Region (#39052)
data-source/aws_s3_bucket: Add hosted zone ID for ap-southeast-5 AWS Region (#39052)
provider: Support ap-southeast-5 as a valid AWS Region (#39049)
resource/aws_cognito_user_pool: Add password_policy.password_history_size argument (#39043)
resource/aws_elastic_beanstalk_application_version: Add process argument (#25468)
resource/aws_elasticsearch_domain: Treat SUCCEEDED_WITH_ISSUES status as success when upgrading cluster (#38086)
resource/aws_emr_cluster: Support io2 as a valid value for ebs_config.type (#37740)
resource/aws_emr_instance_fleet: Support io2 as a valid value for instance_type_configs.ebs_config.type (#37740)
resource/aws_emr_instance_group: Support io2 as a valid value for instance_type_configs.ebs_config.type (#37740)
resource/aws_glue_job: Add job_run_queuing_enabled argument (#39027)
resource/aws_lambda_event_source_mapping: Add kms_key_arn argument (#39055)
resource/aws_verifiedaccess_endpoint: Set PolicyEnabled flag to false on update if policy_document is empty (#38675)

BUG FIXES:

resource/aws_amplify_app: Fix crash updating auto_branch_creation_config (#39041)
resource/aws_elasticsearch_domain_policy: Change domain_name to ForceNew (#38086)
resource/aws_elbv2_listener: Fix crash when reading forward actions not configured in state (#39039)
resource/aws_emr_instance_group: Properly send an instance_count value of 0 on create when configured (#37740)
resource/aws_gamelift_game_server_group: Fix crash while reading server group with a nil auto scaling group ARN (#39022)
resource/aws_guardduty_invite_accepter: Fix BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter errors on resource Create (#39084)
resource/aws_lakeformation_permissions: Fix error when revoking data_cells_filter permissions (#39026)
resource/aws_neptune_cluster: Mark neptune_cluster_parameter_group_name as Computed (#38980)
resource/aws_neptune_cluster_instance: Mark neptune_parameter_group_name as Computed (#38980)
resource/aws_ssm_parameter: Fix ValidationException: Parameter ARN is not supported for this operation errors when deleting resources imported by ARN (#39067)

`v5.64.0`

Compare Source

ENHANCEMENTS:

data-source/aws_opensearch_domain: Add dashboard_endpoint_v2, domain_endpoint_v2_hosted_zone_id, and endpoint_v2 attributes (#38456)
resource/aws_appautoscaling_target: Add suspended_state configuration block (#38942)
resource/aws_dynamodb_table: Add restore_source_table_arn attribute (#38953)
resource/aws_opensearch_domain: Add dashboard_endpoint_v2, domain_endpoint_v2_hosted_zone_id, and endpoint_v2 attributes (#38456)

BUG FIXES:

resource/aws_bedrockagent_agent: Fixes consistency issues where only some prompts are overridden (#38944)
resource/aws_cloudformation_stack_set_instance: Fix crash during construction of the id attribute when deployment_targets does not include organizational unit IDs. (#38969)
resource/aws_glue_trigger: Fix crash when null action is configured (#38994)
resource/aws_rds_cluster: Allow Web Service Data API (enabled_http_endpoint) to be enabled and disabled for provisioned engine mode and serverlessv2 (#38997)

`v5.63.1`

Compare Source

FEATURES:

New Data Source: aws_route53_zones (#17457)
New Data Source: aws_ssoadmin_permission_sets (#38741)

ENHANCEMENTS:

data-source/aws_batch_job_queue: Add job_state_time_limit_action attribute (#38784)
resource/aws_batch_job_definition: Add ecs_properties argument (#37871)
resource/aws_batch_job_queue: Add job_state_time_limit_action argument (#38784)

BUG FIXES:

provider: Fix crash when flattening string pointer slices with nil items (#38886)
resource/aws_datazone_project: Properly surface import id parsing errors (#38924)
resource/aws_quicksight_data_set: Fix crash when setting logical_table_map.data_transforms.project_operation.projected_columns with null list elements (#38886)
resource/aws_ses_configuration_set: Fix crash when reputation_metrics_enabled is set to true (#38921)

`v5.63.0`

Compare Source

FEATURES:

New Data Source: aws_bedrockagent_agent_versions (#38792)
New Resource: aws_bedrock_guardrail (#38757)
New Resource: aws_cloudtrail_organization_delegated_admin_account (#38817)
New Resource: aws_datazone_environment_profile (#35603)
New Resource: aws_datazone_form_type (#38746)
New Resource: aws_datazone_glossary_term (#38706)
New Resource: aws_pinpoint_email_template (#33266)

ENHANCEMENTS:

resource/aws_networkfirewall_logging_configuration: Change logging_configuration.log_destination_config MaxItems from 2 to 3 (#38824)

BUG FIXES:

data-source/aws_acm_certificate: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_appstream_stack: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_bedrockagent_agent_knowledge_base_association: Prepare agent when associating a knowledge base so it can be used (#38799)
resource/aws_cloudwatch_event_connection: Fix various expander type assertions to prevent crashes (#38800)
resource/aws_controltower_landing_zone: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_db_event_subscription: Fix plan-time validation of name and name_prefix (#38194)
resource/aws_ecs_cluster_capacity_providers: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_ecs_service: Fix crash from nil service_registries item (#38883)
resource/aws_ecs_task_definition: Fix perpetual container_definitions diffs on healthCheck's default values (#38872)
resource/aws_ecs_task_definition: Prevent lowercasing of the first character of JSON keys in container_definitions.dockerLabels (#38804)
resource/aws_ecs_task_definition: Remove nulls from container_definition array fields (#38870)
resource/aws_elasticache_replication_group: Fix crash when setting replicas_per_node_group if node groups are empty (#38797)
resource/aws_fms_policy: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_grafana_workspace: Fix crash when empty network_access_control block is configured (#38775)
resource/aws_grafana_workspace: Fix crash when empty vpc_configuration block is configured (#38775)
resource/aws_iot_thing_group: Fix crash when empty attribute_payload block is configured (#38776)
resource/aws_lexv2models_slot_type: Fix slot_type_values to have sample_value attribute (#38856)
resource/aws_networkmanager_connect_peer: Set all configuration.bgp_configurations on Read (#38798)
resource/aws_redshift_cluster: Set encrypted on snapshot restore, when enabled (#38828)
resource/aws_rolesanywhere_profile: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_rolesanywhere_trust_anchor: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)
resource/aws_s3_bucket_lifecycle_configuration: Fix unreturned sdkdiags.AppendErrorf function calls (#38854)

`v5.62.0`

Compare Source

FEATURES:

New Data Source: aws_rds_cluster_parameter_group (#38416)
New Data Source: aws_secretsmanager_secret_versions (#35411)
New Resource: aws_ebs_snapshot_block_public_access (#38641)
New Resource: aws_rds_integration (#35199)

ENHANCEMENTS:

data-source/aws_s3_bucket_object: Expand content types that can be read from S3 to include include application/x-sql (#38737)
data-source/aws_s3_object: Expand content types that can be read from S3 to include application/x-sql (#38737)
provider: Allow default_tags to be set by environment variables (#33339)
provider: Allow ignore_tags.keys and ignore_tags.key_prefixes to be set by environment variables (#35264)
resource/aws_db_option_group: Add skip_destroy argument (#29663)
resource/aws_db_parameter_group: Add skip_destroy argument (#29663)
resource/aws_dx_macsec_key_association: Add plan-time validation of secret_arn (#37213)
resource/aws_ecs_service: Add force_delete argument (#38707)
resource/aws_grafana_license_association: Add grafana_token argument (#38743)
resource/aws_lb_target_group: Add target_health_state.unhealthy_draining_interval argument (#38654)
resource/aws_lexv2models_slot: Add sub_slot_setting attribute (#38698)

BUG FIXES:

data-source/aws_ecr_repository_creation_template: Support ROOT as a valid value for prefix (#38685)
data-source/aws_msk_broker_nodes: Filter out nodes with no broker info (#38042)
resource/aws_appconfig_configuration_profile: Increase name max length validation to 128 (#37539)
resource/aws_batch_job_definition: Fix panic when checking eks_properties for job updates (#38716)
resource/aws_batch_job_definition: Fix panic when checking retry_strategy for job updates (#38716)
resource/aws_batch_job_definition: Fix panic when checking timeout for job updates (#38716)
resource/aws_ec2_capacity_block_reservation: Fix error during apply for missing created_date attribute (#38689)
resource/aws_ecr_repository_creation_template: Support ROOT as a valid value for prefix (#38685)
resource/aws_elbv2_trust_store_revocation: Fix to properly return errors during resource creation (#38756)
resource/aws_emr_cluster: Fix panic when reading an instance fleet with an empty launch_specifications argument (#38773)
resource/aws_lexv2models_bot: Handle PreconditionFailedException on delete for resources deleted out-of-band (#38661)
resource/aws_lexv2models_bot_locale: Handle PreconditionFailedException on delete for resources deleted out-of-band (#38661)
resource/aws_lexv2models_bot_version: Handle PreconditionFailedException on delete for resources deleted out-of-band (#38661)
resource/aws_networkmanager_core_network: Fix $.network-function-groups: null found, array expected errors when creating resource with create_base_policy argument (#38642)
resource/aws_quicksight_account_subscription: Fix panic when read returns nil account info (#38752)
resource/aws_sfn_state_machine: Mark revision_id and state_machine_version_arn as Computed on update if publish is true (#38657)

`v5.61.0`

Compare Source

NOTES:

resource/aws_chatbot_teams_channel_configuration: This resource is provided on a best-effort basis, and we welcome the community's help in testing it. (#38630)

FEATURES:

New Data Source: aws_ecr_repository_creation_template (#38597)
New Resource: aws_chatbot_slack_channel_configuration (#38124)
New Resource: aws_chatbot_teams_channel_configuration (#38630)
New Resource: aws_datazone_glossary (#38602)
New Resource: aws_ecr_repository_creation_template (#38597)
New Resource: aws_timestreaminfluxdb_db_instance (#37963)

ENHANCEMENTS:

data-source/aws_eks_cluster: Add upgrade_policy attribute (#38573)
data-source/aws_sagemaker_prebuilt_ecr_image: Support additional repository_name values. See documentation for details (#38575)
resource/aws_appsync_graphql_api: Add enhanced_metrics_config configuration block (#38570)
resource/aws_db_instance: Add upgrade_storage_config argument (#36904)
resource/aws_default_vpc: Support ipv6_cidr_block sizes between /44 and /60 in increments of /4 (#35614)
resource/aws_default_vpc: Support ipv6_netmask_length values between 44 and 60 in increments of 4 (#35614)
resource/aws_eks_cluster: Add upgrade_policy configuration block (#38573)
resource/aws_elasticache_user_group_association: Add configurable create and delete timeouts (#38559)
resource/aws_pipes_pipe: Add log_configuration.include_execution_data argument (#38569)
resource/aws_rds_cluster: Add performance_insights_enabled, performance_insights_kms_key_id, and performance_insights_retention_period arguments (#29415)
resource/aws_rds_cluster: Add restore_to_point_in_time.source_cluster_resource_id argument (#38540)
resource/aws_rds_cluster: Mark restore_to_point_in_time.source_cluster_identifier as Optional (#38540)
resource/aws_sfn_activity: Add encryption_configuration configuration block to support the use of Customer Managed Keys with AWS KMS to encrypt Step Functions Activity resources (#38574)
resource/aws_sfn_state_machine: Add encryption_configuration configuration block to support the use of Customer Managed Keys with AWS KMS to encrypt Step Functions State Machine resources (#38574)
resource/aws_ssm_patch_baseline: Remove empty fields from json attribute value (#35950)
resource/aws_storagegateway_file_system_association: Add configurable timeouts (#38554)
resource/aws_vpc: Support ipv6_cidr_block sizes between /44 and /60 in increments of /4 (#35614)
resource/aws_vpc: Support ipv6_netmask_length values between 44 and 60 in increments of 4 (#35614)
resource/aws_vpc_ipv6_cidr_block_association: Add assign_generated_ipv6_cidr_block and ipv6_pool arguments (#27274)
resource/aws_vpc_ipv6_cidr_block_association: Support ipv6_cidr_block sizes between /44 and /60 in increments of /4 (#35614)
resource/aws_vpc_ipv6_cidr_block_association: Support ipv6_netmask_length values between 44 and 60 in increments of 4 (#35614)
resource/aws_vpc_security_group_egress_rule: Add tags to the AuthorizeSecurityGroupEgress EC2 API call instead of making a separate CreateTags call (#35614)
resource/aws_vpc_security_group_ingress_rule: Add tags to the AuthorizeSecurityGroupIngress EC2 API call instead of making a separate CreateTags call (#35614)
resource/aws_wafv2_web_acl: Add rule_json attribute to allow raw JSON for rules. (#38309)

BUG FIXES:

data-source/aws_appstream_image: Fix issue where the most recent image is not returned (#38571)
datasource/aws_networkmanager_core_network_policy_document: Fix CoreNetworkPolicyException when putting policy with single wildcard in when_sent_to (#38595)
resource/aws_cloudsearch_domain: Fix index_name character length validation (#38509)
resource/aws_ecs_task_definition: Ensure that JSON keys in container_definitions start with a lowercase letter (#38622)
resource/aws_iot_provisioning_template: Properly send type argument on create when configured (#38640)
resource/aws_opensearchserverless_security_policy: Normalize policy content to prevent persistent differences (#38604)
resource/aws_pipes_pipe: Don't reset target_parameters if the configured value has not changed (#38598)
resource/aws_rds_instance: Allow domain_dns_ips to use single DNS server IP (#36500)
resource/aws_sagemaker_domain: Properly send domain_settings.r_studio_server_pro_domain_settings.r_studio_package_manager_url argument on create (#38547)
resource/aws_vpc_ipam_pool_cidr_allocation: Set description on Read (#38618)
resource/aws_vpc_ipam_pool_cidr_allocation: Set netmask_length on Read (#38618)

`v5.60.0`

Compare Source

NOTES:

resource/aws_shield_subscription: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#37637)

FEATURES:

New Data Source: aws_service_principal (#38307)
New Resource: aws_shield_subscription (#37637)

ENHANCEMENTS:

data-source/aws_cloudwatch_event_bus: Add kms_key_identifier attribute (#38492)
data-source/aws_cur_report_definition: Add tags attribute (#38483)
resource/aws_appflow_flow: Add metadata_catalog_config attribute (#37566)
resource/aws_appflow_flow: Add prefix_hierarchy attribute to destination_flow_config.s3.s3_output_format_config (#37566)
resource/aws_batch_job_definition: Add eks_properties.*.pod_properties.*.image_pull_secret argument (#38517)
resource/aws_cloudformation_stack_set_instance: Add operation_preferences.concurrency_mode argument (#38498)
resource/aws_cloudwatch_event_bus: Add kms_key_identifier argument (#38492)
resource/aws_cur_report_definition: Add tags argument and tags_all attribute (#38483)
resource/aws_db_cluster_snapshot: Add shared_accounts argument (#34885)
resource/aws_db_snapshot_copy: Add shared_accounts argument (#34843)
resource/aws_glue_connection: Add AZURECOSMOS, AZURESQL, BIGQUERY, OPENSEARCH, and SNOWFLAKE as valid values for the connection_type argument and SparkProperties as a valid value for the connection_properties argument (#37731)
resource/aws_iam_role: Change from partial resource creation to resource creation failed if an inline_policy fails to create (#38477)
resource/aws_rds_cluster: Add scaling_configuration.seconds_before_timeout argument (#38451)
resource/aws_sesv2_configuration_set_event_destination: Add event_destination.event_bridge_destination configuration block (#38458)
resource/aws_timestreamwrite_table: Fix runtime error: invalid memory address or nil pointer dereference panic when reading a non-existent table (#38512)

BUG FIXES:

data-source/aws_fsx_ontap_storage_virtual_machine: Correctly set tags on Read (#38343)
data-source/aws_fsx_openzfs_snapshot: Correctly set tags on Read (#38343)
resource/aws_ce_cost_category: Fix perpetual diff with the rule argument on update (#38449)
resource/aws_codebuild_webhook: Remove errant validation on scope_configuration.domain argument (#38513)
resource/aws_ecs_service: Fix error marshaling prior state: a number is required when upgrading from v5.58.0 to v5.59.0 (#38490)
resource/aws_ecs_task_definition: Fix Provider produced inconsistent final plan errors when container_definitions is unknown (#38471)
resource/aws_elasticache_replication_group: Fix error marshaling prior state when upgrading from v4.67.0 to v5.59.0 (#38476)
resource/aws_fsx_openzfs_volume: Correctly set tags on Read (#38343)
resource/aws_rds_cluster: Mark ca_certificate_identifier as Computed (#38437)
resource/aws_rds_cluster: Use the configured copy_tags_to_snapshot value when restore_to_point_in_time is set (#34044)
resource/aws_rds_cluster: Wait for no pending modified values on Update if apply_immediately is true. This fixes InvalidParameterCombination errors when updating engine_version (#38437)

`v5.59.0`

Compare Source

FEATURES:

resource/aws_kinesis_firehose_delivery_stream: Add secrets_manager_configuration to redshift_configuration, snowflake_configuration, and splunk_configuration (#38151)
New Data Source: aws_cloudfront_origin_access_control (#36301)
New Data Source: aws_timestreamwrite_database (#36368)
New Data Source: aws_timestreamwrite_table (#36599)
New Resource: aws_datazone_project (#38345)
New Resource: aws_grafana_workspace_service_account (#38101)
New Resource: aws_grafana_workspace_service_account_token (#38101)
New Resource: aws_rds_certificate (#35003)
New Resource: aws_rekognition_stream_processor (#37536)

ENHANCEMENTS:

data-source/aws_elasticache_replication_group: Add cluster_mode attribute (#38002)
data-source/aws_lakeformation_data_lake_settings: Add allow_full_table_external_data_access attribute (#34474)
data-source/aws_msk_cluster: Add broker_node_group_info attribute (#37705)
resource/aws_bedrockagent_agent : Add skip_resource_in_use_check argument (#37586)
resource/aws_bedrockagent_agent_action_group: Add action_group_executor.custom_control argument (#37484)
resource/aws_bedrockagent_agent_action_group: Add function_schema configuration block (#37484)
resource/aws_bedrockagent_agent_alias : Add routing_configuration.provisioned_throughput argument (#37520)
resource/aws_codebuild_webhook: Add scope_configuration argument (#38199)
resource/aws_codepipeline: Add timeout_in_minutes argument to the action configuration block (#36316)
resource/aws_db_instance: Add engine_lifecycle_support argument (#37708)
resource/aws_ecs_cluster: Add configuration.managed_storage_configuration argument (#37932)
resource/aws_elasticache_replication_group: Add cluster_mode argument (#38002)
resource/aws_emrserverless_application: Add interactive_configuration argument (#37889)
resource/aws_fis_experiment_template: Add experiment_options configuration block (#36900)
resource/aws_fsx_lustre_file_system: Add final_backup_tags and skip_final_backup arguments (#37717)
resource/aws_fsx_ontap_volume: Add final_backup_tags argument (#37717)
resource/aws_fsx_openzfs_file_system: Add delete_options and final_backup_tags arguments (#37717)
resource/aws_fsx_windows_file_system: Add final_backup_tags argument (#37717)
resource/aws_imagebuilder_image_pipeline: Add execution_role and workflow arguments (#37317)
resource/aws_kinesis_firehose_delivery_stream: Add secrets_manager_configuration to http_endpoint_configuration (#38245)
resource/aws_kinesisanalyticsv2_application: Support FLINK-1_19 as a valid value for runtime_environment (#38350)
resource/aws_lakeformation_data_lake_settings: Add allow_full_table_external_data_access attribute (#34474)
resource/aws_lb_target_group: Add target_group_health configuration block (#37082)
resource/aws_msk_replicator: Add starting_position argument (#36968)
resource/aws_rds_cluster: Add engine_lifecycle_support argument (#37708)
resource/aws_rds_global_cluster: Add engine_lifecycle_support argument (#37708)
resource/aws_redshift_cluster_snapshot: Set arn from DescribeClusterSnapshots API response (#37996)
resource/aws_vpclattice_listener: Support TLS_PASSTHROUGH as a valid value for protocol (#37964)
resource/aws_wafv2_web_acl: Add enable_machine_learning to aws_managed_rules_bot_control_rule_set configuration block (#37006)

BUG FIXES:

data-source/aws_efs_access_point: Set id the the access point ID, not the file system ID. This fixes a regression introduced in v5.58.0 (#38372)
data-source/aws_lb_listener: Correctly set default_action.target_group_arn (#37348)
resource/aws_chime_voice_connector_group: Properly handle voice connector groups deleted out of band (#36774)
resource/aws_codebuild_project: Fix unsetting concurrent_build_limit (#37748)
resource/aws_codepipeline: Mark trigger as Computed (#36316)
resource/aws_ecs_service: Change volume_configuration.managed_ebs_volume.throughput from TypeString to TypeInt (#38109)
resource/aws_elasticache_replication_group: Allows setting replicas_per_node_group to 0 and sets the maximum to 5. (#38396)
resource/aws_elasticache_replication_group: Requires description. (#38396)
resource/aws_elasticache_replication_group: When num_cache_clusters is set, prevents setting replicas_per_node_group. (#38396)
resource/aws_elasticache_replication_group: num_cache_clusters must be at least 2 when automatic_failover_enabled is true. (#38396)
resource/aws_elastictranscoder_pipeline: Properly handle NotFound exceptions during deletion (#38018)
resource/aws_elastictranscoder_preset: Properly handle NotFound exceptions during deletion (#38018)
resource/aws_lb_target_group: Use the configured ip_address_type value when target_type is instance (#36423)
resource/aws_lb_trust_store: Wait until trust store is ACTIVE on resource Create (#38332)
resource/aws_pinpoint_app: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when campaign_hook is empty ({}) (#38323)
resource/aws_transfer_server: Add supported values TransferSecurityPolicy-FIPS-2024-05, TransferSecurityPolicy-Restricted-2018-11, and TransferSecurityPolicy-Restricted-2020-06 for the security_policy_name argument (#38425)

`v5.58.0`

Compare Source

FEATURES:

New Resource: aws_cloudwatch_log_account_policy (#38328)
New Resource: aws_verifiedpermissions_identity_source (#38181)

ENHANCEMENTS:

data-source/aws_launch_template: Add network_interfaces.primary_ipv6 attribute (#37142)
data-source/aws_mskconnect_connector: Add tags attribute (#38270)
data-source/aws_mskconnect_custom_plugin: Add tags attribute (#38270)
data-source/aws_mskconnect_worker_configuration: Add tags attribute (#38270)
data-source/aws_oam_link: Add link_configuration attribute (#38277)
resource/aws_cloudformation_stack_set_instance: Extend deployment_targets argument. (#37898)
resource/aws_cloudtrail_event_data_store: Add billing_mode argument (#38273)
resource/aws_db_instance: Fix InvalidParameterCombination: A parameter group can't be specified during Read Replica creation for the following DB engine: postgres errors (#38227)
resource/aws_ec2_capacity_reservation: Add configurable timeouts (#36754)
resource/aws_ec2_capacity_reservation: Retry InsufficientInstanceCapacity errors (#36754)
resource/aws_eks_cluster: Add bootstrap_self_managed_addons argument (#38162)
resource/aws_fms_policy: Add resource_set_ids attribute (#38161)
resource/aws_fsx_ontap_file_system: Add 384, 768, 1536, 3072, and 6144 as valid values for throughput_capacity (#38308)
resource/aws_fsx_ontap_file_system: Add 384, 768, and 1536 as valid values for throughput_capacity_per_ha_pair (#38308)
resource/aws_fsx_ontap_file_system: Add MULTI_AZ_2 as a valid value for deployment_type (#38308)
resource/aws_globalaccelerator_cross_account_attachment: Add cidr_block argument to resource configuration block (#38196)
resource/aws_iam_server_certificate: Add configurable delete timeout (#38212)
resource/aws_launch_template: Add network_interfaces.primary_ipv6 argument (#37142)
resource/aws_mskconnect_connector: Add tags argument and tags_all attribute (#38270)
resource/aws_mskconnect_custom_plugin: Add tags argument and tags_all attribute (#38270)
resource/aws_mskconnect_worker_configuration: Add tags argument and tags_all attribute (#38270)
resource/aws_mskconnect_worker_configuration: Add resource deletion logic (#38270)
resource/aws_oam_link: Add link_configuration argument (#38277)
resource/aws_rds_cluster: Add ca_certificate_identifier argument and ca_certificate_valid_till attribute (#37108)
resource/aws_ssm_association: Add tags argument and tags_all attribute (#38271)

BUG FIXES:

aws_dx_lag: Checks for errors other than NotFound when reading. (#38292)
aws_dynamodb_kinesis_streaming_destination: Checks for errors other than NotFound when reading. (#38292)
aws_ec2_capacity_block_reservation: Checks for errors other than NotFound when reading. (#38292)
aws_opensearchserverless_access_policy: Checks for errors other than NotFound when reading. (#38292)
aws_opensearchserverless_collection: Checks for errors other than NotFound when reading. (#38292)
aws_opensearchserverless_security_config: Checks for errors other than NotFound when reading. (#38292)
aws_opensearchserverless_security_policy: Checks for errors other than NotFound when reading. (#38292)
aws_opensearchserverless_vpc_endpoint: Checks for errors other than NotFound when reading. (#38292)
aws_ram_principal_association: Checks for errors other than NotFound when reading. (#38292)
aws_route_table: Checks for errors other than NotFound when reading. (#38292)
data-source/aws_ecr_repository: Fix issue where the tags attribute is not set (#38272)
data-source/aws_eks_cluster: Add access_config.bootstrap_cluster_creator_admin_permissions attribute (#38295)
resource/aws_appstream_fleet: Support 0 as a valid value for idle_disconnect_timeout_in_seconds (#38274)
resource/aws_cloudformation_stack_set_instance: Add ForceNew to deployment_targets attributes to ensure a new resource is recreated when the deployment_targets argument is changed, which was not the case previously. (#37898)
resource/aws_db_instance: Correctly mark incomplete instances as tainted during creation (#38252)
resource/aws_eks_cluster: Set access_config.bootstrap_cluster_creator_admin_permissions to true on Read for clusters with no access_config configured. This allows in-place updates of existing clusters when access_config is configured (#38295)
resource/aws_elasticache_serverless_cache: Allow cache_usage_limits.data_storage.maximum, cache_usage_limits.data_storage.minimum, cache_usage_limits.ecpu_per_second.maximum and cache_usage_limits.ecpu_per_second.minimum to be updated in-place (#38269)
resource/aws_mskconnect_connector: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when log_delivery.worker_log_delivery is empty ({}) (#38270)

`v5.57.0`

Compare Source

FEATURES:

New Data Source: aws_appstream_image (#38225)
New Data Source: aws_cognito_user_pool (#37399)
New Data Source: aws_ec2_transit_gateway_peering_attachments (#25743)
New Data Source: aws_transfer_connector (#38213)

ENHANCEMENTS:

data-source/aws_backup_plan: Add rule attribute (#37890)
resource/aws_amplify_domain_association: Add certificate_settings argument (#37105)
resource/aws_ec2_transit_gateway_peering_attachment: Add options argument (#36902)
resource/aws_iot_authorizer: Add tags argument (#37152)
resource/aws_iot_topic_rule: Add cloudwatch_logs.batch_mode and error_action.cloudwatch_logs.batch_mode arguments (#36772)
resource/aws_sagemaker_endpoint_configuration: Add support for InputAndOutput in capture_mode (#37726)

BUG FIXES:

resource/aws_iot_provisioning_template: Fix pre_provisioning_hook update operation (#37152)
resource/aws_iot_topic_rule: Retry IAM eventual consistency errors on Update (#36286)

`v5.56.1`

Compare Source

BUG FIXES:

data-source/aws_cognito_user_pool_client: Fix InvalidParameterException: 2 validation errors detected errors on Read (#38168)
resource/aws_cognito_user: Fix a bug that caused resource recreation for resources imported with certain import ID formats (#38182)
resource/aws_cognito_user_pool: Fix runtime error: index out of range [0] with length 0 panic when adding lambda_config (#38184)

`v5.56.0`

Compare Source

FEATURES:

New Resource: aws_appfabric_app_authorization_connection (#38084)
New Resource: aws_appfabric_ingestion (#37291)
New Resource: aws_appfabric_ingestion_destination (#37627)
New Resource: aws_networkfirewall_tls_inspection_configuration (#35168)
New Resource: aws_networkmonitor_monitor (#35722)
New Resource: aws_networkmonitor_probe (#35722)

ENHANCEMENTS:

resource/aws_controltower_control: Add parameters argument and arn attribute (#38071)
resource/aws_networkfirewall_logging_configuration: Add plan-time validation of firewall_arn (#35168)
resource/aws_quicksight_account_subscription: Add iam_identity_center_instance_arn attribute (#36830)
resource/aws_route53_resolver_firewall_rule: Add firewall_domain_redirection_action argument (#37242)
resource/aws_route53_resolver_firewall_rule: Add q_type argument (#38074)
resource/aws_sagemaker_domain: Add default_user_settings.canvas_app_settings.generative_ai_settings configuration block (#37139)
resource/aws_sagemaker_domain: Add default_user_settings.code_editor_app_settings.custom_image configuration block (#37153)
resource/aws_sagemaker_endpoint_configuration: Add production_variants.inference_ami_version and shadow_production_variants.inference_ami_version arguments (#38085)
resource/aws_sagemaker_user_profile: Add user_settings.canvas_app_settings.generative_ai_settings configuration block (#37139)
resource/aws_sagemaker_user_profile: Add user_settings.code_editor_app_settings.custom_image configuration block (#37153)
resource/aws_sagemaker_workforce: add oidc_config.authentication_request_extra_params and oidc_config.scope arguments (#38078)
resource/aws_sagemaker_workteam: Add worker_access_configuration attribute (#38087)
resource/aws_wafv2_web_acl: Add sensitivity_level argument to sqli_match_statement configuration block (#38077)

BUG FIXES:

data-source/aws_ecs_service: Correctly set tags (#38067)
resource/aws_drs_replication_configuration_template: Fix issues preventing creation and deletion (#38143)

`v5.55.0`

Compare Source

FEATURES:

New Resource: aws_drs_replication_configuration_template (#26399)

ENHANCEMENTS:

data-source/aws_autoscaling_group: Add mixed_instances_policy.launch_template.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price attribute (#38003)
data-source/aws_glue_catalog_table: Add additional_locations argument in storage_descriptor (#37891)
data-source/aws_launch_template: Add instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price attribute (#38003)
data-source/aws_networkmanager_core_network_policy_document: Add attachment_policies.action.add_to_network_function_group argument (#38013)
data-source/aws_networkmanager_core_network_policy_document: Add network_function_groups configuration block (#38013)
data-source/aws_networkmanager_core_network_policy_document: Add send-via and send-to as valid values for segment_actions.action (#38013)
data-source/aws_networkmanager_core_network_policy_document: Add single-hop and dual-hop as valid values for segment_actions.mode (#38013)
data-source/aws_networkmanager_core_network_policy_document: Add when_sent_to and via configuration blocks to segment_actions (#38013)
resource/aws_api_gateway_integration: Increase maximum value of timeout_milliseconds from 29000 (29 seconds) to 300000 (5 minutes) (#38010)
resource/aws_appsync_api_key: Add api_key_id attribute (#36568)
resource/aws_autoscaling_group: Add mixed_instances_policy.launch_template.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price argument (#38003)
resource/aws_autoscaling_group: Add plan-time validation of warm_pool.max_group_prepared_capacity and warm_pool.min_size (#37174)
resource/aws_docdb_cluster: Add restore_to_point_in_time argument (#37716)
resource/aws_dynamodb_table: Adds validation for ttl values. (#37991)
resource/aws_ec2_fleet: Add launch_template_config.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price argument (#38003)
resource/aws_glue_catalog_table: Add additional_locations argument in storage_descriptor (#37891)
resource/aws_glue_job: Add maintenance_window argument (#37760)
resource/aws_launch_template: Add instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price argument (#38003)

BUG FIXES:

data-source/aws_ami: Fix interface conversion: interface {} is types.ProductCodeValues, not string panic (#37977)
data-source/aws_networkmanager_core_network_policy_document: Add correct except values to the returned JSON document when segment_actions.share_with_except is configured (#38013)
provider: Now falls back to non-FIPS endpoint if use_fips_endpoint is set and no FIPS endpoint is available (#38057)
resource/aws_autoscaling_group: Fix bug updating warm_pool.max_group_prepared_capacity to 0 (#37174)
resource/aws_dynamodb_table: Fixes perpetual diff when ttl.attribute_name is set when ttl.enabled is not set. (#37991)
resource/aws_ec2_network_insights_path: Mark destination as Optional (#36966)
resource/aws_lambda_event_source_mapping: Remove the upper limit on scaling_config.maximum_concurrency (#37980)
service/transitgateway: Fix resource Read pagination regression causing NotFound errors (#38011)

`v5.54.1`

Compare Source

BUG FIXES:

data-source/aws_ami: Fix interface conversion: interface {} is types.ProductCodeValues, not string panic (######)
resource/aws_codebuild_project: Increase maximum values of build_batch_config.timeout_in_mins and build_timeout from 480 (8 hours) to 2160 (36 hours) (#37970)

`v5.54.0`

Compare Source

NOTES:

resource/aws_ec2_capacity_block_reservation: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#37528)

FEATURES:

New Data Source: aws_ec2_capacity_block_offering (#37528)
New Resource: aws_appfabric_app_authorization (#37468)
New Resource: aws_appfabric_app_bundle (#37542)
New Resource: aws_ec2_capacity_block_reservation (#37528)
New Resource: aws_fms_resource_set (#37767)
New Resource: aws_guardduty_malware_protection_plan (#37919)

ENHANCEMENTS:

data-source/aws_opensearch_domain: Add ip_address_type argument (#37237)
resource/aws_ec2_traffic_mirror_session: Mark packet_length as Computed (#36962)
resource/aws_opensearch_domain: Add ip_address_type argument (#37237)
resource/aws_vpc_endpoint: Add subnet_configuration argument to support user defined IP addresses (#37226)

BUG FIXES:

data-source/aws_ami: Fix query returning no results (#37958)
provider: Fixes an error where some data sources were not returning tags (#37966)
resource/aws_applicationinsights_application: Change resource_group_name to ForceNew (#36962)
resource/aws_dynamodb_table: Fix UnknownOperationException: Tagging is not currently supported in DynamoDB Local errors on resource Read (#37924)
resource/aws_ec2_capacity_reservation: Fix InvalidCapacityReservationId.NotFound errors during Read and Delete when resource is manually deleted (#37127)
resource/aws_route53_zone: Fix InvalidInput: 1 validation error detected: Value '...' at 'resourceId' failed to satisfy constraint: Member must have length less than or equal to 32 errors for resources imported with a /hostedzone/ prefix (#37893)
service/apigatewayv2: Retry on ConflictException: Unable to complete operation due to concurrent modification errors (#37902)

`v5.53.0`

Compare Source

FEATURES:

New Resource: aws_paymentcryptography_key (#37017)
New Resource: aws_paymentcryptography_key_alias (#37020)

ENHANCEMENTS:

data-source/aws_customer_gateway: Add bgp_asn_extended argument (#37815)
data-source/aws_rds_engine_version: Add supports_limitless_database attribute (#37271)
provider: The use_fips_endpoint flag is now ignored for any service with a custom endpoint configured in endpoints. (#34233)
resource/aws_apigatewayv2_authorizer: Add configurable delete timeout (#37732)
resource/aws_customer_gateway: Add bgp_asn_extended argument (#37815)
resource/aws_fsx_lustre_file_system: Add metadata_configuration argument (#37868)
resource/aws_lb: Add support for IPv6-only Application Load Balancers (#37700)
resource/aws_mwaa_environment: Add max_webservers and min_webservers attributes (#37632)
resource/aws_pipes_pipe: Add log_configuration argument (#37135)
resource/aws_route53_record: Fix InvalidChangeBatch errors on resource Delete (#37850)
resource/aws_s3_bucket: Ignore UnsupportedOperation errors when reading acceleration_status, server_side_encryption_configuration and tags (#37801)
resource/aws_transfer_ssh_key: Add ssh_key_id attribute (#37548)

BUG FIXES:

resource/aws_apigatewayv2_authorizer: Fix ConflictException errors on resource Delete (#37732)
resource/aws_bedrockagent_agent: Increase instruction max length for validation to 4000 (#37758)
resource/aws_cloudwatch_log_group: Correctly handles tag updates with empty string tags (#37668)
resource/aws_kms_external_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
resource/aws_kms_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
resource/aws_kms_replica_external_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
resource/aws_kms_replica_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
resource/aws_mq_broker: Do not reboot on changes to maintenance_window_start_time or auto_minor_version_upgrade (#36506)
resource/aws_pipes_pipe: Mark source_parameters.self_managed_kafka_parameters.credentials.basic_auth as Optional (#34293)
resource/aws_secretsmanager_secret: Tags with empty values no longer remove all tags. (#37743)
resource/aws_ssm_parameter: Fix Cannot import non-existent remote object errors when importing resources with version (#37832)
resource/aws_vpc_endpoint: Restore pre-v5.51.0 default of false for private_dns_enabled (#37715)
service/chatbot: Correctly overrides region when using custom endpoint. (#37851)
service/costoptimizationhub: Correctly overrides region when using custom endpoint. (#37851)
service/cur: Correctly overrides region when using custom endpoint. (#37851)
service/globalaccelerator: Correctly overrides region when using custom endpoint. (#37851)
service/route53: Correctly overrides region when using custom endpoint. (#37851)
service/route53domains: Correctly overrides region when using custom endpoint. (#37851)
service/shield: Correctly overrides region when using custom endpoint. (#37851)

`v5.52.0`

Compare Source

ENHANCEMENTS:

resource/aws_kinesisanalyticsv2_application: Add application_mode argument (#37714)
resource/aws_lightsail_bucket: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_certificate: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_container_service: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_database: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_distribution: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_key_pair: Add support to ListTags function for proper key-only tag handling (#37711)
resource/aws_lightsail_lb: Add support to ListTags function for proper key-only tag handling (#37711)

BUG FIXES:

resource/aws_lightsail_database: Prevent destroy failure when resource is already deleted outside Terraform (#37711)
resource/aws_lightsail_instance: Fix crash when reading a resource that has a key-only tag (#37587)
resource/aws_lightsail_key_pair: Prevent destroy failure when resource is already deleted outside Terraform (#37711)
resource/aws_lightsail_lb: Prevent destroy failure when resource is already deleted outside Terraform (#37711)

`v5.51.1`

Compare Source

ENHANCEMENTS:

resource/aws_ecs_service: Add volume_configuration argument (#37019)
resource/aws_ecs_task_definition: Add configure_at_launch parameter in volume argument (#37019)

BUG FIXES:

data-source/aws_route53_zone: Fix incorrect name_servers values (#37685)
data-source/aws_route53_zone: Permit both name and zone_id arguments when one is an empty string (#37686)
resource/aws_route53_zone: Fix incorrect name_servers values (#37685)

`v5.51.0`

Compare Source

NOTES:

data-source/aws_lambda_function: source_code_hash attribute has been deprecated in favor of code_sha256. Will be removed in a future major version (#37669)
data-source/aws_lambda_layer_version: source_code_hash attribute has been deprecated in favor of code_sha256. Will be removed in a future major version (#37646)

FEATURES:

New Data Source: aws_chatbot_slack_workspace (#37218)
New Resource: aws_lambda_runtime_management_config (#37643)
New Resource: aws_vpc_endpoint_private_dns (#37628)
New Resource: aws_vpc_endpoint_service_private_dns_verification (#37176)

ENHANCEMENTS:

data-source/aws_lambda_function: Add code_sha256 attribute (#37669)
data-source/aws_lambda_layer_version: Add code_sha256 attribute (#37646)
data-source/aws_route53_traffic_policy_document: Add support for application-load-balancer, elastic-beanstalk and network-load-balancer endpoint.type values (#37618)
resource/aws_api_gateway_deployment: Add canary_settings attribute (#37573)
resource/aws_iam_openid_connect_provider: Allow client_id_list to be updated in-place (#37612)
resource/aws_lambda_function: Add code_sha256 attribute (#37669)
resource/aws_lambda_function: Remove replace_security_group_on_destroy and replacement_security_group_ids deprecations, re-implement with alternate workflow (#37624)
resource/aws_lambda_layer_version: Add code_sha256 attribute (#37646)
resource/aws_route53_health_check: Add plan-time validation of cloudwatch_alarm_region (#37510)
resource/aws_route53_record: Add plan-time validation of latency_routing_policy.region (#37510)
resource/aws_route53_vpc_association_authorization: Add plan-time validation of vpc_region (#37510)
resource/aws_route53_zone_association: Add plan-time validation of vpc_region (#37510)
resource/aws_wafv2_web_acl: Add api_gateway, app_runner_service, cognito_user_pool, and verified_access_instance configuration blocks to association_config.request_body (#37588)

BUG FIXES:

resource/aws_dynamodb_table_replica: Correctly set kms_key_arn on Read (#37570)
resource/aws_kms_grant: Change grant_token to Sensitive (#37593)
resource/aws_lambda_function: Fix issue when source_code_hash causes drift even if source code has not changed (#37669)
resource/aws_lambda_layer_version: Fix issue when source_code_hash forces a replacement even if source code has not changed (#37646)
resource/aws_m2_deployment: Fix state error on deployment_id during start/stop update (#37581)
resource/aws_storagegateway_smb_file_share: Fix crash when cache_attributes is removed on update (#37611)

`v5.50.0`

Compare Source

ENHANCEMENTS:

data-source/aws_budgets_budget: Add tags attribute (#37361)
data-source/aws_instance: Add launch_time attribute (#37002)
resource/aws_budgets_budget: Add tags argument (#37361)
resource/aws_budgets_budget_action: Add tags argument (#37361)
resource/aws_ecs_account_setting_default: Add support for fargateTaskRetirementWaitPeriod value in Name argument (#37018)
resource/aws_ssm_resource_data_sync: Add plan-time validation of s3_destination.kms_key_arn, s3_destination.region and s3_destination.sync_format (#37481)

BUG FIXES:

data-source/aws_bedrock_foundation_models: Fix validation regex for the by_provider argument (#37306)
resource/aws_dynamodb_table: Fix UnknownOperationException: Tagging is not currently supported in DynamoDB Local errors on resource Read (#37472)
resource/aws_glue_job: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when notify_delay_after is empty (null) (#37347)
resource/aws_iam_server_certificate: Now correctly reads tags after update and on read. (#37483)
resource/aws_lakeformation_data_cells_filter: Fix inconsistent state error when using row_filter.all_rows_wildcard (#37433)
resource/aws_organizations_account: Allow import of accounts with IAM access to the AWS Billing and Cost Management console (#35662)
resource/aws_ram_principal_association: Correct plan-time validation of principal to fix panic: unexpected format for ID parts ([...]), the following id parts indexes are blank ([1]) (#37450)
resource/aws_route53_record: Change region default to us-east-1 (#37565)
resource/aws_vpc_endpoint_service: Fix destroy error when endpoint service is deleted out-of-band (#37534)

`v5.49.0`

Compare Source

FEATURES:

New Data Source: aws_datazone_environment_blueprint (#36600)
New Resource: aws_bedrockagent_data_source (#37158)
New Resource: aws_datazone_domain (#36600)
New Resource: aws_datazone_environment_blueprint_configuration (#36600)

ENHANCEMENTS:

data-source/aws_iam_policy_document: Add minified_json attribute (#35677)
resource/aws_dynamodb_table_export: Add plan-time validation of table_arn (#37288)
resource/aws_kms_key: Add rotation_period_in_days argument (#37140)
resource/aws_securitylake_subscriber_notification: Better handles importing resource (#37332)
resource/aws_securitylake_subscriber_notification: Deprecates endpoint_id in favor of subscriber_endpoint (#37332)
resource/aws_securitylake_subscriber_notification: Handles configuration.https_notification_configuration.authorization_api_key_value as sensitive value (#37332)

BUG FIXES:

data-source/aws_fsx_ontap_storage_virtual_machine: Correctly set tags on Read (#37353)
data-source/aws_rds_orderable_db_instance: Fix InvalidParameterValue: Invalid value 3412 for MaxRecords. Must be between 20 and 1000 errors (#37251)
data-source/aws_resourceexplorer2_search: Fix 401 unauthorized error due to missing view_arn in the AWS API request (#36778)
data-source/aws_resourceexplorer2_search: Fix panic caused by bad mappping between Terraform and AWS schemas (#36778)
data-source/aws_resourceexplorer2_search: Fix state persistence and data types (#36778)
resource/aws_bedrockagent_agent: Fix to use the configured prepare_agent value (or default value of true when omitted) for all create and update operations (#37405)
resource/aws_elasticsearch_domain: Fix handling of unset auto_tune_options.rollback_on_disable argument (#37394)
resource/aws_fsx_ontap_storage_virtual_machine: Correctly set tags and tags_all on resource Read (#37353)
resource/aws_fsx_openzfs_file_system: Correctly set tags and tags_all on resource Read (#37353)
resource/aws_kms_custom_key_store: Change trust_anchor_certificate to ForceNew (#37092)
resource/aws_opensearch_domain: Fix handling of unset auto_tune_options.rollback_on_disable argument (#37394)
resource/aws_opensearch_domain: Wait for auto_tune_options to be applied during creation (#37394)
resource/aws_securitylake_aws_log_source: Correctly handles unspecified source_version (#36268)
resource/aws_securitylake_aws_log_source: Prevents errors when creating multiple log sources concurrently (#36268)
resource/aws_securitylake_custom_log_source: Prevents errors when creating multiple log sources concurrently (#36268)
resource/aws_securitylake_custom_log_source: Validates length of source_name parameter (#36268)
resource/aws_securitylake_subscriber: Allow more than one log source (#36268)
resource/aws_securitylake_subscriber: Correctly handles unspecified access_type (#36268)
resource/aws_securitylake_subscriber: Correctly handles unspecified source_version parameter for aws_log_source_resource and custom_log_source_resource (#36268)
resource/aws_securitylake_subscriber: Correctly requires source_name parameter for aws_log_source_resource and custom_log_source_resource (#36268)
resource/aws_securitylake_subscriber_notification: No longer recreates resource when not needed (#37332)
resource/aws_securitylake_subscriber_notification: Requires value for configuration.https_notification_configuration.endpoint (#37332)
resource/provider: Change the AWS SDK for Go v2 API client BackoffDelayer to maintain behavioral compatibility with AWS SDK for Go v1 (#37404)

`v5.48.0`

Compare Source

FEATURES:

New Resource: aws_bedrockagent_agent_knowledge_base_association (#37185)

ENHANCEMENTS:

resource/aws_cloudwatch_event_target: Add force_destroy argument (#37130)
resource/aws_elasticache_replication_group: Increase default Delete timeout to 45 minutes (#37182)
resource/aws_elasticache_replication_group: Use the configured Delete timeout when detaching from any global replication group (#37182)
resource/aws_fsx_ontap_file_system: Add support for specifying 1 ha_pair with SINGLE_AZ_1 and MULTI_AZ_1 deployment types (#36511)
resource/aws_fsx_ontap_file_system: Increase storage_capacity maximum to 1PiB (#36511)
resource/aws_fsx_ontap_file_system: Support up to 12 ha_pairs (#36511)
resource/aws_fsx_ontap_file_system: Update throughput_capacity_per_ha_pair to support all values from throughput_capacity (#36511)
resource/aws_fsx_ontap_volume: Add aggregate_configuration configuration block (#36511)
resource/aws_fsx_ontap_volume: Add size_in_bytes and volume_style arguments (#36511)

BUG FIXES:

resource/aws_bcmdataexports_export: Fix table_configurations expand/flatten (#37205)
resource/aws_cloudwatch_event_connection: Add plan-time validation preventing empty auth_parameters.oauth.oauth_http_parameters or auth_parameters.invocation_http_parameters
body, header and query_string configuration blocks (#26755)
resource/aws_elasticache_replication_group: Decrease replica count after other updates (#34819)
resource/aws_elasticache_replication_group: Fix unexpected state 'snapshotting' errors when increasing or decreasing replica count (#30493)

`v5.47.0`

Compare Source

NOTES:

provider: Updates to Go 1.22. This is the last Go release that will run on macOS 10.15 Catalina (#36996)
resource/aws_bedrockagent_knowledge_base: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#36783)

FEATURES:

New Data Source: aws_identitystore_groups (#36993)
New Resource: aws_bcmdataexports_export (#36847)
New Resource: aws_bedrockagent_agent (#36851)
New Resource: aws_bedrockagent_agent_action_group (#36935)
New Resource: aws_bedrockagent_agent_alias (#36905)
New Resource: aws_bedrockagent_knowledge_base (#36783)
New Resource: aws_globalaccelerator_cross_account_attachment (#35991)
New Resource: aws_verifiedpermissions_policy (#35413)

ENHANCEMENTS:

data-source/aws_eip: Add arn attribute (#35991)
resource/aws_api_gateway_rest_api: Correctly set root_resource_id on resource Read (#37040)
resource/aws_appmesh_mesh: Add spec.service_discovery argument (#37042)
resource/aws_cloudformation_stack_set: Adds guidance on permissions when using delegated administrator account (#37069)
resource/aws_db_instance: Add dedicated_log_volume argument (#36503)
resource/aws_eip: Add arn attribute (#35991)
resource/aws_elasticache_replication_group: Add transit_encryption_mode argument (#30403)
resource/aws_elasticache_replication_group: Changes to the transit_encryption_enabled argument can now be done in-place for engine versions > 7.0.5 (#30403)
resource/aws_kinesis_firehose_delivery_stream: Add snowflake_configuration argument (#36646)
resource/aws_memorydb_user: Support IAM authentication mode (#32027)
resource/aws_sagemaker_app_image_config: Add code_editor_app_image_config and jupyter_lab_image_config.jupyter_lab_image_config arguments (#37059)
resource/aws_sagemaker_app_image_config: Change kernel_gateway_image_config.kernel_spec MaxItems to 5 (#37059)
resource/aws_transfer_server: Add sftp_authentication_methods argument (#37015)

BUG FIXES:

resource/aws_batch_job_definition: Fix issues where changes causing a new revision do not trigger changes in dependent resources and/or cause an error, "Provider produced inconsistent final plan" (#37111)
resource/aws_ce_cost_category: Allow up to 3 levels of and, not and or operand nesting for the rule argument (#30862)
resource/aws_elasticache_replication_group: Fix excessive delay on read (#30403)
resource/aws_servicecatalog_portfolio: Fixes error where deletion fails if resource was deleted out of band. (#37066)
resource/aws_servicecatalog_provisioned_product: Fixes error where tag values are not applied to products when tag values don't change. (#37066)

`v5.46.0`

Compare Source

NOTES:

provider: When using YAML or JSON documents, such as in template_body of aws_cloudformation_stack, CRLF was previously treated as different from LF but these are now treated as equivalent in many situations (#14270)

FEATURES:

New Resource: aws_eip_domain_name (#36963)

ENHANCEMENTS:

data-source/aws_alb: Add client_keep_alive argument (#36969)
data-source/aws_eip: Add ptr_record attribute (#36963)
data-source/aws_iam_policy: Add attachment_count attribute (#36759)
data-source/aws_lb: Add client_keep_alive argument (#36969)
data-source/aws_organizations_organization: Add master_account_name attribute (#36797)
data-source/aws_vpc_dhcp_options: Add ipv6_address_preferred_lease_time attribute (#36934)
resource/aws_alb: Add client_keep_alive argument (#36969)
resource/aws_autoscaling_group: Add alarm_specification to the instance_refresh.preferences configuration block (#36954)
resource/aws_cloudformation_stack_set: Add retry when creating to potentially help with eventual consistency problems (#36982)
resource/aws_cloudfront_origin_access_control: Add lambda and mediapackagev2 as valid values for origin_access_control_origin_type (#34362)
resource/aws_cloudwatch_event_rule: Add force_destroy attribute (#34905)
resource/aws_codebuild_project: Add GitLab and GitLab Self Managed support to the report_build_status and build_status_config arguments (#36942)
resource/aws_default_vpc_dhcp_options: Add ipv6_address_preferred_lease_time as Computed attribute (#36934)
resource/aws_dms_replication_task: Add resource_identifier argument (#36901)
resource/aws_eip: Add ptr_record attribute (#36963)
resource/aws_elasticache_serverless_cache: Add minimum attribute in cache_usage_limits.data_storage and cache_usage_limits.ecpu_per_second (#36766)
resource/aws_fsx_openzfs_file_system: Add endpoint_ip_address attribute (#36767)
resource/aws_iam_policy: Add attachment_count attribute (#36759)
resource/aws_imagebuilder_image: Add execution_role and workflow arguments (#36953)
resource/aws_lb: Add client_keep_alive argument (#36969)
resource/aws_mwaa_environment: Add database_vpc_endpoint_service and webserver_vpc_endpoint_service attributes (#36903)
resource/aws_organizations_organization: Add master_account_name attribute (#36797)
resource/aws_transfer_connector: Add security_policy_name argument (#36893)
resource/aws_vpc_dhcp_options: Add ipv6_address_preferred_lease_time attribute (#36934)
resource/aws_vpc_ipam_pool: Add cascade argument (#36898)

BUG FIXES:

data-source/aws_iam_policy_document: When using multiple principals, sort them to avoid differences based only on order (#25967)
resource/aws_appconfig_deployment: Fix ConflictException errors on resource Create (#36980)
resource/aws_ce_anomaly_monitor: Change monitor_dimension to ForceNew (#36773)
resource/aws_ce_anomaly_subscription: Change account_id to ForceNew (#36773)
resource/aws_cloudformation_stack: CRLF line endings in template_body no longer cause erroneous diffs (#14270)
resource/aws_db_proxy: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when auth is empty ({}) (#36967)
resource/aws_dms_replication_config: Adds validation to replication_settings to disallow Logging.CloudWatchLogGroup and Logging.CloudWatchLogStream. (#36936)
resource/aws_dms_replication_config: Suppresses differences in partial replication_settings JSON documents. (#36936)
resource/aws_dms_replication_task: Adds validation to replication_task_settings to disallow Logging.CloudWatchLogGroup and Logging.CloudWatchLogStream. (#36936)
resource/aws_dms_replication_task: Allows leaving replication_task_settings unset to use default settings. (#36936)
resource/aws_dms_replication_task: Suppresses differences in partial replication_task_settings JSON documents. (#36936)
resource/aws_fsx_windows_file_system: Fix error BadRequest: AuditLogDestination must not be provided when auditing is disabled when updating audit_log_configuration.0.file_access_audit_log_level and audit_log_configuration.0.file_share_access_audit_log_level to "DISABLED" (#36928)
resource/aws_glue_job: Mark number_of_workers and worker_type as optional/computed, preventing persistent differences when max_capacity is set. (#36770)
resource/aws_iam_user_login_profile: Fix forced re-creation when password_reset_required is true and initial password reset is completed (#36926)
resource/aws_lightsail_distribution: Fix to properly set certificate_name on create and update (#36888)
resource/aws_vpc_dhcp_options: Fix NotFound error handling on delete (#36933)

`v5.45.0`

Compare Source

NOTES:

resource/aws_redshift_cluster: The logging argument is now deprecated. Use the aws_redshift_logging resource instead. (#36862)
resource/aws_redshift_cluster: The snapshot_copy argument is now deprecated. Use the aws_redshift_snapshot_copy resource instead. (#36810)

FEATURES:

New Resource: aws_redshift_logging (#36862)
New Resource: aws_redshift_snapshot_copy (#36810)

ENHANCEMENTS:

data-source/aws_sagemaker_prebuilt_ecr_image: Add registry_id for af-south-1 AWS Region (#36803)
resource/aws_api_gateway_documentation_part: Add documentation_part_id attribute (#36445)
resource/aws_wafregional_web_acl_association: Add configurable timeouts (#36445)
resource/aws_wafregional_web_acl_association: Add plan-time validation of resource_arn (#36445)

BUG FIXES:

provider: Change the default AWS SDK for Go v2 API client MaxBackoff value to 300 seconds so that services migrated to AWS SDK for Go v2 maintain behavioral compatibility with AWS SDK for Go v1 (#36855)
resource/aws_datasync_location_object_storage: Allow update to agent_arns (#36819)
resource/aws_devopsguru_notification_channel: Fix persistent diff when filters.message_types or filters.severities contains multiple elements (#36804)
resource/aws_securityhub_configuration_policy: Mark configuration_policy.enabled_standard_arns as Optional, fixing InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled errors (#36740)

`v5.44.0`

Compare Source

FEATURES:

New Data Source: aws_devopsguru_notification_channel (#36656)
New Data Source: aws_devopsguru_resource_collection (#36657)
New Data Source: aws_ecr_lifecycle_policy_document (#6133)
New Function: trim_iam_role_path (#36723)
New Resource: aws_devopsguru_service_integration (#36694)

ENHANCEMENTS:

data-source/aws_servicecatalogappregistry_application: Add application_tag attribute (#36647)
data/aws_glue_data_catalog_encryption_settings: Add data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_service_role attribute (#35978)
resource/aws_appstream_fleet: Add desired_sessions argument to the compute_capacity block. (#34266)
resource/aws_appstream_fleet: Add max_sessions_per_instance argument. (#34266)
resource/aws_batch_job_definition: Add update functions instead of ForceNew. Add deregister_on_new_revision to allow keeping prior versions ACTIVE when a new revision is published. (#35149)
resource/aws_db_instance: Adds warning when setting character_set_name when replicate_source_db, restore_to_point_in_time, or snapshot_identifier is set (#36518)
resource/aws_emr_cluster: Add unhealthy_node_replacement argument (#36523)
resource/aws_glue_data_catalog_encryption_settings: Add data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_service_role argument (#35978)
resource/aws_servicecatalogappregistry_application: Add application_tag attribute (#36647)
resource/aws_transfer_server: Add s3_storage_options configuration block (#36664)
resource/aws_wafv2_web_acl: Add address_fields and phone_number_fields to statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_acfp_rule_set.request_inspection (#36685)

BUG FIXES:

Correctly handles user agents passed using TF_APPEND_USER_AGENT which contain /, (, ), or space. (#36738)
resource/aws_batch_scheduling_policy: Fixes error where tags could not be updated (#36517)
resource/aws_cloudfront_key_value_store: Serialize CloudFront KeyValueStore access (#36734)
resource/aws_cloudfrontkeyvaluestore_key: Serialize CloudFront KeyValueStore access (#36734)
resource/aws_cognito_user_pool: Correct plan-time validation of email_verification_message, email_verification_subject, admin_create_user_config.invite_message_template.email_message, admin_create_user_config.invite_message_template.email_subject, admin_create_user_config.invite_message_template.sms_message, sms_authentication_message, sms_verification_message, verification_message_template.email_message, verification_message_template.email_message_by_link, verification_message_template.email_subject, verification_message_template.email_subject_by_link, and verification_message_template.sms_message to count UTF-8 characters properly (#36661)
resource/aws_ecr_lifecycle_policy: Add missing tagPatternList change detection in policy JSON (#35231)
resource/aws_ecs_service: Correctly set alarms.rollback on resource Create and Update (#36691)
resource/aws_iam_user: When force_destroy is used and there are inline or attached policies, allow resource to be destroyed (#36640)
resource/aws_imagebuilder_distribution_configuration: Fix validation regex for ami_distribution_configuration.name (#36659)
resource/aws_redshift_cluster: Fix error preventing modification of a configured snapshot_copy block (#36655)
resource/aws_route53_record: Fix to correctly interpret alias names with wildcards (#36699)

`v5.43.0`

Compare Source

FEATURES:

New Data Source: aws_resourceexplorer2_search (#36560)
New Data Source: aws_servicecatalogappregistry_application (#36596)
New Resource: aws_cloudfrontkeyvaluestore_key (#36534)
New Resource: aws_devopsguru_notification_channel (#36557)
New Resource: aws_ec2_instance_metadata_defaults (#36589)
New Resource: aws_lakeformation_resource_lf_tag (#36537)
New Resource: aws_m2_application (#35399)
New Resource: aws_m2_deployment (#35408)
New Resource: aws_m2_environment (#35311)
New Resource: aws_redshiftserverless_custom_domain_association (#35865)
New Resource: aws_servicecatalogappregistry_application (#36277)

ENHANCEMENTS:

data-source/aws_cloudfront_function: Add key_value_store_associations attribute (#36585)
data-source/aws_db_snapshot: Add original_snapshot_create_time attribute (#36544)
resource/aws_cloudfront_function: Add key_value_store_associations argument (#36585)
resource/aws_ec2_host: Add user configurable timeouts (#36538)
resource/aws_glacier_vault_lock: Allow policy to have leading whitespace (#36597)
resource/aws_iam_group_policy: Allow policy to have leading whitespace (#36597)
resource/aws_iam_policy: Allow policy to have leading whitespace (#36597)
resource/aws_iam_role: Allow assume_role_policy and inline_policy.*.policy to have leading whitespace (#36597)
resource/aws_iam_role_policy: Allow policy to have leading whitespace (#36597)
resource/aws_iam_user_policy: Allow policy to have leading whitespace (#36597)
resource/aws_kinesisanalyticsv2_application: Add support for FLINK-1_18 runtime_environment value (#36562)
resource/aws_media_store_container_policy: Allow policy to have leading whitespace (#36597)
resource/aws_ssoadmin_permission_set_inline_policy: Allow inline_policy to have leading whitespace (#36597)
resource/aws_transfer_access: Allow policy to have leading whitespace (#36597)
resource/aws_transfer_user: Allow policy to have leading whitespace (#36597)
resource/aws_vpc_ipam: Add tier argument (#36504)

BUG FIXES:

data-source/aws_cur_report_definition: Direct all API calls to the us-east-1 endpoint as this is the only Region in which AWS Cost and Usage Reports is available (#36540)
resource/aws_applicationinsights_application: Make ACTIVE a valid create target status (#36615)
resource/aws_autoscaling_group: Don't attempt to remove scale-in protection from instances that don't have the feature enabled (#36586)
resource/aws_cur_report_definition: Direct all API calls to the us-east-1 endpoint as this is the only Region in which AWS Cost and Usage Reports is available (#36540)
resource/aws_elasticsearch_domain_policy: Handle delayed domain status propagation, preventing a ValidationException. (#36592)
resource/aws_iam_instance_profile: Detect when the associated role no longer exists (#34099)
resource/aws_instance: Replace an instance when an instance_type change also requires an architecture change, such as x86_64 to arm64 (#36590)
resource/aws_opensearch_domain_policy: Handle delayed domain status propagation, preventing a ValidationException. (#36592)
resource/aws_quicksight_dashboard: Fix failure when updating a dashboard takes a while (#34227)
resource/aws_quicksight_template: Fix "Invalid address to set" errors (#34227)
resource/aws_quicksight_template: Fix "a number is required" errors when state contains an empty string (#34227)
resource/aws_redshift_cluster: Fix InvalidParameterCombination errors when updating only skip_final_snapshot (#36635)
resource/aws_route53_zone: Prevent re-creation when name casing changes (#36563)
resource/aws_secretsmanager_secret_version: Fix to handle versions deleted out-of-band without raising an InvalidRequestException (#36609)
resource/aws_ssm_parameter: force create a new SSM parameter when data_type is updated. (#35960)

`v5.42.0`

Compare Source

FEATURES:

New Data Source: aws_redshift_producer_data_shares (#36481)
New Resource: aws_devopsguru_event_sources_config (#36485)
New Resource: aws_devopsguru_resource_collection (#36489)
New Resource: aws_dynamodb_table_export (#30399)

ENHANCEMENTS:

data-source/aws_vpc_peering_connection: Add ipv6_cidr_block_set and peer_ipv6_cidr_block_set attributes (#36391)
resource/aws_datasync_location_hdfs: Add kerberos_keytab_base64 and kerberos_krb5_conf_base64 arguments (#36072)
resource/aws_finspace_kx_dataview: Add read_write and segment_configuration.on_demand arguments (#36486)
resource/aws_rds_cluster: Add enable_local_write_forwarding argument to support Aurora MySQL local write forwarding (#34370)

BUG FIXES:

provider: Change the default AWS SDK for Go v2 API client RateLimiter to ratelimit.None so that services migrated to AWS SDK for Go v2 maintain behavioral compatibility with AWS SDK for Go v1 (#36467)
resource/aws_appautoscaling_policy: Fix errors when importing an MSK storage autoscaling policy (#34934)
resource/aws_appautoscaling_scheduled_action: Always send start_time and end_time values on update when configured (#33713)
resource/aws_appautoscaling_scheduled_action: Read correct resource by using scalable_dimension as an additional filter (#34382)
resource/aws_datasync_location_azure_blob: Fix missing container_url attribute value and bad subdirectory attribute value from state read/refresh (#36072)
resource/aws_datasync_location_efs: Fix missing efs_file_system_arn attribute value from state read/refresh (#36072)
resource/aws_datasync_location_hdfs: Mark qop_configuration as Computed (#36072)
resource/aws_datasync_location_nfs: Fix missing server_hostname attribute value from state read/refresh (#36072)
resource/aws_datasync_location_s3: Fix missing s3_bucket_arn attribute value from state read/refresh (#36072)
resource/aws_datasync_location_smb: Fix missing server_hostname attribute value from state read/refresh (#36072)
resource/aws_dms_replication_config: Fix persistent change in replication_settings (#35670)
resource/aws_dms_replication_task: Fix persistent change in replication_task_settings (#35670)
resource/aws_eks_access_entry: Always send kubernetes_groups and user_name values on update when configured (#36484)
resource/aws_glue_job: Adjust number_of_workers minimum value to 1 (#36458)
resource/aws_lexv2models_slot: Fix custom_payload typo (#36488)
resource/aws_route: Allow resource creation if a propagated route to the same destination exists (#36512)
resource/aws_vpn_connection: local_ipv6_network_cidr, remote_ipv6_network_cidr, tunnel1_inside_ipv6_cidr, and tunnel2_inside_ipv6_cidr no longer require transit_gateway_id to be specified (#36405)

`v5.41.0`

Compare Source

FEATURES:

New Data Source: aws_apprunner_hosted_zone_id (#36288)
New Data Source: aws_medialive_input (#36307)
New Resource: aws_lakeformation_data_cells_filter (#36264)
New Resource: aws_securityhub_configuration_policy (#35752)
New Resource: aws_securityhub_configuration_policy_association (#35752)
New Resource: aws_securitylake_subscriber_notification (#36323)

ENHANCEMENTS:

data-source/aws_ec2_transit_gateway_peering_attachment: Add state attribute (#36304)
data-source/aws_lakeformation_permissions: Add data_cells_filter attribute (#36264)
data-source/aws_ram_resource_share: name is Optional (#36062)
resource/aws_cognito_user_pool: Add pre_token_generation_config configuration block (#35236)
resource/aws_ec2_transit_gateway_peering_attachment: Add state attribute (#36304)
resource/aws_ecs_cluster: Add default value (DEFAULT) for configuration.execute_command_configuration.logging (#36341)
resource/aws_lakeformation_permissions: Add data_cells_filter attribute (#36264)
resource/aws_ram_resource_association: Add plan-time validation of resource_arn and resource_share_arn (#36062)
resource/aws_route53domains_registered_domain: Add billing_contact and billing_privacy arguments (#36285)
resource/aws_securityhub_organization_configuration: Add organization_configuration configuration block to support central configuration (#35752)
resource/aws_securityhub_organization_configuration: Set auto_enable to false, auto_enable_standards to NONE, and organization_configuration.configuration_type to LOCAL on resource Delete (#35752)

BUG FIXES:

data-source/aws_iam_policy_document: Fix Failed to marshal state to json: unsupported attribute "override_json" and Failed to marshal state to json: unsupported attribute "source_json" errors when running terraform show -json or terraform state rm (#36383)
data-source/aws_opensearch_domain : Add auto_tune_options.use_off_peak_window attribute. This fixes a regression introduced in v5.40.0 causing Invalid address to set errors (#36298)
resource/aws_cognito_identity_pool: Fix handling of resources deleted out of band (#36100)
resource/aws_cognito_identity_provider: Fix InvalidParameterException: ActiveEncryptionCertificate is not a valid key for SAML identity provider details errors on resource Update (#36311)
resource/aws_ec2_instance: Remove ForceNew from ipv6_address_count (#36308)
resource/aws_ecs_cluster: Fix panic: interface conversion: interface {} is nil, not map[string]interface {} when configuration, configuration.execute_command_configuration, or configuration.execute_command_configuration.log_configuration are empty (#36341)
resource/aws_ecs_service: Fix panic: interface conversion: interface {} is nil, not map[string]interface {} when service_connect_configuration.service.timeout is empty (#36309)
resource/aws_ecs_service: service_connect_configuration.service.tls.issuer_cert_authority.aws_pca_authority_arn is Required (#36309)
resource/aws_elasticache_replication_group: Fix bugs causing errors like InvalidReplicationGroupState: Cluster not in available state to perform tagging operations. (#36310)
resource/aws_finspace_kx_cluster: Prevent command_line_arguments and initialization_script updates from overwriting one another (#36361)
resource/aws_network_acl_rule: Fix InvalidNetworkAclID.NotFound errors on resource Delete (#36326)
resource/aws_network_acl_rule: Prevent creation of duplicate Terraform resources (#36326)
resource/aws_ram_principal_association: Prevent creation of duplicate Terraform resources (#36062)
resource/aws_ram_principal_association: Remove from state on resource Read if principal is disassociated outside of Terraform (#36062)
resource/aws_ram_resource_association: Prevent creation of duplicate Terraform resources (#36062)
resource/aws_route: Prevent creation of duplicate Terraform resources (#36326)
resource/aws_route_table: Fix couldn't find resource errors on resource Delete (#36326)
resource/aws_vpn_connection: Correct plan-time validation of tunnel1_inside_ipv6_cidr and tunnel2_inside_ipv6_cidr (#36236)

`v5.40.0`

Compare Source

FEATURES:

New Function: arn_build (#34952)
New Function: arn_parse (#34952)
New Resource: aws_account_region (#35739)
New Resource: aws_securitylake_subscriber (#35981)

ENHANCEMENTS:

data-source/aws_rds_engine_version: Add has_major_target and has_minor_target optional arguments and valid_major_targets and valid_minor_targets attributes (#36246)
resource/aws_batch_job_queue: added parameter compute_environment_order which conflicts with compute_environments but aligns with AWS API. compute_environments has been deprecated. (#34750)
resource/aws_cloudfront_distribution: Remove the upper limit on origin.custom_origin_config.origin_read_timeout (#36088)
resource/aws_db_instance: Add io2 as a valid value for storage_type (#36252)
resource/aws_elasticache_serverless_cache: Add plan-time validation of cache_usage_limits.ecpu_per_second.maximum (#35927)
resource/aws_iot_policy: Add tagging support (#36102)
resource/aws_iot_role_alias: Add tagging support (#36255)
resource/aws_opensearch_domain: Add use_off_peak_window argument to the auto_tune_options configuration block (#36067)
resource/aws_rds_cluster: Add io2 as a valid value for storage_type (#36252)
resource/aws_s3_bucket_object: Adds attribute arn. (#35710)
resource/aws_s3_object: Adds attribute arn. (#35710)
resource/aws_s3_object_copy: Adds attribute arn. (#35710)
resource/aws_wafv2_rule_group: Add evaluation_window_sec argument to the rate_based_statement configuration block (#36045)
resource/aws_wafv2_web_acl: Add evaluation_window_sec argument to the rate_based_statement configuration block (#36045)

BUG FIXES:

data-source/aws_rds_engine_version: Fix bugs that could limit engine version to a default version even when not appropriate (#36246)
resource/aws_db_instance: Correctly sets parameter_group_name when replicate_source_db is in different region. (#36080)
resource/aws_elastic_beanstalk_environment: Fix InvalidParameterValue: Environment named ... is in an invalid state for this operation. Must be Ready errors when tags are updated along with other attributes (#36074)
resource/aws_elasticache_serverless_cache: Change cache_usage_limits.data_storage.maximum and cache_usage_limits.ecpu_per_second.maximum to ForceNew (#35927)
resource/aws_medialive_channel: Fix handling of optional encoder_settings.audio_descriptions arguments (#36097)
resource/aws_rds_global_cluster: Fix bugs and delays that could occur when performing major or minor version upgrades (#36246)
resource/aws_s3_bucket: Tags with empty values no longer remove all tags. (#35710)
resource/aws_s3_bucket_object: Tags with empty values no longer remove all tags. (#35710)
resource/aws_s3_object: Tags with empty values no longer remove all tags. (#35710)
resource/aws_s3_object_copy: Tags with empty values no longer remove all tags. (#35710)
resource/aws_vpclattice_listener_rule: Remove action.forward.target_groups maximum item limit (#36095)

`v5.39.1`

Compare Source

BUG FIXES:

data-source/aws_instance: Fix panic: Invalid address to set related to root_block_device.0.tags_all (#36054)

`v5.39.0`

Compare Source

FEATURES:

New Data Source: aws_redshift_data_shares (#35937)
New Resource: aws_apprunner_deployment (#35758)
New Resource: aws_config_retention_configuration (#15136)
New Resource: aws_securityhub_automation_rule (#34781)
New Resource: aws_shield_proactive_engagement (#34667)

ENHANCEMENTS:

aws_kinesis_firehose_delivery_stream: Add custom_time_zone and file_extension arguments to the extended_S3_configuration configuration block (#35969)
resource/aws_appflow_flow: Allow task.source_fields to be a null value (#35993)
resource/aws_codepipeline: Add trigger configuration block (#35475)
resource/aws_config_configuration_recorder: Add plan-time validation of aws_config_organization_custom_rule.lambda_function_arn (#15136)
resource/aws_instance: Add configurable read timeout (#35955)
resource/aws_instance: Apply default tags to volumes/block devices managed through an aws_instance, add ebs_block_device.*.tags_all and root_block_device.*.tags_all attributes which include default tags (#33769)
resource/aws_mq_broker: Add data_replication_mode and data_replication_primary_broker_arn arguments, enabling support for cross-region data replication (#35990)
resource/aws_mwaa_environment: Add endpoint_management attribute (#35961)
resource/aws_redshiftserverless_namespace:
Add attributes admin_password_secret_kms_key_id and manage_admin_password (#35965)
resource/aws_shield_drt_access_log_bucket_association: Support resource import (#34667)
resource/aws_shield_drt_access_role_arn_association: Support resource import (#34667)
resource/aws_spot_instance_request: Add configurable read timeout (#35955)
resource/aws_wafv2_web_acl: Add application_integration_url attribute (#35974)

BUG FIXES:

data/aws_redshiftserverless_namespace: Properly set iam_roles attribute on read (#35965)
resource/aws_appflow_flow: Fix perpetual diff when task.task_type is set to Map_all (#35993)
resource/aws_config_configuration_recorder: Fix panic: interface conversion: interface {} is nil, not map[string]interface {} when recording_group.exclusion_by_resource_types is empty (#15136)
resource/aws_config_rule: Change name to ForceNew (#15136)
resource/aws_config_rule: Fix InvalidParameterValueException: PolicyText is required when Owner is CUSTOM_POLICY errors on resource Update (#15136)
resource/aws_ecs_task_definition: Fix perpetual container_definitions diffs when Names are ordered differently (#36029)
resource/aws_msk_replicator: Fix incorrect detect_and_copy_new_topics attribute value from state read/refresh (#35966)
resource/aws_redshiftserverless_workgroup: Fix max_capacity removal (#36032)
resource/aws_redshiftserverless_workgroup: Fix updating both base_capacity and max_capacity (#36032)
resource/aws_shield_drt_access_log_bucket_association: Change log_bucket and role_arn_association_id to ForceNew (#34667)

`v5.38.0`

Compare Source

FEATURES:

New Data Source: aws_batch_job_definition (#34663)
New Data Source: aws_cognito_user_group (#34046)
New Data Source: aws_cognito_user_groups (#34046)

ENHANCEMENTS:

data-source/aws_alb_target_group: Add load_balancer_arns attribute (#34364)
data-source/aws_ec2_instance_type: Add maximum_network_cards attribute (#35840)
data-source/aws_elasticache_subnet_group: Add vpc_id attribute (#35887)
data-source/aws_lb_target_group: Add load_balancer_arns attribute (#34364)
provider: Add token_bucket_rate_limiter_capacity parameter (#35926)
resource/aws_alb_target_group: Add load_balancer_arns attribute (#34364)
resource/aws_codedeploy_deployment_config: Add arn attribute (#35888)
resource/aws_codepipeline: Add execution_mode argument (#35875)
resource/aws_config_configuration_recorder: Add recording_mode configuration block (#35527)
resource/aws_db_instance: Add plan-time validation of performance_insights_retention_period (#35870)
resource/aws_elasticache_subnet_group: Add vpc_id attribute (#35887)
resource/aws_lb_target_group: Add load_balancer_arns attribute (#34364)
resource/aws_redshiftserverless_workgroup: Add max_capacity argument (#35720)
resource/aws_transfer_server: Add TransferSecurityPolicy-2024-01 and TransferSecurityPolicy-FIPS-2024-01 as valid values for security_policy_name (#35879)

BUG FIXES:

data-source/aws_caller_identity: Fix authentication signature error when alternate sts_region is specified (#35860)
data-source/aws_eks_access_entry: Fix cluster_name plan-time validation, allowing single-character names (#35874)
data-source/aws_eks_addon: Fix cluster_name plan-time validation, allowing single-character names (#35874)
data-source/aws_eks_cluster: Fix name plan-time validation, allowing single-character names (#35874)
resource/aws_cloudsearch_domain: Prevent panic when reading nil index_field options response values (#35900)
resource/aws_eks_access_entry: Fix cluster_name plan-time validation, allowing single-character names (#35874)
resource/aws_eks_access_policy_association: Fix cluster_name plan-time validation, allowing single-character names (#35874)
resource/aws_eks_addon: Fix cluster_name plan-time validation, allowing single-character names (#35874)
resource/aws_eks_cluster: Fix name plan-time validation, allowing single-character names (#35874)
resource/aws_eks_fargate_profile: Fix cluster_name plan-time validation, allowing single-character names (#35874)
resource/aws_eks_node_group: Fix cluster_name plan-time validation, allowing single-character names (#35874)
resource/aws_prometheus_scraper: Fixes invalid result after apply error. (#35844)
resource/aws_sqs_queue_policy: Retry IAM eventual consistency errors (#35861)

`v5.37.0`

Compare Source

NOTES:

provider: Updates to Go 1.21 (used by Terraform starting with v1.6.0), which, for Windows, requires at least Windows 10 or Windows Server 2016--support for previous versions has been discontinued--and, for macOS, requires macOS 10.15 Catalina or later--support for previous versions has been discontinued. (#35832)
resource/aws_bedrock_provisioned_model_throughput: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#35689)

FEATURES:

New Data Source: aws_db_parameter_group (#35698)
New Resource: aws_bedrock_provisioned_model_throughput (#35689)
New Resource: aws_cloudfront_key_value_store (#35663)
New Resource: aws_redshift_data_share_consumer_association (#35771)

ENHANCEMENTS:

data-source/aws_ecr_pull_through_cache_rule: Add credential_arn attribute (#34475)
data-source/aws_ecs_task_execution: Add client_token argument (#34402)
data-source/aws_neptune_cluster_instance: Add skip_final_snapshot argument (#35698)
data-source/aws_rds_engine_version: Improve search functionality and options by adding latest, preferred_major_targets, and preferred_upgrade_targets. Add version_actual attribute (#35698)
data-source/aws_rds_orderable_db_instance: Improve search functionality and options by adding engine_latest_version and supports_clusters arguments and converting read_replica_capable, supported_engine_modes, supported_network_types, and supports_multi_az to arguments for use as search criteria (#35698)
resource/aws_appsync_graphql_api: Add introspection_config, query_depth_limit, and resolver_count_limit arguments (#35631)
resource/aws_codeartifact_domain: Add s3_bucket_arn attribute (#35760)
resource/aws_ecr_pull_through_cache_rule: Add credential_arn argument (#34475)
resource/aws_ecs_service: Add service_connect_configuration.service.timeout and service_connect_configuration.service.tls configuration blocks (#35684)
resource/aws_ecs_task_definition: Add track_latest argument (#30154)
resource/aws_glue_catalog_database: Add federated_database argument (#35799)
resource/aws_glue_trigger: Add configurable timeouts (#35542)
resource/aws_rds_cluster: Add domain and domain_iam_role_name arguments to support Kerberos authentication (#35753)
resource/aws_route53_record: Add geoproximity_routing_policy configuration block to support geoproximity routing (#35565)
resource/aws_route53_resolver_rule: Add target_ip.protocol argument (#35744)
resource/aws_sagemaker_endpoint_configuration: Add routing_config argument. Enables the specification of a routing_strategy. (#34777)
resource/aws_sagemaker_space: Add ownership_settings, space_sharing_settings, space_settings.app_type, space_settings.code_editor_app_settings, space_settings.custom_file_system, space_settings.jupyter_lab_app_settings, and space_settings.space_storage_settings arguments (#35116)

BUG FIXES:

provider: Fix failed to get rate limit token, retry quota exceeded errors (#35817)
resource/aws_apigateway_domain_name: Properly send changes to ownership_verification_certificate_arn on update (#35777)
resource/aws_apigatewayv2_route: Fix BadRequestException: Unable to update route. Authorizer type is invalid or null errors when updating authorizer_id (#35821)
resource/aws_autoscaling_group: Fix version to computed for inconsistent final plan issue (#35774)
resource/aws_datasync_task: Fix crash when reading empty report_override values (#35778)
resource/aws_datasync_task: Prevent ValidationErrors when empty values are sent with report_override arguments (#35778)
resource/aws_db_proxy: Change auth from TypeList to TypeSet as order is not significant (#35819)
resource/aws_ecs_account_setting_default: Remove plan-time validation of value (#33393)
resource/aws_ecs_task_definition: Fix perpetual container_definitions diffs when Secrets are ordered differently (#35792)
resource/aws_eks_access_policy_association: Retry IAM eventual consistency errors on create (#35736)
resource/aws_instance: Fix ReservationCapacityExceeded errors when updating instance_type and capacity_reservation_specification.capacity_reservation_target.capacity_reservation_id (#33412)
resource/aws_lakeformation_resource: Properly handle configured false values for use_service_linked_role (#35799)
resource/aws_medialive_channel: Added client_cache to hls_group_settings. (#35738)
resource/aws_ram_resource_share_accepter: Fix handling of out-of-band resource share deletion (#35800)
resource/aws_redshift_data_share_authorization: Fix read operation to properly handle shares in ACTIVE status (#35771)
resource/aws_s3_bucket_acl: Correctly updates access_control_policy when switching configuration to acl. (#35775)
resource/resource_share_acceptor: Wait until RAM resource share available after accepting the invitation (#34753)

`v5.36.0`

Compare Source

NOTES:

data-source/aws_media_convert_queue: The AWS Elemental MediaConvert service has been converted to use standard Regional endpoints instead of deprecated per-account endpoints (#35615)
resource/aws_controltower_landing_zone: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#34595)
resource/aws_media_convert_queue: The AWS Elemental MediaConvert service has been converted to use standard Regional endpoints instead of deprecated per-account endpoints (#35615)

FEATURES:

New Resource: aws_controltower_landing_zone (#34595)
New Resource: aws_osis_pipeline (#35582)
New Resource: aws_redshift_data_share_authorization (#35703)
New Resource: aws_securitylake_custom_log_source (#35354)

ENHANCEMENTS:

resource/aws_cloudwatch_metric_stream: Add plan-time validation of output_format (#35569)
resource/aws_db_instance: Add diag.log and notify.log as valid values for enabled_cloudwatch_logs_exports (#35626)
resource/aws_db_instance: Add domain_auth_secret_arn, domain_dns_ips, domain_fqdn, and domain_ou arguments to support self-managed Active Directory (#35500)
resource/aws_s3_bucket_metric: Add filter.access_point argument (#35590)
resource/aws_verifiedaccess_group: Add sse_configuration argument (#34055)

BUG FIXES:

resource/aws_db_instance: Creating resource from point-in-time recovery now handles password attribute correctly (#35589)
resource/aws_dynamodb_table: Ensure that replicas are always set on Read (#35630)
resource/aws_emr_cluster: Properly normalize launch_specifications.on_demand_specification.allocation_strategy and launch_specifications.spot_specification.allocation_strategy values to fix perpetual state differences (#34367)
resource/aws_kinesis_firehose_delivery_stream: Change extended_s3_configuration.processing_configuration.processors.parameters from TypeList to TypeSet as order is not significant (#35672)
resource/aws_lambda_function: Resolve consecutive diff issue in logging_config when values for application_log_level or system_log_level are not specified (#35694)
resource/aws_lb_listener: Fixes unexpected diff when using default_action parameters which don't match the type. (#35678)
resource/aws_lb_listener: Was incorrectly reporting conflicting default_action[].target_group_arn when ignore_changes was set. (#35671)
resource/aws_lb_listener: Was not storing default_action[].forward in state if only a single target_group was set. (#35671)
resource/aws_lb_listener_rule: Fixes unexpected diff when using action parameters which don't match the type. (#35678)
resource/aws_lb_listener_rule: Was incorrectly reporting conflicting action[].target_group_arn when ignore_changes was set. (#35671)
resource/aws_lb_listener_rule: Was not storing action[].forward in state if only a single target_group was set. (#35671)
resource/aws_ssm_patch_baseline: Mark json as Computed if there are content changes (#35606)

`v5.35.0`

Compare Source

FEATURES:

New Data Source: aws_bedrock_custom_model (#34310)
New Data Source: aws_bedrock_custom_models (#34310)
New Data Source: aws_ssmcontacts_rotation (#32710)
New Resource: aws_bedrock_custom_model (#34310)
New Resource: aws_lexv2models_slot (#34617)
New Resource: aws_lexv2models_slot_type (#35555)
New Resource: aws_rekognition_collection (#35407)
New Resource: aws_sesv2_email_identity_policy (#35486)
New Resource: aws_ssmcontacts_rotation (#32710)

ENHANCEMENTS:

data-source/aws_redshift_cluster: Add multi_az attribute (#35508)
resource/aws_lakeformation_resource: Add hybrid_access_enabled argument (#35571)
resource/aws_lakeformation_resource: Add with_federation argument (#35154)
resource/aws_redshift_cluster: Add multi_az argument (#35508)
resource/aws_redshiftserverless_endpoint_access: Add owner_account argument (#35509)
resource/aws_wafv2_rule_group: Add header_order to field_to_match configuration blocks (#35521)
resource/aws_wafv2_web_acl: Add header_orderto field_to_match configuration blocks (#35521)

BUG FIXES:

data-source/aws_networkmanager_core_network_policy_document: Remove core_network_configuration.edge_locations maximum item limit (#35585)
resource/aws_backup_plan: Fix InvalidParameterValueException: Invalid lifecycle. EBS Cold Tier is not yet supported errors on resource Create in AWS GovCloud (US) (#35560)
resource/aws_cognito_user_group: Allow import of user groups with names containing / (#35501)
resource/aws_dms_event_subscription: Mark source_ids as Optional. This fixes a regression introduced in v5.31.0 (#35541)
resource/aws_efs_file_system: Increase lifecycle_policy maximum item limit to 3 (#35522)
resource/aws_eks_access_entry: Retry IAM eventual consistency errors on create (#35535)
resource/aws_finspace_kx_cluster: Increase command_line_arguments max length restriction from 50 to 1024. (#35581)

`v5.34.0`

Compare Source

FEATURES:

New Resource: aws_rekognition_project (#35429)
New Resource: aws_route53domains_delegation_signer_record (#33596)

ENHANCEMENTS:

data-source/aws_codecommit_repository: Add kms_key_id attribute (#35095)
data-source/aws_imagebuilder_components: Add support for ThirdParty owner value (#35286)
data-source/aws_imagebuilder_container_recipes: Add support for ThirdParty owner value (#35286)
data-source/aws_imagebuilder_image_recipes: Add support for ThirdParty owner value (#35286)
data-source/aws_ssm_patch_baseline: Add json attribute to facilitate use with S3 buckets (#33402)
resource/aws_accessanalyzer_analyzer: Add configuration configuration block (#35310)
resource/aws_appflow_flow: Add flow_status attribute (#34948)
resource/aws_codecommit_repository: Add kms_key_id argument (#35095)
resource/aws_codecommit_trigger: Add plan-time validation of trigger.destination_arn and trigger.events (#35095)
resource/aws_ecs_capacity_provider: Add auto_scaling_group_provider.managed_draining argument (#35421)
resource/aws_fis_experiment_template: Add support for AutoScalingGroups, Buckets, ReplicationGroups, Tables and TransitGateways to action.*.target (#35300)
resource/aws_fsx_openzfs_file_system: Add skip_final_backup argument (#35320)
resource/aws_network_interface_sg_attachment: Increase default timeouts to 3 minutes and allow them to be configured (#35435)
resource/aws_prometheus_scraper: Add role_arn attribute (#35453)
resource/aws_route53domains_registered_domain: Support resource import (#33596)
resource/aws_ssm_patch_baseline: Add json attribute to facilitate use with S3 buckets (#33402)
resource/aws_wafv2_web_acl: Add challenge_config argument (#35367)

BUG FIXES:

resource/aws_codebuild_project: Allow build_batch_config to be removed on Update (#34121)
resource/aws_eks_access_entry: Mark kubernetes_groups as Computed (#35391)
resource/aws_eks_access_entry: Mark type and user_name as Optional, allowing values to be configured (#35391)
resource/aws_grafana_license_association: Fix missing workspace_id attribute after import (#35290)
resource/aws_security_group_rule: Fix UnsupportedOperation: The functionality you requested is not available in this region errors on Read in certain partitions (#33484)

`v5.33.0`

Compare Source

FEATURES:

New Data Source: aws_eks_access_entry (#35037)
New Resource: aws_eks_access_entry (#35037)
New Resource: aws_eks_access_policy_association (#35037)
New Resource: aws_lexv2models_intent (#34891)

ENHANCEMENTS:

data-source/aws_eks_cluster: Add access_config attribute (#35037)
data-source/aws_secretsmanager_secret: Add created_date and last_changed_date attributes (#35117)
data-source/aws_secretsmanager_secret_version: Add created_date attribute (#35117)
resource/aws_backup_plan: Add rule.lifecycle.opt_in_to_archive_for_supported_resources and rule.copy_action.lifecycle.opt_in_to_archive_for_supported_resources and arguments (#34994)
resource/aws_eks_cluster: Add access_config configuration block (#35037)
resource/aws_lakeformation_resource: Add use_service_linked_role argument (#35284)
resource/aws_secretsmanager_secret_rotation: Add rotate_immediately argument (#35105)

BUG FIXES:

resource/aws_datasync_task: Allow schedule to be removed successfully (#35282)
resource/aws_fis_experiment_template: Fix validation error when not using target.resource_arns or target.resource_tag attributes. (#35254)
resource/aws_lb_listener: Fix ValidationError: Mutual Authentication mode passthrough does not support ignoring certificate expiry errors when mutual_authentication.mode is set to passthrough (#35289)
resource/aws_secretsmanager_secret_version: Fix InvalidParameterException: The parameter RemoveFromVersionId can't be empty. Staging label AWSCURRENT is currently attached to version ..., so you must explicitly reference that version in RemoveFromVersionId errors when a secret is updated outside Terraform (#19943)

`v5.32.1`

Compare Source

BUG FIXES:

data-source/aws_ecr_image: Fix error when most_recent is not also latest (#35269)
resource/aws_iot_ca_certificate: Change registration_config.role_arn from TypeBool to TypeString, fixing Inappropriate value for attribute "role_arn": a bool is required errors (#35234)
resource/aws_mq_broker: Fix interface conversion: interface {} is *schema.Set, not []string panic (#35265)

`v5.32.0`

Compare Source

FEATURES:

New Data Source: aws_mq_broker_engine_types (#34232)
New Data Source: aws_msk_bootstrap_brokers (#32484)
New Data Source: aws_verifiedpermissions_policy_store (#32204)
New Resource: aws_ebs_fast_snapshot_restore (#35211)
New Resource: aws_elasticache_serverless_cache (#34951)
New Resource: aws_imagebuilder_workflow (#35097)
New Resource: aws_kinesis_resource_policy (#35167)
New Resource: aws_prometheus_scraper (#34749)
New Resource: aws_securitylake_aws_log_source (#34974)
New Resource: aws_ssoadmin_application_access_scope (#34811)
New Resource: aws_verifiedpermissions_policy_store (#32204)
New Resource: aws_verifiedpermissions_policy_template (#32205)
New Resource: aws_verifiedpermissions_schema (#32204)

ENHANCEMENTS:

data-source/aws_batch_compute_environment: Add update_policy attribute (#34353)
data-source/aws_ecr_image: Add image_uri attribute (#24526)
data-source/aws_efs_file_system: Add lifecycle_policy.transition_to_archive attribute (#35096)
data-source/aws_efs_file_system: Add protection attribute (#35029)
data-source/aws_elastic_beanstalk_hosted_zone: Add hosted zone ID for il-central-1 AWS Region (#35131)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ca-west-1 AWS Region (#35131)
data-source/aws_fsx_ontap_file_system: Add ha_pairs and throughput_capacity_per_ha_pair attributes (#34993)
data-source/aws_glue_catalog_table: Add region attribute to target_table block. (#34817)
data-source/aws_lambda_function: Add logging_config attribute (#35050)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ca-west-1 AWS Region (#35131)
data-source/aws_lb_target_group: Add load_balancing_anomaly_mitigation attribute (#35083)
data-source/aws_msk_configuration: Remove name length validation (#34399)
data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.tls_inspection_configuration_arn attribute (#35094)
data-source/aws_prometheus_workspace: Add kms_key_arn attribute (#35062)
data-source/aws_route53_resolver_endpoint: Add protocols attribute (#35098)
data-source/aws_route53_resolver_endpoint: Add resolver_endpoint_type attribute (#34798)
data-source/aws_s3_bucket: Add hosted zone ID for ca-west-1 AWS Region (#35131)
provider: Support ca-west-1 as a valid AWS Region (#35131)
resource/aws_appflow_flow: Add destination_connector_properties.s3.s3_output_format_config.target_file_size argument (#35215)
resource/aws_appstream_fleet: Increase idle_disconnect_timeout_in_seconds max value for validation to 360000 (#35173)
resource/aws_autoscaling_group: Add instance_refresh.preferences.max_healthy_percentage attribute (#34929)
resource/aws_autoscaling_group: Fix ValidationError: The instance ... is not part of Auto Scaling group ... errors on resource Delete when disabling scale-in protection for instances that are already fully terminated (#35071)
resource/aws_batch_compute_environment: Add update_policy parameter (#34353)
resource/aws_batch_job_definition: Add scheduling_priority argument and arn_prefix attribute (#34997)
resource/aws_cloud9_environment_ec2: Add amazonlinux-2023-x86_64 and resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2023-x86_64 as valid values for image_id (#35020)
resource/aws_codepipeline: Add pipeline_type argument and variable configuration block (#34841)
resource/aws_dms_replication_task: Allow cdc_start_time to use RFC3339 formatted dates in addition to UNIX timestamps (#31917)
resource/aws_dms_replication_task: Remove ForceNew from replication_instance_arn, allowing in-place migration between DMS instances (#30721)
resource/aws_efs_file_system: Add lifecycle_policy.transition_to_archive argument (#35096)
resource/aws_efs_file_system: Add protection configuration block (#35029)
resource/aws_efs_replication_configuration: Increase Create timeout to 20 minutes (#34955)
resource/aws_efs_replication_configuration: Mark destination.file_system_id as Optional, enabling EFS replication fallback (#34955)
resource/aws_finspace_kx_dataview: Increase default create, update, and delete timeouts to 4 hours (#35207)
resource/aws_finspace_kx_scaling_group: Increase default create, delete timeouts to 4 hours (#35206)
resource/aws_fsx_lustre_file_system: Allow per_unit_storage_throughput to be updated in-place (#34932)
resource/aws_fsx_ontap_file_system: Add ha_pairs and throughput_capacity_per_ha_pair arguments (#34993)
resource/aws_fsx_ontap_file_system: Increase maximum value of disk_iops_configuration.iops to 2400000 (#34993)
resource/aws_fsx_ontap_file_system: throughput_capacity is Optional (#34993)
resource/aws_glue_catalog_table: Add region attribute to target_table block. (#34817)
resource/aws_glue_classifier: Add csv_classifier.serde argument (#34251)
resource/aws_kinesis_firehose_delivery_stream: Add opensearch_configuration.document_id_options configuration block (#35137)
resource/aws_kinesis_firehose_delivery_stream: Add splunk_configuration.buffering_interval and splunk_configuration.buffering_size arguments (#35137)
resource/aws_kinesis_firehose_delivery_stream: Adjust elasticsearch_configuration.buffering_interval, http_endpoint_configuration.buffering_interval, opensearch_configuration.buffering_interval, opensearchserverless_configuration.buffering_interval, redshift_configuration.s3_backup_configuration.buffering_interval,extended_s3_configuration.s3_backup_configuration.buffering_interval, elasticsearch_configuration.s3_configuration.buffering_interval, http_endpoint_configuration.s3_configuration.buffering_interval, opensearch_configuration.s3_configuration.buffering_interval, opensearchserverless_configuration.s3_configuration.buffering_interval, redshift_configuration.s3_configuration.buffering_interval and splunk_configuration.s3_configuration.buffering_interval minimum values to 0 to support zero buffering (#35137)
resource/aws_kms_key: Add xks_key_id attribute (#31216)
resource/aws_lambda_function: Add logging_config configuration block in support of advanced logging controls (#35050)
resource/aws_lambda_function: Add support for python3.12 runtime value (#35049)
resource/aws_lambda_layer_version: Add support for python3.12 compatible_runtimes value (#35049)
resource/aws_lb_target_group: Add load_balancing_anomaly_mitigation argument (#35083)
resource/aws_lb_target_group: Add weighted_random as a valid value for load_balancing_algorithm_type (#35083)
resource/aws_neptune_cluster: Add storage_type argument (#34985)
resource/aws_neptune_cluster_instance: Add storage_type attribute (#34985)
resource/aws_networkfirewall_firewall: Add configurable timeouts (#34918)
resource/aws_networkfirewall_firewall_policy: Add firewall_policy.tls_inspection_configuration_arn argument (#35094)
resource/aws_prometheus_workspace: Add kms_key_arn argument, enabling encryption at-rest using AWS KMS Customer Managed Keys (CMK) (#35062)
resource/aws_redshiftserverless_workgroup: Add port argument (#34925)
resource/aws_route53_resolver_endpoint: Add protocols argument (#35098)
resource/aws_route53_resolver_endpoint: Add resolver_endpoint_type argument (#34798)
resource/aws_s3_bucket: Modify resource Read to support third-party S3 API implementations. Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#35035)
resource/aws_s3_bucket: Modify server-side encryption configuration error handling, enabling support for NetApp StorageGRID (#34890)
resource/aws_transfer_server: Add TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 and TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 as valid values for security_policy_name (#35129)
resource/aws_verifiedaccess_endpoint: Add policy_document argument (#34264)

BUG FIXES:

data-source/aws_lb_target_group: Change deregistration_delay from TypeInt to TypeString (#31436)
data-source/aws_s3_bucket_object: Remove any leading ./ from key to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility (#35223)
data-source/aws_s3_object: Remove any leading ./ from key to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility (#35223)
resource/aws_cloud9_environment_ec2: image_id is Required (#35020)
resource/aws_codebuild_project: Prevent erroneous diffs on build_timeout and queued_timeout for Lambda compute types (#35043)
resource/aws_datasync_agent: Fix import of agents created with activation_key by removing requirement for one of ip_address or activation_key to be set (#35150)
resource/aws_dms_replication_config: Prevent erroneous diffs on replication_settings (#34356)
resource/aws_dms_replication_task: Prevent erroneous diffs on replication_task_settings (#34356)
resource/aws_dynamodb_table: Fix error when waiting for snapshot to be created (#34848)
resource/aws_finspace_kx_dataview: Properly set arn attribute on read, resolving persistent differences when tags are configured (#34998)
resource/aws_glue_catalog_database: Properly handle out-of-band resource deletion (#35195)
resource/aws_iot_indexing_configuration: Correct plan-time validation of thing_indexing_configuration.filter.named_shadow_names (#35225)
resource/aws_kinesis_firehose_delivery_stream: Fix InvalidArgumentException: Both BufferSizeInMBs and BufferIntervalInSeconds are required to configure buffering for lambda processor errors on resource Update (#26964)
resource/aws_kinesis_firehose_delivery_stream: Fix perpetual extended_s3_configuration.processing_configuration.processors.parameters diffs when processor type is Lambda (#35137)
resource/aws_lambda_function: Ensure lambda does not get deployed if source_code_hash does not change. (#29921)
resource/aws_lb: Fix ValidationError: Attributes cannot be empty errors (#35228)
resource/aws_lb_target_group: Fix diff on stickiness.cookie_name when stickiness.type is lb_cookie (#31436)
resource/aws_memorydb_cluster: Treat snapshotting status as pending when creating cluster (#31077)
resource/aws_ram_principal_association: Fix reading RAM Resource Share (...) Principal Association (...): couldn't find resource (21 retries) errors when a high number of principals are associated with a resource share (#34738)
resource/aws_s3_bucket_object: Remove any leading ./ from key to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility (#35223)
resource/aws_s3_object: Remove any leading ./ from key to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility (#35223)
resource/aws_s3_object_copy: Remove any leading ./ from key to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility (#35223)
resource/aws_secretsmanager_secret_rotation: No longer ignores changes to rotation_rules.automatically_after_days when rotation_rules.schedule_expression is set. (#35024)
resource/aws_ses_configuration_set: Fix tracking_options being omitted from state and resulting in persistent diff (#35056)
resource/aws_ssoadmin_application: Fix portal_options.sign_in_options.application_url triggering ValidationError when unset (#34967)

`v5.31.0`

Compare Source

FEATURES:

New Data Source: aws_polly_voices (#34916)
New Data Source: aws_ssoadmin_application_assignments (#34796)
New Data Source: aws_ssoadmin_principal_application_assignments (#34815)
New Resource: aws_finspace_kx_dataview (#34828)
New Resource: aws_finspace_kx_scaling_group (#34832)
New Resource: aws_finspace_kx_volume (#34833)
New Resource: aws_ssoadmin_trusted_token_issuer (#34839)

ENHANCEMENTS:

data-source/aws_cloudwatch_log_group: Add log_group_class attribute (#34812)
data-source/aws_dms_endpoint: Add postgres_settings attribute (#34724)
data-source/aws_lb: Add connection_logs attribute (#34864)
data-source/aws_lb: Add dns_record_client_routing_policy attribute (#34135)
data-source/aws_opensearchserverless_collection: Add standby_replicas attribute (#34677)
resource/aws_db_instance: Add support for IBM Db2 databases (#34834)
resource/aws_dms_endpoint: Add elasticsearch_settings.use_new_mapping_type argument (#29470)
resource/aws_dms_endpoint: Add postgres_settings configuration block (#34724)
resource/aws_finspace_kx_cluster: Add database.dataview_name, scaling_group_configuration, and tickerplant_log_configuration arguments. (#34831)
resource/aws_finspace_kx_cluster: The capacity_configuration argument is now optional. (#34831)
resource/aws_lb: Add connection_logs configuration block (#34864)
resource/aws_lb: Add plan-time validation that exactly one of either subnets or subnet_mapping is configured (#33205)
resource/aws_lb: Allow the number of subnet_mappings for Application Load Balancers to be changed without recreating the resource (#33205)
resource/aws_lb: Allow the number of subnet_mappings for Network Load Balancers to be increased without recreating the resource (#33205)
resource/aws_lb: Allow the number of subnets for Network Load Balancers to be increased without recreating the resource (#33205)
resource/aws_opensearchserverless_collection: Add standby_replicas attribute (#34677)

BUG FIXES:

data-source/aws_ecr_pull_through_cache_rule: Fix plan time validation for ecr_repository_prefix (#34716)
provider: Always use the S3 regional endpoint in us-east-1 for S3 directory bucket operations. This fixes no such host errors (#34893)
resource/aws_appmesh_virtual_node: Remove limit of 50 backends per virtual node (#34774)
resource/aws_cloudwatch_log_group: Fix invalid new value for .skip_destroy: was cty.False, but now null errors (#30354)
resource/aws_cloudwatch_log_group: Remove default value (STANDARD) for log_group_class argument and mark as Computed. This fixes InvalidParameterException: Only Standard log class is supported errors in AWS Regions other than AWS Commercial (#34812)
resource/aws_db_instance: Fix error where Terraform loses track of resource if Blue/Green Deployment is applied outside of Terraform (#34728)
resource/aws_dms_event_subscription: source_ids and source_type are Required (#33731)
resource/aws_ecr_pull_through_cache_rule: Fix plan time validation for ecr_repository_prefix (#34716)
resource/aws_lb: Correct in-place update of security_groups for Network Load Balancers when the new value is Computed (#33205)
resource/aws_lb: Fix InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network' errors on resource Create in AWS GovCloud (US) (#34135)
resource/aws_medialive_channel: Fixed errors related to setting the failover_condition argument (#33410)
resource/aws_securitylake_data_lake: Fix reflect.Set: value of type basetypes.StringValue is not assignable to type types.ARN panic when importing resources with nil ARN fields (#34820)
resource/aws_vpc: Increase IPAM pool allocation deletion timeout from 20 minutes to 35 minutes (#34859)

`v5.30.0`

Compare Source

FEATURES:

New Data Source: aws_codeguruprofiler_profiling_group (#34672)
New Data Source: aws_ecr_repositories (#34446)
New Data Source: aws_lb_trust_store (#34584)
New Data Source: aws_ssoadmin_application (#34773)
New Data Source: aws_ssoadmin_application_providers (#34670)
New Resource: aws_codeguruprofiler_profiling_group (#34672)
New Resource: aws_customerprofiles_domain (#34622)
New Resource: aws_customerprofiles_profile (#34622)
New Resource: aws_lb_trust_store (#34584)
New Resource: aws_lb_trust_store_revocation (#34584)
New Resource: aws_securitylake_data_lake (#34521)
New Resource: aws_ssoadmin_application (#34723)
New Resource: aws_ssoadmin_application_assignment (#34741)
New Resource: aws_ssoadmin_application_assignment_configuration (#34752)

ENHANCEMENTS:

data-source/aws_appconfig_configuration_profile: Add kms_key_identifier attribute (#34725)
data-source/aws_lb: Add enforce_security_group_inbound_rules_on_private_link_traffic attribute (#33767)
data-source/aws_lb_listener: Add mutual_authentication attribute (#34584)
resource/aws_appconfig_configuration_profile: Add kms_key_identifier attribute (#34725)
resource/aws_appconfig_deployment: Add kms_key_identifier attribute (#34739)
resource/aws_cloudwatch_log_group: Add log_group_class argument (#34679)
resource/aws_lb: Add enforce_security_group_inbound_rules_on_private_link_traffic argument (#33767)
resource/aws_lb_listener: Add mutual_authentication configuration block (#34584)
resource/aws_s3_bucket: Fix stack overflow fatal errors on resource Delete when force_destroy is true and the bucket contains delete markers (#34712)
resource/aws_sagemaker_app: Add resource_spec.sagemaker_image_version_alias argument (#34729)
resource/aws_sagemaker_app_image_config: Add jupyter_lab_image_config configuration block (#34696)
resource/aws_sagemaker_domain: Add default_user_settings.code_editor_app_settings, default_user_settings.custom_file_system_config, default_user_settings.custom_posix_user_config, default_user_settings.default_landing_uri, default_user_settings.jupyter_lab_app_settings, default_user_settings.space_storage_settings, default_user_settings.studio_web_portal arguments (#34729)
resource/aws_sagemaker_domain: Add sagemaker_image_version_alias argument under all default_resource_spec blocks (#34729)
resource/aws_sagemaker_domain: Add single_sign_on_application_arn attribute (#34729)
resource/aws_sagemaker_space: Add sagemaker_image_version_alias argument under all default_resource_spec blocks (#34729)
resource/aws_sagemaker_space: Add space_display_name argument (#34729)
resource/aws_sagemaker_space: Add url attribute (#34729)
resource/aws_sagemaker_user_profile: Add sagemaker_image_version_alias argument under all default_resource_spec blocks (#34729)
resource/aws_sagemaker_user_profile: Add user_settings.code_editor_app_settings, user_settings.custom_file_system_config, user_settings.custom_posix_user_config, user_settings.default_landing_uri, user_settings.jupyter_lab_app_settings, user_settings.space_storage_settings, user_settings.studio_web_portal arguments (#34729)
resource/aws_transfer_server: Add support for TransferSecurityPolicy-FIPS-2023-05 security_policy_name value (#34709)

BUG FIXES:

resource/aws_ami: Correctly sets deprecation_time on creation and update due to eventual consistency (#34691)
resource/aws_ami: Correctly sets description on update due to eventual consistency (#34691)
resource/aws_ami: Now allows removing deprecation_time (#34691)
resource/aws_appflow_flow: Fix perpetual diff on destination_flow_config (#34770)
resource/aws_backup_vault_policy: Fix eventual consistency error when waiting for IAM (#34671)
resource/aws_eks_pod_identity_association: Retry IAM eventual consistency errors on create and update (#34717)
resource/aws_glue_connection: Fix crash while creating resource with empty physical_connection_requirements configuration block (#34737)

`v5.29.0`

Compare Source

FEATURES:

New Resource: aws_docdbelastic_cluster (#31033)
New Resource: aws_eks_pod_identity_association (#34566)

ENHANCEMENTS:

resource/aws_docdb_cluster: Add storage_type argument (#34637)
resource/aws_neptune_parameter_group: Add name_prefix argument (#34500)

BUG FIXES:

resource/aws_networkmanager_attachment_accepter: Now revokes attachment on deletion for VPC Attachments (#34547)
resource/aws_networkmanager_vpc_attachment: Fixes error when modifying options fields while waiting for acceptance (#34547)
resource/aws_networkmanager_vpc_attachment: Fixes error where VPC Attachments waiting for acceptance could not be deleted (#34547)
resource/aws_s3_directory_bucket: Fix NotImplemented: This bucket does not support Object Versioning errors on resource Delete when force_destroy is true (#34647)

`v5.28.0`

Compare Source

FEATURES:

New Data Source: aws_s3_directory_buckets (#34612)
New Resource: aws_s3_directory_bucket (#34612)

ENHANCEMENTS:

resource/aws_s3control_access_grants_instance: Add identity_center_arn argument and identity_center_application_arn attribute (#34582)

BUG FIXES:

resource/aws_elaticache_replication_group: Fix regression caused by the introduction of the auth_token_update_strategy argument with a default value (#34600)

`v5.27.0`

Compare Source

NOTES:

provider: This release includes an update to the AWS SDK for Go v2 with breaking type changes to several services: internetmonitor, ivschat, pipes, and s3. These changes primarily affect how arguments with default values are serialized for outbound requests, changing scalar types to pointers. See this AWS SDK for Go V2 issue for additional context. The corresponding provider changes should make this breakfix transparent to users, but as with any breaking change there is the potential for missed edge cases. If errors are observed in the impacted resources, please link to this dependency update pull request in the bug report (#34476)

FEATURES:

New Data Source: aws_emr_supported_instance_types (#34481)
New Resource: aws_apprunner_default_auto_scaling_configuration_version (#34292)
New Resource: aws_lexv2models_bot_version (#33858)
New Resource: aws_s3control_access_grant (#34564)
New Resource: aws_s3control_access_grants_instance (#34564)
New Resource: aws_s3control_access_grants_instance_resource_policy (#34564)
New Resource: aws_s3control_access_grants_location (#34564)

ENHANCEMENTS:

resource/aws_apprunner_auto_scaling_configuration_version: Add has_associated_service and is_default attributes (#34292)
resource/aws_apprunner_service: Add network_configuration.ip_address_type argument (#34292)
resource/aws_apprunner_service: Add source_configuration.code_repository.source_directory argument to support monorepos (#34292)
resource/aws_apprunner_service: Allow health_check_configuration to be updated in-place (#34292)
resource/aws_cloudwatch_event_rule: Add state parameter and deprecate is_enabled parameter (#34510)
resource/aws_elaticache_replication_group: Add auth_token_update_strategy argument (#34460)
resource/aws_lambda_function: Add support for java21 runtime value (#34476)
resource/aws_lambda_function: Add support for python3.12 runtime value (#34533)
resource/aws_lambda_layer_version: Add support for java21 compatible_runtimes value (#34476)
resource/aws_lambda_layer_version: Add support for python3.12 compatible_runtimes value (#34533)
resource/aws_s3_bucket_logging: Add target_object_key_format configuration block to support automatic date-based partitioning (#34504)

BUG FIXES:

resource/aws_appflow_flow: Fix InvalidParameter: 2 validation error(s) found error when destination_flow_config or task is updated (#34456)
resource/aws_appflow_flow: Fix interface conversion: interface {} is nil, not map[string]interface {} panic (#34456)
resource/aws_apprunner_service: Correctly set service_url for private services (#34292)
resource/aws_glue_trigger: Fix ConcurrentModificationException: Workflow <workflowName> was modified while adding trigger <triggerName> errors (#34530)
resource/aws_lb_target_group: Adds plan- and apply-time validation for invalid parameter combinations (#34488)
resource/aws_lexv2_bot_locale: Fix voice_settings.engine validation, value conversion errors (#34532)
resource/aws_lexv2models_bot: Properly send type argument on create and update when configured (#34524)
resource/aws_pipes_pipe: Fix error when zero value is sent to source_parameters on update (#34487)

`v5.26.0`

Compare Source

FEATURES:

New Data Source: aws_iot_registration_code (#15098)
New Resource: aws_iot_billing_group (#31237)
New Resource: aws_iot_ca_certificate (#15098)
New Resource: aws_iot_event_configurations (#31237)

ENHANCEMENTS:

data-source/aws_autoscaling_group: Add instance_maintenance_policy attribute (#34430)
provider: Adds https_proxy and no_proxy parameters. (#34243)
resource/aws_autoscaling_group: Add instance_maintenance_policy configuration block (#34430)
resource/aws_finspace_kx_cluster: Increase default create and update timeouts to 4 hours to allow for increased startup times with large volumes of cached data (#34398)
resource/aws_finspace_kx_environment: Increase default delete timeout to 75 minutes (#34398)
resource/aws_iam_group_policy_attachment: Add plan-time validation of policy_arn (#34378)
resource/aws_iam_policy_attachment: Add plan-time validation of policy_arn (#34378)
resource/aws_iam_role_policy_attachment: Add plan-time validation of policy_arn (#34378)
resource/aws_iam_user_policy_attachment: Add plan-time validation of policy_arn (#34378)
resource/aws_iot_ca_certificate: Add ca_certificate_id attribute (#15098)
resource/aws_iot_policy: Add configurable timeouts (#34329)
resource/aws_iot_policy: When updating the resource, delete the oldest non-default version of the policy if creating a new version would exceed the maximum number of versions (5) (#34329)
resource/aws_lambda_function: Add support for nodejs20.x and provided.al2023 runtime values (#34401)
resource/aws_lambda_layer_version: Add support for nodejs20.x and provided.al2023 compatible_runtimes values (#34401)
resource/aws_quicksight_analysis: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline attribute (#33931)
resource/aws_quicksight_analysis: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options attribute (#33931)
resource/aws_quicksight_analysis: Add number_display_format_configuration and percentage_display_format_configuration to nested numeric_format_configuration argument (#33931)
resource/aws_quicksight_dashboard: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline attribute (#33931)
resource/aws_quicksight_dashboard: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options attribute (#33931)
resource/aws_quicksight_dashboard: Add number_display_format_configuration and percentage_display_format_configuration to nested numeric_format_configuration argument (#33931)
resource/aws_quicksight_template: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline attribute (#33931)
resource/aws_quicksight_template: Add definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options attribute (#33931)
resource/aws_quicksight_template: Add number_display_format_configuration and percentage_display_format_configuration to nested numeric_format_configuration argument (#33931)
resource/aws_rds_cluster: Add delete_automated_backups argument (#34309)

BUG FIXES:

resource/aws_chime_voice_connector: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chime_voice_connector_group: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chime_voice_connector_logging: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chime_voice_connector_origination: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chime_voice_connector_termination: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chime_voice_connector_termination_credentials: Fix read error when resource is not created in us-east-1 (#34334)
resource/aws_chimesdkmediapipelines_media_insights_pipeline_configuration: Fix eventual consistency error when resource is not created in us-east-1 (#34334)
resource/aws_chimesdkvoice_sip_media_application: Fix eventual consistency errors when not using us-east-1 (#34426)
resource/aws_chimesdkvoice_sip_rule: Fix eventual consistency errors when not using us-east-1 (#34426)
resource/aws_elasticache_user: Fix UserNotFound: ... is not available for tagging errors on resource Read when there is a concurrent update to the user (#34396)
resource/aws_grafana_workspace_api_key: Change key to Sensitive (#34105)
resource/aws_iam_group_policy_attachment: Retry ConcurrentModificationException errors on create and delete (#34378)
resource/aws_iam_policy_attachment: Retry ConcurrentModificationException errors on create and delete (#34378)
resource/aws_iam_role_policy_attachment: Retry ConcurrentModificationException errors on create and delete (#34378)
resource/aws_iam_user_policy_attachment: Retry ConcurrentModificationException errors on create and delete (#34378)
resource/aws_inspector2_delegated_admin_account: Fix errors: *target must be interface or implement error panic (#34424)
resource/aws_inspector2_enabler: Fix interface conversion: interface {} is nil, not map[string]inspector2.AccountResourceStatus panic (#34424)
resource/aws_iot_ca_certificate: Change ca_pem and certificate_pem to ForceNew (#15098)
resource/aws_iot_policy: Retry DeleteConflictException errors on delete (#34329)
resource/aws_quicksight_analysis: Fix handling of the nested number_scale, prefix, and suffix integer arguments (#33931)
resource/aws_quicksight_analysis: Fix handling of the nested rolling_date argument (#33931)
resource/aws_quicksight_analysis: Fix handling of the nested select_all_options argument (#33931)
resource/aws_quicksight_analysis: Fix handling of the nested visual_ids argument (#33931)
resource/aws_quicksight_analysis: Fixes to various optional blocks utilizing the shared column schema definition (#33931)
resource/aws_quicksight_analysis: Nested column_index and row_index arguments now properly handle zero values (#33931)
resource/aws_quicksight_dashboard: Fix handling of the nested number_scale, prefix, and suffix integer arguments (#33931)
resource/aws_quicksight_dashboard: Fix handling of the nested rolling_date argument (#33931)
resource/aws_quicksight_dashboard: Fix handling of the nested select_all_options argument (#33931)
resource/aws_quicksight_dashboard: Fix handling of the nested visual_ids argument (#33931)
resource/aws_quicksight_dashboard: Fixes to various optional blocks utilizing the shared column schema definition (#33931)
resource/aws_quicksight_dashboard: Nested column_index and row_index arguments now properly handle zero values (#33931)
resource/aws_quicksight_data_set: Increase permissions.actions maximum item limit to 20, aligning with the AWS API limits (#33931)
resource/aws_quicksight_data_source: Set all parameters to update aws_quicksight_data_source (#33061)
resource/aws_quicksight_template: Fix handling of the nested number_scale, prefix, and suffix integer arguments (#33931)
resource/aws_quicksight_template: Fix handling of the nested rolling_date argument (#33931)
resource/aws_quicksight_template: Fix handling of the nested select_all_options argument (#33931)
resource/aws_quicksight_template: Fix handling of the nested visual_ids argument (#33931)
resource/aws_quicksight_template: Fixes to various optional blocks utilizing the shared column schema definition (#33931)
resource/aws_quicksight_template: Nested column_index and row_index arguments now properly handle zero values (#33931)
resource/aws_sagemaker_user_profile: Change default_user_settings.canvas_app_settings.identity_provider_oauth_settings from TypeSet to TypeList, preventing interface conversion: interface {} is *schema.Set, not []interface {} panics (#34418)
resource/aws_synthetics_canary: Fix to properly suppress differences when expression is rate(0 minutes) (#34084)
resource/aws_vpn_connection: Fix UnsupportedOperation: The tunnel inside ip version parameter is not currently supported in this region error when creating connections in certain partitions and Regions (#34420)

`v5.25.0`

Compare Source

NOTES:

resource/aws_cloudtrail: The resource's import ID has changed from name to arn (#30758)

FEATURES:

New Data Source: aws_apigatewayv2_vpc_link (#33974)
New Data Source: aws_athena_named_query (#24815)
New Data Source: aws_bedrock_foundation_model (#34148)
New Data Source: aws_bedrock_foundation_models (#34148)
New Resource: aws_athena_prepared_statement (#33417)
New Resource: aws_lexv2models_bot_locale (#33949)

ENHANCEMENTS:

provider: Adds SSO API endpoint override parameter endpoints.sso (#34302)
resource/aws_appflow_connector_profile: Add jwt_token and oauth2_grant_type arguments to the connector_profile_config.connector_profile_credentials.salesforce block. (#34248)
resource/aws_autoscaling_group: Add plan-time validation of initial_lifecycle_hook.default_result, initial_lifecycle_hook.heartbeat_timeout, initial_lifecycle_hook.lifecycle_transition, initial_lifecycle_hook.name, initial_lifecycle_hook.notification_target_arn and initial_lifecycle_hook.role_arn (#12145)
resource/aws_autoscaling_lifecycle_hook: Add plan-time validation of default_result, heartbeat_timeout, lifecycle_transition, name, notification_target_arn and role_arn (#12145)
resource/aws_datasync_task: Add task_report_config argument (#33861)
resource/aws_db_instance: Add postgres as a valid engine value for blue/green deployments (#34216)
resource/aws_dms_endpoint: Add pause_replication_tasks, which when set to true, pauses associated running replication tasks, regardless if they are managed by Terraform, prior to modifying the endpoint (only tasks paused by the resource will be restarted after the modification completes) (#34316)
resource/aws_eks_cluster: Allow vpc_config.security_group_ids and vpc_config.subnet_ids to be updated in-place (#32409)
resource/aws_inspector2_organization_configuration: Add lambda_code argument to the auto_enable configuration block (#34261)
resource/aws_route53_record: Allow import of records with an empty record name. (#34212)
resource/aws_sagemaker_domain: Add default_user_settings.canvas_app_settings.direct_deploy_settings, default_user_settings.canvas_app_settings.identity_provider_oauth_settings and default_user_settings.canvas_app_settings.kendra_settings arguments (#34265)
resource/aws_sagemaker_domain: Change default_space_settings.kernel_gateway_app_settings.custom_image, default_user_settings.kernel_gateway_app_settings.custom_image and default_user_settings.r_session_app_settings.custom_image MaxItems from 30 to 200 (#34265)
resource/aws_sagemaker_feature_group: Add offline_store_config.s3_storage_config.resolved_output_s3_uri, online_store_config.storage_type and online_store_config.ttl_duration arguments (#34283)
resource/aws_sagemaker_feature_group: Allow online_store_config.ttl_duration to be updated in-place (#34283)
resource/aws_sagemaker_model: Add container.model_data_source and primary_container.model_data_source configuration blocks (#34158)
resource/aws_sagemaker_space: Change space_settings.kernel_gateway_app_settings.custom_image MaxItems from 30 to 200 (#34265)
resource/aws_sagemaker_user_profile: Add default_user_settings.canvas_app_settings.direct_deploy_settings, default_user_settings.canvas_app_settings.identity_provider_oauth_settings and default_user_settings.canvas_app_settings.kendra_settings arguments (#34265)
resource/aws_sns_topic: Add archive_policy argument and beginning_archive_time attribute to support message archiving (#34252)
resource/aws_sns_topic: Add replay_policy argument (#34252)

BUG FIXES:

provider: Fix Value Conversion Error panic for certain resources when null tag values are specified (#34319)
provider: Fixes parsing error in AWS shared config files with extra whitespace (#34300)
provider: Fixes poor performance when parsing AWS shared config files (#34300)
resource/aws_autoscaling_group: Change all initial_lifecycle_hook configuration block attributes to ForceNew (#34260)
resource/aws_cloudtrail: Change the id attribute from the trail's name to its ARN to support organization trails (#30758)
resource/aws_cloudwatch_event_rule: Increase event_pattern max length for validation to 4096 (#34270)
resource/aws_sagemaker_domain: Fix updating default_space_settings.r_studio_server_pro_app_settings.access_status from ENABLED to DISABLED (#34265)

`v5.24.0`

Compare Source

NOTES:

resource/aws_detective_organization_admin_account: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#25237)
resource/aws_detective_organization_configuration: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#25237)

FEATURES:

New Data Source: aws_opensearchserverless_lifecycle_policy (#34144)
New Resource: aws_detective_organization_admin_account (#25237)
New Resource: aws_detective_organization_configuration (#25237)
New Resource: aws_opensearchserverless_lifecycle_policy (#34144)
New Resource: aws_redshift_resource_policy (#34149)
New Resource: aws_verifiedaccess_endpoint (#30763)

ENHANCEMENTS:

resource/aws_amplify_app: Add custom_headers argument (#31561)
resource/aws_batch_job_definition: Add node_properties argument (#34153)
resource/aws_finspace_kx_cluster: In-place updates are now supported for the code, database, and initialization_script arguments. The update timeout has been increased to 30 minutes. (#34220)
resource/aws_iot_topic_rule: Add kafka.header and error_action.kafka.header arguments (#34191)
resource/aws_networkmanager_connect_attachment: Add NO_ENCAP as a valid options.protocol value (#34109)
resource/aws_networkmanager_connect_peer: Add subnet_arn argument to support Tunnel-less Connect attachments (#34109)
resource/aws_networkmanager_connect_peer: inside_cidr_blocks is Optional (#34109)
resource/aws_rds_cluster: Remove the provider default (previously, "1") and use the AWS default for backup_retention_period (also, "1") to allow integration with AWS Backup (#34187)
resource/aws_redshift_cluster: Add snapshot_arn argument (#34181)
resource/aws_redshift_cluster: Add the manage_master_password and master_password_secret_kms_key_id arguments to support managed admin credentials (#34182)
resource/aws_s3_object: Add override_provider configuration block, allowing tags inherited from the provider default_tags configuration block to be ignored (#33262)
resource/aws_secretsmanager_secret_rotation: The rotation_lambda_arn argument is now optional to support modifying the rotation schedule of AWS-managed secrets. (#34180)

BUG FIXES:

data-source/aws_vpc_ipam_pools: Add id attribute for individual IPAM pools (#32133)
resource/aws_alb_listener_rule: Fixed the action.forward.target_group argument minimum item requirement. Previously this was set to 2, but the AWS API allows specifying a single target group. (#33727)
resource/aws_amplify_branch: Remove ForceNew from enable_performance_mode (#34141)
resource/aws_lb_listener_rule: Fixed the action.forward.target_group argument minimum item requirement. Previously this was set to 2, but the AWS API allows specifying a single target group. (#33727)
resource/aws_quicksight_analysis: Fix "expected type to be integer" errors in window_options.bounds.* argument validatation functions (#34230)
resource/aws_quicksight_dashboard: Fix "expected type to be integer" errors in window_options.bounds.* argument validatation functions (#34230)
resource/aws_quicksight_template: Fix "expected type to be integer" errors in window_options.bounds.* argument validatation functions (#34230)
resource/aws_rds_cluster: Avoid an error on delete related to unexpected state 'scaling-compute' (#34187)

`v5.23.1`

Compare Source

BUG FIXES:

data-source/aws_lambda_function: Add vpc_config.ipv6_allowed_for_dual_stack attribute, fixing Invalid address to set: []string{"vpc_config", "0", "ipv6_allowed_for_dual_stack"} errors (#34134)

`v5.23.0`

Compare Source

NOTES:

provider: This release includes an update to the AWS SDK for Go v2 with breaking type changes to several services: finspace, kafka, medialive, rds, s3control, timestreamwrite, and xray. These changes primarily affect how arguments with default values are serialized for outbound requests, changing scalar types to pointers. See this AWS SDK for Go V2 issue for additional context. The corresponding provider changes should make this breakfix transparent to users, but as with any breaking change there is the potential for missed edge cases. If errors are observed in the impacted resources, please link to this dependency update pull request in the bug report. (#34096)

FEATURES:

New Resource: aws_iot_domain_configuration (#24765)

ENHANCEMENTS:

data-source/aws_imagebuilder_image: Add image_scanning_configuration attribute (#34049)
resource/aws_config_config_rule: Add evaluation_mode attribute (#34033)
resource/aws_elasticache_replication_group: Add ip_discovery and network_type arguments (#34019)
resource/aws_imagebuilder_image: Add image_scanning_configuration configuration block (#34049)
resource/aws_kms_key: Add configurable timeouts (#34112)
resource/aws_lambda_function: Add vpc_config.ipv6_allowed_for_dual_stack argument (#34045)
resource/aws_lb: Add dns_record_client_routing_policy attribute to configure Availability Zonal DNS affinity on Network Load Balancer (NLB) (#33992)
resource/aws_lb_target_group: Add target_health_state configuration block (#34070)
resource/aws_lb_target_group: Remove default value (false) for connection_termination argument and mark as Computed, to support new default behavior for UDP/TCP_UDP target groups (#34070)
resource/aws_neptune_cluster: Add slowquery as a valid enable_cloudwatch_logs_exports value (#34053)

BUG FIXES:

provider/tags: Prevent crash when tags_all is null (#34073)
resource/aws_autoscaling_group: Fix error when launch_template name is updated. (#34086)
resource/aws_dms_s3_endpoint: Don't send the default value of false for add_trailing_padding_character, maintaining compatibility with older (pre-3.4.7) DMS engine versions (#34048)
resource/aws_ecs_task_definition: Add 0 as a valid value for volume.efs_volume_configuration.transit_encryption_port, preventing unexpected drift (#34020)
resource/aws_identitystore_group: Fix updating description attribute when it is changed (#34037)
resource/aws_iot_indexing_configuration: Add thing_indexing_configuration.filter attribute, resolving InvalidRequestException: NamedShadowNames Filter must not be empty for enabling NamedShadowIndexingMode errors (#26859)
resource/aws_storagegateway_gateway: Support the value 0 (representing Sunday) for maintenance_start_time.day_of_week (#34015)
resource/aws_verifiedaccess_group: Fix InvalidParameterValue: Policy Document cannot be provided when Policy Enabled is false or missing errors when updating policy_document (#34054)

`v5.22.0`

Compare Source

FEATURES:

New Data Source: aws_media_convert_queue (#27075)
New Resource: aws_elasticsearch_vpc_endpoint (#33925)
New Resource: aws_msk_replicator (#33973)

ENHANCEMENTS:

data-source/aws_ec2_client_vpn_endpoint: Add self_service_portal_url attribute (#34007)
resource/aws_alb: Support import of name_prefix argument (#33852)
resource/aws_alb_target_group: Support import of name_prefix argument (#33852)
resource/aws_cloudfront_public_key: Support import of name_prefix argument (#33852)
resource/aws_db_option_group: Support import of name_prefix argument (#33852)
resource/aws_docdb_cluster: Support import of cluster_identifier_prefix argument (#33852)
resource/aws_docdb_cluster_instance: Support import of identifier_prefix argument (#33852)
resource/aws_docdb_cluster_parameter_group: Support import of name_prefix argument (#33852)
resource/aws_docdb_subnet_group: Support import of name_prefix argument (#33852)
resource/aws_ec2_client_vpn_endpoint: Add self_service_portal_url attribute (#34007)
resource/aws_elb: Support import of name_prefix argument (#33852)
resource/aws_emr_security_configuration: Support import of name_prefix argument (#33852)
resource/aws_iam_group_policy: Support import of name_prefix argument (#33852)
resource/aws_iam_role_policy: Support import of name_prefix argument (#33852)
resource/aws_iam_user_policy: Support import of name_prefix argument (#33852)
resource/aws_iot_provisioning_template: Add type attribute (#33950)
resource/aws_lb: Support import of name_prefix argument (#33852)
resource/aws_lb_target_group: Support import of name_prefix argument (#33852)
resource/aws_neptune_cluster: Support import of cluster_identifier_prefix argument (#33852)
resource/aws_neptune_cluster_instance: Support import of identifier_prefix argument (#33852)
resource/aws_neptune_cluster_parameter_group: Support import of name_prefix argument (#33852)
resource/aws_neptune_event_subscription: Support import of name_prefix argument (#33852)
resource/aws_pinpoint_app: Support import of name_prefix argument (#33852)
resource/aws_rds_cluster: Support import of cluster_identifier_prefix argument (#33852)
resource/aws_rds_cluster_instance: Support import of identifier_prefix argument (#33852)
resource/aws_signer_signing_profile: Support import of name_prefix argument (#33852)
resource/aws_signer_signing_profile_permission: Add signer:SignPayload as a valid action value (#33852)
resource/aws_signer_signing_profile_permission: Support import of statement_id_prefix argument (#33852)
resource/aws_transfer_server: Change pre_authentication_login_banner and post_authentication_login_banner length limits to 4096 (#33937)
resource/aws_wafv2_web_acl: Add ja3_fingerprint to field_to_match configuration blocks (#33933)

BUG FIXES:

data-source/aws_dms_certificate: Fix crash when certificate not found (#34012)
resource/aws_cloudformation_stack: Fix error when computed values are not set when there is no update (#33969)
resource/aws_codecommit_repository: Doesn't force replacement when renaming (#32207)
resource/aws_db_instance: Creating resource from snapshot or point-in-time recovery now handles manage_master_user_password and master_user_secret_kms_key_id attributes correctly (#33699)
resource/aws_elasticache_replication_group: Fix error when switching engine_version from 6.x to a specific 6.<digit> version number (#33954)
resource/aws_iam_role: Fix refreshing permission_boundary when deleted outside of Terraform (#33963)
resource/aws_iam_user: Fix refreshing permission_boundary when deleted outside of Terraform (#33963)
resource/aws_inspector2_enabler: Fix Value at 'resourceTypes' failed to satisfy constraint errors (#33348)
resource/aws_neptune_cluster_instance: Remove ForceNew from engine_version (#33487)
resource/aws_neptune_cluster_parameter_group: Fix condition where defined cluster parameters with system default values are seen as updates (#33487)
resource/aws_s3_bucket_object_lock_configuration: Fix found resource errors on Delete (#33966)

`v5.21.0`

Compare Source

FEATURES:

New Data Source: aws_servicequotas_templates (#33871)
New Resource: aws_ec2_image_block_public_access (#33810)
New Resource: aws_guardduty_organization_configuration_feature (#33913)
New Resource: aws_servicequotas_template_association (#33725)
New Resource: aws_verifiedaccess_group (#33297)
New Resource: aws_verifiedaccess_instance_logging_configuration (#33864)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Add s3_settings.glue_catalog_generation attribute (#33778)
data-source/aws_msk_cluster: Add cluster_uuid attribute (#33805)
resource/aws_codedeploy_deployment_group: Add outdated_instances_strategy argument (#33844)
resource/aws_dms_endpoint: Add s3_settings.glue_catalog_generation attribute (#33778)
resource/aws_dms_s3_endpoint: Add glue_catalog_generation attribute (#33778)
resource/aws_docdb_cluster: Add allow_major_version_upgrade argument (#33790)
resource/aws_docdb_cluster_instance: Add copy_tags_to_snapshot argument (#31022)
resource/aws_dynamodb_table: Add import_table configuration block (#33802)
resource/aws_msk_cluster: Add cluster_uuid attribute (#33805)
resource/aws_msk_serverless_cluster: Add cluster_uuid attribute (#33805)
resource/aws_networkmanager_core_network: Add base_policy_document argument (#33712)
resource/aws_redshiftserverless_workgroup: Allow require_ssl and use_fips_ssl config_parameters keys (#33916)
resource/aws_s3_bucket: Use configurable timeout for resource Delete (#33845)
resource/aws_verifiedaccess_instance: Add fips_enabled argument (#33880)
resource/aws_vpclattice_target_group: Add config.lambda_event_structure_version argument (#33804)
resource/aws_vpclattice_target_group: Make config.port, config.protocol and config.vpc_identifier optional (#33804)
resource/aws_wafv2_web_acl: Add aws_managed_rules_acfp_rule_set to managed_rule_group_configs configuration block (#33915)

BUG FIXES:

provider: Respect valid values for the AWS_S3_US_EAST_1_REGIONAL_ENDPOINT environment variable when configuring the S3 API client (#33874)
resource/aws_appflow_connector_profile: Fix various crashes (#33856)
resource/aws_db_parameter_group: Group names containing periods (.) no longer fail validation (#33704)
resource/aws_opensearchserverless_collection: Fix crash when error is returned (#33918)
resource/aws_rds_cluster_parameter_group: Group names containing periods (.) no longer fail validation (#33704)

`v5.20.1`

Compare Source

NOTES:

provider: Build with Terraform Plugin Framework v1.4.1, fixing potential initialization errors when using v1.6 of the Terraform CLI.

`v5.20.0`

Compare Source

FEATURES:

New Resource: aws_guardduty_detector_feature (#31463)
New Resource: aws_servicequotas_template (#33688)
New Resource: aws_sesv2_account_vdm_attributes (#33705)
New Resource: aws_verifiedaccess_instance_trust_provider_attachment (#33734)

ENHANCEMENTS:

data-source/aws_guardduty_detector: Add features attribute (#31463)
resource/aws_finspace_kx_cluster: Increase default creation timeout to 45 minutes, default deletion timeout to 60 minutes (#33745)
resource/aws_finspace_kx_environment: Increase default deletion timeout to 45 minutes (#33745)
resource/aws_guardduty_filter: Add plan-time validation of name (#21030)
resource/aws_kinesis_firehose_delivery_stream: Add opensearchserverless_configuration and msk_source_configuration configuration blocks (#33101)
resource/aws_kinesis_firehose_delivery_stream: Add opensearchserverless as a valid destination value (#33101)

BUG FIXES:

data-source/aws_fsx_ontap_storage_virtual_machine: Fix crash when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is not configured (#33800)
resource/aws_ec2_transit_gateway_route : Fix TGW route search filter to avoid routes being missed when more than 1,000 static routes are in a TGW route table (#33765)
resource/aws_fsx_ontap_storage_virtual_machine: Fix crash when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is not configured (#33800)
resource/aws_medialive_channel: Fix VPC settings flatten/expand/docs. (#33558)
resource/aws_vpc_endpoint: Set dns_options.dns_record_ip_type to Computed to prevent diffs (#33743)

`v5.19.0`

Compare Source

BREAKING CHANGES:

data-source/aws_s3_bucket_object: Following migration to AWS SDK for Go v2, the metadata attribute's keys are always returned in lowercase (#33660)
data-source/aws_s3_object: Following migration to AWS SDK for Go v2, the metadata attribute's keys are always returned in lowercase (#33660)

NOTES:

data-source/aws_s3_bucket_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#33660)
data-source/aws_s3_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#33660)
resource/aws_iam_*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. (#33570)

FEATURES:

New Resource: aws_cleanrooms_configured_table (#33602)
New Resource: aws_dms_replication_config (#32908)
New Resource: aws_lexv2models_bot (#33475)
New Resource: aws_rds_custom_db_engine_version (#33285)
New Resource: aws_vpclattice_service_network (#30482)

ENHANCEMENTS:

data-source/aws_opensearch_domain: Add off_peak_window_options attribute (#30965)
resource/aws_cloud9_environment_ec2: Add ubuntu-22.04-x86_64 and resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64 as valid values for image_id (#33662)
resource/aws_fsx_ontap_volume: Add bypass_snaplock_enterprise_retention argument and snaplock_configuration configuration block to support SnapLock (#32530)
resource/aws_fsx_ontap_volume: Add copy_tags_to_backups and snapshot_policy arguments (#32530)
resource/aws_fsx_openzfs_volume: Add delete_volume_options argument (#32530)
resource/aws_lightsail_bucket: Add force_delete argument (#33586)
resource/aws_opensearch_domain: Add off_peak_window_options configuration block (#30965)
resource/aws_opensearch_outbound_connection: Add connection_properties, connection_mode and accept_connection arguments (#32990)
resource/aws_schemas_schema: Add JSONSchemaDraft4 schema type support (#33442)
resource/aws_wafv2_rule_group: Add rate_based_statement.custom_key configuration block (#33594)
resource/aws_wafv2_web_acl: Add rate_based_statement.custom_key configuration block (#33594)

BUG FIXES:

resource/aws_batch_job_queue: Correctly validates elements of compute_environments as ARNs (#33577)
resource/aws_cloudfront_continuous_deployment_policy: Fix IllegalUpdate errors when updating a staging aws_cloudfront_distribution that is part of continuous deployment (#33578)
resource/aws_cloudfront_distribution: Fix IllegalUpdate errors when updating a staging distribution associated with an aws_cloudfront_continuous_deployment_policy (#33578)
resource/aws_cloudfront_distribution: Fix PreconditionFailed errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#33578)
resource/aws_cloudfront_distribution: Fix StagingDistributionInUse errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#33578)
resource/aws_datasync_location_fsx_ontap_file_system: Correct handling of protocol.smb.domain, protocol.smb.user and protocol.smb.password (#33641)
resource/aws_glacier_vault_lock: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_iam_group_policy: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_iam_policy: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_iam_role: Fail validation if duplicated keys are found in assume_role_policy (#33570)
resource/aws_iam_role_policy: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_iam_user_policy: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_mediastore_container_policy: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_s3_bucket_policy: Fix intermittent couldn't find resource errors on resource Create (#33537)
resource/aws_ssoadmin_permission_set_inline_policy: Fail validation if duplicated keys are found in inline_policy (#33570)
resource/aws_transfer_access: Fail validation if duplicated keys are found in policy (#33570)
resource/aws_transfer_user: Fail validation if duplicated keys are found in policy (#33570)

`v5.18.1`

Compare Source

NOTES:

documentation: Duplicate CDKTF guides with differing file extensions have been removed to resolve failures in the provider release workflow. (#33630)

`v5.18.0`

Compare Source

FEATURES:

New Data Source: aws_fsx_ontap_file_system (#32503)
New Data Source: aws_fsx_ontap_storage_virtual_machine (#32621)
New Data Source: aws_fsx_ontap_storage_virtual_machines (#32624)
New Data Source: aws_organizations_organizational_unit (#33408)
New Resource: aws_opensearch_package (#33227)
New Resource: aws_opensearch_package_association (#33227)

ENHANCEMENTS:

resource/aws_fsx_ontap_storage_virtual_machine: Remove ForceNew from active_directory_configuration.self_managed_active_directory_configuration.domain_name, active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group and active_directory_configuration.self_managed_active_directory_configuration.organizational_unit_distinguished_name allowing an SVM to join AD after creation (#33466)

BUG FIXES:

data-source/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#33477)
resource/aws_db_instance: Fix so that storage_throughput can be changed when iops and allocated_storage are not changed (#33529)
resource/aws_db_option_group: Avoid erroneous differences being reported when an option port and/or version is not set (#33511)
resource/aws_fsx_ontap_storage_virtual_machine: Avoid recreating resource when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is configured (#33466)
resource/aws_fsx_ontap_storage_virtual_machine: Change file_system_id to ForceNew (#32621)
resource/aws_s3_bucket_accelerate_configuration: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#33531)
resource/aws_s3_bucket_policy: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#33531)
resource/aws_s3_bucket_versioning: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#33531)
resource/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#33477)

`v5.17.0`

Compare Source

NOTES:

data-source/aws_s3_object: Migration to AWS SDK for Go v2 means that the edge case of specifying a single / as the value for key is no longer supported (#33358)

FEATURES:

New Resource: aws_shield_application_layer_automatic_response (#33432)
New Resource: aws_verifiedaccess_instance (#33459)

ENHANCEMENTS:

data-source/aws_s3_object: Add checksum_mode argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#33358)
data-source/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id attribute (#33416)
resource/aws_s3_object: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#33358)
resource/aws_s3_object_copy: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#33358)
resource/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id argument to support cross-account Multi-Region Access Points (#33416)
resource/aws_s3control_multi_region_access_point: Add details.region.region attribute (#33416)
resource/aws_schemas_schema: Add JSONSchemaDraft4 schema type support (#35971)
resource/aws_transfer_connector: Add sftp_config argument and make as2_config optional (#32741)
resource/aws_wafv2_web_acl: Retry resource Update on WAFOptimisticLockException errors (#33432)

BUG FIXES:

resource/aws_dms_replication_task: Fix error when replication_task_settings is nil (#33456)
resource/aws_elasticache_cluster: Fix regression for redis engine types caused by the new transit_encryption_enabled argument (#33451)
resource/aws_neptune_cluster: Fix ignored kms_key_arn on restore from DB cluster snapshot (#33413)
resource/aws_servicecatalog_product: Allow import on provisioning_artifact_parameters attribute (#33448)
resource/aws_subnet: Fix destroy error when there is a lingering ENI for DMS (#33375)

`v5.16.2`

Compare Source

FEATURES:

New Data Source: aws_cognito_identity_pool (#33053)
New Resource: aws_verifiedaccess_trust_provider (#33195)

ENHANCEMENTS:

resource/aws_autoscaling_group: Change the default values of instance_refresh.preferences.scale_in_protected_instances and instance_refresh.preferences.standby_instances from Wait to the Amazon EC2 Auto Scaling console recommended value of Ignore (#33382)
resource/aws_s3control_object_lambda_access_point: Add alias attribute (#33388)

BUG FIXES:

resource/aws_autoscaling_group: Fix ValidationError errors when starting Auto Scaling group instance refresh (#33382)
resource/aws_iot_topic_rule: Fix InvalidParameter errors on Update with Kafka destinations (#33360)
resource/aws_lightsail_certificate: Fix validation of name (#33405)
resource/aws_lightsail_database: Fix validation of name (#33405)
resource/aws_lightsail_disk: Fix validation of name (#33405)
resource/aws_lightsail_instance: Fix validation of name (#33405)
resource/aws_lightsail_lb: Fix validation of lb_name (#33405)
resource/aws_lightsail_lb_attachment: Fix validation of lb_name (#33405)
resource/aws_lightsail_lb_certificate: Fix validation of lb_name (#33405)
resource/aws_lightsail_lb_certificate_attachment: Fix validation of lb_name (#33405)
resource/aws_lightsail_lb_https_redirection_policy: Fix validation of lb_name (#33405)
resource/aws_lightsail_lb_stickiness_policy: Fix validation of lb_name (#33405)

`v5.16.1`

Compare Source

BUG FIXES:

data-source/aws_efs_file_system: Fix Search returned 0 results errors when there are more than 101 file systems in the configured Region (#33336)
resource/aws_db_instance_automated_backups_replication: Fix unexpected state errors on resource Create (#33369)
resource/aws_glue_catalog_table: Fix removal of metadata_location and table_type parameters when updating Iceberg tables (#33374)
resource/aws_service_discovery_instance: Fix validation error "expected to match regular expression" (#33371)

`v5.16.0`

Compare Source

NOTES:

provider: Performance regression introduced in v5.14.0 should be largely mitigated (#33317)

FEATURES:

New Resource: aws_shield_drt_access_log_bucket_association (#33328)
New Resource: aws_shield_drt_access_role_arn_association (#33328)

ENHANCEMENTS:

data-source/aws_api_gateway_api_key: Add customer_id attribute (#33281)
data-source/aws_fsx_windows_file_system: Add disk_iops_configuration attribute (#33303)
data-source/aws_opensearch_domain: Add software_update_options attribute (#32234)
data-source/aws_s3_objects: Add request_payer argument and request_charged attribute (#33304)
data-source/aws_s3_objects: Add plan-time validation of encoding_type (#33304)
resource/aws_api_gateway_account: Add api_key_version and features attributes (#33279)
resource/aws_api_gateway_api_key: Add customer_id argument (#33281)
resource/aws_api_gateway_api_key: Allow updating name (#33281)
resource/aws_autoscaling_group: Add scale_in_protected_instances and standby_instances attributes to instance_refresh.preferences configuration block (#33310)
resource/aws_dms_endpoint: Add redshift-serverless as valid value for engine_name (#33316)
resource/aws_elasticache_cluster: Add transit_encryption_enabled argument, enabling in-transit encryption for Memcached clusters inside a VPC (#26987)
resource/aws_fsx_windows_file_system: Add disk_iops_configuration configuration block (#33303)
resource/aws_glue_catalog_table: Add open_table_format_input configuration block to support open table formats such as Apache Iceberg (#33274)
resource/aws_medialive_channel: Implement expand/flatten functions for automatic_input_failover_settings in input_attachments (#33129)
resource/aws_opensearch_domain: Add software_update_options attribute (#32234)
resource/aws_ssm_association: Add sync_compliance attribute (#23515)

BUG FIXES:

data-source/aws_identitystore_group: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#33311)
data-source/aws_identitystore_user: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#33311)
data-source/aws_s3_objects: Respect configured max_keys value if it's greater than 1000 (#33304)
resource/aws_api_gateway_account: Allow setting cloudwatch_role_arn to an empty value and set it correctly on Read, allowing its value to be determined on import (#33279)
resource/aws_fsx_ontap_file_system: Increase maximum value of disk_iops_configuration.iops to 160000 (#33263)
resource/aws_servicecatalog_principal_portfolio_association: Fix ResourceNotFoundException errors on resource Delete when configured principal_type is IAM_PATTERN (#32243)

`v5.15.0`

Compare Source

ENHANCEMENTS:

data-source/aws_efs_file_system: Add name attribute (#33243)
data-source/aws_lakeformation_data_lake_settings: Add read_only_admins attribute (#33189)
data-source/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled attribute (#33031)
resource/aws_cloudformation_stack_set: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,CallAs syntax for import block or terraform import command (#19092)
resource/aws_cloudformation_stack_set_instance: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,AccountID,Region,CallAs syntax for import block or terraform import command (#19092)
resource/aws_datasync_location_fsx_openzfs_file_system: Fix setting protocol: Invalid address to set errors (#33225)
resource/aws_efs_file_system: Add name attribute (#33243)
resource/aws_fsx_openzfs_file_system: Add endpoint_ip_address_range, preferred_subnet_id and route_table_ids arguments to support the Multi-AZ deployment type (#33245)
resource/aws_lakeformation_data_lake_settings: Add read_only_admins argument (#33189)
resource/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled argument (#33031)
resource/aws_wafv2_rule_group: Add name_prefix argument (#33206)
resource/aws_wafv2_web_acl: Add statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_atp_rule_set.enable_regex_in_path argument (#33217)

BUG FIXES:

provider: Correctly use old and new tag values when updating tags that are computed (#33226)
resource/aws_appflow_connector_profile: Fix validation on oauth2 in custom_connector_profile (#33192)
resource/aws_cloudformation_stack_set: Fix Can only set RetainStacksOnAccountRemoval if AutoDeployment is enabled errors (#19092)
resource/aws_cloudwatch_event_bus_policy: Fix error during plan when the associated aws_cloudwatch_event_bus resource is manually deleted (#33203)
resource/aws_codeartifact_domain: Change the type of asset_size_bytes to TypeString instead of TypeInt to prevent value out of range panic (#33220)
resource/aws_efs_file_system_policy: Retry IAM eventual consistency errors (#21734)
resource/aws_fsx_openzfs_file_system: Wait for administrative action completion when updating root volume (#33245)
resource/aws_iot_thing_type: Fix error during plan when resource is manually deleted (#33203)
resource/aws_kms_key: Fix tag propagation: timeout while waiting for state to become 'TRUE' errors when any tag value is empty ("") (#33226)
resource/aws_wafv2_web_acl: Prevent deletion of the AWS-managed ShieldMitigationRuleGroup rule on resource Update (#33216)

`v5.14.0`

Compare Source

NOTES:

data-source/aws_iam_policy_document: In some cases, statement.*.condition blocks with the same test and variable arguments were incorrectly handled by the provider. Since this results in unexpected IAM Policies being submitted to AWS, we have updated the logic to merge values lists in this case. This may cause existing IAM Policy documents to report a difference. However, those policies are likely not what was originally intended. (#33093)

FEATURES:

New Resource: aws_datasync_location_azure_blob (#32632)
New Resource: aws_datasync_location_fsx_ontap_file_system (#32632)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Fix crash when specified endpoint not found (#33158)
data-source/aws_dms_replication_instance: Add network_type attribute (#33158)
data-source/aws_ec2_network_insights_path: Add destination_arn and source_arn attributes (#33168)
resource/aws_dms_replication_instance: Add network_type argument (#33158)
resource/aws_ec2_network_insights_path: Add destination_arn and source_arn attributes (#33168)
resource/aws_finspace_kx_environment: Add transit_gateway_configuration.*.attachment_network_acl_configuration argument. (#33123)
resource/aws_medialive_channel: Updates schemas for selector_settings for audio_selector and selector_settings for caption_selector (#32714)
resource/aws_ssoadmin_account_assignment: Add configurable timeouts (#33121)
resource/aws_ssoadmin_customer_managed_policy_attachment: Add configurable timeouts (#33121)
resource/aws_ssoadmin_managed_policy_attachment: Add configurable timeouts (#33121)
resource/aws_ssoadmin_permission_set: Add configurable timeouts (#33121)
resource/aws_ssoadmin_permission_set_inline_policy: Add configurable timeouts (#33121)
resource/aws_ssoadmin_permissions_boundary_attachment: Add configurable timeouts (#33121)

BUG FIXES:

data-source/aws_iam_policy_document: Fix inconsistent handling of condition blocks with duplicated test and variable arguments (#33093)
resource/aws_ec2_host: Fixed a bug that caused resource recreation when specifying an outpost_arn without an asset_id (#33142)
resource/aws_ec2_network_insights_analysis: Fix setting forward_path_components: Invalid address to set errors (#33168)
resource/aws_ec2_network_insights_path: Avoid recreating resource when passing an ARN as source or destination (#33168)
resource/aws_ec2_network_insights_path: Retry AnalysisExistsForNetworkInsightsPath errors on resource Delete (#33168)
resource/aws_kms_key: Fix tag propagation: timeout while waiting for state to become 'TRUE' errors when ignore_tags has been configured (#33167)
resource/aws_licensemanager_license_configuration: Surface InvalidParameterValueException errors during resource Delete (#32845)
resource/aws_msk_cluster_policy: Fix Current cluster policy version needed for Update errors (#33118)
resource/aws_quicksight_analysis: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#33120)
resource/aws_quicksight_analysis: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#33122)
resource/aws_quicksight_analysis: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#33161)
resource/aws_quicksight_dashboard: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#33120)
resource/aws_quicksight_dashboard: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#33122)
resource/aws_quicksight_dashboard: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#33161)
resource/aws_quicksight_template: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#33120)
resource/aws_quicksight_template: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#33122)
resource/aws_quicksight_template: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#33161)
resource/aws_route53_zone: Skip disabling DNS SEC in unsupported partitions (#33103)
resource/aws_s3_object: Mark acl as Computed. This suppresses the diffs shown when migrating resources with no configured acl attribute value from v4.67.0 (or earlier) (#33138)
resource/aws_s3_object_copy: Mark acl as Computed. This suppresses the diffs shown when migrating resources with no configured acl attribute value from v4.67.0 (or earlier) (#33138)
resource/aws_securityhub_account: Remove default value (SECURITY_CONTROL) for control_finding_generator argument and mark as Computed (#33095)

`v5.13.1`

Compare Source

BUG FIXES:

resource/aws_lambda_layer_version: Change source_code_hash back to ForceNew. This fixes doesn't support update errors (#33097)
resource/aws_organizations_organization: Fix current Organization ID (o-xxxxxxxxxx) does not match errors on resource Read (#33091)

`v5.13.0`

Compare Source

FEATURES:

New Resource: aws_msk_cluster_policy (#32848)
New Resource: aws_opensearch_vpc_endpoint (#32435)
New Resource: aws_ram_sharing_with_organization (#25433)

ENHANCEMENTS:

data-source/aws_imagebuilder_image_pipeline: Add image_scanning_configuration attribute (#33005)
data-source/aws_ram_resource_share: Add resource_arns attribute (#22591)
provider: Adds the s3_us_east_1_regional_endpoint attribute to support using the regional S3 API endpoint in us-east-1. (#33024)
resource/aws_appstream_fleet: Retry ConcurrentModificationException errors during creation (#32958)
resource/aws_dms_endpoint: Add babelfish as an engine_name option (#32975)
resource/aws_imagebuilder_image_pipeline: Add image_scanning_configuration configuration block (#33005)
resource/aws_lb: Changes to security_groups for Network Load Balancers force a new resource if either the old or new set of security group IDs is empty (#32987)
resource/aws_rds_global_cluster: Add plan-time validation of global_cluster_identifier (#30996)

BUG FIXES:

data-source/aws_ecr_repository: Correctly set most_recent_image_tags when only a single image is found (#31757)
resource/aws_budgets_budget_action: No longer times out when creating a non-triggered action (#33015)
resource/aws_cloudformation_stack: Marks outputs as Computed when there are potential changes. (#33059)
resource/aws_cloudwatch_event_rule: Fix ARN-based partner event bus rule ID parsing error (#30293)
resource/aws_ecr_registry_scanning_configuration: Correctly delete rules on resource Update (#31449)
resource/aws_lambda_layer_version: Fix bug causing new version to be created on every apply when source_code_hash is used but not changed (#32535)
resource/aws_lb_listener_certificate: Remove from state when listener not found (#32412)
resource/aws_organizations_organization: Ensure that the Organization ID specified in terraform import is the current Organization (#31796)
resource/aws_quicksight_analysis: Adjust max length of definition.*.calculated_fields.*.expression to 32000 characters (#33012)
resource/aws_quicksight_analysis: Convert definition.*.calculated_fields to a set type, preventing persistent differences (#33040)
resource/aws_quicksight_analysis: Convert permissions argument to TypeSet, preventing persistent differences (#33023)
resource/aws_quicksight_analysis: Enable font_configuration to be set for table header styles (#33018)
resource/aws_quicksight_analysis: Enable font_configuration to be set for table header styles (#33018)
resource/aws_quicksight_analysis: Enable font_configuration to be set for table header styles (#33018)
resource/aws_quicksight_analysis: Raise limit for maximum allowed visuals blocks per sheet to 50 (#32856)
resource/aws_quicksight_dashboard: Adjust max length of definition.*.calculated_fields.*.expression to 32000 characters (#33012)
resource/aws_quicksight_dashboard: Convert definition.*.calculated_fields to a set type, preventing persistent differences (#33040)
resource/aws_quicksight_dashboard: Convert permissions argument to TypeSet, preventing persistent differences (#33023)
resource/aws_quicksight_data_set: Change permission attribute type from TypeList to TypeSet (#32984)
resource/aws_quicksight_template: Adjust max items of definition.*.calculated_fields to 500 (#33012)
resource/aws_quicksight_template: Adjust max length of definition.*.calculated_fields.*.expression to 32000 characters (#33012)
resource/aws_quicksight_template: Convert definition.*.calculated_fields to a set type, preventing persistent differences (#33040)
resource/aws_quicksight_template: Convert permissions argument to TypeSet, preventing persistent differences (#33023)
resource/aws_s3_bucket_logging: Fix perpetual drift when expected_bucket_owner is configured (#32989)
resource/aws_sagemaker_domain: Fix validation on s3_kms_key_id in sharing_settings and kms_key_id (#32661)
resource/aws_subnet: Fix allowing IPv6 to be enabled in an update after initial creation with IPv4 only (#32896)
resource/aws_wafv2_web_acl: Adds rule_group_reference_statement.rule_action_override.action_to_use.challenge argument (#31127)

`v5.12.0`

Compare Source

NOTES:

data-source/aws_codecatalyst_dev_environment: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#32886)
resource/aws_codecatalyst_dev_environment: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#32366)
resource/aws_codecatalyst_project: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#32883)
resource/aws_codecatalyst_source_repository: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#32899)

FEATURES:

New Data Source: aws_codecatalyst_dev_environment (#32886)
New Data Source: aws_ec2_transit_gateway_route_table_routes (#30771)
New Data Source: aws_msk_vpc_connection (#31062)
New Resource: aws_cloudfront_continuous_deployment_policy (#32936)
New Resource: aws_codecatalyst_dev_environment (#32366)
New Resource: aws_codecatalyst_project (#32883)
New Resource: aws_codecatalyst_source_repository (#32899)
New Resource: aws_msk_vpc_connection (#31062)

ENHANCEMENTS:

data-source/aws_instance: Add metadata_options.http_protocol_ipv6 attribute (#32759)
data-source/aws_rds_cluster: Add db_system_id attribute (#32846)
provider: Support il-central-1 as a valid AWS Region (#32878)
resource/aws_autoscaling_group: Add ignore_failed_scaling_activities argument (#32914)
resource/aws_cloudfront_distribution: Add continuous_deployment_policy_id and staging arguments to support continuous deployments (#32936)
resource/aws_cloudwatch_composite_alarm: Add actions_suppressor configuration block (#32751)
resource/aws_cloudwatch_events_target: Add sagemaker_pipeline_target argument (#32882)
resource/aws_fms_admin_account: Add configurable timeouts (#32860)
resource/aws_glue_crawler: Add hudi_target argument (#32898)
resource/aws_instance: Add http_protocol_ipv6 attribute to metadata_options configuration block (#32759)
resource/aws_lambda_event_source_mapping: Increased the maximum number of filters to 10 (#32890)
resource/aws_msk_broker: Add bootstrap_brokers_vpc_connectivity_sasl_iam, bootstrap_brokers_vpc_connectivity_sasl_scram and bootstrap_brokers_vpc_connectivity_tls attributes (#31062)
resource/aws_msk_broker: Add vpc_connectivity attribute to the broker_node_group_info.connectivity_info configuration block (#31062)
resource/aws_rds_cluster: Add db_system_id argument to support RDS Custom engine types (#32846)
resource/aws_rds_cluster_instance: Add custom_iam_instance_profile argument to allow RDS Custom users to specify an IAM Instance Profile for the RDS Cluster Instance (#32846)
resource/aws_rds_cluster_instance: Update engine plan-time validation to allow for RDS Custom engine types (#32846)

BUG FIXES:

data-source/aws_vpclattice_service: Avoid listing tags when the service has been shared to the current account via AWS Resource Access Manager (RAM) (#32939)
data-source/aws_vpclattice_service_network: Avoid listing tags when the service network has been shared to the current account via AWS Resource Access Manager (RAM) (#32939)
resource/aws_appstream_fleet: Increased upper limit of max_user_duration_in_seconds to 432000 (#32933)
resource/aws_cloudfront_distribution: Don't call UpdateDistribution API if only tags are updated (#32865)
resource/aws_db_instance: Fix crash creating resource with empty restore_to_point_in_time configuration block (#32928)
resource/aws_emr_cluster: Fix to allow empty args for bootstrap_action (#32956)
resource/aws_emr_instance_fleet: Fix fleet deletion failing for terminated clusters (#32866)
resource/aws_fms_policy: Prevent erroneous diffs on security_service_policy_data.managed_service_data (#32860)
resource/aws_instance: Fix InvalidParameterCombination: Network interfaces and an instance-level security groups may not be specified on the same request errors creating Instances with subnet_id configured and launch_template referencing an aws_launch_template with configured vpc_security_group_ids (#32854)
resource/aws_lb: Fix to avoid creating a load balancer with same name as an existing load balancer (#32941)

`v5.11.0`

Compare Source

FEATURES:

New Resource: aws_sagemaker_pipeline (#32527)

ENHANCEMENTS:

data-source/aws_cloudtrail_service_account: Add service account ID for il-central-1 AWS Region (#32840)
data-source/aws_db_cluster_snapshot: Add tags argument (#31602)
data-source/aws_db_instance: Add ability to filter by tags (#32740)
data-source/aws_db_instances: Add ability to filter by tags (#32740)
data-source/aws_db_snapshot: Add tags argument (#31600)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for il-central-1 AWS Region (#32840)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for il-central-1 AWS Region (#32840)
data-source/aws_s3_bucket: Add hosted zone ID for il-central-1 AWS Region (#32840)
data-source/aws_vpclattice_service: Add ability to find by name (#32177)
resource/aws_finspace_kx_cluster: Adjusted savedown_storage_configuration.size minimum value to 10 GB. (#32800)
resource/aws_lambda_function: Add support for python3.11 runtime value (#32729)
resource/aws_lambda_layer_version: Add support for python3.11 compatible_runtimes value (#32729)
resource/aws_networkfirewall_rule_group: Add support for REJECT action in stateful rule actions (#32746)
resource/aws_route_table: Allow an existing local route to be adopted or imported and the target to be updated (#32794)
resource/aws_sagemaker_endpoint: Add deployment_config.rolling_update_policy argument (#32418)
resource/aws_sagemaker_endpoint: Make deployment_config.blue_green_update_policy optional (#32418)

BUG FIXES:

data-source/aws_ecs_task_execution: Fixed bug that incorrectly mapped the value of container_overrides.memory to container_overrides.memory_reservation (#32793)
resource/aws_db_instance_automated_backups_replication: Fix unexpected state 'Pending' errors on resource Create (#31600)
resource/aws_ec2_transit_gateway_vpc_attachment: Change transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation to Computed (#32821)
resource/aws_emr_studio_session_mapping: Fix InvalidRequestException: IdentityId is invalid errors reading resources created with identity_name (#32416)
resource/aws_quicksight_analysis: Fix an error related to setting the value for definition.sheets.visuals.insight_visual.insight_configuration.computation (#32791)
resource/aws_quicksight_analysis: Fixed a bug that incorrectly determined the valid select_all_options values for custom_filter_configuration, custom_filter_list_configuration, filter_list_configuration, numeric_equality_filter, and numeric_range_filter (#32822)
resource/aws_quicksight_dashboard: Fix an error related to setting the value for definition.sheets.visuals.insight_visual.insight_configuration.computation (#32791)
resource/aws_quicksight_template: Fix an error related to setting the value for definition.sheets.visuals.insight_visual.insight_configuration.computation (#32791)
resource/aws_quicksight_template: Fixed a bug that incorrectly determined the valid select_all_options values for custom_filter_configuration, custom_filter_list_configuration, filter_list_configuration, numeric_equality_filter, and numeric_range_filter (#32822)
resource/aws_sfn_state_machine: Fix Provider produced inconsistent final plan errors for publish (#32844)

`v5.10.0`

Compare Source

FEATURES:

New Resource: aws_iam_security_token_service_preferences (#32091)

ENHANCEMENTS:

data-source/aws_nat_gateway: Add secondary_allocation_ids, secondary_private_ip_addresses and secondary_private_ip_address_count attributes (#31778)
data-source/aws_transfer_server: Add structured_log_destinations attribute (#32654)
resource/aws_batch_compute_environment: compute_resources.allocation_strategy, compute_resources.bid_percentage, compute_resources.ec2_configuration.image_id_override, compute_resources.ec2_configuration.image_type, compute_resources.ec2_key_pair, compute_resources.image_id, compute_resources.instance_role, compute_resources.launch_template.launch_template_id
, compute_resources.launch_template.launch_template_name, compute_resources.tags and compute_resources.type can now be updated in-place (#30438)
resource/aws_glue_job: Add command.runtime attribute (#32528)
resource/aws_grafana_workspace: Allow grafana_version to be updated in-place (#32679)
resource/aws_kms_grant: Allow usage of service principal as grantee and revoker (#32595)
resource/aws_medialive_channel: Adds schemas for caption_descriptions, global_configuration, motion_graphics_configuration, and nielsen_configuration support to encoder settings (#32233)
resource/aws_nat_gateway: Add secondary_allocation_ids, secondary_private_ip_addresses and secondary_private_ip_address_count arguments (#31778)
resource/aws_nat_gateway: Add configurable timeouts (#31778)
resource/aws_networkfirewall_firewall_policy: Add firewall_policy.policy_variables configuration block to support Suricata HOME_NET variable override (#32400)
resource/aws_sagemaker_domain: Add default_user_settings.canvas_app_settings.workspace_settings attribute (#32526)
resource/aws_sagemaker_user_profile: Add user_settings.canvas_app_settings.workspace_settings attribute (#32526)
resource/aws_transfer_server: Add structured_log_destinations argument (#32654)

BUG FIXES:

resource/aws_account_primary_contact: Correct plan-time validation of phone_number (#32715)
resource/aws_apigatewayv2_authorizer: Skip setting authorizer TTL when there are no identity sources (#32629)
resource/aws_elasticache_parameter_group: Remove from state on resource Read if deleted outside of Terraform (#32669)
resource/aws_elasticsearch_domain: Omit ebs_options.throughput and ebs_options.iops for unsupported volume types (#32659)
resource/aws_finspace_kx_cluster: database.cache_configurations.db_paths argument is now optional (#32579)
resource/aws_finspace_kx_cluster: database.cache_configurations argument is now optional (#32579)
resource/aws_lambda_invocation: Fix plan failing with deferred input values (#32706)
resource/aws_lightsail_domain_entry: Add support for AAAA type value (#32664)
resource/aws_opensearch_domain: Correctly handle off_peak_window_options.off_peak_window.window_start_time value of 00:00 (#32716)
resource/aws_quicksight_analysis: Fix exception thrown when setting the value for definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility (#32668)
resource/aws_quicksight_analysis: Grid layout optimized_view_port_width argument changed to Optional (#32644)
resource/aws_quicksight_dashboard: Fix exception thrown when setting the value for definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility (#32668)
resource/aws_quicksight_dashboard: Grid layout optimized_view_port_width argument changed to Optional (#32644)
resource/aws_quicksight_template: Fix exception thrown when setting the value for definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility (#32668)
resource/aws_quicksight_template: Grid layout optimized_view_port_width argument changed to Optional (#32644)
resource/aws_vpclattice_access_log_subscription: Avoid recreating resource when passing a non-wildcard CloudWatch Logs log group ARN as destination_arn (#32186)
resource/aws_vpclattice_access_log_subscription: Avoid recreating resource when passing an ARN as resource_identifier (#32186)
resource/aws_vpclattice_service_network_service_association: Avoid recreating resource when passing an ARN as service_identifier or service_network_identifier (#32658)
resource/aws_vpclattice_service_network_vpc_association: Avoid recreating resource when passing an ARN as service_network_identifier (#32658)

`v5.9.0`

Compare Source

FEATURES:

New Resource: aws_workspaces_connection_alias (#32482)

ENHANCEMENTS:

data-source/aws_appmesh_gateway_route: Add path to the spec.http_route.action.rewrite and spec.http2_route.action.rewrite configuration blocks (#32449)
data-source/aws_db_instance: Add max_allocated_storage attribute (#32477)
data-source/aws_ec2_host: Add asset_id attribute (#32388)
resource/aws_appmesh_gateway_route: Add path to the spec.http_route.action.rewrite and spec.http2_route.action.rewrite configuration blocks (#32449)
resource/aws_cloudformation_stack_set_instance: Added the stack_instance_summaries attribute to track all account and stack IDs for deployments to organizational units. (#24523)
resource/aws_cloudformation_stack_set_instance: Changes to deployment_targets now force a new resource. (#24523)
resource/aws_connect_queue: add delete function (#32538)
resource/aws_connect_routing_profile: add delete function (#32540)
resource/aws_db_instance: Add backup_target attribute (#32609)
resource/aws_ec2_host: Add asset_id argument (#32388)
resource/aws_ec2_traffic_mirror_filter_rule: Fix crash when updating rule_number (#32594)
resource/aws_lightsail_key_pair: Add tags attribute (#32606)
resource/aws_signer_signing_profile: Add signing_material attribute. (#32414)
resource/aws_signer_signing_profile: Update platform_id validation. (#32414)
resource/aws_wafv2_web_acl: Add association_config argument (#31668)

BUG FIXES:

data-source/aws_dms_replication_instance: Fixed bug that caused replication_instance_private_ips, replication_instance_public_ips, and vpc_security_group_ids to always return null (#32551)
data-source/aws_mq_broker: Fix setting user: Invalid address to set errors (#32593)
data-source/aws_vpc_endpoint: Add dns_options.private_dns_only_for_inbound_resolver_endpoint (#32517)
resource/aws_appflow_flow: Fix tasks not updating properly due to empty task being processed (#26614)
resource/aws_cloudformation_stack_set_instance: Fix error when deploying to organizational units with no accounts. (#24523)
resource/aws_cognito_user_pool: Suppress diff when schema.string_attribute_constraints is omitted for String attribute types (#32445)
resource/aws_config_config_rule: Prevent crash from unhandled read error (#32520)
resource/aws_datasync_agent: Prevent persistent diffs when private_link_endpoint is not explicitly configured. (#32546)
resource/aws_globalaccelerator_custom_routing_endpoint_group: Respect configured endpoint_group_region value on resource Create (#32393)
resource/aws_pipes_pipe: Fix Error: setting target_parameters: Invalid address to set errors when creating pipes with ecs task targets (#32432)
resource/aws_pipes_pipe: Fix ValidationException errors when updating pipe (#32622)
resource/aws_quicksight_analysis: Correctly expand comparison method (#32285)
resource/aws_quicksight_group_membership: Allow non default value for namespace (#32494)
resource/aws_route53_cidr_location: Fix Value Conversion Error errors (#32596)
resource/aws_wafv2_web_acl: Fixed error handling response_inspection parameters (#31111)

`v5.8.0`

Compare Source

ENHANCEMENTS:

data-source/aws_ssm_parameter: Add insecure_value attribute (#30817)
resource/aws_fms_policy: Add policy_option attribute for security_service_policy_data block (#25362)
resource/aws_iam_virtual_mfa_device: Add enable_date and user_name attributes (#32462)

BUG FIXES:

resource/aws_config_config_rule: Prevent crash on nil describe output (#32439)
resource/aws_mq_broker: default replication_user to false (#32454)
resource/aws_quicksight_analysis: Fix exception thrown when specifying definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range (#32464)
resource/aws_quicksight_analysis: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility (#32464)
resource/aws_quicksight_analysis: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows (#32464)
resource/aws_quicksight_dashboard: Fix exception thrown when specifying definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range (#32464)
resource/aws_quicksight_dashboard: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility (#32464)
resource/aws_quicksight_dashboard: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows (#32464)
resource/aws_quicksight_template: Fix exception thrown when specifying definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range (#32464)
resource/aws_quicksight_template: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility (#32464)
resource/aws_quicksight_template: Fix exception thrown when specifying definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows (#32464)

`v5.7.0`

Compare Source

FEATURES:

New Data Source: aws_opensearchserverless_security_config (#32321)
New Data Source: aws_opensearchserverless_security_policy (#32226)
New Data Source: aws_opensearchserverless_vpc_endpoint (#32276)
New Resource: aws_cleanrooms_collaboration (#31680)

ENHANCEMENTS:

resource/aws_aws_keyspaces_table: Add client_side_timestamps configuration block (#32339)
resource/aws_glue_catalog_database: Add target_database.region argument (#32283)
resource/aws_glue_crawler: Add iceberg_target configuration block (#32332)
resource/aws_internetmonitor_monitor: Add health_events_config configuration block (#32343)
resource/aws_lambda_function: Support code_signing_config_arn in the ap-east-1 AWS Region (#32327)
resource/aws_qldb_stream: Add configurable Create and Delete timeouts (#32345)
resource/aws_service_discovery_private_dns_namespace: Allow description to be updated in-place (#32342)
resource/aws_service_discovery_public_dns_namespace: Allow description to be updated in-place (#32342)
resource/aws_timestreamwrite_table: Add schema configuration block (#32354)

BUG FIXES:

provider: Correctly handle forbidden_account_ids (#32352)
resource/aws_kms_external_key: Correctly remove all tags (#32371)
resource/aws_kms_key: Correctly remove all tags (#32371)
resource/aws_kms_replica_external_key: Correctly remove all tags (#32371)
resource/aws_kms_replica_key: Correctly remove all tags (#32371)
resource/aws_secretsmanager_secret_rotation: Fix InvalidParameterException: You cannot specify both rotation frequency and schedule expression together errors on resource Update (#31915)
resource/aws_ssm_parameter: Skip Update if only overwrite parameter changes (#32372)
resource/aws_vpc_endpoint: Fix InvalidParameter: PrivateDnsOnlyForInboundResolverEndpoint not supported for this service errors creating S3 Interface VPC endpoints (#32355)

`v5.6.2`

Compare Source

BUG FIXES:

resource/aws_s3_bucket: Fix InvalidArgument: Invalid attribute name specified errors when listing S3 Bucket objects, caused by an AWS SDK for Go regression (#32317)

`v5.6.1`

Compare Source

BUG FIXES:

provider: Prevent resource recreation if tags or tags_all are updated (#32297)

`v5.6.0`

Compare Source

FEATURES:

New Data Source: aws_opensearchserverless_access_policy (#32231)
New Data Source: aws_opensearchserverless_collection (#32247)
New Data Source: aws_sfn_alias (#32176)
New Data Source: aws_sfn_state_machine_versions (#32176)
New Resource: aws_ec2_instance_connect_endpoint (#31858)
New Resource: aws_sfn_alias (#32176)
New Resource: aws_transfer_agreement (#32203)
New Resource: aws_transfer_certificate (#32203)
New Resource: aws_transfer_connector (#32203)
New Resource: aws_transfer_profile (#32203)

ENHANCEMENTS:

resource/aws_batch_compute_environment: Add placement_group attribute to the compute_resources configuration block (#32200)
resource/aws_emrserverless_application: Do not recreate the resource if release_label changes (#32278)
resource/aws_fis_experiment_template: Add log_configuration configuration block (#32102)
resource/aws_fis_experiment_template: Add parameters attribute to the target configuration block (#32160)
resource/aws_fis_experiment_template: Add support for Pods and Tasks to action.*.target (#32152)
resource/aws_lambda_event_source_mapping: The queues argument has changed from a set to a list with a maximum of one element. (#31931)
resource/aws_pipes_pipe: Add activemq_broker_parameters, dynamodb_stream_parameters, kinesis_stream_parameters, managed_streaming_kafka_parameters, rabbitmq_broker_parameters, self_managed_kafka_parameters and sqs_queue_parameters attributes to the source_parameters configuration block. NOTE: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#31607)
resource/aws_pipes_pipe: Add batch_job_parameters, cloudwatch_logs_parameters, ecs_task_parameters, eventbridge_event_bus_parameters, http_parameters, kinesis_stream_parameters, lambda_function_parameters, redshift_data_parameters, sagemaker_pipeline_parameters, sqs_queue_parameters and step_function_state_machine_parameters attributes to the target_parameters configuration block. NOTE: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#31607)
resource/aws_pipes_pipe: Add enrichment_parameters argument (#31607)
resource/aws_resourcegroups_group: resource_query no longer conflicts with configuration (#30242)
resource/aws_s3_bucket_logging: Retry on empty read of logging config (#30916)
resource/aws_sfn_state_machine: Add description, publish, revision_id, state_machine_version_arn and version_description attributes (#32176)

BUG FIXES:

resource/aws_db_instance: Fix resource Create returning instances not in the available state when identifier_prefix is specified (#32287)
resource/aws_resourcegroups_resource: Fix crash when resource Create fails (#30242)
resource/aws_route: Fix reading Route in Route Table (rtb-1234abcd) with destination (1.2.3.4/5): couldn't find resource errors when reading new resource (#32196)
resource/aws_vpc_security_group_egress_rule: security_group_id is Required (#32148)
resource/aws_vpc_security_group_ingress_rule: security_group_id is Required (#32148)

`v5.5.0`

Compare Source

NOTES:

provider: Updates to Go 1.20, the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. A future release will update to Go 1.21, and these platforms will no longer be supported. (#32108)
provider: Updates to Go 1.20, the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. A future release will update to Go 1.21, and these platforms will no longer be supported. (#32108)
provider: Updates to Go 1.20. The provider will now notice the trust-ad option in /etc/resolv.conf and, if set, will set the "authentic data" option in outgoing DNS requests in order to better match the behavior of the GNU libc resolver. (#32108)

FEATURES:

New Data Source: aws_sesv2_email_identity (#32026)
New Data Source: aws_sesv2_email_identity_mail_from_attributes (#32026)
New Resource: aws_chimesdkvoice_sip_rule (#32070)
New Resource: aws_organizations_resource_policy (#32056)

ENHANCEMENTS:

data-source/aws_organizations_organization: Return the full set of attributes when running as a delegated administrator for AWS Organizations (#32056)
provider: Mask all sensitive values that appear when TF_LOG level is TRACE (#32174)
resource/aws_config_configuration_recorder: Add exclusion_by_resource_types and recording_strategy attributes to the recording_group configuration block (#32007)
resource/aws_datasync_task: Add object_tags attribute to options configuration block (#27811)
resource/aws_networkmanager_attachment_accepter: Added support for Transit Gateway route table attachments (#32023)
resource/aws_ses_active_receipt_rule_set: Support import (#27604)

BUG FIXES:

resource/aws_api_gateway_rest_api: Fix crash when binary_media_types is null (#32169)
resource/aws_datasync_location_object_storage: Don't ignore server_certificate argument (#27811)
resource/aws_eip: Fix reading EC2 EIP (eipalloc-abcd1234): couldn't find resource errors when reading new resource (#32016)
resource/aws_quicksight_analysis: Fix schema mapping for string set elements (#31903)
resource/aws_redshiftserverless_workgroup: Fix waiting for completion: unexpected state 'AVAILABLE' errors when deleting resource (#32067)
resource/aws_route_table: Fix reading Route Table (rtb-abcd1234): couldn't find resource errors when reading new resource (#30999)
resource/aws_storagegateway_smb_file_share: Fix update error when kms_encrypted is true but kms_key_arn is not sent in the request (#32171)

`v5.4.0`

Compare Source

FEATURES:

New Data Source: aws_organizations_policies (#31545)
New Data Source: aws_organizations_policies_for_target (#31682)
New Resource: aws_chimesdkvoice_sip_media_application (#31937)
New Resource: aws_opensearchserverless_collection (#31091)
New Resource: aws_opensearchserverless_security_config (#28776)
New Resource: aws_opensearchserverless_vpc_endpoint (#28651)

ENHANCEMENTS:

resource/aws_elb: Add configurable Create and Update timeouts (#31976)
resource/aws_glue_data_quality_ruleset: Add catalog_id argument to target_table block (#31926)

BUG FIXES:

provider: Fix index out of range [0] with length 0 panic (#32004)
resource/aws_elb: Recreate the resource if subnets is updated to an empty list (#31976)
resource/aws_lambda_provisioned_concurrency_config: The function_name argument now properly handles ARN values (#31933)
resource/aws_quicksight_data_set: Allow physical table map to be optional (#31863)
resource/aws_ssm_default_patch_baseline: Fix *conns.AWSClient is not ssm.ssmClient: missing method SSMClient panic (#31928)

`v5.3.0`

Compare Source

NOTES:

resource/aws_instance: The metadata_options.http_endpoint argument now correctly defaults to enabled. (#24774)
resource/aws_lambda_function: The replace_security_groups_on_destroy and replacement_security_group_ids attributes are being deprecated as AWS no longer supports this operation. These attributes now have no effect, and will be removed in a future major version. (#31904)

FEATURES:

New Data Source: aws_quicksight_theme (#31900)
New Resource: aws_opensearchserverless_access_policy (#28518)
New Resource: aws_opensearchserverless_security_policy (#28470)
New Resource: aws_quicksight_theme (#31900)

ENHANCEMENTS:

data-source/aws_redshift_cluster: Add cluster_namespace_arn attribute (#31884)
resource/aws_redshift_cluster: Add cluster_namespace_arn attribute (#31884)
resource/aws_vpc_endpoint: Add private_dns_only_for_inbound_resolver_endpoint attribute to the dns_options configuration block (#31873)

BUG FIXES:

resource/aws_ecs_task_definition: Fix to prevent persistent diff when efs_volume_configuration has both root_volume and authorization_config set. (#26880)
resource/aws_instance: Fix default for metadata_options.http_endpoint argument. (#24774)
resource/aws_keyspaces_keyspace: Correct plan time validation for name (#31352)
resource/aws_keyspaces_table: Correct plan time validation for keyspace_name, table_name and column names (#31352)
resource/aws_quicksight_analysis: Fix assignment of KPI visual field well target values (#31901)
resource/aws_redshift_cluster: Allow availability_zone_relocation_enabled to be true when publicly_accessible is true (#31886)
resource/aws_vpc: Fix reading EC2 VPC (vpc-abcd1234) Attribute (enableDnsSupport): couldn't find resource errors when reading new resource (#31877)

`v5.2.0`

Compare Source

NOTES:

resource/aws_mwaa_environment: Upgrading your environment to a new major version of Apache Airflow forces replacement of the resource (#31833)

FEATURES:

New Data Source: aws_budgets_budget (#31691)
New Data Source: aws_ecr_pull_through_cache_rule (#31696)
New Data Source: aws_guardduty_finding_ids (#31711)
New Data Source: aws_iam_principal_policy_simulation (#25569)
New Resource: aws_chimesdkvoice_global_settings (#31365)
New Resource: aws_finspace_kx_cluster (#31806)
New Resource: aws_finspace_kx_database (#31803)
New Resource: aws_finspace_kx_environment (#31802)
New Resource: aws_finspace_kx_user (#31804)

ENHANCEMENTS:

data/aws_ec2_transit_gateway_connect_peer: Add bgp_peer_address and bgp_transit_gateway_addresses attributes (#31752)
provider: Adds retry_mode parameter (#31745)
resource/aws_chime_voice_connector: Add tagging support (#31746)
resource/aws_ec2_transit_gateway_connect_peer: Add bgp_peer_address and bgp_transit_gateway_addresses attributes (#31752)
resource/aws_ec2_transit_gateway_route_table_association: Add replace_existing_association argument (#31452)
resource/aws_fis_experiment_template: Add support for Volumes to actions.*.target (#31499)
resource/aws_instance: Add instance_market_options configuration block and instance_lifecycle and spot_instance_request_id attributes (#31495)
resource/aws_lambda_function: Add support for ruby3.2 runtime value (#31842)
resource/aws_lambda_layer_version: Add support for ruby3.2 compatible_runtimes value (#31842)
resource/aws_mwaa_environment: Consider CREATING_SNAPSHOT a valid pending state for resource update (#31833)
resource/aws_networkfirewall_firewall_policy: Add stream_exception_policy option to firewall_policy.stateful_engine_options (#31541)
resource/aws_redshiftserverless_workgroup: Additional supported values for config_parameter.parameter_key (#31747)
resource/aws_sagemaker_model: Add container.model_package_name and primary_container.model_package_name arguments (#31755)

BUG FIXES:

data-source/aws_redshift_cluster: Fix crash reading clusters in modifying state (#31772)
provider/default_tags: Fix perpetual diff when identical tags are moved from default_tags to resource tags, and vice versa (#31826)
resource/aws_autoscaling_group: Ignore any Failed scaling activities due to IAM eventual consistency (#31282)
resource/aws_dx_connection: Convert vlan_id from TypeString to TypeInt in Terraform state for existing resources. This fixes a regression introduced in v5.1.0 causing a number is required errors (#31735)
resource/aws_globalaccelerator_endpoint_group: Fix bug updating endpoint_configuration.weight to 0 (#31767)
resource/aws_medialive_channel: Fix spelling in hls_cdn_settings expander. (#31844)
resource/aws_redshiftserverless_namespace: Fix perpetual iam_roles diffs when the namespace contains a workgroup (#31749)
resource/aws_redshiftserverless_workgroup: Change config_parameter from TypeList to TypeSet as order is not significant (#31747)
resource/aws_redshiftserverless_workgroup: Fix ValidationException: Can't update multiple configurations at the same time errors (#31747)
resource/aws_vpc_endpoint: Fix tagging error preventing use in ISO partitions (#31801)

`v5.1.0`

Compare Source

BREAKING CHANGES:

resource/aws_iam_role: The role_last_used attribute has been removed. Use the aws_iam_role data source instead. (#31656)

NOTES:

resource/aws_autoscaling_group: The load_balancers and target_group_arns attributes have been changed to Computed. This means that omitting this argument is interpreted as ignoring any existing load balancer or target group attachments. To remove all load balancer or target group attachments an empty list should be specified. (#31527)
resource/aws_iam_role: The role_last_used attribute has been removed. Use the aws_iam_role data source instead. See the community feedback provided in the linked issue for additional justification on this change. As the attribute is read-only, unlikely to be used as an input to another resource, and available in the corresponding data source, a breaking change in a minor version was deemed preferable to a long deprecation/removal cycle in this circumstance. (#31656)
resource/aws_redshift_cluster: Ignores the parameter aqua_configuration_status, since the AWS API ignores it. Now always returns auto. (#31612)

FEATURES:

New Data Source: aws_vpclattice_resource_policy (#31372)
New Resource: aws_autoscaling_traffic_source_attachment (#31527)
New Resource: aws_emrcontainers_job_template (#31399)
New Resource: aws_glue_data_quality_ruleset (#31604)
New Resource: aws_quicksight_analysis (#31542)
New Resource: aws_quicksight_dashboard (#31448)
New Resource: aws_resourcegroups_resource (#31430)

ENHANCEMENTS:

data-source/aws_autoscaling_group: Add traffic_source attribute (#31527)
data-source/aws_opensearch_domain: Add off_peak_window_options attribute (#35970)
provider: Increases size of HTTP request bodies in logs to 1 KB (#31718)
resource/aws_appsync_graphql_api: Add visibility argument (#31369)
resource/aws_appsync_graphql_api: Add plan time validation for log_config.cloudwatch_logs_role_arn (#31369)
resource/aws_autoscaling_group: Add traffic_source configuration block (#31527)
resource/aws_cloudformation_stack_set: Add managed_execution argument (#25210)
resource/aws_fsx_ontap_volume: Add skip_final_backup argument (#31544)
resource/aws_fsx_ontap_volume: Remove default value for security_style argument and mark as Computed (#31544)
resource/aws_fsx_ontap_volume: Update ontap_volume_type attribute to be configurable (#31544)
resource/aws_fsx_ontap_volume: junction_path is Optional (#31544)
resource/aws_fsx_ontap_volume: storage_efficiency_enabled is Optional (#31544)
resource/aws_grafana_workspace: Increase default Create and Update timeouts to 30 minutes (#31422)
resource/aws_lambda_invocation: Add lifecycle_scope CRUD to invoke on each resource state transition (#29367)
resource/aws_lambda_layer_version_permission: Add skip_destroy attribute (#29571)
resource/aws_lambda_provisioned_concurrency_configuration: Add skip_destroy argument (#31646)
resource/aws_opensearch_domain: Add off_peak_window_options configuration block (#35970)
resource/aws_sagemaker_endpoint_configuration: Add and shadow_production_variants.serverless_config.provisioned_concurrency arguments (#31398)
resource/aws_transfer_server: Add support for TransferSecurityPolicy-2023-05 security_policy_name value (#31536)

BUG FIXES:

data-source/aws_dx_connection: Fix the vlan_id being returned as null (#31480)
provider/tags: Fix crash when some tags are null and others are computed (#31687)
provider: Limits size of HTTP response bodies in logs to 4 KB (#31718)
resource/aws_autoscaling_group: Fix The AutoRollback parameter cannot be set to true when the DesiredConfiguration parameter is empty errors when refreshing instances (#31715)
resource/aws_autoscaling_group: Now ignores previous failed scaling activities (#31551)
resource/aws_cloudfront_distribution: Remove the upper limit on origin_keepalive_timeout (#31608)
resource/aws_connect_instance: Fix crash when reading instances with CREATION_FAILED status (#31689)
resource/aws_connect_security_profile: Set correct tags in state (#31716)
resource/aws_dx_connection: Fix the vlan_id being returned as null (#31480)
resource/aws_ecs_service: Fix crash when just alarms is updated (#31683)
resource/aws_fsx_ontap_volume: Change storage_virtual_machine_id to ForceNew (#31544)
resource/aws_fsx_ontap_volume: Change volume_type to ForceNew (#31544)
resource/aws_kendra_index: Persist user_group_resolution_mode value to state after creation (#31669)
resource/aws_medialive_channel: Fix attribute spelling in hls_cdn_settings expand (#31647)
resource/aws_quicksight_data_set: Fix join_instruction not applied when creating dataset (#31424)
resource/aws_quicksight_data_set: Ignore failure to read refresh properties for non-SPICE datasets (#31488)
resource/aws_rbin_rule: Fix crash when multiple resource_tags blocks are configured (#31393)
resource/aws_rds_cluster: Correctly update db_cluster_instance_class (#31709)
resource/aws_redshift_cluster: No longer errors on deletion when status is Maintenance (#31612)
resource/aws_route53_vpc_association_authorization: Fix ConcurrentModification error (#31588)
resource/aws_s3_bucket_replication_configuration: Replication configs sometimes need more than a second or two. This resolves a race condition and adds retry logic when reading them. (#30995)

`v5.0.1`

Compare Source

BUG FIXES:

provider/tags: Fix crash when tags are null (#31587)

`v5.0.0`

Compare Source

BREAKING CHANGES:

data-source/aws_api_gateway_rest_api: minimum_compression_size is now a string type to allow values set via the body attribute to be properly computed. (#30969)
data-source/aws_connect_hours_of_operation: The hours_of_operation_arn attribute has been removed (#31484)
data-source/aws_db_instance: With the retirement of EC2-Classic the db_security_groups attribute has been removed (#30966)
data-source/aws_elasticache_cluster: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
data-source/aws_elasticache_replication_group: Remove number_cache_clusters, replication_group_description arguments -- use num_cache_clusters, and description, respectively, instead (#31008)
data-source/aws_iam_policy_document: Don't add empty statement.sid values to json attribute value (#28539)
data-source/aws_iam_policy_document: source_json and override_json have been removed -- use source_policy_documents and override_policy_documents, respectively, instead (#30829)
data-source/aws_identitystore_group: The filter argument has been removed (#31312)
data-source/aws_identitystore_user: The filter argument has been removed (#31312)
data-source/aws_launch_configuration: With the retirement of EC2-Classic the vpc_classic_link_id and vpc_classic_link_security_groups attributes have been removed (#30966)
data-source/aws_redshift_cluster: With the retirement of EC2-Classic the cluster_security_groups attribute has been removed (#30966)
data-source/aws_secretsmanager_secret: The rotation_enabled, rotation_lambda_arn and rotation_rules attributes have been removed (#31487)
data-source/aws_vpc_peering_connection: With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link attributes have been removed (#30966)
provider: The assume_role.duration_seconds, assume_role_with_web_identity.duration_seconds, s3_force_path_style, shared_credentials_file and skip_get_ec2_platforms attributes have been removed (#31155)
provider: The aws_subnet_ids data source has been removed (#31140)
provider: With the retirement of EC2-Classic the aws_db_security_group resource has been removed (#30966)
provider: With the retirement of EC2-Classic the aws_elasticache_security_group resource has been removed (#30966)
provider: With the retirement of EC2-Classic the aws_redshift_security_group resource has been removed (#30966)
provider: With the retirement of Macie Classic the aws_macie_member_account_association resource has been removed (#31058)
provider: With the retirement of Macie Classic the aws_macie_s3_bucket_association resource has been removed (#31058)
resource/aws_acmpca_certificate_authority: The status attribute has been removed (#31084)
resource/aws_api_gateway_rest_api: minimum_compression_size is now a string type to allow values set via the body attribute to be properly computed. (#30969)
resource/aws_autoscaling_attachment: alb_target_group_arn has been removed -- use lb_target_group_arn instead (#30828)
resource/aws_autoscaling_group: Remove deprecated tags attribute (#30842)
resource/aws_budgets_budget: The cost_filters attribute has been removed (#31395)
resource/aws_ce_anomaly_subscription: The threshold attribute has been removed (#30374)
resource/aws_cloudwatch_event_target: The ecs_target.propagate_tags attribute now has no default value (#25233)
resource/aws_codebuild_project: The secondary_sources.auth and source.auth attributes have been removed (#31483)
resource/aws_connect_hours_of_operation: The hours_of_operation_arn attribute has been removed (#31484)
resource/aws_connect_queue: The quick_connect_ids_associated attribute has been removed (#31376)
resource/aws_connect_routing_profile: The queue_configs_associated attribute has been removed (#31376)
resource/aws_db_instance: Remove name - use db_name instead (#31232)
resource/aws_db_instance: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
resource/aws_db_instance: id is no longer the AWS database identifier - id is now the dbi-resource-id. Refer to identifier instead of id to use the database's identifier (#31232)
resource/aws_default_vpc: With the retirement of EC2-Classic the enable_classiclink and enable_classiclink_dns_support attributes have been removed (#30966)
resource/aws_dms_endpoint: s3_settings.ignore_headers_row has been removed (#30452)
resource/aws_docdb_cluster: snapshot_identifier change now properly forces replacement (#29409)
resource/aws_ec2_client_vpn_endpoint: The status attribute has been removed (#31223)
resource/aws_ec2_client_vpn_network_association: The security_groups attribute has been removed (#31396)
resource/aws_ec2_client_vpn_network_association: The status attribute has been removed (#31223)
resource/aws_ecs_cluster: The capacity_providers and default_capacity_provider_strategy attributes have been removed (#31346)
resource/aws_eip: With the retirement of EC2-Classic the standard domain is no longer supported (#30966)
resource/aws_eip_association: With the retirement of EC2-Classic the standard domain is no longer supported (#30966)
resource/aws_elasticache_cluster: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
resource/aws_elasticache_replication_group: Remove availability_zones, number_cache_clusters, replication_group_description arguments -- use preferred_cache_cluster_azs, num_cache_clusters, and description, respectively, instead (#31008)
resource/aws_elasticache_replication_group: Remove cluster_mode configuration block -- use top-level num_node_groups and replicas_per_node_group instead (#31008)
resource/aws_kinesis_firehose_delivery_stream: Remove s3_configuration attribute from the root of the resource. s3_configuration is now a part of the following blocks: elasticsearch_configuration, opensearch_configuration, redshift_configuration, splunk_configuration, and http_endpoint_configuration (#31138)
resource/aws_kinesis_firehose_delivery_stream: Remove s3 as an option for destination. Use extended_s3 instead (#31138)
resource/aws_kinesis_firehose_delivery_stream: Rename extended_s3_configuration.0.s3_backup_configuration.0.buffer_size and extended_s3_configuration.0.s3_backup_configuration.0.buffer_interval to extended_s3_configuration.0.s3_backup_configuration.0.buffering_size and extended_s3_configuration.0.s3_backup_configuration.0.buffering_interval, respectively (#31141)
resource/aws_kinesis_firehose_delivery_stream: Rename redshift_configuration.0.s3_backup_configuration.0.buffer_size and redshift_configuration.0.s3_backup_configuration.0.buffer_interval to redshift_configuration.0.s3_backup_configuration.0.buffering_size and redshift_configuration.0.s3_backup_configuration.0.buffering_interval, respectively (#31141)
resource/aws_kinesis_firehose_delivery_stream: Rename s3_configuration.0.buffer_size and s3_configuration.0.buffer_internval to s3_configuration.0.buffering_size and s3_configuration.0.buffering_internval, respectively (#31141)
resource/aws_launch_configuration: With the retirement of EC2-Classic the vpc_classic_link_id and vpc_classic_link_security_groups attributes have been removed (#30966)
resource/aws_lightsail_instance: The ipv6_address attribute has been removed (#31489)
resource/aws_medialive_multiplex_program: The statemux_settings attribute has been removed. Use statmux_settings argument instead (#31034)
resource/aws_msk_cluster: The broker_node_group_info.ebs_volume_size attribute has been removed (#31324)
resource/aws_neptune_cluster: snapshot_identifier change now properly forces replacement (#29409)
resource/aws_networkmanager_core_network: Removed policy_document argument -- use aws_networkmanager_core_network_policy_attachment resource instead (#30875)
resource/aws_rds_cluster: The engine argument is now required and has no default (#31112)
resource/aws_rds_cluster: snapshot_identifier change now properly forces replacement (#29409)
resource/aws_rds_cluster_instance: The engine argument is now required and has no default (#31112)
resource/aws_redshift_cluster: With the retirement of EC2-Classic the cluster_security_groups attribute has been removed (#30966)
resource/aws_route: instance_id can no longer be set in configurations. Use network_interface_id instead, for example, setting network_interface_id to aws_instance.test.primary_network_interface_id. (#30804)
resource/aws_route_table: route.*.instance_id can no longer be set in configurations. Use route.*.network_interface_id instead, for example, setting network_interface_id to aws_instance.test.primary_network_interface_id. (#30804)
resource/aws_secretsmanager_secret: The rotation_enabled, rotation_lambda_arn and rotation_rules attributes have been removed (#31487)
resource/aws_security_group: With the retirement of EC2-Classic non-VPC security groups are no longer supported (#30966)
resource/aws_security_group_rule: With the retirement of EC2-Classic non-VPC security groups are no longer supported (#30966)
resource/aws_servicecatalog_product: Changes to any provisioning_artifact_parameters arguments now properly trigger a replacement. This fixes incorrect behavior, but may technically be breaking for configurations expecting non-functional in-place updates. (#31061)
resource/aws_vpc: With the retirement of EC2-Classic the enable_classiclink and enable_classiclink_dns_support attributes have been removed (#30966)
resource/aws_vpc_peering_connection: With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link attributes have been removed (#30966)
resource/aws_vpc_peering_connection_accepter: With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link attributes have been removed (#30966)
resource/aws_vpc_peering_connection_options: With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link attributes have been removed (#30966)
resource/aws_wafv2_web_acl: The statement.managed_rule_group_statement.excluded_rule and statement.rule_group_reference_statement.excluded_rule attributes have been removed (#31374)
resource/aws_wafv2_web_acl_logging_configuration: The redacted_fields.all_query_arguments, redacted_fields.body and redacted_fields.single_query_argument attributes have been removed (#31486)

NOTES:

data-source/aws_elasticache_replication_group: Update configurations to use description instead of the replication_group_description argument (#31008)
data-source/aws_elasticache_replication_group: Update configurations to use num_cache_clusters instead of the number_cache_clusters argument (#31008)
data-source/aws_opensearch_domain: The kibana_endpoint attribute has been deprecated. All configurations using kibana_endpoint should be updated to use the dashboard_endpoint attribute instead (#31490)
data-source/aws_quicksight_data_set: The tags_all attribute has been deprecated and will be removed in a future version (#31162)
data-source/aws_redshift_service_account: The aws_redshift_service_account data source has been deprecated and will be removed in a future version. AWS documentation states that a service principal name should be used instead of an AWS account ID in any relevant IAM policy (#31006)
data-source/aws_service_discovery_service: The tags_all attribute has been deprecated and will be removed in a future version (#31162)
resource/aws_api_gateway_rest_api: Update configurations with minimum_compression_size set to pass the value as a string. Valid values remain the same. (#30969)
resource/aws_autoscaling_attachment: Update configurations to use lb_target_group_arn instead of alb_target_group_arn which has been removed (#30828)
resource/aws_db_event_subscription: Configurations that define source_ids using the id attribute of aws_db_instance must be updated to use identifier instead - for example, source_ids = [aws_db_instance.example.id] must be updated to source_ids = [aws_db_instance.example.identifier] (#31232)
resource/aws_db_instance: Configurations that define replicate_source_db using the id attribute of aws_db_instance must be updated to use identifier instead - for example, replicate_source_db = aws_db_instance.example.id must be updated to replicate_source_db = aws_db_instance.example.identifier (#31232)
resource/aws_db_instance: The change of what id is, namely, a DBI Resource ID now versus DB Identifier previously, has far-reaching consequences. Configurations that refer to, for example, aws_db_instance.example.id will now have errors and must be changed to use identifier instead, for example, aws_db_instance.example.identifier (#31232)
resource/aws_db_instance_role_association: Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead - for example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier (#31232)
resource/aws_db_proxy_target: Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead - for example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier (#31232)
resource/aws_db_snapshot: Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead - for example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier (#31232)
resource/aws_docdb_cluster: Changes to the snapshot_identifier attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. (#29409)
resource/aws_dx_gateway_association: The vpn_gateway_id attribute has been deprecated. All configurations using vpn_gateway_id should be updated to use the associated_gateway_id attribute instead (#31384)
resource/aws_elasticache_replication_group: Update configurations to use description instead of the replication_group_description argument (#31008)
resource/aws_elasticache_replication_group: Update configurations to use num_cache_clusters instead of the number_cache_clusters argument (#31008)
resource/aws_elasticache_replication_group: Update configurations to use preferred_cache_cluster_azs instead of the availability_zones argument (#31008)
resource/aws_elasticache_replication_group: Update configurations to use top-level num_node_groups and replicas_per_node_group instead of cluster_mode.0.num_node_groups and cluster_mode.0.replicas_per_node_group, respectively (#31008)
resource/aws_flow_log: The log_group_name attribute has been deprecated. All configurations using log_group_name should be updated to use the log_destination attribute instead (#31382)
resource/aws_guardduty_organization_configuration: The auto_enable argument has been deprecated. Use the auto_enable_organization_members argument instead. (#30736)
resource/aws_neptune_cluster: Changes to the snapshot_identifier attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. (#29409)
resource/aws_networkmanager_core_network: Update configurations to use the aws_networkmanager_core_network_policy_attachment resource instead of the policy_document argument (#30875)
resource/aws_opensearch_domain: The engine_version attribute no longer has a default value. When omitted, the underlying AWS API will use the latest OpenSearch engine version. (#31568)
resource/aws_opensearch_domain: The kibana_endpoint attribute has been deprecated. All configurations using kibana_endpoint should be updated to use the dashboard_endpoint attribute instead (#31490)
resource/aws_rds_cluster: Changes to the snapshot_identifier attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. (#29409)
resource/aws_rds_cluster: Configurations not including the engine argument must be updated to include engine as it is now required. Previously, not including engine was equivalent to engine = "aurora" and created a MySQL-5.6-compatible cluster (#31112)
resource/aws_rds_cluster_instance: Configurations not including the engine argument must be updated to include engine as it is now required. Previously, not including engine was equivalent to engine = "aurora" and created a MySQL-5.6-compatible cluster instance (#31112)
resource/aws_route: Since instance_id can no longer be set in configurations, use network_interface_id instead. For example, set network_interface_id to aws_instance.test.primary_network_interface_id. (#30804)
resource/aws_route_table: Since route.*.instance_id can no longer be set in configurations, use route.*.network_interface_id instead. For example, set network_interface_id to aws_instance.test.primary_network_interface_id. (#30804)
resource/aws_ssm_association: The instance_id attribute has been deprecated. All configurations using instance_id should be updated to use the targets attribute instead (#31380)

ENHANCEMENTS:

provider: Allow computed tags on resources (#30793)
provider: Allow default_tags and resource tags to include zero values "" (#30793)
provider: Duplicate default_tags can now be included and will be overwritten by resource tags (#30793)
resource/aws_db_instance: Updates to identifier and identifier_prefix will no longer cause the database instance to be destroyed and recreated (#31232)
resource/aws_eip: Deprecate vpc attribute. Use domain instead (#31567)
resource/aws_guardduty_organization_configuration: Add auto_enable_organization_members attribute (#30736)
resource/aws_kinesis_firehose_delivery_stream: Add s3_configuration to elasticsearch_configuration, opensearch_configuration, redshift_configuration, splunk_configuration, and http_endpoint_configuration (#31138)
resource/aws_opensearch_domain: Removed engine_version default value (#31568)
resource/aws_wafv2_web_acl: Support rule_action_override on rule_group_reference_statement (#31374)

BUG FIXES:

resource/aws_ecs_capacity_provider: Allow an instance_warmup_period of 0 in the auto_scaling_group_provider.managed_scaling configuration block (#24005)
resource/aws_launch_template: Remove default values in metadata_options to allow default condition (#30545)
resource/aws_s3_bucket: Fix bucket_regional_domain_name not including region for buckets in us-east-1 (#25724)
resource/aws_s3_object: Remove acl default in order to work with S3 buckets that have ACL disabled (#27197)
resource/aws_s3_object_copy: Remove acl default in order to work with S3 buckets that have ACL disabled (#27197)
resource/aws_servicecatalog_product: Changes to provisioning_artifact_parameters arguments now properly trigger a replacement (#31061)
resource/aws_vpc_peering_connection: Fix crash in vpcPeeringConnectionOptionsEqual (#30966)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://github.com/hashicorp/terraform-provider-aws)) | required_provider | major | `4.67.0` -> `6.19.0` | --- ### Release Notes <details> <summary>hashicorp/terraform-provider-aws (aws)</summary> ### [`v6.19.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6190-October-30-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.18.0...v6.19.0) FEATURES: - **New Data Source:** `aws_ecrpublic_images` ([#44795](https://github.com/hashicorp/terraform-provider-aws/issues/44795)) - **New Resource:** `aws_lakeformation_identity_center_configuration` ([#44867](https://github.com/hashicorp/terraform-provider-aws/issues/44867)) ENHANCEMENTS: - action/aws\_lambda\_invoke: Output logs in a progress message when `log_type` is `Tail` ([#44843](https://github.com/hashicorp/terraform-provider-aws/issues/44843)) - data-source/aws\_imagebuilder\_image\_recipe: Add `ami_tags` attribute ([#44731](https://github.com/hashicorp/terraform-provider-aws/issues/44731)) - data-source/aws\_lb\_listener\_rule: Add `regex_values` attribute to `condition.host_header`, `condition.http_header` and `condition.path_pattern` blocks ([#44741](https://github.com/hashicorp/terraform-provider-aws/issues/44741)) - data-source/aws\_lb\_listener\_rule: Add `transform` attribute ([#44702](https://github.com/hashicorp/terraform-provider-aws/issues/44702)) - resource/aws\_bedrockagentcore\_gateway: Add validator to ensure correct `authorizer_configuration` and `authorizer_type` config ([#44826](https://github.com/hashicorp/terraform-provider-aws/issues/44826)) - resource/aws\_emrserverless\_application: Add `monitoring_configuration` argument ([#43317](https://github.com/hashicorp/terraform-provider-aws/issues/43317)) - resource/aws\_emrserverless\_application: Add `runtime_configuration` argument ([#43302](https://github.com/hashicorp/terraform-provider-aws/issues/43302)) - resource/aws\_identitystore\_group: Adds `arn` attribute. ([#44867](https://github.com/hashicorp/terraform-provider-aws/issues/44867)) - resource/aws\_imagebuilder\_image\_recipe: Add `ami_tags` argument ([#44731](https://github.com/hashicorp/terraform-provider-aws/issues/44731)) - resource/aws\_lb\_listener\_rule: Add `regex_values` argument to `condition.host_header`, `condition.http_header` and `condition.path_pattern` blocks ([#44741](https://github.com/hashicorp/terraform-provider-aws/issues/44741)) - resource/aws\_lb\_listener\_rule: Add `transform` configuration block ([#44702](https://github.com/hashicorp/terraform-provider-aws/issues/44702)) - resource/aws\_lb\_listener\_rule: The `values` argument in `condition.host_header`, `condition.http_header` and `condition.path_pattern` is now optional ([#44741](https://github.com/hashicorp/terraform-provider-aws/issues/44741)) - resource/aws\_quicksight\_data\_set: Increase upper limit of `physical_table_map.relational_table.name` from 64 to 256 characters ([#44807](https://github.com/hashicorp/terraform-provider-aws/issues/44807)) - resource/aws\_sagemaker\_notebook\_instance: Add `notebook-al2023-v1` to valid `platform_identifier` values ([#44570](https://github.com/hashicorp/terraform-provider-aws/issues/44570)) - resource/aws\_sqs\_queue: Remove `account_id` and `region` from Resource Identity schema ([#44846](https://github.com/hashicorp/terraform-provider-aws/issues/44846)) - resource/aws\_sqs\_queue\_policy: Remove `account_id` and `region` from Resource Identity schema ([#44846](https://github.com/hashicorp/terraform-provider-aws/issues/44846)) - resource/aws\_sqs\_queue\_redrive\_allow\_policy: Remove `account_id` and `region` from Resource Identity schema ([#44846](https://github.com/hashicorp/terraform-provider-aws/issues/44846)) - resource/aws\_sqs\_queue\_redrive\_policy: Remove `account_id` and `region` from Resource Identity schema ([#44846](https://github.com/hashicorp/terraform-provider-aws/issues/44846)) BUG FIXES: - data-source/aws\_lakeformation\_permissions: Allows IAM Identity Center Groups as `principal`. ([#44867](https://github.com/hashicorp/terraform-provider-aws/issues/44867)) - provider: Fix crash when setting override region during provider initialization ([#44860](https://github.com/hashicorp/terraform-provider-aws/issues/44860)) - resource/aws\_bedrockagentcore\_gateway: Change `authorizer_configuration` block from `Required` to `Optional` ([#44812](https://github.com/hashicorp/terraform-provider-aws/issues/44812)) - resource/aws\_bedrockagentcore\_gateway: Mark `authorizer_type` argument as `ForceNew` ([#44812](https://github.com/hashicorp/terraform-provider-aws/issues/44812)) - resource/aws\_lakeformation\_permissions: Allows IAM Identity Center Groups as `principal`. ([#44867](https://github.com/hashicorp/terraform-provider-aws/issues/44867)) ### [`v6.18.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6180-October-23-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.17.0...v6.18.0) NOTES: - data-source/aws\_organizations\_organization: The `accounts.status` and `non_master_accounts.status` attributes are deprecated. Use the `accounts.state` and `non_master_accounts.state` attributes instead. ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - data-source/aws\_organizations\_organizational\_unit\_child\_accounts: The `accounts.status` attribute is deprecated. Use `accounts.state` instead. ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - data-source/aws\_organizations\_organizational\_unit\_descendant\_accounts: The `accounts.status` attribute is deprecated. Use `accounts.state` instead. ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - resource/aws\_organizations\_account: The `status` attribute is deprecated. Use `state` instead. ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - resource/aws\_organizations\_organization: The `accounts.status` and `non_master_accounts.status` attributes are deprecated. Use the `accounts.state` and `non_master_accounts.state` attributes instead. ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) FEATURES: - **New Resource:** `aws_bedrockagentcore_memory` ([#44306](https://github.com/hashicorp/terraform-provider-aws/issues/44306)) - **New Resource:** `aws_bedrockagentcore_memory_strategy` ([#44306](https://github.com/hashicorp/terraform-provider-aws/issues/44306)) - **New Resource:** `aws_bedrockagentcore_oauth2_credential_provider` ([#44307](https://github.com/hashicorp/terraform-provider-aws/issues/44307)) - **New Resource:** `aws_bedrockagentcore_token_vault_cmk` ([#44606](https://github.com/hashicorp/terraform-provider-aws/issues/44606)) - **New Resource:** `aws_bedrockagentcore_workload_identity` ([#44308](https://github.com/hashicorp/terraform-provider-aws/issues/44308)) ENHANCEMENTS: - data-source/aws\_iam\_policy: Adds validation for `path_prefix` attribute ([#44703](https://github.com/hashicorp/terraform-provider-aws/issues/44703)) - data-source/aws\_organizations\_organization: Add `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` and `non_master_accounts` blocks ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - data-source/aws\_organizations\_organizational\_unit\_child\_accounts: Add `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` block ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - data-source/aws\_organizations\_organizational\_unit\_descendant\_accounts: Add `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` block ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - resource/aws\_appstream\_directory\_config: Add `certificate_based_auth_properties` argument ([#44679](https://github.com/hashicorp/terraform-provider-aws/issues/44679)) - resource/aws\_iam\_policy: Adds List support ([#44703](https://github.com/hashicorp/terraform-provider-aws/issues/44703)) - resource/aws\_iam\_policy: Adds validation for `path` attribute ([#44703](https://github.com/hashicorp/terraform-provider-aws/issues/44703)) - resource/aws\_iam\_role\_policy\_attachment: Adds List support ([#44739](https://github.com/hashicorp/terraform-provider-aws/issues/44739)) - resource/aws\_odb\_network: Add `delete_associated_resources` attribute to enable practitioner to delete associated oci resource. ([#44754](https://github.com/hashicorp/terraform-provider-aws/issues/44754)) - resource/aws\_organizations\_account: Add `state` attribute ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) - resource/aws\_organizations\_organization: Add `state`, `joined_method`, and `joined_timestamp` attributes to the `accounts` and `non_master_accounts` blocks ([#44327](https://github.com/hashicorp/terraform-provider-aws/issues/44327)) BUG FIXES: - data-source/aws\_vpn\_connection: Properly set `tags` attribute ([#44761](https://github.com/hashicorp/terraform-provider-aws/issues/44761)) - resource/aws\_rds\_cluster: Fix "When modifying Provisioned IOPS storage, specify a value for both allocated storage and iops" error when updating RDS clusters with Provisioned IOPS storage ([#44706](https://github.com/hashicorp/terraform-provider-aws/issues/44706)) - resource/guardduty\_detector\_feature: Fix `additional_configuration` block to ignore ordering ([#44627](https://github.com/hashicorp/terraform-provider-aws/issues/44627)) ### [`v6.17.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6170-October-16-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.16.0...v6.17.0) NOTES: - resource/aws\_quicksight\_account\_subscription: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing ([#44638](https://github.com/hashicorp/terraform-provider-aws/issues/44638)) FEATURES: - **New Data Source:** `aws_rds_global_cluster` ([#37286](https://github.com/hashicorp/terraform-provider-aws/issues/37286)) - **New Data Source:** `aws_vpn_connection` ([#44622](https://github.com/hashicorp/terraform-provider-aws/issues/44622)) - **New Resource:** `aws_bedrockagentcore_agent_runtime` ([#44301](https://github.com/hashicorp/terraform-provider-aws/issues/44301)) - **New Resource:** `aws_bedrockagentcore_agent_runtime_endpoint` ([#44301](https://github.com/hashicorp/terraform-provider-aws/issues/44301)) - **New Resource:** `aws_bedrockagentcore_api_key_credential_provider` ([#44302](https://github.com/hashicorp/terraform-provider-aws/issues/44302)) - **New Resource:** `aws_bedrockagentcore_browser` ([#44303](https://github.com/hashicorp/terraform-provider-aws/issues/44303)) - **New Resource:** `aws_bedrockagentcore_code_interpreter` ([#44304](https://github.com/hashicorp/terraform-provider-aws/issues/44304)) - **New Resource:** `aws_bedrockagentcore_gateway` ([#44305](https://github.com/hashicorp/terraform-provider-aws/issues/44305)) - **New Resource:** `aws_bedrockagentcore_gateway_target` ([#44305](https://github.com/hashicorp/terraform-provider-aws/issues/44305)) ENHANCEMENTS: - resource/aws\_imagebuilder\_container\_recipe: Update EBS `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes ([#44604](https://github.com/hashicorp/terraform-provider-aws/issues/44604)) - resource/aws\_imagebuilder\_image\_recipe: Update EBS `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes ([#44604](https://github.com/hashicorp/terraform-provider-aws/issues/44604)) - resource/aws\_launch\_template: Update EBS `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes ([#44604](https://github.com/hashicorp/terraform-provider-aws/issues/44604)) - resource/aws\_quicksight\_account\_subscription: Add `admin_pro_group`, `author_pro_group`, and `reader_pro_group` arguments ([#44638](https://github.com/hashicorp/terraform-provider-aws/issues/44638)) - resource/aws\_subnet: Adds List support ([#44671](https://github.com/hashicorp/terraform-provider-aws/issues/44671)) - resource/aws\_vpc: Adds List support ([#44609](https://github.com/hashicorp/terraform-provider-aws/issues/44609)) BUG FIXES: - resource/aws\_ec2\_transit\_gateway\_route\_table\_propagation.test: Fix bug causing `inconsistent final plan` errors ([#44542](https://github.com/hashicorp/terraform-provider-aws/issues/44542)) - resource/aws\_lambda\_function: Reset non-API attributes (`source_code_hash`, `s3_bucket`, `s3_key`, `s3_object_version` and `filename`) to their previous values when an update operation fails ([#42829](https://github.com/hashicorp/terraform-provider-aws/issues/42829)) ### [`v6.16.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6160-October-9-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.15.0...v6.16.0) FEATURES: - **New Action:** `aws_transcribe_start_transcription_job` ([#44445](https://github.com/hashicorp/terraform-provider-aws/issues/44445)) - **New Data Source:** `aws_odb_cloud_autonomous_vm_clusters` ([#44336](https://github.com/hashicorp/terraform-provider-aws/issues/44336)) - **New Data Source:** `aws_odb_cloud_exadata_infrastructures` ([#44336](https://github.com/hashicorp/terraform-provider-aws/issues/44336)) - **New Data Source:** `aws_odb_cloud_vm_clusters` ([#44336](https://github.com/hashicorp/terraform-provider-aws/issues/44336)) - **New Data Source:** `aws_odb_network_peering_connections` ([#44336](https://github.com/hashicorp/terraform-provider-aws/issues/44336)) - **New Data Source:** `aws_odb_networks` ([#44336](https://github.com/hashicorp/terraform-provider-aws/issues/44336)) - **New Resource:** `aws_prometheus_resource_policy` ([#44256](https://github.com/hashicorp/terraform-provider-aws/issues/44256)) - **New Resource:** `aws_transfer_host_key` ([#44559](https://github.com/hashicorp/terraform-provider-aws/issues/44559)) - **New Resource:** `aws_transfer_web_app` ([#42708](https://github.com/hashicorp/terraform-provider-aws/issues/42708)) - **New Resource:** `aws_transfer_web_app_customization` ([#42708](https://github.com/hashicorp/terraform-provider-aws/issues/42708)) ENHANCEMENTS: - resource/aws\_codebuild\_project: Add `auto_retry_limit` argument ([#40035](https://github.com/hashicorp/terraform-provider-aws/issues/40035)) - resource/aws\_emrserverless\_application: Add `scheduler_configuration` block ([#44589](https://github.com/hashicorp/terraform-provider-aws/issues/44589)) - resource/aws\_lambda\_event\_source\_mapping: Add `schema_registry_config` configuration blocks to `amazon_managed_kafka_event_source_config` and `self_managed_kafka_event_source_config` blocks ([#44540](https://github.com/hashicorp/terraform-provider-aws/issues/44540)) - resource/aws\_ssmcontacts\_contact: Add resource identity support ([#44548](https://github.com/hashicorp/terraform-provider-aws/issues/44548)) - resource/aws\_vpclattice\_resource\_gateway: Add `ipv4_addresses_per_eni` argument ([#44560](https://github.com/hashicorp/terraform-provider-aws/issues/44560)) BUG FIXES: - provider: Correctly validate AWS European Sovereign Cloud Regions in ARNs ([#44573](https://github.com/hashicorp/terraform-provider-aws/issues/44573)) - provider: Fix `Missing Resource Identity After Update` errors for non-refreshed and failed updates of Plugin Framework based resources ([#44518](https://github.com/hashicorp/terraform-provider-aws/issues/44518)) - provider: Fix `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values for Plugin Framework based resources ([#44518](https://github.com/hashicorp/terraform-provider-aws/issues/44518)) - resource/aws\_datazone\_environment: Correctly updates `glossary_terms`. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Prevents `unknown value` error when optional `account_identifier` is not specified. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Prevents `unknown value` error when optional `account_region` is not specified. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Prevents error when updating. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Prevents occasional `unexpected state` error when deleting. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Properly passes `blueprint_identifier` on creation. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Sets values for `user_parameters` when importing. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_environment: Values in `user_parameters` should not be updateable. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_project: No longer ignores errors when deleting. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_datazone\_project: No longer returns error when already deleting. ([#44491](https://github.com/hashicorp/terraform-provider-aws/issues/44491)) - resource/aws\_dynamodb\_table: Do not retry on `LimitExceededException` ([#44576](https://github.com/hashicorp/terraform-provider-aws/issues/44576)) - resource/aws\_ivschat\_room: Set `maximum_message_rate_per_second` validation maximum to `100` ([#44572](https://github.com/hashicorp/terraform-provider-aws/issues/44572)) - resource/aws\_launch\_template: `kms_key_id` validation now accepts key ID, alias, and alias ARN in addition to key ARN ([#44505](https://github.com/hashicorp/terraform-provider-aws/issues/44505)) - resource/aws\_servicecatalog\_portfolio\_share: Add global mutex lock around create and delete operations to prevent `ThrottlingException` errors ([#24730](https://github.com/hashicorp/terraform-provider-aws/issues/24730)) ### [`v6.15.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6150-October-2-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.14.1...v6.15.0) BREAKING CHANGES: - resource/aws\_ecs\_service: Fix behavior when updating `capacity_provider_strategy` to avoid ECS service recreation after recent AWS changes ([#43533](https://github.com/hashicorp/terraform-provider-aws/issues/43533)) FEATURES: - **New Action:** `aws_codebuild_start_build` ([#44444](https://github.com/hashicorp/terraform-provider-aws/issues/44444)) - **New Action:** `aws_events_put_events` ([#44487](https://github.com/hashicorp/terraform-provider-aws/issues/44487)) - **New Action:** `aws_sfn_start_execution` ([#44464](https://github.com/hashicorp/terraform-provider-aws/issues/44464)) - **New Data Source:** `aws_appconfig_application` ([#44168](https://github.com/hashicorp/terraform-provider-aws/issues/44168)) - **New Data Source:** `aws_odb_db_node` ([#43792](https://github.com/hashicorp/terraform-provider-aws/issues/43792)) - **New Data Source:** `aws_odb_db_nodes` ([#43792](https://github.com/hashicorp/terraform-provider-aws/issues/43792)) - **New Data Source:** `aws_odb_db_server` ([#43792](https://github.com/hashicorp/terraform-provider-aws/issues/43792)) - **New Data Source:** `aws_odb_db_servers` ([#43792](https://github.com/hashicorp/terraform-provider-aws/issues/43792)) - **New Data Source:** `aws_odb_db_system_shapes` ([#43825](https://github.com/hashicorp/terraform-provider-aws/issues/43825)) - **New Data Source:** `aws_odb_gi_versions` ([#43825](https://github.com/hashicorp/terraform-provider-aws/issues/43825)) - **New Resource:** `aws_lakeformation_lf_tag_expression` ([#43883](https://github.com/hashicorp/terraform-provider-aws/issues/43883)) ENHANCEMENTS: - data-source/aws\_dms\_endpoint: Add `mysql_settings` attribute ([#44516](https://github.com/hashicorp/terraform-provider-aws/issues/44516)) - data-source/aws\_ec2\_instance\_type\_offering: Add `location` attribute ([#44328](https://github.com/hashicorp/terraform-provider-aws/issues/44328)) - data-source/aws\_rds\_proxy: Add `default_auth_scheme` attribute ([#44309](https://github.com/hashicorp/terraform-provider-aws/issues/44309)) - resource/aws\_cleanrooms\_configured\_table: Add resource identity support ([#44435](https://github.com/hashicorp/terraform-provider-aws/issues/44435)) - resource/aws\_cloudfront\_distribution: Add `ip_address_type` argument to `origin.custom_origin_config` block ([#44463](https://github.com/hashicorp/terraform-provider-aws/issues/44463)) - resource/aws\_connect\_instance: Add resource identity support ([#44346](https://github.com/hashicorp/terraform-provider-aws/issues/44346)) - resource/aws\_connect\_phone\_number: Add resource identity support ([#44365](https://github.com/hashicorp/terraform-provider-aws/issues/44365)) - resource/aws\_dms\_endpoint: Add `mysql_settings` configuration block ([#44516](https://github.com/hashicorp/terraform-provider-aws/issues/44516)) - resource/aws\_dsql\_cluster: Adds attribute `force_destroy`. ([#44406](https://github.com/hashicorp/terraform-provider-aws/issues/44406)) - resource/aws\_ebs\_volume: Update `throughput` maximum validation from 1000 to 2000 MiB/s for gp3 volumes ([#44514](https://github.com/hashicorp/terraform-provider-aws/issues/44514)) - resource/aws\_ecs\_capacity\_provider: Add `cluster` and `managed_instances_provider` arguments ([#44509](https://github.com/hashicorp/terraform-provider-aws/issues/44509)) - resource/aws\_ecs\_capacity\_provider: Make `auto_scaling_group_provider` optional ([#44509](https://github.com/hashicorp/terraform-provider-aws/issues/44509)) - resource/aws\_iam\_service\_specific\_credential: Add support for Bedrock API keys with `credential_age_days`, `service_credential_alias`, `service_credential_secret`, `create_date`, and `expiration_date` attributes ([#44299](https://github.com/hashicorp/terraform-provider-aws/issues/44299)) - resource/aws\_networkfirewall\_logging\_configuration: Add `enable_monitoring_dashboard` argument ([#44515](https://github.com/hashicorp/terraform-provider-aws/issues/44515)) - resource/aws\_opensearch\_domain: Add `aiml_options` argument ([#44417](https://github.com/hashicorp/terraform-provider-aws/issues/44417)) - resource/aws\_pinpointsmsvoicev2\_phone\_number: Update `two_way_channel_arn` argument to accept `connect.[region].amazonaws.com` in addition to ARNs ([#44372](https://github.com/hashicorp/terraform-provider-aws/issues/44372)) - resource/aws\_rds\_proxy: Add `default_auth_scheme` argument ([#44309](https://github.com/hashicorp/terraform-provider-aws/issues/44309)) - resource/aws\_rds\_proxy: Make `auth` configuration block optional ([#44309](https://github.com/hashicorp/terraform-provider-aws/issues/44309)) - resource/aws\_route53recoverycontrolconfig\_cluster: Add `network_type` argument ([#44377](https://github.com/hashicorp/terraform-provider-aws/issues/44377)) - resource/aws\_route53recoverycontrolconfig\_cluster: Add tagging support ([#44473](https://github.com/hashicorp/terraform-provider-aws/issues/44473)) - resource/aws\_route53recoverycontrolconfig\_control\_panel: Add tagging support ([#44473](https://github.com/hashicorp/terraform-provider-aws/issues/44473)) - resource/aws\_route53recoverycontrolconfig\_safety\_rule: Add tagging support ([#44473](https://github.com/hashicorp/terraform-provider-aws/issues/44473)) - resource/aws\_s3control\_bucket: Add resource identity support ([#44379](https://github.com/hashicorp/terraform-provider-aws/issues/44379)) - resource/aws\_sfn\_activity: Add `arn` argument ([#44408](https://github.com/hashicorp/terraform-provider-aws/issues/44408)) - resource/aws\_sfn\_activity: Add resource identity support ([#44408](https://github.com/hashicorp/terraform-provider-aws/issues/44408)) - resource/aws\_sfn\_alias: Add resource identity support ([#44408](https://github.com/hashicorp/terraform-provider-aws/issues/44408)) - resource/aws\_ssmcontacts\_contact\_channel: Add resource identity support ([#44369](https://github.com/hashicorp/terraform-provider-aws/issues/44369)) BUG FIXES: - data-source/aws\_lb: Fix `Invalid address to set: []string{"secondary_ips_auto_assigned_per_subnet"}` errors ([#44485](https://github.com/hashicorp/terraform-provider-aws/issues/44485)) - data-source/aws\_networkfirewall\_firewall\_policy: Fix failure to retrieve multiple `firewall_policy.stateful_rule_group_reference` attributes ([#44482](https://github.com/hashicorp/terraform-provider-aws/issues/44482)) - data-source/aws\_servicequotas\_service\_quota: Fixed a panic that occurred when a non-existing `quota_name` was provided ([#44449](https://github.com/hashicorp/terraform-provider-aws/issues/44449)) - resource/aws\_bedrock\_provisioned\_model\_throughput: Fix `AttributeName("arn") still remains in the path: could not find attribute or block "arn" in schema` errors when upgrading from a pre-v6.0.0 provider version ([#44434](https://github.com/hashicorp/terraform-provider-aws/issues/44434)) - resource/aws\_chatbot\_slack\_channel\_configuration: Force resource replacement when `configuration_name` is modified ([#43996](https://github.com/hashicorp/terraform-provider-aws/issues/43996)) - resource/aws\_cloudwatch\_event\_rule: Do not retry on `LimitExceededException` ([#44489](https://github.com/hashicorp/terraform-provider-aws/issues/44489)) - resource/aws\_cloudwatch\_log\_resource\_policy: Do not retry on `LimitExceededException` ([#44522](https://github.com/hashicorp/terraform-provider-aws/issues/44522)) - resource/aws\_default\_vpc: Correctly set `ipv6_cidr_block` when the VPC has multiple associated IPv6 CIDRs ([#44362](https://github.com/hashicorp/terraform-provider-aws/issues/44362)) - resource/aws\_dms\_endpoint: Ensure that `postgres_settings` are updated ([#44389](https://github.com/hashicorp/terraform-provider-aws/issues/44389)) - resource/aws\_dsql\_cluster: Prevents error when optional attribute `deletion_protection_enabled` not set. ([#44406](https://github.com/hashicorp/terraform-provider-aws/issues/44406)) - resource/aws\_eks\_cluster: Change `compute_config`, `kubernetes_network_config.elastic_load_balancing`, and `storage_config.` to Optional and Computed, allowing EKS Auto Mode settings to be enabled, disabled, and removed from configuration ([#44334](https://github.com/hashicorp/terraform-provider-aws/issues/44334)) - resource/aws\_elastic\_beanstalk\_configuration\_template: Fix `inconsistent final plan` error in some cases with `setting` elements. ([#44461](https://github.com/hashicorp/terraform-provider-aws/issues/44461)) - resource/aws\_elastic\_beanstalk\_environment: Fix `inconsistent final plan` error in some cases with `setting` elements. ([#44461](https://github.com/hashicorp/terraform-provider-aws/issues/44461)) - resource/aws\_elasticache\_cluster: Fix `provider produced unexpected value` for `cache_usage_limits` argument. ([#43841](https://github.com/hashicorp/terraform-provider-aws/issues/43841)) - resource/aws\_fsx\_lustre\_file\_system: Fixed to update `metadata_configuration` first to allow simultaneous increase of `metadata_configuration.iops` and `storage_capacity` ([#44456](https://github.com/hashicorp/terraform-provider-aws/issues/44456)) - resource/aws\_instance: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panics when `capacity_reservation_target` is empty ([#44459](https://github.com/hashicorp/terraform-provider-aws/issues/44459)) - resource/aws\_kinesisanalyticsv2\_application: Ensure that configured `application_configuration.run_configuration` values are respected during update ([#43490](https://github.com/hashicorp/terraform-provider-aws/issues/43490)) - resource/aws\_odb\_cloud\_autonomous\_vm\_cluster : Fixed planmodifier for computed attribute. ([#44401](https://github.com/hashicorp/terraform-provider-aws/issues/44401)) - resource/aws\_odb\_cloud\_vm\_cluster : Fixed planmodifier for computed attribute. Fixed planmodifier from display\_name attribute. ([#44401](https://github.com/hashicorp/terraform-provider-aws/issues/44401)) - resource/aws\_odb\_cloud\_vm\_cluster : Fixed planmodifier for data\_storage\_size\_in\_tbs. Marked it mandatory. Fixed gi-version issue during creation ([#44498](https://github.com/hashicorp/terraform-provider-aws/issues/44498)) - resource/aws\_odb\_network\_peering\_connection : Fixed planmodifier for computed attribute. ([#44401](https://github.com/hashicorp/terraform-provider-aws/issues/44401)) - resource/aws\_rds\_cluster: Fixes error when setting `database_insights_mode` with `global_cluster_identifier`. ([#44404](https://github.com/hashicorp/terraform-provider-aws/issues/44404)) - resource/aws\_route53\_health\_check: Fix `child_health_threshold` to properly accept explicitly specified zero value ([#44006](https://github.com/hashicorp/terraform-provider-aws/issues/44006)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Allows unsetting `noncurrent_version_expiration.newer_noncurrent_versions` and `noncurrent_version_transition.newer_noncurrent_versions`. ([#44442](https://github.com/hashicorp/terraform-provider-aws/issues/44442)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Do not warn if no filter element is set ([#43590](https://github.com/hashicorp/terraform-provider-aws/issues/43590)) - resource/aws\_vpc: Correctly set `ipv6_cidr_block` when the VPC has multiple associated IPv6 CIDRs ([#44362](https://github.com/hashicorp/terraform-provider-aws/issues/44362)) ### [`v6.14.1`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6141-September-22-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.14.0...v6.14.1) NOTES: - provider: This release contains both internal provider fixes and a Terraform Plugin SDK V2 update related to a [regression](https://github.com/hashicorp/terraform-provider-aws/issues/44366) which may impact resources that support resource identity ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375)) BUG FIXES: - provider: Fix `Missing Resource Identity After Update` errors for non-refreshed and failed updates ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375)) - provider: Fix `Unexpected Identity Change` errors when fully-null identity values in state are updated to valid values ([#44375](https://github.com/hashicorp/terraform-provider-aws/issues/44375)) ### [`v6.14.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6140-September-18-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.13.0...v6.14.0) FEATURES: - **New Action:** `aws_cloudfront_create_invalidation` ([#43955](https://github.com/hashicorp/terraform-provider-aws/issues/43955)) - **New Action:** `aws_ec2_stop_instance` ([#43700](https://github.com/hashicorp/terraform-provider-aws/issues/43700)) - **New Action:** `aws_lambda_invoke` ([#43972](https://github.com/hashicorp/terraform-provider-aws/issues/43972)) - **New Action:** `aws_ses_send_email` ([#44214](https://github.com/hashicorp/terraform-provider-aws/issues/44214)) - **New Action:** `aws_sns_publish` ([#44232](https://github.com/hashicorp/terraform-provider-aws/issues/44232)) - **New Data Source:** `aws_billing_views` ([#44272](https://github.com/hashicorp/terraform-provider-aws/issues/44272)) - **New Data Source:** `aws_odb_cloud_autonomous_vm_cluster` ([#43809](https://github.com/hashicorp/terraform-provider-aws/issues/43809)) - **New Data Source:** `aws_odb_cloud_exadata_infrastructure` ([#43650](https://github.com/hashicorp/terraform-provider-aws/issues/43650)) - **New Data Source:** `aws_odb_cloud_vm_cluster` ([#43790](https://github.com/hashicorp/terraform-provider-aws/issues/43790)) - **New Data Source:** `aws_odb_network` ([#43715](https://github.com/hashicorp/terraform-provider-aws/issues/43715)) - **New Data Source:** `aws_odb_network_peering_connection` ([#43757](https://github.com/hashicorp/terraform-provider-aws/issues/43757)) - **New Resource:** `aws_controltower_baseline` ([#42397](https://github.com/hashicorp/terraform-provider-aws/issues/42397)) - **New Resource:** `aws_odb_cloud_autonomous_vm_cluster` ([#43809](https://github.com/hashicorp/terraform-provider-aws/issues/43809)) - **New Resource:** `aws_odb_cloud_exadata_infrastructure` ([#43650](https://github.com/hashicorp/terraform-provider-aws/issues/43650)) - **New Resource:** `aws_odb_cloud_vm_cluster` ([#43790](https://github.com/hashicorp/terraform-provider-aws/issues/43790)) - **New Resource:** `aws_odb_network` ([#43715](https://github.com/hashicorp/terraform-provider-aws/issues/43715)) - **New Resource:** `aws_odb_network_peering_connection` ([#43757](https://github.com/hashicorp/terraform-provider-aws/issues/43757)) ENHANCEMENTS: - resource/aws\_batch\_job\_queue: Adds List support ([#43960](https://github.com/hashicorp/terraform-provider-aws/issues/43960)) - resource/aws\_cloudwatch\_log\_group: Adds List support ([#44129](https://github.com/hashicorp/terraform-provider-aws/issues/44129)) - resource/aws\_ecs\_service: Add `deployment_configuration.lifecycle_hook.hook_details` argument ([#44289](https://github.com/hashicorp/terraform-provider-aws/issues/44289)) - resource/aws\_iam\_role: Adds List support ([#44129](https://github.com/hashicorp/terraform-provider-aws/issues/44129)) - resource/aws\_instance: Adds List support ([#44129](https://github.com/hashicorp/terraform-provider-aws/issues/44129)) - resource/aws\_rds\_global\_cluster: Remove provider-side conflict between `source_db_cluster_identifier` and `engine` arguments ([#44252](https://github.com/hashicorp/terraform-provider-aws/issues/44252)) - resource/aws\_scheduler\_schedule: Add `action_after_completion` argument ([#44264](https://github.com/hashicorp/terraform-provider-aws/issues/44264)) - resource/aws\_sfn\_state\_machine: Add resource identity support ([#44286](https://github.com/hashicorp/terraform-provider-aws/issues/44286)) BUG FIXES: - resource/aws\_elasticache\_user\_group: Ignore `InvalidParameterValue: User xxx is not a member of user group xxx` errors during group modification ([#43520](https://github.com/hashicorp/terraform-provider-aws/issues/43520)) - resource/aws\_sagemaker\_endpoint\_configuration: Fix panic when empty `async_inference_config.output_config.notification_config` block is specified ([#44310](https://github.com/hashicorp/terraform-provider-aws/issues/44310)) ### [`v6.13.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6130-September-11-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.12.0...v6.13.0) ENHANCEMENTS: - data-source/aws\_budgets\_budget: Add `billing_view_arn` attribute ([#44241](https://github.com/hashicorp/terraform-provider-aws/issues/44241)) - data-source/aws\_dynamodb\_table: Add `warm_throughput` and `global_secondary_index.warm_throughput` attributes ([#41308](https://github.com/hashicorp/terraform-provider-aws/issues/41308)) - data-source/aws\_elastic\_beanstalk\_hosted\_zone: Add hosted zone IDs for `ap-southeast-5`, `ap-southeast-7`, `eu-south-2`, and `me-central-1` AWS Regions ([#44132](https://github.com/hashicorp/terraform-provider-aws/issues/44132)) - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `ap-southeast-6` AWS Region ([#44132](https://github.com/hashicorp/terraform-provider-aws/issues/44132)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `ap-southeast-6` AWS Region ([#44132](https://github.com/hashicorp/terraform-provider-aws/issues/44132)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `ap-southeast-6` AWS Region ([#44132](https://github.com/hashicorp/terraform-provider-aws/issues/44132)) - resource/aws\_appautoscaling\_policy: Add `predictive_scaling_policy_configuration` argument ([#44211](https://github.com/hashicorp/terraform-provider-aws/issues/44211)) - resource/aws\_appautoscaling\_policy: Add plan-time validation of `policy_type` ([#44211](https://github.com/hashicorp/terraform-provider-aws/issues/44211)) - resource/aws\_appautoscaling\_policy: Add plan-time validation of `step_scaling_policy_configuration.adjustment_type` and `step_scaling_policy_configuration.metric_aggregation_type` ([#44211](https://github.com/hashicorp/terraform-provider-aws/issues/44211)) - resource/aws\_bedrock\_guardrail: Add `input_action`, `output_action`, `input_enabled`, and `output_enabled` arguments to `word_policy_config.managed_word_lists_config` and `word_policy_config.words_config` configuration blocks ([#44224](https://github.com/hashicorp/terraform-provider-aws/issues/44224)) - resource/aws\_budgets\_budget: Add `billing_view_arn` argument ([#44241](https://github.com/hashicorp/terraform-provider-aws/issues/44241)) - resource/aws\_cloudfront\_distribution: Add `origin.response_completion_timeout` argument ([#44163](https://github.com/hashicorp/terraform-provider-aws/issues/44163)) - resource/aws\_codebuild\_webhook: Add `pull_request_build_policy` configuration block ([#44201](https://github.com/hashicorp/terraform-provider-aws/issues/44201)) - resource/aws\_dynamodb\_table: Add `warm_throughput` and `global_secondary_index.warm_throughput` arguments ([#41308](https://github.com/hashicorp/terraform-provider-aws/issues/41308)) - resource/aws\_ecs\_account\_setting\_default: Support `dualStackIPv6` as a valid value for `name` ([#44165](https://github.com/hashicorp/terraform-provider-aws/issues/44165)) - resource/aws\_glue\_catalog\_table\_optimizer: Add `iceberg_configuration.run_rate_in_hours` argument to `retention_configuration` and `orphan_file_deletion_configuration` blocks ([#44207](https://github.com/hashicorp/terraform-provider-aws/issues/44207)) - resource/aws\_networkfirewall\_rule\_group: Add IPv6 CIDR block support to `address_definition` arguments in `source` and `destination` blocks within `rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rule.rule_definition.match_attributes` ([#44215](https://github.com/hashicorp/terraform-provider-aws/issues/44215)) - resource/aws\_networkmanager\_vpc\_attachment: Add `options.dns_support` and `options.security_group_referencing_support` arguments ([#43742](https://github.com/hashicorp/terraform-provider-aws/issues/43742)) - resource/aws\_networkmanager\_vpc\_attachment: Change `options` to Optional and Computed ([#43742](https://github.com/hashicorp/terraform-provider-aws/issues/43742)) - resource/aws\_opensearch\_package: Add `engine_version` argument ([#44155](https://github.com/hashicorp/terraform-provider-aws/issues/44155)) - resource/aws\_opensearch\_package: Add waiter to ensure package validation completes ([#44155](https://github.com/hashicorp/terraform-provider-aws/issues/44155)) - resource/aws\_synthetics\_canary: Add `schedule.retry_config` configuration block ([#44244](https://github.com/hashicorp/terraform-provider-aws/issues/44244)) - resource/aws\_vpc\_endpoint: Add resource identity support ([#44194](https://github.com/hashicorp/terraform-provider-aws/issues/44194)) - resource/aws\_vpc\_security\_group\_egress\_rule: Add resource identity support ([#44198](https://github.com/hashicorp/terraform-provider-aws/issues/44198)) - resource/aws\_vpc\_security\_group\_ingress\_rule: Add resource identity support ([#44198](https://github.com/hashicorp/terraform-provider-aws/issues/44198)) BUG FIXES: - resource/aws\_appautoscaling\_policy: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panics when `step_scaling_policy_configuration` is empty ([#44211](https://github.com/hashicorp/terraform-provider-aws/issues/44211)) - resource/aws\_cognito\_managed\_login\_branding: Fix `reading Cognito Managed Login Branding by client ... couldn't find resource` errors when a user pool contains multiple client apps ([#44204](https://github.com/hashicorp/terraform-provider-aws/issues/44204)) - resource/aws\_eks\_cluster: Supports null `compute_config.node_role_arn` when disabling auto mode or built-in node pools ([#42483](https://github.com/hashicorp/terraform-provider-aws/issues/42483)) - resource/aws\_flow\_log: Fix `Error decoding ... from prior state: unsupported attribute "log_group_name"` errors when upgrading from a pre-v6.0.0 provider version ([#44191](https://github.com/hashicorp/terraform-provider-aws/issues/44191)) - resource/aws\_launch\_template: Fix `Error decoding ... from prior state: unsupported attribute "elastic_gpu_specifications"` errors when upgrading from a pre-v6.0.0 provider version ([#44195](https://github.com/hashicorp/terraform-provider-aws/issues/44195)) - resource/aws\_rds\_cluster\_role\_association: Make `feature_name` optional ([#44143](https://github.com/hashicorp/terraform-provider-aws/issues/44143)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Ignore `MethodNotAllowed` errors when deleting non-existent lifecycle configurations ([#44189](https://github.com/hashicorp/terraform-provider-aws/issues/44189)) - resource/aws\_secretsmanager\_secret: Return diagnostic `warning` when remote policy is invalid ([#44228](https://github.com/hashicorp/terraform-provider-aws/issues/44228)) - resource/aws\_servicecatalog\_provisioned\_product: Restore `timeouts.read` arguments removed in v6.12.0 ([#44238](https://github.com/hashicorp/terraform-provider-aws/issues/44238)) ### [`v6.12.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6120-September-4-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.11.0...v6.12.0) NOTES: - resource/aws\_s3\_bucket\_acl: The `access_control_policy.grant.grantee.display_name` attribute is deprecated. AWS has [ended support for this attribute](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Grantee.html). API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. ([#44090](https://github.com/hashicorp/terraform-provider-aws/issues/44090)) - resource/aws\_s3\_bucket\_acl: The `access_control_policy.owner.display_name` attribute is deprecated. AWS has [ended support for this attribute](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Owner.html). API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. ([#44090](https://github.com/hashicorp/terraform-provider-aws/issues/44090)) - resource/aws\_s3\_bucket\_logging: The `target_grant.grantee.display_name` attribute is deprecated. AWS has [ended support for this attribute](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Grantee.html). API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. ([#44090](https://github.com/hashicorp/terraform-provider-aws/issues/44090)) FEATURES: - **New Resource:** `aws_cognito_managed_login_branding` ([#43817](https://github.com/hashicorp/terraform-provider-aws/issues/43817)) ENHANCEMENTS: - data-source/aws\_efs\_mount\_target: Add `ip_address_type` and `ipv6_address` attributes ([#44079](https://github.com/hashicorp/terraform-provider-aws/issues/44079)) - data-source/aws\_instance: Add `placement_group_id` attribute ([#38527](https://github.com/hashicorp/terraform-provider-aws/issues/38527)) - data-source/aws\_lambda\_function: Add `source_kms_key_arn` attribute ([#44080](https://github.com/hashicorp/terraform-provider-aws/issues/44080)) - data-source/aws\_launch\_template: Add `placement.group_id` attribute ([#44097](https://github.com/hashicorp/terraform-provider-aws/issues/44097)) - provider: Support `ap-southeast-6` as a valid AWS Region ([#44127](https://github.com/hashicorp/terraform-provider-aws/issues/44127)) - resource/aws\_ecs\_service: Remove Terraform default for `availability_zone_rebalancing` and change the attribute to Optional and Computed. This allow ECS to default to `ENABLED` for new resources compatible with *AvailabilityZoneRebalancing* and maintain an existing service's `availability_zone_rebalancing` value during update when not configured. If an existing service never had an `availability_zone_rebalancing` value configured and is updated, ECS will treat this as `DISABLED` ([#43241](https://github.com/hashicorp/terraform-provider-aws/issues/43241)) - resource/aws\_efs\_mount\_target: Add `ip_address_type` and `ipv6_address` arguments to support IPv6 connectivity ([#44079](https://github.com/hashicorp/terraform-provider-aws/issues/44079)) - resource/aws\_fsx\_openzfs\_file\_system: Remove maximum items limit on the `user_and_group_quotas` argument ([#44120](https://github.com/hashicorp/terraform-provider-aws/issues/44120)) - resource/aws\_fsx\_openzfs\_volume: Remove maximum items limit on the `user_and_group_quotas` argument ([#44118](https://github.com/hashicorp/terraform-provider-aws/issues/44118)) - resource/aws\_instance: Add `placement_group_id` argument ([#38527](https://github.com/hashicorp/terraform-provider-aws/issues/38527)) - resource/aws\_instance: Add resource identity support ([#44068](https://github.com/hashicorp/terraform-provider-aws/issues/44068)) - resource/aws\_lambda\_function: Add `source_kms_key_arn` argument ([#44080](https://github.com/hashicorp/terraform-provider-aws/issues/44080)) - resource/aws\_launch\_template: Add `placement.group_id` argument ([#44097](https://github.com/hashicorp/terraform-provider-aws/issues/44097)) - resource/aws\_ssm\_association: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_ssm\_document: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_ssm\_maintenance\_window: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_ssm\_maintenance\_window\_target: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_ssm\_maintenance\_window\_task: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_ssm\_patch\_baseline: Add resource identity support ([#44075](https://github.com/hashicorp/terraform-provider-aws/issues/44075)) - resource/aws\_synthetics\_canary: Add `run_config.ephemeral_storage` argument. ([#44105](https://github.com/hashicorp/terraform-provider-aws/issues/44105)) BUG FIXES: - resource/aws\_s3tables\_table\_policy: Remove plan-time validation of `name` and `namespace` ([#44072](https://github.com/hashicorp/terraform-provider-aws/issues/44072)) - resource/aws\_servicecatalog\_provisioned\_product: Set `provisioning_parameters` and `provisioning_artifact_id` to the values from the last successful deployment when update fails ([#43956](https://github.com/hashicorp/terraform-provider-aws/issues/43956)) - resource/aws\_wafv2\_web\_acl: Fix performance of update when the WebACL has a large number of rules ([#42740](https://github.com/hashicorp/terraform-provider-aws/issues/42740)) ### [`v6.11.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6110-August-28-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.10.0...v6.11.0) FEATURES: - **New Resource:** `aws_timestreaminfluxdb_db_cluster` ([#42382](https://github.com/hashicorp/terraform-provider-aws/issues/42382)) - **New Resource:** `aws_workspacesweb_browser_settings_association` ([#43735](https://github.com/hashicorp/terraform-provider-aws/issues/43735)) - **New Resource:** `aws_workspacesweb_data_protection_settings_association` ([#43773](https://github.com/hashicorp/terraform-provider-aws/issues/43773)) - **New Resource:** `aws_workspacesweb_identity_provider` ([#43729](https://github.com/hashicorp/terraform-provider-aws/issues/43729)) - **New Resource:** `aws_workspacesweb_ip_access_settings_association` ([#43774](https://github.com/hashicorp/terraform-provider-aws/issues/43774)) - **New Resource:** `aws_workspacesweb_network_settings_association` ([#43775](https://github.com/hashicorp/terraform-provider-aws/issues/43775)) - **New Resource:** `aws_workspacesweb_portal` ([#43444](https://github.com/hashicorp/terraform-provider-aws/issues/43444)) - **New Resource:** `aws_workspacesweb_session_logger` ([#43863](https://github.com/hashicorp/terraform-provider-aws/issues/43863)) - **New Resource:** `aws_workspacesweb_session_logger_association` ([#43866](https://github.com/hashicorp/terraform-provider-aws/issues/43866)) - **New Resource:** `aws_workspacesweb_trust_store` ([#43408](https://github.com/hashicorp/terraform-provider-aws/issues/43408)) - **New Resource:** `aws_workspacesweb_trust_store_association` ([#43778](https://github.com/hashicorp/terraform-provider-aws/issues/43778)) - **New Resource:** `aws_workspacesweb_user_access_logging_settings_association` ([#43776](https://github.com/hashicorp/terraform-provider-aws/issues/43776)) - **New Resource:** `aws_workspacesweb_user_settings_association` ([#43777](https://github.com/hashicorp/terraform-provider-aws/issues/43777)) ENHANCEMENTS: - data-source/aws\_ec2\_client\_vpn\_endpoint: Add `endpoint_ip_address_type` and `traffic_ip_address_type` attributes ([#44059](https://github.com/hashicorp/terraform-provider-aws/issues/44059)) - data-source/aws\_network\_interface: Add `attachment.network_card_index` attribute ([#42188](https://github.com/hashicorp/terraform-provider-aws/issues/42188)) - data-source/aws\_sesv2\_email\_identity: Add `verification_status` attribute ([#44045](https://github.com/hashicorp/terraform-provider-aws/issues/44045)) - data-source/aws\_signer\_signing\_profile: Add `signing_material` and `signing_parameters` attributes ([#43921](https://github.com/hashicorp/terraform-provider-aws/issues/43921)) - data-source/aws\_vpc\_ipam: Add `metered_account` attribute ([#43967](https://github.com/hashicorp/terraform-provider-aws/issues/43967)) - resource/aws\_datazone\_domain: Add `domain_version` and `service_role` arguments to support V2 domains ([#44042](https://github.com/hashicorp/terraform-provider-aws/issues/44042)) - resource/aws\_dlm\_lifecycle\_policy: Add `copy_tags`, `create_interval`, `exclusions`, `extend_deletion`, `policy_language`, `resource_type` and `retain_interval` attributes to `policy_details` configuration block ([#41055](https://github.com/hashicorp/terraform-provider-aws/issues/41055)) - resource/aws\_dlm\_lifecycle\_policy: Add `default_policy` argument ([#41055](https://github.com/hashicorp/terraform-provider-aws/issues/41055)) - resource/aws\_dlm\_lifecycle\_policy: Add `policy_details.create_rule.scripts` argument ([#41055](https://github.com/hashicorp/terraform-provider-aws/issues/41055)) - resource/aws\_dlm\_lifecycle\_policy: Add `policy_details.schedule.cross_region_copy_rule.target_region` argument ([#33796](https://github.com/hashicorp/terraform-provider-aws/issues/33796)) - resource/aws\_dlm\_lifecycle\_policy: Make `policy_details.schedule.cross_region_copy_rule.target` optional ([#33796](https://github.com/hashicorp/terraform-provider-aws/issues/33796)) - resource/aws\_dlm\_lifecycle\_policy:Add `policy_details.schedule.archive_rule` argument ([#41055](https://github.com/hashicorp/terraform-provider-aws/issues/41055)) - resource/aws\_dynamodb\_contributor\_insights: Add `mode` argument in support of [CloudWatch contributor insights modes](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/contributorinsights_HowItWorks.html#contributorinsights_HowItWorks.Modes) ([#43914](https://github.com/hashicorp/terraform-provider-aws/issues/43914)) - resource/aws\_ec2\_client\_vpn\_endpoint: Add `endpoint_ip_address_type` and `traffic_ip_address_type` arguments to support IPv6 connectivity in Client VPN ([#44059](https://github.com/hashicorp/terraform-provider-aws/issues/44059)) - resource/aws\_ec2\_client\_vpn\_endpoint: Make `client_cidr_block` optional ([#44059](https://github.com/hashicorp/terraform-provider-aws/issues/44059)) - resource/aws\_ecr\_lifecycle\_policy: Add resource identity support ([#44041](https://github.com/hashicorp/terraform-provider-aws/issues/44041)) - resource/aws\_ecr\_repository: Add resource identity support ([#44041](https://github.com/hashicorp/terraform-provider-aws/issues/44041)) - resource/aws\_ecr\_repository\_policy: Add resource identity support ([#44041](https://github.com/hashicorp/terraform-provider-aws/issues/44041)) - resource/aws\_ecs\_service: Add `sigint_rollback` argument ([#43986](https://github.com/hashicorp/terraform-provider-aws/issues/43986)) - resource/aws\_ecs\_service: Change `deployment_configuration` to Optional and Computed ([#43986](https://github.com/hashicorp/terraform-provider-aws/issues/43986)) - resource/aws\_eks\_cluster: Allow `remote_network_config` to be updated in-place, enabling support for EKS hybrid nodes on existing clusters ([#42928](https://github.com/hashicorp/terraform-provider-aws/issues/42928)) - resource/aws\_elasticache\_global\_replication\_group: Change `engine` to Optional and Computed ([#42636](https://github.com/hashicorp/terraform-provider-aws/issues/42636)) - resource/aws\_inspector2\_filter: Support `code_repository_project_name`, `code_repository_provider_type`, `ecr_image_in_use_count`, and `ecr_image_last_in_use_at` in `filter_criteria` ([#43950](https://github.com/hashicorp/terraform-provider-aws/issues/43950)) - resource/aws\_iot\_thing\_principal\_attachment: Add `thing_principal_type` argument ([#43916](https://github.com/hashicorp/terraform-provider-aws/issues/43916)) - resource/aws\_kms\_alias: Add resource identity support ([#44025](https://github.com/hashicorp/terraform-provider-aws/issues/44025)) - resource/aws\_kms\_external\_key: Add `key_spec` argument ([#44011](https://github.com/hashicorp/terraform-provider-aws/issues/44011)) - resource/aws\_kms\_external\_key: Change `key_usage` to Optional and Computed ([#44011](https://github.com/hashicorp/terraform-provider-aws/issues/44011)) - resource/aws\_kms\_key: Add resource identity support ([#44025](https://github.com/hashicorp/terraform-provider-aws/issues/44025)) - resource/aws\_lb: Add `secondary_ips_auto_assigned_per_subnet` argument for Network Load Balancers ([#43699](https://github.com/hashicorp/terraform-provider-aws/issues/43699)) - resource/aws\_mwaa\_environment: Add `worker_replacement_strategy` argument ([#43946](https://github.com/hashicorp/terraform-provider-aws/issues/43946)) - resource/aws\_network\_interface: Add `attachment.network_card_index` argument ([#42188](https://github.com/hashicorp/terraform-provider-aws/issues/42188)) - resource/aws\_network\_interface\_attachment: Add `network_card_index` argument ([#42188](https://github.com/hashicorp/terraform-provider-aws/issues/42188)) - resource/aws\_route53\_resolver\_rule: Add resource identity support ([#44048](https://github.com/hashicorp/terraform-provider-aws/issues/44048)) - resource/aws\_route53\_resolver\_rule\_association: Add resource identity support ([#44048](https://github.com/hashicorp/terraform-provider-aws/issues/44048)) - resource/aws\_route: Add resource identity support ([#43910](https://github.com/hashicorp/terraform-provider-aws/issues/43910)) - resource/aws\_route\_table: Add resource identity support ([#43990](https://github.com/hashicorp/terraform-provider-aws/issues/43990)) - resource/aws\_s3\_bucket\_acl: Add resource identity support ([#44043](https://github.com/hashicorp/terraform-provider-aws/issues/44043)) - resource/aws\_s3\_bucket\_cors\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_logging: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_notification: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_ownership\_controls: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_policy: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_public\_access\_block: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_server\_side\_encryption\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_versioning: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_website\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3tables\_table\_bucket: Add `force_destroy` argument ([#43922](https://github.com/hashicorp/terraform-provider-aws/issues/43922)) - resource/aws\_secretsmanager\_secret\_version: Add resource identity support ([#44031](https://github.com/hashicorp/terraform-provider-aws/issues/44031)) - resource/aws\_sesv2\_email\_identity: Add `verification_status` attribute ([#44045](https://github.com/hashicorp/terraform-provider-aws/issues/44045)) - resource/aws\_signer\_signing\_profile: Add `signing_parameters` argument ([#43921](https://github.com/hashicorp/terraform-provider-aws/issues/43921)) - resource/aws\_synthetics\_canary: Add `vpc_config.ipv6_allowed_for_dual_stack` argument ([#43989](https://github.com/hashicorp/terraform-provider-aws/issues/43989)) - resource/aws\_vpc\_ipam: Add `metered_account` argument ([#43967](https://github.com/hashicorp/terraform-provider-aws/issues/43967)) BUG FIXES: - data-source/aws\_glue\_catalog\_table: Add `partition_keys.parameters` attribute ([#26702](https://github.com/hashicorp/terraform-provider-aws/issues/26702)) - resource/aws\_cognito\_user\_pool: Fixed to accept an empty `email_mfa_configuration` block ([#43926](https://github.com/hashicorp/terraform-provider-aws/issues/43926)) - resource/aws\_db\_instance: Fixes the behavior when modifying `database_insights_mode` when using custom KMS key ([#44050](https://github.com/hashicorp/terraform-provider-aws/issues/44050)) - resource/aws\_dx\_hosted\_connection: Fix `DescribeHostedConnections failed for connection dxcon-xxxx doesn't exist` by pointing to the correct connection ID when doing the describe. ([#43499](https://github.com/hashicorp/terraform-provider-aws/issues/43499)) - resource/aws\_glue\_catalog\_table: Add `partition_keys.parameters` argument, fixing `Invalid address to set: []string{"partition_keys", "0", "parameters"}` errors ([#26702](https://github.com/hashicorp/terraform-provider-aws/issues/26702)) - resource/aws\_imagebuilder\_image\_recipe: Increase upper limit of `block_device_mapping.ebs.iops` from `10000` to `100000` ([#43981](https://github.com/hashicorp/terraform-provider-aws/issues/43981)) - resource/aws\_nat\_gateway: Fix inconsistent final plan for `secondary_private_ip_addresses` ([#43708](https://github.com/hashicorp/terraform-provider-aws/issues/43708)) - resource/aws\_spot\_instance\_request: Change `network_interface.network_card_index` to Computed ([#38336](https://github.com/hashicorp/terraform-provider-aws/issues/38336)) - resource/aws\_timestreaminfluxdb\_db\_instance: Fix tag-only update errors ([#42382](https://github.com/hashicorp/terraform-provider-aws/issues/42382)) - resource/aws\_wafv2\_web\_acl: Add missing flattening of `name` in `response_inspection.header` blocks for `AWSManagedRulesATPRuleSet` and `AWSManagedRulesACFPRuleSet` to avoid persistent plan diffs ([#44032](https://github.com/hashicorp/terraform-provider-aws/issues/44032)) ### [`v6.10.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6100-August-21-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.9.0...v6.10.0) NOTES: - resource/aws\_instance: The `network_interface` block has been deprecated. Use `primary_network_interface` for the primary network interface and `aws_network_interface_attachment` resources for other network interfaces. ([#43953](https://github.com/hashicorp/terraform-provider-aws/issues/43953)) - resource/aws\_spot\_instance\_request: The `network_interface` block has been deprecated. Use `primary_network_interface` for the primary network interface and `aws_network_interface_attachment` resources for other network interfaces. ([#43953](https://github.com/hashicorp/terraform-provider-aws/issues/43953)) ENHANCEMENTS: - data-source/aws\_ecr\_repository: Add `image_tag_mutability_exclusion_filter` attribute ([#43886](https://github.com/hashicorp/terraform-provider-aws/issues/43886)) - data-source/aws\_ecr\_repository\_creation\_template: Add `image_tag_mutability_exclusion_filter` attribute ([#43886](https://github.com/hashicorp/terraform-provider-aws/issues/43886)) - resource/aws\_cloudwatch\_event\_target: Add resource identity support ([#43984](https://github.com/hashicorp/terraform-provider-aws/issues/43984)) - resource/aws\_ecr\_repository\_creation\_template: Add `image_tag_mutability_exclusion_filter` configuration block ([#43886](https://github.com/hashicorp/terraform-provider-aws/issues/43886)) - resource/aws\_glue\_job: Support `G.12X`, `G.16X`, `R.1X`, `R.2X`, `R.4X`, and `R.8X` as valid values for `worker_type` ([#43988](https://github.com/hashicorp/terraform-provider-aws/issues/43988)) - resource/aws\_lambda\_permission: Add resource identity support ([#43954](https://github.com/hashicorp/terraform-provider-aws/issues/43954)) - resource/aws\_lightsail\_static\_ip\_attachment: Support resource import ([#43874](https://github.com/hashicorp/terraform-provider-aws/issues/43874)) - resource/aws\_s3\_bucket\_cors\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_logging: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_notification: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_ownership\_controls: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_policy: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_public\_access\_block: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_server\_side\_encryption\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_versioning: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_s3\_bucket\_website\_configuration: Add resource identity support ([#43976](https://github.com/hashicorp/terraform-provider-aws/issues/43976)) - resource/aws\_secretsmanager\_secret: Add resource identity support ([#43872](https://github.com/hashicorp/terraform-provider-aws/issues/43872)) - resource/aws\_secretsmanager\_secret\_policy: Add resource identity support ([#43872](https://github.com/hashicorp/terraform-provider-aws/issues/43872)) - resource/aws\_secretsmanager\_secret\_rotation: Add resource identity support ([#43872](https://github.com/hashicorp/terraform-provider-aws/issues/43872)) - resource/aws\_sqs\_queue: Add resource identity support ([#43918](https://github.com/hashicorp/terraform-provider-aws/issues/43918)) - resource/aws\_sqs\_queue\_policy: Add resource identity support ([#43918](https://github.com/hashicorp/terraform-provider-aws/issues/43918)) - resource/aws\_sqs\_queue\_redrive\_allow\_policy: Add resource identity support ([#43918](https://github.com/hashicorp/terraform-provider-aws/issues/43918)) - resource/aws\_sqs\_queue\_redrive\_policy: Add resource identity support ([#43918](https://github.com/hashicorp/terraform-provider-aws/issues/43918)) BUG FIXES: - resource/aws\_batch\_compute\_environment: Allow in-place updates of compute environments that have the `SPOT_PRICE_CAPACITY_OPTIMIZED` strategy ([#40148](https://github.com/hashicorp/terraform-provider-aws/issues/40148)) - resource/aws\_imagebuilder\_lifecycle\_policy: Fix `Provider produced inconsistent result after apply` error when `policy_detail.exclusion_rules.amis.is_public` is omitted ([#43925](https://github.com/hashicorp/terraform-provider-aws/issues/43925)) - resource/aws\_instance: Adds `primary_network_interface` to allow importing resources with custom primary network interface. ([#43953](https://github.com/hashicorp/terraform-provider-aws/issues/43953)) - resource/aws\_rds\_cluster: Fixes the behavior when enabling database\_insights\_mode="advanced" without changing performance insights retention window ([#43919](https://github.com/hashicorp/terraform-provider-aws/issues/43919)) - resource/aws\_rds\_cluster: Fixes the behavior when modifying `database_insights_mode` when using custom KMS key ([#43942](https://github.com/hashicorp/terraform-provider-aws/issues/43942)) - resource/aws\_spot\_instance\_request: Adds `primary_network_interface` to allow importing resources with custom primary network interface. ([#43953](https://github.com/hashicorp/terraform-provider-aws/issues/43953)) ### [`v6.9.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#690-August-14-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.8.0...v6.9.0) FEATURES: - **New Resource:** `aws_appsync_api` ([#43787](https://github.com/hashicorp/terraform-provider-aws/issues/43787)) - **New Resource:** `aws_appsync_channel_namespace` ([#43787](https://github.com/hashicorp/terraform-provider-aws/issues/43787)) ENHANCEMENTS: - data-source/aws\_eks\_cluster: Add `deletion_protection` attribute ([#43779](https://github.com/hashicorp/terraform-provider-aws/issues/43779)) - resource/aws\_cloudwatch\_event\_rule: Add resource identity support ([#43758](https://github.com/hashicorp/terraform-provider-aws/issues/43758)) - resource/aws\_cloudwatch\_metric\_alarm: Add resource identity support ([#43759](https://github.com/hashicorp/terraform-provider-aws/issues/43759)) - resource/aws\_dynamodb\_table: Add `replica.deletion_protection_enabled` argument ([#43240](https://github.com/hashicorp/terraform-provider-aws/issues/43240)) - resource/aws\_eks\_cluster: Add `deletion_protection` argument ([#43779](https://github.com/hashicorp/terraform-provider-aws/issues/43779)) - resource/aws\_lambda\_function: Add resource identity support ([#43821](https://github.com/hashicorp/terraform-provider-aws/issues/43821)) - resource/aws\_sns\_topic\_data\_protection\_policy: Add resource identity support ([#43830](https://github.com/hashicorp/terraform-provider-aws/issues/43830)) - resource/aws\_sns\_topic\_policy: Add resource identity support ([#43830](https://github.com/hashicorp/terraform-provider-aws/issues/43830)) - resource/aws\_sns\_topic\_subscription: Add resource identity support ([#43830](https://github.com/hashicorp/terraform-provider-aws/issues/43830)) - resource/aws\_subnet: Add resource identity support ([#43833](https://github.com/hashicorp/terraform-provider-aws/issues/43833)) BUG FIXES: - data-source/aws\_lambda\_function: Fix missing value for `reserved_concurrent_executions` attribute when a published version exists. This functionality requires the `lambda:GetFunctionConcurrency` IAM permission ([#43753](https://github.com/hashicorp/terraform-provider-aws/issues/43753)) - data-source/aws\_networkfirewall\_firewall\_policy: Add missing schema definition for `firewall_policy.stateful_engine_options.flow_timeouts` ([#43852](https://github.com/hashicorp/terraform-provider-aws/issues/43852)) - resource/aws\_cognito\_risk\_configuration: Make `account_takeover_risk_configuration.notify_configuration` optional ([#33624](https://github.com/hashicorp/terraform-provider-aws/issues/33624)) - resource/aws\_ecs\_service: Fix tagging failure after upgrading to v6 provider ([#43816](https://github.com/hashicorp/terraform-provider-aws/issues/43816)) - resource/aws\_ecs\_service: Fix refreshing `service_connect_configuration` when deleted outside of Terraform ([#43871](https://github.com/hashicorp/terraform-provider-aws/issues/43871)) - resource/aws\_lambda\_function: Fix missing value for `reserved_concurrent_executions` attribute when a published version exists. This functionality requires the `lambda:GetFunctionConcurrency` IAM permission ([#43753](https://github.com/hashicorp/terraform-provider-aws/issues/43753)) - resource/aws\_s3tables\_table: Fix `runtime error: invalid memory address or nil pointer dereference` panics when `GetTableMaintenanceConfiguration` returns an error ([#43764](https://github.com/hashicorp/terraform-provider-aws/issues/43764)) - resource/aws\_sagemaker\_user\_profile: Fix incomplete regex for `user_profile_name` ([#43807](https://github.com/hashicorp/terraform-provider-aws/issues/43807)) - resource/aws\_servicequotas\_service\_quota: Add validation, during `create`, to check if new value is less than current value of quota ([#43545](https://github.com/hashicorp/terraform-provider-aws/issues/43545)) - resource/aws\_storagegateway\_gateway: Handle `InvalidGatewayRequestException: The specified gateway is not connected` errors during Read by using the [`ListGateways` API](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_ListGateways.html) to return minimal information about a disconnected gateway. This functionality requires the `storagegateway:ListGateways` IAM permission ([#43819](https://github.com/hashicorp/terraform-provider-aws/issues/43819)) - resource/aws\_vpc\_ipam\_pool\_cidr: Fix `netmask_length` not being saved and diffed correctly ([#43262](https://github.com/hashicorp/terraform-provider-aws/issues/43262)) ### [`v6.8.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#680-August-7-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.7.0...v6.8.0) FEATURES: - **New Resource:** `aws_networkfirewall_vpc_endpoint_association` ([#43675](https://github.com/hashicorp/terraform-provider-aws/issues/43675)) - **New Resource:** `aws_quicksight_custom_permissions` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - **New Resource:** `aws_quicksight_role_custom_permission` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - **New Resource:** `aws_quicksight_user_custom_permission` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - **New Resource:** `aws_wafv2_web_acl_rule_group_association` ([#43561](https://github.com/hashicorp/terraform-provider-aws/issues/43561)) ENHANCEMENTS: - data-source/aws\_quicksight\_user: Add `custom_permissions_name` attribute ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - data-source/aws\_wafv2\_web\_acl: Add `resource_arn` argument to enable finding web ACLs by resource ARN ([#43597](https://github.com/hashicorp/terraform-provider-aws/issues/43597)) - data-source/aws\_wafv2\_web\_acl: Add support for `CLOUDFRONT` `scope` web ACLs using `resource_arn` ([#43597](https://github.com/hashicorp/terraform-provider-aws/issues/43597)) - resource/aws\_bedrock\_guardrail: Add `input_action`, `output_action`, `input_enabled`, and `output_enabled` attributes to `sensitive_information_policy_config.pii_entities_config` and `sensitive_information_policy_config.regexes_config` configuration blocks ([#43702](https://github.com/hashicorp/terraform-provider-aws/issues/43702)) - resource/aws\_cloudwatch\_log\_group: Add resource identity support ([#43719](https://github.com/hashicorp/terraform-provider-aws/issues/43719)) - resource/aws\_computeoptimizer\_recommendation\_preferences: Add `AuroraDBClusterStorage` as a valid `resource_type` ([#43677](https://github.com/hashicorp/terraform-provider-aws/issues/43677)) - resource/aws\_docdb\_cluster: Add `serverless_v2_scaling_configuration` argument in support of [Amazon DocumentDB serverless](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-serverless.html) ([#43667](https://github.com/hashicorp/terraform-provider-aws/issues/43667)) - resource/aws\_ecr\_repository: Add `image_tag_mutability_exclusion_filter` argument ([#43642](https://github.com/hashicorp/terraform-provider-aws/issues/43642)) - resource/aws\_ecr\_repository: Support `IMMUTABLE_WITH_EXCLUSION` and `MUTABLE_WITH_EXCLUSION` as valid values for `image_tag_mutability` ([#43642](https://github.com/hashicorp/terraform-provider-aws/issues/43642)) - resource/aws\_inspector2\_enabler: Support resource import ([#43673](https://github.com/hashicorp/terraform-provider-aws/issues/43673)) - resource/aws\_instance: Adds `force_destroy` argument that allows destruction even when `disable_api_termination` and `disable_api_stop` are `true` ([#43722](https://github.com/hashicorp/terraform-provider-aws/issues/43722)) - resource/aws\_ivs\_channel: Add resource identity support ([#43704](https://github.com/hashicorp/terraform-provider-aws/issues/43704)) - resource/aws\_ivs\_playback\_key\_pair: Add resource identity support ([#43704](https://github.com/hashicorp/terraform-provider-aws/issues/43704)) - resource/aws\_ivs\_recording\_configuration: Add resource identity support ([#43704](https://github.com/hashicorp/terraform-provider-aws/issues/43704)) - resource/aws\_ivschat\_logging\_configuration: Add resource identity support ([#43697](https://github.com/hashicorp/terraform-provider-aws/issues/43697)) - resource/aws\_ivschat\_room: Add resource identity support ([#43697](https://github.com/hashicorp/terraform-provider-aws/issues/43697)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `iceberg_configuration.append_only` argument ([#43647](https://github.com/hashicorp/terraform-provider-aws/issues/43647)) - resource/aws\_lightsail\_static\_ip: Support resource import ([#43672](https://github.com/hashicorp/terraform-provider-aws/issues/43672)) - resource/aws\_opensearch\_domain\_policy: Support resource import ([#43674](https://github.com/hashicorp/terraform-provider-aws/issues/43674)) - resource/aws\_quicksight\_user: Add plan-time validation of `iam_arn` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - resource/aws\_quicksight\_user: Change `user_name` to Optional and Computed ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - resource/aws\_quicksight\_user: Support `IAM_IDENTITY_CENTER` as a valid value for `identity_type` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - resource/aws\_quicksight\_user: Support `RESTRICTED_AUTHOR` and `RESTRICTED_READER` as valid values for `user_role` ([#43613](https://github.com/hashicorp/terraform-provider-aws/issues/43613)) - resource/aws\_security\_group: Add parameterized resource identity support ([#43744](https://github.com/hashicorp/terraform-provider-aws/issues/43744)) - resource/aws\_sqs\_queue: Increase upper limit of `max_message_size` from 256 KiB to 1024 KiB ([#43710](https://github.com/hashicorp/terraform-provider-aws/issues/43710)) - resource/aws\_ssm\_parameter: Add resource identity support ([#43736](https://github.com/hashicorp/terraform-provider-aws/issues/43736)) BUG FIXES: - ephemeral-resource/aws\_lambda\_invocation: Fix plan inconsistency issue due to improperly assigned payload values ([#43676](https://github.com/hashicorp/terraform-provider-aws/issues/43676)) - provider: Fix failure to detect resources deleted outside of Terraform as missing for numerous resource types ([#43659](https://github.com/hashicorp/terraform-provider-aws/issues/43659)) - resource/aws\_batch\_compute\_environment: Fix `inconsistent final plan` error when `compute_resource.launch_template.version` is unknown during an update ([#43337](https://github.com/hashicorp/terraform-provider-aws/issues/43337)) - resource/aws\_bedrockagent\_flow: Prevent `created_at` becoming `null` on Update ([#43654](https://github.com/hashicorp/terraform-provider-aws/issues/43654)) - resource/aws\_ec2\_managed\_prefix\_list: Fix `PrefixListVersionMismatch: The prefix list has the incorrect version number` errors when updating entry description ([#43661](https://github.com/hashicorp/terraform-provider-aws/issues/43661)) - resource/aws\_fsx\_lustre\_file\_system: Fix validation of SSD read cache size for file systems using the Intelligent-Tiering storage class ([#43605](https://github.com/hashicorp/terraform-provider-aws/issues/43605)) - resource/aws\_instance: Prevent destruction of resource when `disable_api_termination` is `true` ([#43722](https://github.com/hashicorp/terraform-provider-aws/issues/43722)) - resource/aws\_kms\_key: Restore pre-v6.3.0 retry delay behavior when waiting for continuous target state occurrences. This fixes certain tag update timeouts ([#43716](https://github.com/hashicorp/terraform-provider-aws/issues/43716)) - resource/aws\_s3tables\_table\_bucket: Fix crash on `maintenance_configuration` read failure ([#43707](https://github.com/hashicorp/terraform-provider-aws/issues/43707)) - resource/aws\_sagemaker\_image: Fix `image_name` regular expression validation ([#43751](https://github.com/hashicorp/terraform-provider-aws/issues/43751)) - resource/aws\_timestreaminfluxdb\_db\_instance: Don't mark `network_type` as [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) if the value is not configured. This fixes a problem with `terraform apply -refresh=false` after upgrade from `v5.90.0` and below ([#43534](https://github.com/hashicorp/terraform-provider-aws/issues/43534)) - resource/aws\_wafv2\_regex\_pattern\_set: Remove maximum items limit on the `regular_expression` argument ([#43693](https://github.com/hashicorp/terraform-provider-aws/issues/43693)) ### [`v6.7.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#670-July-31-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.6.0...v6.7.0) FEATURES: - **New Resource:** `aws_quicksight_ip_restriction` ([#43596](https://github.com/hashicorp/terraform-provider-aws/issues/43596)) - **New Resource:** `aws_quicksight_key_registration` ([#43587](https://github.com/hashicorp/terraform-provider-aws/issues/43587)) ENHANCEMENTS: - data-source/aws\_codebuild\_fleet: Add `instance_type` attribute in `compute_configuration` block ([#43449](https://github.com/hashicorp/terraform-provider-aws/issues/43449)) - data-source/aws\_ebs\_volume: Add `volume_initialization_rate` attribute ([#43565](https://github.com/hashicorp/terraform-provider-aws/issues/43565)) - data-source/aws\_ecs\_service: Support `load_balancer` attribute ([#43582](https://github.com/hashicorp/terraform-provider-aws/issues/43582)) - data-source/aws\_s3\_access\_point: Add `tags` attribute. This functionality requires the `s3:ListTagsForResource` IAM permission with S3 Access Points for general purpose buckets and the `s3express:ListTagsForResource` IAM permission with S3 Access Points for directory buckets ([#43630](https://github.com/hashicorp/terraform-provider-aws/issues/43630)) - data-source/aws\_verifiedpermissions\_policy\_store: Add `deletion_protection` attribute ([#43452](https://github.com/hashicorp/terraform-provider-aws/issues/43452)) - resource/aws\_athena\_workgroup: Add `configuration.identity_center_configuration` argument ([#38717](https://github.com/hashicorp/terraform-provider-aws/issues/38717)) - resource/aws\_cleanrooms\_collaboration: Add `analytics_engine` argument ([#43614](https://github.com/hashicorp/terraform-provider-aws/issues/43614)) - resource/aws\_codebuild\_fleet: Add `instance_type` argument in `compute_configuration` block to support custom instance types ([#43449](https://github.com/hashicorp/terraform-provider-aws/issues/43449)) - resource/aws\_ebs\_volume: Add `volume_initialization_rate` argument ([#43565](https://github.com/hashicorp/terraform-provider-aws/issues/43565)) - resource/aws\_s3\_access\_point: Add `tags` argument and `tags_all` attribute. This functionality requires the `s3:ListTagsForResource`, `s3:TagResource`, and `s3:UntagResource` IAM permissions with S3 Access Points for general purpose buckets and the `s3express:ListTagsForResource`, `s3express:TagResource`, and `s3express:UntagResource` IAM permissions with S3 Access Points for directory buckets ([#43630](https://github.com/hashicorp/terraform-provider-aws/issues/43630)) - resource/aws\_verifiedpermissions\_policy\_store: Add `deletion_protection` argument ([#43452](https://github.com/hashicorp/terraform-provider-aws/issues/43452)) BUG FIXES: - resource/aws\_bedrockagent\_flow: Fix `missing required field, CreateFlowInput.Definition.Nodes[0].Configuration[prompt].SourceConfiguration[resource].PromptArn` errors on Create ([#43595](https://github.com/hashicorp/terraform-provider-aws/issues/43595)) - resource/aws\_s3\_bucket: Accept `NoSuchTagSetError` responses from S3-compatible services ([#43589](https://github.com/hashicorp/terraform-provider-aws/issues/43589)) - resource/aws\_s3\_object: Accept `NoSuchTagSetError` responses from S3-compatible services ([#43589](https://github.com/hashicorp/terraform-provider-aws/issues/43589)) - resource/aws\_servicequotas\_service\_quota: Fix error when updating a pending service quota request ([#43606](https://github.com/hashicorp/terraform-provider-aws/issues/43606)) - resource/aws\_ssm\_parameter: Fix `Provider produced inconsistent final plan` errors when changing from using `value` to using `value_wo` ([#42877](https://github.com/hashicorp/terraform-provider-aws/issues/42877)) - resource/aws\_ssm\_parameter: Fix `version` not being updated when `description` changes ([#42595](https://github.com/hashicorp/terraform-provider-aws/issues/42595)) ### [`v6.6.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#660-July-28-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.5.0...v6.6.0) FEATURES: - **New Resource:** `aws_connect_phone_number_contact_flow_association` ([#43557](https://github.com/hashicorp/terraform-provider-aws/issues/43557)) - **New Resource:** `aws_nat_gateway_eip_association` ([#42591](https://github.com/hashicorp/terraform-provider-aws/issues/42591)) ENHANCEMENTS: - data-source/aws\_cloudwatch\_event\_bus: Add `log_config` attribute ([#43453](https://github.com/hashicorp/terraform-provider-aws/issues/43453)) - data-source/aws\_ssm\_patch\_baseline: Add `available_security_updates_compliance_status` argument ([#43560](https://github.com/hashicorp/terraform-provider-aws/issues/43560)) - feature/aws\_bedrock\_guardrail: Add `cross_region_config`, `content_policy_config.tier_config`, and `topic_policy_config.tier_config` arguments ([#43517](https://github.com/hashicorp/terraform-provider-aws/issues/43517)) - resource/aws\_athena\_database: Add `workgroup` argument ([#36628](https://github.com/hashicorp/terraform-provider-aws/issues/36628)) - resource/aws\_batch\_compute\_environment: Add `compute_resources.ec2_configuration.image_kubernetes_version` argument ([#43454](https://github.com/hashicorp/terraform-provider-aws/issues/43454)) - resource/aws\_cloudwatch\_event\_bus: Add `log_config` argument ([#43453](https://github.com/hashicorp/terraform-provider-aws/issues/43453)) - resource/aws\_cognito\_resource\_server: Allow `name` to be updated in-place ([#41702](https://github.com/hashicorp/terraform-provider-aws/issues/41702)) - resource/aws\_cognito\_user\_pool: Allow `name` to be updated in-place ([#42639](https://github.com/hashicorp/terraform-provider-aws/issues/42639)) - resource/aws\_globalaccelerator\_custom\_routing\_endpoint\_group: Add resource identity support ([#43539](https://github.com/hashicorp/terraform-provider-aws/issues/43539)) - resource/aws\_globalaccelerator\_custom\_routing\_listener: Add resource identity support ([#43539](https://github.com/hashicorp/terraform-provider-aws/issues/43539)) - resource/aws\_globalaccelerator\_endpoint\_group: Add resource identity support ([#43539](https://github.com/hashicorp/terraform-provider-aws/issues/43539)) - resource/aws\_globalaccelerator\_listener: Add resource identity support ([#43539](https://github.com/hashicorp/terraform-provider-aws/issues/43539)) - resource/aws\_imagebuilder\_container\_recipe: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_distribution\_configuration: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_image: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_image\_pipeline: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_image\_recipe: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_infrastructure\_configuration: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_imagebuilder\_workflow: Add resource identity support ([#43540](https://github.com/hashicorp/terraform-provider-aws/issues/43540)) - resource/aws\_inspector\_assessment\_target: Add resource identity support ([#43542](https://github.com/hashicorp/terraform-provider-aws/issues/43542)) - resource/aws\_inspector\_assessment\_template: Add resource identity support ([#43542](https://github.com/hashicorp/terraform-provider-aws/issues/43542)) - resource/aws\_inspector\_resource\_group: Add resource identity support ([#43542](https://github.com/hashicorp/terraform-provider-aws/issues/43542)) - resource/aws\_nat\_gateway: Change `secondary_allocation_ids` to Optional and Computed ([#42591](https://github.com/hashicorp/terraform-provider-aws/issues/42591)) - resource/aws\_ssm\_patch\_baseline: Add `available_security_updates_compliance_status` argument ([#43560](https://github.com/hashicorp/terraform-provider-aws/issues/43560)) - resource/aws\_ssm\_service\_setting: Support short format (with `/ssm/` prefix) for `setting_id` ([#43562](https://github.com/hashicorp/terraform-provider-aws/issues/43562)) BUG FIXES: - resource/aws\_appsync\_api\_cache: Fix "missing required field" error during update ([#43523](https://github.com/hashicorp/terraform-provider-aws/issues/43523)) - resource/aws\_cloudwatch\_log\_delivery\_destination: Fix update failure when tags are set ([#43576](https://github.com/hashicorp/terraform-provider-aws/issues/43576)) - resource/aws\_ecs\_service: Fix unspecified `test_listener_rule` incorrectly being set as empty string in `load_balancer.advanced_configuration` block ([#43558](https://github.com/hashicorp/terraform-provider-aws/issues/43558)) ### [`v6.5.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#650-July-24-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.4.0...v6.5.0) NOTES: - resource/aws\_cognito\_log\_delivery\_configuration: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing ([#43396](https://github.com/hashicorp/terraform-provider-aws/issues/43396)) - resource/aws\_ecs\_service: Acceptance tests cannot fully reproduce scenarios with deployments older than 3 months. Community feedback on this fix is appreciated, particularly for long-running ECS services with in-place updates ([#43502](https://github.com/hashicorp/terraform-provider-aws/issues/43502)) FEATURES: - **New Data Source:** `aws_ecr_images` ([#42577](https://github.com/hashicorp/terraform-provider-aws/issues/42577)) - **New Resource:** `aws_cognito_log_delivery_configuration` ([#43396](https://github.com/hashicorp/terraform-provider-aws/issues/43396)) - **New Resource:** `aws_networkfirewall_firewall_transit_gateway_attachment_accepter` ([#43430](https://github.com/hashicorp/terraform-provider-aws/issues/43430)) - **New Resource:** `aws_s3_bucket_metadata_configuration` ([#41364](https://github.com/hashicorp/terraform-provider-aws/issues/41364)) ENHANCEMENTS: - data-source/aws\_dms\_endpoint: Add `postgres_settings.authentication_method` and `postgres_settings.service_access_role_arn` attributes ([#43440](https://github.com/hashicorp/terraform-provider-aws/issues/43440)) - data-source/aws\_networkfirewall\_firewall: Add `availability_zone_change_protection`, `availability_zone_mapping`, `firewall_status.sync_states.attachment.status_message`, `firewall_status.transit_gateway_attachment_sync_states`, `transit_gateway_id`, and `transit_gateway_owner_account_id` attributes ([#43430](https://github.com/hashicorp/terraform-provider-aws/issues/43430)) - resource/aws\_alb\_listener: Add resource identity support ([#43161](https://github.com/hashicorp/terraform-provider-aws/issues/43161)) - resource/aws\_alb\_listener\_rule: Add resource identity support ([#43155](https://github.com/hashicorp/terraform-provider-aws/issues/43155)) - resource/aws\_alb\_target\_group: Add resource identity support ([#43171](https://github.com/hashicorp/terraform-provider-aws/issues/43171)) - resource/aws\_dms\_endpoint: Add `oracle_settings` configuration block for authentication method ([#43125](https://github.com/hashicorp/terraform-provider-aws/issues/43125)) - resource/aws\_dms\_endpoint: Add `postgres_settings.authentication_method` and `postgres_settings.service_access_role_arn` arguments ([#43440](https://github.com/hashicorp/terraform-provider-aws/issues/43440)) - resource/aws\_dms\_endpoint: Add plan-time validation of `postgres_settings.database_mode`, `postgres_settings.map_long_varchar_as`, and `postgres_settings.plugin_name` arguments ([#43440](https://github.com/hashicorp/terraform-provider-aws/issues/43440)) - resource/aws\_dms\_replication\_instance: Add `dns_name_servers` attribute and `kerberos_authentication_settings` configuration block for Kerberos authentication settings ([#43125](https://github.com/hashicorp/terraform-provider-aws/issues/43125)) - resource/aws\_dx\_gateway\_association: Add `transit_gateway_attachment_id` attribute. This functionality requires the `ec2:DescribeTransitGatewayAttachments` IAM permission ([#43436](https://github.com/hashicorp/terraform-provider-aws/issues/43436)) - resource/aws\_globalaccelerator\_accelerator: Add resource identity support ([#43200](https://github.com/hashicorp/terraform-provider-aws/issues/43200)) - resource/aws\_globalaccelerator\_custom\_routing\_accelerator: Add resource identity support ([#43423](https://github.com/hashicorp/terraform-provider-aws/issues/43423)) - resource/aws\_glue\_registry: Add resource identity support ([#43450](https://github.com/hashicorp/terraform-provider-aws/issues/43450)) - resource/aws\_glue\_schema: Add resource identity support ([#43450](https://github.com/hashicorp/terraform-provider-aws/issues/43450)) - resource/aws\_iam\_openid\_connect\_provider: Add resource identity support ([#43503](https://github.com/hashicorp/terraform-provider-aws/issues/43503)) - resource/aws\_iam\_policy: Add resource identity support ([#43503](https://github.com/hashicorp/terraform-provider-aws/issues/43503)) - resource/aws\_iam\_saml\_provider: Add resource identity support ([#43503](https://github.com/hashicorp/terraform-provider-aws/issues/43503)) - resource/aws\_iam\_service\_linked\_role: Add resource identity support ([#43503](https://github.com/hashicorp/terraform-provider-aws/issues/43503)) - resource/aws\_inspector2\_enabler: Support `CODE_REPOSITORY` as a valid value for `resource_types` ([#43525](https://github.com/hashicorp/terraform-provider-aws/issues/43525)) - resource/aws\_inspector2\_organization\_configuration: Add `auto_enable.code_repository` argument ([#43525](https://github.com/hashicorp/terraform-provider-aws/issues/43525)) - resource/aws\_lb\_listener: Add resource identity support ([#43161](https://github.com/hashicorp/terraform-provider-aws/issues/43161)) - resource/aws\_lb\_listener\_rule: Add resource identity support ([#43155](https://github.com/hashicorp/terraform-provider-aws/issues/43155)) - resource/aws\_lb\_target\_group: Add resource identity support ([#43171](https://github.com/hashicorp/terraform-provider-aws/issues/43171)) - resource/aws\_lb\_trust\_store: Add resource identity support ([#43186](https://github.com/hashicorp/terraform-provider-aws/issues/43186)) - resource/aws\_networkfirewall\_firewall: Add `availability_zone_change_protection`, `availability_zone_mapping`, and `transit_gateway_id` arguments and `firewall_status.transit_gateway_attachment_sync_states` and `transit_gateway_owner_account_id` attributes ([#43430](https://github.com/hashicorp/terraform-provider-aws/issues/43430)) - resource/aws\_networkfirewall\_firewall: Mark `subnet_mapping` and `vpc_id` as Optional ([#43430](https://github.com/hashicorp/terraform-provider-aws/issues/43430)) - resource/aws\_quicksight\_account\_subscription: Add import support. This resource can now be imported via the `aws_account_id` argument. ([#43501](https://github.com/hashicorp/terraform-provider-aws/issues/43501)) - resource/aws\_sns\_topic: Add resource identity support ([#43202](https://github.com/hashicorp/terraform-provider-aws/issues/43202)) - resource/aws\_wafv2\_rule\_group: Add `rules_json` argument ([#43397](https://github.com/hashicorp/terraform-provider-aws/issues/43397)) - resource/aws\_wafv2\_web\_acl: Add `statement.rate_based_statement.custom_key.asn` argument ([#43506](https://github.com/hashicorp/terraform-provider-aws/issues/43506)) BUG FIXES: - provider: Prevent planned `forces replacement` on `region` for numerous resource types when upgrading from a pre-v6.0.0 provider version and `-refresh=false` is in effect ([#43516](https://github.com/hashicorp/terraform-provider-aws/issues/43516)) - resource/aws\_api\_gateway\_resource: Recompute `path` when `path_part` is updated ([#43215](https://github.com/hashicorp/terraform-provider-aws/issues/43215)) - resource/aws\_bedrockagent\_flow: Remove `definition.connection` and `definition.node` list length limits ([#43471](https://github.com/hashicorp/terraform-provider-aws/issues/43471)) - resource/aws\_ecs\_service: Improve stabilization logic to handle both new deployments and in-place updates correctly. This fixes a regression introduced in [v6.4.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#640-july-17-2025) ([#43502](https://github.com/hashicorp/terraform-provider-aws/issues/43502)) - resource/aws\_instance: Recompute `ipv6_addresses` when `ipv6_address_count` is updated ([#43158](https://github.com/hashicorp/terraform-provider-aws/issues/43158)) ### [`v6.4.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#640-July-17-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.3.0...v6.4.0) FEATURES: - **New Data Source:** `aws_s3_access_point` ([#43391](https://github.com/hashicorp/terraform-provider-aws/issues/43391)) - **New Resource:** `aws_bedrockagent_flow` ([#42201](https://github.com/hashicorp/terraform-provider-aws/issues/42201)) - **New Resource:** `aws_fsx_s3_access_point_attachment` ([#43391](https://github.com/hashicorp/terraform-provider-aws/issues/43391)) ENHANCEMENTS: - data-source/aws\_bedrock\_inference\_profiles: Add `type` argument ([#43150](https://github.com/hashicorp/terraform-provider-aws/issues/43150)) - data-source/aws\_lakeformation\_resource: Support `hybrid_access_enabled`, `with_federation` and `with_privileged_access` attributes ([#43377](https://github.com/hashicorp/terraform-provider-aws/issues/43377)) - resource/aws\_acm\_certificate: Support `options.export` argument to issue an exportable certificate ([#43207](https://github.com/hashicorp/terraform-provider-aws/issues/43207)) - resource/aws\_cloudwatch\_log\_metric\_filter: Add `apply_on_transformed_logs` argument ([#43381](https://github.com/hashicorp/terraform-provider-aws/issues/43381)) - resource/aws\_datasync\_location\_object\_storage: Make `agent_arns` optional ([#43400](https://github.com/hashicorp/terraform-provider-aws/issues/43400)) - resource/aws\_ecs\_service: Add `deployment_configuration` argument ([#43434](https://github.com/hashicorp/terraform-provider-aws/issues/43434)) - resource/aws\_ecs\_service: Add `load_balancer.advanced_configuration` argument ([#43434](https://github.com/hashicorp/terraform-provider-aws/issues/43434)) - resource/aws\_ecs\_service: Add `service.client_alias.test_traffic_rules` argument ([#43434](https://github.com/hashicorp/terraform-provider-aws/issues/43434)) - resource/aws\_ecs\_service: `deployment_controller.type` changes no longer force a replacement ([#43434](https://github.com/hashicorp/terraform-provider-aws/issues/43434)) - resource/aws\_lakeformation\_resource: Support `with_privileged_access` argument ([#43377](https://github.com/hashicorp/terraform-provider-aws/issues/43377)) - resource/aws\_s3\_bucket\_public\_access\_block: Add `skip_destroy` argument ([#43415](https://github.com/hashicorp/terraform-provider-aws/issues/43415)) BUG FIXES: - resource/aws\_bedrockagent\_agent\_action\_group: Correctly set `parent_action_group_signature` on Read ([#43355](https://github.com/hashicorp/terraform-provider-aws/issues/43355)) - resource/aws\_datazone\_environment\_blueprint\_configuration: Fix `Inappropriate value for attribute "regional_parameters"` errors during planning. This fixes a regression introduced in [v6.0.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#600-june-18-2025) ([#43382](https://github.com/hashicorp/terraform-provider-aws/issues/43382)) - resource/aws\_ec2\_transit\_gateway\_route\_table\_propagation: Don't mark `transit_gateway_attachment_id` as [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) if the value is known not to change ([#43405](https://github.com/hashicorp/terraform-provider-aws/issues/43405)) - resource/aws\_lambda\_function: Fix `waiting for Lambda Function (...) version publish: unexpected state '', wanted target 'Successful'` errors on Update. This fixes a regression introduced in [v6.2.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#620-july--2-2025) ([#43416](https://github.com/hashicorp/terraform-provider-aws/issues/43416)) - resource/aws\_lexv2models\_slot: Fix error when `sub_slot_setting.slot_specification.value_elicitation_setting.prompt_specification.prompt_attempts_specification` and `value_elicitation_setting.prompt_specification.prompt_attempts_specification` have default values ([#43358](https://github.com/hashicorp/terraform-provider-aws/issues/43358)) - resource/aws\_securitylake\_data\_lake: Allow `meta_store_role_arn` to be updated in-place ([#36874](https://github.com/hashicorp/terraform-provider-aws/issues/36874)) ### [`v6.3.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#630-July-10-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.2.0...v6.3.0) FEATURES: - **New Resource:** `aws_prometheus_query_logging_configuration` ([#43222](https://github.com/hashicorp/terraform-provider-aws/issues/43222)) ENHANCEMENTS: - data-source/aws\_cloudfront\_distribution: Add `anycast_ip_list_id` attribute ([#43196](https://github.com/hashicorp/terraform-provider-aws/issues/43196)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `core_network_configuration.dns_support` and `core_network_configuration.security_group_referencing_support` arguments ([#43277](https://github.com/hashicorp/terraform-provider-aws/issues/43277)) - resource/aws\_cloudfront\_distribution: Add `anycast_ip_list_id` argument ([#43196](https://github.com/hashicorp/terraform-provider-aws/issues/43196)) - resource/aws\_dynamodb\_table: Add `replica.consistency_mode` argument in support of [multi-Region strong consistency](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2globaltables_HowItWorks.html#V2globaltables_HowItWorks.choosing-consistency-mode) for Amazon DynamoDB global tables ([#43236](https://github.com/hashicorp/terraform-provider-aws/issues/43236)) BUG FIXES: - provider: Fix `runtime error: invalid memory address or nil pointer dereference` panics for numerous resource types when modifying `tags` ([#43324](https://github.com/hashicorp/terraform-provider-aws/issues/43324)) - resource/aws\_bedrockagent\_agent\_action\_group: Add missing prepare agent call when deleting an action group ([#43232](https://github.com/hashicorp/terraform-provider-aws/issues/43232)) - resource/aws\_bedrockagent\_agent\_action\_group: Retry `operation can't be performed on Agent when it is in Preparing state.` errors during agent action group base creation, update, and deletion. ([#43232](https://github.com/hashicorp/terraform-provider-aws/issues/43232)) - resource/aws\_bedrockagent\_agent\_knowledge\_base\_association: Add missing prepare agent call when deleting a knowledge base association ([#43232](https://github.com/hashicorp/terraform-provider-aws/issues/43232)) - resource/aws\_bedrockagent\_agent\_knowledge\_base\_association: Retry `operation can't be performed on Agent when it is in Preparing state.` errors during agent knowledge base creation and disassociation ([#43232](https://github.com/hashicorp/terraform-provider-aws/issues/43232)) - resource/aws\_cloudfrontkeyvaluestore\_keys\_exclusive: Fix errant deletion of key value pairs when a value is changed ([#43208](https://github.com/hashicorp/terraform-provider-aws/issues/43208)) - resource/aws\_cognito\_user\_pool\_domain: Correctly update `managed_login_version` for custom Cognito domains ([#43252](https://github.com/hashicorp/terraform-provider-aws/issues/43252)) - resource/aws\_db\_instance\_role\_association: Retry `InvalidDBInstanceState` errors on delete ([#43303](https://github.com/hashicorp/terraform-provider-aws/issues/43303)) - resource/aws\_medialive\_channel: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panics when configuration blocks are empty ([#43308](https://github.com/hashicorp/terraform-provider-aws/issues/43308)) - resource/aws\_rds\_cluster\_role\_association: Retry `InvalidDBClusterStateFault` errors on delete ([#43303](https://github.com/hashicorp/terraform-provider-aws/issues/43303)) - resource/aws\_redshift\_cluster: Correctly set `availability_zone_relocation_enabled` ([#43270](https://github.com/hashicorp/terraform-provider-aws/issues/43270)) - resource/aws\_route53profiles\_resource\_association: Change `resource_properties` to Computed to enable `vpc_endpoint` associations ([#42562](https://github.com/hashicorp/terraform-provider-aws/issues/42562)) - resource/aws\_ssoadmin\_application: Updates value of `arn` when refreshing state. ([#43273](https://github.com/hashicorp/terraform-provider-aws/issues/43273)) ### [`v6.2.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#620-July-2-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v6.0.0...v6.2.0) NOTES: - resource/aws\_s3\_bucket\_object: The format of the `id` attribute has changed from `key` to `bucket`**/**`key`. All configurations using `id` should be updated to use the `key` attribute instead ([#43119](https://github.com/hashicorp/terraform-provider-aws/issues/43119)) - resource/aws\_s3\_object: The format of the `id` attribute has changed from `key` to `bucket`**/**`key`. All configurations using `id` should be updated to use the `key` attribute instead ([#43119](https://github.com/hashicorp/terraform-provider-aws/issues/43119)) ENHANCEMENTS: - data-source/aws\_kinesis\_stream\_consumer: Add `tags` attribute. This functionality requires the `kinesis:ListTagsForResource` IAM permission ([#43173](https://github.com/hashicorp/terraform-provider-aws/issues/43173)) - data-source/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.stateful_rule_group_reference.deep_threat_inspection` attribute ([#43137](https://github.com/hashicorp/terraform-provider-aws/issues/43137)) - resource/aws\_accessanalyzer\_analyzer: Add `configuration.internal_access` argument ([#43138](https://github.com/hashicorp/terraform-provider-aws/issues/43138)) - resource/aws\_amplify\_app: Add `job_config` argument ([#43136](https://github.com/hashicorp/terraform-provider-aws/issues/43136)) - resource/aws\_amplify\_branch: Add `enable_skew_protection` argument ([#43218](https://github.com/hashicorp/terraform-provider-aws/issues/43218)) - resource/aws\_cloudtrail: Support `errorCode`, `eventType`, `sessionCredentialFromConsole`, and `vpcEndpointId` as valid values for `advanced_event_selector.field_selector.field` ([#43091](https://github.com/hashicorp/terraform-provider-aws/issues/43091)) - resource/aws\_cloudtrail\_event\_data\_store: Support `errorCode`, `eventType`, `sessionCredentialFromConsole`, and `vpcEndpointId` as valid values for `advanced_event_selector.field_selector.field` ([#43091](https://github.com/hashicorp/terraform-provider-aws/issues/43091)) - resource/aws\_cloudwatch\_event\_archive: Add `kms_key_identifier` argument ([#43139](https://github.com/hashicorp/terraform-provider-aws/issues/43139)) - resource/aws\_cloudwatch\_log\_group: Support `DELIVERY` as a valid value for `log_group_class` ([#42658](https://github.com/hashicorp/terraform-provider-aws/issues/42658)) - resource/aws\_codebuild\_project: Add `environment.docker_server` configuration block ([#42982](https://github.com/hashicorp/terraform-provider-aws/issues/42982)) - resource/aws\_eks\_pod\_identity\_association: Add `disable_session_tags` and `target_role_arn` arguments and `external_id` attribute ([#42979](https://github.com/hashicorp/terraform-provider-aws/issues/42979)) - resource/aws\_emr\_cluster: Add `os_release_label` argument ([#43018](https://github.com/hashicorp/terraform-provider-aws/issues/43018)) - resource/aws\_fms\_policy: Add `resource_tag_logical_operator` argument ([#43031](https://github.com/hashicorp/terraform-provider-aws/issues/43031)) - resource/aws\_glue\_job: Support `job_mode` argument ([#42607](https://github.com/hashicorp/terraform-provider-aws/issues/42607)) - resource/aws\_kinesis\_stream\_consumer: Add `tags` argument and `tags_all` attribute. This functionality requires the `kinesis:ListTagsForResource`, `kinesis:TagResource`, and `kinesis:UntagResource` IAM permissions ([#43173](https://github.com/hashicorp/terraform-provider-aws/issues/43173)) - resource/aws\_kms\_key: Support `HMAC_224`, `HMAC_384`, `HMAC_512`, `ML_DSA_44`, `ML_DSA_65`, and `ML_DSA_87` as valid values for `customer_master_key_spec` ([#43128](https://github.com/hashicorp/terraform-provider-aws/issues/43128)) - resource/aws\_lightsail\_instance\_public\_ports: `-1` is now a valid value for `port_info.from_port` and `port_info.to_port` ([#37703](https://github.com/hashicorp/terraform-provider-aws/issues/37703)) - resource/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.stateful_rule_group_reference.deep_threat_inspection` argument ([#43137](https://github.com/hashicorp/terraform-provider-aws/issues/43137)) - resource/aws\_rbin\_rule: Add `exclude_resource_tags` argument ([#43189](https://github.com/hashicorp/terraform-provider-aws/issues/43189)) - resource/aws\_s3\_directory\_bucket: Add `tags` argument and `tags_all` attribute. This functionality requires the `s3express:ListTagsForResource`, `s3express:TagResource`, and `s3express:UntagResource` IAM permissions ([#43256](https://github.com/hashicorp/terraform-provider-aws/issues/43256)) - resource/aws\_s3tables\_table: Add `metadata` argument ([#43112](https://github.com/hashicorp/terraform-provider-aws/issues/43112)) - resource/aws\_wafv2\_web\_acl: Add `aws_managed_rules_anti_ddos_rule_set` to `managed_rule_group_configs` configuration block in support of L7 DDoS protection ([#43149](https://github.com/hashicorp/terraform-provider-aws/issues/43149)) BUG FIXES: - provider: Fix `Unexpected Identity Change` errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 ([#43221](https://github.com/hashicorp/terraform-provider-aws/issues/43221)) - resource/aws\_appflow\_connector\_profile: Fixes error refreshing resource state ([#43221](https://github.com/hashicorp/terraform-provider-aws/issues/43221)) - resource/aws\_bcmdataexports\_export: Fixes error when refreshing state with resources created before v6.0.0 ([#43090](https://github.com/hashicorp/terraform-provider-aws/issues/43090)) - resource/aws\_bedrockagent\_agent: Retry `Exceeded the number of retries on OptLock failure. Too many concurrent requests.` errors during update ([#43179](https://github.com/hashicorp/terraform-provider-aws/issues/43179)) - resource/aws\_bedrockagent\_agent: Retry `Prepare operation can't be performed on Agent when it is in Preparing state.` errors during prepare ([#43179](https://github.com/hashicorp/terraform-provider-aws/issues/43179)) - resource/aws\_bedrockagent\_agent: Retry `Update operation can't be performed on Agent when it is in Preparing state.` errors during update ([#43179](https://github.com/hashicorp/terraform-provider-aws/issues/43179)) - resource/aws\_bedrockagent\_agent\_collaborator: Retry `operation can't be performed on Agent when it is in Preparing state.` errors during agent collaborator update and disassociation ([#43179](https://github.com/hashicorp/terraform-provider-aws/issues/43179)) - resource/aws\_cloudwatch\_query\_definition: Support ARNs as valid values for `log_group_names` ([#43183](https://github.com/hashicorp/terraform-provider-aws/issues/43183)) - resource/aws\_cur\_report\_definition: Allow an empty (`""`) value for `s3_prefix`. This fixes a regression introduced in [v6.0.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#600-june-18-2025) ([#43159](https://github.com/hashicorp/terraform-provider-aws/issues/43159)) - resource/aws\_elasticsearch\_domain: Disable publishing for `log_publishing_options` removed on Update. This prevents a perpetual diff ([#43033](https://github.com/hashicorp/terraform-provider-aws/issues/43033)) - resource/aws\_elasticsearch\_domain: Fix `ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream` IAM eventual consistency errors on Create ([#43033](https://github.com/hashicorp/terraform-provider-aws/issues/43033)) - resource/aws\_lambda\_function: Fix perpetual `logging_config` diffs when `log_format` is set to `JSON` and `publish = true` ([#42660](https://github.com/hashicorp/terraform-provider-aws/issues/42660)) - resource/aws\_lexv2models\_intent: Add semantic equality check for `confirmation_setting.prompt_specification.prompt_attempts_specification` defaults ([#43147](https://github.com/hashicorp/terraform-provider-aws/issues/43147)) - resource/aws\_opensearch\_domain: Disable publishing for `log_publishing_options` removed on Update. This prevents a perpetual diff ([#43033](https://github.com/hashicorp/terraform-provider-aws/issues/43033)) - resource/aws\_opensearch\_domain: Fix `ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream` IAM eventual consistency errors on Create ([#43033](https://github.com/hashicorp/terraform-provider-aws/issues/43033)) - resource/aws\_quicksight\_analysis: `WHOLE` is now a valid value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness` ([#37116](https://github.com/hashicorp/terraform-provider-aws/issues/37116)) - resource/aws\_quicksight\_dashboard: `WHOLE` is now a valid value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness` ([#37116](https://github.com/hashicorp/terraform-provider-aws/issues/37116)) - resource/aws\_quicksight\_template: `WHOLE` is now a valid value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness` ([#37116](https://github.com/hashicorp/terraform-provider-aws/issues/37116)) - resource/aws\_quicksight\_user: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `email` ([#43014](https://github.com/hashicorp/terraform-provider-aws/issues/43014)) - resource/aws\_verifiedpermissions\_schema: Fix `Value Conversion Error` errors when upgrading existing resources to Terraform AWS Provider v6.0.0 ([#43116](https://github.com/hashicorp/terraform-provider-aws/issues/43116)) ### [`v6.0.0`](https://github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#600-June-18-2025) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.100.0...v6.0.0) BREAKING CHANGES: - data-source/aws\_ami: The severity of the diagnostic returned when `most_recent` is `true` and owner and image ID filter criteria has been increased to an error. Existing configurations which were previously receiving a warning diagnostic will now fail to apply. To prevent this error, set the `owner` argument or include a `filter` block with an `image-id` or `owner-id` name/value pair. To continue using unsafe filter values with `most_recent` set to `true`, set the new `allow_unsafe_filter` argument to `true`. This is not recommended. ([#42114](https://github.com/hashicorp/terraform-provider-aws/issues/42114)) - data-source/aws\_ecs\_task\_definition: Remove `inference_accelerator` attribute. Amazon Elastic Inference reached end of life on April, 2024. ([#42137](https://github.com/hashicorp/terraform-provider-aws/issues/42137)) - data-source/aws\_ecs\_task\_execution: Remove `inference_accelerator_overrides` attribute. Amazon Elastic Inference reached end of life on April, 2024. ([#42137](https://github.com/hashicorp/terraform-provider-aws/issues/42137)) - data-source/aws\_elbv2\_listener\_rule: The `action.authenticate_cognito`, `action.authenticate_oidc`, `action.fixed_response`, `action.forward`, `action.forward.stickiness`, `action.redirect`, `condition.host_header`, `condition.http_header`, `condition.http_request_method`, `condition.path_pattern`, `condition.query_string`, and `condition.source_ip` attributes are now list nested blocks instead of single nested blocks ([#42283](https://github.com/hashicorp/terraform-provider-aws/issues/42283)) - data-source/aws\_identitystore\_user: `filter` has been removed ([#42325](https://github.com/hashicorp/terraform-provider-aws/issues/42325)) - data-source/aws\_launch\_template: Remove `elastic_inference_accelerator` attribute. Amazon Elastic Inference reached end of life on April, 2024. ([#42137](https://github.com/hashicorp/terraform-provider-aws/issues/42137)) - data-source/aws\_launch\_template: `elastic_gpu_specifications` has been removed ([#42312](https://github.com/hashicorp/terraform-provider-aws/issues/42312)) - data-source/aws\_opensearch\_domain: `kibana_endpoint` has been removed ([#42268](https://github.com/hashicorp/terraform-provider-aws/issues/42268)) - data-source/aws\_opensearchserverless\_security\_config: `saml_options` is now a list nested block instead of a single nested block ([#42270](https://github.com/hashicorp/terraform-provider-aws/issues/42270)) - data-source/aws\_service\_discovery\_service: Remove `tags_all` attribute ([#42136](https://github.com/hashicorp/terraform-provider-aws/issues/42136)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_application` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_custom_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_ecs_cluster_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_ganglia_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_haproxy_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_instance` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_java_app_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_memcached_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_mysql_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_nodejs_app_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_permission` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_php_app_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_rails_app_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_rds_db_instance` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_stack` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_static_web_layer` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the AWS OpsWorks Stacks service has reached [End Of Life](https://docs.aws.amazon.com/opsworks/latest/userguide/stacks-eol-faqs.html), the `aws_opsworks_user_profile` resource has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: As the [AWS SDK for Go v2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html) does not support Amazon SimpleDB the `aws_simpledb_domain` resource has been removed. Add a [constraint](https://developer.hashicorp.com/terraform/language/providers/requirements#version-constraints) to v5 of the Terraform AWS Provider for continued use of this resource ([#41775](https://github.com/hashicorp/terraform-provider-aws/issues/41775)) - provider: As the [AWS SDK for Go v2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html) does not support Amazon Worklink, the `aws_worklink_fleet` resource has been removed ([#42059](https://github.com/hashicorp/terraform-provider-aws/issues/42059)) - provider: As the [AWS SDK for Go v2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html) does not support Amazon Worklink, the `aws_worklink_website_certificate_authority_association` resource has been removed ([#42059](https://github.com/hashicorp/terraform-provider-aws/issues/42059)) - provider: The `aws_redshift_service_account` resource has been removed. AWS [recommends](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) that a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy ([#41941](https://github.com/hashicorp/terraform-provider-aws/issues/41941)) - provider: The `endpoints.iotanalytics` and `endpoints.iotevents` configuration arguments have been removed ([#42703](https://github.com/hashicorp/terraform-provider-aws/issues/42703)) - provider: The `endpoints.opsworks` configuration argument has been removed ([#41948](https://github.com/hashicorp/terraform-provider-aws/issues/41948)) - provider: The `endpoints.simpledb` and `endpoints.sdb` configuration arguments have been removed ([#41775](https://github.com/hashicorp/terraform-provider-aws/issues/41775)) - provider: The `endpoints.worklink` configuration argument has been removed ([#42059](https://github.com/hashicorp/terraform-provider-aws/issues/42059)) - resource/aws\_accessanalyzer\_archive\_rule: `filter.exists` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_alb\_target\_group: `preserve_client_ip` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_api\_gateway\_account: The `reset_on_delete` argument has been removed ([#42226](https://github.com/hashicorp/terraform-provider-aws/issues/42226)) - resource/aws\_api\_gateway\_deployment: Remove `canary_settings`, `execution_arn`, `invoke_url`, `stage_description`, and `stage_name` arguments. Instead, use the `aws_api_gateway_stage` resource to manage stages. ([#42249](https://github.com/hashicorp/terraform-provider-aws/issues/42249)) - resource/aws\_batch\_compute\_environment: Rename `compute_environment_name` to `name` resource/aws\_batch\_compute\_environment: Rename `compute_environment_name_prefix` to `name_prefix` ([#38050](https://github.com/hashicorp/terraform-provider-aws/issues/38050)) - resource/aws\_batch\_compute\_environment\_data\_source: Rename `compute_environment_name` to `name` ([#38050](https://github.com/hashicorp/terraform-provider-aws/issues/38050)) - resource/aws\_batch\_job\_queue: Remove deprecated parameter `compute_environments` in place of `compute_environment_order` ([#40751](https://github.com/hashicorp/terraform-provider-aws/issues/40751)) - resource/aws\_bedrock\_model\_invocation\_logging\_configuration: `logging_config`, `logging_config.cloudwatch_config`, `logging_config.cloudwatch_config.large_data_delivery_s3_config`, and `logging_config.s3_config` are now list nested blocks instead of single nested blocks ([#42307](https://github.com/hashicorp/terraform-provider-aws/issues/42307)) - resource/aws\_cloudfront\_key\_value\_store: Attribute `id` is now set to remote object's `Id` instead of `name` ([#42230](https://github.com/hashicorp/terraform-provider-aws/issues/42230)) - resource/aws\_cloudfront\_response\_headers\_policy: The `etag` argument is now computed only ([#38448](https://github.com/hashicorp/terraform-provider-aws/issues/38448)) - resource/aws\_cloudtrail\_event\_data\_store: `suspend` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_cognito\_user\_in\_group: The `id` attribute is now a comma-delimited string concatenating the `user_pool_id`, `group_name`, and `username` arguments ([#34082](https://github.com/hashicorp/terraform-provider-aws/issues/34082)) - resource/aws\_cur\_report\_definition: The `s3_prefix` argument is now required ([#38446](https://github.com/hashicorp/terraform-provider-aws/issues/38446)) - resource/aws\_db\_instance: `character_set_name` now cannot be set with `replicate_source_db`, `restore_to_point_in_time`, `s3_import`, or `snapshot_identifier`. ([#42348](https://github.com/hashicorp/terraform-provider-aws/issues/42348)) - resource/aws\_dms\_endpoint: Remove `s3_settings` attribute. Use `aws_dms_s3_endpoint` instead ([#42379](https://github.com/hashicorp/terraform-provider-aws/issues/42379)) - resource/aws\_dx\_gateway\_association: `vpn_gateway_id` has been removed ([#42323](https://github.com/hashicorp/terraform-provider-aws/issues/42323)) - resource/aws\_ec2\_spot\_instance\_fleet: `terminate_instances_on_delete` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_ec2\_spot\_instance\_request: Remove `block_duration_minutes` attribute ([#42060](https://github.com/hashicorp/terraform-provider-aws/issues/42060)) - resource/aws\_ecs\_task\_definition: Remove `inference_accelerator` attribute. Amazon Elastic Inference reached end of life on April, 2024. ([#42137](https://github.com/hashicorp/terraform-provider-aws/issues/42137)) - resource/aws\_eip: `vpc` has been removed. Use `domain` instead. ([#42340](https://github.com/hashicorp/terraform-provider-aws/issues/42340)) - resource/aws\_eks\_addon: `resolve_conflicts` has been removed. Use `resolve_conflicts_on_create` and `resolve_conflicts_on_update` instead. ([#42318](https://github.com/hashicorp/terraform-provider-aws/issues/42318)) - resource/aws\_elasticache\_cluster: `auto_minor_version_upgrade` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_elasticache\_replication\_group: `at_rest_encryption_enabled` and `auto_minor_version_upgrade` now only accept one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_elasticache\_replication\_group: `auth_token_update_strategy` no longer has a default value. If `auth_token` is set, `auth_token_update_strategy` must also be explicitly configured. ([#42336](https://github.com/hashicorp/terraform-provider-aws/issues/42336)) - resource/aws\_evidently\_feature: `variations.value.bool_value` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_flow\_log: `log_group_name` has been removed. Use `log_destination` instead. ([#42333](https://github.com/hashicorp/terraform-provider-aws/issues/42333)) - resource/aws\_globalaccelerator\_accelerator: The `id` attribute is now computed only ([#42097](https://github.com/hashicorp/terraform-provider-aws/issues/42097)) - resource/aws\_guardduty\_detector: Deprecates `datasources`. Use `aws_guardduty_detector_feature` resources instead. ([#42436](https://github.com/hashicorp/terraform-provider-aws/issues/42436)) - resource/aws\_guardduty\_organization\_configuration: The `auto_enable` attribute has been removed ([#42251](https://github.com/hashicorp/terraform-provider-aws/issues/42251)) - resource/aws\_identitystore\_group: `filter` has been removed ([#42325](https://github.com/hashicorp/terraform-provider-aws/issues/42325)) - resource/aws\_imagebuilder\_container\_recipe: `instance_configuration.block_device_mapping.ebs.delete_on_termination` and `instance_configuration.block_device_mapping.ebs.encrypted` now only accept one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_imagebuilder\_image\_recipe: `block_device_mapping.ebs.delete_on_termination` and `block_device_mapping.ebs.encrypted` now only accept one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_instance: Remove `cpu_core_count` and `cpu_threads_per_core`. Instead, use `cpu_options`. ([#42280](https://github.com/hashicorp/terraform-provider-aws/issues/42280)) - resource/aws\_instance: `user_data` now displays cleartext instead of a hash. Base64 encoded content should use `user_data_base64` instead. ([#42078](https://github.com/hashicorp/terraform-provider-aws/issues/42078)) - resource/aws\_launch\_template: `block_device_mappings.ebs.delete_on_termination`, `block_device_mappings.ebs.encrypted`, `ebs_optimized`, `network_interfaces.associate_carrier_ip_address`, `network_interfaces.associate_public_ip_address`, `network_interfaces.delete_on_termination`, and `network_interfaces.primary_ipv6` now only accept one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_launch\_template: Remove `elastic_inference_accelerator` attribute. Amazon Elastic Inference reached end of life on April, 2024. ([#42137](https://github.com/hashicorp/terraform-provider-aws/issues/42137)) - resource/aws\_launch\_template: `elastic_gpu_specifications` has been removed ([#42312](https://github.com/hashicorp/terraform-provider-aws/issues/42312)) - resource/aws\_lb\_listener: `mutual_authentication` attributes `advertise_trust_store_ca_names`, `ignore_client_certificate_expiry`, and `trust_store_arn` are only valid if `mode` is `verify` ([#42326](https://github.com/hashicorp/terraform-provider-aws/issues/42326)) - resource/aws\_lb\_target\_group: `preserve_client_ip` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_mq\_broker: `logs.audit` now only accepts one of `""` (empty string), `true`, or `false` ([#42434](https://github.com/hashicorp/terraform-provider-aws/issues/42434)) - resource/aws\_networkmanager\_core\_network: The `base_policy_region` argument has been removed. Use `base_policy_regions` instead. ([#38398](https://github.com/hashicorp/terraform-provider-aws/issues/38398)) - resource/aws\_opensearch\_domain: `kibana_endpoint` has been removed ([#42268](https://github.com/hashicorp/terraform-provider-aws/issues/42268)) - resource/aws\_opensearchserverless\_security\_config: `saml_options` is now a list nested block instead of a single nested block ([#42270](https://github.com/hashicorp/terraform-provider-aws/issues/42270)) - resource/aws\_paymentcryptography\_key: `key_attributes` and `key_attributes.key_modes_of_use` are now list nested blocks instead of single nested blocks. ([#42264](https://github.com/hashicorp/terraform-provider-aws/issues/42264)) - resource/aws\_quicksight\_data\_set: `tags_all` has been removed ([#42260](https://github.com/hashicorp/terraform-provider-aws/issues/42260)) - resource/aws\_redshift\_cluster: Attributes `cluster_public_key`, `cluster_revision_number`, and `endpoint` are now read only and should not be set ([#42119](https://github.com/hashicorp/terraform-provider-aws/issues/42119)) - resource/aws\_redshift\_cluster: The `logging` attribute has been removed ([#42013](https://github.com/hashicorp/terraform-provider-aws/issues/42013)) - resource/aws\_redshift\_cluster: The `publicly_accessible` attribute now defaults to `false` ([#41978](https://github.com/hashicorp/terraform-provider-aws/issues/41978)) - resource/aws\_redshift\_cluster: The `snapshot_copy` attribute has been removed ([#41995](https://github.com/hashicorp/terraform-provider-aws/issues/41995)) - resource/aws\_rekognition\_stream\_processor: `regions_of_interest.bounding_box` is now a list nested block instead of a single nested block ([#41380](https://github.com/hashicorp/terraform-provider-aws/issues/41380)) - resource/aws\_resiliencehub\_resiliency\_policy: `policy`, `policy.az`, `policy.hardware`, `policy.software`, and `policy.region` are now list nested blocks instead of single nested blocks ([#42297](https://github.com/hashicorp/terraform-provider-aws/issues/42297)) - resource/aws\_sagemaker\_app\_image\_config: Exactly one `code_editor_app_image_config`, `jupyter_lab_image_config`, or `kernel_gateway_image_config` block must be configured ([#42753](https://github.com/hashicorp/terraform-provider-aws/issues/42753)) - resource/aws\_sagemaker\_image\_version: `id` is now a comma-delimited string concatenating `image_name` and `version` ([#42536](https://github.com/hashicorp/terraform-provider-aws/issues/42536)) - resource/aws\_sagemaker\_notebook\_instance: Remove `accelerator_types` from your configuration—it no longer exists. Instead, use `instance_type` to use [Inferentia](https://docs.aws.amazon.com/sagemaker/latest/dg/neo-supported-cloud.html). ([#42099](https://github.com/hashicorp/terraform-provider-aws/issues/42099)) - resource/aws\_ssm\_association: Remove `instance_id` argument ([#42224](https://github.com/hashicorp/terraform-provider-aws/issues/42224)) - resource/aws\_verifiedpermissions\_schema: `definition` is now a list nested block instead of a single nested block ([#42305](https://github.com/hashicorp/terraform-provider-aws/issues/42305)) - resource/aws\_wafv2\_web\_acl: `rule.statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_bot_control_rule_set.enable_machine_learning` now defaults to `false` ([#39858](https://github.com/hashicorp/terraform-provider-aws/issues/39858)) NOTES: - data-source/aws\_cloudtrail\_service\_account: This data source is deprecated. AWS recommends using a service principal name instead of an AWS account ID in any relevant IAM policy. ([#42320](https://github.com/hashicorp/terraform-provider-aws/issues/42320)) - data-source/aws\_kms\_secret: This data source will be removed in a future version ([#42524](https://github.com/hashicorp/terraform-provider-aws/issues/42524)) - data-source/aws\_region: The `name` attribute has been deprecated. All configurations using `name` should be updated to use the `region` attribute instead ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - data-source/aws\_s3\_bucket: Add `bucket_region` attribute. Use of the `bucket_region` attribute instead of the `region` attribute is encouraged ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - data-source/aws\_servicequotas\_templates: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `aws_region` attribute instead ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - data-source/aws\_ssmincidents\_replication\_set: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `regions` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - data-source/aws\_vpc\_endpoint\_service: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `service_region` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - data-source/aws\_vpc\_peering\_connection: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `requester_region` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - provider: Support for the global S3 endpoint is deprecated, along with the `s3_us_east_1_regional_endpoint` argument. The ability to use the global S3 endpoint will be removed in `v7.0.0`. ([#42375](https://github.com/hashicorp/terraform-provider-aws/issues/42375)) - resource/aws\_cloudformation\_stack\_set\_instance: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `stack_set_instance_region` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - resource/aws\_codeconnections\_host: Deprecates `id` in favor of `arn` ([#42232](https://github.com/hashicorp/terraform-provider-aws/issues/42232)) - resource/aws\_config\_aggregate\_authorization: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `authorized_aws_region` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - resource/aws\_dx\_hosted\_connection: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `connection_region` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - resource/aws\_elasticache\_replication\_group: The ability to provide an uppercase `engine` value is deprecated ([#42419](https://github.com/hashicorp/terraform-provider-aws/issues/42419)) - resource/aws\_elasticache\_user: The ability to provide an uppercase `engine` value is deprecated ([#42419](https://github.com/hashicorp/terraform-provider-aws/issues/42419)) - resource/aws\_elasticache\_user\_group: The ability to provide an uppercase `engine` value is deprecated ([#42419](https://github.com/hashicorp/terraform-provider-aws/issues/42419)) - resource/aws\_elastictranscoder\_pipeline: This resource is deprecated. Use [AWS Elemental MediaConvert](https://aws.amazon.com/blogs/media/migrating-workflows-from-amazon-elastic-transcoder-to-aws-elemental-mediaconvert/) instead. ([#42313](https://github.com/hashicorp/terraform-provider-aws/issues/42313)) - resource/aws\_elastictranscoder\_preset: This resource is deprecated. Use [AWS Elemental MediaConvert](https://aws.amazon.com/blogs/media/migrating-workflows-from-amazon-elastic-transcoder-to-aws-elemental-mediaconvert/) instead. ([#42313](https://github.com/hashicorp/terraform-provider-aws/issues/42313)) - resource/aws\_evidently\_feature: This resource is deprecated. Use [AWS AppConfig feature flags](https://aws.amazon.com/blogs/mt/using-aws-appconfig-feature-flags/) instead. ([#42227](https://github.com/hashicorp/terraform-provider-aws/issues/42227)) - resource/aws\_evidently\_launch: This resource is deprecated. Use [AWS AppConfig feature flags](https://aws.amazon.com/blogs/mt/using-aws-appconfig-feature-flags/) instead. ([#42227](https://github.com/hashicorp/terraform-provider-aws/issues/42227)) - resource/aws\_evidently\_project: This resource is deprecated. Use [AWS AppConfig feature flags](https://aws.amazon.com/blogs/mt/using-aws-appconfig-feature-flags/) instead. ([#42227](https://github.com/hashicorp/terraform-provider-aws/issues/42227)) - resource/aws\_evidently\_segment: This resource is deprecated. Use [AWS AppConfig feature flags](https://aws.amazon.com/blogs/mt/using-aws-appconfig-feature-flags/) instead. ([#42227](https://github.com/hashicorp/terraform-provider-aws/issues/42227)) - resource/aws\_guardduty\_organization\_configuration: `datasources` now returns a deprecation warning ([#42251](https://github.com/hashicorp/terraform-provider-aws/issues/42251)) - resource/aws\_kinesis\_analytics\_application: Effective January 27, 2026, AWS will no longer support Kinesis Data Analytics for SQL. This resource is deprecated and will be removed in a future version. Use the `aws_kinesisanalyticsv2_application` resource instead ([#42102](https://github.com/hashicorp/terraform-provider-aws/issues/42102)) - resource/aws\_media\_store\_container: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. ([#42265](https://github.com/hashicorp/terraform-provider-aws/issues/42265)) - resource/aws\_media\_store\_container\_policy: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. ([#42265](https://github.com/hashicorp/terraform-provider-aws/issues/42265)) - resource/aws\_redshift\_cluster: The default value of `encrypted` is now `true` to match the AWS API. ([#42631](https://github.com/hashicorp/terraform-provider-aws/issues/42631)) - resource/aws\_s3\_bucket: Add `bucket_region` attribute. Use of the `bucket_region` attribute instead of the `region` attribute is encouraged ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - resource/aws\_service\_discovery\_service: `health_check_custom_config.failure_threshold` is deprecated. The argument is no longer supported by AWS and is always set to 1 ([#40777](https://github.com/hashicorp/terraform-provider-aws/issues/40777)) - resource/aws\_servicequotas\_template: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `aws_region` attribute instead ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - resource/aws\_ssmincidents\_replication\_set: The `region` attribute has been deprecated. All configurations using `region` should be updated to use the `regions` attribute instead ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) ENHANCEMENTS: - data-source/aws\_ami: Add `allow_unsafe_filter` argument ([#42114](https://github.com/hashicorp/terraform-provider-aws/issues/42114)) - data-source/aws\_availability\_zone: Add `group_long_name` attribute ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - data-source/aws\_availability\_zone: Mark `region` as Optional, allowing a value to be configured ([#42014](https://github.com/hashicorp/terraform-provider-aws/issues/42014)) - resource/aws\_auditmanager\_assessment: Add plan-time validation of `roles.role_arn` and `roles.role_type` ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - provider: Add enhanced `region` support to most resources, data sources, and ephemeral resources, allowing per-resource Region targeting without requiring multiple provider configurations. See the [Enhanced Region Support guide](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/enhanced-region-support) for more information. ([#43075](https://github.com/hashicorp/terraform-provider-aws/issues/43075)) - resource/aws\_auditmanager\_control: Add plan-time validation of `control_mapping_sources.source_frequency`, `control_mapping_sources.source_set_up_option`, and `control_mapping_sources.source_type` ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - resource/aws\_auditmanager\_framework\_share: Add plan-time validation of `destination_account` ([#42741](https://github.com/hashicorp/terraform-provider-aws/issues/42741)) - resource/aws\_auditmanager\_organization\_admin\_account\_registration: Add plan-time validation of `admin_account_id` ([#42741](https://github.com/hashicorp/terraform-provider-aws/issues/42741)) - resource/aws\_cognito\_user\_in\_group: Add import support ([#34082](https://github.com/hashicorp/terraform-provider-aws/issues/34082)) - resource/aws\_ecs\_service: Add `arn` attribute ([#42733](https://github.com/hashicorp/terraform-provider-aws/issues/42733)) - resource/aws\_guardduty\_detector: Adds validation to `finding_publishing_frequency`. ([#42436](https://github.com/hashicorp/terraform-provider-aws/issues/42436)) - resource/aws\_lb\_listener: `mutual_authentication` attribute `trust_store_arn` is required if `mode` is `verify` ([#42326](https://github.com/hashicorp/terraform-provider-aws/issues/42326)) - resource/aws\_quicksight\_iam\_policy\_assignment: Add plan-time validation of `policy_arn` ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - resource/aws\_sagemaker\_image\_version: Add `aliases` argument ([#42610](https://github.com/hashicorp/terraform-provider-aws/issues/42610)) - resource/aws\_securitylake\_subscriber: Add plan-time validation of `access_type` `source.aws_log_source_resource.source_name`, and `subscriber_identity.external_id` ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) BUG FIXES: - resource/aws\_auditmanager\_control: Fix `Provider produced inconsistent result after apply` errors ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) - resource/aws\_redshift\_cluster: Fixes permanent diff when `encrypted` is not explicitly set to `true`. ([#42631](https://github.com/hashicorp/terraform-provider-aws/issues/42631)) - resource/aws\_rekognition\_stream\_processor: Fix `regions_of_interest.bounding_box` and `regions_of_interest.polygon` argument validation ([#41380](https://github.com/hashicorp/terraform-provider-aws/issues/41380)) - resource/aws\_sagemaker\_image\_version: Read the correct image version after creation rather than always fetching the latest ([#42536](https://github.com/hashicorp/terraform-provider-aws/issues/42536)) - resource/aws\_securitylake\_subscriber: Change `access_type` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#42131](https://github.com/hashicorp/terraform-provider-aws/issues/42131)) ### [`v5.100.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.100.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.99.1...v5.100.0) NOTES: - resource/aws\_route53\_vpc\_association\_authorization: Because we cannot easily replicate the highly concurrent environments in which these errors have been observed, this fix is best effort and we ask for community help in verifying the reported issues are resolved by this change ([#42948](https://github.com/hashicorp/terraform-provider-aws/issues/42948)) FEATURES: - **New Resource:** `aws_dsql_cluster` ([#41868](https://github.com/hashicorp/terraform-provider-aws/issues/41868)) - **New Resource:** `aws_dsql_cluster_peering` ([#41868](https://github.com/hashicorp/terraform-provider-aws/issues/41868)) - **New Resource:** `aws_prometheus_workspace_configuration` ([#42478](https://github.com/hashicorp/terraform-provider-aws/issues/42478)) - **New Resource:** `aws_s3control_directory_bucket_access_point_scope` ([#42338](https://github.com/hashicorp/terraform-provider-aws/issues/42338)) - **New Resource:** `aws_vpc_route_server` ([#42392](https://github.com/hashicorp/terraform-provider-aws/issues/42392)) - **New Resource:** `aws_vpc_route_server_endpoint` ([#42392](https://github.com/hashicorp/terraform-provider-aws/issues/42392)) - **New Resource:** `aws_vpc_route_server_peer` ([#42392](https://github.com/hashicorp/terraform-provider-aws/issues/42392)) - **New Resource:** `aws_vpc_route_server_propagation` ([#42392](https://github.com/hashicorp/terraform-provider-aws/issues/42392)) - **New Resource:** `aws_vpc_route_server_vpc_association` ([#42392](https://github.com/hashicorp/terraform-provider-aws/issues/42392)) - **New Resource:** `aws_workspacesweb_data_protection_settings` ([#42852](https://github.com/hashicorp/terraform-provider-aws/issues/42852)) - **New Resource:** `aws_workspacesweb_ip_access_settings` ([#42863](https://github.com/hashicorp/terraform-provider-aws/issues/42863)) - **New Resource:** `aws_workspacesweb_user_access_logging_settings` ([#42868](https://github.com/hashicorp/terraform-provider-aws/issues/42868)) ENHANCEMENTS: - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `ap-east-2` AWS Region ([#42915](https://github.com/hashicorp/terraform-provider-aws/issues/42915)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `ap-east-2` AWS Region ([#42915](https://github.com/hashicorp/terraform-provider-aws/issues/42915)) - data-source/aws\_neptune\_engine\_version: Add several arguments and attributes to support dynamic selection of versions including `latest`, `has_major_target`, `preferred_major_targets`, and `preferred_upgrade_targets` ([#42854](https://github.com/hashicorp/terraform-provider-aws/issues/42854)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `ap-east-2` AWS Region ([#42915](https://github.com/hashicorp/terraform-provider-aws/issues/42915)) - provider: Support `ap-east-2` as a valid AWS Region ([#42906](https://github.com/hashicorp/terraform-provider-aws/issues/42906)) - resource/aws\_fsx\_lustre\_file\_system: Add `data_read_cache_configuration` and `throughput_capacity` arguments in support of the [Intelligent-Tiering storage class](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#how-INT-tiering-works) ([#42839](https://github.com/hashicorp/terraform-provider-aws/issues/42839)) - resource/aws\_pinpointsmsvoicev2\_phone\_number: Add `two_way_channel_role` argument ([#42950](https://github.com/hashicorp/terraform-provider-aws/issues/42950)) - resource/aws\_route53\_vpc\_association\_authorization: Add configurable timeouts for create, read, and delete ([#42948](https://github.com/hashicorp/terraform-provider-aws/issues/42948)) - resource/aws\_s3\_access\_point: Add support for S3 Directory Buckets ([#42338](https://github.com/hashicorp/terraform-provider-aws/issues/42338)) - resource/aws\_s3control\_access\_point\_policy: Add support for S3 Directory Buckets ([#42338](https://github.com/hashicorp/terraform-provider-aws/issues/42338)) - resource/aws\_vpn\_connection: Add `preshared_key_storage` argument and `preshared_key_arn` attribute ([#42819](https://github.com/hashicorp/terraform-provider-aws/issues/42819)) - resource/aws\_wafv2\_rule\_group: Add `statement.asn_match_statement` configuration block ([#42965](https://github.com/hashicorp/terraform-provider-aws/issues/42965)) - resource/aws\_wafv2\_web\_acl: Add `statement.asn_match_statement` configuration block ([#42965](https://github.com/hashicorp/terraform-provider-aws/issues/42965)) BUG FIXES: - resource/aws\_cloudfrontkeyvaluestore\_keys\_exclusive: Batch update operations to stay under the Key Value Store Service Quota. The `max_batch_size` argument can be used to override the default value of `50` items. ([#42795](https://github.com/hashicorp/terraform-provider-aws/issues/42795)) - resource/aws\_cloudwatch\_log\_destination: Fix to return the first matched destination name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_cloudwatch\_log\_group: Fix to return the first matched group name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_cloudwatch\_log\_metric\_filter: Fix to return the first matched filter name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_cloudwatch\_log\_query\_definition: Fix to return the first matched query definition ID during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_cloudwatch\_log\_resource\_policy: Fix to return the first matched policy name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_cloudwatch\_log\_subscription\_filter: Fix to return the first matched filter name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42896](https://github.com/hashicorp/terraform-provider-aws/issues/42896)) - resource/aws\_dynamodb\_table: Set new computed value for `stream_arn` attribute when changing `stream_view_type` ([#42561](https://github.com/hashicorp/terraform-provider-aws/issues/42561)) - resource/aws\_neptune\_cluster: Enable minor and major version upgrades by fixing various issues preventing them ([#42854](https://github.com/hashicorp/terraform-provider-aws/issues/42854)) - resource/aws\_neptune\_global\_cluster: Enable minor and major version upgrades by fixing various issues preventing them ([#42854](https://github.com/hashicorp/terraform-provider-aws/issues/42854)) - resource/aws\_route53\_vpc\_association\_authorization: Retry `InvalidPaginationToken` errors on read ([#42948](https://github.com/hashicorp/terraform-provider-aws/issues/42948)) - resource/aws\_verifiedaccess\_endpoint: Fix `InvalidParameterValue: The value of loadBalancerOptions.port you provided is not valid` errors when creating TCP load balancer endpoints ([#42736](https://github.com/hashicorp/terraform-provider-aws/issues/42736)) - resource/aws\_vpc\_endpoint\_subnet\_association: Fix `OperationInProgress: VpcEndpoint modify operation in progress` errors when deleting multiple associations in parallel ([#42884](https://github.com/hashicorp/terraform-provider-aws/issues/42884)) ### [`v5.99.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.99.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.99.0...v5.99.1) BUG FIXES: - resource/aws\_fms\_admin\_account: Fix `panic: runtime error: invalid memory address or nil pointer dereference` ([#42813](https://github.com/hashicorp/terraform-provider-aws/issues/42813)) - resource/aws\_lb: Ignore `InvalidAction` exceptions for `DescribeCapacityReservation` operations. This fixes a regression introduced in [v5.99.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5990-may-29-2025) ([#42812](https://github.com/hashicorp/terraform-provider-aws/issues/42812)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Correctly handles switching child attributes of `rule.filter`. ([#42655](https://github.com/hashicorp/terraform-provider-aws/issues/42655)) ### [`v5.99.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.99.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.98.0...v5.99.0) FEATURES: - **New Resource:** `aws_notifications_channel_association` ([#42575](https://github.com/hashicorp/terraform-provider-aws/issues/42575)) - **New Resource:** `aws_notifications_event_rule` ([#42575](https://github.com/hashicorp/terraform-provider-aws/issues/42575)) - **New Resource:** `aws_notifications_notification_configuration` ([#42575](https://github.com/hashicorp/terraform-provider-aws/issues/42575)) - **New Resource:** `aws_notifications_notification_hub` ([#42544](https://github.com/hashicorp/terraform-provider-aws/issues/42544)) - **New Resource:** `aws_notificationscontacts_email_contact` ([#42575](https://github.com/hashicorp/terraform-provider-aws/issues/42575)) - **New Resource:** `aws_quicksight_account_settings` ([#42185](https://github.com/hashicorp/terraform-provider-aws/issues/42185)) - **New Resource:** `aws_workspacesweb_browser_settings` ([#42681](https://github.com/hashicorp/terraform-provider-aws/issues/42681)) - **New Resource:** `aws_workspacesweb_network_settings` ([#42722](https://github.com/hashicorp/terraform-provider-aws/issues/42722)) - **New Resource:** `aws_workspacesweb_user_settings` ([#42783](https://github.com/hashicorp/terraform-provider-aws/issues/42783)) ENHANCEMENTS: - data-source/aws\_ami: Add `block_device_mappings.ebs["volume_initialization_rate"]` attribute ([#42684](https://github.com/hashicorp/terraform-provider-aws/issues/42684)) - data-source/aws\_launch\_template: Add `block_device_mappings.ebs.volume_initialization_rate` attribute ([#42684](https://github.com/hashicorp/terraform-provider-aws/issues/42684)) - data-source/aws\_verifiedpermissions\_policy\_store: Add `tags` attribute. This functionality requires the `verifiedpermissions:ListTagsForResource` IAM permission ([#42663](https://github.com/hashicorp/terraform-provider-aws/issues/42663)) - resource/aws\_ecs\_service: Add `volume_configuration.managed_ebs_volume.volume_initialization_rate` argument ([#42750](https://github.com/hashicorp/terraform-provider-aws/issues/42750)) - resource/aws\_launch\_template: Add `block_device_mappings.ebs.volume_initialization_rate` argument ([#42684](https://github.com/hashicorp/terraform-provider-aws/issues/42684)) - resource/aws\_lb: Add `minimum_load_balancer_capacity` configuration block. This functionality requires the `elasticloadbalancing:DescribeCapacityReservations` and `elasticloadbalancing:ModifyCapacityReservation` IAM permissions ([#42685](https://github.com/hashicorp/terraform-provider-aws/issues/42685)) - resource/aws\_organizations\_account: Allow `name` to be updated in-place. This functionality requires the `account:PutAccountName` IAM permission ([#42350](https://github.com/hashicorp/terraform-provider-aws/issues/42350)) - resource/aws\_securityhub\_standards\_subscription: Add configurable Create and Delete timeouts ([#42759](https://github.com/hashicorp/terraform-provider-aws/issues/42759)) - resource/aws\_verifiedpermissions\_policy\_store: Add `tags` argument and `tags_all` attribute. This functionality requires the `verifiedpermissions:ListTagsForResource`, `verifiedpermissions:TagResource`, and `verifiedpermissions:UntagResource` IAM permissions ([#42663](https://github.com/hashicorp/terraform-provider-aws/issues/42663)) BUG FIXES: - data-source/aws\_ecr\_repository\_creation\_template: `prefix` can now be up to 256 characters ([#42723](https://github.com/hashicorp/terraform-provider-aws/issues/42723)) - resource/aws\_cloudwatch\_log\_stream: Fix to return the first matched stream name during the read operation. This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#42719](https://github.com/hashicorp/terraform-provider-aws/issues/42719)) - resource/aws\_cognitoidp\_user\_pool: Fix crash when the `user_pool_add_ons.advanced_security_additional_flows` block is non-empty, but contains only a single `nil` value. ([#42793](https://github.com/hashicorp/terraform-provider-aws/issues/42793)) - resource/aws\_ecr\_repository\_creation\_template: `prefix` can now be up to 256 characters ([#42723](https://github.com/hashicorp/terraform-provider-aws/issues/42723)) - resource/aws\_elasticache\_replication\_group: Fix crash during read operations where configuration endpoint and node groups are nil and empty, respectively ([#42726](https://github.com/hashicorp/terraform-provider-aws/issues/42726)) - resource/aws\_s3\_bucket: Ensure that `HeadBucket` S3 API calls are made using configured credentials. This fixes a regression introduced in [v5.98.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5980-may-15-2025) ([#42786](https://github.com/hashicorp/terraform-provider-aws/issues/42786)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: No longer returns warning on empty `rule.filter`. ([#42624](https://github.com/hashicorp/terraform-provider-aws/issues/42624)) - resource/aws\_vpc\_endpoint: Fix issue where `dns_options` were not being updated correctly when `private_dns_enabled` was set to true ([#42746](https://github.com/hashicorp/terraform-provider-aws/issues/42746)) ### [`v5.98.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.98.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.97.0...v5.98.0) FEATURES: - **New Data Source:** `aws_account_primary_contact` ([#42526](https://github.com/hashicorp/terraform-provider-aws/issues/42526)) - **New Data Source:** `aws_dynamodb_tables` ([#42339](https://github.com/hashicorp/terraform-provider-aws/issues/42339)) - **New Resource:** `aws_bedrockagent_prompt` ([#42211](https://github.com/hashicorp/terraform-provider-aws/issues/42211)) - **New Resource:** `aws_cloudfrontkeyvaluestore_keys_exclusive` ([#42246](https://github.com/hashicorp/terraform-provider-aws/issues/42246)) - **New Resource:** `aws_dataexchange_revision_assets` ([#42272](https://github.com/hashicorp/terraform-provider-aws/issues/42272)) - **New Resource:** `aws_inspector2_filter` ([#42374](https://github.com/hashicorp/terraform-provider-aws/issues/42374)) - **New Resource:** `aws_wafv2_api_key` ([#42525](https://github.com/hashicorp/terraform-provider-aws/issues/42525)) ENHANCEMENTS: - data-source/aws\_cloudwatch\_event\_bus: Add `dead_letter_config` attribute ([#42471](https://github.com/hashicorp/terraform-provider-aws/issues/42471)) - data-source/aws\_cloudwatch\_event\_connection: Add `kms_key_identifier` attribute ([#42385](https://github.com/hashicorp/terraform-provider-aws/issues/42385)) - data-source/aws\_cognito\_user\_pool\_client: Add `refresh_token_rotation` attribute ([#42430](https://github.com/hashicorp/terraform-provider-aws/issues/42430)) - data-source/aws\_cognitoidp\_user\_pool: Add `user_pool_add_ons` attribute ([#42470](https://github.com/hashicorp/terraform-provider-aws/issues/42470)) - data-source/aws\_dynamodb\_table: Add `point_in_time_recovery.recovery_period_in_days` attribute ([#41484](https://github.com/hashicorp/terraform-provider-aws/issues/41484)) - data-source/aws\_ec2\_client\_vpn\_endpoint: Add `client_route_enforcement_options` attribute ([#42424](https://github.com/hashicorp/terraform-provider-aws/issues/42424)) - data-source/aws\_imagebuilder\_distribution\_configuration: Add `distribution.ssm_parameter_configuration` attribute ([#42604](https://github.com/hashicorp/terraform-provider-aws/issues/42604)) - data-source/aws\_redshiftserverless\_workgroup: Add `track_name` attribute ([#42451](https://github.com/hashicorp/terraform-provider-aws/issues/42451)) - data-source/aws\_workspaces\_directory: Add `active_directory_config`, `user_identity_type`, `workspace_directory_description`, `workspace_directory_name`, and `workspace_type` attributes ([#42330](https://github.com/hashicorp/terraform-provider-aws/issues/42330)) - resource/aws\_appflow\_flow: Add `destination_flow_config.destination_connector_properties.salesforce.data_transfer_api` argument ([#42479](https://github.com/hashicorp/terraform-provider-aws/issues/42479)) - resource/aws\_autoscaling\_group: Add `capacity_reservation_specification` argument ([#42380](https://github.com/hashicorp/terraform-provider-aws/issues/42380)) - resource/aws\_bedrockagent\_agent: Add `prepared_at` attribute. ([#42586](https://github.com/hashicorp/terraform-provider-aws/issues/42586)) - resource/aws\_bedrockagent\_agent: Increase `instruction` max length for validation to 20000 ([#42596](https://github.com/hashicorp/terraform-provider-aws/issues/42596)) - resource/aws\_cloudwatch\_event\_bus: Add `dead_letter_config` argument ([#42471](https://github.com/hashicorp/terraform-provider-aws/issues/42471)) - resource/aws\_cloudwatch\_event\_connection: Add `kms_key_identifier` argument ([#42385](https://github.com/hashicorp/terraform-provider-aws/issues/42385)) - resource/aws\_cognito\_managed\_user\_pool\_client: Add `refresh_token_rotation` argument ([#42430](https://github.com/hashicorp/terraform-provider-aws/issues/42430)) - resource/aws\_cognito\_user\_pool\_client: Add `refresh_token_rotation` argument ([#42430](https://github.com/hashicorp/terraform-provider-aws/issues/42430)) - resource/aws\_cognitoidp\_user\_pool: Add `user_pool_add_ons.advanced_security_additional_flows` argument ([#42470](https://github.com/hashicorp/terraform-provider-aws/issues/42470)) - resource/aws\_docdb\_cluster: Add `manage_master_user_password` argument and `master_user_secret` attribute ([#42563](https://github.com/hashicorp/terraform-provider-aws/issues/42563)) - resource/aws\_dynamodb\_table: Add `point_in_time_recovery.recovery_period_in_days` argument ([#41484](https://github.com/hashicorp/terraform-provider-aws/issues/41484)) - resource/aws\_ec2\_client\_vpn\_endpoint: Add `client_route_enforcement_options` argument ([#42424](https://github.com/hashicorp/terraform-provider-aws/issues/42424)) - resource/aws\_ecs\_account\_setting\_default: Add support for `defaultLogDriverMode` value in `Name` argument ([#42418](https://github.com/hashicorp/terraform-provider-aws/issues/42418)) - resource/aws\_imagebuilder\_distribution\_configuration: Add `distribution.ssm_parameter_configuration` argument ([#42604](https://github.com/hashicorp/terraform-provider-aws/issues/42604)) - resource/aws\_iot\_domain\_configuration: Add `application_protocol` and `authentication_type` arguments ([#42534](https://github.com/hashicorp/terraform-provider-aws/issues/42534)) - resource/aws\_msk\_serverless\_cluster: Add `bootstrap_brokers_sasl_iam` attribute. This functionality requires the `kafka:GetBootstrapBrokers` IAM permission ([#42148](https://github.com/hashicorp/terraform-provider-aws/issues/42148)) - resource/aws\_redshiftserverless\_workgroup: Add `track_name` argument ([#42451](https://github.com/hashicorp/terraform-provider-aws/issues/42451)) - resource/aws\_rum\_app\_monitor: Add `domain_list` argument ([#42456](https://github.com/hashicorp/terraform-provider-aws/issues/42456)) - resource/aws\_rum\_app\_monitor: Mark `domain` as Optional ([#42456](https://github.com/hashicorp/terraform-provider-aws/issues/42456)) - resource/aws\_s3tables\_table: Add `encryption_configuration` argument. This functionality requires the `s3tables:GetTableEncryption` IAM permission ([#42356](https://github.com/hashicorp/terraform-provider-aws/issues/42356)) - resource/aws\_s3tables\_table\_bucket: Add `encryption_configuration` argument. This functionality requires the `s3tables:GetTableBucketEncryption` IAM permission ([#42356](https://github.com/hashicorp/terraform-provider-aws/issues/42356)) - resource/aws\_securityhub\_finding\_aggregator: Support `NO_REGIONS` as a valid value for `linking_mode` ([#42574](https://github.com/hashicorp/terraform-provider-aws/issues/42574)) - resource/aws\_sns\_topic: Add `fifo_throughput_scope` argument ([#42508](https://github.com/hashicorp/terraform-provider-aws/issues/42508)) - resource/aws\_wafv2\_rule\_group: Add `uri_fragment` to `field_to_match` configuration blocks ([#42407](https://github.com/hashicorp/terraform-provider-aws/issues/42407)) - resource/aws\_wafv2\_web\_acl: Add `data_protection_config` argument ([#42404](https://github.com/hashicorp/terraform-provider-aws/issues/42404)) - resource/aws\_wafv2\_web\_acl: Add `uri_fragment` to `field_to_match` configuration blocks ([#42407](https://github.com/hashicorp/terraform-provider-aws/issues/42407)) - resource/aws\_workspaces\_directory: Add `active_directory_config`, `user_identity_type`, `workspace_directory_description`, `workspace_directory_name`, and `workspace_type` arguments in support of [WorkSpaces Pools](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-pools-directory.html) ([#42330](https://github.com/hashicorp/terraform-provider-aws/issues/42330)) - resource/aws\_workspaces\_directory: Mark `directory_id` as Optional ([#42330](https://github.com/hashicorp/terraform-provider-aws/issues/42330)) BUG FIXES: - aws\_sagemaker\_mlflow\_tracking\_server: Fix `ValidationException: The provided MLflow version is not supported` errors ([#42435](https://github.com/hashicorp/terraform-provider-aws/issues/42435)) - data-source/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.policy_variables` configuration block ([#42473](https://github.com/hashicorp/terraform-provider-aws/issues/42473)) - resource/aws\_bedrockagent\_agent\_alias: Stop using state for unknown on `routing_configuration` so we only send it on update when explicility configured. This allows updates to aliases to create new versions. ([#42603](https://github.com/hashicorp/terraform-provider-aws/issues/42603)) - resource/aws\_cloudwatch\_metric\_alarm: Support `20` as a valid value for `metric_query.metric.period`, `metric_query.period`, and `period` ([#42390](https://github.com/hashicorp/terraform-provider-aws/issues/42390)) - resource/aws\_controltower\_control: Fix handling `ResourceNotFound` exceptions during delete ([#42494](https://github.com/hashicorp/terraform-provider-aws/issues/42494)) - resource/aws\_controltower\_control: Fix handling of `parameters` block removal ([#42494](https://github.com/hashicorp/terraform-provider-aws/issues/42494)) - resource/aws\_ec2\_network\_insights\_path: Fix failure when `filter_at_source.source_address` is unspecified. ([#42369](https://github.com/hashicorp/terraform-provider-aws/issues/42369)) - resource/aws\_instance: Fix `InvalidNetworkInterface.InUse` errors on Create ([#42623](https://github.com/hashicorp/terraform-provider-aws/issues/42623)) - resource/aws\_lb\_listener: Don't send zero value (`false`, `0` or `""`) for unconfigured listener attributes on Create ([#41846](https://github.com/hashicorp/terraform-provider-aws/issues/41846)) - resource/aws\_rds\_cluster\_parameter\_group: Fix `InvalidParameterValue: collation_server '..' is not valid for character_set '...'` errors on Create ([#42559](https://github.com/hashicorp/terraform-provider-aws/issues/42559)) ### [`v5.97.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.97.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.96.0...v5.97.0) FEATURES: - **New Resource:** `aws_ec2_default_credit_specification` ([#42345](https://github.com/hashicorp/terraform-provider-aws/issues/42345)) ENHANCEMENTS: - data-source/aws\_glue\_connection: Support `athena_properties` attribute ([#42262](https://github.com/hashicorp/terraform-provider-aws/issues/42262)) - data-source/aws\_imagebuilder\_infrastructure\_configuration: Add `placement` attribute ([#42347](https://github.com/hashicorp/terraform-provider-aws/issues/42347)) - data-source/aws\_networkfirewall\_firewall: Add `enabled_analysis_types` attribute ([#42160](https://github.com/hashicorp/terraform-provider-aws/issues/42160)) - data-source/aws\_workspaces\_directory: Add `certificate_based_auth_properties` attribute ([#42269](https://github.com/hashicorp/terraform-provider-aws/issues/42269)) - resource/aws\_accessanalyzer\_analyzer: Add `configuration.unused_access.analysis_rule` argument ([#42332](https://github.com/hashicorp/terraform-provider-aws/issues/42332)) - resource/aws\_fis\_experiment\_template: Add support for `ManagedResources` to `action.*.target` ([#42376](https://github.com/hashicorp/terraform-provider-aws/issues/42376)) - resource/aws\_glue\_connection: Add `athena_properties` argument and allow `DYNAMODB` connection type. ([#42262](https://github.com/hashicorp/terraform-provider-aws/issues/42262)) - resource/aws\_glue\_connection: Support `DYNAMODB` as a valid value for `connection_type` ([#42262](https://github.com/hashicorp/terraform-provider-aws/issues/42262)) - resource/aws\_imagebuilder\_infrastructure\_configuration: Add `placement` argument ([#42347](https://github.com/hashicorp/terraform-provider-aws/issues/42347)) - resource/aws\_networkfirewall\_firewall: Add `enabled_analysis_types` argument ([#42160](https://github.com/hashicorp/terraform-provider-aws/issues/42160)) - resource/aws\_workspaces\_directory: Add `certificate_based_auth_properties` configuration block ([#42269](https://github.com/hashicorp/terraform-provider-aws/issues/42269)) BUG FIXES: - resource/aws\_vpclattice\_listener\_rule: Prevents error when setting `listener_identifier` to ARN. ([#42215](https://github.com/hashicorp/terraform-provider-aws/issues/42215)) - resource/aws\_vpclattice\_listener\_rule: Prevents error when setting `service_identifier` to ARN. ([#42215](https://github.com/hashicorp/terraform-provider-aws/issues/42215)) - resource/aws\_vpclattice\_listener\_rule: Requires `match.http_match`. ([#42215](https://github.com/hashicorp/terraform-provider-aws/issues/42215)) - resource/aws\_vpclattice\_listener\_rule: Requires exactly one of `action.fixed_response` or `action.forward`. ([#42215](https://github.com/hashicorp/terraform-provider-aws/issues/42215)) ### [`v5.96.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.96.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.95.0...v5.96.0) FEATURES: - **New Data Source:** `aws_fis_experiment_templates` ([#37060](https://github.com/hashicorp/terraform-provider-aws/issues/37060)) - **New Data Source:** `aws_vpc_endpoint_associations` ([#41918](https://github.com/hashicorp/terraform-provider-aws/issues/41918)) ENHANCEMENTS: - data-source/aws\_api\_gateway\_domain\_name: Add `endpoint_configuration.ip_address_type` attribute ([#42146](https://github.com/hashicorp/terraform-provider-aws/issues/42146)) - data-source/aws\_api\_gateway\_rest\_api: Add `endpoint_configuration.ip_address_type` attribute ([#42146](https://github.com/hashicorp/terraform-provider-aws/issues/42146)) - data-source/aws\_apigatewayv2\_api: Add `ip_address_type` attribute ([#42145](https://github.com/hashicorp/terraform-provider-aws/issues/42145)) - data-source/aws\_dms\_endpoint: Add `kinesis_settings.use_large_integer_value` attribute ([#42300](https://github.com/hashicorp/terraform-provider-aws/issues/42300)) - data-source/aws\_guardduty\_detector: Add `arn` attribute ([#42344](https://github.com/hashicorp/terraform-provider-aws/issues/42344)) - data-source/aws\_guardduty\_detector: Add `tags` attribute ([#42344](https://github.com/hashicorp/terraform-provider-aws/issues/42344)) - resource/aws\_api\_gateway\_domain\_name: Add `endpoint_configuration.ip_address_type` argument to support dual-stack (IPv4 and IPv6) endpoints ([#42146](https://github.com/hashicorp/terraform-provider-aws/issues/42146)) - resource/aws\_api\_gateway\_rest\_api: Add `endpoint_configuration.ip_address_type` argument to support dual-stack (IPv4 and IPv6) endpoints ([#42146](https://github.com/hashicorp/terraform-provider-aws/issues/42146)) - resource/aws\_apigatewayv2\_api: Add `ip_address_type` argument to support dual-stack (IPv4 and IPv6) endpoints ([#42145](https://github.com/hashicorp/terraform-provider-aws/issues/42145)) - resource/aws\_apigatewayv2\_domain\_name: Add `domain_name_configuration.ip_address_type` argument to support dual-stack (IPv4 and IPv6) endpoints ([#42145](https://github.com/hashicorp/terraform-provider-aws/issues/42145)) - resource/aws\_dms\_endpoint: Add `kinesis_settings.use_large_integer_value` argument ([#42300](https://github.com/hashicorp/terraform-provider-aws/issues/42300)) - resource/aws\_fis\_experiment\_template: Add `experiment_report_configuration` argument ([#41120](https://github.com/hashicorp/terraform-provider-aws/issues/41120)) BUG FIXES: - resource/aws\_elasticache\_replication\_group: Fix `malformed version` error when parsing 7.x redis engine versions ([#42346](https://github.com/hashicorp/terraform-provider-aws/issues/42346)) - resource/aws\_iam\_user: Retry `ConcurrentModificationException`s during user creation ([#42081](https://github.com/hashicorp/terraform-provider-aws/issues/42081)) - resource/aws\_rds\_cluster: Fix `InvalidParameterValue: SecondsUntilAutoPause can only be specified when minimum capacity is 0` errors when removing `serverlessv2_scaling_configuration.seconds_until_auto_pause` ([#41180](https://github.com/hashicorp/terraform-provider-aws/issues/41180)) ### [`v5.95.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.95.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.94.1...v5.95.0) NOTES: - resource/aws\_api\_gateway\_deployment: Computed attributes `invoke_url` and `execution_arn` are deprecated. Use the `invoke_url` and `execution_arn` attributes of the `aws_api_gateway_stage` resource instead. ([#42244](https://github.com/hashicorp/terraform-provider-aws/issues/42244)) FEATURES: - **New Resource:** `aws_redshift_integration` ([#42105](https://github.com/hashicorp/terraform-provider-aws/issues/42105)) ENHANCEMENTS: - data-source/aws\_ec2\_network\_insights\_path: Support `filter_at_destination` and `filter_at_source` attributes ([#42214](https://github.com/hashicorp/terraform-provider-aws/issues/42214)) - resource/aws\_amplify\_app: Add `compute_role_arn` argument ([#41650](https://github.com/hashicorp/terraform-provider-aws/issues/41650)) - resource/aws\_codebuild\_webhook: Add `manual_creation` argument ([#40155](https://github.com/hashicorp/terraform-provider-aws/issues/40155)) - resource/aws\_cognito\_user\_pool\_domain: Add `managed_login_version` argument ([#40855](https://github.com/hashicorp/terraform-provider-aws/issues/40855)) - resource/aws\_ec2\_network\_insights\_path: Add `filter_at_destination` and `filter_at_source` configuration blocks ([#42214](https://github.com/hashicorp/terraform-provider-aws/issues/42214)) - resource/aws\_eks\_cluster: Add `force_update_version` argument ([#42134](https://github.com/hashicorp/terraform-provider-aws/issues/42134)) - resource/aws\_prometheus\_scraper: Allow `alias`, `destination`, `role_configuration`, and `scrape_configuration` to be updated in-place ([#42109](https://github.com/hashicorp/terraform-provider-aws/issues/42109)) - resource/aws\_redshiftserverless\_workgroup: Add `price_performance_target` argument ([#40946](https://github.com/hashicorp/terraform-provider-aws/issues/40946)) - resource/aws\_sagemaker\_image\_version: Add `horovod`, `job_type`, `ml_framework`, `processor`, `programming_lang`, `release_notes`, and `vendor_guidance` arguments ([#42143](https://github.com/hashicorp/terraform-provider-aws/issues/42143)) - resource/aws\_sagemaker\_notebook\_lifecycle\_configuration: Add `tags` argument and `tags_all` attribute ([#42141](https://github.com/hashicorp/terraform-provider-aws/issues/42141)) - resource/aws\_transfer\_server: Add `TransferSecurityPolicy-2025-03`, `TransferSecurityPolicy-FIPS-2025-03`, and `TransferSecurityPolicy-SshAuditCompliant-2025-02` as valid values for `security_policy_name` ([#42164](https://github.com/hashicorp/terraform-provider-aws/issues/42164)) BUG FIXES: - resource/aws\_elasticache\_serverless\_cache: Fix to allow in-place updates when `engine` is changed from `redis` to `valkey` ([#42208](https://github.com/hashicorp/terraform-provider-aws/issues/42208)) - resource/aws\_kms\_custom\_key\_store: Fix `panic: runtime error: invalid memory address or nil pointer dereference` when no `XksProxyConfiguration` is returned ([#42241](https://github.com/hashicorp/terraform-provider-aws/issues/42241)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix errors when removing `rule` from top of list ([#42228](https://github.com/hashicorp/terraform-provider-aws/issues/42228)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix potential eventual consistency errors in some regions ([#41764](https://github.com/hashicorp/terraform-provider-aws/issues/41764)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: No longer allows empty `rule.filter.and.tags` ([#42041](https://github.com/hashicorp/terraform-provider-aws/issues/42041)) - resource/aws\_sagemaker\_domain: Allow `default_user_settings.custom_file_system_config` and `default_space_settings.custom_file_system_config` to be removed on Update ([#42144](https://github.com/hashicorp/terraform-provider-aws/issues/42144)) - resource/aws\_sagemaker\_user\_profile: Allow `user_settings.custom_file_system_config` to be removed on Update ([#42144](https://github.com/hashicorp/terraform-provider-aws/issues/42144)) ### [`v5.94.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.94.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.94.0...v5.94.1) BUG FIXES: - resource/aws\_sns\_topic\_subscription: Ignore `AuthorizationError` exceptions for `ListSubscriptionByTopic` operations. This fixes a regression introduced in [`v5.94.0`](https://github.com/hashicorp/terraform-provider-aws/pull/42093). ([#42117](https://github.com/hashicorp/terraform-provider-aws/issues/42117)) ### [`v5.94.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.94.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.93.0...v5.94.0) NOTES: - resource/aws\_ssm\_parameter: The `overwrite` argument is no longer deprecated ([#42030](https://github.com/hashicorp/terraform-provider-aws/issues/42030)) ENHANCEMENTS: - data-source/aws\_ami: Add `last_launched_time` attribute ([#42049](https://github.com/hashicorp/terraform-provider-aws/issues/42049)) - resource/aws\_ami: Add `last_launched_time` attribute ([#42049](https://github.com/hashicorp/terraform-provider-aws/issues/42049)) - resource/aws\_ami\_copy: Add `last_launched_time` attribute ([#42049](https://github.com/hashicorp/terraform-provider-aws/issues/42049)) - resource/aws\_ami\_from\_instance: Add `last_launched_time` attribute ([#42049](https://github.com/hashicorp/terraform-provider-aws/issues/42049)) - resource/aws\_glue\_job: Add `source_control_details` argument ([#42046](https://github.com/hashicorp/terraform-provider-aws/issues/42046)) - resource/aws\_lambda\_function: Add support for `ruby3.4` `runtime` value ([#42052](https://github.com/hashicorp/terraform-provider-aws/issues/42052)) - resource/aws\_lambda\_layer\_version: Add support for `ruby3.4` `compatible_runtimes` value ([#42052](https://github.com/hashicorp/terraform-provider-aws/issues/42052)) - resource/aws\_prometheus\_scraper: Add `role_configuration` argument ([#42039](https://github.com/hashicorp/terraform-provider-aws/issues/42039)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Adds warning if multiple attributes in `rule.expiration` are set ([#42036](https://github.com/hashicorp/terraform-provider-aws/issues/42036)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Adds warning if neither `rule.prefix` nor `rule.filter` is set ([#42036](https://github.com/hashicorp/terraform-provider-aws/issues/42036)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Adds warning if neither `rule.transition.date` nor `rule.transition.days` is set and error if both are set ([#42036](https://github.com/hashicorp/terraform-provider-aws/issues/42036)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Removes spurious "known after apply" notations in plan ([#42036](https://github.com/hashicorp/terraform-provider-aws/issues/42036)) BUG FIXES: - resource/aws\_cloudformation\_type: Set the default version of an extension to the newly created version. This fixes `CFNRegistryException: Version '...' is the default version and cannot be deregistered` errors when deregistering an extension and the [`create_before_destroy` meta-argument](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#create_before_destroy) is `true` ([#38855](https://github.com/hashicorp/terraform-provider-aws/issues/38855)) - resource/aws\_connect\_queue: Fix API limitation when assigning more than 50 Quick Connects to a queue ([#42108](https://github.com/hashicorp/terraform-provider-aws/issues/42108)) - resource/aws\_ecs\_service: Fix missing `volume_configuration` and `service_connect_configurations` values from state read/refresh ([#41998](https://github.com/hashicorp/terraform-provider-aws/issues/41998)) - resource/aws\_ecs\_service: Mark `service_connect_configuration.service.discovery_name` and `service_connect_configuration.service.client_alias.dns_name` as Computed ([#41998](https://github.com/hashicorp/terraform-provider-aws/issues/41998)) - resource/aws\_msk\_cluster: Fix `Provider produced inconsistent final plan` errors when `configuration_info.revision` is [unknown](https://developer.hashicorp.com/terraform/language/expressions/references#values-not-yet-known) ([#42037](https://github.com/hashicorp/terraform-provider-aws/issues/42037)) - resource/aws\_quicksight\_data\_set: Fix perpetual diff when `refresh_properties` is not configured ([#42076](https://github.com/hashicorp/terraform-provider-aws/issues/42076)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Removes incorrect warning for empty `rule.filter` ([#42036](https://github.com/hashicorp/terraform-provider-aws/issues/42036)) - resource/aws\_sns\_topic\_subscription: Fix to handle eventually consistent subscription read operations ([#42093](https://github.com/hashicorp/terraform-provider-aws/issues/42093)) - resource/aws\_sqs\_queue: Fix `waiting for SQS Queue... attributes create: timeout while waiting` errors when `sqs_managed_sse_enabled = false` or omitted and `kms_master_key_id` is not set but `kms_data_key_reuse_period_seconds` is set to a non-default value. ([#42062](https://github.com/hashicorp/terraform-provider-aws/issues/42062)) - resource/aws\_workspaces\_workspace: Properly update `workspace_properties.running_mode_auto_stop_timeout_in_minutes` when modified ([#40953](https://github.com/hashicorp/terraform-provider-aws/issues/40953)) ### [`v5.93.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.93.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.92.0...v5.93.0) FEATURES: - **New Resource:** `aws_api_gateway_rest_api_put` ([#41375](https://github.com/hashicorp/terraform-provider-aws/issues/41375)) ENHANCEMENTS: - data-source/aws\_ecr\_pull\_through\_cache\_rule: Add `custom_role_arn` and `upstream_repository_prefix` attributes ([#41933](https://github.com/hashicorp/terraform-provider-aws/issues/41933)) - resource/aws\_bedrockagent\_agent: Add `memory_configuration` configuration block ([#39970](https://github.com/hashicorp/terraform-provider-aws/issues/39970)) - resource/aws\_codepipeline: Adds `trigger_all` attribute ([#42008](https://github.com/hashicorp/terraform-provider-aws/issues/42008)) - resource/aws\_codepipeline: Removal of `trigger` argument now properly removes custom trigger definitions ([#42008](https://github.com/hashicorp/terraform-provider-aws/issues/42008)) - resource/aws\_cognitoidp\_user\_pool: Mark the `username_configuration` and `username_configuration.case_sensitive` arguments as optional and computed. This will future proof the provider against upstream API changes which may return a default value for the block when omitted during create operations. ([#35439](https://github.com/hashicorp/terraform-provider-aws/issues/35439)) - resource/aws\_datasync\_task: Add `task_mode` argument ([#39979](https://github.com/hashicorp/terraform-provider-aws/issues/39979)) - resource/aws\_ecr\_pull\_through\_cache\_rule: Add `custom_role_arn` and `upstream_repository_prefix` arguments ([#41933](https://github.com/hashicorp/terraform-provider-aws/issues/41933)) - resource/aws\_ecr\_pull\_through\_cache\_rule: Correct plan-time validation of `ecr_repository_prefix` to support a value of `"ROOT"` ([#41933](https://github.com/hashicorp/terraform-provider-aws/issues/41933)) - resource/aws\_elasticache\_cluster: Add configurable timeouts for create, update, and delete operations ([#41940](https://github.com/hashicorp/terraform-provider-aws/issues/41940)) - resource/aws\_kinesisanalyticsv2\_application: Allow `runtime_environment` to be updated in-place ([#41935](https://github.com/hashicorp/terraform-provider-aws/issues/41935)) - resource/aws\_verified\_access\_endpoint: Add `cidr_options`, `load_balancer.port_range`, `network_interface_options.port_range`, and `rds_options` arguments ([#41957](https://github.com/hashicorp/terraform-provider-aws/issues/41957)) - resource/aws\_verified\_access\_endpoint: Mark `application_domain`, `domain_certificate_arn` and `endpoint_domain_prefix` as Optional ([#41957](https://github.com/hashicorp/terraform-provider-aws/issues/41957)) - resource/aws\_verified\_access\_endpoint: Support `cidr` and `rds` as valid values for `endpoint_type` ([#41957](https://github.com/hashicorp/terraform-provider-aws/issues/41957)) - resource/aws\_verified\_access\_instance: Add `cidr_endpoint_custom_subdomain` argument and `name_servers` attribute ([#41957](https://github.com/hashicorp/terraform-provider-aws/issues/41957)) - resource/aws\_verified\_access\_trust\_provider: Add `native_application_oidc_options` and `sse_specification` arguments ([#41957](https://github.com/hashicorp/terraform-provider-aws/issues/41957)) BUG FIXES: - resource/aws\_db\_instance: Fix `InvalidParameterCombination: To enable the Advanced mode of Database Insights, modify your cluster to enable Performance Insights and set the retention period for Performance Insights to at least 465 days` errors when enabling `database_insights_mode` on existing instances ([#41960](https://github.com/hashicorp/terraform-provider-aws/issues/41960)) - resource/aws\_eip: Prevents application from failing when hitting "InvalidAction" error for specific regions ([#41920](https://github.com/hashicorp/terraform-provider-aws/issues/41920)) - resource/aws\_elasticache\_replication\_group: Retry `InvalidReplicationGroupState` exceptions during tagging operations ([#41954](https://github.com/hashicorp/terraform-provider-aws/issues/41954)) - resource/aws\_elasticache\_replication\_group: Wait for replication group to become available before all modification operations ([#40320](https://github.com/hashicorp/terraform-provider-aws/issues/40320)) - resource/aws\_iot\_domain\_configuration: Change `domain_name` to Computed ([#41985](https://github.com/hashicorp/terraform-provider-aws/issues/41985)) - resource/aws\_lakeformation\_opt\_in: Fix error when expanding `resource_data.table_wildcard` attribute ([#41939](https://github.com/hashicorp/terraform-provider-aws/issues/41939)) ### [`v5.92.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.92.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.91.0...v5.92.0) NOTES: - resource/aws\_kendra\_data\_source: The `configuration.s3_configuration` argument is deprecated. Use `configuration.template_configuration` instead, which supports the upgraded Amazon S3 connector. Amazon has ended support for the older architecture as of June 2024, and resources created with this argument cannot be edited or updated. See the [Amazon Kendra documentation](https://docs.aws.amazon.com/kendra/latest/dg/data-source-s3.html) for additional details. ([#35437](https://github.com/hashicorp/terraform-provider-aws/issues/35437)) - resource/aws\_kendra\_data\_source: The `configuration.web_crawler_configuration` argument is deprecated. Use `configuration.template_configuration` instead, which supports the Amazon Kendra Web Crawler connector v2.0. See the [Amazon Kendra documentation](https://docs.aws.amazon.com/kendra/latest/dg/data-source-web-crawler.html) for additional details. ([#35437](https://github.com/hashicorp/terraform-provider-aws/issues/35437)) FEATURES: - **New Data Source:** `aws_api_gateway_api_keys` ([#39335](https://github.com/hashicorp/terraform-provider-aws/issues/39335)) - **New Data Source:** `aws_eks_cluster_versions` ([#40741](https://github.com/hashicorp/terraform-provider-aws/issues/40741)) - **New Data Source:** `aws_identitystore_group_memberships` ([#31589](https://github.com/hashicorp/terraform-provider-aws/issues/31589)) - **New Data Source:** `aws_identitystore_users` ([#31688](https://github.com/hashicorp/terraform-provider-aws/issues/31688)) - **New Resource:** `aws_athena_capacity_reservation` ([#41858](https://github.com/hashicorp/terraform-provider-aws/issues/41858)) ENHANCEMENTS: - data-source/aws\_connect\_user: Add `identity_info.secondary_email` attribute ([#41001](https://github.com/hashicorp/terraform-provider-aws/issues/41001)) - data-source/aws\_db\_instance: Add `database_insights_mode` attribute ([#41607](https://github.com/hashicorp/terraform-provider-aws/issues/41607)) - data-source/aws\_ebs\_volume: Add `create_time` attribute ([#41839](https://github.com/hashicorp/terraform-provider-aws/issues/41839)) - data-source/aws\_lb: Add `ipam_pools` attribute ([#41822](https://github.com/hashicorp/terraform-provider-aws/issues/41822)) - provider: Support `aws-marketplace` as a valid account ID in ARNs ([#41867](https://github.com/hashicorp/terraform-provider-aws/issues/41867)) - resource/aws\_appconfig\_extension\_association: Add plan-time validation of `extension_arn` and `resource_arn` ([#41907](https://github.com/hashicorp/terraform-provider-aws/issues/41907)) - resource/aws\_connect\_user: Add `identity_info.secondary_email` attribute ([#41001](https://github.com/hashicorp/terraform-provider-aws/issues/41001)) - resource/aws\_db\_instance: Add `database_insights_mode` argument ([#41607](https://github.com/hashicorp/terraform-provider-aws/issues/41607)) - resource/aws\_ebs\_volume: Add `create_time` attribute ([#41839](https://github.com/hashicorp/terraform-provider-aws/issues/41839)) - resource/aws\_kendra\_data\_source: Add `configuration.template_configuration` argument ([#35437](https://github.com/hashicorp/terraform-provider-aws/issues/35437)) - resource/aws\_lb: Add `ipam_pools` configuration block ([#41822](https://github.com/hashicorp/terraform-provider-aws/issues/41822)) BUG FIXES: - resource/aws\_api\_gateway\_rest\_api: Avoid unnecessary remove and add operations for `vpc_endpoint_ids` ([#41836](https://github.com/hashicorp/terraform-provider-aws/issues/41836)) - resource/aws\_bedrockagent\_agent: Fix `instruction` validator to consider multi-byte chars so not to artificially limit instruction length ([#41921](https://github.com/hashicorp/terraform-provider-aws/issues/41921)) - resource/aws\_eks\_cluster: Allow `compute_config.node_role_arn` to update in place when previously unset ([#41925](https://github.com/hashicorp/terraform-provider-aws/issues/41925)) - resource/aws\_rds\_cluster: Ensure that `performance_insights_enabled` takes effect when creating a cluster that is a member of a global cluster ([#41737](https://github.com/hashicorp/terraform-provider-aws/issues/41737)) - resource/aws\_rds\_cluster: Fix `InvalidParameterCombination: To enable the Advanced mode of Database Insights, modify your cluster to enable Performance Insights and set the retention period for Performance Insights to at least 465 days` errors when enabling `database_insights_mode` on existing clusters ([#41737](https://github.com/hashicorp/terraform-provider-aws/issues/41737)) - resource/aws\_timestreaminfluxdb\_db\_instance: Set new computed value for `secondary_availability_zone` attribute when changing `deployment_type` ([#41849](https://github.com/hashicorp/terraform-provider-aws/issues/41849)) ### [`v5.91.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.91.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.90.1...v5.91.0) NOTES: - resource/aws\_network\_interface\_permission: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#40797](https://github.com/hashicorp/terraform-provider-aws/issues/40797)) FEATURES: - **New Resource:** `aws_network_interface_permission` ([#40797](https://github.com/hashicorp/terraform-provider-aws/issues/40797)) - **New Resource:** `aws_route53_records_exclusive` ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) ENHANCEMENTS: - resource/aws\_codebuild\_project: Add `secondary_sources.auth` configuration block ([#40191](https://github.com/hashicorp/terraform-provider-aws/issues/40191)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `msk_source_configuration.read_from_timestamp` argument ([#41794](https://github.com/hashicorp/terraform-provider-aws/issues/41794)) - resource/aws\_route53\_hosted\_zone\_dnssec: Add configurable operation timeouts ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) - resource/aws\_route53\_key\_signing\_key: Add configurable operation timeouts ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) - resource/aws\_route53\_record: Add configurable operation timeouts ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) - resource/aws\_route53\_zone: Add configurable operation timeouts ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) - resource/aws\_route53\_zone\_association: Add configurable operation timeouts ([#41741](https://github.com/hashicorp/terraform-provider-aws/issues/41741)) - resource/aws\_timestreaminfluxdb\_db\_instance: Add `network_type` and `port` attributes. The following can now be updated in place: `allocated_storage`, `db_instance_type`, `db_storage_type` and `deployment_type` ([#40661](https://github.com/hashicorp/terraform-provider-aws/issues/40661)) - resource/aws\_vpc\_ipv4\_cidr\_block\_association: Support optional import of the `ipv4_ipam_pool_id` and `ipv4_netmask_length` attributes ([#41779](https://github.com/hashicorp/terraform-provider-aws/issues/41779)) - resource/aws\_vpc\_ipv6\_cidr\_block\_association: Support optional import of the `ipv6_ipam_pool_id` and `ipv6_netmask_length` attributes ([#41779](https://github.com/hashicorp/terraform-provider-aws/issues/41779)) - resource/aws\_wafv2\_ip\_set: Add `name_prefix` argument and plan-time validation of `name` ([#40889](https://github.com/hashicorp/terraform-provider-aws/issues/40889)) - resource/aws\_wafv2\_regex\_pattern\_set: Add `name_prefix` argument and plan-time validation of `name` ([#40889](https://github.com/hashicorp/terraform-provider-aws/issues/40889)) - resource/aws\_wafv2\_web\_acl: Add `name_prefix` argument ([#40889](https://github.com/hashicorp/terraform-provider-aws/issues/40889)) - resource/aws\_wafv2\_web\_acl: Add `rule.challenge_config` argument ([#40123](https://github.com/hashicorp/terraform-provider-aws/issues/40123)) BUG FIXES: - resource/aws\_msk\_cluster: Ensure that `storage_mode` updates are actually applied to the cluster ([#41773](https://github.com/hashicorp/terraform-provider-aws/issues/41773)) ### [`v5.90.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.90.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.90.0...v5.90.1) NOTES: - provider: Restore the `godebug tlskyber=0` directive in `go.mod`. This disables the experimental the post-quantum key exchange mechanism `X25519Kyber768Draft00`, fixing failed or hanging network connections to various AWS services. This fixes a regression introduced in [v5.90.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5900-march--6-2025) ([#41740](https://github.com/hashicorp/terraform-provider-aws/issues/41740)) FEATURES: - **New Data Source:** `aws_datazone_domain` ([#41480](https://github.com/hashicorp/terraform-provider-aws/issues/41480)) ENHANCEMENTS: - resource/aws\_codepipeline: Add `stage.before_entry`, `stage.on_success` and `stage.on_failure` configuration blocks ([#41663](https://github.com/hashicorp/terraform-provider-aws/issues/41663)) - resource/aws\_mskconnect\_connector: Allow `connector_configuration` to be updated in-place ([#41685](https://github.com/hashicorp/terraform-provider-aws/issues/41685)) - resource/aws\_wafv2\_rule\_group: Add `ja3_fingerprint` and `ja4_fingerprint` to `custom_key` configuration blocks ([#41719](https://github.com/hashicorp/terraform-provider-aws/issues/41719)) - resource/aws\_wafv2\_rule\_group: Add `ja4_fingerprint` to `field_to_match` configuration blocks ([#41719](https://github.com/hashicorp/terraform-provider-aws/issues/41719)) - resource/aws\_wafv2\_web\_acl: Add `ja3_fingerprint` and `ja4_fingerprint` to `custom_key` configuration blocks ([#41719](https://github.com/hashicorp/terraform-provider-aws/issues/41719)) - resource/aws\_wafv2\_web\_acl: Add `ja4_fingerprint` to `field_to_match` configuration blocks ([#41719](https://github.com/hashicorp/terraform-provider-aws/issues/41719)) ### [`v5.90.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.90.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.89.0...v5.90.0) BREAKING CHANGES: - resource/aws\_s3\_bucket\_lifecycle\_configuration: `rule.noncurrent_version_expiration.noncurrent_days` and `rule.noncurrent_version_transition.noncurrent_days` are Required ([#40796](https://github.com/hashicorp/terraform-provider-aws/issues/40796)) NOTES: - data-source/aws\_launch\_template: `elastic_gpu_specifications` and `elastic_inference_accelerator` are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. ([#41677](https://github.com/hashicorp/terraform-provider-aws/issues/41677)) - provider: In preparation for Go 1.24, we are re-enabling the experimental post-quantum key exchange mechanism, `X25519Kyber768Draft00`. Previously, in environments using AWS Network Firewall, the Provider would hang due to a handshake issue between Go 1.23 and Network Firewall, which supported Suricata 6.0.9. We had disabled the post-quantum key exchange to resolve the issue. Since November 2024, AWS Network Firewall has upgraded to Suricata 7.0, which no longer has this issue. However, if you use AWS Network Firewall, we’d appreciate your help in identifying any remaining issues related to this change. ([#41655](https://github.com/hashicorp/terraform-provider-aws/issues/41655)) - provider: On December 3, 2024, Amazon SageMaker was renamed to Amazon SageMaker AI. While resource and data source names remain the same in the provider, documentation and error messages have been updated to reflect the name change. ([#41673](https://github.com/hashicorp/terraform-provider-aws/issues/41673)) - resource/aws\_ecs\_task\_execution: `overrides.inference_accelerator_overrides` is deprecated. AWS no longer provides the Elastic Inference service. ([#41676](https://github.com/hashicorp/terraform-provider-aws/issues/41676)) - resource/aws\_launch\_template: `elastic_gpu_specifications` and `elastic_inference_accelerator` are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. ([#41677](https://github.com/hashicorp/terraform-provider-aws/issues/41677)) - resource/aws\_opsworks\_application: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_custom\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_ecs\_cluster\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_ganglia\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_haproxy\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_java\_app\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_memcached\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_mysql\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_nodejs\_app\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_permission: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_php\_app\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_rails\_app\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_rds\_db\_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_stack: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_static\_web\_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_opsworks\_user\_profile: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. ([#41674](https://github.com/hashicorp/terraform-provider-aws/issues/41674)) - resource/aws\_sagemaker\_notebook\_instance: `accelerator_types` is deprecated and will be removed in a future version. Use `instance_type` instead. ([#41673](https://github.com/hashicorp/terraform-provider-aws/issues/41673)) FEATURES: - **New Resource:** `aws_dataexchange_event_action` ([#40552](https://github.com/hashicorp/terraform-provider-aws/issues/40552)) - **New Resource:** `aws_lakeformation_opt_in` ([#41611](https://github.com/hashicorp/terraform-provider-aws/issues/41611)) ENHANCEMENTS: - data-source/aws\_cloudfront\_cache\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - data-source/aws\_cloudfront\_origin\_access\_control: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - data-source/aws\_cloudfront\_origin\_access\_identity: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - data-source/aws\_cloudfront\_origin\_request\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - data-source/aws\_cloudfront\_response\_headers\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - data-source/aws\_dx\_connection: Add `state` attribute ([#41575](https://github.com/hashicorp/terraform-provider-aws/issues/41575)) - data-source/aws\_opensearch\_domain: Add `cluster_config.node_options` attribute ([#40181](https://github.com/hashicorp/terraform-provider-aws/issues/40181)) - resource/aws\_account\_region: Allow adoption of regions in an ENABLED or DISABLED state without an explicit import operation ([#41678](https://github.com/hashicorp/terraform-provider-aws/issues/41678)) - resource/aws\_account\_region: Prevent errors when the region is an ENABLING or DISABLING state during creation ([#41678](https://github.com/hashicorp/terraform-provider-aws/issues/41678)) - resource/aws\_cloudfront\_cache\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_continuous\_deployment\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_field\_level\_encryption\_config: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_field\_level\_encryption\_profile: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_origin\_access\_control: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_origin\_access\_identity: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_origin\_request\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_cloudfront\_response\_headers\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_ec2\_client\_vpn\_endpoint: Add `disconnect_on_session_timeout` attribute ([#41621](https://github.com/hashicorp/terraform-provider-aws/issues/41621)) - resource/aws\_mwaa\_environment: Lower the minimum value of the `max_webservers` and `min_webservers` arguments from `2` to `1` in support of Amazon MWAA micro environments ([#40244](https://github.com/hashicorp/terraform-provider-aws/issues/40244)) - resource/aws\_opensearch\_domain: Add `cluster_config.node_options` configuration block in support of [dedicated coordinator nodes](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/Dedicated-coordinator-nodes.html) ([#40181](https://github.com/hashicorp/terraform-provider-aws/issues/40181)) - resource/aws\_osis\_pipeline: Add `vpc_options.vpc_endpoint_management` argument ([#38001](https://github.com/hashicorp/terraform-provider-aws/issues/38001)) - resource/aws\_prometheus\_rule\_group\_namespace: Add `arn` attribute ([#41645](https://github.com/hashicorp/terraform-provider-aws/issues/41645)) - resource/aws\_prometheus\_rule\_group\_namespace: Add `tags` argument and `tags_all` attribute ([#41645](https://github.com/hashicorp/terraform-provider-aws/issues/41645)) - resource/aws\_route53\_traffic\_policy: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_route53\_traffic\_policy\_instance: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Adds warning validation to require exactly one of the elements of `rule.filter` ([#41662](https://github.com/hashicorp/terraform-provider-aws/issues/41662)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: `rule.noncurrent_version_expiration.noncurrent_days` and `rule.noncurrent_version_transition.noncurrent_days` are Required. Technically this is a breaking change, but failure to configure this attribute would have led to `InvalidArgument` or `MalformedXML` errors ([#40796](https://github.com/hashicorp/terraform-provider-aws/issues/40796)) - resource/aws\_waf\_byte\_match\_set: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) - resource/aws\_waf\_sql\_injection\_match\_set: Add `arn` attribute ([#41660](https://github.com/hashicorp/terraform-provider-aws/issues/41660)) BUG FIXES: - ephemeral/aws\_secrets\_manager\_random\_password: Change `exclude_characters` from `Bool` to `String` ([#41546](https://github.com/hashicorp/terraform-provider-aws/issues/41546)) - resource/aws\_ecs\_service: Fix removal of all `vpc_lattice_configurations` blocks ([#41594](https://github.com/hashicorp/terraform-provider-aws/issues/41594)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix error when converting `rule` configuration from `filter.prefix` to `filter.and.prefix` ([#41662](https://github.com/hashicorp/terraform-provider-aws/issues/41662)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix error when converting `rule` configuration from `prefix` to `filter.prefix` or `filter.and.prefix` ([#41662](https://github.com/hashicorp/terraform-provider-aws/issues/41662)) - resource/aws\_sagemaker\_mlflow\_tracking\_server: Increased the timeout from 30 to 45 minutes ([#41463](https://github.com/hashicorp/terraform-provider-aws/issues/41463)) - resource/aws\_vpclattice\_target\_group: Retry `ConflictException` errors on delete ([#41594](https://github.com/hashicorp/terraform-provider-aws/issues/41594)) ### [`v5.89.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.89.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.88.0...v5.89.0) FEATURES: - **New Resource:** `aws_macie2_organization_configuration` ([#41475](https://github.com/hashicorp/terraform-provider-aws/issues/41475)) - **New Resource:** `aws_neptunegraph_graph` ([#41216](https://github.com/hashicorp/terraform-provider-aws/issues/41216)) - **New Resource:** `aws_quicksight_role_membership` ([#41589](https://github.com/hashicorp/terraform-provider-aws/issues/41589)) - **New Resource:** `aws_rds_shard_group` ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - **New Resource:** `aws_xray_resource_policy` ([#41517](https://github.com/hashicorp/terraform-provider-aws/issues/41517)) ENHANCEMENTS: - data-source/aws\_cloudwatch\_log\_data\_protection\_policy\_document: Add `configuration` argument ([#41524](https://github.com/hashicorp/terraform-provider-aws/issues/41524)) - data-source/aws\_rds\_cluster: Add `cluster_scalability_type` attribute ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - data-source/aws\_rds\_cluster: Add `database_insights_mode` attribute ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - data-source/aws\_s3\_bucket\_object: Add `application/yaml` to the list of `Content-Type`s that return a body ([#41443](https://github.com/hashicorp/terraform-provider-aws/issues/41443)) - data-source/aws\_s3\_object: Add `application/yaml` to the list of `Content-Type`s that return a body ([#41443](https://github.com/hashicorp/terraform-provider-aws/issues/41443)) - data-source/aws\_s3\_object: Add `checksum_crc64nvme` attribute ([#41015](https://github.com/hashicorp/terraform-provider-aws/issues/41015)) - resource/aws\_autoscaling\_policy: Add `target_tracking_configuration.customized_metric_specification.period` argument to support [high-resolution metrics](https://docs.aws.amazon.com/autoscaling/ec2/userguide/policy-creating-high-resolution-metrics.html) ([#41385](https://github.com/hashicorp/terraform-provider-aws/issues/41385)) - resource/aws\_db\_instance: Add `RequiredWith` validation `password_wo` and `password_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_docdb\_cluster: Add `RequiredWith` validation `master_password_wo` and `master_password_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_dx\_connection: Add `25Gbps` and `400Gbps` as supported `bandwidth` values ([#41547](https://github.com/hashicorp/terraform-provider-aws/issues/41547)) - resource/aws\_dx\_hosted\_connection: Add `25Gbps` as a supported `bandwidth` value ([#41547](https://github.com/hashicorp/terraform-provider-aws/issues/41547)) - resource/aws\_dx\_lag: Add `400Gbps` as a supported `connections_bandwidth` value ([#41547](https://github.com/hashicorp/terraform-provider-aws/issues/41547)) - resource/aws\_launch\_template: Add `network_interfaces.ena_srd_specification` configuration block ([#41367](https://github.com/hashicorp/terraform-provider-aws/issues/41367)) - resource/aws\_lb: Add `enable_zonal_shift` support for Application Load Balancers ([#41335](https://github.com/hashicorp/terraform-provider-aws/issues/41335)) - resource/aws\_macie2\_classification\_job: Allow `tags` to be updated in-place ([#41266](https://github.com/hashicorp/terraform-provider-aws/issues/41266)) - resource/aws\_macie2\_custom\_data\_identifier: Allow `tags` to be updated in-place ([#41266](https://github.com/hashicorp/terraform-provider-aws/issues/41266)) - resource/aws\_macie2\_findings\_filter: Allow `tags` to be updated in-place ([#41266](https://github.com/hashicorp/terraform-provider-aws/issues/41266)) - resource/aws\_macie2\_member: Allow `tags` to be updated in-place ([#41266](https://github.com/hashicorp/terraform-provider-aws/issues/41266)) - resource/aws\_nat\_gateway: Make it possible to move from `secondary_private_ip_address_count` to `secondary_private_ip_addresses` for private NAT Gateways ([#41403](https://github.com/hashicorp/terraform-provider-aws/issues/41403)) - resource/aws\_rds\_cluster: Add `RequiredWith` validation `master_password_wo` and `master_password_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_rds\_cluster: Add `cluster_scalability_type` argument ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - resource/aws\_rds\_cluster: Add `database_insights_mode` argument ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - resource/aws\_rds\_cluster: Support `""` as a valid value for `engine_mode` ([#41254](https://github.com/hashicorp/terraform-provider-aws/issues/41254)) - resource/aws\_rds\_instance: Support `iam-db-auth-error` as a valid value for `enabled_cloudwatch_logs_exports` ([#41408](https://github.com/hashicorp/terraform-provider-aws/issues/41408)) - resource/aws\_redshift\_cluster: Add `RequiredWith` validation `master_password_wo` and `master_password_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_redshiftseverless\_namespace: Add `RequiredWith` validation `admin_user_password_wo` and `admin_user_password_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_s3\_directory\_bucket: The default value for `data_redundancy` is `SingleLocalZone` if `location.type` is `LocalZone` ([#40944](https://github.com/hashicorp/terraform-provider-aws/issues/40944)) - resource/aws\_s3\_object: Add `checksum_crc64nvme` attribute ([#41015](https://github.com/hashicorp/terraform-provider-aws/issues/41015)) - resource/aws\_s3\_object\_copy: Add `checksum_crc64nvme` attribute ([#41015](https://github.com/hashicorp/terraform-provider-aws/issues/41015)) - resource/aws\_secretsmanager\_secret\_version: Add `RequiredWith` validation `secret_string_wo` and `secret_string_wo_version`. Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) - resource/aws\_ssm\_parameter: Remove `PreferWriteOnlyAttribute` validation ([#41562](https://github.com/hashicorp/terraform-provider-aws/issues/41562)) BUG FIXES: - resource/aws\_cloudwatch\_log\_delivery: Fix Provider produced inconsistent result error on `s3_delivery_configuration.suffix_path` ([#41497](https://github.com/hashicorp/terraform-provider-aws/issues/41497)) - resource/aws\_ec2\_fleet: Add `spot_options.max_total_price`, `spot_options.min_target_capacity`, `spot_options.single_instance_type`, and `spot_options.single_availability_zone` arguments ([#41272](https://github.com/hashicorp/terraform-provider-aws/issues/41272)) - resource/aws\_lb\_listener: Ensure that `routing_http_response_server_enabled`, `routing_http_response_strict_transport_security_header_value`, `routing_http_response_access_control_allow_origin_header_value`, `routing_http_response_access_control_allow_methods_header_value`, `routing_http_response_access_control_allow_headers_header_value`, `routing_http_response_access_control_allow_credentials_header_value`, `routing_http_response_access_control_expose_headers_header_value`, `routing_http_response_access_control_max_age_header_value`, `routing_http_response_content_security_policy_header_value`, `routing_http_response_x_content_type_options_header_value`, `routing_http_response_x_frame_options_header_value`, `routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name`, `routing_http_request_x_amzn_mtls_clientcert_issuer_header_name`, `routing_http_request_x_amzn_mtls_clientcert_subject_header_name`, `routing_http_request_x_amzn_mtls_clientcert_validity_header_name`, `routing_http_request_x_amzn_mtls_clientcert_leaf_header_name`, `routing_http_request_x_amzn_mtls_clientcert_header_name`, `routing_http_request_x_amzn_tls_version_header_name`, and `routing_http_request_x_amzn_tls_cipher_suite_header_name` are updated if `tcp_idle_timeout_seconds` does not change ([#41299](https://github.com/hashicorp/terraform-provider-aws/issues/41299)) - resource/aws\_macie2\_classification\_job: Ensure that only `status` and `tags` can be updated in-place ([#41266](https://github.com/hashicorp/terraform-provider-aws/issues/41266)) - resource/aws\_nat\_gateway: Allow `secondary_allocation_ids` to be updated in-place ([#41403](https://github.com/hashicorp/terraform-provider-aws/issues/41403)) - resource/aws\_redshift\_cluster: Fix `master_username` validation ([#41556](https://github.com/hashicorp/terraform-provider-aws/issues/41556)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Prevents `InvalidRequest` error when `rule.and.object_size_less_than` not set. ([#41542](https://github.com/hashicorp/terraform-provider-aws/issues/41542)) - resource/aws\_servicequotas\_service\_quota: Does not leave stuck resource in state when service quota not supported in current region. ([#41509](https://github.com/hashicorp/terraform-provider-aws/issues/41509)) ### [`v5.88.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.88.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.87.0...v5.88.0) NOTES: - resource/aws\_s3\_bucket\_lifecycle\_configuration: A warning diagnostic has been added for configurations where `rule.expiration.expired_object_delete_marker` is set with either `rule.expiration.date` or `rule.expiration.days`. While historically the provider allowed this invalid configuration, the migration of this resource to the Terraform Plugin Framework in `v5.86.0` resulted in this misconfiguration surfacing as a hard `inconsistent result after apply` error. This diagnostic aims to direct users how to resolve the issue at plan time. See [this issue comment](https://github.com/hashicorp/terraform-provider-aws/issues/41277#issuecomment-2654728812) for additional context. ([#41462](https://github.com/hashicorp/terraform-provider-aws/issues/41462)) FEATURES: - **New Data Source:** `aws_cloudwatch_contributor_managed_insight_rules` ([#41472](https://github.com/hashicorp/terraform-provider-aws/issues/41472)) - **New Resource:** `aws_cloudwatch_contributor_managed_insight_rule` ([#41449](https://github.com/hashicorp/terraform-provider-aws/issues/41449)) - **New Resource:** `aws_qbusiness_application` ([#35249](https://github.com/hashicorp/terraform-provider-aws/issues/35249)) ENHANCEMENTS: - resource/aws\_bedrock\_model\_invocation\_logging\_configuration: Add `video_data_delivery_enabled` argument ([#41317](https://github.com/hashicorp/terraform-provider-aws/issues/41317)) - resource/aws\_db\_instance: Add `password_wo` write-only attribute ([#41366](https://github.com/hashicorp/terraform-provider-aws/issues/41366)) - resource/aws\_docdb\_cluster: Add `master_password_wo` write-only attribute ([#41413](https://github.com/hashicorp/terraform-provider-aws/issues/41413)) - resource/aws\_glue\_partition: Add `storage_descriptor.additional_locations` argument ([#41434](https://github.com/hashicorp/terraform-provider-aws/issues/41434)) - resource/aws\_redshift\_cluster: Add `master_password_wo` write-only attribute ([#41411](https://github.com/hashicorp/terraform-provider-aws/issues/41411)) - resource/aws\_redshiftserverless\_namespace: Add `admin_user_password_wo` write-only attribute ([#41412](https://github.com/hashicorp/terraform-provider-aws/issues/41412)) - resource/aws\_secretsmanager\_secret\_version: Add `secret_string_wo` write-only attribute ([#41371](https://github.com/hashicorp/terraform-provider-aws/issues/41371)) BUG FIXES: - data-source/aws\_codebuild\_fleet: Prevents panic when `scaling_configuration` is not empty. ([#41377](https://github.com/hashicorp/terraform-provider-aws/issues/41377)) - resource/aws\_amplify\_domain\_association: Prevents unexpected state error when creating with multiple `sub_domain` ([#36961](https://github.com/hashicorp/terraform-provider-aws/issues/36961)) - resource/aws\_bedrock\_model\_invocation\_logging\_configuration: Set `embedding_data_delivery_enabled`, `image_data_delivery_enabled`, and `text_data_delivery_enabled` arguments as optional with default value of `true` ([#41317](https://github.com/hashicorp/terraform-provider-aws/issues/41317)) - resource/aws\_cloudwatch\_contributor\_insight\_rule: Fix enable/disable rule state ([#41449](https://github.com/hashicorp/terraform-provider-aws/issues/41449)) - resource/aws\_dynamodb\_table: Fixes long delay in creation of replicas ([#41451](https://github.com/hashicorp/terraform-provider-aws/issues/41451)) ### [`v5.87.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.87.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.86.1...v5.87.0) FEATURES: - **New Resource:** `aws_cloudwatch_contributor_insight_rule` ([#41373](https://github.com/hashicorp/terraform-provider-aws/issues/41373)) ENHANCEMENTS: - resource/aws\_dynamodb\_table\_export: Add `export_type` and `incremental_export_specification` arguments ([#41303](https://github.com/hashicorp/terraform-provider-aws/issues/41303)) - resource/aws\_quicksight\_data\_source: Add `parameters.s3.role_arn` argument to allow override an account-wide role for a specific S3 data source ([#41284](https://github.com/hashicorp/terraform-provider-aws/issues/41284)) - resource/aws\_rds\_cluster: Add `master_password_wo` write-only attribute ([#41314](https://github.com/hashicorp/terraform-provider-aws/issues/41314)) - resource/aws\_rekognition\_stream\_processor: Deprecates `stream_processor_arn` in favor of `arn`. ([#41271](https://github.com/hashicorp/terraform-provider-aws/issues/41271)) - resource/aws\_ssm\_parameter: Add `value_wo` write-only attribute ([#40952](https://github.com/hashicorp/terraform-provider-aws/issues/40952)) - resource/aws\_vpclattice\_access\_log\_subscription: Add `service_network_log_type` argument ([#41304](https://github.com/hashicorp/terraform-provider-aws/issues/41304)) BUG FIXES: - data-source/aws\_dynamodb\_table: Add missing `on_demand_throughput` and `global_secondary_index.*.on_demand_throughput` attributes to resolve read error ([#41350](https://github.com/hashicorp/terraform-provider-aws/issues/41350)) - resource/aws\_cloudformation\_stack\_set\_instance: Prevents overly-long creation times and possible `OperationInProgress` errors ([#41388](https://github.com/hashicorp/terraform-provider-aws/issues/41388)) - resource/aws\_detective\_member: No longer fails with unexpected status when adding Organization member accounts. ([#41344](https://github.com/hashicorp/terraform-provider-aws/issues/41344)) - resource/aws\_ec2\_transit\_gateway\_route\_table\_association: Fix deleting and recreating resource when dependencies changes don't require the resource be recreated. ([#41292](https://github.com/hashicorp/terraform-provider-aws/issues/41292)) - resource/aws\_internet\_gateway: Fix to continue deletion when attachment is not found ([#41346](https://github.com/hashicorp/terraform-provider-aws/issues/41346)) ### [`v5.86.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.86.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.86.0...v5.86.1) BUG FIXES: - data-source/aws\_vpclattice\_service: Fix regression resulting in `AccessDeniedError` attempting to list tags ([#41295](https://github.com/hashicorp/terraform-provider-aws/issues/41295)) - data-source/aws\_vpclattice\_service\_network: Fix regression resulting in `AccessDeniedError` attempting to list tags ([#41295](https://github.com/hashicorp/terraform-provider-aws/issues/41295)) - resource/aws\_cloudtrail: Fix regression issue where `sns_topic_name` shows perpectual diff when an ARN of a SNS topic from a different region is specified ([#41279](https://github.com/hashicorp/terraform-provider-aws/issues/41279)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fixes "inconsistent result" error when `rule[*].prefix` is an empty string. ([#41296](https://github.com/hashicorp/terraform-provider-aws/issues/41296)) ### [`v5.86.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.86.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.85.0...v5.86.0) NOTES: - resource/aws\_s3\_bucket\_lifecycle\_configuration: When upgrading existing resources with no defined `prefix`, the Terraform plan will show the removal of `prefix` from state. This is expected, and should not occur on subsequent plans. ([#41159](https://github.com/hashicorp/terraform-provider-aws/issues/41159)) ENHANCEMENTS: - data-source/aws\_rds\_cluster: Add `monitoring_interval` and `monitoring_role_arn` attributes ([#41002](https://github.com/hashicorp/terraform-provider-aws/issues/41002)) - provider: Support `us-isof-east-1` and `us-isof-south-1` as valid AWS Regions ([#41243](https://github.com/hashicorp/terraform-provider-aws/issues/41243)) - resource/aws\_fms\_policy: Add `security_service_policy_data.policy_option.network_acl_common_policy` argument to allow creation of FMS-managed NACL rules ([#41219](https://github.com/hashicorp/terraform-provider-aws/issues/41219)) - resource/aws\_rds\_cluster: Add `monitoring_interval` and `monitoring_role_arn` arguments ([#41002](https://github.com/hashicorp/terraform-provider-aws/issues/41002)) - resource/aws\_sqs\_queue: Accommodate accounts that take longer to process with customizable `timeouts`. ([#41232](https://github.com/hashicorp/terraform-provider-aws/issues/41232)) BUG FIXES: - resource/aws\_gamelift\_game\_server\_group: Correctly plan `tags_all` value ([#41256](https://github.com/hashicorp/terraform-provider-aws/issues/41256)) - resource/aws\_instance: Properly cancel spot instance requests on destroy when `instance_lifecycle` is `spot` ([#41206](https://github.com/hashicorp/terraform-provider-aws/issues/41206)) - resource/aws\_route53\_zone: Fix `panic: runtime error: invalid memory address or nil pointer dereference` when deleting the resource would otherwise return an error ([#41260](https://github.com/hashicorp/terraform-provider-aws/issues/41260)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Properly handle default value of `transition_default_minimum_object_size` ([#41159](https://github.com/hashicorp/terraform-provider-aws/issues/41159)) - resource/aws\_wafv2\_web\_acl: Properly set `rule` during import ([#41205](https://github.com/hashicorp/terraform-provider-aws/issues/41205)) ### [`v5.85.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.85.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.84.0...v5.85.0) NOTES: - resource/aws\_macie2\_invitation\_accepter: Maintainers are unable to acceptance test the regression fix included in this release. This patch is best effort, and we ask for community help in assessing the change. ([#41163](https://github.com/hashicorp/terraform-provider-aws/issues/41163)) FEATURES: - **New Data Source:** `aws_vpc_ipam` ([#40459](https://github.com/hashicorp/terraform-provider-aws/issues/40459)) - **New Data Source:** `aws_vpc_ipams` ([#40459](https://github.com/hashicorp/terraform-provider-aws/issues/40459)) - **New Ephemeral Resource:** `aws_secretsmanager_random_password` ([#41106](https://github.com/hashicorp/terraform-provider-aws/issues/41106)) - **New Resource:** `aws_guardduty_member_detector_feature` ([#35625](https://github.com/hashicorp/terraform-provider-aws/issues/35625)) - **New Resource:** `aws_route53domains_domain` ([#37885](https://github.com/hashicorp/terraform-provider-aws/issues/37885)) - **New Resource:** `aws_timestreamquery_scheduled_query` ([#41145](https://github.com/hashicorp/terraform-provider-aws/issues/41145)) - **New Resource:** `aws_vpclattice_resource_configuration` ([#41019](https://github.com/hashicorp/terraform-provider-aws/issues/41019)) - **New Resource:** `aws_vpclattice_service_network_resource_association` ([#41057](https://github.com/hashicorp/terraform-provider-aws/issues/41057)) ENHANCEMENTS: - data-source/aws\_ec2\_transit\_gateway\_dx\_gateway\_attachment: Add `arn` attribute ([#41086](https://github.com/hashicorp/terraform-provider-aws/issues/41086)) - data-source/aws\_ec2\_transit\_gateway\_peering\_attachment: Add `arn` attribute ([#41087](https://github.com/hashicorp/terraform-provider-aws/issues/41087)) - data-source/aws\_ec2\_transit\_gateway\_vpc\_attachment: Add `arn` attribute ([#41084](https://github.com/hashicorp/terraform-provider-aws/issues/41084)) - data-source/aws\_ecs\_task\_definition: Add missing attributes ([#41081](https://github.com/hashicorp/terraform-provider-aws/issues/41081)) - data-source/aws\_launch\_template: Add `network_interfaces.connection_tracking_specification` attribute ([#41184](https://github.com/hashicorp/terraform-provider-aws/issues/41184)) - resource/aws\_appflow\_connector\_profile: Add `connector_profile_config.connector_profile_properties.salesforce.use_privatelink_for_metadata_and_authorization` argument ([#41175](https://github.com/hashicorp/terraform-provider-aws/issues/41175)) - resource/aws\_autoscaling\_policy: Add `target_tracking_configuration.customized_metric_specification.metrics.metric_stat.period` argument to support [high-resolution metrics](https://docs.aws.amazon.com/autoscaling/ec2/userguide/policy-creating-high-resolution-metrics.html) ([#41066](https://github.com/hashicorp/terraform-provider-aws/issues/41066)) - resource/aws\_bedrockagent\_data\_source: Add `data_source_configuration.confluence_configuration`, `data_source_configuration.salesforce_configuration`, `data_source_configuration.share_point_configuration`, and `data_source_configuration.web_configuration` arguments ([#40711](https://github.com/hashicorp/terraform-provider-aws/issues/40711)) - resource/aws\_bedrockagent\_knowledge\_base: Add `knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration` and `knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration` arguments ([#40737](https://github.com/hashicorp/terraform-provider-aws/issues/40737)) - resource/aws\_bedrockagent\_knowledge\_base: Improve retry handling for IAM propagation and OpenSearch data access propagation errors ([#40737](https://github.com/hashicorp/terraform-provider-aws/issues/40737)) - resource/aws\_cloudtrail : Add `sns_topic_arn` attribute ([#41168](https://github.com/hashicorp/terraform-provider-aws/issues/41168)) - resource/aws\_cloudtrail\_event\_data\_store: Add `suspend` argument ([#40607](https://github.com/hashicorp/terraform-provider-aws/issues/40607)) - resource/aws\_cloudwatch\_event\_connection: Add `invocation_connectivity_parameters` argument ([#41144](https://github.com/hashicorp/terraform-provider-aws/issues/41144)) - resource/aws\_ec2\_transit\_gateway\_peering\_attachment: Add `arn` attribute ([#41087](https://github.com/hashicorp/terraform-provider-aws/issues/41087)) - resource/aws\_ec2\_transit\_gateway\_vpc\_attachment: Add `arn` attribute ([#41084](https://github.com/hashicorp/terraform-provider-aws/issues/41084)) - resource/aws\_ecs\_task\_definition: Add `enable_fault_injection` argument ([#41078](https://github.com/hashicorp/terraform-provider-aws/issues/41078)) - resource/aws\_launch\_template: Add `network_interfaces.connection_tracking_specification` argument ([#41184](https://github.com/hashicorp/terraform-provider-aws/issues/41184)) - resource/aws\_media\_convert\_queue: Add `concurrent_jobs` argument ([#41012](https://github.com/hashicorp/terraform-provider-aws/issues/41012)) - resource/aws\_medialive\_multiplex\_program: Add configurable `create` timeout ([#40972](https://github.com/hashicorp/terraform-provider-aws/issues/40972)) - resource/aws\_organizations\_account: Add configurable timeouts for Create and Delete ([#41059](https://github.com/hashicorp/terraform-provider-aws/issues/41059)) - resource/aws\_pinpoint\_email\_channel: Add `orchestration_sending_role_arn` argument ([#41043](https://github.com/hashicorp/terraform-provider-aws/issues/41043)) - resource/aws\_pipes\_pipe: Add `kms_key_identifier` argument ([#41082](https://github.com/hashicorp/terraform-provider-aws/issues/41082)) - resource/aws\_rds\_cluster: Support `instance` as a valid value for `enabled_cloudwatch_logs_exports` ([#41111](https://github.com/hashicorp/terraform-provider-aws/issues/41111)) - resource/aws\_rekognition\_project: Add `tags` argument and `tags_all` attribute ([#41192](https://github.com/hashicorp/terraform-provider-aws/issues/41192)) - resource/aws\_vpc\_endpoint: Add `resource_configuration_arn` and `service_network_arn` arguments to support creating VPC Endpoints of type `Resource` and `ServiceNetwork` ([#41116](https://github.com/hashicorp/terraform-provider-aws/issues/41116)) - resource/aws\_vpc\_endpoint\_security\_group\_association: Add import support ([#41042](https://github.com/hashicorp/terraform-provider-aws/issues/41042)) BUG FIXES: - data-source/aws\_opensearchserverless\_collection: Prevent errant AutoFlex errors when setting `created_date` and `last_modified_date` attributes ([#41105](https://github.com/hashicorp/terraform-provider-aws/issues/41105)) - resource/aws\_ami\_ids: Fix `sort_ascending` to sort in ascending order ([#40529](https://github.com/hashicorp/terraform-provider-aws/issues/40529)) - resource/aws\_bedrockagent\_knowledge\_base: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) behavior from `role_arn` argument ([#41072](https://github.com/hashicorp/terraform-provider-aws/issues/41072)) - resource/aws\_cloudwatch\_log\_delivery: Fix `Provider produced inconsistent result after apply` errors for `s3_delivery_configuration.enable_hive_compatible_path` ([#41122](https://github.com/hashicorp/terraform-provider-aws/issues/41122)) - resource/aws\_cloudwatch\_log\_delivery: Mark `field_delimiter` as Computed ([#41122](https://github.com/hashicorp/terraform-provider-aws/issues/41122)) - resource/aws\_cognito\_identity\_provider: Correct plan-time validation of `provider_name` to count UTF-8 characters properly ([#41187](https://github.com/hashicorp/terraform-provider-aws/issues/41187)) - resource/aws\_cognito\_user\_group: Correct plan-time validation of `name` to count UTF-8 characters properly ([#41187](https://github.com/hashicorp/terraform-provider-aws/issues/41187)) - resource/aws\_cognito\_user\_pool\_client: Correct plan-time validation of `callback_urls, `default\_redirect\_uri`, `logout\_urls`, and `supported\_identity\_providers\` to count UTF-8 characters properly ([#41187](https://github.com/hashicorp/terraform-provider-aws/issues/41187)) - resource/aws\_dms\_replication\_task: Fix `panic: interface conversion: interface {} is float64, not string` ([#41096](https://github.com/hashicorp/terraform-provider-aws/issues/41096)) - resource/aws\_elasticache\_serverless\_cache: Fix `InvalidParameterCombination` error during update ([#40969](https://github.com/hashicorp/terraform-provider-aws/issues/40969)) - resource/aws\_iam\_server\_certificate: Allow update of `name`, `name_prefix`, and `path` without forcing new resource ([#41186](https://github.com/hashicorp/terraform-provider-aws/issues/41186)) - resource/aws\_macie2\_invitation\_accepter: Properly set `invitation_id` when calling the `AcceptInvitation` API ([#41163](https://github.com/hashicorp/terraform-provider-aws/issues/41163)) ### [`v5.84.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.84.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.83.1...v5.84.0) NOTES: - resource/aws\_kms\_custom\_key\_store: We cannot acceptance test the support for external key stores added in this release. The impementation is best effort and we ask for community help in testing. ([#40557](https://github.com/hashicorp/terraform-provider-aws/issues/40557)) FEATURES: - **New Ephemeral Resource:** `aws_eks_cluster_auth` ([#40660](https://github.com/hashicorp/terraform-provider-aws/issues/40660)) - **New Resource:** `aws_media_packagev2_channel_group` ([#38406](https://github.com/hashicorp/terraform-provider-aws/issues/38406)) ENHANCEMENTS: - data-source/aws\_ami: Add `uefi_data` attribute ([#40210](https://github.com/hashicorp/terraform-provider-aws/issues/40210)) - data-source/aws\_ec2\_instance\_type: Add `bandwidth_weightings`, `boot_modes`, `default_network_card_index`, `efa_maximum_interfaces`, `ena_srd_supported`, `inference_accelerators.memory_size`, `media_accelerators`, `network_cards`, `neuron_devices`, `nitro_enclaves_support`, `nitro_tpm_support`, `nitro_tpm_supported_versions`, `phc_support`, `supported_cpu_features`, `total_inference_memory`, `total_media_memory`, and `total_neuron_device_memory` attributes ([#40717](https://github.com/hashicorp/terraform-provider-aws/issues/40717)) - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `mx-central-1` AWS Region ([#40940](https://github.com/hashicorp/terraform-provider-aws/issues/40940)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `mx-central-1` AWS Region ([#40940](https://github.com/hashicorp/terraform-provider-aws/issues/40940)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `mx-central-1` AWS Region ([#40940](https://github.com/hashicorp/terraform-provider-aws/issues/40940)) - provider: Support `mx-central-1` as a valid AWS Region ([#40940](https://github.com/hashicorp/terraform-provider-aws/issues/40940)) - resource/aws\_ami: Add `uefi_data` argument ([#40210](https://github.com/hashicorp/terraform-provider-aws/issues/40210)) - resource/aws\_ami\_copy: Add `uefi_data` attribute ([#40210](https://github.com/hashicorp/terraform-provider-aws/issues/40210)) - resource/aws\_ami\_from\_instance: Add `uefi_data` attribute ([#40210](https://github.com/hashicorp/terraform-provider-aws/issues/40210)) - resource/aws\_cloudtrail: Add `userIdentity.arn` to advanced\_event\_selector.field\_selector ([#40629](https://github.com/hashicorp/terraform-provider-aws/issues/40629)) - resource/aws\_elasticache\_user: `engine` is now case insensitive ([#40794](https://github.com/hashicorp/terraform-provider-aws/issues/40794)) - resource/aws\_elasticache\_user\_group: `engine` is now case insensitive ([#40794](https://github.com/hashicorp/terraform-provider-aws/issues/40794)) - resource/aws\_globalaccelerator\_accelerator: Add `arn` attribute ([#40930](https://github.com/hashicorp/terraform-provider-aws/issues/40930)) - resource/aws\_globalaccelerator\_custom\_routing\_accelerator: Add `arn` attribute ([#40930](https://github.com/hashicorp/terraform-provider-aws/issues/40930)) - resource/aws\_globalaccelerator\_custom\_routing\_listener: Add `arn` attribute ([#40930](https://github.com/hashicorp/terraform-provider-aws/issues/40930)) - resource/aws\_globalaccelerator\_listener: Add `arn` attribute ([#40930](https://github.com/hashicorp/terraform-provider-aws/issues/40930)) - resource/aws\_kms\_custom\_key\_store: Add support for external key stores ([#40557](https://github.com/hashicorp/terraform-provider-aws/issues/40557)) - resource/aws\_lb\_listener: Add `routing_http_response_server_enabled`, `routing_http_response_strict_transport_security_header_value`, `routing_http_response_access_control_allow_origin_header_value`, `routing_http_response_access_control_allow_methods_header_value`, `routing_http_response_access_control_allow_headers_header_value`, `routing_http_response_access_control_allow_credentials_header_value`, `routing_http_response_access_control_expose_headers_header_value`, `routing_http_response_access_control_max_age_header_value`, `routing_http_response_content_security_policy_header_value`, `routing_http_response_x_content_type_options_header_value`, `routing_http_response_x_frame_options_header_value`, `routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name`, `routing_http_request_x_amzn_mtls_clientcert_issuer_header_name`, `routing_http_request_x_amzn_mtls_clientcert_subject_header_name`, `routing_http_request_x_amzn_mtls_clientcert_validity_header_name`, `routing_http_request_x_amzn_mtls_clientcert_leaf_header_name`, `routing_http_request_x_amzn_mtls_clientcert_header_name`, `routing_http_request_x_amzn_tls_version_header_name`, and `routing_http_request_x_amzn_tls_cipher_suite_header_name` arguments in support of [HTTP header modification](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/header-modification.html) ([#40736](https://github.com/hashicorp/terraform-provider-aws/issues/40736)) - resource/aws\_route53\_health\_check: Add `triggers` argument to support synchronization with upstream CloudWatch alarm changes ([#40918](https://github.com/hashicorp/terraform-provider-aws/issues/40918)) - resource/aws\_sagemaker\_endpoint\_configuration: Support setting `production_variants.managed_instance_scaling` and `shadow_production_variants.managed_instance_scaling` to `0` ([#40882](https://github.com/hashicorp/terraform-provider-aws/issues/40882)) BUG FIXES: - resource/aws\_apprunner\_vpc\_ingress\_connection: Change `ingress_vpc_configuration`, `name`, and `service_arn` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#40927](https://github.com/hashicorp/terraform-provider-aws/issues/40927)) - resource/aws\_datasync\_location\_s3: Fix `location URI global ID and subdirectory (...) does not match pattern "..."` errors on Read when `s3_bucket_arn` is an S3 on Outposts access point ([#40929](https://github.com/hashicorp/terraform-provider-aws/issues/40929)) - resource/aws\_ecs\_task\_definition: Correctly detect differences in `volume.configure_at_launch` and `volume.docker_volume_configuration` ([#40853](https://github.com/hashicorp/terraform-provider-aws/issues/40853)) - resource/aws\_lambda\_invocation: Fix failed input transformations when upgrading from a version less than `v5.1.0` with an `input` that cannot be marshaled into a `map[string]interface{}` ([#40958](https://github.com/hashicorp/terraform-provider-aws/issues/40958)) - resource/aws\_lambda\_invocation: Prevent a new invocation when upgrading from a version less than `v5.1.0` with no configuration changes ([#40958](https://github.com/hashicorp/terraform-provider-aws/issues/40958)) - resource/aws\_msk\_cluster: Prevent persistent differences when `broker_node_group_info.0.storage_info.0.ebs_storage_info.0.provisioned_throughput` is unset ([#40910](https://github.com/hashicorp/terraform-provider-aws/issues/40910)) - resource/aws\_msk\_cluster: Properly disable provisioned throughput when a previously configured `broker_node_group_info.0.storage_info.0.ebs_storage_info.0.provisioned_throughput` block is removed ([#40910](https://github.com/hashicorp/terraform-provider-aws/issues/40910)) - resource/aws\_ses\_receipt\_rule: Retry errors caused by IAM eventual consistency ([#40873](https://github.com/hashicorp/terraform-provider-aws/issues/40873)) ### [`v5.83.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.83.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.83.0...v5.83.1) BUG FIXES: - resource/aws\_route53\_record: Correct `fdqn` value if `name` is a wildcard domain name (the leftmost label is `*`). This fixes a regression introduced in [v5.83.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5830-january--9-2025) ([#40868](https://github.com/hashicorp/terraform-provider-aws/issues/40868)) ### [`v5.83.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.83.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.82.2...v5.83.0) NOTES: - provider: The retry handling in the `apigatewayv2` client has been updated to more extensively match `ConflictException` error responses. This change should be transparent to users, but if any unexpected changes in behavior with `apigatewayv2` resources occur following an upgrade to this release, please open a bug report. ([#40840](https://github.com/hashicorp/terraform-provider-aws/issues/40840)) - resource/aws\_api\_gateway\_domain\_name\_access\_association: Deprecates `id` in favor of `arn`. ([#40626](https://github.com/hashicorp/terraform-provider-aws/issues/40626)) - resource/aws\_route53\_cidr\_location: Deprecates `id`. ([#40626](https://github.com/hashicorp/terraform-provider-aws/issues/40626)) - resource/aws\_s3\_directory\_bucket: Deprecates `id` in favor of `bucket`. ([#40626](https://github.com/hashicorp/terraform-provider-aws/issues/40626)) FEATURES: - **New Data Source:** `aws_cloudwatch_event_buses` ([#40662](https://github.com/hashicorp/terraform-provider-aws/issues/40662)) - **New Data Source:** `aws_ecs_clusters` ([#40638](https://github.com/hashicorp/terraform-provider-aws/issues/40638)) - **New Data Source:** `aws_route53_records` ([#38186](https://github.com/hashicorp/terraform-provider-aws/issues/38186)) - **New Ephemeral Resource:** `aws_cognito_identity_openid_token_for_developer_identity` ([#40763](https://github.com/hashicorp/terraform-provider-aws/issues/40763)) - **New Resource:** `aws_bedrockagent_agent_collaborator` ([#40559](https://github.com/hashicorp/terraform-provider-aws/issues/40559)) - **New Resource:** `aws_cleanrooms_membership` ([#35165](https://github.com/hashicorp/terraform-provider-aws/issues/35165)) - **New Resource:** `aws_cloudwatch_log_delivery` ([#40731](https://github.com/hashicorp/terraform-provider-aws/issues/40731)) - **New Resource:** `aws_cloudwatch_log_delivery_destination` ([#40731](https://github.com/hashicorp/terraform-provider-aws/issues/40731)) - **New Resource:** `aws_cloudwatch_log_delivery_destination_policy` ([#40731](https://github.com/hashicorp/terraform-provider-aws/issues/40731)) - **New Resource:** `aws_cloudwatch_log_delivery_source` ([#40731](https://github.com/hashicorp/terraform-provider-aws/issues/40731)) - **New Resource:** `aws_cloudwatch_log_index_policy` ([#40594](https://github.com/hashicorp/terraform-provider-aws/issues/40594)) - **New Resource:** `aws_vpclattice_resource_gateway` ([#40821](https://github.com/hashicorp/terraform-provider-aws/issues/40821)) ENHANCEMENTS: - data-source/aws\_codebuild\_fleet: Add `compute_configuration` attribute ([#40752](https://github.com/hashicorp/terraform-provider-aws/issues/40752)) - data-source/aws\_dms\_endpoint: Add `kafka_settings.sasl_mechanism` attribute ([#36918](https://github.com/hashicorp/terraform-provider-aws/issues/36918)) - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `ap-southeast-7` AWS Region ([#40850](https://github.com/hashicorp/terraform-provider-aws/issues/40850)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `ap-southeast-7` AWS Region ([#40850](https://github.com/hashicorp/terraform-provider-aws/issues/40850)) - data-source/aws\_rds\_certificate: Add `default_for_new_launches` attribute ([#40536](https://github.com/hashicorp/terraform-provider-aws/issues/40536)) - data-source/aws\_rds\_engine\_version: Add `supports_certificate_rotation_without_restart`, `supports_integrations`, and `supports_local_write_forwarding` attributes ([#40700](https://github.com/hashicorp/terraform-provider-aws/issues/40700)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `ap-southeast-7` AWS Region ([#40850](https://github.com/hashicorp/terraform-provider-aws/issues/40850)) - data-source/aws\_vpc\_endpoint\_service: Add `region` attribute ([#40795](https://github.com/hashicorp/terraform-provider-aws/issues/40795)) - data-source/aws\_vpc\_endpoint\_service: Add `service_regions` argument ([#40795](https://github.com/hashicorp/terraform-provider-aws/issues/40795)) - provider: Support `ap-southeast-7` as a valid AWS Region ([#40849](https://github.com/hashicorp/terraform-provider-aws/issues/40849)) - resource/aws\_appflow\_flow: Add `data_transfer_api` attribute to destination\_flow\_config\_list.destination\_connector\_properties.salesforce ([#34937](https://github.com/hashicorp/terraform-provider-aws/issues/34937)) - resource/aws\_cloudfront\_distribution: Add `grpc_config` argument to `default_cache_behavior` and `ordered_cache_behavior` configuration blocks ([#40762](https://github.com/hashicorp/terraform-provider-aws/issues/40762)) - resource/aws\_codebuild\_fleet: Add `compute_configuration` argument ([#40752](https://github.com/hashicorp/terraform-provider-aws/issues/40752)) - resource/aws\_cognito\_user\_pool: Add `email_mfa_configuration` argument ([#40734](https://github.com/hashicorp/terraform-provider-aws/issues/40734)) - resource/aws\_cognito\_user\_pool: Add `sign_in_policy` and `web_authn_configuration` arguments ([#40765](https://github.com/hashicorp/terraform-provider-aws/issues/40765)) - resource/aws\_cognito\_user\_pool: Add `user_pool_tier` argument ([#40633](https://github.com/hashicorp/terraform-provider-aws/issues/40633)) - resource/aws\_dms\_endpoint: Add `kafka_settings.sasl_mechanism` argument ([#36918](https://github.com/hashicorp/terraform-provider-aws/issues/36918)) - resource/aws\_ecr\_account\_setting: Add valid values for registry policy scope to `name` and `value` arguments ([#40772](https://github.com/hashicorp/terraform-provider-aws/issues/40772)) - resource/aws\_eip\_association: Adds validation to only allow one of `instance_id` or `network_interface_id` ([#40769](https://github.com/hashicorp/terraform-provider-aws/issues/40769)) - resource/aws\_eks\_node\_group: Add `node_repair_config` configuration block ([#40698](https://github.com/hashicorp/terraform-provider-aws/issues/40698)) - resource/aws\_elasticache\_user: Add `VALKEY` as supported value for 'engine' argument ([#40764](https://github.com/hashicorp/terraform-provider-aws/issues/40764)) - resource/aws\_elasticache\_user\_group: Add `VALKEY` as supported value for 'engine' argument ([#40764](https://github.com/hashicorp/terraform-provider-aws/issues/40764)) - resource/aws\_emr\_studio: Add `encryption_key_arn` argument ([#40771](https://github.com/hashicorp/terraform-provider-aws/issues/40771)) - resource/aws\_quicksight\_user: Add `user_invitation_url` attribute ([#40775](https://github.com/hashicorp/terraform-provider-aws/issues/40775)) - resource/aws\_rds\_cluster: Support `iam-db-auth-error` as a valid value for `enabled_cloudwatch_logs_exports` ([#40789](https://github.com/hashicorp/terraform-provider-aws/issues/40789)) - resource/aws\_rds\_integration: Add `data_filter` argument ([#40816](https://github.com/hashicorp/terraform-provider-aws/issues/40816)) - resource/aws\_s3\_object\_copy: Add `override_provider` configuration block, allowing tags inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) to be ignored ([#40689](https://github.com/hashicorp/terraform-provider-aws/issues/40689)) BUG FIXES: - resource/aws\_api\_gateway\_domain\_name: Fixed error when adding policy to existing private domain name ([#40708](https://github.com/hashicorp/terraform-provider-aws/issues/40708)) - resource/aws\_apigatewayv2\_api: Don't overwrite the configured values of `description`, `name` or `version` if they are not present in the OpenAPI definition `body` ([#40707](https://github.com/hashicorp/terraform-provider-aws/issues/40707)) - resource/aws\_apigatewayv2\_route: Fix retry handling of `ConflictException` error responses ([#40840](https://github.com/hashicorp/terraform-provider-aws/issues/40840)) - resource/aws\_cloudfront\_cache\_policy: Fix `panic: interface conversion: interface {} is nil, not map[string]interface {}` when `parameters_in_cache_key_and_forwarded_to_origin.cookies_config`, `parameters_in_cache_key_and_forwarded_to_origin.headers_config`, or `parameters_in_cache_key_and_forwarded_to_origin.query_strings_config` are empty ([#40815](https://github.com/hashicorp/terraform-provider-aws/issues/40815)) - resource/aws\_codebuild\_fleet: Allow `scaling_configuration` to be removed on Update ([#40773](https://github.com/hashicorp/terraform-provider-aws/issues/40773)) - resource/aws\_codebuild\_project: Allow `file_system_locations` to be removed on Update ([#40842](https://github.com/hashicorp/terraform-provider-aws/issues/40842)) - resource/aws\_ec2\_instance\_connect\_endpoint: Set `fips_dns_name` to an empty value (`""`) when no value is returned from the EC2 API. This fixes known-after-apply loops in Regions that don't support FIPS endpoints ([#37939](https://github.com/hashicorp/terraform-provider-aws/issues/37939)) - resource/aws\_emr\_studio: Fix issue with IAM/KMS policy eventual consistency handling not working ([#40771](https://github.com/hashicorp/terraform-provider-aws/issues/40771)) - resource/aws\_glue\_catalog\_database: Fix crash when expanding `create_table_default_permission` with a nil `principal` block ([#40761](https://github.com/hashicorp/terraform-provider-aws/issues/40761)) - resource/aws\_instance: Always set `http_tokens` when `metadata_options` is updated ([#40727](https://github.com/hashicorp/terraform-provider-aws/issues/40727)) - resource/aws\_instance: Set new computed value for `public_dns` and `public_ip` attributes when changing `instance_type`, `user_data`, or `user_data_base64` ([#40710](https://github.com/hashicorp/terraform-provider-aws/issues/40710)) - resource/aws\_internet\_gateway: Handle `operation error EC2: DetachInternetGateway, ..., api error InvalidInternetGatewayID.NotFound: ...` errors on delete for resources deleted out-of-band ([#40790](https://github.com/hashicorp/terraform-provider-aws/issues/40790)) - resource/aws\_internet\_gateway\_attachment: Handle `operation error EC2: DetachInternetGateway, ..., api error InvalidInternetGatewayID.NotFound: ...` errors on delete for resources deleted out-of-band ([#40790](https://github.com/hashicorp/terraform-provider-aws/issues/40790)) - resource/aws\_quicksight\_data\_set: Correctly expand `logical_table_map.tag_column_operation.tags.column_description` ([#40713](https://github.com/hashicorp/terraform-provider-aws/issues/40713)) - resource/aws\_rds\_instance Fix `manage_master_user_password` being updated in state when update errors ([#40538](https://github.com/hashicorp/terraform-provider-aws/issues/40538)) - resource/aws\_route53\_record: Fix perpetual diff if `alias.name` contains characters that the [Route 53 API escapes](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html#domain-name-format-hosted-zones) ([#40154](https://github.com/hashicorp/terraform-provider-aws/issues/40154)) - resource/aws\_route53\_zone: Fix perpetual diff if `name` contains characters that the [Route 53 API escapes](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html#domain-name-format-hosted-zones) ([#40154](https://github.com/hashicorp/terraform-provider-aws/issues/40154)) - resource/aws\_ses\_identity\_notification\_topic: Prevent destroy failure when resource is already deleted outside of Terraform ([#40684](https://github.com/hashicorp/terraform-provider-aws/issues/40684)) - resource/aws\_sesv2\_configuration\_set: Fix handling of `delivery_options.max_delivery_seconds` when not configured ([#40670](https://github.com/hashicorp/terraform-provider-aws/issues/40670)) - resource/aws\_sesv2\_configuration\_set\_event\_destination: Retry IAM eventual consistency errors ([#40843](https://github.com/hashicorp/terraform-provider-aws/issues/40843)) - resource/aws\_sqs\_queue: Fix timeout error on creation if `sqs_managed_sse_enabled=true` and `kms_data_key_reuse_period_seconds` is configured ([#40729](https://github.com/hashicorp/terraform-provider-aws/issues/40729)) ### [`v5.82.2`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.82.2) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.82.1...v5.82.2) BUG FIXES: - data-source/aws\_lb\_listener: Add `mutual_authentication.advertise_trust_store_ca_names` attribute. This fixes a regression introduced in [v5.82.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5820-december-19-2024) causing `setting mutual_authentication: Invalid address to set: []string{"mutual_authentication", "0", "advertise_trust_store_ca_names"}` errors ([#40658](https://github.com/hashicorp/terraform-provider-aws/issues/40658)) ### [`v5.82.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.82.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.82.0...v5.82.1) ENHANCEMENTS: - resource/aws\_autoscaling\_group: Add `availability_zone_distribution` argument ([#40634](https://github.com/hashicorp/terraform-provider-aws/issues/40634)) BUG FIXES: - data-source/aws\_iam\_policy\_document: Reverts plan-time validation for `statement` `sid` ([#40639](https://github.com/hashicorp/terraform-provider-aws/issues/40639)) ### [`v5.82.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.82.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.81.0...v5.82.0) NOTES: - resource/aws\_resourcegroups\_resource: The format of the read-only `id` attribute has changed to prevent inconsistent parsing which resulted in provider crashes under certain conditions. The new format is a comma-delimited string combining `group_arn` and `resource_arn` in their entirety. Configuarations relying on the previous format may need to be updated to continue functioning correctly. ([#40579](https://github.com/hashicorp/terraform-provider-aws/issues/40579)) FEATURES: - **New Data Source:** `aws_servicecatalogappregistry_attribute_group_associations` ([#38306](https://github.com/hashicorp/terraform-provider-aws/issues/38306)) - **New Resource:** `aws_api_gateway_domain_name_access_association` ([#40566](https://github.com/hashicorp/terraform-provider-aws/issues/40566)) - **New Resource:** `aws_cloudfront_vpc_origin` ([#40239](https://github.com/hashicorp/terraform-provider-aws/issues/40239)) - **New Resource:** `aws_memorydb_multi_region_cluster` ([#40376](https://github.com/hashicorp/terraform-provider-aws/issues/40376)) - **New Resource:** `aws_networkmanager_dx_gateway_attachment` ([#40546](https://github.com/hashicorp/terraform-provider-aws/issues/40546)) - **New Resource:** `aws_rds_cluster_snapshot_copy` ([#40398](https://github.com/hashicorp/terraform-provider-aws/issues/40398)) ENHANCEMENTS: - data-source/aws\_dx\_gateway: Add `arn` attribute ([#40546](https://github.com/hashicorp/terraform-provider-aws/issues/40546)) - data-source/aws\_iam\_policy\_document: Add plan-time validation that the `statement` `sid` is valid, including on alphanumeric characters ([#40562](https://github.com/hashicorp/terraform-provider-aws/issues/40562)) - data-source/aws\_vpc\_endpoint: Add `service_region` attribute ([#40583](https://github.com/hashicorp/terraform-provider-aws/issues/40583)) - resource/aws\_bedrockagent\_agent: Add `agent_collaboration` attribute to configure agent collaboration role ([#40543](https://github.com/hashicorp/terraform-provider-aws/issues/40543)) - resource/aws\_cloudfront\_distribution: Add `origin.vpc_origin_config` argument ([#40239](https://github.com/hashicorp/terraform-provider-aws/issues/40239)) - resource/aws\_db\_parameter\_group: Support import of `name_prefix` argument ([#40622](https://github.com/hashicorp/terraform-provider-aws/issues/40622)) - resource/aws\_dx\_gateway: Add `arn` attribute ([#40546](https://github.com/hashicorp/terraform-provider-aws/issues/40546)) - resource/aws\_fsx\_lustre\_file\_system: Add `efa_enabled` argument ([#40381](https://github.com/hashicorp/terraform-provider-aws/issues/40381)) - resource/aws\_lb\_listener: Add `advertise_trust_store_ca_names` attribute to the `mutual_authentication` configuration block ([#40550](https://github.com/hashicorp/terraform-provider-aws/issues/40550)) - resource/aws\_memorydb\_cluster: Add `multi_region_cluster_name` argument ([#40376](https://github.com/hashicorp/terraform-provider-aws/issues/40376)) - resource/aws\_networkmanager\_attachment\_accepter: Add `edge_locations` attribute ([#40546](https://github.com/hashicorp/terraform-provider-aws/issues/40546)) - resource/aws\_resourcegroups\_resource: Add import support ([#40579](https://github.com/hashicorp/terraform-provider-aws/issues/40579)) - resource/aws\_vpc\_endpoint: Add `service_region` argument ([#40583](https://github.com/hashicorp/terraform-provider-aws/issues/40583)) BUG FIXES: - data-source/aws\_acmpca\_certificate\_authority: Ignore `AccessDeniedException: ... is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: ...` errors for RAM-shared CAs ([#39952](https://github.com/hashicorp/terraform-provider-aws/issues/39952)) - data-source/aws\_licensemanager\_received\_license: Fix `setting entitlements: Invalid address to set: []string{"entitlements", "0", "overage"}` errors ([#40621](https://github.com/hashicorp/terraform-provider-aws/issues/40621)) - resource/aws\_amplify\_domain\_association: No longer ignores changes to `certificate_settings` when updating. ([#40589](https://github.com/hashicorp/terraform-provider-aws/issues/40589)) - resource/aws\_amplify\_domain\_association: Prevent "unexpected state" error when setting `certificate_settings.type` to `CUSTOM`. ([#40589](https://github.com/hashicorp/terraform-provider-aws/issues/40589)) - resource/aws\_amplify\_domain\_association: Prevent `ValidationException` when setting `certificate_settings.type` to `AMPLIFY_MANAGED`. ([#40589](https://github.com/hashicorp/terraform-provider-aws/issues/40589)) - resource/aws\_amplify\_domain\_association: Prevent permanent diff when `certificate_settings` not set. ([#40589](https://github.com/hashicorp/terraform-provider-aws/issues/40589)) - resource/aws\_amplify\_domain\_association: Prevents panic in some circumstances when `certificate_settings` is not set during update. ([#40589](https://github.com/hashicorp/terraform-provider-aws/issues/40589)) - resource/aws\_api\_gateway\_domain\_name: Correct `arn` for private custom domain names ([#40566](https://github.com/hashicorp/terraform-provider-aws/issues/40566)) - resource/aws\_codeconnections\_host: Mark `vpc_configuration.tls_certificate` as Optional ([#40574](https://github.com/hashicorp/terraform-provider-aws/issues/40574)) - resource/aws\_elasticache\_replication\_group: Prevent perpetual diff which triggers resource replacement on `at_rest_encryption_enabled` when `engine` is `valkey`. ([#40514](https://github.com/hashicorp/terraform-provider-aws/issues/40514)) - resource/aws\_lakeformation\_permissions: Add support for `IAMPrincipals` principal group ([#38600](https://github.com/hashicorp/terraform-provider-aws/issues/38600)) - resource/aws\_lakeformation\_permissions: Fix refreshing state so order is not considered in `permissions` and `permissions_with_grant_option` attributes ([#38047](https://github.com/hashicorp/terraform-provider-aws/issues/38047)) - resource/aws\_lakeformation\_resource\_lf\_tag: Fix panic when resource tries to destroy a LFTag reference that does not exist ([#40584](https://github.com/hashicorp/terraform-provider-aws/issues/40584)) - resource/aws\_lambda\_invocation: Set new computed value for `result` attribute when changing `input` attribute, for lifecycle scope "CRUD" ([#34263](https://github.com/hashicorp/terraform-provider-aws/issues/34263)) - resource/aws\_medialive\_channel: Added missing `teletext_destination_settings`. ([#33797](https://github.com/hashicorp/terraform-provider-aws/issues/33797)) - resource/aws\_rds\_cluster: Fix issue with waiter when modifying `allocated_storage` ([#40601](https://github.com/hashicorp/terraform-provider-aws/issues/40601)) - resource/aws\_resourcegroups\_resource: Fix crash when parsing certain ARN formats ([#40579](https://github.com/hashicorp/terraform-provider-aws/issues/40579)) - resource/aws\_s3\_bucket: Destroying a bucket with `force_destroy = true` can now delete objects with non-XML-safe keys ([#40537](https://github.com/hashicorp/terraform-provider-aws/issues/40537)) - resource/aws\_s3\_directory\_bucket: Destroying a directory bucket with `force_destroy = true` can now delete objects with non-XML-safe keys ([#40537](https://github.com/hashicorp/terraform-provider-aws/issues/40537)) - resource/aws\_secretsmanager\_secret\_rotation: Fix bug where `automatically_after_days` was not being set properly when `schedule_expression` had been set previously ([#34295](https://github.com/hashicorp/terraform-provider-aws/issues/34295)) - resource/aws\_secretsmanager\_secret\_rotation: Retry rotation in case it has not yet propagated when previously an error would occur: `InvalidRequestException: A previous rotation isn't complete. That rotation will be reattempted.` ([#34295](https://github.com/hashicorp/terraform-provider-aws/issues/34295)) - resource/aws\_sqs\_queue\_redrive\_allow\_policy: Fix perpetual `redrive_allow_policy` diffs ([#40604](https://github.com/hashicorp/terraform-provider-aws/issues/40604)) ### [`v5.81.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.81.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.80.0...v5.81.0) FEATURES: - **New Data Source:** `aws_servicecatalogappregistry_attribute_group` ([#38188](https://github.com/hashicorp/terraform-provider-aws/issues/38188)) - **New Ephemeral Resource:** `aws_ssm_parameter` ([#40313](https://github.com/hashicorp/terraform-provider-aws/issues/40313)) - **New Resource:** `aws_bedrock_inference_profile` ([#40294](https://github.com/hashicorp/terraform-provider-aws/issues/40294)) - **New Resource:** `aws_cloudwatch_log_anomaly_detector` ([#40437](https://github.com/hashicorp/terraform-provider-aws/issues/40437)) - **New Resource:** `aws_ecr_account_setting` ([#40219](https://github.com/hashicorp/terraform-provider-aws/issues/40219)) - **New Resource:** `aws_msk_single_scram_secret_association` ([#37056](https://github.com/hashicorp/terraform-provider-aws/issues/37056)) - **New Resource:** `aws_servicecatalogappregistry_attribute_group` ([#38183](https://github.com/hashicorp/terraform-provider-aws/issues/38183)) - **New Resource:** `aws_servicecatalogappregistry_attribute_group_association` ([#38290](https://github.com/hashicorp/terraform-provider-aws/issues/38290)) ENHANCEMENTS: - data-source/aws\_api\_gateway\_domain\_name: Add `policy` and `domain_name_id` attributes ([#40364](https://github.com/hashicorp/terraform-provider-aws/issues/40364)) - data-source/aws\_servicecatalogappregistry\_application: Add `tags` attribute ([#38243](https://github.com/hashicorp/terraform-provider-aws/issues/38243)) - data-source/aws\_sesv2\_configuration\_set: Add `delivery_options.max_delivery_seconds` and `tracking_options.https_policy` attributes ([#40194](https://github.com/hashicorp/terraform-provider-aws/issues/40194)) - resource/aws\_api\_gateway\_base\_path\_mapping: Add `domain_name_id` argument ([#40447](https://github.com/hashicorp/terraform-provider-aws/issues/40447)) - resource/aws\_api\_gateway\_domain\_name: Add `policy` argument and `domain_name_id` attribute ([#40364](https://github.com/hashicorp/terraform-provider-aws/issues/40364)) - resource/aws\_api\_gateway\_domain\_name: Support `PRIVATE` as a valid value for `endpoint_configuration.types` argument, enabling custom domain name support for private REST API endpoints ([#40364](https://github.com/hashicorp/terraform-provider-aws/issues/40364)) - resource/aws\_ebs\_snapshot\_copy: Add `completion_duration_minutes` argument ([#40336](https://github.com/hashicorp/terraform-provider-aws/issues/40336)) - resource/aws\_glue\_catalog\_table\_optimizer: Add `configuration.retention_configuration` and `configuration.orphan_file_deletion_configuration` attributes. ([#40199](https://github.com/hashicorp/terraform-provider-aws/issues/40199)) - resource/aws\_instance: Add `enable_primary_ipv6` argument to add support for enabling primary IPv6 addresses on EC2 instances ([#36425](https://github.com/hashicorp/terraform-provider-aws/issues/36425)) - resource/aws\_kinesis\_stream: Add plan-time validation that `shard_count` would not exceed the AWS account's [shard quota](https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html) when the data stream capacity mode is `PROVISIONED`, preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the `kinesis:DescribeLimits` IAM permission ([#40499](https://github.com/hashicorp/terraform-provider-aws/issues/40499)) - resource/aws\_kinesis\_stream: Add plan-time validation that creation of an on-demand stream would not exceed the AWS account's [data stream quota](https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html), preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the `kinesis:DescribeLimits` IAM permission ([#40499](https://github.com/hashicorp/terraform-provider-aws/issues/40499)) - resource/aws\_msk\_replicator: Add `topic_replication.topic_name_configuration` argument ([#40101](https://github.com/hashicorp/terraform-provider-aws/issues/40101)) - resource/aws\_network\_interface: Add `enable_primary_ipv6` argument to add support for enabling primary IPv6 addresses for network interfaces ([#36425](https://github.com/hashicorp/terraform-provider-aws/issues/36425)) - resource/aws\_networkfirewall\_firewall\_policy: Add `stateful_engine_options.flow_timeouts` argument ([#39996](https://github.com/hashicorp/terraform-provider-aws/issues/39996)) - resource/aws\_rds\_cluster: Add `serverlessv2_scaling_configuration.seconds_until_auto_pause` argument ([#40441](https://github.com/hashicorp/terraform-provider-aws/issues/40441)) - resource/aws\_rds\_global\_cluster: Add `tags` argument and `tags_all` attribute ([#40470](https://github.com/hashicorp/terraform-provider-aws/issues/40470)) - resource/aws\_sagemaker\_notebook\_instance: Support `notebook-al2-v3` value for `platform_identifier` ([#40484](https://github.com/hashicorp/terraform-provider-aws/issues/40484)) - resource/aws\_servicecatalogappregistry\_application: Add `tags` argument and `tags_all` attribute ([#38243](https://github.com/hashicorp/terraform-provider-aws/issues/38243)) - resource/aws\_sesv2\_configuration\_set: Add `delivery_options.max_delivery_seconds` and `tracking_options.https_policy` arguments ([#40194](https://github.com/hashicorp/terraform-provider-aws/issues/40194)) BUG FIXES: - data-source/aws\_kinesis\_stream: Fix `InvalidArgumentException: NextToken and StreamName cannot be provided together` errors when the data stream has more than 1000 shards ([#40499](https://github.com/hashicorp/terraform-provider-aws/issues/40499)) - resource/aws\_ce\_cost\_category: Change `rule` from `TypeSet` to `TypeList` as order is significant ([#40521](https://github.com/hashicorp/terraform-provider-aws/issues/40521)) - resource/aws\_fsx\_windows\_file\_system: Fix plan-time validation of `throughput_capacity` validation to allow values up to `12228` ([#40468](https://github.com/hashicorp/terraform-provider-aws/issues/40468)) - resource/aws\_networkfirewall\_logging\_configuration: Correctly manage all configured `logging_configuration.log_destination_config`s ([#40092](https://github.com/hashicorp/terraform-provider-aws/issues/40092)) - resource/aws\_rds\_cluster: Fix `InvalidDBClusterStateFault` errors when deleting clusters that are members of a global cluster ([#40333](https://github.com/hashicorp/terraform-provider-aws/issues/40333)) - resource/aws\_rds\_cluster: Fix `InvalidParameterValue: Serverless v2 maximum capacity 0.0 isn't valid. The maximum capacity must be at least 1.0.` errors when removing `serverlessv2_scaling_configuration` in an update ([#40511](https://github.com/hashicorp/terraform-provider-aws/issues/40511)) - resource/aws\_rds\_cluster: Respect `storage_type` when restoring from S3 ([#40471](https://github.com/hashicorp/terraform-provider-aws/issues/40471)) - resource/aws\_rds\_cluster: Respect `storage_type` when restoring from snapshot ([#40471](https://github.com/hashicorp/terraform-provider-aws/issues/40471)) - resource/aws\_rds\_cluster: Respect `storage_type` when restoring to a point in time ([#40471](https://github.com/hashicorp/terraform-provider-aws/issues/40471)) - resource/aws\_rds\_global\_cluster: Mark `database_name` as Computed. This prevents resource recreation when the source cluster specifies a `database_name` ([#40469](https://github.com/hashicorp/terraform-provider-aws/issues/40469)) ### [`v5.80.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.80.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.79.0...v5.80.0) FEATURES: - **New Resource:** `aws_codeconnections_connection` ([#40300](https://github.com/hashicorp/terraform-provider-aws/issues/40300)) - **New Resource:** `aws_codeconnections_host` ([#40300](https://github.com/hashicorp/terraform-provider-aws/issues/40300)) - **New Resource:** `aws_s3tables_namespace` ([#40420](https://github.com/hashicorp/terraform-provider-aws/issues/40420)) - **New Resource:** `aws_s3tables_table` ([#40420](https://github.com/hashicorp/terraform-provider-aws/issues/40420)) - **New Resource:** `aws_s3tables_table_bucket` ([#40420](https://github.com/hashicorp/terraform-provider-aws/issues/40420)) - **New Resource:** `aws_s3tables_table_bucket_policy` ([#40420](https://github.com/hashicorp/terraform-provider-aws/issues/40420)) - **New Resource:** `aws_s3tables_table_policy` ([#40420](https://github.com/hashicorp/terraform-provider-aws/issues/40420)) ENHANCEMENTS: - resource/aws\_bedrockagent\_agent: Increase `instruction` max length for validation to 8000 ([#40279](https://github.com/hashicorp/terraform-provider-aws/issues/40279)) - resource/aws\_dynamodb\_table\_replica: Add `deletion_protection_enabled` argument ([#35359](https://github.com/hashicorp/terraform-provider-aws/issues/35359)) - resource/aws\_rds\_cluster: Adjust `serverlessv2_scaling_configuration.max_capacity` and `serverlessv2_scaling_configuration.min_capacity` minimum values to `0` to support Amazon Aurora Serverless v2 scaling to 0 ACUs ([#40230](https://github.com/hashicorp/terraform-provider-aws/issues/40230)) - resource/aws\_s3\_directory\_bucket: Support `LocalZone` as a valid value for `location.type`, enabling support for [Amazon S3 Express One Zone in AWS Dedicated Local Zones](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-data-residency.html) ([#40339](https://github.com/hashicorp/terraform-provider-aws/issues/40339)) BUG FIXES: - resource/aws\_bedrock\_provisioned\_model\_throughput: Properly manages `tags_all` when planning. ([#40305](https://github.com/hashicorp/terraform-provider-aws/issues/40305)) - resource/aws\_connect\_contact\_flow: Fix `deserialization failed, failed to decode response body with invalid JSON` errors on Read ([#40419](https://github.com/hashicorp/terraform-provider-aws/issues/40419)) - resource/aws\_rds\_cluster\_instance: Fix error when destroying from a read replica cluster ([#40409](https://github.com/hashicorp/terraform-provider-aws/issues/40409)) ### [`v5.79.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.79.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.78.0...v5.79.0) FEATURES: - **New Resource:** `aws_vpc_block_public_access_exclusion` ([#40235](https://github.com/hashicorp/terraform-provider-aws/issues/40235)) - **New Resource:** `aws_vpc_block_public_access_options` ([#40233](https://github.com/hashicorp/terraform-provider-aws/issues/40233)) ENHANCEMENTS: - resource/aws\_eks\_cluster: Add `compute_config`, `storage_config`, and `kubernetes_network_config.elastic_load_balancing` arguments for EKS Auto Mode ([#40370](https://github.com/hashicorp/terraform-provider-aws/issues/40370)) - resource/aws\_eks\_cluster: Add `remote_network_config` argument for EKS Auto Mode ([#40371](https://github.com/hashicorp/terraform-provider-aws/issues/40371)) - resource/aws\_lambda\_event\_source\_mapping: Add `metrics_config` argument ([#40322](https://github.com/hashicorp/terraform-provider-aws/issues/40322)) - resource/aws\_lambda\_event\_source\_mapping: Add `provisioned_poller_config` argument ([#40303](https://github.com/hashicorp/terraform-provider-aws/issues/40303)) - resource/aws\_rds\_cluster: Add ability to promote read replica cluster to standalone ([#40337](https://github.com/hashicorp/terraform-provider-aws/issues/40337)) - resource/aws\_vpc\_endpoint\_service: Add `supported_regions` argument ([#40346](https://github.com/hashicorp/terraform-provider-aws/issues/40346)) BUG FIXES: - resource/aws\_fsx\_openzfs\_file\_system: Increase maximum value of `disk_iops_configuration.iops` from `350000` to `400000` for `deployment_type = "SINGLE_AZ_2"` ([#40359](https://github.com/hashicorp/terraform-provider-aws/issues/40359)) ### [`v5.78.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.78.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.77.0...v5.78.0) NOTES: - resource/aws\_s3\_bucket\_lifecycle\_configuration: Lifecycle configurations can now be applied to directory buckets ([#40268](https://github.com/hashicorp/terraform-provider-aws/issues/40268)) FEATURES: - **New Resource:** `aws_iam_organizations_features` ([#40164](https://github.com/hashicorp/terraform-provider-aws/issues/40164)) ENHANCEMENTS: - data-source/aws\_memorydb\_cluster: Add `engine` attribute ([#40224](https://github.com/hashicorp/terraform-provider-aws/issues/40224)) - data-source/aws\_memorydb\_snapshot: Add `cluster_configuration.engine` attribute ([#40224](https://github.com/hashicorp/terraform-provider-aws/issues/40224)) - resource/aws\_memorydb\_cluster: Add `engine` argument ([#40224](https://github.com/hashicorp/terraform-provider-aws/issues/40224)) - resource/aws\_memorydb\_snapshot: Add `cluster_configuration.engine` attribute ([#40224](https://github.com/hashicorp/terraform-provider-aws/issues/40224)) BUG FIXES: - data-source/aws\_rds\_reserved\_instance\_offering: When `product_description` (e.g., "postgresql") is a substring of multiple products, fix `Error: multiple RDS Reserved Instance Offerings matched; use additional constraints to reduce matches to a single RDS Reserved Instance Offering` ([#40281](https://github.com/hashicorp/terraform-provider-aws/issues/40281)) - provider: Suppress `Warning: AWS account ID not found for provider` when `skip_requesting_account_id` is `true` ([#40264](https://github.com/hashicorp/terraform-provider-aws/issues/40264)) - resource/aws\_batch\_job\_definition: Fix crash when specifying `eksProperties` or `ecsProperties` block ([#40172](https://github.com/hashicorp/terraform-provider-aws/issues/40172)) - resource/aws\_bedrock\_guardrail: Fix perpetual diff if multiple `content_policy_config.filters_config`s are specified. ([#40304](https://github.com/hashicorp/terraform-provider-aws/issues/40304)) - resource/aws\_chatbot\_slack\_channel\_configuration: Fix inconsistent provider result when order of `sns_topic_arns`changes ([#40253](https://github.com/hashicorp/terraform-provider-aws/issues/40253)) - resource/aws\_chatbot\_teams\_channel\_configuration: Fix inconsistent provider result when order of `sns_topic_arns`changes ([#40291](https://github.com/hashicorp/terraform-provider-aws/issues/40291)) - resource/aws\_db\_instance: When changing `storage_type` from `io1` or `io2` to `gp3`, fix bug causing error `InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops` ([#37257](https://github.com/hashicorp/terraform-provider-aws/issues/37257)) - resource/aws\_db\_instance: When changing a `gp3` volume's `allocated_storage` to a value larger than the [threshold value for `engine`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage), fix bug causing error `InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops` ([#28847](https://github.com/hashicorp/terraform-provider-aws/issues/28847)) ### [`v5.77.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.77.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.76.0...v5.77.0) NOTES: - New [ephemeral resources](https://developer.hashicorp.com/terraform/language/v1.10.x/resources/ephemeral) `aws_kms_secrets`, `aws_lambda_invocation`, and `aws_secretsmanager_secret_version` now support [ephemeral values](https://developer.hashicorp.com/terraform/language/v1.10.x/values/variables#exclude-values-from-state). ([#40009](https://github.com/hashicorp/terraform-provider-aws/issues/40009)) FEATURES: - **New Ephemeral Resource:** `aws_kms_secrets` ([#40009](https://github.com/hashicorp/terraform-provider-aws/issues/40009)) - **New Ephemeral Resource:** `aws_lambda_invocation` ([#39988](https://github.com/hashicorp/terraform-provider-aws/issues/39988)) - **New Ephemeral Resource:** `aws_secretsmanager_secret_version` ([#40009](https://github.com/hashicorp/terraform-provider-aws/issues/40009)) - **New Resource:** `aws_rds_instance_state` ([#40180](https://github.com/hashicorp/terraform-provider-aws/issues/40180)) ENHANCEMENTS: - data-source/aws\_ami: Add warning diagnostic when `most_recent` is true and certain filter criteria are missing ([#40211](https://github.com/hashicorp/terraform-provider-aws/issues/40211)) - data-source/aws\_ecs\_service: Add `availability_zone_rebalancing` attribute ([#40225](https://github.com/hashicorp/terraform-provider-aws/issues/40225)) - resource/aws\_ecs\_service: Add `availability_zone_rebalancing` attribute ([#40225](https://github.com/hashicorp/terraform-provider-aws/issues/40225)) - resource/aws\_ecs\_service: Add vpc\_lattice\_configurations argument ([#40177](https://github.com/hashicorp/terraform-provider-aws/issues/40177)) - resource/aws\_ecs\_task\_definition: Add `versionConsistency` argument to `container_definitions` ([#40216](https://github.com/hashicorp/terraform-provider-aws/issues/40216)) - resource/aws\_rds\_global\_cluster: Add `endpoint` argument to point to the writer DB instance in the current primary cluster ([#39960](https://github.com/hashicorp/terraform-provider-aws/issues/39960)) BUG FIXES: - data-source/aws\_subnet: Set `tags` from the `DescribeSubnets` response, removing the need for the `ec2:DescribeTags` IAM permission ([#40144](https://github.com/hashicorp/terraform-provider-aws/issues/40144)) - resource/aws\_cognito\_user\_pool: Fix crash when hashing nil `schema` element ([#40195](https://github.com/hashicorp/terraform-provider-aws/issues/40195)) - resource/aws\_eks\_addon: Fix crash when `pod_identity_association` is modified ([#40168](https://github.com/hashicorp/terraform-provider-aws/issues/40168)) - resource/aws\_eks\_addon: Fix to prevent persistent differences when `pod_identity_association` is changed ([#40168](https://github.com/hashicorp/terraform-provider-aws/issues/40168)) ### [`v5.76.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.76.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.75.1...v5.76.0) FEATURES: - **New Resource:** `aws_vpc_security_group_vpc_association` ([#40069](https://github.com/hashicorp/terraform-provider-aws/issues/40069)) ENHANCEMENTS: - resource/aws\_medialive\_channel: Add missing h265 codec settings ([#40071](https://github.com/hashicorp/terraform-provider-aws/issues/40071)) BUG FIXES: - resource/aws\_api\_gateway\_integration: Fix `BadRequestException: Invalid mapping expression specified` and `NotFoundException: Invalid parameter name specified` errors when making updates to `request_parameters` and/or `cache_key_parameters` ([#40124](https://github.com/hashicorp/terraform-provider-aws/issues/40124)) - resource/aws\_api\_gateway\_method: Fix `BadRequestException: Invalid mapping expression specified` and `NotFoundException: Invalid parameter name specified` errors when making updates to `request_parameters` ([#40124](https://github.com/hashicorp/terraform-provider-aws/issues/40124)) - resource/aws\_autoscaling\_group: Handle eventual consistency issues that occur when using a `launch_template` that is updated causing `ValidationError: You must use a valid fully-formed launch template.` ([#40088](https://github.com/hashicorp/terraform-provider-aws/issues/40088)) - resource/aws\_eip: Properly surface errors during deletion when `ipam_pool_id` is set ([#40082](https://github.com/hashicorp/terraform-provider-aws/issues/40082)) - resource/aws\_elasticache\_reserved\_cache\_node: Fix `Provider returned invalid result object after apply` errors ([#40090](https://github.com/hashicorp/terraform-provider-aws/issues/40090)) - resource/aws\_iam\_group\_policies\_exclusive: Add validation to prevent null values in `policy_names` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_iam\_group\_policy\_attachments\_exclusive: Add validation to prevent null values in `policy_arns` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_iam\_instance\_profile: Handle eventual consistency issues that occur when this resource is updated and has dependents ([#40088](https://github.com/hashicorp/terraform-provider-aws/issues/40088)) - resource/aws\_iam\_role\_policies\_exclusive: Add validation to prevent null values in `policy_names` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_iam\_role\_policy\_attachments\_exclusive: Add validation to prevent null values in `policy_arns` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_iam\_user\_policies\_exclusive: Add validation to prevent null values in `policy_names` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_iam\_user\_policy\_attachments\_exclusive: Add validation to prevent null values in `policy_arns` ([#40076](https://github.com/hashicorp/terraform-provider-aws/issues/40076)) - resource/aws\_launch\_template: Handle eventual consistency issues that occur when this resource is updated and has dependents ([#40088](https://github.com/hashicorp/terraform-provider-aws/issues/40088)) ### [`v5.75.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.75.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.75.0...v5.75.1) ENHANCEMENTS: - data-source/aws\_cloudwatch\_event\_bus: Add `description` attribute ([#39980](https://github.com/hashicorp/terraform-provider-aws/issues/39980)) - resource/aws\_api\_gateway\_account: Add attribute `reset_on_delete` to properly reset CloudWatch Role ARN on deletion. ([#40004](https://github.com/hashicorp/terraform-provider-aws/issues/40004)) - resource/aws\_cloudwatch\_event\_bus: Add `description` argument ([#39980](https://github.com/hashicorp/terraform-provider-aws/issues/39980)) BUG FIXES: - resource/aws\_api\_gateway\_deployment: Rolls back validation of `canary_settings` and `stage_description` when `stage_name` not set. ([#40067](https://github.com/hashicorp/terraform-provider-aws/issues/40067)) - resource/aws\_dynamodb\_table: Allow table TTL to be disabled by allowing `ttl[0].attribute_name` to be set when `ttl[0].enabled` is false ([#40046](https://github.com/hashicorp/terraform-provider-aws/issues/40046)) - resource/aws\_sagemaker\_domain: Fix issue causing a `ValidationException` on updates when RStudio is disabled on the domain ([#40049](https://github.com/hashicorp/terraform-provider-aws/issues/40049)) ### [`v5.75.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.75.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.74.0...v5.75.0) BREAKING CHANGES: - resource/aws\_api\_gateway\_stage: Add `canary_settings.deployment_id` attribute as `required` ([#39929](https://github.com/hashicorp/terraform-provider-aws/issues/39929)) NOTES: - provider: validation of arguments implementing the custom `ARNType` will properly surface validation errors ([#40008](https://github.com/hashicorp/terraform-provider-aws/issues/40008)) - resource/aws\_api\_gateway\_stage: `deployment_id` was added to `canary_settings` as a `required` attribute. This breaking change was necessary to make `canary_settings` functional. Without this change all canary traffic was routed to the main deployment ([#39929](https://github.com/hashicorp/terraform-provider-aws/issues/39929)) FEATURES: - **New Data Source:** `aws_spot_datafeed_subscription` ([#39647](https://github.com/hashicorp/terraform-provider-aws/issues/39647)) ENHANCEMENTS: - data-source/aws\_batch\_job\_definition: Add `init_containers`, `share_process_namespace`, and `image_pull_secrets` attributes ([#40019](https://github.com/hashicorp/terraform-provider-aws/issues/40019)) - resource/aws\_batch\_job\_definition: Add `init_containers` and `share_process_namespace` arguments ([#40019](https://github.com/hashicorp/terraform-provider-aws/issues/40019)) - resource/aws\_batch\_job\_definition: Increase maximum number of `containers` arguments to 10 ([#40019](https://github.com/hashicorp/terraform-provider-aws/issues/40019)) - resource/aws\_eks\_addon: Add `pod_identity_association` argument ([#38357](https://github.com/hashicorp/terraform-provider-aws/issues/38357)) - resource/aws\_iam\_user\_login\_profile: Mark the `password` argument as sensitive ([#39991](https://github.com/hashicorp/terraform-provider-aws/issues/39991)) BUG FIXES: - resource/aws\_api\_gateway\_deployment: Fix destroy error when canary stage still exists on resource ([#39929](https://github.com/hashicorp/terraform-provider-aws/issues/39929)) - resource/aws\_codedeploy\_deployment\_group: Remove maximum items limit on the `alarm_configuration.alarms` argument ([#39971](https://github.com/hashicorp/terraform-provider-aws/issues/39971)) - resource/aws\_eks\_addon: Handle `ResourceNotFound` exceptions during resource destruction ([#38357](https://github.com/hashicorp/terraform-provider-aws/issues/38357)) - resource/aws\_elasticache\_reserved\_cache\_node: Fix `Value Conversion Error` during resource creation ([#39945](https://github.com/hashicorp/terraform-provider-aws/issues/39945)) - resource/aws\_lb\_listener: Fix errors when updating the `tcp_idle_timeout_seconds` argument for gateway load balancers ([#40039](https://github.com/hashicorp/terraform-provider-aws/issues/40039)) - resource/aws\_lb\_listener: Remove the default `tcp_idle_timeout_seconds` value, preventing `ModifyListenerAttributes` API calls when a value is not explicitly configured ([#40039](https://github.com/hashicorp/terraform-provider-aws/issues/40039)) - resource/aws\_vpc\_ipam\_pool: Fix bug when `public_ip_source = "amazon"`: `The request can only contain PubliclyAdvertisable if the AddressFamily is IPv6 and PublicIpSource is byoip.` ([#40042](https://github.com/hashicorp/terraform-provider-aws/issues/40042)) ### [`v5.74.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.74.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.73.0...v5.74.0) FEATURES: - **New Data Source:** `aws_lb_listener_rule` ([#39865](https://github.com/hashicorp/terraform-provider-aws/issues/39865)) - **New Resource:** `aws_opensearch_authorize_vpc_endpoint_access` ([#39846](https://github.com/hashicorp/terraform-provider-aws/issues/39846)) - **New Resource:** `aws_ssmquicksetup_configuration_manager` ([#39931](https://github.com/hashicorp/terraform-provider-aws/issues/39931)) ENHANCEMENTS: - data-source/aws\_imagebuilder\_distribution\_configuration: Add `distribution.s3_export_configuration` attribute ([#35492](https://github.com/hashicorp/terraform-provider-aws/issues/35492)) - data-source/aws\_imagebuilder\_image\_recipe: Fix `block_device_mapping.0.ebs.0.delete_on_termination: '' expected type 'bool', got unconvertible type 'string'` errors ([#39928](https://github.com/hashicorp/terraform-provider-aws/issues/39928)) - resource/aws\_codedeploy\_deployment\_group: Add `termination_hook_enabled` argument ([#35482](https://github.com/hashicorp/terraform-provider-aws/issues/35482)) - resource/aws\_eks\_cluster: Add `zonal_shift_config` argument ([#39852](https://github.com/hashicorp/terraform-provider-aws/issues/39852)) - resource/aws\_imagebuilder\_distribution\_configuration: Add `distribution.s3_export_configuration` argument ([#35492](https://github.com/hashicorp/terraform-provider-aws/issues/35492)) - resource/aws\_imagebuilder\_image\_pipeline: Allow `container_recipe_arn` and `image_recipe_arn` to be updated in-place ([#39117](https://github.com/hashicorp/terraform-provider-aws/issues/39117)) - resource/aws\_keyspaces\_keyspace: Add `replication_specification` argument ([#36331](https://github.com/hashicorp/terraform-provider-aws/issues/36331)) - resource/aws\_launch\_template: Add `efa-only` as a valid value for `network_interfaces.interface_type` ([#39882](https://github.com/hashicorp/terraform-provider-aws/issues/39882)) - resource/aws\_transfer\_server: Add `TransferSecurityPolicy-Restricted-2024-06` as a valid value for `security_policy_name` ([#39871](https://github.com/hashicorp/terraform-provider-aws/issues/39871)) BUG FIXES: - resource/aws\_docdb\_cluster: Use `master_password` on resource Create when `snapshot_identifier` is configured ([#38193](https://github.com/hashicorp/terraform-provider-aws/issues/38193)) - resource/aws\_imagebuilder\_container\_recipe: Change `component.parameter.name`, `component.parameter.value`, `target_repository.repository_name`, and `target_repository.service` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#39117](https://github.com/hashicorp/terraform-provider-aws/issues/39117)) - resource/aws\_route53\_record: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic when `geolocation_routing_policy` is empty ([#39944](https://github.com/hashicorp/terraform-provider-aws/issues/39944)) - resource/aws\_ssm\_patch\_baseline: Update `approval_rule.approve_after_days` validation to allow a maximum value of `360` ([#39949](https://github.com/hashicorp/terraform-provider-aws/issues/39949)) - resource/aws\_wafv2\_web\_acl: Fix `decoding JSON: unexpected end of JSON input` errors when updating from using `rule_json` to using `rule` ([#39283](https://github.com/hashicorp/terraform-provider-aws/issues/39283)) - resource/aws\_wafv2\_web\_acl: Fix unmarshal error for incompatible types in `rule_json` ([#39878](https://github.com/hashicorp/terraform-provider-aws/issues/39878)) ### [`v5.73.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.73.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.72.1...v5.73.0) FEATURES: - **New Data Source:** `aws_ssm_patch_baselines` ([#39779](https://github.com/hashicorp/terraform-provider-aws/issues/39779)) - **New Resource:** `aws_imagebuilder_lifecycle_policy` ([#35674](https://github.com/hashicorp/terraform-provider-aws/issues/35674)) - **New Resource:** `aws_resiliencehub_resiliency_policy` ([#38913](https://github.com/hashicorp/terraform-provider-aws/issues/38913)) - **New Resource:** `aws_sagemaker_hub` ([#39807](https://github.com/hashicorp/terraform-provider-aws/issues/39807)) - **New Resource:** `aws_sagemaker_mlflow_tracking_server` ([#39796](https://github.com/hashicorp/terraform-provider-aws/issues/39796)) ENHANCEMENTS: - data-source/aws\_elasticache\_reserved\_cache\_node\_offering: Support `valkey` as valid value for `product_description` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - data-source/aws\_lakeformation\_data\_lake\_settings: Add `parameters` map attribute to read `CROSS_ACCOUNT_VERSION` ([#39826](https://github.com/hashicorp/terraform-provider-aws/issues/39826)) - data-source/aws\_lb: Add `enable_zonal_shift` attribute ([#39585](https://github.com/hashicorp/terraform-provider-aws/issues/39585)) - resource/aws\_apprunner\_auto\_scaling\_configuration\_version: Remove the upper limit on `min_size` and `max_size` ([#39843](https://github.com/hashicorp/terraform-provider-aws/issues/39843)) - resource/aws\_batch\_job\_definition: Ensure that new revisions are created with tags ([#39797](https://github.com/hashicorp/terraform-provider-aws/issues/39797)) - resource/aws\_codedeploy\_deployment\_config: Add `zonal_config` argument ([#34850](https://github.com/hashicorp/terraform-provider-aws/issues/34850)) - resource/aws\_dynamodb\_kinesis\_streaming\_destination: Add `approximate_creation_date_time_precision` argument ([#38098](https://github.com/hashicorp/terraform-provider-aws/issues/38098)) - resource/aws\_elasticache\_cluster: Support `valkey` as valid value for `engine` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_elasticache\_global\_replication\_group: Support Valkey versions for `engine_version` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_elasticache\_replication\_group: Support Valkey versions for `engine_version` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_elasticache\_replication\_group: Support `valkey` as valid value for `engine` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_elasticache\_serverless\_cache: Support `valkey` as valid value for `engine` ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `iceberg_configuration` argument ([#39844](https://github.com/hashicorp/terraform-provider-aws/issues/39844)) - resource/aws\_lakeformation\_data\_lake\_settings: Add `parameters` map argument enabling `CROSS_ACCOUNT_VERSION` to be set ([#39826](https://github.com/hashicorp/terraform-provider-aws/issues/39826)) - resource/aws\_lb: Add `enable_zonal_shift` argument ([#39585](https://github.com/hashicorp/terraform-provider-aws/issues/39585)) - resource/aws\_lb\_listener: Add `tcp_idle_timeout_seconds` argument ([#39585](https://github.com/hashicorp/terraform-provider-aws/issues/39585)) - resource/aws\_route53profiles\_association: Add regex and string length validation for `name` argument ([#39798](https://github.com/hashicorp/terraform-provider-aws/issues/39798)) - resource/aws\_s3\_bucket\_object: Remove the call to `kms:DescribeKey` for the S3 default AWS managed key (`alias/aws/s3`) on Read ([#39782](https://github.com/hashicorp/terraform-provider-aws/issues/39782)) - resource/aws\_s3\_object: Remove the call to `kms:DescribeKey` for the S3 default AWS managed key (`alias/aws/s3`) on Read ([#39782](https://github.com/hashicorp/terraform-provider-aws/issues/39782)) - resource/aws\_s3\_object\_copy: Remove the call to `kms:DescribeKey` for the S3 default AWS managed key (`alias/aws/s3`) on Read ([#39782](https://github.com/hashicorp/terraform-provider-aws/issues/39782)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.jupyter_lab_app_settings.app_lifecycle_management`, `default_user_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn`, `default_user_settings.jupyter_lab_app_settings.emr_settings`, `default_space_settings.jupyter_lab_app_settings.app_lifecycle_management`, `default_space_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn`, `default_space_settings.jupyter_lab_app_settings.emr_settings`, `default_user_settings.auto_mount_home_efs`, `default_user_settings.canvas_app_settings.emr_serverless_settings`, `default_user_settings.studio_web_portal_settings.hidden_instance_types`, `default_user_settings.code_editor_app_settings.app_lifecycle_management`, `default_user_settings.code_editor_app_settings.built_in_lifecycle_config_arn`, and `tag_propagation` arguments ([#39774](https://github.com/hashicorp/terraform-provider-aws/issues/39774)) - resource/aws\_sagemaker\_domain: Allow `app_network_access_type` and `app_security_group_management` to be updated in-place ([#39774](https://github.com/hashicorp/terraform-provider-aws/issues/39774)) - resource/aws\_sagemaker\_feature\_group: Add `feature_definition.collection_config`, `feature_definition.collection_type`, and `throughput_config` arguments ([#39805](https://github.com/hashicorp/terraform-provider-aws/issues/39805)) - resource/aws\_sagemaker\_space: Add `space_settings.code_editor_app_settings.app_lifecycle_management` and `space_settings.jupyter_lab_app_settings.app_lifecycle_management` arguments ([#39800](https://github.com/hashicorp/terraform-provider-aws/issues/39800)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.auto_mount_home_efs`, `user_settings.canvas_app_settings.emr_serverless_settings`, `user_settings.code_editor_app_settings.app_lifecycle_management`, `user_settings.code_editor_app_settings.built_in_lifecycle_config_arn`, `user_settings.jupyter_lab_app_settings.app_lifecycle_management`, `user_settings.jupyter_lab_app_settings.built_in_lifecycle_config_arn`, `user_settings.jupyter_lab_app_settings.emr_settings` and `user_settings.studio_web_portal_settings.hidden_instance_types` arguments ([#39774](https://github.com/hashicorp/terraform-provider-aws/issues/39774)) BUG FIXES: - data-source/aws\_workspaces\_bundle: Return the first matching bundle when searching by `name`. This fixes a regression introduced in [v5.72.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5720-october-15-2024) causing `multiple WorkSpaces Bundles matched; use additional constraints to reduce matches to a single WorkSpaces Bundle` errors ([#39777](https://github.com/hashicorp/terraform-provider-aws/issues/39777)) - resource/aws\_dynamodb\_table: Fix validation error when optional attribute in `on_demand_throughput` is excluded ([#39784](https://github.com/hashicorp/terraform-provider-aws/issues/39784)) - resource/aws\_ecr\_repository\_policy: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_elasticache\_serverless\_cache: Fix `InvalidParameterValue: This API supports only cross-engine upgrades to Valkey engine currently` errors on Update ([#39745](https://github.com/hashicorp/terraform-provider-aws/issues/39745)) - resource/aws\_iam\_policy: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_iam\_role\_policy: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_kms\_key: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_quicksight\_data\_set: Fix `InvalidParameterValueException: Invalid RowLevelPermissionDataSet. Namespace parameter should not be specified for Version 2` errors on Create and Update ([#39778](https://github.com/hashicorp/terraform-provider-aws/issues/39778)) - resource/aws\_route53\_record: Allow creation of records with `ttl=0` ([#39728](https://github.com/hashicorp/terraform-provider-aws/issues/39728)) - resource/aws\_s3\_bucket\_policy: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_secretsmanager\_secret: Fix persistent validation errors when malformed `policy` content is written to state ([#39842](https://github.com/hashicorp/terraform-provider-aws/issues/39842)) - resource/aws\_security\_group\_rule: Remove from state when rule not found. This fixes a regression introduced in [v5.60.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5600-july-25-2024) ([#39834](https://github.com/hashicorp/terraform-provider-aws/issues/39834)) ### [`v5.72.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.72.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.72.0...v5.72.1) FEATURES: - **New Resource:** `aws_iam_group_policy_attachments_exclusive` ([#39732](https://github.com/hashicorp/terraform-provider-aws/issues/39732)) - **New Resource:** `aws_iam_user_policy_attachments_exclusive` ([#39731](https://github.com/hashicorp/terraform-provider-aws/issues/39731)) ENHANCEMENTS: - resource/aws\_resourceexplorer2\_view: Add `scope` argument ([#39744](https://github.com/hashicorp/terraform-provider-aws/issues/39744)) BUG FIXES: - data-source/aws\_batch\_job\_definition: Properly handles ignored tags. ([#39734](https://github.com/hashicorp/terraform-provider-aws/issues/39734)) - data-source/aws\_cognito\_user\_pool: Properly handles ignored tags. ([#39734](https://github.com/hashicorp/terraform-provider-aws/issues/39734)) - resource/aws\_cognito\_user\_pool: Properly handles ignored tags. ([#39734](https://github.com/hashicorp/terraform-provider-aws/issues/39734)) - resource/aws\_dynamodb\_table: Fix crash when `billing_mode` is set to `PAY_PER_REQUEST` without `global_secondary_index` updates ([#39752](https://github.com/hashicorp/terraform-provider-aws/issues/39752)) - resource/aws\_dynamodb\_table\_replica: Properly handles default and ignored tags. ([#39734](https://github.com/hashicorp/terraform-provider-aws/issues/39734)) - resource/aws\_resourceexplorer2\_index: Correctly mark incomplete `AGGREGATOR` indexes as [tainted](https://developer.hashicorp.com/terraform/cli/state/taint#the-tainted-status) on Create ([#39744](https://github.com/hashicorp/terraform-provider-aws/issues/39744)) ### [`v5.72.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.72.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.70.0...v5.72.0) NOTES: - This version contains all the features, enhancements, and bug fixes from the [v5.71.0 release](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5710-october-11-2024) which was removed from the Terraform Registry ([#39692](https://github.com/hashicorp/terraform-provider-aws/issues/39692)) - resource/aws\_iam\_role: The `managed_policy_arns` argument is deprecated. Use the `aws_iam_role_policy_attachments_exclusive` resource instead. ([#39718](https://github.com/hashicorp/terraform-provider-aws/issues/39718)) FEATURES: - **New Resource:** `aws_iam_role_policy_attachments_exclusive` ([#39718](https://github.com/hashicorp/terraform-provider-aws/issues/39718)) ENHANCEMENTS: - data-source/aws\_workspaces\_directory: Add `saml_properties` attribute ([#39060](https://github.com/hashicorp/terraform-provider-aws/issues/39060)) - resource/aws\_appflow\_flow: Add `source_flow_config.source_connector_properties.sapo_data.pagination_config` and `source_flow_config.source_connector_properties.sapo_data.parallelism_config` attributes ([#38932](https://github.com/hashicorp/terraform-provider-aws/issues/38932)) - resource/aws\_cloudwatch\_event\_rule: Add tags to AWS API request on Update to support [ABAC `aws:RequestTag` conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests) ([#39648](https://github.com/hashicorp/terraform-provider-aws/issues/39648)) - resource/aws\_cloudwatch\_event\_target: Add `appsync_target` configuration block ([#37773](https://github.com/hashicorp/terraform-provider-aws/issues/37773)) - resource/aws\_dynamodb\_table: Add `on_demand_throughput` and `global_secondary_index.on_demand_throughput` arguments ([#37799](https://github.com/hashicorp/terraform-provider-aws/issues/37799)) - - resource/aws\_lakeformation\_permissions: Allow `principal` to be an AWS federated-user arn ([#33298](https://github.com/hashicorp/terraform-provider-aws/issues/33298)) - resource/aws\_rds\_cluster: Increase maximum value of `serverlessv2_scaling_configuration.max_capacity` and `serverlessv2_scaling_configuration.min_capacity` from `128` to `256` ([#39697](https://github.com/hashicorp/terraform-provider-aws/issues/39697)) - resource/aws\_rds\_cluster\_instance: Treat `storage-optimization` status as success when creating or updating cluster DB instances ([#39691](https://github.com/hashicorp/terraform-provider-aws/issues/39691)) - resource/aws\_workspaces\_directory: Add `saml_properties` configuration block ([#39060](https://github.com/hashicorp/terraform-provider-aws/issues/39060)) BUG FIXES: - data-source/aws\_ssm\_document: Correct `arn` for automation documents ([#39705](https://github.com/hashicorp/terraform-provider-aws/issues/39705)) - resource/aws\_cognito\_user\_pool: Fixes error when `schema` has empty `string_attribute_constraints` or `number_attribute_constraints` ([#20386](https://github.com/hashicorp/terraform-provider-aws/issues/20386)) - resource/aws\_ssm\_document: Correct `arn` for automation documents ([#39705](https://github.com/hashicorp/terraform-provider-aws/issues/39705)) ### [`v5.70.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.70.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.69.0...v5.70.0) NOTES: - resource/aws\_s3\_bucket\_lifecycle\_configuration: Amazon S3 now applies a default minimum object size of 128 KB for S3 Lifecycle transition rules to any S3 storage class. This new default behavior will be applied to any new or modified S3 Lifecycle configuration. You can override this new default and customize the minimum object size for S3 Lifecycle transition rules to any value ([#39578](https://github.com/hashicorp/terraform-provider-aws/issues/39578)) - resource/aws\_simpledb\_domain: The `aws_simpledb_domain` resource has been deprecated and will be removed in a future version. Use Amazon DynamoDB instead ([#39536](https://github.com/hashicorp/terraform-provider-aws/issues/39536)) - resource/aws\_worklink\_fleet: The `aws_worklink_fleet` resource has been deprecated and will be removed in a future version. Use Amazon WorkSpaces Secure Browser instead ([#39538](https://github.com/hashicorp/terraform-provider-aws/issues/39538)) - resource/aws\_worklink\_website\_certificate\_authority\_association: The `aws_worklink_website_certificate_authority_association` resource has been deprecated and will be removed in a future version. Use Amazon WorkSpaces Secure Browser instead ([#39538](https://github.com/hashicorp/terraform-provider-aws/issues/39538)) FEATURES: - **New Resource:** `aws_backup_logically_air_gapped_vault` ([#39098](https://github.com/hashicorp/terraform-provider-aws/issues/39098)) - **New Resource:** `aws_ec2_transit_gateway_default_route_table_association` ([#39496](https://github.com/hashicorp/terraform-provider-aws/issues/39496)) - **New Resource:** `aws_ec2_transit_gateway_default_route_table_propagation` ([#39517](https://github.com/hashicorp/terraform-provider-aws/issues/39517)) - **New Resource:** `aws_iam_group_policies_exclusive` ([#39554](https://github.com/hashicorp/terraform-provider-aws/issues/39554)) - **New Resource:** `aws_iam_user_policies_exclusive` ([#39544](https://github.com/hashicorp/terraform-provider-aws/issues/39544)) - **New Resource:** `aws_securityhub_standards_control_association` ([#39511](https://github.com/hashicorp/terraform-provider-aws/issues/39511)) ENHANCEMENTS: - data-source/aws\_ebs\_snapshot: Add `start_time` attribute ([#39557](https://github.com/hashicorp/terraform-provider-aws/issues/39557)) - resource/aws\_bedrockagent\_agent\_action\_group: Add `prepare_agent` argument ([#39486](https://github.com/hashicorp/terraform-provider-aws/issues/39486)) - resource/aws\_bedrockagent\_data\_source: Add `vector_ingestion_configuration.custom_transformation_configuration` argument ([#39556](https://github.com/hashicorp/terraform-provider-aws/issues/39556)) - resource/aws\_globalaccelerator\_endpoint\_group: Add `endpoint_configuration.attachment_arn` argument ([#39507](https://github.com/hashicorp/terraform-provider-aws/issues/39507)) - resource/aws\_lambda\_code\_signing\_config: Add `tags` argument and `tags_all` attribute ([#39535](https://github.com/hashicorp/terraform-provider-aws/issues/39535)) - resource/aws\_lambda\_event\_source\_mapping: Add `arn` attribute ([#39535](https://github.com/hashicorp/terraform-provider-aws/issues/39535)) - resource/aws\_lambda\_event\_source\_mapping: Add `tags` argument and `tags_all` attribute ([#39535](https://github.com/hashicorp/terraform-provider-aws/issues/39535)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Add `transition_default_minimum_object_size` argument ([#39578](https://github.com/hashicorp/terraform-provider-aws/issues/39578)) BUG FIXES: - resource/aws\_bedrockagent\_agent: Fix "Provider produced inconsistent result after apply" error on update due to `customer_encryption_key_arn` not being passed during update ([#39565](https://github.com/hashicorp/terraform-provider-aws/issues/39565)) - resource/aws\_bedrockagent\_agent: Fix "Provider produced inconsistent result after apply" error on update due to `prompt_override_configuration` not being passed when not modified ([#39565](https://github.com/hashicorp/terraform-provider-aws/issues/39565)) - resource/aws\_bedrockagent\_knowledge\_base: Change `knowledge_base_configuration` and `storage_configuration` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#39567](https://github.com/hashicorp/terraform-provider-aws/issues/39567)) - resource/aws\_ec2\_transit\_gateway\_vpc\_attachment: Remove default value for `security_group_referencing_support` argument and mark as Computed. This suppresses the diffs shown for resources created with v5.68.0 (or earlier) ([#39519](https://github.com/hashicorp/terraform-provider-aws/issues/39519)) - resource/aws\_opensearchserverless\_lifecycle\_policy: Fix "Provider produced inconsistent result after apply" error on update due to `policy_version` computed attribute changing ([#39528](https://github.com/hashicorp/terraform-provider-aws/issues/39528)) - resource/aws\_opensearchserverless\_security\_policy: Fix "Provider produced inconsistent result after apply" error on update due to `policy_version` computed attribute changing ([#39528](https://github.com/hashicorp/terraform-provider-aws/issues/39528)) - resource/aws\_quicksight\_dashboard: Fix mapping of `sheets.filter_controls.list.cascading_control_configuration` and `sheets.parameter_controls.list.cascading_control_configuration` attributes ([#39453](https://github.com/hashicorp/terraform-provider-aws/issues/39453)) ### [`v5.69.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.69.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.68.0...v5.69.0) NOTES: - provider: This release contains an upstream AWS SDK for Go v2 [change](https://github.com/aws/aws-sdk-go-v2/issues/2807) to DynamoDB service endpoints. The Terraform AWS Provider will now connect to a DynamoDB endpoint in the format [`(account-id).ddb.(region).amazonaws.com`](https://docs.aws.amazon.com/sdkref/latest/guide/feature-account-endpoints.html) instead of `dynamodb.(region).amazonaws.com`. If your network configuration blocks outgoing traffic to DynamoDB based on DNS names or endpoint URLs, you must adjust your configuration, because the service's DNS name will change. You may instead disable account-based endpoints for DynamoDB by setting `account_id_endpoint_mode = disabled` in a [shared config file](https://docs.aws.amazon.com/sdkref/latest/guide/settings-reference.html#ConfigFileSettings) or setting the `AWS_ACCOUNT_ID_ENDPOINT_MODE` [environment variable](https://docs.aws.amazon.com/sdkref/latest/guide/settings-reference.html#EVarSettings) to `disabled` ([#39505](https://github.com/hashicorp/terraform-provider-aws/issues/39505)) - provider: Updates to Go `1.23.1`. The issue with AWS Network Firewall dropping TLS handshake `ClientHello` messages after the **v5.65.0** upgrade to Go `1.23.0`, temporarily resolved by the **v5.67.0** downgrade to Go `1.22.7`, has been addressed by removing the `X25519Kyber768Draft00` key exchange mechanism from the HTTP client used to make AWS API calls ([#39432](https://github.com/hashicorp/terraform-provider-aws/issues/39432)) - resource/aws\_alb\_listener: When importing a listener that has either a default action top-level target group ARN or a default action defining a forward action defining a target group with an ARN, include both in the configuration to avoid import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_lb\_listener: When importing a listener that has either a default action top-level target group ARN or a default action defining a forward action defining a target group with an ARN, include both in the configuration to avoid import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) ENHANCEMENTS: - data-source/aws\_connect\_instance: Add `tags` attribute ([#39402](https://github.com/hashicorp/terraform-provider-aws/issues/39402)) - data-source/aws\_ec2\_transit\_gateway: Add `security_group_referencing_support` attribute ([#34542](https://github.com/hashicorp/terraform-provider-aws/issues/34542)) - data-source/aws\_ec2\_transit\_gateway\_vpc\_attachment: Add `security_group_referencing_support` attribute ([#34542](https://github.com/hashicorp/terraform-provider-aws/issues/34542)) - data-source/aws\_opensearchserverless\_collection: Add `failure_code` and `failure_reason` attributes ([#38995](https://github.com/hashicorp/terraform-provider-aws/issues/38995)) - resource/aws\_bedrockagent\_agent: Add `guardrail_configuration` argument ([#39440](https://github.com/hashicorp/terraform-provider-aws/issues/39440)) - resource/aws\_connect\_instance: Add `tags` argument and `tags_all` attribute ([#39402](https://github.com/hashicorp/terraform-provider-aws/issues/39402)) - resource/aws\_ec2\_transit\_gateway: Add `security_group_referencing_support` argument ([#34542](https://github.com/hashicorp/terraform-provider-aws/issues/34542)) - resource/aws\_ec2\_transit\_gateway\_vpc\_attachment: Add `security_group_referencing_support` argument ([#34542](https://github.com/hashicorp/terraform-provider-aws/issues/34542)) - resource/aws\_ec2\_transit\_gateway\_vpc\_attachment\_accepter: Add `security_group_referencing_support` argument ([#34542](https://github.com/hashicorp/terraform-provider-aws/issues/34542)) - resource/aws\_ecs\_service: Add `volume_configuration.managed_ebs_volume.tag_specifications` attribute ([#38662](https://github.com/hashicorp/terraform-provider-aws/issues/38662)) - resource/aws\_identitystore\_group: Allow `display_name` to be updated in-place ([#39416](https://github.com/hashicorp/terraform-provider-aws/issues/39416)) - resource/aws\_kinesis\_stream: Tag on Create to support attribute-based access control (ABAC) ([#39504](https://github.com/hashicorp/terraform-provider-aws/issues/39504)) - resource/aws\_quicksight\_data\_source: Add `credentials.secret_arn` argument ([#29034](https://github.com/hashicorp/terraform-provider-aws/issues/29034)) BUG FIXES: - data-source/aws\_opensearchserverless\_vpc\_endpoint: Correctly set `security_group_ids`. This requires a call to the EC2 `DescribeVpcEndpoints` API ([#39454](https://github.com/hashicorp/terraform-provider-aws/issues/39454)) - data-source/aws\_region: Fix lookups for the `ap-southeast-5` Region ([#39389](https://github.com/hashicorp/terraform-provider-aws/issues/39389)) - resource/aws\_alb\_listener: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_alb\_listener: Remove the limitation preventing setting both default\_action.0.target\_group\_arn and default\_action.0.forward to align with the AWS API which allows you to specify both a target group list and a top-level target group ARN if the ARNs match ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_db\_instance: Allow replica database to be added to domain on create ([#39448](https://github.com/hashicorp/terraform-provider-aws/issues/39448)) - resource/aws\_db\_instance\_role\_association: Fix intermittent failure when instance is not in an available state ([#39457](https://github.com/hashicorp/terraform-provider-aws/issues/39457)) - resource/aws\_dynamodb\_tag: Fix propagation timeout when multiple tags exist ([#39491](https://github.com/hashicorp/terraform-provider-aws/issues/39491)) - resource/aws\_ecs\_cluster: Fix validation error with `name` attribute. ([#38993](https://github.com/hashicorp/terraform-provider-aws/issues/38993)) - resource/aws\_ecs\_cluster\_capacity\_providers: Fix validation error with `name` attribute. ([#38993](https://github.com/hashicorp/terraform-provider-aws/issues/38993)) - resource/aws\_iam\_role: Retry `ConcurrentModificationException`s during role creation ([#39429](https://github.com/hashicorp/terraform-provider-aws/issues/39429)) - resource/aws\_inspector2\_enabler: Fix `AccessDeniedException: Lambda code scanning is not supported in ...` errors ([#38254](https://github.com/hashicorp/terraform-provider-aws/issues/38254)) - resource/aws\_inspector2\_member\_association: Improve handling of `AccessDeniedException` errors during creation ([#38254](https://github.com/hashicorp/terraform-provider-aws/issues/38254)) - resource/aws\_lb\_listener: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_lb\_listener: Remove the limitation preventing setting both default\_action.0.target\_group\_arn and default\_action.0.forward to align with the AWS API which allows you to specify both a target group list and a top-level target group ARN if the ARNs match ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_lb\_listener\_rule: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_lb\_target\_group: Fix several of the arguments to avoiding setting zero-values in situations where they shouldn't causing warnings and import differences ([#39413](https://github.com/hashicorp/terraform-provider-aws/issues/39413)) - resource/aws\_medialive\_multiplex: Fix to properly handle read failures during delete operations which were previously ignored ([#39498](https://github.com/hashicorp/terraform-provider-aws/issues/39498)) - resource/aws\_opensearchserverless\_vpc\_endpoint: Change `name` and `vpc_id` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#39454](https://github.com/hashicorp/terraform-provider-aws/issues/39454)) - resource/aws\_opensearchserverless\_vpc\_endpoint: Correctly set `security_group_ids`. This requires a call to the EC2 `DescribeVpcEndpoints` API ([#39454](https://github.com/hashicorp/terraform-provider-aws/issues/39454)) - resource/aws\_rds\_cluster\_role\_association: Fix intermittent failure when cluster is not in an available state ([#39457](https://github.com/hashicorp/terraform-provider-aws/issues/39457)) - resource/aws\_vpc\_dhcp\_options: Fix a bug causing a panic crash when an option is absent ([#39427](https://github.com/hashicorp/terraform-provider-aws/issues/39427)) ### [`v5.68.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.68.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.67.0...v5.68.0) NOTES: - resource/aws\_iam\_role: The `inline_policy` argument is deprecated. Use the `aws_iam_role_policy` resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the `aws_iam_role_policies_exclusive` resource as well. ([#39203](https://github.com/hashicorp/terraform-provider-aws/issues/39203)) - resource/aws\_lexv2models\_slot\_type: Within the `composite_slot_type_setting` block, the `subslots` argument has been renamed `sub_slots`. See the [linked pull request](https://github.com/hashicorp/terraform-provider-aws/pull/39353) for additional justification on this change. The previous misnaming effectively made this argument unusable, therefore a breaking change in a minor version was deemed acceptable. ([#39353](https://github.com/hashicorp/terraform-provider-aws/issues/39353)) FEATURES: - **New Data Source:** `aws_elasticache_reserved_cache_node_offering` ([#29832](https://github.com/hashicorp/terraform-provider-aws/issues/29832)) - **New Data Source:** `aws_securityhub_standards_control_associations` ([#39334](https://github.com/hashicorp/terraform-provider-aws/issues/39334)) - **New Data Source:** `aws_synthetics_runtime_version` ([#39180](https://github.com/hashicorp/terraform-provider-aws/issues/39180)) - **New Data Source:** `aws_synthetics_runtime_versions` ([#39180](https://github.com/hashicorp/terraform-provider-aws/issues/39180)) - **New Resource:** `aws_appsync_source_api_association` ([#39323](https://github.com/hashicorp/terraform-provider-aws/issues/39323)) - **New Resource:** `aws_elasticache_reserved_cache_node` ([#29832](https://github.com/hashicorp/terraform-provider-aws/issues/29832)) - **New Resource:** `aws_iam_role_policies_exclusive` ([#39203](https://github.com/hashicorp/terraform-provider-aws/issues/39203)) - **New Resource:** `aws_pinpointsmsvoicev2_opt_out_list` ([#25036](https://github.com/hashicorp/terraform-provider-aws/issues/25036)) - **New Resource:** `aws_pinpointsmsvoicev2_phone_number` ([#25036](https://github.com/hashicorp/terraform-provider-aws/issues/25036)) - **New Resource:** `aws_sesv2_account_suppression_attributes` ([#39325](https://github.com/hashicorp/terraform-provider-aws/issues/39325)) ENHANCEMENTS: - resource/aws\_s3\_bucket\_server\_side\_encryption\_configuration: S3 directory buckets now support SSE-KMS ([#39366](https://github.com/hashicorp/terraform-provider-aws/issues/39366)) - resource/aws\_ses\_receipt\_rule: Add `iam_role_arn` argument to `s3_action` configuration block ([#39364](https://github.com/hashicorp/terraform-provider-aws/issues/39364)) - resource/aws\_synthetics\_canary: Increase maximum `name` length to 255 characters ([#39315](https://github.com/hashicorp/terraform-provider-aws/issues/39315)) BUG FIXES: - provider: Allows `assume_role.role_arn` to be an empty string when there is a single `assume_role` entry. ([#39328](https://github.com/hashicorp/terraform-provider-aws/issues/39328)) - resource/aws\_amplify\_app: Fix failure when unsetting the `environment_variables` argument ([#39397](https://github.com/hashicorp/terraform-provider-aws/issues/39397)) - resource/aws\_dynamodb\_table: Fix changing replicas to the default `Managed by DynamoDB` encryption setting ([#31284](https://github.com/hashicorp/terraform-provider-aws/issues/31284)) - resource/aws\_dynamodb\_table: Handle eventual consistency of tag creation and removal ([#39326](https://github.com/hashicorp/terraform-provider-aws/issues/39326)) - resource/aws\_dynamodb\_table\_replica: Handle eventual consistency of tag creation and removal ([#39326](https://github.com/hashicorp/terraform-provider-aws/issues/39326)) - resource/aws\_dynamodb\_tag: Handle eventual consistency of tag creation and removal ([#39326](https://github.com/hashicorp/terraform-provider-aws/issues/39326)) - resource/aws\_mq\_broker: Fix `engine_version` mismatch with RabbitMQ 3.13 and ActiveMQ 5.18 and above ([#39024](https://github.com/hashicorp/terraform-provider-aws/issues/39024)) - resource/aws\_mwaa\_environment: Fix creating environments with `endpoint_management = "CUSTOMER"` ([#39394](https://github.com/hashicorp/terraform-provider-aws/issues/39394)) - resource/aws\_opensearchserverless\_access\_policy: Fix incompatible type error when setting `policy` ([#39322](https://github.com/hashicorp/terraform-provider-aws/issues/39322)) ### [`v5.67.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.67.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.66.0...v5.67.0) BREAKING CHANGES: - resource/aws\_lexv2models\_slot\_type: Within the `value_selection_setting.advanced_recognition_setting` block, the `audio_recognition_setting` argument has been renamed `audio_recognition_strategy` ([#39254](https://github.com/hashicorp/terraform-provider-aws/issues/39254)) NOTES: - provider: Downgrades to Go `1.22.6`. A small number of users have reported failed or hanging network connections using the version of the Terraform AWS provider which was first built with Go `1.23.0` (`v5.65.0`). At this point, maintainers have been unable to reproduce failures, but enough distinct users have reported issues that we are going to attempt downgrading to Go `1.22.6` for the next provider release. We will continue to coordinate with users and AWS in an attempt to identify the root cause, using this upcoming release with a reverted Go build version as a data point. ([#39256](https://github.com/hashicorp/terraform-provider-aws/issues/39256)) - resource/aws\_lexv2models\_slot\_type: Within the `value_selection_setting.advanced_recognition_setting` block, the `audio_recognition_setting` argument has been renamed `audio_recognition_strategy`. See the [linked pull request](https://github.com/hashicorp/terraform-provider-aws/pull/39254) for additional justification on this change. The previous misnaming effectively made this argument unusable, therefore a breaking change in a minor version was deemed acceptable. ([#39254](https://github.com/hashicorp/terraform-provider-aws/issues/39254)) FEATURES: - **New Data Source:** `aws_codebuild_fleet` ([#39237](https://github.com/hashicorp/terraform-provider-aws/issues/39237)) - **New Resource:** `aws_cloudformation_stack_instances` ([#36794](https://github.com/hashicorp/terraform-provider-aws/issues/36794)) - **New Resource:** `aws_codebuild_fleet` ([#39237](https://github.com/hashicorp/terraform-provider-aws/issues/39237)) - **New Resource:** `aws_computeoptimizer_enrollment_status` ([#35349](https://github.com/hashicorp/terraform-provider-aws/issues/35349)) - **New Resource:** `aws_computeoptimizer_recommendation_preferences` ([#35349](https://github.com/hashicorp/terraform-provider-aws/issues/35349)) - **New Resource:** `aws_costoptimizationhub_enrollment_status` ([#36440](https://github.com/hashicorp/terraform-provider-aws/issues/36440)) - **New Resource:** `aws_costoptimizationhub_preferences` ([#36526](https://github.com/hashicorp/terraform-provider-aws/issues/36526)) - **New Resource:** `aws_datazone_asset_type` ([#38812](https://github.com/hashicorp/terraform-provider-aws/issues/38812)) - **New Resource:** `aws_datazone_environment_profile` ([#38581](https://github.com/hashicorp/terraform-provider-aws/issues/38581)) - **New Resource:** `aws_lambda_function_recursion_config` ([#39153](https://github.com/hashicorp/terraform-provider-aws/issues/39153)) ENHANCEMENTS: - data-source/aws\_acm\_certificate: Mark `domain` and `tags` as Optional. This enables certificates to be matched based on tags ([#31453](https://github.com/hashicorp/terraform-provider-aws/issues/31453)) - data-source/aws\_kinesis\_stream: Add `encryption_type` and `kms_key_id` attributes ([#39212](https://github.com/hashicorp/terraform-provider-aws/issues/39212)) - datasource/aws\_cognito\_user\_pool: Deprecates `user_pool_tags` in favor of standard `tags`. ([#39260](https://github.com/hashicorp/terraform-provider-aws/issues/39260)) - provider: Adds support for IAM role chaining. The provider attribute `assume_role` now accepts multiple elements. ([#39255](https://github.com/hashicorp/terraform-provider-aws/issues/39255)) - resource/aws\_amplify\_app: Add `cache_config` argument ([#39215](https://github.com/hashicorp/terraform-provider-aws/issues/39215)) - resource/aws\_cloudhsm\_v2\_cluster: Add `mode` argument ([#39206](https://github.com/hashicorp/terraform-provider-aws/issues/39206)) - resource/aws\_cloudhsm\_v2\_cluster: Support `hsm2m.medium` as a valid value for `hsm_type` ([#39206](https://github.com/hashicorp/terraform-provider-aws/issues/39206)) - resource/aws\_codebuild\_project: Add `fleet` attribute in `environment` configuration block ([#39237](https://github.com/hashicorp/terraform-provider-aws/issues/39237)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `snowflake_configuration.buffering_internal` and `snowflake_configuration.buffering_size` arguments ([#39214](https://github.com/hashicorp/terraform-provider-aws/issues/39214)) - resource/aws\_quicksight\_user: Add `READER_PRO`, `AUTHOR_PRO`, and `ADMIN_PRO` as valid values for the `user_role` argument ([#39220](https://github.com/hashicorp/terraform-provider-aws/issues/39220)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.domain_settings.docker_settings` configuration block ([#35416](https://github.com/hashicorp/terraform-provider-aws/issues/35416)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.studio_web_portal_settings`, `default_space_settings.jupyter_lab_app_settings`, `default_space_settings.space_storage_settings`, `default_space_settings.custom_posix_user_config`, and `default_space_settings.custom_file_system_config` configuration blocks ([#38457](https://github.com/hashicorp/terraform-provider-aws/issues/38457)) - resource/aws\_sagemaker\_endpoint\_configuration: Add `production_variants.managed_instance_scaling` and `shadow_production_variants.managed_instance_scaling` configuration blocks ([#35479](https://github.com/hashicorp/terraform-provider-aws/issues/35479)) - resource/aws\_sagemaker\_model: Add `primary_container.inference_specification_name` and `container.inference_specification_name` arguments ([#35873](https://github.com/hashicorp/terraform-provider-aws/issues/35873)) - resource/aws\_sagemaker\_model: Add `primary_container.model_data_source.s3_data_source.model_access_config`, `primary_container.multi_model_config`, `container.model_data_source.s3_data_source.model_access_config`, and \`\`container.multi\_model\_config\` configuration blocks ([#35873](https://github.com/hashicorp/terraform-provider-aws/issues/35873)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.studio_web_portal_settings` configuration block ([#38567](https://github.com/hashicorp/terraform-provider-aws/issues/38567)) - resource/aws\_sfn\_state\_machine: Add plan-time validation of `definition` using the AWS Step Functions [Validation API](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ValidateStateMachineDefinition.html) ([#39229](https://github.com/hashicorp/terraform-provider-aws/issues/39229)) BUG FIXES: - data-source/aws\_eks\_cluster: Return `created_at` as an [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) formatted timestamp ([#24183](https://github.com/hashicorp/terraform-provider-aws/issues/24183)) - datasource/aws\_cognito\_user\_pool: Fixes value conversion error. ([#39260](https://github.com/hashicorp/terraform-provider-aws/issues/39260)) - provider: Fix empty tags drift on fwprovider resources ([#38636](https://github.com/hashicorp/terraform-provider-aws/issues/38636)) - resource/aws\_batch\_job\_queue: Fixes error in schema migration function. ([#39257](https://github.com/hashicorp/terraform-provider-aws/issues/39257)) - resource/aws\_cognito\_user\_pool: Correctly unsets tags. ([#39260](https://github.com/hashicorp/terraform-provider-aws/issues/39260)) - resource/aws\_ecr\_repository\_policy: Fix retry logic handling eventual consistency of newly created IAM roles ([#39190](https://github.com/hashicorp/terraform-provider-aws/issues/39190)) - resource/aws\_eks\_cluster: Return `created_at` as an [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) formatted timestamp ([#24183](https://github.com/hashicorp/terraform-provider-aws/issues/24183)) - resource/aws\_iam\_role: Fix to reduce Terraform reporting differences when a role's ARN temporarily appears as the role's unique ID ([#36794](https://github.com/hashicorp/terraform-provider-aws/issues/36794)) - resource/aws\_networkfirewall\_tls\_inspection\_configuration: Fix issue where `check_certificate_revovation_status` is ignored due to bad autoflex field mapping ([#39211](https://github.com/hashicorp/terraform-provider-aws/issues/39211)) - resource/aws\_networkmonitor\_monitor: Fixes error when optional attribute `aggregation_period` not set. ([#39279](https://github.com/hashicorp/terraform-provider-aws/issues/39279)) - resource/aws\_quicksight\_data\_set: Change `permissions.actions` `MaxItems` from `16` to `20`. This fixes a regression introduced in [v5.66.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5660-september--5-2024) ([#39226](https://github.com/hashicorp/terraform-provider-aws/issues/39226)) - resource/aws\_quicksight\_vpc\_connection: Remove `vpc_connection_id` regular expression validator. This fixes a regression introduced in [v5.66.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5660-september--5-2024) ([#39231](https://github.com/hashicorp/terraform-provider-aws/issues/39231)) - resource/aws\_sagemaker\_domain: Fix update for `default_user_settings.domain_settings` to include missing `security_group_ids` and `r_studio_server_pro_domain_settings` values ([#35416](https://github.com/hashicorp/terraform-provider-aws/issues/35416)) - resource/aws\_sesv2\_configuration\_set: Allow `suppression_options.suppressed_reasons` to be an empty list (`[]`) in order to disable the suppression list ([#29671](https://github.com/hashicorp/terraform-provider-aws/issues/29671)) - resource/aws\_sesv2\_configuration\_set\_event\_destination: Change `event_destination.matching_event_types` from `TypeList` to `TypeSet` as order is not significant ([#36897](https://github.com/hashicorp/terraform-provider-aws/issues/36897)) - resource/aws\_verifiedaccess\_endpoint: fix crash when updating `load_balancer_options.subnet_ids` ([#39196](https://github.com/hashicorp/terraform-provider-aws/issues/39196)) ### [`v5.66.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.66.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.65.0...v5.66.0) FEATURES: - **New Data Source:** `aws_glue_registry` ([#37953](https://github.com/hashicorp/terraform-provider-aws/issues/37953)) - **New Data Source:** `aws_organizations_organizational_unit_descendant_organizational_units` ([#39120](https://github.com/hashicorp/terraform-provider-aws/issues/39120)) - **New Data Source:** `aws_quicksight_analysis` ([#31737](https://github.com/hashicorp/terraform-provider-aws/issues/31737)) - **New Resource:** `aws_datazone_environment` ([#38811](https://github.com/hashicorp/terraform-provider-aws/issues/38811)) ENHANCEMENTS: - data-source/aws\_sns\_topic: Add `tags` attribute ([#38959](https://github.com/hashicorp/terraform-provider-aws/issues/38959)) - data-source/aws\_transfer\_server: Add `tags` attribute ([#39092](https://github.com/hashicorp/terraform-provider-aws/issues/39092)) - resource/aws\_appsync\_graphql\_api: Add `api_type` and `merged_api_execution_role_arn` arguments ([#39159](https://github.com/hashicorp/terraform-provider-aws/issues/39159)) - resource/aws\_bedrockagent\_data\_source: Add `vector_ingestion_configuration.chunking_configuration.semantic_chunking_configuration`, `vector_ingestion_configuration.chunking_configuration.hierarchical_chunking_configuration`, and `vector_ingestion_configuration.parsing_configuration` configuration blocks ([#39138](https://github.com/hashicorp/terraform-provider-aws/issues/39138)) - resource/aws\_datazone\_domain: Add `skip_deletion_protection` attribute ([#38811](https://github.com/hashicorp/terraform-provider-aws/issues/38811)) - resource/aws\_docdbelastic\_cluster: Add `backup_retention_period` and `preferred_backup_window` attributes ([#38452](https://github.com/hashicorp/terraform-provider-aws/issues/38452)) - resource/aws\_quicksight\_data\_source: Add `parameters.databricks` argument ([#31737](https://github.com/hashicorp/terraform-provider-aws/issues/31737)) - resource/aws\_rolesanywhere\_trust\_anchor: Add `notification_settings` argument ([#39108](https://github.com/hashicorp/terraform-provider-aws/issues/39108)) - resource/aws\_sagemaker\_endpoint: Increase Create and Update `InService` timeouts to 60 minutes ([#39090](https://github.com/hashicorp/terraform-provider-aws/issues/39090)) - resource/aws\_wafv2\_rule\_group: Reduce `rate_based_statement.limit` minimum from `100` to `10` ([#39107](https://github.com/hashicorp/terraform-provider-aws/issues/39107)) - resource/aws\_wafv2\_web\_acl: Reduce `rate_based_statement.limit` minimum from `100` to `10` ([#39107](https://github.com/hashicorp/terraform-provider-aws/issues/39107)) BUG FIXES: - data-source/aws\_networkmanager\_core\_network\_policy\_document: Change `segment_actions.via.with_edge_override.use_edge` to be nested set of edges, matching JSON ([#39142](https://github.com/hashicorp/terraform-provider-aws/issues/39142)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Deprecate `segment_actions.via.with_edge_override.use_edge`. Use `segment_actions.via.with_edge_override.use_edge_location` instead ([#39142](https://github.com/hashicorp/terraform-provider-aws/issues/39142)) - many resources: Fixes perpetual diff when tag has a `null` value. ([#38869](https://github.com/hashicorp/terraform-provider-aws/issues/38869)) - resource/aws\_appconfig\_extension: Mark `role_arn` as Optional ([#38900](https://github.com/hashicorp/terraform-provider-aws/issues/38900)) - resource/aws\_lexv2models\_slot\_type: Fix `slot_type_values` validator which limited configurations to 1 element ([#39126](https://github.com/hashicorp/terraform-provider-aws/issues/39126)) - resource/aws\_quicksight\_analysis: Properly send `theme_arn` argument on create and update when configured ([#31737](https://github.com/hashicorp/terraform-provider-aws/issues/31737)) - resource/aws\_rolesanywhere\_profile: Mark `role_arns` as Optional and send an empty list if unconfigured ([#39108](https://github.com/hashicorp/terraform-provider-aws/issues/39108)) - resource/aws\_synthetics\_canary: Remove `run_config.timeout_in_seconds` default value to allow creation of resources with a frequency less than 14 minutes ([#35177](https://github.com/hashicorp/terraform-provider-aws/issues/35177)) ### [`v5.65.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.65.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.64.0...v5.65.0) NOTES: - provider: Updates to Go 1.23. We do not expect this change to impact most users. For macOS, Go 1.23 requires macOS 11 Big Sur or later; support for previous versions has been discontinued. ([#38999](https://github.com/hashicorp/terraform-provider-aws/issues/38999)) FEATURES: - **New Data Source:** `aws_shield_protection` ([#37524](https://github.com/hashicorp/terraform-provider-aws/issues/37524)) - **New Resource:** `aws_glue_catalog_table_optimizer` ([#38052](https://github.com/hashicorp/terraform-provider-aws/issues/38052)) ENHANCEMENTS: - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `ap-southeast-5` AWS Region ([#39052](https://github.com/hashicorp/terraform-provider-aws/issues/39052)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `ap-southeast-5` AWS Region ([#39052](https://github.com/hashicorp/terraform-provider-aws/issues/39052)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `ap-southeast-5` AWS Region ([#39052](https://github.com/hashicorp/terraform-provider-aws/issues/39052)) - provider: Support `ap-southeast-5` as a valid AWS Region ([#39049](https://github.com/hashicorp/terraform-provider-aws/issues/39049)) - resource/aws\_cognito\_user\_pool: Add `password_policy.password_history_size` argument ([#39043](https://github.com/hashicorp/terraform-provider-aws/issues/39043)) - resource/aws\_elastic\_beanstalk\_application\_version: Add `process` argument ([#25468](https://github.com/hashicorp/terraform-provider-aws/issues/25468)) - resource/aws\_elasticsearch\_domain: Treat `SUCCEEDED_WITH_ISSUES` status as success when upgrading cluster ([#38086](https://github.com/hashicorp/terraform-provider-aws/issues/38086)) - resource/aws\_emr\_cluster: Support `io2` as a valid value for `ebs_config.type` ([#37740](https://github.com/hashicorp/terraform-provider-aws/issues/37740)) - resource/aws\_emr\_instance\_fleet: Support `io2` as a valid value for `instance_type_configs.ebs_config.type` ([#37740](https://github.com/hashicorp/terraform-provider-aws/issues/37740)) - resource/aws\_emr\_instance\_group: Support `io2` as a valid value for `instance_type_configs.ebs_config.type` ([#37740](https://github.com/hashicorp/terraform-provider-aws/issues/37740)) - resource/aws\_glue\_job: Add `job_run_queuing_enabled` argument ([#39027](https://github.com/hashicorp/terraform-provider-aws/issues/39027)) - resource/aws\_lambda\_event\_source\_mapping: Add `kms_key_arn` argument ([#39055](https://github.com/hashicorp/terraform-provider-aws/issues/39055)) - resource/aws\_verifiedaccess\_endpoint: Set PolicyEnabled flag to `false` on update if `policy_document` is empty ([#38675](https://github.com/hashicorp/terraform-provider-aws/issues/38675)) BUG FIXES: - resource/aws\_amplify\_app: Fix crash updating `auto_branch_creation_config` ([#39041](https://github.com/hashicorp/terraform-provider-aws/issues/39041)) - resource/aws\_elasticsearch\_domain\_policy: Change `domain_name` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#38086](https://github.com/hashicorp/terraform-provider-aws/issues/38086)) - resource/aws\_elbv2\_listener: Fix crash when reading forward actions not configured in state ([#39039](https://github.com/hashicorp/terraform-provider-aws/issues/39039)) - resource/aws\_emr\_instance\_group: Properly send an `instance_count` value of `0` on create when configured ([#37740](https://github.com/hashicorp/terraform-provider-aws/issues/37740)) - resource/aws\_gamelift\_game\_server\_group: Fix crash while reading server group with a nil auto scaling group ARN ([#39022](https://github.com/hashicorp/terraform-provider-aws/issues/39022)) - resource/aws\_guardduty\_invite\_accepter: Fix `BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter` errors on resource Create ([#39084](https://github.com/hashicorp/terraform-provider-aws/issues/39084)) - resource/aws\_lakeformation\_permissions: Fix error when revoking `data_cells_filter` permissions ([#39026](https://github.com/hashicorp/terraform-provider-aws/issues/39026)) - resource/aws\_neptune\_cluster: Mark `neptune_cluster_parameter_group_name` as Computed ([#38980](https://github.com/hashicorp/terraform-provider-aws/issues/38980)) - resource/aws\_neptune\_cluster\_instance: Mark `neptune_parameter_group_name` as Computed ([#38980](https://github.com/hashicorp/terraform-provider-aws/issues/38980)) - resource/aws\_ssm\_parameter: Fix `ValidationException: Parameter ARN is not supported for this operation` errors when deleting resources imported by ARN ([#39067](https://github.com/hashicorp/terraform-provider-aws/issues/39067)) ### [`v5.64.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.64.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.63.1...v5.64.0) ENHANCEMENTS: - data-source/aws\_opensearch\_domain: Add `dashboard_endpoint_v2`, `domain_endpoint_v2_hosted_zone_id`, and `endpoint_v2` attributes ([#38456](https://github.com/hashicorp/terraform-provider-aws/issues/38456)) - resource/aws\_appautoscaling\_target: Add `suspended_state` configuration block ([#38942](https://github.com/hashicorp/terraform-provider-aws/issues/38942)) - resource/aws\_dynamodb\_table: Add `restore_source_table_arn` attribute ([#38953](https://github.com/hashicorp/terraform-provider-aws/issues/38953)) - resource/aws\_opensearch\_domain: Add `dashboard_endpoint_v2`, `domain_endpoint_v2_hosted_zone_id`, and `endpoint_v2` attributes ([#38456](https://github.com/hashicorp/terraform-provider-aws/issues/38456)) BUG FIXES: - resource/aws\_bedrockagent\_agent: Fixes consistency issues where only some prompts are overridden ([#38944](https://github.com/hashicorp/terraform-provider-aws/issues/38944)) - resource/aws\_cloudformation\_stack\_set\_instance: Fix crash during construction of the `id` attribute when `deployment_targets` does not include organizational unit IDs. ([#38969](https://github.com/hashicorp/terraform-provider-aws/issues/38969)) - resource/aws\_glue\_trigger: Fix crash when null `action` is configured ([#38994](https://github.com/hashicorp/terraform-provider-aws/issues/38994)) - resource/aws\_rds\_cluster: Allow Web Service Data API (`enabled_http_endpoint`) to be enabled and disabled for `provisioned` engine mode and serverlessv2 ([#38997](https://github.com/hashicorp/terraform-provider-aws/issues/38997)) ### [`v5.63.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.63.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.63.0...v5.63.1) FEATURES: - **New Data Source:** `aws_route53_zones` ([#17457](https://github.com/hashicorp/terraform-provider-aws/issues/17457)) - **New Data Source:** `aws_ssoadmin_permission_sets` ([#38741](https://github.com/hashicorp/terraform-provider-aws/issues/38741)) ENHANCEMENTS: - data-source/aws\_batch\_job\_queue: Add `job_state_time_limit_action` attribute ([#38784](https://github.com/hashicorp/terraform-provider-aws/issues/38784)) - resource/aws\_batch\_job\_definition: Add `ecs_properties` argument ([#37871](https://github.com/hashicorp/terraform-provider-aws/issues/37871)) - resource/aws\_batch\_job\_queue: Add `job_state_time_limit_action` argument ([#38784](https://github.com/hashicorp/terraform-provider-aws/issues/38784)) BUG FIXES: - provider: Fix crash when flattening string pointer slices with nil items ([#38886](https://github.com/hashicorp/terraform-provider-aws/issues/38886)) - resource/aws\_datazone\_project: Properly surface import `id` parsing errors ([#38924](https://github.com/hashicorp/terraform-provider-aws/issues/38924)) - resource/aws\_quicksight\_data\_set: Fix crash when setting `logical_table_map.data_transforms.project_operation.projected_columns` with null list elements ([#38886](https://github.com/hashicorp/terraform-provider-aws/issues/38886)) - resource/aws\_ses\_configuration\_set: Fix crash when `reputation_metrics_enabled` is set to `true` ([#38921](https://github.com/hashicorp/terraform-provider-aws/issues/38921)) ### [`v5.63.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.63.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.62.0...v5.63.0) FEATURES: - **New Data Source:** `aws_bedrockagent_agent_versions` ([#38792](https://github.com/hashicorp/terraform-provider-aws/issues/38792)) - **New Resource:** `aws_bedrock_guardrail` ([#38757](https://github.com/hashicorp/terraform-provider-aws/issues/38757)) - **New Resource:** `aws_cloudtrail_organization_delegated_admin_account` ([#38817](https://github.com/hashicorp/terraform-provider-aws/issues/38817)) - **New Resource:** `aws_datazone_environment_profile` ([#35603](https://github.com/hashicorp/terraform-provider-aws/issues/35603)) - **New Resource:** `aws_datazone_form_type` ([#38746](https://github.com/hashicorp/terraform-provider-aws/issues/38746)) - **New Resource:** `aws_datazone_glossary_term` ([#38706](https://github.com/hashicorp/terraform-provider-aws/issues/38706)) - **New Resource:** `aws_pinpoint_email_template` ([#33266](https://github.com/hashicorp/terraform-provider-aws/issues/33266)) ENHANCEMENTS: - resource/aws\_networkfirewall\_logging\_configuration: Change `logging_configuration.log_destination_config` `MaxItems` from `2` to `3` ([#38824](https://github.com/hashicorp/terraform-provider-aws/issues/38824)) BUG FIXES: - data-source/aws\_acm\_certificate: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_appstream\_stack: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_bedrockagent\_agent\_knowledge\_base\_association: Prepare agent when associating a knowledge base so it can be used ([#38799](https://github.com/hashicorp/terraform-provider-aws/issues/38799)) - resource/aws\_cloudwatch\_event\_connection: Fix various expander type assertions to prevent crashes ([#38800](https://github.com/hashicorp/terraform-provider-aws/issues/38800)) - resource/aws\_controltower\_landing\_zone: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_db\_event\_subscription: Fix plan-time validation of `name` and `name_prefix` ([#38194](https://github.com/hashicorp/terraform-provider-aws/issues/38194)) - resource/aws\_ecs\_cluster\_capacity\_providers: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_ecs\_service: Fix crash from nil `service_registries` item ([#38883](https://github.com/hashicorp/terraform-provider-aws/issues/38883)) - resource/aws\_ecs\_task\_definition: Fix perpetual `container_definitions` diffs on `healthCheck`'s default values ([#38872](https://github.com/hashicorp/terraform-provider-aws/issues/38872)) - resource/aws\_ecs\_task\_definition: Prevent lowercasing of the first character of JSON keys in `container_definitions.dockerLabels` ([#38804](https://github.com/hashicorp/terraform-provider-aws/issues/38804)) - resource/aws\_ecs\_task\_definition: Remove `null`s from `container_definition` array fields ([#38870](https://github.com/hashicorp/terraform-provider-aws/issues/38870)) - resource/aws\_elasticache\_replication\_group: Fix crash when setting `replicas_per_node_group` if node groups are empty ([#38797](https://github.com/hashicorp/terraform-provider-aws/issues/38797)) - resource/aws\_fms\_policy: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_grafana\_workspace: Fix crash when empty `network_access_control` block is configured ([#38775](https://github.com/hashicorp/terraform-provider-aws/issues/38775)) - resource/aws\_grafana\_workspace: Fix crash when empty `vpc_configuration` block is configured ([#38775](https://github.com/hashicorp/terraform-provider-aws/issues/38775)) - resource/aws\_iot\_thing\_group: Fix crash when empty `attribute_payload` block is configured ([#38776](https://github.com/hashicorp/terraform-provider-aws/issues/38776)) - resource/aws\_lexv2models\_slot\_type: Fix slot\_type\_values to have sample\_value attribute ([#38856](https://github.com/hashicorp/terraform-provider-aws/issues/38856)) - resource/aws\_networkmanager\_connect\_peer: Set all `configuration.bgp_configurations` on Read ([#38798](https://github.com/hashicorp/terraform-provider-aws/issues/38798)) - resource/aws\_redshift\_cluster: Set `encrypted` on snapshot restore, when enabled ([#38828](https://github.com/hashicorp/terraform-provider-aws/issues/38828)) - resource/aws\_rolesanywhere\_profile: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_rolesanywhere\_trust\_anchor: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix unreturned `sdkdiags.AppendErrorf` function calls ([#38854](https://github.com/hashicorp/terraform-provider-aws/issues/38854)) ### [`v5.62.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.62.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.61.0...v5.62.0) FEATURES: - **New Data Source:** `aws_rds_cluster_parameter_group` ([#38416](https://github.com/hashicorp/terraform-provider-aws/issues/38416)) - **New Data Source:** `aws_secretsmanager_secret_versions` ([#35411](https://github.com/hashicorp/terraform-provider-aws/issues/35411)) - **New Resource:** `aws_ebs_snapshot_block_public_access` ([#38641](https://github.com/hashicorp/terraform-provider-aws/issues/38641)) - **New Resource:** `aws_rds_integration` ([#35199](https://github.com/hashicorp/terraform-provider-aws/issues/35199)) ENHANCEMENTS: - data-source/aws\_s3\_bucket\_object: Expand content types that can be read from S3 to include include `application/x-sql` ([#38737](https://github.com/hashicorp/terraform-provider-aws/issues/38737)) - data-source/aws\_s3\_object: Expand content types that can be read from S3 to include `application/x-sql` ([#38737](https://github.com/hashicorp/terraform-provider-aws/issues/38737)) - provider: Allow `default_tags` to be set by environment variables ([#33339](https://github.com/hashicorp/terraform-provider-aws/issues/33339)) - provider: Allow `ignore_tags.keys` and `ignore_tags.key_prefixes` to be set by environment variables ([#35264](https://github.com/hashicorp/terraform-provider-aws/issues/35264)) - resource/aws\_db\_option\_group: Add `skip_destroy` argument ([#29663](https://github.com/hashicorp/terraform-provider-aws/issues/29663)) - resource/aws\_db\_parameter\_group: Add `skip_destroy` argument ([#29663](https://github.com/hashicorp/terraform-provider-aws/issues/29663)) - resource/aws\_dx\_macsec\_key\_association: Add plan-time validation of `secret_arn` ([#37213](https://github.com/hashicorp/terraform-provider-aws/issues/37213)) - resource/aws\_ecs\_service: Add `force_delete` argument ([#38707](https://github.com/hashicorp/terraform-provider-aws/issues/38707)) - resource/aws\_grafana\_license\_association: Add `grafana_token` argument ([#38743](https://github.com/hashicorp/terraform-provider-aws/issues/38743)) - resource/aws\_lb\_target\_group: Add `target_health_state.unhealthy_draining_interval` argument ([#38654](https://github.com/hashicorp/terraform-provider-aws/issues/38654)) - resource/aws\_lexv2models\_slot: Add `sub_slot_setting` attribute ([#38698](https://github.com/hashicorp/terraform-provider-aws/issues/38698)) BUG FIXES: - data-source/aws\_ecr\_repository\_creation\_template: Support `ROOT` as a valid value for `prefix` ([#38685](https://github.com/hashicorp/terraform-provider-aws/issues/38685)) - data-source/aws\_msk\_broker\_nodes: Filter out nodes with no broker info ([#38042](https://github.com/hashicorp/terraform-provider-aws/issues/38042)) - resource/aws\_appconfig\_configuration\_profile: Increase `name` max length validation to 128 ([#37539](https://github.com/hashicorp/terraform-provider-aws/issues/37539)) - resource/aws\_batch\_job\_definition: Fix panic when checking `eks_properties` for job updates ([#38716](https://github.com/hashicorp/terraform-provider-aws/issues/38716)) - resource/aws\_batch\_job\_definition: Fix panic when checking `retry_strategy` for job updates ([#38716](https://github.com/hashicorp/terraform-provider-aws/issues/38716)) - resource/aws\_batch\_job\_definition: Fix panic when checking `timeout` for job updates ([#38716](https://github.com/hashicorp/terraform-provider-aws/issues/38716)) - resource/aws\_ec2\_capacity\_block\_reservation: Fix error during apply for missing `created_date` attribute ([#38689](https://github.com/hashicorp/terraform-provider-aws/issues/38689)) - resource/aws\_ecr\_repository\_creation\_template: Support `ROOT` as a valid value for `prefix` ([#38685](https://github.com/hashicorp/terraform-provider-aws/issues/38685)) - resource/aws\_elbv2\_trust\_store\_revocation: Fix to properly return errors during resource creation ([#38756](https://github.com/hashicorp/terraform-provider-aws/issues/38756)) - resource/aws\_emr\_cluster: Fix panic when reading an instance fleet with an empty `launch_specifications` argument ([#38773](https://github.com/hashicorp/terraform-provider-aws/issues/38773)) - resource/aws\_lexv2models\_bot: Handle `PreconditionFailedException` on delete for resources deleted out-of-band ([#38661](https://github.com/hashicorp/terraform-provider-aws/issues/38661)) - resource/aws\_lexv2models\_bot\_locale: Handle `PreconditionFailedException` on delete for resources deleted out-of-band ([#38661](https://github.com/hashicorp/terraform-provider-aws/issues/38661)) - resource/aws\_lexv2models\_bot\_version: Handle `PreconditionFailedException` on delete for resources deleted out-of-band ([#38661](https://github.com/hashicorp/terraform-provider-aws/issues/38661)) - resource/aws\_networkmanager\_core\_network: Fix `$.network-function-groups: null found, array expected` errors when creating resource with `create_base_policy` argument ([#38642](https://github.com/hashicorp/terraform-provider-aws/issues/38642)) - resource/aws\_quicksight\_account\_subscription: Fix panic when read returns nil account info ([#38752](https://github.com/hashicorp/terraform-provider-aws/issues/38752)) - resource/aws\_sfn\_state\_machine: Mark `revision_id` and `state_machine_version_arn` as Computed on update if `publish` is `true` ([#38657](https://github.com/hashicorp/terraform-provider-aws/issues/38657)) ### [`v5.61.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.61.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.60.0...v5.61.0) NOTES: - resource/aws\_chatbot\_teams\_channel\_configuration: This resource is provided on a best-effort basis, and we welcome the community's help in testing it. ([#38630](https://github.com/hashicorp/terraform-provider-aws/issues/38630)) FEATURES: - **New Data Source:** `aws_ecr_repository_creation_template` ([#38597](https://github.com/hashicorp/terraform-provider-aws/issues/38597)) - **New Resource:** `aws_chatbot_slack_channel_configuration` ([#38124](https://github.com/hashicorp/terraform-provider-aws/issues/38124)) - **New Resource:** `aws_chatbot_teams_channel_configuration` ([#38630](https://github.com/hashicorp/terraform-provider-aws/issues/38630)) - **New Resource:** `aws_datazone_glossary` ([#38602](https://github.com/hashicorp/terraform-provider-aws/issues/38602)) - **New Resource:** `aws_ecr_repository_creation_template` ([#38597](https://github.com/hashicorp/terraform-provider-aws/issues/38597)) - **New Resource:** `aws_timestreaminfluxdb_db_instance` ([#37963](https://github.com/hashicorp/terraform-provider-aws/issues/37963)) ENHANCEMENTS: - data-source/aws\_eks\_cluster: Add `upgrade_policy` attribute ([#38573](https://github.com/hashicorp/terraform-provider-aws/issues/38573)) - data-source/aws\_sagemaker\_prebuilt\_ecr\_image: Support additional `repository_name` values. See [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sagemaker_prebuilt_ecr_image#repository_name) for details ([#38575](https://github.com/hashicorp/terraform-provider-aws/issues/38575)) - resource/aws\_appsync\_graphql\_api: Add `enhanced_metrics_config` configuration block ([#38570](https://github.com/hashicorp/terraform-provider-aws/issues/38570)) - resource/aws\_db\_instance: Add `upgrade_storage_config` argument ([#36904](https://github.com/hashicorp/terraform-provider-aws/issues/36904)) - resource/aws\_default\_vpc: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_default\_vpc: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_eks\_cluster: Add `upgrade_policy` configuration block ([#38573](https://github.com/hashicorp/terraform-provider-aws/issues/38573)) - resource/aws\_elasticache\_user\_group\_association: Add configurable create and delete timeouts ([#38559](https://github.com/hashicorp/terraform-provider-aws/issues/38559)) - resource/aws\_pipes\_pipe: Add `log_configuration.include_execution_data` argument ([#38569](https://github.com/hashicorp/terraform-provider-aws/issues/38569)) - resource/aws\_rds\_cluster: Add `performance_insights_enabled`, `performance_insights_kms_key_id`, and `performance_insights_retention_period` arguments ([#29415](https://github.com/hashicorp/terraform-provider-aws/issues/29415)) - resource/aws\_rds\_cluster: Add `restore_to_point_in_time.source_cluster_resource_id` argument ([#38540](https://github.com/hashicorp/terraform-provider-aws/issues/38540)) - resource/aws\_rds\_cluster: Mark `restore_to_point_in_time.source_cluster_identifier` as Optional ([#38540](https://github.com/hashicorp/terraform-provider-aws/issues/38540)) - resource/aws\_sfn\_activity: Add `encryption_configuration` configuration block to support the use of Customer Managed Keys with AWS KMS to encrypt Step Functions Activity resources ([#38574](https://github.com/hashicorp/terraform-provider-aws/issues/38574)) - resource/aws\_sfn\_state\_machine: Add `encryption_configuration` configuration block to support the use of Customer Managed Keys with AWS KMS to encrypt Step Functions State Machine resources ([#38574](https://github.com/hashicorp/terraform-provider-aws/issues/38574)) - resource/aws\_ssm\_patch\_baseline: Remove empty fields from `json` attribute value ([#35950](https://github.com/hashicorp/terraform-provider-aws/issues/35950)) - resource/aws\_storagegateway\_file\_system\_association: Add configurable timeouts ([#38554](https://github.com/hashicorp/terraform-provider-aws/issues/38554)) - resource/aws\_vpc: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_vpc: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_vpc\_ipv6\_cidr\_block\_association: Add `assign_generated_ipv6_cidr_block` and `ipv6_pool` arguments ([#27274](https://github.com/hashicorp/terraform-provider-aws/issues/27274)) - resource/aws\_vpc\_ipv6\_cidr\_block\_association: Support `ipv6_cidr_block` sizes between `/44` and `/60` in increments of /4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_vpc\_ipv6\_cidr\_block\_association: Support `ipv6_netmask_length` values between `44` and `60` in increments of 4 ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_vpc\_security\_group\_egress\_rule: Add `tags` to the `AuthorizeSecurityGroupEgress` EC2 API call instead of making a separate `CreateTags` call ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_vpc\_security\_group\_ingress\_rule: Add `tags` to the `AuthorizeSecurityGroupIngress` EC2 API call instead of making a separate `CreateTags` call ([#35614](https://github.com/hashicorp/terraform-provider-aws/issues/35614)) - resource/aws\_wafv2\_web\_acl: Add `rule_json` attribute to allow raw JSON for rules. ([#38309](https://github.com/hashicorp/terraform-provider-aws/issues/38309)) BUG FIXES: - data-source/aws\_appstream\_image: Fix issue where the most recent image is not returned ([#38571](https://github.com/hashicorp/terraform-provider-aws/issues/38571)) - datasource/aws\_networkmanager\_core\_network\_policy\_document: Fix `CoreNetworkPolicyException` when putting policy with single wildcard in `when_sent_to` ([#38595](https://github.com/hashicorp/terraform-provider-aws/issues/38595)) - resource/aws\_cloudsearch\_domain: Fix `index_name` character length validation ([#38509](https://github.com/hashicorp/terraform-provider-aws/issues/38509)) - resource/aws\_ecs\_task\_definition: Ensure that JSON keys in `container_definitions` start with a lowercase letter ([#38622](https://github.com/hashicorp/terraform-provider-aws/issues/38622)) - resource/aws\_iot\_provisioning\_template: Properly send `type` argument on create when configured ([#38640](https://github.com/hashicorp/terraform-provider-aws/issues/38640)) - resource/aws\_opensearchserverless\_security\_policy: Normalize `policy` content to prevent persistent differences ([#38604](https://github.com/hashicorp/terraform-provider-aws/issues/38604)) - resource/aws\_pipes\_pipe: Don't reset `target_parameters` if the configured value has not changed ([#38598](https://github.com/hashicorp/terraform-provider-aws/issues/38598)) - resource/aws\_rds\_instance: Allow `domain_dns_ips` to use single DNS server IP ([#36500](https://github.com/hashicorp/terraform-provider-aws/issues/36500)) - resource/aws\_sagemaker\_domain: Properly send `domain_settings.r_studio_server_pro_domain_settings.r_studio_package_manager_url` argument on create ([#38547](https://github.com/hashicorp/terraform-provider-aws/issues/38547)) - resource/aws\_vpc\_ipam\_pool\_cidr\_allocation: Set `description` on Read ([#38618](https://github.com/hashicorp/terraform-provider-aws/issues/38618)) - resource/aws\_vpc\_ipam\_pool\_cidr\_allocation: Set `netmask_length` on Read ([#38618](https://github.com/hashicorp/terraform-provider-aws/issues/38618)) ### [`v5.60.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.60.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.59.0...v5.60.0) NOTES: - resource/aws\_shield\_subscription: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#37637](https://github.com/hashicorp/terraform-provider-aws/issues/37637)) FEATURES: - **New Data Source:** `aws_service_principal` ([#38307](https://github.com/hashicorp/terraform-provider-aws/issues/38307)) - **New Resource:** `aws_shield_subscription` ([#37637](https://github.com/hashicorp/terraform-provider-aws/issues/37637)) ENHANCEMENTS: - data-source/aws\_cloudwatch\_event\_bus: Add `kms_key_identifier` attribute ([#38492](https://github.com/hashicorp/terraform-provider-aws/issues/38492)) - data-source/aws\_cur\_report\_definition: Add `tags` attribute ([#38483](https://github.com/hashicorp/terraform-provider-aws/issues/38483)) - resource/aws\_appflow\_flow: Add `metadata_catalog_config` attribute ([#37566](https://github.com/hashicorp/terraform-provider-aws/issues/37566)) - resource/aws\_appflow\_flow: Add `prefix_hierarchy` attribute to `destination_flow_config.s3.s3_output_format_config` ([#37566](https://github.com/hashicorp/terraform-provider-aws/issues/37566)) - resource/aws\_batch\_job\_definition: Add `eks_properties.*.pod_properties.*.image_pull_secret` argument ([#38517](https://github.com/hashicorp/terraform-provider-aws/issues/38517)) - resource/aws\_cloudformation\_stack\_set\_instance: Add `operation_preferences.concurrency_mode` argument ([#38498](https://github.com/hashicorp/terraform-provider-aws/issues/38498)) - resource/aws\_cloudwatch\_event\_bus: Add `kms_key_identifier` argument ([#38492](https://github.com/hashicorp/terraform-provider-aws/issues/38492)) - resource/aws\_cur\_report\_definition: Add `tags` argument and `tags_all` attribute ([#38483](https://github.com/hashicorp/terraform-provider-aws/issues/38483)) - resource/aws\_db\_cluster\_snapshot: Add `shared_accounts` argument ([#34885](https://github.com/hashicorp/terraform-provider-aws/issues/34885)) - resource/aws\_db\_snapshot\_copy: Add `shared_accounts` argument ([#34843](https://github.com/hashicorp/terraform-provider-aws/issues/34843)) - resource/aws\_glue\_connection: Add `AZURECOSMOS`, `AZURESQL`, `BIGQUERY`, `OPENSEARCH`, and `SNOWFLAKE` as valid values for the `connection_type` argument and `SparkProperties` as a valid value for the `connection_properties` argument ([#37731](https://github.com/hashicorp/terraform-provider-aws/issues/37731)) - resource/aws\_iam\_role: Change from partial resource creation to resource creation failed if an `inline_policy` fails to create ([#38477](https://github.com/hashicorp/terraform-provider-aws/issues/38477)) - resource/aws\_rds\_cluster: Add `scaling_configuration.seconds_before_timeout` argument ([#38451](https://github.com/hashicorp/terraform-provider-aws/issues/38451)) - resource/aws\_sesv2\_configuration\_set\_event\_destination: Add `event_destination.event_bridge_destination` configuration block ([#38458](https://github.com/hashicorp/terraform-provider-aws/issues/38458)) - resource/aws\_timestreamwrite\_table: Fix `runtime error: invalid memory address or nil pointer dereference` panic when reading a non-existent table ([#38512](https://github.com/hashicorp/terraform-provider-aws/issues/38512)) BUG FIXES: - data-source/aws\_fsx\_ontap\_storage\_virtual\_machine: Correctly set `tags` on Read ([#38343](https://github.com/hashicorp/terraform-provider-aws/issues/38343)) - data-source/aws\_fsx\_openzfs\_snapshot: Correctly set `tags` on Read ([#38343](https://github.com/hashicorp/terraform-provider-aws/issues/38343)) - resource/aws\_ce\_cost\_category: Fix perpetual diff with the `rule` argument on update ([#38449](https://github.com/hashicorp/terraform-provider-aws/issues/38449)) - resource/aws\_codebuild\_webhook: Remove errant validation on `scope_configuration.domain` argument ([#38513](https://github.com/hashicorp/terraform-provider-aws/issues/38513)) - resource/aws\_ecs\_service: Fix `error marshaling prior state: a number is required` when upgrading from v5.58.0 to v5.59.0 ([#38490](https://github.com/hashicorp/terraform-provider-aws/issues/38490)) - resource/aws\_ecs\_task\_definition: Fix `Provider produced inconsistent final plan` errors when `container_definitions` is [unknown](https://developer.hashicorp.com/terraform/language/expressions/references#values-not-yet-known) ([#38471](https://github.com/hashicorp/terraform-provider-aws/issues/38471)) - resource/aws\_elasticache\_replication\_group: Fix `error marshaling prior state` when upgrading from v4.67.0 to v5.59.0 ([#38476](https://github.com/hashicorp/terraform-provider-aws/issues/38476)) - resource/aws\_fsx\_openzfs\_volume: Correctly set `tags` on Read ([#38343](https://github.com/hashicorp/terraform-provider-aws/issues/38343)) - resource/aws\_rds\_cluster: Mark `ca_certificate_identifier` as Computed ([#38437](https://github.com/hashicorp/terraform-provider-aws/issues/38437)) - resource/aws\_rds\_cluster: Use the configured `copy_tags_to_snapshot` value when `restore_to_point_in_time` is set ([#34044](https://github.com/hashicorp/terraform-provider-aws/issues/34044)) - resource/aws\_rds\_cluster: Wait for no pending modified values on Update if `apply_immediately` is `true`. This fixes `InvalidParameterCombination` errors when updating `engine_version` ([#38437](https://github.com/hashicorp/terraform-provider-aws/issues/38437)) ### [`v5.59.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.59.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.58.0...v5.59.0) FEATURES: - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `secrets_manager_configuration` to `redshift_configuration`, `snowflake_configuration`, and `splunk_configuration` ([#38151](https://github.com/hashicorp/terraform-provider-aws/issues/38151)) - **New Data Source:** `aws_cloudfront_origin_access_control` ([#36301](https://github.com/hashicorp/terraform-provider-aws/issues/36301)) - **New Data Source:** `aws_timestreamwrite_database` ([#36368](https://github.com/hashicorp/terraform-provider-aws/issues/36368)) - **New Data Source:** `aws_timestreamwrite_table` ([#36599](https://github.com/hashicorp/terraform-provider-aws/issues/36599)) - **New Resource:** `aws_datazone_project` ([#38345](https://github.com/hashicorp/terraform-provider-aws/issues/38345)) - **New Resource:** `aws_grafana_workspace_service_account` ([#38101](https://github.com/hashicorp/terraform-provider-aws/issues/38101)) - **New Resource:** `aws_grafana_workspace_service_account_token` ([#38101](https://github.com/hashicorp/terraform-provider-aws/issues/38101)) - **New Resource:** `aws_rds_certificate` ([#35003](https://github.com/hashicorp/terraform-provider-aws/issues/35003)) - **New Resource:** `aws_rekognition_stream_processor` ([#37536](https://github.com/hashicorp/terraform-provider-aws/issues/37536)) ENHANCEMENTS: - data-source/aws\_elasticache\_replication\_group: Add `cluster_mode` attribute ([#38002](https://github.com/hashicorp/terraform-provider-aws/issues/38002)) - data-source/aws\_lakeformation\_data\_lake\_settings: Add `allow_full_table_external_data_access` attribute ([#34474](https://github.com/hashicorp/terraform-provider-aws/issues/34474)) - data-source/aws\_msk\_cluster: Add `broker_node_group_info` attribute ([#37705](https://github.com/hashicorp/terraform-provider-aws/issues/37705)) - resource/aws\_bedrockagent\_agent : Add `skip_resource_in_use_check` argument ([#37586](https://github.com/hashicorp/terraform-provider-aws/issues/37586)) - resource/aws\_bedrockagent\_agent\_action\_group: Add `action_group_executor.custom_control` argument ([#37484](https://github.com/hashicorp/terraform-provider-aws/issues/37484)) - resource/aws\_bedrockagent\_agent\_action\_group: Add `function_schema` configuration block ([#37484](https://github.com/hashicorp/terraform-provider-aws/issues/37484)) - resource/aws\_bedrockagent\_agent\_alias : Add `routing_configuration.provisioned_throughput` argument ([#37520](https://github.com/hashicorp/terraform-provider-aws/issues/37520)) - resource/aws\_codebuild\_webhook: Add `scope_configuration` argument ([#38199](https://github.com/hashicorp/terraform-provider-aws/issues/38199)) - resource/aws\_codepipeline: Add `timeout_in_minutes` argument to the `action` configuration block ([#36316](https://github.com/hashicorp/terraform-provider-aws/issues/36316)) - resource/aws\_db\_instance: Add `engine_lifecycle_support` argument ([#37708](https://github.com/hashicorp/terraform-provider-aws/issues/37708)) - resource/aws\_ecs\_cluster: Add `configuration.managed_storage_configuration` argument ([#37932](https://github.com/hashicorp/terraform-provider-aws/issues/37932)) - resource/aws\_elasticache\_replication\_group: Add `cluster_mode` argument ([#38002](https://github.com/hashicorp/terraform-provider-aws/issues/38002)) - resource/aws\_emrserverless\_application: Add `interactive_configuration` argument ([#37889](https://github.com/hashicorp/terraform-provider-aws/issues/37889)) - resource/aws\_fis\_experiment\_template: Add `experiment_options` configuration block ([#36900](https://github.com/hashicorp/terraform-provider-aws/issues/36900)) - resource/aws\_fsx\_lustre\_file\_system: Add `final_backup_tags` and `skip_final_backup` arguments ([#37717](https://github.com/hashicorp/terraform-provider-aws/issues/37717)) - resource/aws\_fsx\_ontap\_volume: Add `final_backup_tags` argument ([#37717](https://github.com/hashicorp/terraform-provider-aws/issues/37717)) - resource/aws\_fsx\_openzfs\_file\_system: Add `delete_options` and `final_backup_tags` arguments ([#37717](https://github.com/hashicorp/terraform-provider-aws/issues/37717)) - resource/aws\_fsx\_windows\_file\_system: Add `final_backup_tags` argument ([#37717](https://github.com/hashicorp/terraform-provider-aws/issues/37717)) - resource/aws\_imagebuilder\_image\_pipeline: Add `execution_role` and `workflow` arguments ([#37317](https://github.com/hashicorp/terraform-provider-aws/issues/37317)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `secrets_manager_configuration` to `http_endpoint_configuration` ([#38245](https://github.com/hashicorp/terraform-provider-aws/issues/38245)) - resource/aws\_kinesisanalyticsv2\_application: Support `FLINK-1_19` as a valid value for `runtime_environment` ([#38350](https://github.com/hashicorp/terraform-provider-aws/issues/38350)) - resource/aws\_lakeformation\_data\_lake\_settings: Add `allow_full_table_external_data_access` attribute ([#34474](https://github.com/hashicorp/terraform-provider-aws/issues/34474)) - resource/aws\_lb\_target\_group: Add `target_group_health` configuration block ([#37082](https://github.com/hashicorp/terraform-provider-aws/issues/37082)) - resource/aws\_msk\_replicator: Add `starting_position` argument ([#36968](https://github.com/hashicorp/terraform-provider-aws/issues/36968)) - resource/aws\_rds\_cluster: Add `engine_lifecycle_support` argument ([#37708](https://github.com/hashicorp/terraform-provider-aws/issues/37708)) - resource/aws\_rds\_global\_cluster: Add `engine_lifecycle_support` argument ([#37708](https://github.com/hashicorp/terraform-provider-aws/issues/37708)) - resource/aws\_redshift\_cluster\_snapshot: Set `arn` from `DescribeClusterSnapshots` API response ([#37996](https://github.com/hashicorp/terraform-provider-aws/issues/37996)) - resource/aws\_vpclattice\_listener: Support `TLS_PASSTHROUGH` as a valid value for `protocol` ([#37964](https://github.com/hashicorp/terraform-provider-aws/issues/37964)) - resource/aws\_wafv2\_web\_acl: Add `enable_machine_learning` to `aws_managed_rules_bot_control_rule_set` configuration block ([#37006](https://github.com/hashicorp/terraform-provider-aws/issues/37006)) BUG FIXES: - data-source/aws\_efs\_access\_point: Set `id` the the access point ID, not the file system ID. This fixes a regression introduced in [v5.58.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5580-july-11-2024) ([#38372](https://github.com/hashicorp/terraform-provider-aws/issues/38372)) - data-source/aws\_lb\_listener: Correctly set `default_action.target_group_arn` ([#37348](https://github.com/hashicorp/terraform-provider-aws/issues/37348)) - resource/aws\_chime\_voice\_connector\_group: Properly handle voice connector groups deleted out of band ([#36774](https://github.com/hashicorp/terraform-provider-aws/issues/36774)) - resource/aws\_codebuild\_project: Fix unsetting `concurrent_build_limit` ([#37748](https://github.com/hashicorp/terraform-provider-aws/issues/37748)) - resource/aws\_codepipeline: Mark `trigger` as Computed ([#36316](https://github.com/hashicorp/terraform-provider-aws/issues/36316)) - resource/aws\_ecs\_service: Change `volume_configuration.managed_ebs_volume.throughput` from `TypeString` to `TypeInt` ([#38109](https://github.com/hashicorp/terraform-provider-aws/issues/38109)) - resource/aws\_elasticache\_replication\_group: Allows setting `replicas_per_node_group` to `0` and sets the maximum to `5`. ([#38396](https://github.com/hashicorp/terraform-provider-aws/issues/38396)) - resource/aws\_elasticache\_replication\_group: Requires `description`. ([#38396](https://github.com/hashicorp/terraform-provider-aws/issues/38396)) - resource/aws\_elasticache\_replication\_group: When `num_cache_clusters` is set, prevents setting `replicas_per_node_group`. ([#38396](https://github.com/hashicorp/terraform-provider-aws/issues/38396)) - resource/aws\_elasticache\_replication\_group: `num_cache_clusters` must be at least 2 when `automatic_failover_enabled` is `true`. ([#38396](https://github.com/hashicorp/terraform-provider-aws/issues/38396)) - resource/aws\_elastictranscoder\_pipeline: Properly handle NotFound exceptions during deletion ([#38018](https://github.com/hashicorp/terraform-provider-aws/issues/38018)) - resource/aws\_elastictranscoder\_preset: Properly handle NotFound exceptions during deletion ([#38018](https://github.com/hashicorp/terraform-provider-aws/issues/38018)) - resource/aws\_lb\_target\_group: Use the configured `ip_address_type` value when `target_type` is `instance` ([#36423](https://github.com/hashicorp/terraform-provider-aws/issues/36423)) - resource/aws\_lb\_trust\_store: Wait until trust store is `ACTIVE` on resource Create ([#38332](https://github.com/hashicorp/terraform-provider-aws/issues/38332)) - resource/aws\_pinpoint\_app: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic when `campaign_hook` is empty (`{}`) ([#38323](https://github.com/hashicorp/terraform-provider-aws/issues/38323)) - resource/aws\_transfer\_server: Add supported values `TransferSecurityPolicy-FIPS-2024-05`, `TransferSecurityPolicy-Restricted-2018-11`, and `TransferSecurityPolicy-Restricted-2020-06` for the `security_policy_name` argument ([#38425](https://github.com/hashicorp/terraform-provider-aws/issues/38425)) ### [`v5.58.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.58.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.57.0...v5.58.0) FEATURES: - **New Resource:** `aws_cloudwatch_log_account_policy` ([#38328](https://github.com/hashicorp/terraform-provider-aws/issues/38328)) - **New Resource:** `aws_verifiedpermissions_identity_source` ([#38181](https://github.com/hashicorp/terraform-provider-aws/issues/38181)) ENHANCEMENTS: - data-source/aws\_launch\_template: Add `network_interfaces.primary_ipv6` attribute ([#37142](https://github.com/hashicorp/terraform-provider-aws/issues/37142)) - data-source/aws\_mskconnect\_connector: Add `tags` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - data-source/aws\_mskconnect\_custom\_plugin: Add `tags` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - data-source/aws\_mskconnect\_worker\_configuration: Add `tags` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - data-source/aws\_oam\_link: Add `link_configuration` attribute ([#38277](https://github.com/hashicorp/terraform-provider-aws/issues/38277)) - resource/aws\_cloudformation\_stack\_set\_instance: Extend `deployment_targets` argument. ([#37898](https://github.com/hashicorp/terraform-provider-aws/issues/37898)) - resource/aws\_cloudtrail\_event\_data\_store: Add `billing_mode` argument ([#38273](https://github.com/hashicorp/terraform-provider-aws/issues/38273)) - resource/aws\_db\_instance: Fix `InvalidParameterCombination: A parameter group can't be specified during Read Replica creation for the following DB engine: postgres` errors ([#38227](https://github.com/hashicorp/terraform-provider-aws/issues/38227)) - resource/aws\_ec2\_capacity\_reservation: Add configurable timeouts ([#36754](https://github.com/hashicorp/terraform-provider-aws/issues/36754)) - resource/aws\_ec2\_capacity\_reservation: Retry `InsufficientInstanceCapacity` errors ([#36754](https://github.com/hashicorp/terraform-provider-aws/issues/36754)) - resource/aws\_eks\_cluster: Add `bootstrap_self_managed_addons` argument ([#38162](https://github.com/hashicorp/terraform-provider-aws/issues/38162)) - resource/aws\_fms\_policy: Add `resource_set_ids` attribute ([#38161](https://github.com/hashicorp/terraform-provider-aws/issues/38161)) - resource/aws\_fsx\_ontap\_file\_system: Add `384`, `768`, `1536`, `3072`, and `6144` as valid values for `throughput_capacity` ([#38308](https://github.com/hashicorp/terraform-provider-aws/issues/38308)) - resource/aws\_fsx\_ontap\_file\_system: Add `384`, `768`, and `1536` as valid values for `throughput_capacity_per_ha_pair` ([#38308](https://github.com/hashicorp/terraform-provider-aws/issues/38308)) - resource/aws\_fsx\_ontap\_file\_system: Add `MULTI_AZ_2` as a valid value for `deployment_type` ([#38308](https://github.com/hashicorp/terraform-provider-aws/issues/38308)) - resource/aws\_globalaccelerator\_cross\_account\_attachment: Add `cidr_block` argument to `resource` configuration block ([#38196](https://github.com/hashicorp/terraform-provider-aws/issues/38196)) - resource/aws\_iam\_server\_certificate: Add configurable `delete` timeout ([#38212](https://github.com/hashicorp/terraform-provider-aws/issues/38212)) - resource/aws\_launch\_template: Add `network_interfaces.primary_ipv6` argument ([#37142](https://github.com/hashicorp/terraform-provider-aws/issues/37142)) - resource/aws\_mskconnect\_connector: Add `tags` argument and `tags_all` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - resource/aws\_mskconnect\_custom\_plugin: Add `tags` argument and `tags_all` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - resource/aws\_mskconnect\_worker\_configuration: Add `tags` argument and `tags_all` attribute ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - resource/aws\_mskconnect\_worker\_configuration: Add resource deletion logic ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) - resource/aws\_oam\_link: Add `link_configuration` argument ([#38277](https://github.com/hashicorp/terraform-provider-aws/issues/38277)) - resource/aws\_rds\_cluster: Add `ca_certificate_identifier` argument and `ca_certificate_valid_till` attribute ([#37108](https://github.com/hashicorp/terraform-provider-aws/issues/37108)) - resource/aws\_ssm\_association: Add `tags` argument and `tags_all` attribute ([#38271](https://github.com/hashicorp/terraform-provider-aws/issues/38271)) BUG FIXES: - aws\_dx\_lag: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_dynamodb\_kinesis\_streaming\_destination: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_ec2\_capacity\_block\_reservation: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_opensearchserverless\_access\_policy: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_opensearchserverless\_collection: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_opensearchserverless\_security\_config: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_opensearchserverless\_security\_policy: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_opensearchserverless\_vpc\_endpoint: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_ram\_principal\_association: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - aws\_route\_table: Checks for errors other than NotFound when reading. ([#38292](https://github.com/hashicorp/terraform-provider-aws/issues/38292)) - data-source/aws\_ecr\_repository: Fix issue where the `tags` attribute is not set ([#38272](https://github.com/hashicorp/terraform-provider-aws/issues/38272)) - data-source/aws\_eks\_cluster: Add `access_config.bootstrap_cluster_creator_admin_permissions` attribute ([#38295](https://github.com/hashicorp/terraform-provider-aws/issues/38295)) - resource/aws\_appstream\_fleet: Support `0` as a valid value for `idle_disconnect_timeout_in_seconds` ([#38274](https://github.com/hashicorp/terraform-provider-aws/issues/38274)) - resource/aws\_cloudformation\_stack\_set\_instance: Add `ForceNew` to deployment\_targets attributes to ensure a new resource is recreated when the deployment\_targets argument is changed, which was not the case previously. ([#37898](https://github.com/hashicorp/terraform-provider-aws/issues/37898)) - resource/aws\_db\_instance: Correctly mark incomplete instances as [tainted](https://developer.hashicorp.com/terraform/cli/state/taint#the-tainted-status) during creation ([#38252](https://github.com/hashicorp/terraform-provider-aws/issues/38252)) - resource/aws\_eks\_cluster: Set `access_config.bootstrap_cluster_creator_admin_permissions` to `true` on Read for clusters with no `access_config` configured. This allows in-place updates of existing clusters when `access_config` is configured ([#38295](https://github.com/hashicorp/terraform-provider-aws/issues/38295)) - resource/aws\_elasticache\_serverless\_cache: Allow `cache_usage_limits.data_storage.maximum`, `cache_usage_limits.data_storage.minimum`, `cache_usage_limits.ecpu_per_second.maximum` and `cache_usage_limits.ecpu_per_second.minimum` to be updated in-place ([#38269](https://github.com/hashicorp/terraform-provider-aws/issues/38269)) - resource/aws\_mskconnect\_connector: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic when `log_delivery.worker_log_delivery` is empty (`{}`) ([#38270](https://github.com/hashicorp/terraform-provider-aws/issues/38270)) ### [`v5.57.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.57.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.56.1...v5.57.0) FEATURES: - **New Data Source:** `aws_appstream_image` ([#38225](https://github.com/hashicorp/terraform-provider-aws/issues/38225)) - **New Data Source:** `aws_cognito_user_pool` ([#37399](https://github.com/hashicorp/terraform-provider-aws/issues/37399)) - **New Data Source:** `aws_ec2_transit_gateway_peering_attachments` ([#25743](https://github.com/hashicorp/terraform-provider-aws/issues/25743)) - **New Data Source:** `aws_transfer_connector` ([#38213](https://github.com/hashicorp/terraform-provider-aws/issues/38213)) ENHANCEMENTS: - data-source/aws\_backup\_plan: Add `rule` attribute ([#37890](https://github.com/hashicorp/terraform-provider-aws/issues/37890)) - resource/aws\_amplify\_domain\_association: Add `certificate_settings` argument ([#37105](https://github.com/hashicorp/terraform-provider-aws/issues/37105)) - resource/aws\_ec2\_transit\_gateway\_peering\_attachment: Add `options` argument ([#36902](https://github.com/hashicorp/terraform-provider-aws/issues/36902)) - resource/aws\_iot\_authorizer: Add `tags` argument ([#37152](https://github.com/hashicorp/terraform-provider-aws/issues/37152)) - resource/aws\_iot\_topic\_rule: Add `cloudwatch_logs.batch_mode` and `error_action.cloudwatch_logs.batch_mode` arguments ([#36772](https://github.com/hashicorp/terraform-provider-aws/issues/36772)) - resource/aws\_sagemaker\_endpoint\_configuration: Add support for `InputAndOutput` in `capture_mode` ([#37726](https://github.com/hashicorp/terraform-provider-aws/issues/37726)) BUG FIXES: - resource/aws\_iot\_provisioning\_template: Fix `pre_provisioning_hook` update operation ([#37152](https://github.com/hashicorp/terraform-provider-aws/issues/37152)) - resource/aws\_iot\_topic\_rule: Retry IAM eventual consistency errors on Update ([#36286](https://github.com/hashicorp/terraform-provider-aws/issues/36286)) ### [`v5.56.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.56.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.56.0...v5.56.1) BUG FIXES: - data-source/aws\_cognito\_user\_pool\_client: Fix `InvalidParameterException: 2 validation errors detected` errors on Read ([#38168](https://github.com/hashicorp/terraform-provider-aws/issues/38168)) - resource/aws\_cognito\_user: Fix a bug that caused resource recreation for resources imported with certain [import ID](https://developer.hashicorp.com/terraform/language/import#import-id) formats ([#38182](https://github.com/hashicorp/terraform-provider-aws/issues/38182)) - resource/aws\_cognito\_user\_pool: Fix `runtime error: index out of range [0] with length 0` panic when adding `lambda_config` ([#38184](https://github.com/hashicorp/terraform-provider-aws/issues/38184)) ### [`v5.56.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.56.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.55.0...v5.56.0) FEATURES: - **New Resource:** `aws_appfabric_app_authorization_connection` ([#38084](https://github.com/hashicorp/terraform-provider-aws/issues/38084)) - **New Resource:** `aws_appfabric_ingestion` ([#37291](https://github.com/hashicorp/terraform-provider-aws/issues/37291)) - **New Resource:** `aws_appfabric_ingestion_destination` ([#37627](https://github.com/hashicorp/terraform-provider-aws/issues/37627)) - **New Resource:** `aws_networkfirewall_tls_inspection_configuration` ([#35168](https://github.com/hashicorp/terraform-provider-aws/issues/35168)) - **New Resource:** `aws_networkmonitor_monitor` ([#35722](https://github.com/hashicorp/terraform-provider-aws/issues/35722)) - **New Resource:** `aws_networkmonitor_probe` ([#35722](https://github.com/hashicorp/terraform-provider-aws/issues/35722)) ENHANCEMENTS: - resource/aws\_controltower\_control: Add `parameters` argument and `arn` attribute ([#38071](https://github.com/hashicorp/terraform-provider-aws/issues/38071)) - resource/aws\_networkfirewall\_logging\_configuration: Add plan-time validation of `firewall_arn` ([#35168](https://github.com/hashicorp/terraform-provider-aws/issues/35168)) - resource/aws\_quicksight\_account\_subscription: Add `iam_identity_center_instance_arn` attribute ([#36830](https://github.com/hashicorp/terraform-provider-aws/issues/36830)) - resource/aws\_route53\_resolver\_firewall\_rule: Add `firewall_domain_redirection_action` argument ([#37242](https://github.com/hashicorp/terraform-provider-aws/issues/37242)) - resource/aws\_route53\_resolver\_firewall\_rule: Add `q_type` argument ([#38074](https://github.com/hashicorp/terraform-provider-aws/issues/38074)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.canvas_app_settings.generative_ai_settings` configuration block ([#37139](https://github.com/hashicorp/terraform-provider-aws/issues/37139)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.code_editor_app_settings.custom_image` configuration block ([#37153](https://github.com/hashicorp/terraform-provider-aws/issues/37153)) - resource/aws\_sagemaker\_endpoint\_configuration: Add `production_variants.inference_ami_version` and `shadow_production_variants.inference_ami_version` arguments ([#38085](https://github.com/hashicorp/terraform-provider-aws/issues/38085)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.canvas_app_settings.generative_ai_settings` configuration block ([#37139](https://github.com/hashicorp/terraform-provider-aws/issues/37139)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.code_editor_app_settings.custom_image` configuration block ([#37153](https://github.com/hashicorp/terraform-provider-aws/issues/37153)) - resource/aws\_sagemaker\_workforce: add `oidc_config.authentication_request_extra_params` and `oidc_config.scope` arguments ([#38078](https://github.com/hashicorp/terraform-provider-aws/issues/38078)) - resource/aws\_sagemaker\_workteam: Add `worker_access_configuration` attribute ([#38087](https://github.com/hashicorp/terraform-provider-aws/issues/38087)) - resource/aws\_wafv2\_web\_acl: Add `sensitivity_level` argument to `sqli_match_statement` configuration block ([#38077](https://github.com/hashicorp/terraform-provider-aws/issues/38077)) BUG FIXES: - data-source/aws\_ecs\_service: Correctly set `tags` ([#38067](https://github.com/hashicorp/terraform-provider-aws/issues/38067)) - resource/aws\_drs\_replication\_configuration\_template: Fix issues preventing creation and deletion ([#38143](https://github.com/hashicorp/terraform-provider-aws/issues/38143)) ### [`v5.55.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.55.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.54.1...v5.55.0) FEATURES: - **New Resource:** `aws_drs_replication_configuration_template` ([#26399](https://github.com/hashicorp/terraform-provider-aws/issues/26399)) ENHANCEMENTS: - data-source/aws\_autoscaling\_group: Add `mixed_instances_policy.launch_template.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price` attribute ([#38003](https://github.com/hashicorp/terraform-provider-aws/issues/38003)) - data-source/aws\_glue\_catalog\_table: Add `additional_locations` argument in `storage_descriptor` ([#37891](https://github.com/hashicorp/terraform-provider-aws/issues/37891)) - data-source/aws\_launch\_template: Add `instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price` attribute ([#38003](https://github.com/hashicorp/terraform-provider-aws/issues/38003)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `attachment_policies.action.add_to_network_function_group` argument ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `network_function_groups` configuration block ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `send-via` and `send-to` as valid values for `segment_actions.action` ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `single-hop` and `dual-hop` as valid values for `segment_actions.mode` ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add `when_sent_to` and `via` configuration blocks to `segment_actions` ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - resource/aws\_api\_gateway\_integration: Increase maximum value of `timeout_milliseconds` from `29000` (29 seconds) to `300000` (5 minutes) ([#38010](https://github.com/hashicorp/terraform-provider-aws/issues/38010)) - resource/aws\_appsync\_api\_key: Add `api_key_id` attribute ([#36568](https://github.com/hashicorp/terraform-provider-aws/issues/36568)) - resource/aws\_autoscaling\_group: Add `mixed_instances_policy.launch_template.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price` argument ([#38003](https://github.com/hashicorp/terraform-provider-aws/issues/38003)) - resource/aws\_autoscaling\_group: Add plan-time validation of `warm_pool.max_group_prepared_capacity` and `warm_pool.min_size` ([#37174](https://github.com/hashicorp/terraform-provider-aws/issues/37174)) - resource/aws\_docdb\_cluster: Add `restore_to_point_in_time` argument ([#37716](https://github.com/hashicorp/terraform-provider-aws/issues/37716)) - resource/aws\_dynamodb\_table: Adds validation for `ttl` values. ([#37991](https://github.com/hashicorp/terraform-provider-aws/issues/37991)) - resource/aws\_ec2\_fleet: Add `launch_template_config.override.instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price` argument ([#38003](https://github.com/hashicorp/terraform-provider-aws/issues/38003)) - resource/aws\_glue\_catalog\_table: Add `additional_locations` argument in `storage_descriptor` ([#37891](https://github.com/hashicorp/terraform-provider-aws/issues/37891)) - resource/aws\_glue\_job: Add `maintenance_window` argument ([#37760](https://github.com/hashicorp/terraform-provider-aws/issues/37760)) - resource/aws\_launch\_template: Add `instance_requirements.max_spot_price_as_percentage_of_optimal_on_demand_price` argument ([#38003](https://github.com/hashicorp/terraform-provider-aws/issues/38003)) BUG FIXES: - data-source/aws\_ami: Fix `interface conversion: interface {} is types.ProductCodeValues, not string` panic ([#37977](https://github.com/hashicorp/terraform-provider-aws/issues/37977)) - data-source/aws\_networkmanager\_core\_network\_policy\_document: Add correct `except` values to the returned JSON document when `segment_actions.share_with_except` is configured ([#38013](https://github.com/hashicorp/terraform-provider-aws/issues/38013)) - provider: Now falls back to non-FIPS endpoint if `use_fips_endpoint` is set and no FIPS endpoint is available ([#38057](https://github.com/hashicorp/terraform-provider-aws/issues/38057)) - resource/aws\_autoscaling\_group: Fix bug updating `warm_pool.max_group_prepared_capacity` to `0` ([#37174](https://github.com/hashicorp/terraform-provider-aws/issues/37174)) - resource/aws\_dynamodb\_table: Fixes perpetual diff when `ttl.attribute_name` is set when `ttl.enabled` is not set. ([#37991](https://github.com/hashicorp/terraform-provider-aws/issues/37991)) - resource/aws\_ec2\_network\_insights\_path: Mark `destination` as Optional ([#36966](https://github.com/hashicorp/terraform-provider-aws/issues/36966)) - resource/aws\_lambda\_event\_source\_mapping: Remove the upper limit on `scaling_config.maximum_concurrency` ([#37980](https://github.com/hashicorp/terraform-provider-aws/issues/37980)) - service/transitgateway: Fix resource Read pagination regression causing `NotFound` errors ([#38011](https://github.com/hashicorp/terraform-provider-aws/issues/38011)) ### [`v5.54.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.54.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.54.0...v5.54.1) BUG FIXES: - data-source/aws\_ami: Fix `interface conversion: interface {} is types.ProductCodeValues, not string` panic ([######](https://github.com/hashicorp/terraform-provider-aws/issues/#####)) - resource/aws\_codebuild\_project: Increase maximum values of `build_batch_config.timeout_in_mins` and `build_timeout` from `480` (8 hours) to `2160` (36 hours) ([#37970](https://github.com/hashicorp/terraform-provider-aws/issues/37970)) ### [`v5.54.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.54.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.53.0...v5.54.0) NOTES: - resource/aws\_ec2\_capacity\_block\_reservation: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#37528](https://github.com/hashicorp/terraform-provider-aws/issues/37528)) FEATURES: - **New Data Source:** `aws_ec2_capacity_block_offering` ([#37528](https://github.com/hashicorp/terraform-provider-aws/issues/37528)) - **New Resource:** `aws_appfabric_app_authorization` ([#37468](https://github.com/hashicorp/terraform-provider-aws/issues/37468)) - **New Resource:** `aws_appfabric_app_bundle` ([#37542](https://github.com/hashicorp/terraform-provider-aws/issues/37542)) - **New Resource:** `aws_ec2_capacity_block_reservation` ([#37528](https://github.com/hashicorp/terraform-provider-aws/issues/37528)) - **New Resource:** `aws_fms_resource_set` ([#37767](https://github.com/hashicorp/terraform-provider-aws/issues/37767)) - **New Resource:** `aws_guardduty_malware_protection_plan` ([#37919](https://github.com/hashicorp/terraform-provider-aws/issues/37919)) ENHANCEMENTS: - data-source/aws\_opensearch\_domain: Add `ip_address_type` argument ([#37237](https://github.com/hashicorp/terraform-provider-aws/issues/37237)) - resource/aws\_ec2\_traffic\_mirror\_session: Mark `packet_length` as Computed ([#36962](https://github.com/hashicorp/terraform-provider-aws/issues/36962)) - resource/aws\_opensearch\_domain: Add `ip_address_type` argument ([#37237](https://github.com/hashicorp/terraform-provider-aws/issues/37237)) - resource/aws\_vpc\_endpoint: Add `subnet_configuration` argument to support user defined IP addresses ([#37226](https://github.com/hashicorp/terraform-provider-aws/issues/37226)) BUG FIXES: - data-source/aws\_ami: Fix query returning no results ([#37958](https://github.com/hashicorp/terraform-provider-aws/issues/37958)) - provider: Fixes an error where some data sources were not returning `tags` ([#37966](https://github.com/hashicorp/terraform-provider-aws/issues/37966)) - resource/aws\_applicationinsights\_application: Change `resource_group_name` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#36962](https://github.com/hashicorp/terraform-provider-aws/issues/36962)) - resource/aws\_dynamodb\_table: Fix `UnknownOperationException: Tagging is not currently supported in DynamoDB Local` errors on resource Read ([#37924](https://github.com/hashicorp/terraform-provider-aws/issues/37924)) - resource/aws\_ec2\_capacity\_reservation: Fix `InvalidCapacityReservationId.NotFound` errors during Read and Delete when resource is manually deleted ([#37127](https://github.com/hashicorp/terraform-provider-aws/issues/37127)) - resource/aws\_route53\_zone: Fix `InvalidInput: 1 validation error detected: Value '...' at 'resourceId' failed to satisfy constraint: Member must have length less than or equal to 32` errors for resources imported with a `/hostedzone/` prefix ([#37893](https://github.com/hashicorp/terraform-provider-aws/issues/37893)) - service/apigatewayv2: Retry on `ConflictException: Unable to complete operation due to concurrent modification` errors ([#37902](https://github.com/hashicorp/terraform-provider-aws/issues/37902)) ### [`v5.53.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.53.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.52.0...v5.53.0) FEATURES: - **New Resource:** `aws_paymentcryptography_key` ([#37017](https://github.com/hashicorp/terraform-provider-aws/issues/37017)) - **New Resource:** `aws_paymentcryptography_key_alias` ([#37020](https://github.com/hashicorp/terraform-provider-aws/issues/37020)) ENHANCEMENTS: - data-source/aws\_customer\_gateway: Add `bgp_asn_extended` argument ([#37815](https://github.com/hashicorp/terraform-provider-aws/issues/37815)) - data-source/aws\_rds\_engine\_version: Add `supports_limitless_database` attribute ([#37271](https://github.com/hashicorp/terraform-provider-aws/issues/37271)) - provider: The `use_fips_endpoint` flag is now ignored for any service with a custom endpoint configured in `endpoints`. ([#34233](https://github.com/hashicorp/terraform-provider-aws/issues/34233)) - resource/aws\_apigatewayv2\_authorizer: Add configurable `delete` timeout ([#37732](https://github.com/hashicorp/terraform-provider-aws/issues/37732)) - resource/aws\_customer\_gateway: Add `bgp_asn_extended` argument ([#37815](https://github.com/hashicorp/terraform-provider-aws/issues/37815)) - resource/aws\_fsx\_lustre\_file\_system: Add `metadata_configuration` argument ([#37868](https://github.com/hashicorp/terraform-provider-aws/issues/37868)) - resource/aws\_lb: Add support for IPv6-only Application Load Balancers ([#37700](https://github.com/hashicorp/terraform-provider-aws/issues/37700)) - resource/aws\_mwaa\_environment: Add `max_webservers` and `min_webservers` attributes ([#37632](https://github.com/hashicorp/terraform-provider-aws/issues/37632)) - resource/aws\_pipes\_pipe: Add `log_configuration` argument ([#37135](https://github.com/hashicorp/terraform-provider-aws/issues/37135)) - resource/aws\_route53\_record: Fix `InvalidChangeBatch` errors on resource Delete ([#37850](https://github.com/hashicorp/terraform-provider-aws/issues/37850)) - resource/aws\_s3\_bucket: Ignore `UnsupportedOperation` errors when reading `acceleration_status`, `server_side_encryption_configuration` and `tags` ([#37801](https://github.com/hashicorp/terraform-provider-aws/issues/37801)) - resource/aws\_transfer\_ssh\_key: Add `ssh_key_id` attribute ([#37548](https://github.com/hashicorp/terraform-provider-aws/issues/37548)) BUG FIXES: - resource/aws\_apigatewayv2\_authorizer: Fix `ConflictException` errors on resource Delete ([#37732](https://github.com/hashicorp/terraform-provider-aws/issues/37732)) - resource/aws\_bedrockagent\_agent: Increase `instruction` max length for validation to 4000 ([#37758](https://github.com/hashicorp/terraform-provider-aws/issues/37758)) - resource/aws\_cloudwatch\_log\_group: Correctly handles tag updates with empty string tags ([#37668](https://github.com/hashicorp/terraform-provider-aws/issues/37668)) - resource/aws\_kms\_external\_key: Fixes timeout error on creation when `ignore_tags` matches tag assigned to resource ([#37818](https://github.com/hashicorp/terraform-provider-aws/issues/37818)) - resource/aws\_kms\_key: Fixes timeout error on creation when `ignore_tags` matches tag assigned to resource ([#37818](https://github.com/hashicorp/terraform-provider-aws/issues/37818)) - resource/aws\_kms\_replica\_external\_key: Fixes timeout error on creation when `ignore_tags` matches tag assigned to resource ([#37818](https://github.com/hashicorp/terraform-provider-aws/issues/37818)) - resource/aws\_kms\_replica\_key: Fixes timeout error on creation when `ignore_tags` matches tag assigned to resource ([#37818](https://github.com/hashicorp/terraform-provider-aws/issues/37818)) - resource/aws\_mq\_broker: Do not reboot on changes to `maintenance_window_start_time` or `auto_minor_version_upgrade` ([#36506](https://github.com/hashicorp/terraform-provider-aws/issues/36506)) - resource/aws\_pipes\_pipe: Mark `source_parameters.self_managed_kafka_parameters.credentials.basic_auth` as Optional ([#34293](https://github.com/hashicorp/terraform-provider-aws/issues/34293)) - resource/aws\_secretsmanager\_secret: Tags with empty values no longer remove all tags. ([#37743](https://github.com/hashicorp/terraform-provider-aws/issues/37743)) - resource/aws\_ssm\_parameter: Fix `Cannot import non-existent remote object` errors when importing resources with version ([#37832](https://github.com/hashicorp/terraform-provider-aws/issues/37832)) - resource/aws\_vpc\_endpoint: Restore pre-v5.51.0 default of `false` for `private_dns_enabled` ([#37715](https://github.com/hashicorp/terraform-provider-aws/issues/37715)) - service/chatbot: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/costoptimizationhub: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/cur: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/globalaccelerator: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/route53: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/route53domains: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) - service/shield: Correctly overrides region when using custom endpoint. ([#37851](https://github.com/hashicorp/terraform-provider-aws/issues/37851)) ### [`v5.52.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.52.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.51.1...v5.52.0) ENHANCEMENTS: - resource/aws\_kinesisanalyticsv2\_application: Add `application_mode` argument ([#37714](https://github.com/hashicorp/terraform-provider-aws/issues/37714)) - resource/aws\_lightsail\_bucket: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_certificate: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_container\_service: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_database: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_distribution: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_key\_pair: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_lb: Add support to `ListTags` function for proper key-only tag handling ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) BUG FIXES: - resource/aws\_lightsail\_database: Prevent destroy failure when resource is already deleted outside Terraform ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_instance: Fix crash when reading a resource that has a key-only tag ([#37587](https://github.com/hashicorp/terraform-provider-aws/issues/37587)) - resource/aws\_lightsail\_key\_pair: Prevent destroy failure when resource is already deleted outside Terraform ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) - resource/aws\_lightsail\_lb: Prevent destroy failure when resource is already deleted outside Terraform ([#37711](https://github.com/hashicorp/terraform-provider-aws/issues/37711)) ### [`v5.51.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.51.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.51.0...v5.51.1) ENHANCEMENTS: - resource/aws\_ecs\_service: Add `volume_configuration` argument ([#37019](https://github.com/hashicorp/terraform-provider-aws/issues/37019)) - resource/aws\_ecs\_task\_definition: Add `configure_at_launch` parameter in `volume` argument ([#37019](https://github.com/hashicorp/terraform-provider-aws/issues/37019)) BUG FIXES: - data-source/aws\_route53\_zone: Fix incorrect `name_servers` values ([#37685](https://github.com/hashicorp/terraform-provider-aws/issues/37685)) - data-source/aws\_route53\_zone: Permit both `name` and `zone_id` arguments when one is an empty string ([#37686](https://github.com/hashicorp/terraform-provider-aws/issues/37686)) - resource/aws\_route53\_zone: Fix incorrect `name_servers` values ([#37685](https://github.com/hashicorp/terraform-provider-aws/issues/37685)) ### [`v5.51.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.51.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.50.0...v5.51.0) NOTES: - data-source/aws\_lambda\_function: `source_code_hash` attribute has been deprecated in favor of `code_sha256`. Will be removed in a future major version ([#37669](https://github.com/hashicorp/terraform-provider-aws/issues/37669)) - data-source/aws\_lambda\_layer\_version: `source_code_hash` attribute has been deprecated in favor of `code_sha256`. Will be removed in a future major version ([#37646](https://github.com/hashicorp/terraform-provider-aws/issues/37646)) FEATURES: - **New Data Source:** `aws_chatbot_slack_workspace` ([#37218](https://github.com/hashicorp/terraform-provider-aws/issues/37218)) - **New Resource:** `aws_lambda_runtime_management_config` ([#37643](https://github.com/hashicorp/terraform-provider-aws/issues/37643)) - **New Resource:** `aws_vpc_endpoint_private_dns` ([#37628](https://github.com/hashicorp/terraform-provider-aws/issues/37628)) - **New Resource:** `aws_vpc_endpoint_service_private_dns_verification` ([#37176](https://github.com/hashicorp/terraform-provider-aws/issues/37176)) ENHANCEMENTS: - data-source/aws\_lambda\_function: Add `code_sha256` attribute ([#37669](https://github.com/hashicorp/terraform-provider-aws/issues/37669)) - data-source/aws\_lambda\_layer\_version: Add `code_sha256` attribute ([#37646](https://github.com/hashicorp/terraform-provider-aws/issues/37646)) - data-source/aws\_route53\_traffic\_policy\_document: Add support for `application-load-balancer`, `elastic-beanstalk` and `network-load-balancer` `endpoint.type` values ([#37618](https://github.com/hashicorp/terraform-provider-aws/issues/37618)) - resource/aws\_api\_gateway\_deployment: Add `canary_settings` attribute ([#37573](https://github.com/hashicorp/terraform-provider-aws/issues/37573)) - resource/aws\_iam\_openid\_connect\_provider: Allow `client_id_list` to be updated in-place ([#37612](https://github.com/hashicorp/terraform-provider-aws/issues/37612)) - resource/aws\_lambda\_function: Add `code_sha256` attribute ([#37669](https://github.com/hashicorp/terraform-provider-aws/issues/37669)) - resource/aws\_lambda\_function: Remove `replace_security_group_on_destroy` and `replacement_security_group_ids` deprecations, re-implement with alternate workflow ([#37624](https://github.com/hashicorp/terraform-provider-aws/issues/37624)) - resource/aws\_lambda\_layer\_version: Add `code_sha256` attribute ([#37646](https://github.com/hashicorp/terraform-provider-aws/issues/37646)) - resource/aws\_route53\_health\_check: Add plan-time validation of `cloudwatch_alarm_region` ([#37510](https://github.com/hashicorp/terraform-provider-aws/issues/37510)) - resource/aws\_route53\_record: Add plan-time validation of `latency_routing_policy.region` ([#37510](https://github.com/hashicorp/terraform-provider-aws/issues/37510)) - resource/aws\_route53\_vpc\_association\_authorization: Add plan-time validation of `vpc_region` ([#37510](https://github.com/hashicorp/terraform-provider-aws/issues/37510)) - resource/aws\_route53\_zone\_association: Add plan-time validation of `vpc_region` ([#37510](https://github.com/hashicorp/terraform-provider-aws/issues/37510)) - resource/aws\_wafv2\_web\_acl: Add `api_gateway`, `app_runner_service`, `cognito_user_pool`, and `verified_access_instance` configuration blocks to `association_config.request_body` ([#37588](https://github.com/hashicorp/terraform-provider-aws/issues/37588)) BUG FIXES: - resource/aws\_dynamodb\_table\_replica: Correctly set `kms_key_arn` on Read ([#37570](https://github.com/hashicorp/terraform-provider-aws/issues/37570)) - resource/aws\_kms\_grant: Change `grant_token` to [`Sensitive`](https://developer.hashicorp.com/terraform/plugin/best-practices/sensitive-state#using-sensitive-flag-functionality) ([#37593](https://github.com/hashicorp/terraform-provider-aws/issues/37593)) - resource/aws\_lambda\_function: Fix issue when `source_code_hash` causes drift even if source code has not changed ([#37669](https://github.com/hashicorp/terraform-provider-aws/issues/37669)) - resource/aws\_lambda\_layer\_version: Fix issue when `source_code_hash` forces a replacement even if source code has not changed ([#37646](https://github.com/hashicorp/terraform-provider-aws/issues/37646)) - resource/aws\_m2\_deployment: Fix `state` error on `deployment_id` during start/stop update ([#37581](https://github.com/hashicorp/terraform-provider-aws/issues/37581)) - resource/aws\_storagegateway\_smb\_file\_share: Fix crash when `cache_attributes` is removed on update ([#37611](https://github.com/hashicorp/terraform-provider-aws/issues/37611)) ### [`v5.50.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.50.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.49.0...v5.50.0) ENHANCEMENTS: - data-source/aws\_budgets\_budget: Add `tags` attribute ([#37361](https://github.com/hashicorp/terraform-provider-aws/issues/37361)) - data-source/aws\_instance: Add `launch_time` attribute ([#37002](https://github.com/hashicorp/terraform-provider-aws/issues/37002)) - resource/aws\_budgets\_budget: Add `tags` argument ([#37361](https://github.com/hashicorp/terraform-provider-aws/issues/37361)) - resource/aws\_budgets\_budget\_action: Add `tags` argument ([#37361](https://github.com/hashicorp/terraform-provider-aws/issues/37361)) - resource/aws\_ecs\_account\_setting\_default: Add support for `fargateTaskRetirementWaitPeriod` value in `Name` argument ([#37018](https://github.com/hashicorp/terraform-provider-aws/issues/37018)) - resource/aws\_ssm\_resource\_data\_sync: Add plan-time validation of `s3_destination.kms_key_arn`, `s3_destination.region` and `s3_destination.sync_format` ([#37481](https://github.com/hashicorp/terraform-provider-aws/issues/37481)) BUG FIXES: - data-source/aws\_bedrock\_foundation\_models: Fix validation regex for the `by_provider` argument ([#37306](https://github.com/hashicorp/terraform-provider-aws/issues/37306)) - resource/aws\_dynamodb\_table: Fix `UnknownOperationException: Tagging is not currently supported in DynamoDB Local` errors on resource Read ([#37472](https://github.com/hashicorp/terraform-provider-aws/issues/37472)) - resource/aws\_glue\_job: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic when `notify_delay_after` is empty (`null`) ([#37347](https://github.com/hashicorp/terraform-provider-aws/issues/37347)) - resource/aws\_iam\_server\_certificate: Now correctly reads tags after update and on read. ([#37483](https://github.com/hashicorp/terraform-provider-aws/issues/37483)) - resource/aws\_lakeformation\_data\_cells\_filter: Fix inconsistent `state` error when using `row_filter.all_rows_wildcard` ([#37433](https://github.com/hashicorp/terraform-provider-aws/issues/37433)) - resource/aws\_organizations\_account: Allow import of accounts with IAM access to the AWS Billing and Cost Management console ([#35662](https://github.com/hashicorp/terraform-provider-aws/issues/35662)) - resource/aws\_ram\_principal\_association: Correct plan-time validation of `principal` to fix `panic: unexpected format for ID parts ([...]), the following id parts indexes are blank ([1])` ([#37450](https://github.com/hashicorp/terraform-provider-aws/issues/37450)) - resource/aws\_route53\_record: Change region default to us-east-1 ([#37565](https://github.com/hashicorp/terraform-provider-aws/issues/37565)) - resource/aws\_vpc\_endpoint\_service: Fix destroy error when endpoint service is deleted out-of-band ([#37534](https://github.com/hashicorp/terraform-provider-aws/issues/37534)) ### [`v5.49.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.49.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.48.0...v5.49.0) FEATURES: - **New Data Source:** `aws_datazone_environment_blueprint` ([#36600](https://github.com/hashicorp/terraform-provider-aws/issues/36600)) - **New Resource:** `aws_bedrockagent_data_source` ([#37158](https://github.com/hashicorp/terraform-provider-aws/issues/37158)) - **New Resource:** `aws_datazone_domain` ([#36600](https://github.com/hashicorp/terraform-provider-aws/issues/36600)) - **New Resource:** `aws_datazone_environment_blueprint_configuration` ([#36600](https://github.com/hashicorp/terraform-provider-aws/issues/36600)) ENHANCEMENTS: - data-source/aws\_iam\_policy\_document: Add `minified_json` attribute ([#35677](https://github.com/hashicorp/terraform-provider-aws/issues/35677)) - resource/aws\_dynamodb\_table\_export: Add plan-time validation of `table_arn` ([#37288](https://github.com/hashicorp/terraform-provider-aws/issues/37288)) - resource/aws\_kms\_key: Add `rotation_period_in_days` argument ([#37140](https://github.com/hashicorp/terraform-provider-aws/issues/37140)) - resource/aws\_securitylake\_subscriber\_notification: Better handles importing resource ([#37332](https://github.com/hashicorp/terraform-provider-aws/issues/37332)) - resource/aws\_securitylake\_subscriber\_notification: Deprecates `endpoint_id` in favor of `subscriber_endpoint` ([#37332](https://github.com/hashicorp/terraform-provider-aws/issues/37332)) - resource/aws\_securitylake\_subscriber\_notification: Handles `configuration.https_notification_configuration.authorization_api_key_value` as sensitive value ([#37332](https://github.com/hashicorp/terraform-provider-aws/issues/37332)) BUG FIXES: - data-source/aws\_fsx\_ontap\_storage\_virtual\_machine: Correctly set `tags` on Read ([#37353](https://github.com/hashicorp/terraform-provider-aws/issues/37353)) - data-source/aws\_rds\_orderable\_db\_instance: Fix `InvalidParameterValue: Invalid value 3412 for MaxRecords. Must be between 20 and 1000` errors ([#37251](https://github.com/hashicorp/terraform-provider-aws/issues/37251)) - data-source/aws\_resourceexplorer2\_search: Fix 401 unauthorized error due to missing `view_arn` in the AWS API request ([#36778](https://github.com/hashicorp/terraform-provider-aws/issues/36778)) - data-source/aws\_resourceexplorer2\_search: Fix panic caused by bad mappping between Terraform and AWS schemas ([#36778](https://github.com/hashicorp/terraform-provider-aws/issues/36778)) - data-source/aws\_resourceexplorer2\_search: Fix state persistence and data types ([#36778](https://github.com/hashicorp/terraform-provider-aws/issues/36778)) - resource/aws\_bedrockagent\_agent: Fix to use the configured `prepare_agent` value (or default value of `true` when omitted) for all create and update operations ([#37405](https://github.com/hashicorp/terraform-provider-aws/issues/37405)) - resource/aws\_elasticsearch\_domain: Fix handling of unset `auto_tune_options.rollback_on_disable` argument ([#37394](https://github.com/hashicorp/terraform-provider-aws/issues/37394)) - resource/aws\_fsx\_ontap\_storage\_virtual\_machine: Correctly set `tags` and `tags_all` on resource Read ([#37353](https://github.com/hashicorp/terraform-provider-aws/issues/37353)) - resource/aws\_fsx\_openzfs\_file\_system: Correctly set `tags` and `tags_all` on resource Read ([#37353](https://github.com/hashicorp/terraform-provider-aws/issues/37353)) - resource/aws\_kms\_custom\_key\_store: Change `trust_anchor_certificate` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#37092](https://github.com/hashicorp/terraform-provider-aws/issues/37092)) - resource/aws\_opensearch\_domain: Fix handling of unset `auto_tune_options.rollback_on_disable` argument ([#37394](https://github.com/hashicorp/terraform-provider-aws/issues/37394)) - resource/aws\_opensearch\_domain: Wait for `auto_tune_options` to be applied during creation ([#37394](https://github.com/hashicorp/terraform-provider-aws/issues/37394)) - resource/aws\_securitylake\_aws\_log\_source: Correctly handles unspecified `source_version` ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_aws\_log\_source: Prevents errors when creating multiple log sources concurrently ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_custom\_log\_source: Prevents errors when creating multiple log sources concurrently ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_custom\_log\_source: Validates length of `source_name` parameter ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_subscriber: Allow more than one log source ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_subscriber: Correctly handles unspecified `access_type` ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_subscriber: Correctly handles unspecified `source_version` parameter for `aws_log_source_resource` and `custom_log_source_resource` ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_subscriber: Correctly requires `source_name` parameter for `aws_log_source_resource` and `custom_log_source_resource` ([#36268](https://github.com/hashicorp/terraform-provider-aws/issues/36268)) - resource/aws\_securitylake\_subscriber\_notification: No longer recreates resource when not needed ([#37332](https://github.com/hashicorp/terraform-provider-aws/issues/37332)) - resource/aws\_securitylake\_subscriber\_notification: Requires value for `configuration.https_notification_configuration.endpoint` ([#37332](https://github.com/hashicorp/terraform-provider-aws/issues/37332)) - resource/provider: Change the AWS SDK for Go v2 API client [`BackoffDelayer`](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2@v1.26.1/aws/retry#BackoffDelayer) to maintain behavioral compatibility with AWS SDK for Go v1 ([#37404](https://github.com/hashicorp/terraform-provider-aws/issues/37404)) ### [`v5.48.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.48.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.47.0...v5.48.0) FEATURES: - **New Resource:** `aws_bedrockagent_agent_knowledge_base_association` ([#37185](https://github.com/hashicorp/terraform-provider-aws/issues/37185)) ENHANCEMENTS: - resource/aws\_cloudwatch\_event\_target: Add `force_destroy` argument ([#37130](https://github.com/hashicorp/terraform-provider-aws/issues/37130)) - resource/aws\_elasticache\_replication\_group: Increase default Delete timeout to 45 minutes ([#37182](https://github.com/hashicorp/terraform-provider-aws/issues/37182)) - resource/aws\_elasticache\_replication\_group: Use the configured Delete timeout when detaching from any global replication group ([#37182](https://github.com/hashicorp/terraform-provider-aws/issues/37182)) - resource/aws\_fsx\_ontap\_file\_system: Add support for specifying 1 ha\_pair with `SINGLE_AZ_1` and `MULTI_AZ_1` deployment types ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) - resource/aws\_fsx\_ontap\_file\_system: Increase `storage_capacity` maximum to 1PiB ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) - resource/aws\_fsx\_ontap\_file\_system: Support up to 12 `ha_pairs` ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) - resource/aws\_fsx\_ontap\_file\_system: Update `throughput_capacity_per_ha_pair` to support all values from `throughput_capacity` ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) - resource/aws\_fsx\_ontap\_volume: Add `aggregate_configuration` configuration block ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) - resource/aws\_fsx\_ontap\_volume: Add `size_in_bytes` and `volume_style` arguments ([#36511](https://github.com/hashicorp/terraform-provider-aws/issues/36511)) BUG FIXES: - resource/aws\_bcmdataexports\_export: Fix `table_configurations` expand/flatten ([#37205](https://github.com/hashicorp/terraform-provider-aws/issues/37205)) - resource/aws\_cloudwatch\_event\_connection: Add plan-time validation preventing empty `auth_parameters.oauth.oauth_http_parameters` or `auth_parameters.invocation_http_parameters` `body`, `header` and `query_string` configuration blocks ([#26755](https://github.com/hashicorp/terraform-provider-aws/issues/26755)) - resource/aws\_elasticache\_replication\_group: Decrease replica count after other updates ([#34819](https://github.com/hashicorp/terraform-provider-aws/issues/34819)) - resource/aws\_elasticache\_replication\_group: Fix `unexpected state 'snapshotting'` errors when increasing or decreasing replica count ([#30493](https://github.com/hashicorp/terraform-provider-aws/issues/30493)) ### [`v5.47.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.47.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.46.0...v5.47.0) NOTES: - provider: Updates to Go 1.22. This is the last Go release that will run on macOS 10.15 Catalina ([#36996](https://github.com/hashicorp/terraform-provider-aws/issues/36996)) - resource/aws\_bedrockagent\_knowledge\_base: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#36783](https://github.com/hashicorp/terraform-provider-aws/issues/36783)) FEATURES: - **New Data Source:** `aws_identitystore_groups` ([#36993](https://github.com/hashicorp/terraform-provider-aws/issues/36993)) - **New Resource:** `aws_bcmdataexports_export` ([#36847](https://github.com/hashicorp/terraform-provider-aws/issues/36847)) - **New Resource:** `aws_bedrockagent_agent` ([#36851](https://github.com/hashicorp/terraform-provider-aws/issues/36851)) - **New Resource:** `aws_bedrockagent_agent_action_group` ([#36935](https://github.com/hashicorp/terraform-provider-aws/issues/36935)) - **New Resource:** `aws_bedrockagent_agent_alias` ([#36905](https://github.com/hashicorp/terraform-provider-aws/issues/36905)) - **New Resource:** `aws_bedrockagent_knowledge_base` ([#36783](https://github.com/hashicorp/terraform-provider-aws/issues/36783)) - **New Resource:** `aws_globalaccelerator_cross_account_attachment` ([#35991](https://github.com/hashicorp/terraform-provider-aws/issues/35991)) - **New Resource:** `aws_verifiedpermissions_policy` ([#35413](https://github.com/hashicorp/terraform-provider-aws/issues/35413)) ENHANCEMENTS: - data-source/aws\_eip: Add `arn` attribute ([#35991](https://github.com/hashicorp/terraform-provider-aws/issues/35991)) - resource/aws\_api\_gateway\_rest\_api: Correctly set `root_resource_id` on resource Read ([#37040](https://github.com/hashicorp/terraform-provider-aws/issues/37040)) - resource/aws\_appmesh\_mesh: Add `spec.service_discovery` argument ([#37042](https://github.com/hashicorp/terraform-provider-aws/issues/37042)) - resource/aws\_cloudformation\_stack\_set: Adds guidance on permissions when using delegated administrator account ([#37069](https://github.com/hashicorp/terraform-provider-aws/issues/37069)) - resource/aws\_db\_instance: Add `dedicated_log_volume` argument ([#36503](https://github.com/hashicorp/terraform-provider-aws/issues/36503)) - resource/aws\_eip: Add `arn` attribute ([#35991](https://github.com/hashicorp/terraform-provider-aws/issues/35991)) - resource/aws\_elasticache\_replication\_group: Add `transit_encryption_mode` argument ([#30403](https://github.com/hashicorp/terraform-provider-aws/issues/30403)) - resource/aws\_elasticache\_replication\_group: Changes to the `transit_encryption_enabled` argument can now be done in-place for engine versions > `7.0.5` ([#30403](https://github.com/hashicorp/terraform-provider-aws/issues/30403)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `snowflake_configuration` argument ([#36646](https://github.com/hashicorp/terraform-provider-aws/issues/36646)) - resource/aws\_memorydb\_user: Support IAM authentication mode ([#32027](https://github.com/hashicorp/terraform-provider-aws/issues/32027)) - resource/aws\_sagemaker\_app\_image\_config: Add `code_editor_app_image_config` and `jupyter_lab_image_config.jupyter_lab_image_config` arguments ([#37059](https://github.com/hashicorp/terraform-provider-aws/issues/37059)) - resource/aws\_sagemaker\_app\_image\_config: Change `kernel_gateway_image_config.kernel_spec` MaxItems to 5 ([#37059](https://github.com/hashicorp/terraform-provider-aws/issues/37059)) - resource/aws\_transfer\_server: Add `sftp_authentication_methods` argument ([#37015](https://github.com/hashicorp/terraform-provider-aws/issues/37015)) BUG FIXES: - resource/aws\_batch\_job\_definition: Fix issues where changes causing a new `revision` do not trigger changes in dependent resources and/or cause an error, "Provider produced inconsistent final plan" ([#37111](https://github.com/hashicorp/terraform-provider-aws/issues/37111)) - resource/aws\_ce\_cost\_category: Allow up to 3 levels of `and`, `not` and `or` operand nesting for the `rule` argument ([#30862](https://github.com/hashicorp/terraform-provider-aws/issues/30862)) - resource/aws\_elasticache\_replication\_group: Fix excessive delay on read ([#30403](https://github.com/hashicorp/terraform-provider-aws/issues/30403)) - resource/aws\_servicecatalog\_portfolio: Fixes error where deletion fails if resource was deleted out of band. ([#37066](https://github.com/hashicorp/terraform-provider-aws/issues/37066)) - resource/aws\_servicecatalog\_provisioned\_product: Fixes error where tag values are not applied to products when tag values don't change. ([#37066](https://github.com/hashicorp/terraform-provider-aws/issues/37066)) ### [`v5.46.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.46.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.45.0...v5.46.0) NOTES: - provider: When using YAML or JSON documents, such as in `template_body` of `aws_cloudformation_stack`, CRLF was previously treated as different from LF but these are now treated as equivalent in many situations ([#14270](https://github.com/hashicorp/terraform-provider-aws/issues/14270)) FEATURES: - **New Resource:** `aws_eip_domain_name` ([#36963](https://github.com/hashicorp/terraform-provider-aws/issues/36963)) ENHANCEMENTS: - data-source/aws\_alb: Add `client_keep_alive` argument ([#36969](https://github.com/hashicorp/terraform-provider-aws/issues/36969)) - data-source/aws\_eip: Add `ptr_record` attribute ([#36963](https://github.com/hashicorp/terraform-provider-aws/issues/36963)) - data-source/aws\_iam\_policy: Add `attachment_count` attribute ([#36759](https://github.com/hashicorp/terraform-provider-aws/issues/36759)) - data-source/aws\_lb: Add `client_keep_alive` argument ([#36969](https://github.com/hashicorp/terraform-provider-aws/issues/36969)) - data-source/aws\_organizations\_organization: Add `master_account_name` attribute ([#36797](https://github.com/hashicorp/terraform-provider-aws/issues/36797)) - data-source/aws\_vpc\_dhcp\_options: Add `ipv6_address_preferred_lease_time` attribute ([#36934](https://github.com/hashicorp/terraform-provider-aws/issues/36934)) - resource/aws\_alb: Add `client_keep_alive` argument ([#36969](https://github.com/hashicorp/terraform-provider-aws/issues/36969)) - resource/aws\_autoscaling\_group: Add `alarm_specification` to the `instance_refresh.preferences` configuration block ([#36954](https://github.com/hashicorp/terraform-provider-aws/issues/36954)) - resource/aws\_cloudformation\_stack\_set: Add retry when creating to potentially help with eventual consistency problems ([#36982](https://github.com/hashicorp/terraform-provider-aws/issues/36982)) - resource/aws\_cloudfront\_origin\_access\_control: Add `lambda` and `mediapackagev2` as valid values for `origin_access_control_origin_type` ([#34362](https://github.com/hashicorp/terraform-provider-aws/issues/34362)) - resource/aws\_cloudwatch\_event\_rule: Add `force_destroy` attribute ([#34905](https://github.com/hashicorp/terraform-provider-aws/issues/34905)) - resource/aws\_codebuild\_project: Add GitLab and GitLab Self Managed support to the `report_build_status` and `build_status_config` arguments ([#36942](https://github.com/hashicorp/terraform-provider-aws/issues/36942)) - resource/aws\_default\_vpc\_dhcp\_options: Add `ipv6_address_preferred_lease_time` as Computed attribute ([#36934](https://github.com/hashicorp/terraform-provider-aws/issues/36934)) - resource/aws\_dms\_replication\_task: Add `resource_identifier` argument ([#36901](https://github.com/hashicorp/terraform-provider-aws/issues/36901)) - resource/aws\_eip: Add `ptr_record` attribute ([#36963](https://github.com/hashicorp/terraform-provider-aws/issues/36963)) - resource/aws\_elasticache\_serverless\_cache: Add `minimum` attribute in `cache_usage_limits.data_storage` and `cache_usage_limits.ecpu_per_second` ([#36766](https://github.com/hashicorp/terraform-provider-aws/issues/36766)) - resource/aws\_fsx\_openzfs\_file\_system: Add `endpoint_ip_address` attribute ([#36767](https://github.com/hashicorp/terraform-provider-aws/issues/36767)) - resource/aws\_iam\_policy: Add `attachment_count` attribute ([#36759](https://github.com/hashicorp/terraform-provider-aws/issues/36759)) - resource/aws\_imagebuilder\_image: Add `execution_role` and `workflow` arguments ([#36953](https://github.com/hashicorp/terraform-provider-aws/issues/36953)) - resource/aws\_lb: Add `client_keep_alive` argument ([#36969](https://github.com/hashicorp/terraform-provider-aws/issues/36969)) - resource/aws\_mwaa\_environment: Add `database_vpc_endpoint_service` and `webserver_vpc_endpoint_service` attributes ([#36903](https://github.com/hashicorp/terraform-provider-aws/issues/36903)) - resource/aws\_organizations\_organization: Add `master_account_name` attribute ([#36797](https://github.com/hashicorp/terraform-provider-aws/issues/36797)) - resource/aws\_transfer\_connector: Add `security_policy_name` argument ([#36893](https://github.com/hashicorp/terraform-provider-aws/issues/36893)) - resource/aws\_vpc\_dhcp\_options: Add `ipv6_address_preferred_lease_time` attribute ([#36934](https://github.com/hashicorp/terraform-provider-aws/issues/36934)) - resource/aws\_vpc\_ipam\_pool: Add `cascade` argument ([#36898](https://github.com/hashicorp/terraform-provider-aws/issues/36898)) BUG FIXES: - data-source/aws\_iam\_policy\_document: When using multiple principals, sort them to avoid differences based only on order ([#25967](https://github.com/hashicorp/terraform-provider-aws/issues/25967)) - resource/aws\_appconfig\_deployment: Fix `ConflictException` errors on resource Create ([#36980](https://github.com/hashicorp/terraform-provider-aws/issues/36980)) - resource/aws\_ce\_anomaly\_monitor: Change `monitor_dimension` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#36773](https://github.com/hashicorp/terraform-provider-aws/issues/36773)) - resource/aws\_ce\_anomaly\_subscription: Change `account_id` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#36773](https://github.com/hashicorp/terraform-provider-aws/issues/36773)) - resource/aws\_cloudformation\_stack: CRLF line endings in `template_body` no longer cause erroneous diffs ([#14270](https://github.com/hashicorp/terraform-provider-aws/issues/14270)) - resource/aws\_db\_proxy: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic when `auth` is empty (`{}`) ([#36967](https://github.com/hashicorp/terraform-provider-aws/issues/36967)) - resource/aws\_dms\_replication\_config: Adds validation to `replication_settings` to disallow `Logging.CloudWatchLogGroup` and `Logging.CloudWatchLogStream`. ([#36936](https://github.com/hashicorp/terraform-provider-aws/issues/36936)) - resource/aws\_dms\_replication\_config: Suppresses differences in partial `replication_settings` JSON documents. ([#36936](https://github.com/hashicorp/terraform-provider-aws/issues/36936)) - resource/aws\_dms\_replication\_task: Adds validation to `replication_task_settings` to disallow `Logging.CloudWatchLogGroup` and `Logging.CloudWatchLogStream`. ([#36936](https://github.com/hashicorp/terraform-provider-aws/issues/36936)) - resource/aws\_dms\_replication\_task: Allows leaving `replication_task_settings` unset to use default settings. ([#36936](https://github.com/hashicorp/terraform-provider-aws/issues/36936)) - resource/aws\_dms\_replication\_task: Suppresses differences in partial `replication_task_settings` JSON documents. ([#36936](https://github.com/hashicorp/terraform-provider-aws/issues/36936)) - resource/aws\_fsx\_windows\_file\_system: Fix error `BadRequest: AuditLogDestination must not be provided when auditing is disabled` when updating `audit_log_configuration.0.file_access_audit_log_level` and `audit_log_configuration.0.file_share_access_audit_log_level` to `"DISABLED"` ([#36928](https://github.com/hashicorp/terraform-provider-aws/issues/36928)) - resource/aws\_glue\_job: Mark `number_of_workers` and `worker_type` as optional/computed, preventing persistent differences when `max_capacity` is set. ([#36770](https://github.com/hashicorp/terraform-provider-aws/issues/36770)) - resource/aws\_iam\_user\_login\_profile: Fix forced re-creation when `password_reset_required` is `true` and initial password reset is completed ([#36926](https://github.com/hashicorp/terraform-provider-aws/issues/36926)) - resource/aws\_lightsail\_distribution: Fix to properly set `certificate_name` on create and update ([#36888](https://github.com/hashicorp/terraform-provider-aws/issues/36888)) - resource/aws\_vpc\_dhcp\_options: Fix `NotFound` error handling on delete ([#36933](https://github.com/hashicorp/terraform-provider-aws/issues/36933)) ### [`v5.45.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.45.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.44.0...v5.45.0) NOTES: - resource/aws\_redshift\_cluster: The `logging` argument is now deprecated. Use the `aws_redshift_logging` resource instead. ([#36862](https://github.com/hashicorp/terraform-provider-aws/issues/36862)) - resource/aws\_redshift\_cluster: The `snapshot_copy` argument is now deprecated. Use the `aws_redshift_snapshot_copy` resource instead. ([#36810](https://github.com/hashicorp/terraform-provider-aws/issues/36810)) FEATURES: - **New Resource:** `aws_redshift_logging` ([#36862](https://github.com/hashicorp/terraform-provider-aws/issues/36862)) - **New Resource:** `aws_redshift_snapshot_copy` ([#36810](https://github.com/hashicorp/terraform-provider-aws/issues/36810)) ENHANCEMENTS: - data-source/aws\_sagemaker\_prebuilt\_ecr\_image: Add `registry_id` for `af-south-1` AWS Region ([#36803](https://github.com/hashicorp/terraform-provider-aws/issues/36803)) - resource/aws\_api\_gateway\_documentation\_part: Add `documentation_part_id` attribute ([#36445](https://github.com/hashicorp/terraform-provider-aws/issues/36445)) - resource/aws\_wafregional\_web\_acl\_association: Add configurable timeouts ([#36445](https://github.com/hashicorp/terraform-provider-aws/issues/36445)) - resource/aws\_wafregional\_web\_acl\_association: Add plan-time validation of `resource_arn` ([#36445](https://github.com/hashicorp/terraform-provider-aws/issues/36445)) BUG FIXES: - provider: Change the default AWS SDK for Go v2 API client [`MaxBackoff`](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/retries-timeouts/#limiting-the-max-back-off-delay) value to 300 seconds so that services migrated to AWS SDK for Go v2 maintain behavioral compatibility with AWS SDK for Go v1 ([#36855](https://github.com/hashicorp/terraform-provider-aws/issues/36855)) - resource/aws\_datasync\_location\_object\_storage: Allow update to `agent_arns` ([#36819](https://github.com/hashicorp/terraform-provider-aws/issues/36819)) - resource/aws\_devopsguru\_notification\_channel: Fix persistent diff when `filters.message_types` or `filters.severities` contains multiple elements ([#36804](https://github.com/hashicorp/terraform-provider-aws/issues/36804)) - resource/aws\_securityhub\_configuration\_policy: Mark `configuration_policy.enabled_standard_arns` as Optional, fixing `InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled` errors ([#36740](https://github.com/hashicorp/terraform-provider-aws/issues/36740)) ### [`v5.44.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.44.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.43.0...v5.44.0) FEATURES: - **New Data Source:** `aws_devopsguru_notification_channel` ([#36656](https://github.com/hashicorp/terraform-provider-aws/issues/36656)) - **New Data Source:** `aws_devopsguru_resource_collection` ([#36657](https://github.com/hashicorp/terraform-provider-aws/issues/36657)) - **New Data Source:** `aws_ecr_lifecycle_policy_document` ([#6133](https://github.com/hashicorp/terraform-provider-aws/issues/6133)) - **New Function:** `trim_iam_role_path` ([#36723](https://github.com/hashicorp/terraform-provider-aws/issues/36723)) - **New Resource:** `aws_devopsguru_service_integration` ([#36694](https://github.com/hashicorp/terraform-provider-aws/issues/36694)) ENHANCEMENTS: - data-source/aws\_servicecatalogappregistry\_application: Add `application_tag` attribute ([#36647](https://github.com/hashicorp/terraform-provider-aws/issues/36647)) - data/aws\_glue\_data\_catalog\_encryption\_settings: Add `data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_service_role` attribute ([#35978](https://github.com/hashicorp/terraform-provider-aws/issues/35978)) - resource/aws\_appstream\_fleet: Add `desired_sessions` argument to the `compute_capacity` block. ([#34266](https://github.com/hashicorp/terraform-provider-aws/issues/34266)) - resource/aws\_appstream\_fleet: Add `max_sessions_per_instance` argument. ([#34266](https://github.com/hashicorp/terraform-provider-aws/issues/34266)) - resource/aws\_batch\_job\_definition: Add update functions instead of ForceNew. Add `deregister_on_new_revision` to allow keeping prior versions ACTIVE when a new revision is published. ([#35149](https://github.com/hashicorp/terraform-provider-aws/issues/35149)) - resource/aws\_db\_instance: Adds warning when setting `character_set_name` when `replicate_source_db`, `restore_to_point_in_time`, or `snapshot_identifier` is set ([#36518](https://github.com/hashicorp/terraform-provider-aws/issues/36518)) - resource/aws\_emr\_cluster: Add `unhealthy_node_replacement` argument ([#36523](https://github.com/hashicorp/terraform-provider-aws/issues/36523)) - resource/aws\_glue\_data\_catalog\_encryption\_settings: Add `data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_service_role` argument ([#35978](https://github.com/hashicorp/terraform-provider-aws/issues/35978)) - resource/aws\_servicecatalogappregistry\_application: Add `application_tag` attribute ([#36647](https://github.com/hashicorp/terraform-provider-aws/issues/36647)) - resource/aws\_transfer\_server: Add `s3_storage_options` configuration block ([#36664](https://github.com/hashicorp/terraform-provider-aws/issues/36664)) - resource/aws\_wafv2\_web\_acl: Add `address_fields` and `phone_number_fields` to `statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_acfp_rule_set.request_inspection` ([#36685](https://github.com/hashicorp/terraform-provider-aws/issues/36685)) BUG FIXES: - Correctly handles user agents passed using `TF_APPEND_USER_AGENT` which contain `/`, `(`, `)`, or space. ([#36738](https://github.com/hashicorp/terraform-provider-aws/issues/36738)) - resource/aws\_batch\_scheduling\_policy: Fixes error where tags could not be updated ([#36517](https://github.com/hashicorp/terraform-provider-aws/issues/36517)) - resource/aws\_cloudfront\_key\_value\_store: Serialize CloudFront KeyValueStore access ([#36734](https://github.com/hashicorp/terraform-provider-aws/issues/36734)) - resource/aws\_cloudfrontkeyvaluestore\_key: Serialize CloudFront KeyValueStore access ([#36734](https://github.com/hashicorp/terraform-provider-aws/issues/36734)) - resource/aws\_cognito\_user\_pool: Correct plan-time validation of `email_verification_message`, `email_verification_subject`, `admin_create_user_config.invite_message_template.email_message`, `admin_create_user_config.invite_message_template.email_subject`, `admin_create_user_config.invite_message_template.sms_message`, `sms_authentication_message`, `sms_verification_message`, `verification_message_template.email_message`, `verification_message_template.email_message_by_link`, `verification_message_template.email_subject`, `verification_message_template.email_subject_by_link`, and `verification_message_template.sms_message` to count UTF-8 characters properly ([#36661](https://github.com/hashicorp/terraform-provider-aws/issues/36661)) - resource/aws\_ecr\_lifecycle\_policy: Add missing `tagPatternList` change detection in policy JSON ([#35231](https://github.com/hashicorp/terraform-provider-aws/issues/35231)) - resource/aws\_ecs\_service: Correctly set `alarms.rollback` on resource Create and Update ([#36691](https://github.com/hashicorp/terraform-provider-aws/issues/36691)) - resource/aws\_iam\_user: When `force_destroy` is used and there are inline or attached policies, allow resource to be destroyed ([#36640](https://github.com/hashicorp/terraform-provider-aws/issues/36640)) - resource/aws\_imagebuilder\_distribution\_configuration: Fix validation regex for `ami_distribution_configuration.name` ([#36659](https://github.com/hashicorp/terraform-provider-aws/issues/36659)) - resource/aws\_redshift\_cluster: Fix error preventing modification of a configured `snapshot_copy` block ([#36655](https://github.com/hashicorp/terraform-provider-aws/issues/36655)) - resource/aws\_route53\_record: Fix to correctly interpret alias names with wildcards ([#36699](https://github.com/hashicorp/terraform-provider-aws/issues/36699)) ### [`v5.43.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.43.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.42.0...v5.43.0) FEATURES: - **New Data Source:** `aws_resourceexplorer2_search` ([#36560](https://github.com/hashicorp/terraform-provider-aws/issues/36560)) - **New Data Source:** `aws_servicecatalogappregistry_application` ([#36596](https://github.com/hashicorp/terraform-provider-aws/issues/36596)) - **New Resource:** `aws_cloudfrontkeyvaluestore_key` ([#36534](https://github.com/hashicorp/terraform-provider-aws/issues/36534)) - **New Resource:** `aws_devopsguru_notification_channel` ([#36557](https://github.com/hashicorp/terraform-provider-aws/issues/36557)) - **New Resource:** `aws_ec2_instance_metadata_defaults` ([#36589](https://github.com/hashicorp/terraform-provider-aws/issues/36589)) - **New Resource:** `aws_lakeformation_resource_lf_tag` ([#36537](https://github.com/hashicorp/terraform-provider-aws/issues/36537)) - **New Resource:** `aws_m2_application` ([#35399](https://github.com/hashicorp/terraform-provider-aws/issues/35399)) - **New Resource:** `aws_m2_deployment` ([#35408](https://github.com/hashicorp/terraform-provider-aws/issues/35408)) - **New Resource:** `aws_m2_environment` ([#35311](https://github.com/hashicorp/terraform-provider-aws/issues/35311)) - **New Resource:** `aws_redshiftserverless_custom_domain_association` ([#35865](https://github.com/hashicorp/terraform-provider-aws/issues/35865)) - **New Resource:** `aws_servicecatalogappregistry_application` ([#36277](https://github.com/hashicorp/terraform-provider-aws/issues/36277)) ENHANCEMENTS: - data-source/aws\_cloudfront\_function: Add `key_value_store_associations` attribute ([#36585](https://github.com/hashicorp/terraform-provider-aws/issues/36585)) - data-source/aws\_db\_snapshot: Add `original_snapshot_create_time` attribute ([#36544](https://github.com/hashicorp/terraform-provider-aws/issues/36544)) - resource/aws\_cloudfront\_function: Add `key_value_store_associations` argument ([#36585](https://github.com/hashicorp/terraform-provider-aws/issues/36585)) - resource/aws\_ec2\_host: Add user configurable timeouts ([#36538](https://github.com/hashicorp/terraform-provider-aws/issues/36538)) - resource/aws\_glacier\_vault\_lock: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_iam\_group\_policy: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_iam\_policy: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_iam\_role: Allow `assume_role_policy` and `inline_policy.*.policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_iam\_role\_policy: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_iam\_user\_policy: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_kinesisanalyticsv2\_application: Add support for `FLINK-1_18` `runtime_environment` value ([#36562](https://github.com/hashicorp/terraform-provider-aws/issues/36562)) - resource/aws\_media\_store\_container\_policy: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_ssoadmin\_permission\_set\_inline\_policy: Allow `inline_policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_transfer\_access: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_transfer\_user: Allow `policy` to have leading whitespace ([#36597](https://github.com/hashicorp/terraform-provider-aws/issues/36597)) - resource/aws\_vpc\_ipam: Add `tier` argument ([#36504](https://github.com/hashicorp/terraform-provider-aws/issues/36504)) BUG FIXES: - data-source/aws\_cur\_report\_definition: Direct all API calls to the `us-east-1` endpoint as this is the only Region in which AWS Cost and Usage Reports is available ([#36540](https://github.com/hashicorp/terraform-provider-aws/issues/36540)) - resource/aws\_applicationinsights\_application: Make `ACTIVE` a valid create target status ([#36615](https://github.com/hashicorp/terraform-provider-aws/issues/36615)) - resource/aws\_autoscaling\_group: Don't attempt to remove scale-in protection from instances that don't have the feature enabled ([#36586](https://github.com/hashicorp/terraform-provider-aws/issues/36586)) - resource/aws\_cur\_report\_definition: Direct all API calls to the `us-east-1` endpoint as this is the only Region in which AWS Cost and Usage Reports is available ([#36540](https://github.com/hashicorp/terraform-provider-aws/issues/36540)) - resource/aws\_elasticsearch\_domain\_policy: Handle delayed domain status propagation, preventing a `ValidationException`. ([#36592](https://github.com/hashicorp/terraform-provider-aws/issues/36592)) - resource/aws\_iam\_instance\_profile: Detect when the associated `role` no longer exists ([#34099](https://github.com/hashicorp/terraform-provider-aws/issues/34099)) - resource/aws\_instance: Replace an instance when an `instance_type` change also requires an architecture change, such as x86\_64 to arm64 ([#36590](https://github.com/hashicorp/terraform-provider-aws/issues/36590)) - resource/aws\_opensearch\_domain\_policy: Handle delayed domain status propagation, preventing a `ValidationException`. ([#36592](https://github.com/hashicorp/terraform-provider-aws/issues/36592)) - resource/aws\_quicksight\_dashboard: Fix failure when updating a dashboard takes a while ([#34227](https://github.com/hashicorp/terraform-provider-aws/issues/34227)) - resource/aws\_quicksight\_template: Fix "Invalid address to set" errors ([#34227](https://github.com/hashicorp/terraform-provider-aws/issues/34227)) - resource/aws\_quicksight\_template: Fix "a number is required" errors when state contains an empty string ([#34227](https://github.com/hashicorp/terraform-provider-aws/issues/34227)) - resource/aws\_redshift\_cluster: Fix `InvalidParameterCombination` errors when updating only `skip_final_snapshot` ([#36635](https://github.com/hashicorp/terraform-provider-aws/issues/36635)) - resource/aws\_route53\_zone: Prevent re-creation when `name` casing changes ([#36563](https://github.com/hashicorp/terraform-provider-aws/issues/36563)) - resource/aws\_secretsmanager\_secret\_version: Fix to handle versions deleted out-of-band without raising an `InvalidRequestException` ([#36609](https://github.com/hashicorp/terraform-provider-aws/issues/36609)) - resource/aws\_ssm\_parameter: force create a new SSM parameter when `data_type` is updated. ([#35960](https://github.com/hashicorp/terraform-provider-aws/issues/35960)) ### [`v5.42.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.42.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.41.0...v5.42.0) FEATURES: - **New Data Source:** `aws_redshift_producer_data_shares` ([#36481](https://github.com/hashicorp/terraform-provider-aws/issues/36481)) - **New Resource:** `aws_devopsguru_event_sources_config` ([#36485](https://github.com/hashicorp/terraform-provider-aws/issues/36485)) - **New Resource:** `aws_devopsguru_resource_collection` ([#36489](https://github.com/hashicorp/terraform-provider-aws/issues/36489)) - **New Resource:** `aws_dynamodb_table_export` ([#30399](https://github.com/hashicorp/terraform-provider-aws/issues/30399)) ENHANCEMENTS: - data-source/aws\_vpc\_peering\_connection: Add `ipv6_cidr_block_set` and `peer_ipv6_cidr_block_set` attributes ([#36391](https://github.com/hashicorp/terraform-provider-aws/issues/36391)) - resource/aws\_datasync\_location\_hdfs: Add `kerberos_keytab_base64` and `kerberos_krb5_conf_base64` arguments ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_finspace\_kx\_dataview: Add `read_write` and `segment_configuration.on_demand` arguments ([#36486](https://github.com/hashicorp/terraform-provider-aws/issues/36486)) - resource/aws\_rds\_cluster: Add `enable_local_write_forwarding` argument to support Aurora MySQL local write forwarding ([#34370](https://github.com/hashicorp/terraform-provider-aws/issues/34370)) BUG FIXES: - provider: Change the default AWS SDK for Go v2 API client [`RateLimiter`](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/retry#RateLimiter) to [`ratelimit.None`](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/ratelimit#pkg-variables) so that services migrated to AWS SDK for Go v2 maintain behavioral compatibility with AWS SDK for Go v1 ([#36467](https://github.com/hashicorp/terraform-provider-aws/issues/36467)) - resource/aws\_appautoscaling\_policy: Fix errors when importing an MSK storage autoscaling policy ([#34934](https://github.com/hashicorp/terraform-provider-aws/issues/34934)) - resource/aws\_appautoscaling\_scheduled\_action: Always send `start_time` and `end_time` values on update when configured ([#33713](https://github.com/hashicorp/terraform-provider-aws/issues/33713)) - resource/aws\_appautoscaling\_scheduled\_action: Read correct resource by using `scalable_dimension` as an additional filter ([#34382](https://github.com/hashicorp/terraform-provider-aws/issues/34382)) - resource/aws\_datasync\_location\_azure\_blob: Fix missing `container_url` attribute value and bad `subdirectory` attribute value from state read/refresh ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_datasync\_location\_efs: Fix missing `efs_file_system_arn` attribute value from state read/refresh ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_datasync\_location\_hdfs: Mark `qop_configuration` as Computed ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_datasync\_location\_nfs: Fix missing `server_hostname` attribute value from state read/refresh ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_datasync\_location\_s3: Fix missing `s3_bucket_arn` attribute value from state read/refresh ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_datasync\_location\_smb: Fix missing `server_hostname` attribute value from state read/refresh ([#36072](https://github.com/hashicorp/terraform-provider-aws/issues/36072)) - resource/aws\_dms\_replication\_config: Fix persistent change in `replication_settings` ([#35670](https://github.com/hashicorp/terraform-provider-aws/issues/35670)) - resource/aws\_dms\_replication\_task: Fix persistent change in `replication_task_settings` ([#35670](https://github.com/hashicorp/terraform-provider-aws/issues/35670)) - resource/aws\_eks\_access\_entry: Always send `kubernetes_groups` and `user_name` values on update when configured ([#36484](https://github.com/hashicorp/terraform-provider-aws/issues/36484)) - resource/aws\_glue\_job: Adjust `number_of_workers` minimum value to `1` ([#36458](https://github.com/hashicorp/terraform-provider-aws/issues/36458)) - resource/aws\_lexv2models\_slot: Fix custom\_payload typo ([#36488](https://github.com/hashicorp/terraform-provider-aws/issues/36488)) - resource/aws\_route: Allow resource creation if a propagated route to the same destination exists ([#36512](https://github.com/hashicorp/terraform-provider-aws/issues/36512)) - resource/aws\_vpn\_connection: `local_ipv6_network_cidr`, `remote_ipv6_network_cidr`, `tunnel1_inside_ipv6_cidr`, and `tunnel2_inside_ipv6_cidr` no longer require `transit_gateway_id` to be specified ([#36405](https://github.com/hashicorp/terraform-provider-aws/issues/36405)) ### [`v5.41.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.41.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.40.0...v5.41.0) FEATURES: - **New Data Source:** `aws_apprunner_hosted_zone_id` ([#36288](https://github.com/hashicorp/terraform-provider-aws/issues/36288)) - **New Data Source:** `aws_medialive_input` ([#36307](https://github.com/hashicorp/terraform-provider-aws/issues/36307)) - **New Resource:** `aws_lakeformation_data_cells_filter` ([#36264](https://github.com/hashicorp/terraform-provider-aws/issues/36264)) - **New Resource:** `aws_securityhub_configuration_policy` ([#35752](https://github.com/hashicorp/terraform-provider-aws/issues/35752)) - **New Resource:** `aws_securityhub_configuration_policy_association` ([#35752](https://github.com/hashicorp/terraform-provider-aws/issues/35752)) - **New Resource:** `aws_securitylake_subscriber_notification` ([#36323](https://github.com/hashicorp/terraform-provider-aws/issues/36323)) ENHANCEMENTS: - data-source/aws\_ec2\_transit\_gateway\_peering\_attachment: Add `state` attribute ([#36304](https://github.com/hashicorp/terraform-provider-aws/issues/36304)) - data-source/aws\_lakeformation\_permissions: Add `data_cells_filter` attribute ([#36264](https://github.com/hashicorp/terraform-provider-aws/issues/36264)) - data-source/aws\_ram\_resource\_share: `name` is Optional ([#36062](https://github.com/hashicorp/terraform-provider-aws/issues/36062)) - resource/aws\_cognito\_user\_pool: Add `pre_token_generation_config` configuration block ([#35236](https://github.com/hashicorp/terraform-provider-aws/issues/35236)) - resource/aws\_ec2\_transit\_gateway\_peering\_attachment: Add `state` attribute ([#36304](https://github.com/hashicorp/terraform-provider-aws/issues/36304)) - resource/aws\_ecs\_cluster: Add default value (`DEFAULT`) for `configuration.execute_command_configuration.logging` ([#36341](https://github.com/hashicorp/terraform-provider-aws/issues/36341)) - resource/aws\_lakeformation\_permissions: Add `data_cells_filter` attribute ([#36264](https://github.com/hashicorp/terraform-provider-aws/issues/36264)) - resource/aws\_ram\_resource\_association: Add plan-time validation of `resource_arn` and `resource_share_arn` ([#36062](https://github.com/hashicorp/terraform-provider-aws/issues/36062)) - resource/aws\_route53domains\_registered\_domain: Add `billing_contact` and `billing_privacy` arguments ([#36285](https://github.com/hashicorp/terraform-provider-aws/issues/36285)) - resource/aws\_securityhub\_organization\_configuration: Add `organization_configuration` configuration block to support [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/start-central-configuration.html) ([#35752](https://github.com/hashicorp/terraform-provider-aws/issues/35752)) - resource/aws\_securityhub\_organization\_configuration: Set `auto_enable` to `false`, `auto_enable_standards` to `NONE`, and `organization_configuration.configuration_type` to `LOCAL` on resource Delete ([#35752](https://github.com/hashicorp/terraform-provider-aws/issues/35752)) BUG FIXES: - data-source/aws\_iam\_policy\_document: Fix `Failed to marshal state to json: unsupported attribute "override_json"` and `Failed to marshal state to json: unsupported attribute "source_json"` errors when running `terraform show -json` or `terraform state rm` ([#36383](https://github.com/hashicorp/terraform-provider-aws/issues/36383)) - data-source/aws\_opensearch\_domain : Add `auto_tune_options.use_off_peak_window` attribute. This fixes a regression introduced in [v5.40.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5400-march--7-2024) causing `Invalid address to set` errors ([#36298](https://github.com/hashicorp/terraform-provider-aws/issues/36298)) - resource/aws\_cognito\_identity\_pool: Fix handling of resources deleted out of band ([#36100](https://github.com/hashicorp/terraform-provider-aws/issues/36100)) - resource/aws\_cognito\_identity\_provider: Fix `InvalidParameterException: ActiveEncryptionCertificate is not a valid key for SAML identity provider details` errors on resource Update ([#36311](https://github.com/hashicorp/terraform-provider-aws/issues/36311)) - resource/aws\_ec2\_instance: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `ipv6_address_count` ([#36308](https://github.com/hashicorp/terraform-provider-aws/issues/36308)) - resource/aws\_ecs\_cluster: Fix `panic: interface conversion: interface {} is nil, not map[string]interface {}` when `configuration`, `configuration.execute_command_configuration`, or `configuration.execute_command_configuration.log_configuration` are empty ([#36341](https://github.com/hashicorp/terraform-provider-aws/issues/36341)) - resource/aws\_ecs\_service: Fix `panic: interface conversion: interface {} is nil, not map[string]interface {}` when `service_connect_configuration.service.timeout` is empty ([#36309](https://github.com/hashicorp/terraform-provider-aws/issues/36309)) - resource/aws\_ecs\_service: `service_connect_configuration.service.tls.issuer_cert_authority.aws_pca_authority_arn` is Required ([#36309](https://github.com/hashicorp/terraform-provider-aws/issues/36309)) - resource/aws\_elasticache\_replication\_group: Fix bugs causing errors like `InvalidReplicationGroupState: Cluster not in available state to perform tagging operations.` ([#36310](https://github.com/hashicorp/terraform-provider-aws/issues/36310)) - resource/aws\_finspace\_kx\_cluster: Prevent `command_line_arguments` and `initialization_script` updates from overwriting one another ([#36361](https://github.com/hashicorp/terraform-provider-aws/issues/36361)) - resource/aws\_network\_acl\_rule: Fix `InvalidNetworkAclID.NotFound` errors on resource Delete ([#36326](https://github.com/hashicorp/terraform-provider-aws/issues/36326)) - resource/aws\_network\_acl\_rule: Prevent creation of duplicate Terraform resources ([#36326](https://github.com/hashicorp/terraform-provider-aws/issues/36326)) - resource/aws\_ram\_principal\_association: Prevent creation of duplicate Terraform resources ([#36062](https://github.com/hashicorp/terraform-provider-aws/issues/36062)) - resource/aws\_ram\_principal\_association: Remove from state on resource Read if `principal` is disassociated outside of Terraform ([#36062](https://github.com/hashicorp/terraform-provider-aws/issues/36062)) - resource/aws\_ram\_resource\_association: Prevent creation of duplicate Terraform resources ([#36062](https://github.com/hashicorp/terraform-provider-aws/issues/36062)) - resource/aws\_route: Prevent creation of duplicate Terraform resources ([#36326](https://github.com/hashicorp/terraform-provider-aws/issues/36326)) - resource/aws\_route\_table: Fix `couldn't find resource` errors on resource Delete ([#36326](https://github.com/hashicorp/terraform-provider-aws/issues/36326)) - resource/aws\_vpn\_connection: Correct plan-time validation of `tunnel1_inside_ipv6_cidr` and `tunnel2_inside_ipv6_cidr` ([#36236](https://github.com/hashicorp/terraform-provider-aws/issues/36236)) ### [`v5.40.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.40.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.39.1...v5.40.0) FEATURES: - **New Function:** `arn_build` ([#34952](https://github.com/hashicorp/terraform-provider-aws/issues/34952)) - **New Function:** `arn_parse` ([#34952](https://github.com/hashicorp/terraform-provider-aws/issues/34952)) - **New Resource:** `aws_account_region` ([#35739](https://github.com/hashicorp/terraform-provider-aws/issues/35739)) - **New Resource:** `aws_securitylake_subscriber` ([#35981](https://github.com/hashicorp/terraform-provider-aws/issues/35981)) ENHANCEMENTS: - data-source/aws\_rds\_engine\_version: Add `has_major_target` and `has_minor_target` optional arguments and `valid_major_targets` and `valid_minor_targets` attributes ([#36246](https://github.com/hashicorp/terraform-provider-aws/issues/36246)) - resource/aws\_batch\_job\_queue: added parameter `compute_environment_order` which conflicts with `compute_environments` but aligns with AWS API. `compute_environments` has been deprecated. ([#34750](https://github.com/hashicorp/terraform-provider-aws/issues/34750)) - resource/aws\_cloudfront\_distribution: Remove the upper limit on `origin.custom_origin_config.origin_read_timeout` ([#36088](https://github.com/hashicorp/terraform-provider-aws/issues/36088)) - resource/aws\_db\_instance: Add `io2` as a valid value for `storage_type` ([#36252](https://github.com/hashicorp/terraform-provider-aws/issues/36252)) - resource/aws\_elasticache\_serverless\_cache: Add plan-time validation of `cache_usage_limits.ecpu_per_second.maximum` ([#35927](https://github.com/hashicorp/terraform-provider-aws/issues/35927)) - resource/aws\_iot\_policy: Add tagging support ([#36102](https://github.com/hashicorp/terraform-provider-aws/issues/36102)) - resource/aws\_iot\_role\_alias: Add tagging support ([#36255](https://github.com/hashicorp/terraform-provider-aws/issues/36255)) - resource/aws\_opensearch\_domain: Add `use_off_peak_window` argument to the `auto_tune_options` configuration block ([#36067](https://github.com/hashicorp/terraform-provider-aws/issues/36067)) - resource/aws\_rds\_cluster: Add `io2` as a valid value for `storage_type` ([#36252](https://github.com/hashicorp/terraform-provider-aws/issues/36252)) - resource/aws\_s3\_bucket\_object: Adds attribute `arn`. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_s3\_object: Adds attribute `arn`. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_s3\_object\_copy: Adds attribute `arn`. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_wafv2\_rule\_group: Add `evaluation_window_sec` argument to the `rate_based_statement` configuration block ([#36045](https://github.com/hashicorp/terraform-provider-aws/issues/36045)) - resource/aws\_wafv2\_web\_acl: Add `evaluation_window_sec` argument to the `rate_based_statement` configuration block ([#36045](https://github.com/hashicorp/terraform-provider-aws/issues/36045)) BUG FIXES: - data-source/aws\_rds\_engine\_version: Fix bugs that could limit engine version to a default version even when not appropriate ([#36246](https://github.com/hashicorp/terraform-provider-aws/issues/36246)) - resource/aws\_db\_instance: Correctly sets `parameter_group_name` when `replicate_source_db` is in different region. ([#36080](https://github.com/hashicorp/terraform-provider-aws/issues/36080)) - resource/aws\_elastic\_beanstalk\_environment: Fix `InvalidParameterValue: Environment named ... is in an invalid state for this operation. Must be Ready` errors when `tags` are updated along with other attributes ([#36074](https://github.com/hashicorp/terraform-provider-aws/issues/36074)) - resource/aws\_elasticache\_serverless\_cache: Change `cache_usage_limits.data_storage.maximum` and `cache_usage_limits.ecpu_per_second.maximum` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#35927](https://github.com/hashicorp/terraform-provider-aws/issues/35927)) - resource/aws\_medialive\_channel: Fix handling of optional `encoder_settings.audio_descriptions` arguments ([#36097](https://github.com/hashicorp/terraform-provider-aws/issues/36097)) - resource/aws\_rds\_global\_cluster: Fix bugs and delays that could occur when performing major or minor version upgrades ([#36246](https://github.com/hashicorp/terraform-provider-aws/issues/36246)) - resource/aws\_s3\_bucket: Tags with empty values no longer remove all tags. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_s3\_bucket\_object: Tags with empty values no longer remove all tags. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_s3\_object: Tags with empty values no longer remove all tags. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_s3\_object\_copy: Tags with empty values no longer remove all tags. ([#35710](https://github.com/hashicorp/terraform-provider-aws/issues/35710)) - resource/aws\_vpclattice\_listener\_rule: Remove `action.forward.target_groups` maximum item limit ([#36095](https://github.com/hashicorp/terraform-provider-aws/issues/36095)) ### [`v5.39.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.39.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.39.0...v5.39.1) BUG FIXES: - data-source/aws\_instance: Fix `panic: Invalid address to set` related to `root_block_device.0.tags_all` ([#36054](https://github.com/hashicorp/terraform-provider-aws/issues/36054)) ### [`v5.39.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.39.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.38.0...v5.39.0) FEATURES: - **New Data Source:** `aws_redshift_data_shares` ([#35937](https://github.com/hashicorp/terraform-provider-aws/issues/35937)) - **New Resource:** `aws_apprunner_deployment` ([#35758](https://github.com/hashicorp/terraform-provider-aws/issues/35758)) - **New Resource:** `aws_config_retention_configuration` ([#15136](https://github.com/hashicorp/terraform-provider-aws/issues/15136)) - **New Resource:** `aws_securityhub_automation_rule` ([#34781](https://github.com/hashicorp/terraform-provider-aws/issues/34781)) - **New Resource:** `aws_shield_proactive_engagement` ([#34667](https://github.com/hashicorp/terraform-provider-aws/issues/34667)) ENHANCEMENTS: - aws\_kinesis\_firehose\_delivery\_stream: Add `custom_time_zone` and `file_extension` arguments to the `extended_S3_configuration` configuration block ([#35969](https://github.com/hashicorp/terraform-provider-aws/issues/35969)) - resource/aws\_appflow\_flow: Allow `task.source_fields` to be a `null` value ([#35993](https://github.com/hashicorp/terraform-provider-aws/issues/35993)) - resource/aws\_codepipeline: Add `trigger` configuration block ([#35475](https://github.com/hashicorp/terraform-provider-aws/issues/35475)) - resource/aws\_config\_configuration\_recorder: Add plan-time validation of `aws_config_organization_custom_rule.lambda_function_arn` ([#15136](https://github.com/hashicorp/terraform-provider-aws/issues/15136)) - resource/aws\_instance: Add configurable `read` timeout ([#35955](https://github.com/hashicorp/terraform-provider-aws/issues/35955)) - resource/aws\_instance: Apply default tags to volumes/block devices managed through an `aws_instance`, add `ebs_block_device.*.tags_all` and `root_block_device.*.tags_all` attributes which include default tags ([#33769](https://github.com/hashicorp/terraform-provider-aws/issues/33769)) - resource/aws\_mq\_broker: Add `data_replication_mode` and `data_replication_primary_broker_arn` arguments, enabling support for cross-region data replication ([#35990](https://github.com/hashicorp/terraform-provider-aws/issues/35990)) - resource/aws\_mwaa\_environment: Add `endpoint_management` attribute ([#35961](https://github.com/hashicorp/terraform-provider-aws/issues/35961)) - resource/aws\_redshiftserverless\_namespace: Add attributes `admin_password_secret_kms_key_id` and `manage_admin_password` ([#35965](https://github.com/hashicorp/terraform-provider-aws/issues/35965)) - resource/aws\_shield\_drt\_access\_log\_bucket\_association: Support resource import ([#34667](https://github.com/hashicorp/terraform-provider-aws/issues/34667)) - resource/aws\_shield\_drt\_access\_role\_arn\_association: Support resource import ([#34667](https://github.com/hashicorp/terraform-provider-aws/issues/34667)) - resource/aws\_spot\_instance\_request: Add configurable `read` timeout ([#35955](https://github.com/hashicorp/terraform-provider-aws/issues/35955)) - resource/aws\_wafv2\_web\_acl: Add `application_integration_url` attribute ([#35974](https://github.com/hashicorp/terraform-provider-aws/issues/35974)) BUG FIXES: - data/aws\_redshiftserverless\_namespace: Properly set `iam_roles` attribute on read ([#35965](https://github.com/hashicorp/terraform-provider-aws/issues/35965)) - resource/aws\_appflow\_flow: Fix perpetual diff when `task.task_type` is set to `Map_all` ([#35993](https://github.com/hashicorp/terraform-provider-aws/issues/35993)) - resource/aws\_config\_configuration\_recorder: Fix `panic: interface conversion: interface {} is nil, not map[string]interface {}` when `recording_group.exclusion_by_resource_types` is empty ([#15136](https://github.com/hashicorp/terraform-provider-aws/issues/15136)) - resource/aws\_config\_rule: Change `name` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#15136](https://github.com/hashicorp/terraform-provider-aws/issues/15136)) - resource/aws\_config\_rule: Fix `InvalidParameterValueException: PolicyText is required when Owner is CUSTOM_POLICY` errors on resource Update ([#15136](https://github.com/hashicorp/terraform-provider-aws/issues/15136)) - resource/aws\_ecs\_task\_definition: Fix perpetual `container_definitions` diffs when `Name`s are ordered differently ([#36029](https://github.com/hashicorp/terraform-provider-aws/issues/36029)) - resource/aws\_msk\_replicator: Fix incorrect `detect_and_copy_new_topics` attribute value from state read/refresh ([#35966](https://github.com/hashicorp/terraform-provider-aws/issues/35966)) - resource/aws\_redshiftserverless\_workgroup: Fix `max_capacity` removal ([#36032](https://github.com/hashicorp/terraform-provider-aws/issues/36032)) - resource/aws\_redshiftserverless\_workgroup: Fix updating both `base_capacity` and `max_capacity` ([#36032](https://github.com/hashicorp/terraform-provider-aws/issues/36032)) - resource/aws\_shield\_drt\_access\_log\_bucket\_association: Change `log_bucket` and `role_arn_association_id` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#34667](https://github.com/hashicorp/terraform-provider-aws/issues/34667)) ### [`v5.38.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.38.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.37.0...v5.38.0) FEATURES: - **New Data Source:** `aws_batch_job_definition` ([#34663](https://github.com/hashicorp/terraform-provider-aws/issues/34663)) - **New Data Source:** `aws_cognito_user_group` ([#34046](https://github.com/hashicorp/terraform-provider-aws/issues/34046)) - **New Data Source:** `aws_cognito_user_groups` ([#34046](https://github.com/hashicorp/terraform-provider-aws/issues/34046)) ENHANCEMENTS: - data-source/aws\_alb\_target\_group: Add `load_balancer_arns` attribute ([#34364](https://github.com/hashicorp/terraform-provider-aws/issues/34364)) - data-source/aws\_ec2\_instance\_type: Add `maximum_network_cards` attribute ([#35840](https://github.com/hashicorp/terraform-provider-aws/issues/35840)) - data-source/aws\_elasticache\_subnet\_group: Add `vpc_id` attribute ([#35887](https://github.com/hashicorp/terraform-provider-aws/issues/35887)) - data-source/aws\_lb\_target\_group: Add `load_balancer_arns` attribute ([#34364](https://github.com/hashicorp/terraform-provider-aws/issues/34364)) - provider: Add `token_bucket_rate_limiter_capacity` parameter ([#35926](https://github.com/hashicorp/terraform-provider-aws/issues/35926)) - resource/aws\_alb\_target\_group: Add `load_balancer_arns` attribute ([#34364](https://github.com/hashicorp/terraform-provider-aws/issues/34364)) - resource/aws\_codedeploy\_deployment\_config: Add `arn` attribute ([#35888](https://github.com/hashicorp/terraform-provider-aws/issues/35888)) - resource/aws\_codepipeline: Add `execution_mode` argument ([#35875](https://github.com/hashicorp/terraform-provider-aws/issues/35875)) - resource/aws\_config\_configuration\_recorder: Add `recording_mode` configuration block ([#35527](https://github.com/hashicorp/terraform-provider-aws/issues/35527)) - resource/aws\_db\_instance: Add plan-time validation of `performance_insights_retention_period` ([#35870](https://github.com/hashicorp/terraform-provider-aws/issues/35870)) - resource/aws\_elasticache\_subnet\_group: Add `vpc_id` attribute ([#35887](https://github.com/hashicorp/terraform-provider-aws/issues/35887)) - resource/aws\_lb\_target\_group: Add `load_balancer_arns` attribute ([#34364](https://github.com/hashicorp/terraform-provider-aws/issues/34364)) - resource/aws\_redshiftserverless\_workgroup: Add `max_capacity` argument ([#35720](https://github.com/hashicorp/terraform-provider-aws/issues/35720)) - resource/aws\_transfer\_server: Add `TransferSecurityPolicy-2024-01` and `TransferSecurityPolicy-FIPS-2024-01` as valid values for `security_policy_name` ([#35879](https://github.com/hashicorp/terraform-provider-aws/issues/35879)) BUG FIXES: - data-source/aws\_caller\_identity: Fix authentication signature error when alternate `sts_region` is specified ([#35860](https://github.com/hashicorp/terraform-provider-aws/issues/35860)) - data-source/aws\_eks\_access\_entry: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - data-source/aws\_eks\_addon: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - data-source/aws\_eks\_cluster: Fix `name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_cloudsearch\_domain: Prevent panic when reading nil `index_field` options response values ([#35900](https://github.com/hashicorp/terraform-provider-aws/issues/35900)) - resource/aws\_eks\_access\_entry: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_eks\_access\_policy\_association: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_eks\_addon: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_eks\_cluster: Fix `name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_eks\_fargate\_profile: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_eks\_node\_group: Fix `cluster_name` plan-time validation, allowing single-character names ([#35874](https://github.com/hashicorp/terraform-provider-aws/issues/35874)) - resource/aws\_prometheus\_scraper: Fixes invalid result after apply error. ([#35844](https://github.com/hashicorp/terraform-provider-aws/issues/35844)) - resource/aws\_sqs\_queue\_policy: Retry IAM eventual consistency errors ([#35861](https://github.com/hashicorp/terraform-provider-aws/issues/35861)) ### [`v5.37.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.37.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.36.0...v5.37.0) NOTES: - provider: Updates to Go 1.21 (used by Terraform starting with v1.6.0), which, for Windows, requires at least Windows 10 or Windows Server 2016--support for previous versions has been discontinued--and, for macOS, requires macOS 10.15 Catalina or later--support for previous versions has been discontinued. ([#35832](https://github.com/hashicorp/terraform-provider-aws/issues/35832)) - resource/aws\_bedrock\_provisioned\_model\_throughput: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#35689](https://github.com/hashicorp/terraform-provider-aws/issues/35689)) FEATURES: - **New Data Source:** `aws_db_parameter_group` ([#35698](https://github.com/hashicorp/terraform-provider-aws/issues/35698)) - **New Resource:** `aws_bedrock_provisioned_model_throughput` ([#35689](https://github.com/hashicorp/terraform-provider-aws/issues/35689)) - **New Resource:** `aws_cloudfront_key_value_store` ([#35663](https://github.com/hashicorp/terraform-provider-aws/issues/35663)) - **New Resource:** `aws_redshift_data_share_consumer_association` ([#35771](https://github.com/hashicorp/terraform-provider-aws/issues/35771)) ENHANCEMENTS: - data-source/aws\_ecr\_pull\_through\_cache\_rule: Add `credential_arn` attribute ([#34475](https://github.com/hashicorp/terraform-provider-aws/issues/34475)) - data-source/aws\_ecs\_task\_execution: Add `client_token` argument ([#34402](https://github.com/hashicorp/terraform-provider-aws/issues/34402)) - data-source/aws\_neptune\_cluster\_instance: Add `skip_final_snapshot` argument ([#35698](https://github.com/hashicorp/terraform-provider-aws/issues/35698)) - data-source/aws\_rds\_engine\_version: Improve search functionality and options by adding `latest`, `preferred_major_targets`, and `preferred_upgrade_targets`. Add `version_actual` attribute ([#35698](https://github.com/hashicorp/terraform-provider-aws/issues/35698)) - data-source/aws\_rds\_orderable\_db\_instance: Improve search functionality and options by adding `engine_latest_version` and `supports_clusters` arguments and converting `read_replica_capable`, `supported_engine_modes`, `supported_network_types`, and `supports_multi_az` to arguments for use as search criteria ([#35698](https://github.com/hashicorp/terraform-provider-aws/issues/35698)) - resource/aws\_appsync\_graphql\_api: Add `introspection_config`, `query_depth_limit`, and `resolver_count_limit` arguments ([#35631](https://github.com/hashicorp/terraform-provider-aws/issues/35631)) - resource/aws\_codeartifact\_domain: Add `s3_bucket_arn` attribute ([#35760](https://github.com/hashicorp/terraform-provider-aws/issues/35760)) - resource/aws\_ecr\_pull\_through\_cache\_rule: Add `credential_arn` argument ([#34475](https://github.com/hashicorp/terraform-provider-aws/issues/34475)) - resource/aws\_ecs\_service: Add `service_connect_configuration.service.timeout` and `service_connect_configuration.service.tls` configuration blocks ([#35684](https://github.com/hashicorp/terraform-provider-aws/issues/35684)) - resource/aws\_ecs\_task\_definition: Add `track_latest` argument ([#30154](https://github.com/hashicorp/terraform-provider-aws/issues/30154)) - resource/aws\_glue\_catalog\_database: Add `federated_database` argument ([#35799](https://github.com/hashicorp/terraform-provider-aws/issues/35799)) - resource/aws\_glue\_trigger: Add configurable `timeouts` ([#35542](https://github.com/hashicorp/terraform-provider-aws/issues/35542)) - resource/aws\_rds\_cluster: Add `domain` and `domain_iam_role_name` arguments to support [Kerberos authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.KerberosAuthentication.html) ([#35753](https://github.com/hashicorp/terraform-provider-aws/issues/35753)) - resource/aws\_route53\_record: Add `geoproximity_routing_policy` configuration block to support [geoproximity routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-geoproximity.html) ([#35565](https://github.com/hashicorp/terraform-provider-aws/issues/35565)) - resource/aws\_route53\_resolver\_rule: Add `target_ip.protocol` argument ([#35744](https://github.com/hashicorp/terraform-provider-aws/issues/35744)) - resource/aws\_sagemaker\_endpoint\_configuration: Add `routing_config` argument. Enables the specification of a `routing_strategy`. ([#34777](https://github.com/hashicorp/terraform-provider-aws/issues/34777)) - resource/aws\_sagemaker\_space: Add `ownership_settings`, `space_sharing_settings`, `space_settings.app_type`, `space_settings.code_editor_app_settings`, `space_settings.custom_file_system`, `space_settings.jupyter_lab_app_settings`, and `space_settings.space_storage_settings` arguments ([#35116](https://github.com/hashicorp/terraform-provider-aws/issues/35116)) BUG FIXES: - provider: Fix `failed to get rate limit token, retry quota exceeded` errors ([#35817](https://github.com/hashicorp/terraform-provider-aws/issues/35817)) - resource/aws\_apigateway\_domain\_name: Properly send changes to `ownership_verification_certificate_arn` on update ([#35777](https://github.com/hashicorp/terraform-provider-aws/issues/35777)) - resource/aws\_apigatewayv2\_route: Fix `BadRequestException: Unable to update route. Authorizer type is invalid or null` errors when updating `authorizer_id` ([#35821](https://github.com/hashicorp/terraform-provider-aws/issues/35821)) - resource/aws\_autoscaling\_group: Fix version to computed for inconsistent final plan issue ([#35774](https://github.com/hashicorp/terraform-provider-aws/issues/35774)) - resource/aws\_datasync\_task: Fix crash when reading empty `report_override` values ([#35778](https://github.com/hashicorp/terraform-provider-aws/issues/35778)) - resource/aws\_datasync\_task: Prevent ValidationErrors when empty values are sent with `report_override` arguments ([#35778](https://github.com/hashicorp/terraform-provider-aws/issues/35778)) - resource/aws\_db\_proxy: Change `auth` from `TypeList` to `TypeSet` as order is not significant ([#35819](https://github.com/hashicorp/terraform-provider-aws/issues/35819)) - resource/aws\_ecs\_account\_setting\_default: Remove plan-time validation of `value` ([#33393](https://github.com/hashicorp/terraform-provider-aws/issues/33393)) - resource/aws\_ecs\_task\_definition: Fix perpetual `container_definitions` diffs when `Secrets` are ordered differently ([#35792](https://github.com/hashicorp/terraform-provider-aws/issues/35792)) - resource/aws\_eks\_access\_policy\_association: Retry IAM eventual consistency errors on create ([#35736](https://github.com/hashicorp/terraform-provider-aws/issues/35736)) - resource/aws\_instance: Fix `ReservationCapacityExceeded` errors when updating `instance_type` and `capacity_reservation_specification.capacity_reservation_target.capacity_reservation_id` ([#33412](https://github.com/hashicorp/terraform-provider-aws/issues/33412)) - resource/aws\_lakeformation\_resource: Properly handle configured `false` values for `use_service_linked_role` ([#35799](https://github.com/hashicorp/terraform-provider-aws/issues/35799)) - resource/aws\_medialive\_channel: Added `client_cache` to `hls_group_settings`. ([#35738](https://github.com/hashicorp/terraform-provider-aws/issues/35738)) - resource/aws\_ram\_resource\_share\_accepter: Fix handling of out-of-band resource share deletion ([#35800](https://github.com/hashicorp/terraform-provider-aws/issues/35800)) - resource/aws\_redshift\_data\_share\_authorization: Fix read operation to properly handle shares in `ACTIVE` status ([#35771](https://github.com/hashicorp/terraform-provider-aws/issues/35771)) - resource/aws\_s3\_bucket\_acl: Correctly updates `access_control_policy` when switching configuration to `acl`. ([#35775](https://github.com/hashicorp/terraform-provider-aws/issues/35775)) - resource/resource\_share\_acceptor: Wait until RAM resource share available after accepting the invitation ([#34753](https://github.com/hashicorp/terraform-provider-aws/issues/34753)) ### [`v5.36.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.36.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.35.0...v5.36.0) NOTES: - data-source/aws\_media\_convert\_queue: The AWS Elemental MediaConvert service has been converted to use standard [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/mediaconvert.html#mediaconvert_region) instead of deprecated per-account endpoints ([#35615](https://github.com/hashicorp/terraform-provider-aws/issues/35615)) - resource/aws\_controltower\_landing\_zone: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#34595](https://github.com/hashicorp/terraform-provider-aws/issues/34595)) - resource/aws\_media\_convert\_queue: The AWS Elemental MediaConvert service has been converted to use standard [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/mediaconvert.html#mediaconvert_region) instead of deprecated per-account endpoints ([#35615](https://github.com/hashicorp/terraform-provider-aws/issues/35615)) FEATURES: - **New Resource:** `aws_controltower_landing_zone` ([#34595](https://github.com/hashicorp/terraform-provider-aws/issues/34595)) - **New Resource:** `aws_osis_pipeline` ([#35582](https://github.com/hashicorp/terraform-provider-aws/issues/35582)) - **New Resource:** `aws_redshift_data_share_authorization` ([#35703](https://github.com/hashicorp/terraform-provider-aws/issues/35703)) - **New Resource:** `aws_securitylake_custom_log_source` ([#35354](https://github.com/hashicorp/terraform-provider-aws/issues/35354)) ENHANCEMENTS: - resource/aws\_cloudwatch\_metric\_stream: Add plan-time validation of `output_format` ([#35569](https://github.com/hashicorp/terraform-provider-aws/issues/35569)) - resource/aws\_db\_instance: Add `diag.log` and `notify.log` as valid values for `enabled_cloudwatch_logs_exports` ([#35626](https://github.com/hashicorp/terraform-provider-aws/issues/35626)) - resource/aws\_db\_instance: Add `domain_auth_secret_arn`, `domain_dns_ips`, `domain_fqdn`, and `domain_ou` arguments to support [self-managed Active Directory](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.html) ([#35500](https://github.com/hashicorp/terraform-provider-aws/issues/35500)) - resource/aws\_s3\_bucket\_metric: Add `filter.access_point` argument ([#35590](https://github.com/hashicorp/terraform-provider-aws/issues/35590)) - resource/aws\_verifiedaccess\_group: Add `sse_configuration` argument ([#34055](https://github.com/hashicorp/terraform-provider-aws/issues/34055)) BUG FIXES: - resource/aws\_db\_instance: Creating resource from point-in-time recovery now handles `password` attribute correctly ([#35589](https://github.com/hashicorp/terraform-provider-aws/issues/35589)) - resource/aws\_dynamodb\_table: Ensure that `replica`s are always set on Read ([#35630](https://github.com/hashicorp/terraform-provider-aws/issues/35630)) - resource/aws\_emr\_cluster: Properly normalize `launch_specifications.on_demand_specification.allocation_strategy` and `launch_specifications.spot_specification.allocation_strategy` values to fix perpetual state differences ([#34367](https://github.com/hashicorp/terraform-provider-aws/issues/34367)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Change `extended_s3_configuration.processing_configuration.processors.parameters` from `TypeList` to `TypeSet` as order is not significant ([#35672](https://github.com/hashicorp/terraform-provider-aws/issues/35672)) - resource/aws\_lambda\_function: Resolve consecutive diff issue in `logging_config` when values for `application_log_level` or `system_log_level` are not specified ([#35694](https://github.com/hashicorp/terraform-provider-aws/issues/35694)) - resource/aws\_lb\_listener: Fixes unexpected diff when using `default_action` parameters which don't match the `type`. ([#35678](https://github.com/hashicorp/terraform-provider-aws/issues/35678)) - resource/aws\_lb\_listener: Was incorrectly reporting conflicting `default_action[].target_group_arn` when `ignore_changes` was set. ([#35671](https://github.com/hashicorp/terraform-provider-aws/issues/35671)) - resource/aws\_lb\_listener: Was not storing `default_action[].forward` in state if only a single `target_group` was set. ([#35671](https://github.com/hashicorp/terraform-provider-aws/issues/35671)) - resource/aws\_lb\_listener\_rule: Fixes unexpected diff when using `action` parameters which don't match the `type`. ([#35678](https://github.com/hashicorp/terraform-provider-aws/issues/35678)) - resource/aws\_lb\_listener\_rule: Was incorrectly reporting conflicting `action[].target_group_arn` when `ignore_changes` was set. ([#35671](https://github.com/hashicorp/terraform-provider-aws/issues/35671)) - resource/aws\_lb\_listener\_rule: Was not storing `action[].forward` in state if only a single `target_group` was set. ([#35671](https://github.com/hashicorp/terraform-provider-aws/issues/35671)) - resource/aws\_ssm\_patch\_baseline: Mark `json` as Computed if there are content changes ([#35606](https://github.com/hashicorp/terraform-provider-aws/issues/35606)) ### [`v5.35.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.35.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.34.0...v5.35.0) FEATURES: - **New Data Source:** `aws_bedrock_custom_model` ([#34310](https://github.com/hashicorp/terraform-provider-aws/issues/34310)) - **New Data Source:** `aws_bedrock_custom_models` ([#34310](https://github.com/hashicorp/terraform-provider-aws/issues/34310)) - **New Data Source:** `aws_ssmcontacts_rotation` ([#32710](https://github.com/hashicorp/terraform-provider-aws/issues/32710)) - **New Resource:** `aws_bedrock_custom_model` ([#34310](https://github.com/hashicorp/terraform-provider-aws/issues/34310)) - **New Resource:** `aws_lexv2models_slot` ([#34617](https://github.com/hashicorp/terraform-provider-aws/issues/34617)) - **New Resource:** `aws_lexv2models_slot_type` ([#35555](https://github.com/hashicorp/terraform-provider-aws/issues/35555)) - **New Resource:** `aws_rekognition_collection` ([#35407](https://github.com/hashicorp/terraform-provider-aws/issues/35407)) - **New Resource:** `aws_sesv2_email_identity_policy` ([#35486](https://github.com/hashicorp/terraform-provider-aws/issues/35486)) - **New Resource:** `aws_ssmcontacts_rotation` ([#32710](https://github.com/hashicorp/terraform-provider-aws/issues/32710)) ENHANCEMENTS: - data-source/aws\_redshift\_cluster: Add `multi_az` attribute ([#35508](https://github.com/hashicorp/terraform-provider-aws/issues/35508)) - resource/aws\_lakeformation\_resource: Add `hybrid_access_enabled` argument ([#35571](https://github.com/hashicorp/terraform-provider-aws/issues/35571)) - resource/aws\_lakeformation\_resource: Add `with_federation` argument ([#35154](https://github.com/hashicorp/terraform-provider-aws/issues/35154)) - resource/aws\_redshift\_cluster: Add `multi_az` argument ([#35508](https://github.com/hashicorp/terraform-provider-aws/issues/35508)) - resource/aws\_redshiftserverless\_endpoint\_access: Add `owner_account` argument ([#35509](https://github.com/hashicorp/terraform-provider-aws/issues/35509)) - resource/aws\_wafv2\_rule\_group: Add `header_order` to `field_to_match` configuration blocks ([#35521](https://github.com/hashicorp/terraform-provider-aws/issues/35521)) - resource/aws\_wafv2\_web\_acl: Add `header_order`to `field_to_match` configuration blocks ([#35521](https://github.com/hashicorp/terraform-provider-aws/issues/35521)) BUG FIXES: - data-source/aws\_networkmanager\_core\_network\_policy\_document: Remove `core_network_configuration.edge_locations` maximum item limit ([#35585](https://github.com/hashicorp/terraform-provider-aws/issues/35585)) - resource/aws\_backup\_plan: Fix `InvalidParameterValueException: Invalid lifecycle. EBS Cold Tier is not yet supported` errors on resource Create in AWS GovCloud (US) ([#35560](https://github.com/hashicorp/terraform-provider-aws/issues/35560)) - resource/aws\_cognito\_user\_group: Allow import of user groups with names containing `/` ([#35501](https://github.com/hashicorp/terraform-provider-aws/issues/35501)) - resource/aws\_dms\_event\_subscription: Mark `source_ids` as Optional. This fixes a regression introduced in [v5.31.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#5310-december-15-2023) ([#35541](https://github.com/hashicorp/terraform-provider-aws/issues/35541)) - resource/aws\_efs\_file\_system: Increase `lifecycle_policy` maximum item limit to 3 ([#35522](https://github.com/hashicorp/terraform-provider-aws/issues/35522)) - resource/aws\_eks\_access\_entry: Retry IAM eventual consistency errors on create ([#35535](https://github.com/hashicorp/terraform-provider-aws/issues/35535)) - resource/aws\_finspace\_kx\_cluster: Increase `command_line_arguments` max length restriction from 50 to 1024. ([#35581](https://github.com/hashicorp/terraform-provider-aws/issues/35581)) ### [`v5.34.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.34.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.33.0...v5.34.0) FEATURES: - **New Resource:** `aws_rekognition_project` ([#35429](https://github.com/hashicorp/terraform-provider-aws/issues/35429)) - **New Resource:** `aws_route53domains_delegation_signer_record` ([#33596](https://github.com/hashicorp/terraform-provider-aws/issues/33596)) ENHANCEMENTS: - data-source/aws\_codecommit\_repository: Add `kms_key_id` attribute ([#35095](https://github.com/hashicorp/terraform-provider-aws/issues/35095)) - data-source/aws\_imagebuilder\_components: Add support for `ThirdParty` `owner` value ([#35286](https://github.com/hashicorp/terraform-provider-aws/issues/35286)) - data-source/aws\_imagebuilder\_container\_recipes: Add support for `ThirdParty` `owner` value ([#35286](https://github.com/hashicorp/terraform-provider-aws/issues/35286)) - data-source/aws\_imagebuilder\_image\_recipes: Add support for `ThirdParty` `owner` value ([#35286](https://github.com/hashicorp/terraform-provider-aws/issues/35286)) - data-source/aws\_ssm\_patch\_baseline: Add `json` attribute to facilitate use with S3 buckets ([#33402](https://github.com/hashicorp/terraform-provider-aws/issues/33402)) - resource/aws\_accessanalyzer\_analyzer: Add `configuration` configuration block ([#35310](https://github.com/hashicorp/terraform-provider-aws/issues/35310)) - resource/aws\_appflow\_flow: Add `flow_status` attribute ([#34948](https://github.com/hashicorp/terraform-provider-aws/issues/34948)) - resource/aws\_codecommit\_repository: Add `kms_key_id` argument ([#35095](https://github.com/hashicorp/terraform-provider-aws/issues/35095)) - resource/aws\_codecommit\_trigger: Add plan-time validation of `trigger.destination_arn` and `trigger.events` ([#35095](https://github.com/hashicorp/terraform-provider-aws/issues/35095)) - resource/aws\_ecs\_capacity\_provider: Add `auto_scaling_group_provider.managed_draining` argument ([#35421](https://github.com/hashicorp/terraform-provider-aws/issues/35421)) - resource/aws\_fis\_experiment\_template: Add support for `AutoScalingGroups`, `Buckets`, `ReplicationGroups`, `Tables` and `TransitGateways` to `action.*.target` ([#35300](https://github.com/hashicorp/terraform-provider-aws/issues/35300)) - resource/aws\_fsx\_openzfs\_file\_system: Add `skip_final_backup` argument ([#35320](https://github.com/hashicorp/terraform-provider-aws/issues/35320)) - resource/aws\_network\_interface\_sg\_attachment: Increase default timeouts to 3 minutes and allow them to be configured ([#35435](https://github.com/hashicorp/terraform-provider-aws/issues/35435)) - resource/aws\_prometheus\_scraper: Add `role_arn` attribute ([#35453](https://github.com/hashicorp/terraform-provider-aws/issues/35453)) - resource/aws\_route53domains\_registered\_domain: Support resource import ([#33596](https://github.com/hashicorp/terraform-provider-aws/issues/33596)) - resource/aws\_ssm\_patch\_baseline: Add `json` attribute to facilitate use with S3 buckets ([#33402](https://github.com/hashicorp/terraform-provider-aws/issues/33402)) - resource/aws\_wafv2\_web\_acl: Add `challenge_config` argument ([#35367](https://github.com/hashicorp/terraform-provider-aws/issues/35367)) BUG FIXES: - resource/aws\_codebuild\_project: Allow `build_batch_config` to be removed on Update ([#34121](https://github.com/hashicorp/terraform-provider-aws/issues/34121)) - resource/aws\_eks\_access\_entry: Mark `kubernetes_groups` as Computed ([#35391](https://github.com/hashicorp/terraform-provider-aws/issues/35391)) - resource/aws\_eks\_access\_entry: Mark `type` and `user_name` as Optional, allowing values to be configured ([#35391](https://github.com/hashicorp/terraform-provider-aws/issues/35391)) - resource/aws\_grafana\_license\_association: Fix missing `workspace_id` attribute after import ([#35290](https://github.com/hashicorp/terraform-provider-aws/issues/35290)) - resource/aws\_security\_group\_rule: Fix `UnsupportedOperation: The functionality you requested is not available in this region` errors on Read in certain partitions ([#33484](https://github.com/hashicorp/terraform-provider-aws/issues/33484)) ### [`v5.33.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.33.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.32.1...v5.33.0) FEATURES: - **New Data Source:** `aws_eks_access_entry` ([#35037](https://github.com/hashicorp/terraform-provider-aws/issues/35037)) - **New Resource:** `aws_eks_access_entry` ([#35037](https://github.com/hashicorp/terraform-provider-aws/issues/35037)) - **New Resource:** `aws_eks_access_policy_association` ([#35037](https://github.com/hashicorp/terraform-provider-aws/issues/35037)) - **New Resource:** `aws_lexv2models_intent` ([#34891](https://github.com/hashicorp/terraform-provider-aws/issues/34891)) ENHANCEMENTS: - data-source/aws\_eks\_cluster: Add `access_config` attribute ([#35037](https://github.com/hashicorp/terraform-provider-aws/issues/35037)) - data-source/aws\_secretsmanager\_secret: Add `created_date` and `last_changed_date` attributes ([#35117](https://github.com/hashicorp/terraform-provider-aws/issues/35117)) - data-source/aws\_secretsmanager\_secret\_version: Add `created_date` attribute ([#35117](https://github.com/hashicorp/terraform-provider-aws/issues/35117)) - resource/aws\_backup\_plan: Add `rule.lifecycle.opt_in_to_archive_for_supported_resources` and `rule.copy_action.lifecycle.opt_in_to_archive_for_supported_resources` and arguments ([#34994](https://github.com/hashicorp/terraform-provider-aws/issues/34994)) - resource/aws\_eks\_cluster: Add `access_config` configuration block ([#35037](https://github.com/hashicorp/terraform-provider-aws/issues/35037)) - resource/aws\_lakeformation\_resource: Add `use_service_linked_role` argument ([#35284](https://github.com/hashicorp/terraform-provider-aws/issues/35284)) - resource/aws\_secretsmanager\_secret\_rotation: Add `rotate_immediately` argument ([#35105](https://github.com/hashicorp/terraform-provider-aws/issues/35105)) BUG FIXES: - resource/aws\_datasync\_task: Allow `schedule` to be removed successfully ([#35282](https://github.com/hashicorp/terraform-provider-aws/issues/35282)) - resource/aws\_fis\_experiment\_template: Fix validation error when not using `target.resource_arns` or `target.resource_tag` attributes. ([#35254](https://github.com/hashicorp/terraform-provider-aws/issues/35254)) - resource/aws\_lb\_listener: Fix `ValidationError: Mutual Authentication mode passthrough does not support ignoring certificate expiry` errors when `mutual_authentication.mode` is set to `passthrough` ([#35289](https://github.com/hashicorp/terraform-provider-aws/issues/35289)) - resource/aws\_secretsmanager\_secret\_version: Fix `InvalidParameterException: The parameter RemoveFromVersionId can't be empty. Staging label AWSCURRENT is currently attached to version ..., so you must explicitly reference that version in RemoveFromVersionId` errors when a secret is updated outside Terraform ([#19943](https://github.com/hashicorp/terraform-provider-aws/issues/19943)) ### [`v5.32.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.32.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.32.0...v5.32.1) BUG FIXES: - data-source/aws\_ecr\_image: Fix error when `most_recent` is not also `latest` ([#35269](https://github.com/hashicorp/terraform-provider-aws/issues/35269)) - resource/aws\_iot\_ca\_certificate: Change `registration_config.role_arn` from `TypeBool` to `TypeString`, fixing `Inappropriate value for attribute "role_arn": a bool is required` errors ([#35234](https://github.com/hashicorp/terraform-provider-aws/issues/35234)) - resource/aws\_mq\_broker: Fix `interface conversion: interface {} is *schema.Set, not []string` panic ([#35265](https://github.com/hashicorp/terraform-provider-aws/issues/35265)) ### [`v5.32.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.32.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.31.0...v5.32.0) FEATURES: - **New Data Source:** `aws_mq_broker_engine_types` ([#34232](https://github.com/hashicorp/terraform-provider-aws/issues/34232)) - **New Data Source:** `aws_msk_bootstrap_brokers` ([#32484](https://github.com/hashicorp/terraform-provider-aws/issues/32484)) - **New Data Source:** `aws_verifiedpermissions_policy_store` ([#32204](https://github.com/hashicorp/terraform-provider-aws/issues/32204)) - **New Resource:** `aws_ebs_fast_snapshot_restore` ([#35211](https://github.com/hashicorp/terraform-provider-aws/issues/35211)) - **New Resource:** `aws_elasticache_serverless_cache` ([#34951](https://github.com/hashicorp/terraform-provider-aws/issues/34951)) - **New Resource:** `aws_imagebuilder_workflow` ([#35097](https://github.com/hashicorp/terraform-provider-aws/issues/35097)) - **New Resource:** `aws_kinesis_resource_policy` ([#35167](https://github.com/hashicorp/terraform-provider-aws/issues/35167)) - **New Resource:** `aws_prometheus_scraper` ([#34749](https://github.com/hashicorp/terraform-provider-aws/issues/34749)) - **New Resource:** `aws_securitylake_aws_log_source` ([#34974](https://github.com/hashicorp/terraform-provider-aws/issues/34974)) - **New Resource:** `aws_ssoadmin_application_access_scope` ([#34811](https://github.com/hashicorp/terraform-provider-aws/issues/34811)) - **New Resource:** `aws_verifiedpermissions_policy_store` ([#32204](https://github.com/hashicorp/terraform-provider-aws/issues/32204)) - **New Resource:** `aws_verifiedpermissions_policy_template` ([#32205](https://github.com/hashicorp/terraform-provider-aws/issues/32205)) - **New Resource:** `aws_verifiedpermissions_schema` ([#32204](https://github.com/hashicorp/terraform-provider-aws/issues/32204)) ENHANCEMENTS: - data-source/aws\_batch\_compute\_environment: Add `update_policy` attribute ([#34353](https://github.com/hashicorp/terraform-provider-aws/issues/34353)) - data-source/aws\_ecr\_image: Add `image_uri` attribute ([#24526](https://github.com/hashicorp/terraform-provider-aws/issues/24526)) - data-source/aws\_efs\_file\_system: Add `lifecycle_policy.transition_to_archive` attribute ([#35096](https://github.com/hashicorp/terraform-provider-aws/issues/35096)) - data-source/aws\_efs\_file\_system: Add `protection` attribute ([#35029](https://github.com/hashicorp/terraform-provider-aws/issues/35029)) - data-source/aws\_elastic\_beanstalk\_hosted\_zone: Add hosted zone ID for `il-central-1` AWS Region ([#35131](https://github.com/hashicorp/terraform-provider-aws/issues/35131)) - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `ca-west-1` AWS Region ([#35131](https://github.com/hashicorp/terraform-provider-aws/issues/35131)) - data-source/aws\_fsx\_ontap\_file\_system: Add `ha_pairs` and `throughput_capacity_per_ha_pair` attributes ([#34993](https://github.com/hashicorp/terraform-provider-aws/issues/34993)) - data-source/aws\_glue\_catalog\_table: Add `region` attribute to `target_table` block. ([#34817](https://github.com/hashicorp/terraform-provider-aws/issues/34817)) - data-source/aws\_lambda\_function: Add `logging_config` attribute ([#35050](https://github.com/hashicorp/terraform-provider-aws/issues/35050)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `ca-west-1` AWS Region ([#35131](https://github.com/hashicorp/terraform-provider-aws/issues/35131)) - data-source/aws\_lb\_target\_group: Add `load_balancing_anomaly_mitigation` attribute ([#35083](https://github.com/hashicorp/terraform-provider-aws/issues/35083)) - data-source/aws\_msk\_configuration: Remove `name` length validation ([#34399](https://github.com/hashicorp/terraform-provider-aws/issues/34399)) - data-source/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.tls_inspection_configuration_arn` attribute ([#35094](https://github.com/hashicorp/terraform-provider-aws/issues/35094)) - data-source/aws\_prometheus\_workspace: Add `kms_key_arn` attribute ([#35062](https://github.com/hashicorp/terraform-provider-aws/issues/35062)) - data-source/aws\_route53\_resolver\_endpoint: Add `protocols` attribute ([#35098](https://github.com/hashicorp/terraform-provider-aws/issues/35098)) - data-source/aws\_route53\_resolver\_endpoint: Add `resolver_endpoint_type` attribute ([#34798](https://github.com/hashicorp/terraform-provider-aws/issues/34798)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `ca-west-1` AWS Region ([#35131](https://github.com/hashicorp/terraform-provider-aws/issues/35131)) - provider: Support `ca-west-1` as a valid AWS Region ([#35131](https://github.com/hashicorp/terraform-provider-aws/issues/35131)) - resource/aws\_appflow\_flow: Add `destination_connector_properties.s3.s3_output_format_config.target_file_size` argument ([#35215](https://github.com/hashicorp/terraform-provider-aws/issues/35215)) - resource/aws\_appstream\_fleet: Increase `idle_disconnect_timeout_in_seconds` max value for validation to 360000 ([#35173](https://github.com/hashicorp/terraform-provider-aws/issues/35173)) - resource/aws\_autoscaling\_group: Add `instance_refresh.preferences.max_healthy_percentage` attribute ([#34929](https://github.com/hashicorp/terraform-provider-aws/issues/34929)) - resource/aws\_autoscaling\_group: Fix `ValidationError: The instance ... is not part of Auto Scaling group ...` errors on resource Delete when disabling scale-in protection for instances that are already fully terminated ([#35071](https://github.com/hashicorp/terraform-provider-aws/issues/35071)) - resource/aws\_batch\_compute\_environment: Add `update_policy` parameter ([#34353](https://github.com/hashicorp/terraform-provider-aws/issues/34353)) - resource/aws\_batch\_job\_definition: Add `scheduling_priority` argument and `arn_prefix` attribute ([#34997](https://github.com/hashicorp/terraform-provider-aws/issues/34997)) - resource/aws\_cloud9\_environment\_ec2: Add `amazonlinux-2023-x86_64` and `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2023-x86_64` as valid values for `image_id` ([#35020](https://github.com/hashicorp/terraform-provider-aws/issues/35020)) - resource/aws\_codepipeline: Add `pipeline_type` argument and `variable` configuration block ([#34841](https://github.com/hashicorp/terraform-provider-aws/issues/34841)) - resource/aws\_dms\_replication\_task: Allow `cdc_start_time` to use [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) formatted dates in addition to UNIX timestamps ([#31917](https://github.com/hashicorp/terraform-provider-aws/issues/31917)) - resource/aws\_dms\_replication\_task: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `replication_instance_arn`, allowing in-place migration between DMS instances ([#30721](https://github.com/hashicorp/terraform-provider-aws/issues/30721)) - resource/aws\_efs\_file\_system: Add `lifecycle_policy.transition_to_archive` argument ([#35096](https://github.com/hashicorp/terraform-provider-aws/issues/35096)) - resource/aws\_efs\_file\_system: Add `protection` configuration block ([#35029](https://github.com/hashicorp/terraform-provider-aws/issues/35029)) - resource/aws\_efs\_replication\_configuration: Increase Create timeout to 20 minutes ([#34955](https://github.com/hashicorp/terraform-provider-aws/issues/34955)) - resource/aws\_efs\_replication\_configuration: Mark `destination.file_system_id` as Optional, enabling [EFS replication fallback](https://docs.aws.amazon.com/efs/latest/ug/replication-use-cases.html#replicate-existing-destination) ([#34955](https://github.com/hashicorp/terraform-provider-aws/issues/34955)) - resource/aws\_finspace\_kx\_dataview: Increase default create, update, and delete timeouts to 4 hours ([#35207](https://github.com/hashicorp/terraform-provider-aws/issues/35207)) - resource/aws\_finspace\_kx\_scaling\_group: Increase default create, delete timeouts to 4 hours ([#35206](https://github.com/hashicorp/terraform-provider-aws/issues/35206)) - resource/aws\_fsx\_lustre\_file\_system: Allow `per_unit_storage_throughput` to be updated in-place ([#34932](https://github.com/hashicorp/terraform-provider-aws/issues/34932)) - resource/aws\_fsx\_ontap\_file\_system: Add `ha_pairs` and `throughput_capacity_per_ha_pair` arguments ([#34993](https://github.com/hashicorp/terraform-provider-aws/issues/34993)) - resource/aws\_fsx\_ontap\_file\_system: Increase maximum value of `disk_iops_configuration.iops` to `2400000` ([#34993](https://github.com/hashicorp/terraform-provider-aws/issues/34993)) - resource/aws\_fsx\_ontap\_file\_system: `throughput_capacity` is Optional ([#34993](https://github.com/hashicorp/terraform-provider-aws/issues/34993)) - resource/aws\_glue\_catalog\_table: Add `region` attribute to `target_table` block. ([#34817](https://github.com/hashicorp/terraform-provider-aws/issues/34817)) - resource/aws\_glue\_classifier: Add `csv_classifier.serde` argument ([#34251](https://github.com/hashicorp/terraform-provider-aws/issues/34251)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `opensearch_configuration.document_id_options` configuration block ([#35137](https://github.com/hashicorp/terraform-provider-aws/issues/35137)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `splunk_configuration.buffering_interval` and `splunk_configuration.buffering_size` arguments ([#35137](https://github.com/hashicorp/terraform-provider-aws/issues/35137)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Adjust `elasticsearch_configuration.buffering_interval`, `http_endpoint_configuration.buffering_interval`, `opensearch_configuration.buffering_interval`, `opensearchserverless_configuration.buffering_interval`, `redshift_configuration.s3_backup_configuration.buffering_interval`,`extended_s3_configuration.s3_backup_configuration.buffering_interval`, `elasticsearch_configuration.s3_configuration.buffering_interval`, `http_endpoint_configuration.s3_configuration.buffering_interval`, `opensearch_configuration.s3_configuration.buffering_interval`, `opensearchserverless_configuration.s3_configuration.buffering_interval`, `redshift_configuration.s3_configuration.buffering_interval` and `splunk_configuration.s3_configuration.buffering_interval` minimum values to `0` to support zero buffering ([#35137](https://github.com/hashicorp/terraform-provider-aws/issues/35137)) - resource/aws\_kms\_key: Add `xks_key_id` attribute ([#31216](https://github.com/hashicorp/terraform-provider-aws/issues/31216)) - resource/aws\_lambda\_function: Add `logging_config` configuration block in support of [advanced logging controls](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html#monitoring-cloudwatchlogs-advanced) ([#35050](https://github.com/hashicorp/terraform-provider-aws/issues/35050)) - resource/aws\_lambda\_function: Add support for `python3.12` `runtime` value ([#35049](https://github.com/hashicorp/terraform-provider-aws/issues/35049)) - resource/aws\_lambda\_layer\_version: Add support for `python3.12` `compatible_runtimes` value ([#35049](https://github.com/hashicorp/terraform-provider-aws/issues/35049)) - resource/aws\_lb\_target\_group: Add `load_balancing_anomaly_mitigation` argument ([#35083](https://github.com/hashicorp/terraform-provider-aws/issues/35083)) - resource/aws\_lb\_target\_group: Add `weighted_random` as a valid value for `load_balancing_algorithm_type` ([#35083](https://github.com/hashicorp/terraform-provider-aws/issues/35083)) - resource/aws\_neptune\_cluster: Add `storage_type` argument ([#34985](https://github.com/hashicorp/terraform-provider-aws/issues/34985)) - resource/aws\_neptune\_cluster\_instance: Add `storage_type` attribute ([#34985](https://github.com/hashicorp/terraform-provider-aws/issues/34985)) - resource/aws\_networkfirewall\_firewall: Add configurable timeouts ([#34918](https://github.com/hashicorp/terraform-provider-aws/issues/34918)) - resource/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.tls_inspection_configuration_arn` argument ([#35094](https://github.com/hashicorp/terraform-provider-aws/issues/35094)) - resource/aws\_prometheus\_workspace: Add `kms_key_arn` argument, enabling encryption at-rest using AWS KMS Customer Managed Keys (CMK) ([#35062](https://github.com/hashicorp/terraform-provider-aws/issues/35062)) - resource/aws\_redshiftserverless\_workgroup: Add `port` argument ([#34925](https://github.com/hashicorp/terraform-provider-aws/issues/34925)) - resource/aws\_route53\_resolver\_endpoint: Add `protocols` argument ([#35098](https://github.com/hashicorp/terraform-provider-aws/issues/35098)) - resource/aws\_route53\_resolver\_endpoint: Add `resolver_endpoint_type` argument ([#34798](https://github.com/hashicorp/terraform-provider-aws/issues/34798)) - resource/aws\_s3\_bucket: Modify resource Read to support third-party S3 API implementations. Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#35035](https://github.com/hashicorp/terraform-provider-aws/issues/35035)) - resource/aws\_s3\_bucket: Modify server-side encryption configuration error handling, enabling support for NetApp StorageGRID ([#34890](https://github.com/hashicorp/terraform-provider-aws/issues/34890)) - resource/aws\_transfer\_server: Add `TransferSecurityPolicy-PQ-SSH-Experimental-2023-04` and `TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04` as valid values for `security_policy_name` ([#35129](https://github.com/hashicorp/terraform-provider-aws/issues/35129)) - resource/aws\_verifiedaccess\_endpoint: Add `policy_document` argument ([#34264](https://github.com/hashicorp/terraform-provider-aws/issues/34264)) BUG FIXES: - data-source/aws\_lb\_target\_group: Change `deregistration_delay` from `TypeInt` to `TypeString` ([#31436](https://github.com/hashicorp/terraform-provider-aws/issues/31436)) - data-source/aws\_s3\_bucket\_object: Remove any leading `./` from `key` to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility ([#35223](https://github.com/hashicorp/terraform-provider-aws/issues/35223)) - data-source/aws\_s3\_object: Remove any leading `./` from `key` to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility ([#35223](https://github.com/hashicorp/terraform-provider-aws/issues/35223)) - resource/aws\_cloud9\_environment\_ec2: `image_id` is Required ([#35020](https://github.com/hashicorp/terraform-provider-aws/issues/35020)) - resource/aws\_codebuild\_project: Prevent erroneous diffs on `build_timeout` and `queued_timeout` for Lambda compute types ([#35043](https://github.com/hashicorp/terraform-provider-aws/issues/35043)) - resource/aws\_datasync\_agent: Fix import of agents created with `activation_key` by removing requirement for one of `ip_address` or `activation_key` to be set ([#35150](https://github.com/hashicorp/terraform-provider-aws/issues/35150)) - resource/aws\_dms\_replication\_config: Prevent erroneous diffs on `replication_settings` ([#34356](https://github.com/hashicorp/terraform-provider-aws/issues/34356)) - resource/aws\_dms\_replication\_task: Prevent erroneous diffs on `replication_task_settings` ([#34356](https://github.com/hashicorp/terraform-provider-aws/issues/34356)) - resource/aws\_dynamodb\_table: Fix error when waiting for snapshot to be created ([#34848](https://github.com/hashicorp/terraform-provider-aws/issues/34848)) - resource/aws\_finspace\_kx\_dataview: Properly set `arn` attribute on read, resolving persistent differences when `tags` are configured ([#34998](https://github.com/hashicorp/terraform-provider-aws/issues/34998)) - resource/aws\_glue\_catalog\_database: Properly handle out-of-band resource deletion ([#35195](https://github.com/hashicorp/terraform-provider-aws/issues/35195)) - resource/aws\_iot\_indexing\_configuration: Correct plan-time validation of `thing_indexing_configuration.filter.named_shadow_names` ([#35225](https://github.com/hashicorp/terraform-provider-aws/issues/35225)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Fix `InvalidArgumentException: Both BufferSizeInMBs and BufferIntervalInSeconds are required to configure buffering for lambda processor` errors on resource Update ([#26964](https://github.com/hashicorp/terraform-provider-aws/issues/26964)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Fix perpetual `extended_s3_configuration.processing_configuration.processors.parameters` diffs when processor type is `Lambda` ([#35137](https://github.com/hashicorp/terraform-provider-aws/issues/35137)) - resource/aws\_lambda\_function: Ensure lambda does not get deployed if `source_code_hash` does not change. ([#29921](https://github.com/hashicorp/terraform-provider-aws/issues/29921)) - resource/aws\_lb: Fix `ValidationError: Attributes cannot be empty` errors ([#35228](https://github.com/hashicorp/terraform-provider-aws/issues/35228)) - resource/aws\_lb\_target\_group: Fix diff on `stickiness.cookie_name` when `stickiness.type` is `lb_cookie` ([#31436](https://github.com/hashicorp/terraform-provider-aws/issues/31436)) - resource/aws\_memorydb\_cluster: Treat `snapshotting` status as pending when creating cluster ([#31077](https://github.com/hashicorp/terraform-provider-aws/issues/31077)) - resource/aws\_ram\_principal\_association: Fix `reading RAM Resource Share (...) Principal Association (...): couldn't find resource (21 retries)` errors when a high number of principals are associated with a resource share ([#34738](https://github.com/hashicorp/terraform-provider-aws/issues/34738)) - resource/aws\_s3\_bucket\_object: Remove any leading `./` from `key` to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility ([#35223](https://github.com/hashicorp/terraform-provider-aws/issues/35223)) - resource/aws\_s3\_object: Remove any leading `./` from `key` to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility ([#35223](https://github.com/hashicorp/terraform-provider-aws/issues/35223)) - resource/aws\_s3\_object\_copy: Remove any leading `./` from `key` to maintain AWS SDK for Go v1 (pre-v5.17.0) compatibility ([#35223](https://github.com/hashicorp/terraform-provider-aws/issues/35223)) - resource/aws\_secretsmanager\_secret\_rotation: No longer ignores changes to `rotation_rules.automatically_after_days` when `rotation_rules.schedule_expression` is set. ([#35024](https://github.com/hashicorp/terraform-provider-aws/issues/35024)) - resource/aws\_ses\_configuration\_set: Fix `tracking_options` being omitted from state and resulting in persistent diff ([#35056](https://github.com/hashicorp/terraform-provider-aws/issues/35056)) - resource/aws\_ssoadmin\_application: Fix `portal_options.sign_in_options.application_url` triggering `ValidationError` when unset ([#34967](https://github.com/hashicorp/terraform-provider-aws/issues/34967)) ### [`v5.31.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.31.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.30.0...v5.31.0) FEATURES: - **New Data Source:** `aws_polly_voices` ([#34916](https://github.com/hashicorp/terraform-provider-aws/issues/34916)) - **New Data Source:** `aws_ssoadmin_application_assignments` ([#34796](https://github.com/hashicorp/terraform-provider-aws/issues/34796)) - **New Data Source:** `aws_ssoadmin_principal_application_assignments` ([#34815](https://github.com/hashicorp/terraform-provider-aws/issues/34815)) - **New Resource:** `aws_finspace_kx_dataview` ([#34828](https://github.com/hashicorp/terraform-provider-aws/issues/34828)) - **New Resource:** `aws_finspace_kx_scaling_group` ([#34832](https://github.com/hashicorp/terraform-provider-aws/issues/34832)) - **New Resource:** `aws_finspace_kx_volume` ([#34833](https://github.com/hashicorp/terraform-provider-aws/issues/34833)) - **New Resource:** `aws_ssoadmin_trusted_token_issuer` ([#34839](https://github.com/hashicorp/terraform-provider-aws/issues/34839)) ENHANCEMENTS: - data-source/aws\_cloudwatch\_log\_group: Add `log_group_class` attribute ([#34812](https://github.com/hashicorp/terraform-provider-aws/issues/34812)) - data-source/aws\_dms\_endpoint: Add `postgres_settings` attribute ([#34724](https://github.com/hashicorp/terraform-provider-aws/issues/34724)) - data-source/aws\_lb: Add `connection_logs` attribute ([#34864](https://github.com/hashicorp/terraform-provider-aws/issues/34864)) - data-source/aws\_lb: Add `dns_record_client_routing_policy` attribute ([#34135](https://github.com/hashicorp/terraform-provider-aws/issues/34135)) - data-source/aws\_opensearchserverless\_collection: Add `standby_replicas` attribute ([#34677](https://github.com/hashicorp/terraform-provider-aws/issues/34677)) - resource/aws\_db\_instance: Add support for IBM Db2 databases ([#34834](https://github.com/hashicorp/terraform-provider-aws/issues/34834)) - resource/aws\_dms\_endpoint: Add `elasticsearch_settings.use_new_mapping_type` argument ([#29470](https://github.com/hashicorp/terraform-provider-aws/issues/29470)) - resource/aws\_dms\_endpoint: Add `postgres_settings` configuration block ([#34724](https://github.com/hashicorp/terraform-provider-aws/issues/34724)) - resource/aws\_finspace\_kx\_cluster: Add `database.dataview_name`, `scaling_group_configuration`, and `tickerplant_log_configuration` arguments. ([#34831](https://github.com/hashicorp/terraform-provider-aws/issues/34831)) - resource/aws\_finspace\_kx\_cluster: The `capacity_configuration` argument is now optional. ([#34831](https://github.com/hashicorp/terraform-provider-aws/issues/34831)) - resource/aws\_lb: Add `connection_logs` configuration block ([#34864](https://github.com/hashicorp/terraform-provider-aws/issues/34864)) - resource/aws\_lb: Add plan-time validation that exactly one of either `subnets` or `subnet_mapping` is configured ([#33205](https://github.com/hashicorp/terraform-provider-aws/issues/33205)) - resource/aws\_lb: Allow the number of `subnet_mapping`s for Application Load Balancers to be changed without recreating the resource ([#33205](https://github.com/hashicorp/terraform-provider-aws/issues/33205)) - resource/aws\_lb: Allow the number of `subnet_mapping`s for Network Load Balancers to be increased without recreating the resource ([#33205](https://github.com/hashicorp/terraform-provider-aws/issues/33205)) - resource/aws\_lb: Allow the number of `subnets` for Network Load Balancers to be increased without recreating the resource ([#33205](https://github.com/hashicorp/terraform-provider-aws/issues/33205)) - resource/aws\_opensearchserverless\_collection: Add `standby_replicas` attribute ([#34677](https://github.com/hashicorp/terraform-provider-aws/issues/34677)) BUG FIXES: - data-source/aws\_ecr\_pull\_through\_cache\_rule: Fix plan time validation for `ecr_repository_prefix` ([#34716](https://github.com/hashicorp/terraform-provider-aws/issues/34716)) - provider: Always use the S3 regional endpoint in `us-east-1` for S3 directory bucket operations. This fixes `no such host` errors ([#34893](https://github.com/hashicorp/terraform-provider-aws/issues/34893)) - resource/aws\_appmesh\_virtual\_node: Remove limit of 50 `backend`s per virtual node ([#34774](https://github.com/hashicorp/terraform-provider-aws/issues/34774)) - resource/aws\_cloudwatch\_log\_group: Fix `invalid new value for .skip_destroy: was cty.False, but now null` errors ([#30354](https://github.com/hashicorp/terraform-provider-aws/issues/30354)) - resource/aws\_cloudwatch\_log\_group: Remove default value (`STANDARD`) for `log_group_class` argument and mark as Computed. This fixes `InvalidParameterException: Only Standard log class is supported` errors in AWS Regions other than AWS Commercial ([#34812](https://github.com/hashicorp/terraform-provider-aws/issues/34812)) - resource/aws\_db\_instance: Fix error where Terraform loses track of resource if Blue/Green Deployment is applied outside of Terraform ([#34728](https://github.com/hashicorp/terraform-provider-aws/issues/34728)) - resource/aws\_dms\_event\_subscription: `source_ids` and `source_type` are Required ([#33731](https://github.com/hashicorp/terraform-provider-aws/issues/33731)) - resource/aws\_ecr\_pull\_through\_cache\_rule: Fix plan time validation for `ecr_repository_prefix` ([#34716](https://github.com/hashicorp/terraform-provider-aws/issues/34716)) - resource/aws\_lb: Correct in-place update of `security_groups` for Network Load Balancers when the new value is Computed ([#33205](https://github.com/hashicorp/terraform-provider-aws/issues/33205)) - resource/aws\_lb: Fix `InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'` errors on resource Create in AWS GovCloud (US) ([#34135](https://github.com/hashicorp/terraform-provider-aws/issues/34135)) - resource/aws\_medialive\_channel: Fixed errors related to setting the `failover_condition` argument ([#33410](https://github.com/hashicorp/terraform-provider-aws/issues/33410)) - resource/aws\_securitylake\_data\_lake: Fix `reflect.Set: value of type basetypes.StringValue is not assignable to type types.ARN` panic when importing resources with `nil` ARN fields ([#34820](https://github.com/hashicorp/terraform-provider-aws/issues/34820)) - resource/aws\_vpc: Increase IPAM pool allocation deletion timeout from 20 minutes to 35 minutes ([#34859](https://github.com/hashicorp/terraform-provider-aws/issues/34859)) ### [`v5.30.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.30.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.29.0...v5.30.0) FEATURES: - **New Data Source:** `aws_codeguruprofiler_profiling_group` ([#34672](https://github.com/hashicorp/terraform-provider-aws/issues/34672)) - **New Data Source:** `aws_ecr_repositories` ([#34446](https://github.com/hashicorp/terraform-provider-aws/issues/34446)) - **New Data Source:** `aws_lb_trust_store` ([#34584](https://github.com/hashicorp/terraform-provider-aws/issues/34584)) - **New Data Source:** `aws_ssoadmin_application` ([#34773](https://github.com/hashicorp/terraform-provider-aws/issues/34773)) - **New Data Source:** `aws_ssoadmin_application_providers` ([#34670](https://github.com/hashicorp/terraform-provider-aws/issues/34670)) - **New Resource:** `aws_codeguruprofiler_profiling_group` ([#34672](https://github.com/hashicorp/terraform-provider-aws/issues/34672)) - **New Resource:** `aws_customerprofiles_domain` ([#34622](https://github.com/hashicorp/terraform-provider-aws/issues/34622)) - **New Resource:** `aws_customerprofiles_profile` ([#34622](https://github.com/hashicorp/terraform-provider-aws/issues/34622)) - **New Resource:** `aws_lb_trust_store` ([#34584](https://github.com/hashicorp/terraform-provider-aws/issues/34584)) - **New Resource:** `aws_lb_trust_store_revocation` ([#34584](https://github.com/hashicorp/terraform-provider-aws/issues/34584)) - **New Resource:** `aws_securitylake_data_lake` ([#34521](https://github.com/hashicorp/terraform-provider-aws/issues/34521)) - **New Resource:** `aws_ssoadmin_application` ([#34723](https://github.com/hashicorp/terraform-provider-aws/issues/34723)) - **New Resource:** `aws_ssoadmin_application_assignment` ([#34741](https://github.com/hashicorp/terraform-provider-aws/issues/34741)) - **New Resource:** `aws_ssoadmin_application_assignment_configuration` ([#34752](https://github.com/hashicorp/terraform-provider-aws/issues/34752)) ENHANCEMENTS: - data-source/aws\_appconfig\_configuration\_profile: Add `kms_key_identifier` attribute ([#34725](https://github.com/hashicorp/terraform-provider-aws/issues/34725)) - data-source/aws\_lb: Add `enforce_security_group_inbound_rules_on_private_link_traffic` attribute ([#33767](https://github.com/hashicorp/terraform-provider-aws/issues/33767)) - data-source/aws\_lb\_listener: Add `mutual_authentication` attribute ([#34584](https://github.com/hashicorp/terraform-provider-aws/issues/34584)) - resource/aws\_appconfig\_configuration\_profile: Add `kms_key_identifier` attribute ([#34725](https://github.com/hashicorp/terraform-provider-aws/issues/34725)) - resource/aws\_appconfig\_deployment: Add `kms_key_identifier` attribute ([#34739](https://github.com/hashicorp/terraform-provider-aws/issues/34739)) - resource/aws\_cloudwatch\_log\_group: Add `log_group_class` argument ([#34679](https://github.com/hashicorp/terraform-provider-aws/issues/34679)) - resource/aws\_lb: Add `enforce_security_group_inbound_rules_on_private_link_traffic` argument ([#33767](https://github.com/hashicorp/terraform-provider-aws/issues/33767)) - resource/aws\_lb\_listener: Add `mutual_authentication` configuration block ([#34584](https://github.com/hashicorp/terraform-provider-aws/issues/34584)) - resource/aws\_s3\_bucket: Fix `stack overflow` fatal errors on resource Delete when `force_destroy` is `true` and the bucket contains delete markers ([#34712](https://github.com/hashicorp/terraform-provider-aws/issues/34712)) - resource/aws\_sagemaker\_app: Add `resource_spec.sagemaker_image_version_alias` argument ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_app\_image\_config: Add `jupyter_lab_image_config` configuration block ([#34696](https://github.com/hashicorp/terraform-provider-aws/issues/34696)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.code_editor_app_settings`, `default_user_settings.custom_file_system_config`, `default_user_settings.custom_posix_user_config`, `default_user_settings.default_landing_uri`, `default_user_settings.jupyter_lab_app_settings`, `default_user_settings.space_storage_settings`, `default_user_settings.studio_web_portal` arguments ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_domain: Add `sagemaker_image_version_alias` argument under all `default_resource_spec` blocks ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_domain: Add `single_sign_on_application_arn` attribute ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_space: Add `sagemaker_image_version_alias` argument under all `default_resource_spec` blocks ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_space: Add `space_display_name` argument ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_space: Add `url` attribute ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_user\_profile: Add `sagemaker_image_version_alias` argument under all `default_resource_spec` blocks ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.code_editor_app_settings`, `user_settings.custom_file_system_config`, `user_settings.custom_posix_user_config`, `user_settings.default_landing_uri`, `user_settings.jupyter_lab_app_settings`, `user_settings.space_storage_settings`, `user_settings.studio_web_portal` arguments ([#34729](https://github.com/hashicorp/terraform-provider-aws/issues/34729)) - resource/aws\_transfer\_server: Add support for `TransferSecurityPolicy-FIPS-2023-05` `security_policy_name` value ([#34709](https://github.com/hashicorp/terraform-provider-aws/issues/34709)) BUG FIXES: - resource/aws\_ami: Correctly sets `deprecation_time` on creation and update due to eventual consistency ([#34691](https://github.com/hashicorp/terraform-provider-aws/issues/34691)) - resource/aws\_ami: Correctly sets `description` on update due to eventual consistency ([#34691](https://github.com/hashicorp/terraform-provider-aws/issues/34691)) - resource/aws\_ami: Now allows removing `deprecation_time` ([#34691](https://github.com/hashicorp/terraform-provider-aws/issues/34691)) - resource/aws\_appflow\_flow: Fix perpetual diff on `destination_flow_config` ([#34770](https://github.com/hashicorp/terraform-provider-aws/issues/34770)) - resource/aws\_backup\_vault\_policy: Fix eventual consistency error when waiting for IAM ([#34671](https://github.com/hashicorp/terraform-provider-aws/issues/34671)) - resource/aws\_eks\_pod\_identity\_association: Retry IAM eventual consistency errors on create and update ([#34717](https://github.com/hashicorp/terraform-provider-aws/issues/34717)) - resource/aws\_glue\_connection: Fix crash while creating resource with empty `physical_connection_requirements` configuration block ([#34737](https://github.com/hashicorp/terraform-provider-aws/issues/34737)) ### [`v5.29.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.29.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.28.0...v5.29.0) FEATURES: - **New Resource:** `aws_docdbelastic_cluster` ([#31033](https://github.com/hashicorp/terraform-provider-aws/issues/31033)) - **New Resource:** `aws_eks_pod_identity_association` ([#34566](https://github.com/hashicorp/terraform-provider-aws/issues/34566)) ENHANCEMENTS: - resource/aws\_docdb\_cluster: Add `storage_type` argument ([#34637](https://github.com/hashicorp/terraform-provider-aws/issues/34637)) - resource/aws\_neptune\_parameter\_group: Add `name_prefix` argument ([#34500](https://github.com/hashicorp/terraform-provider-aws/issues/34500)) BUG FIXES: - resource/aws\_networkmanager\_attachment\_accepter: Now revokes attachment on deletion for VPC Attachments ([#34547](https://github.com/hashicorp/terraform-provider-aws/issues/34547)) - resource/aws\_networkmanager\_vpc\_attachment: Fixes error when modifying `options` fields while waiting for acceptance ([#34547](https://github.com/hashicorp/terraform-provider-aws/issues/34547)) - resource/aws\_networkmanager\_vpc\_attachment: Fixes error where VPC Attachments waiting for acceptance could not be deleted ([#34547](https://github.com/hashicorp/terraform-provider-aws/issues/34547)) - resource/aws\_s3\_directory\_bucket: Fix `NotImplemented: This bucket does not support Object Versioning` errors on resource Delete when `force_destroy` is `true` ([#34647](https://github.com/hashicorp/terraform-provider-aws/issues/34647)) ### [`v5.28.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.28.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.27.0...v5.28.0) FEATURES: - **New Data Source:** `aws_s3_directory_buckets` ([#34612](https://github.com/hashicorp/terraform-provider-aws/issues/34612)) - **New Resource:** `aws_s3_directory_bucket` ([#34612](https://github.com/hashicorp/terraform-provider-aws/issues/34612)) ENHANCEMENTS: - resource/aws\_s3control\_access\_grants\_instance: Add `identity_center_arn` argument and `identity_center_application_arn` attribute ([#34582](https://github.com/hashicorp/terraform-provider-aws/issues/34582)) BUG FIXES: - resource/aws\_elaticache\_replication\_group: Fix regression caused by the introduction of the `auth_token_update_strategy` argument with a default value ([#34600](https://github.com/hashicorp/terraform-provider-aws/issues/34600)) ### [`v5.27.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.27.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.26.0...v5.27.0) NOTES: - provider: This release includes an update to the AWS SDK for Go v2 with breaking type changes to several services: `internetmonitor`, `ivschat`, `pipes`, and `s3`. These changes primarily affect how arguments with default values are serialized for outbound requests, changing scalar types to pointers. See [this AWS SDK for Go V2 issue](https://github.com/aws/aws-sdk-go-v2/issues/2162) for additional context. The corresponding provider changes should make this breakfix transparent to users, but as with any breaking change there is the potential for missed edge cases. If errors are observed in the impacted resources, please link to this dependency update pull request in the bug report ([#34476](https://github.com/hashicorp/terraform-provider-aws/issues/34476)) FEATURES: - **New Data Source:** `aws_emr_supported_instance_types` ([#34481](https://github.com/hashicorp/terraform-provider-aws/issues/34481)) - **New Resource:** `aws_apprunner_default_auto_scaling_configuration_version` ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - **New Resource:** `aws_lexv2models_bot_version` ([#33858](https://github.com/hashicorp/terraform-provider-aws/issues/33858)) - **New Resource:** `aws_s3control_access_grant` ([#34564](https://github.com/hashicorp/terraform-provider-aws/issues/34564)) - **New Resource:** `aws_s3control_access_grants_instance` ([#34564](https://github.com/hashicorp/terraform-provider-aws/issues/34564)) - **New Resource:** `aws_s3control_access_grants_instance_resource_policy` ([#34564](https://github.com/hashicorp/terraform-provider-aws/issues/34564)) - **New Resource:** `aws_s3control_access_grants_location` ([#34564](https://github.com/hashicorp/terraform-provider-aws/issues/34564)) ENHANCEMENTS: - resource/aws\_apprunner\_auto\_scaling\_configuration\_version: Add `has_associated_service` and `is_default` attributes ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - resource/aws\_apprunner\_service: Add `network_configuration.ip_address_type` argument ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - resource/aws\_apprunner\_service: Add `source_configuration.code_repository.source_directory` argument to support monorepos ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - resource/aws\_apprunner\_service: Allow `health_check_configuration` to be updated in-place ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - resource/aws\_cloudwatch\_event\_rule: Add `state` parameter and deprecate `is_enabled` parameter ([#34510](https://github.com/hashicorp/terraform-provider-aws/issues/34510)) - resource/aws\_elaticache\_replication\_group: Add `auth_token_update_strategy` argument ([#34460](https://github.com/hashicorp/terraform-provider-aws/issues/34460)) - resource/aws\_lambda\_function: Add support for `java21` `runtime` value ([#34476](https://github.com/hashicorp/terraform-provider-aws/issues/34476)) - resource/aws\_lambda\_function: Add support for `python3.12` `runtime` value ([#34533](https://github.com/hashicorp/terraform-provider-aws/issues/34533)) - resource/aws\_lambda\_layer\_version: Add support for `java21` `compatible_runtimes` value ([#34476](https://github.com/hashicorp/terraform-provider-aws/issues/34476)) - resource/aws\_lambda\_layer\_version: Add support for `python3.12` `compatible_runtimes` value ([#34533](https://github.com/hashicorp/terraform-provider-aws/issues/34533)) - resource/aws\_s3\_bucket\_logging: Add `target_object_key_format` configuration block to support [automatic date-based partitioning](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html#server-access-logging-overview) ([#34504](https://github.com/hashicorp/terraform-provider-aws/issues/34504)) BUG FIXES: - resource/aws\_appflow\_flow: Fix `InvalidParameter: 2 validation error(s) found` error when `destination_flow_config` or `task` is updated ([#34456](https://github.com/hashicorp/terraform-provider-aws/issues/34456)) - resource/aws\_appflow\_flow: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic ([#34456](https://github.com/hashicorp/terraform-provider-aws/issues/34456)) - resource/aws\_apprunner\_service: Correctly set `service_url` for private services ([#34292](https://github.com/hashicorp/terraform-provider-aws/issues/34292)) - resource/aws\_glue\_trigger: Fix `ConcurrentModificationException: Workflow <workflowName> was modified while adding trigger <triggerName>` errors ([#34530](https://github.com/hashicorp/terraform-provider-aws/issues/34530)) - resource/aws\_lb\_target\_group: Adds plan- and apply-time validation for invalid parameter combinations ([#34488](https://github.com/hashicorp/terraform-provider-aws/issues/34488)) - resource/aws\_lexv2\_bot\_locale: Fix `voice_settings.engine` validation, value conversion errors ([#34532](https://github.com/hashicorp/terraform-provider-aws/issues/34532)) - resource/aws\_lexv2models\_bot: Properly send `type` argument on create and update when configured ([#34524](https://github.com/hashicorp/terraform-provider-aws/issues/34524)) - resource/aws\_pipes\_pipe: Fix error when zero value is sent to `source_parameters` on update ([#34487](https://github.com/hashicorp/terraform-provider-aws/issues/34487)) ### [`v5.26.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.26.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.25.0...v5.26.0) FEATURES: - **New Data Source:** `aws_iot_registration_code` ([#15098](https://github.com/hashicorp/terraform-provider-aws/issues/15098)) - **New Resource:** `aws_iot_billing_group` ([#31237](https://github.com/hashicorp/terraform-provider-aws/issues/31237)) - **New Resource:** `aws_iot_ca_certificate` ([#15098](https://github.com/hashicorp/terraform-provider-aws/issues/15098)) - **New Resource:** `aws_iot_event_configurations` ([#31237](https://github.com/hashicorp/terraform-provider-aws/issues/31237)) ENHANCEMENTS: - data-source/aws\_autoscaling\_group: Add `instance_maintenance_policy` attribute ([#34430](https://github.com/hashicorp/terraform-provider-aws/issues/34430)) - provider: Adds `https_proxy` and `no_proxy` parameters. ([#34243](https://github.com/hashicorp/terraform-provider-aws/issues/34243)) - resource/aws\_autoscaling\_group: Add `instance_maintenance_policy` configuration block ([#34430](https://github.com/hashicorp/terraform-provider-aws/issues/34430)) - resource/aws\_finspace\_kx\_cluster: Increase default create and update timeouts to 4 hours to allow for increased startup times with large volumes of cached data ([#34398](https://github.com/hashicorp/terraform-provider-aws/issues/34398)) - resource/aws\_finspace\_kx\_environment: Increase default delete timeout to 75 minutes ([#34398](https://github.com/hashicorp/terraform-provider-aws/issues/34398)) - resource/aws\_iam\_group\_policy\_attachment: Add plan-time validation of `policy_arn` ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_policy\_attachment: Add plan-time validation of `policy_arn` ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_role\_policy\_attachment: Add plan-time validation of `policy_arn` ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_user\_policy\_attachment: Add plan-time validation of `policy_arn` ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iot\_ca\_certificate: Add `ca_certificate_id` attribute ([#15098](https://github.com/hashicorp/terraform-provider-aws/issues/15098)) - resource/aws\_iot\_policy: Add configurable timeouts ([#34329](https://github.com/hashicorp/terraform-provider-aws/issues/34329)) - resource/aws\_iot\_policy: When updating the resource, delete the oldest non-default version of the policy if creating a new version would exceed the maximum number of versions (5) ([#34329](https://github.com/hashicorp/terraform-provider-aws/issues/34329)) - resource/aws\_lambda\_function: Add support for `nodejs20.x` and `provided.al2023` `runtime` values ([#34401](https://github.com/hashicorp/terraform-provider-aws/issues/34401)) - resource/aws\_lambda\_layer\_version: Add support for `nodejs20.x` and `provided.al2023` `compatible_runtimes` values ([#34401](https://github.com/hashicorp/terraform-provider-aws/issues/34401)) - resource/aws\_quicksight\_analysis: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Add `number_display_format_configuration` and `percentage_display_format_configuration` to nested `numeric_format_configuration` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Add `number_display_format_configuration` and `percentage_display_format_configuration` to nested `numeric_format_configuration` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.sparkline` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Add `definition.sheets.visuals.kpi_visual.chart_configuration.kpi_options.visual_layout_options` attribute ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Add `number_display_format_configuration` and `percentage_display_format_configuration` to nested `numeric_format_configuration` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_rds\_cluster: Add `delete_automated_backups` argument ([#34309](https://github.com/hashicorp/terraform-provider-aws/issues/34309)) BUG FIXES: - resource/aws\_chime\_voice\_connector: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chime\_voice\_connector\_group: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chime\_voice\_connector\_logging: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chime\_voice\_connector\_origination: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chime\_voice\_connector\_termination: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chime\_voice\_connector\_termination\_credentials: Fix `read` error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chimesdkmediapipelines\_media\_insights\_pipeline\_configuration: Fix eventual consistency error when resource is not created in `us-east-1` ([#34334](https://github.com/hashicorp/terraform-provider-aws/issues/34334)) - resource/aws\_chimesdkvoice\_sip\_media\_application: Fix eventual consistency errors when not using `us-east-1` ([#34426](https://github.com/hashicorp/terraform-provider-aws/issues/34426)) - resource/aws\_chimesdkvoice\_sip\_rule: Fix eventual consistency errors when not using `us-east-1` ([#34426](https://github.com/hashicorp/terraform-provider-aws/issues/34426)) - resource/aws\_elasticache\_user: Fix `UserNotFound: ... is not available for tagging` errors on resource Read when there is a concurrent update to the user ([#34396](https://github.com/hashicorp/terraform-provider-aws/issues/34396)) - resource/aws\_grafana\_workspace\_api\_key: Change `key` to [`Sensitive`](https://developer.hashicorp.com/terraform/plugin/best-practices/sensitive-state#using-sensitive-flag-functionality) ([#34105](https://github.com/hashicorp/terraform-provider-aws/issues/34105)) - resource/aws\_iam\_group\_policy\_attachment: Retry `ConcurrentModificationException` errors on create and delete ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_policy\_attachment: Retry `ConcurrentModificationException` errors on create and delete ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_role\_policy\_attachment: Retry `ConcurrentModificationException` errors on create and delete ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_iam\_user\_policy\_attachment: Retry `ConcurrentModificationException` errors on create and delete ([#34378](https://github.com/hashicorp/terraform-provider-aws/issues/34378)) - resource/aws\_inspector2\_delegated\_admin\_account: Fix `errors: *target must be interface or implement error` panic ([#34424](https://github.com/hashicorp/terraform-provider-aws/issues/34424)) - resource/aws\_inspector2\_enabler: Fix `interface conversion: interface {} is nil, not map[string]inspector2.AccountResourceStatus` panic ([#34424](https://github.com/hashicorp/terraform-provider-aws/issues/34424)) - resource/aws\_iot\_ca\_certificate: Change `ca_pem` and `certificate_pem` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#15098](https://github.com/hashicorp/terraform-provider-aws/issues/15098)) - resource/aws\_iot\_policy: Retry `DeleteConflictException` errors on delete ([#34329](https://github.com/hashicorp/terraform-provider-aws/issues/34329)) - resource/aws\_quicksight\_analysis: Fix handling of the nested `number_scale`, `prefix`, and `suffix` integer arguments ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Fix handling of the nested `rolling_date` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Fix handling of the nested `select_all_options` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Fix handling of the nested `visual_ids` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Fixes to various optional blocks utilizing the shared column schema definition ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_analysis: Nested `column_index` and `row_index` arguments now properly handle zero values ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Fix handling of the nested `number_scale`, `prefix`, and `suffix` integer arguments ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Fix handling of the nested `rolling_date` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Fix handling of the nested `select_all_options` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Fix handling of the nested `visual_ids` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Fixes to various optional blocks utilizing the shared column schema definition ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_dashboard: Nested `column_index` and `row_index` arguments now properly handle zero values ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_data\_set: Increase `permissions.actions` maximum item limit to 20, aligning with the AWS API limits ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_data\_source: Set all parameters to update aws\_quicksight\_data\_source ([#33061](https://github.com/hashicorp/terraform-provider-aws/issues/33061)) - resource/aws\_quicksight\_template: Fix handling of the nested `number_scale`, `prefix`, and `suffix` integer arguments ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Fix handling of the nested `rolling_date` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Fix handling of the nested `select_all_options` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Fix handling of the nested `visual_ids` argument ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Fixes to various optional blocks utilizing the shared column schema definition ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_quicksight\_template: Nested `column_index` and `row_index` arguments now properly handle zero values ([#33931](https://github.com/hashicorp/terraform-provider-aws/issues/33931)) - resource/aws\_sagemaker\_user\_profile: Change `default_user_settings.canvas_app_settings.identity_provider_oauth_settings` from TypeSet to TypeList, preventing `interface conversion: interface {} is *schema.Set, not []interface {}` panics ([#34418](https://github.com/hashicorp/terraform-provider-aws/issues/34418)) - resource/aws\_synthetics\_canary: Fix to properly suppress differences when `expression` is `rate(0 minutes)` ([#34084](https://github.com/hashicorp/terraform-provider-aws/issues/34084)) - resource/aws\_vpn\_connection: Fix `UnsupportedOperation: The tunnel inside ip version parameter is not currently supported in this region` error when creating connections in certain partitions and Regions ([#34420](https://github.com/hashicorp/terraform-provider-aws/issues/34420)) ### [`v5.25.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.25.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.24.0...v5.25.0) NOTES: - resource/aws\_cloudtrail: The resource's [import ID](https://developer.hashicorp.com/terraform/language/import#import-id) has changed from `name` to `arn` ([#30758](https://github.com/hashicorp/terraform-provider-aws/issues/30758)) FEATURES: - **New Data Source:** `aws_apigatewayv2_vpc_link` ([#33974](https://github.com/hashicorp/terraform-provider-aws/issues/33974)) - **New Data Source:** `aws_athena_named_query` ([#24815](https://github.com/hashicorp/terraform-provider-aws/issues/24815)) - **New Data Source:** `aws_bedrock_foundation_model` ([#34148](https://github.com/hashicorp/terraform-provider-aws/issues/34148)) - **New Data Source:** `aws_bedrock_foundation_models` ([#34148](https://github.com/hashicorp/terraform-provider-aws/issues/34148)) - **New Resource:** `aws_athena_prepared_statement` ([#33417](https://github.com/hashicorp/terraform-provider-aws/issues/33417)) - **New Resource:** `aws_lexv2models_bot_locale` ([#33949](https://github.com/hashicorp/terraform-provider-aws/issues/33949)) ENHANCEMENTS: - provider: Adds SSO API endpoint override parameter `endpoints.sso` ([#34302](https://github.com/hashicorp/terraform-provider-aws/issues/34302)) - resource/aws\_appflow\_connector\_profile: Add `jwt_token` and `oauth2_grant_type` arguments to the `connector_profile_config.connector_profile_credentials.salesforce` block. ([#34248](https://github.com/hashicorp/terraform-provider-aws/issues/34248)) - resource/aws\_autoscaling\_group: Add plan-time validation of `initial_lifecycle_hook.default_result`, `initial_lifecycle_hook.heartbeat_timeout`, `initial_lifecycle_hook.lifecycle_transition`, `initial_lifecycle_hook.name`, `initial_lifecycle_hook.notification_target_arn` and `initial_lifecycle_hook.role_arn` ([#12145](https://github.com/hashicorp/terraform-provider-aws/issues/12145)) - resource/aws\_autoscaling\_lifecycle\_hook: Add plan-time validation of `default_result`, `heartbeat_timeout`, `lifecycle_transition`, `name`, `notification_target_arn` and `role_arn` ([#12145](https://github.com/hashicorp/terraform-provider-aws/issues/12145)) - resource/aws\_datasync\_task: Add `task_report_config` argument ([#33861](https://github.com/hashicorp/terraform-provider-aws/issues/33861)) - resource/aws\_db\_instance: Add `postgres` as a valid `engine` value for blue/green deployments ([#34216](https://github.com/hashicorp/terraform-provider-aws/issues/34216)) - resource/aws\_dms\_endpoint: Add `pause_replication_tasks`, which when set to `true`, pauses associated running replication tasks, regardless if they are managed by Terraform, prior to modifying the endpoint (only tasks paused by the resource will be restarted after the modification completes) ([#34316](https://github.com/hashicorp/terraform-provider-aws/issues/34316)) - resource/aws\_eks\_cluster: Allow `vpc_config.security_group_ids` and `vpc_config.subnet_ids` to be updated in-place ([#32409](https://github.com/hashicorp/terraform-provider-aws/issues/32409)) - resource/aws\_inspector2\_organization\_configuration: Add `lambda_code` argument to the `auto_enable` configuration block ([#34261](https://github.com/hashicorp/terraform-provider-aws/issues/34261)) - resource/aws\_route53\_record: Allow import of records with an empty record name. ([#34212](https://github.com/hashicorp/terraform-provider-aws/issues/34212)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.canvas_app_settings.direct_deploy_settings`, `default_user_settings.canvas_app_settings.identity_provider_oauth_settings` and `default_user_settings.canvas_app_settings.kendra_settings` arguments ([#34265](https://github.com/hashicorp/terraform-provider-aws/issues/34265)) - resource/aws\_sagemaker\_domain: Change `default_space_settings.kernel_gateway_app_settings.custom_image`, `default_user_settings.kernel_gateway_app_settings.custom_image` and `default_user_settings.r_session_app_settings.custom_image` `MaxItems` from `30` to `200` ([#34265](https://github.com/hashicorp/terraform-provider-aws/issues/34265)) - resource/aws\_sagemaker\_feature\_group: Add `offline_store_config.s3_storage_config.resolved_output_s3_uri`, `online_store_config.storage_type` and `online_store_config.ttl_duration` arguments ([#34283](https://github.com/hashicorp/terraform-provider-aws/issues/34283)) - resource/aws\_sagemaker\_feature\_group: Allow `online_store_config.ttl_duration` to be updated in-place ([#34283](https://github.com/hashicorp/terraform-provider-aws/issues/34283)) - resource/aws\_sagemaker\_model: Add `container.model_data_source` and `primary_container.model_data_source` configuration blocks ([#34158](https://github.com/hashicorp/terraform-provider-aws/issues/34158)) - resource/aws\_sagemaker\_space: Change `space_settings.kernel_gateway_app_settings.custom_image` `MaxItems` from `30` to `200` ([#34265](https://github.com/hashicorp/terraform-provider-aws/issues/34265)) - resource/aws\_sagemaker\_user\_profile: Add `default_user_settings.canvas_app_settings.direct_deploy_settings`, `default_user_settings.canvas_app_settings.identity_provider_oauth_settings` and `default_user_settings.canvas_app_settings.kendra_settings` arguments ([#34265](https://github.com/hashicorp/terraform-provider-aws/issues/34265)) - resource/aws\_sns\_topic: Add `archive_policy` argument and `beginning_archive_time` attribute to support [message archiving](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-archiving-replay.html) ([#34252](https://github.com/hashicorp/terraform-provider-aws/issues/34252)) - resource/aws\_sns\_topic: Add `replay_policy` argument ([#34252](https://github.com/hashicorp/terraform-provider-aws/issues/34252)) BUG FIXES: - provider: Fix `Value Conversion Error` panic for certain resources when `null` tag values are specified ([#34319](https://github.com/hashicorp/terraform-provider-aws/issues/34319)) - provider: Fixes parsing error in AWS shared config files with extra whitespace ([#34300](https://github.com/hashicorp/terraform-provider-aws/issues/34300)) - provider: Fixes poor performance when parsing AWS shared config files ([#34300](https://github.com/hashicorp/terraform-provider-aws/issues/34300)) - resource/aws\_autoscaling\_group: Change all `initial_lifecycle_hook` configuration block attributes to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#34260](https://github.com/hashicorp/terraform-provider-aws/issues/34260)) - resource/aws\_cloudtrail: Change the `id` attribute from the trail's name to its ARN to support [organization trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) ([#30758](https://github.com/hashicorp/terraform-provider-aws/issues/30758)) - resource/aws\_cloudwatch\_event\_rule: Increase `event_pattern` max length for validation to 4096 ([#34270](https://github.com/hashicorp/terraform-provider-aws/issues/34270)) - resource/aws\_sagemaker\_domain: Fix updating `default_space_settings.r_studio_server_pro_app_settings.access_status` from `ENABLED` to `DISABLED` ([#34265](https://github.com/hashicorp/terraform-provider-aws/issues/34265)) ### [`v5.24.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.24.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.23.1...v5.24.0) NOTES: - resource/aws\_detective\_organization\_admin\_account: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#25237](https://github.com/hashicorp/terraform-provider-aws/issues/25237)) - resource/aws\_detective\_organization\_configuration: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#25237](https://github.com/hashicorp/terraform-provider-aws/issues/25237)) FEATURES: - **New Data Source:** `aws_opensearchserverless_lifecycle_policy` ([#34144](https://github.com/hashicorp/terraform-provider-aws/issues/34144)) - **New Resource:** `aws_detective_organization_admin_account` ([#25237](https://github.com/hashicorp/terraform-provider-aws/issues/25237)) - **New Resource:** `aws_detective_organization_configuration` ([#25237](https://github.com/hashicorp/terraform-provider-aws/issues/25237)) - **New Resource:** `aws_opensearchserverless_lifecycle_policy` ([#34144](https://github.com/hashicorp/terraform-provider-aws/issues/34144)) - **New Resource:** `aws_redshift_resource_policy` ([#34149](https://github.com/hashicorp/terraform-provider-aws/issues/34149)) - **New Resource:** `aws_verifiedaccess_endpoint` ([#30763](https://github.com/hashicorp/terraform-provider-aws/issues/30763)) ENHANCEMENTS: - resource/aws\_amplify\_app: Add `custom_headers` argument ([#31561](https://github.com/hashicorp/terraform-provider-aws/issues/31561)) - resource/aws\_batch\_job\_definition: Add `node_properties` argument ([#34153](https://github.com/hashicorp/terraform-provider-aws/issues/34153)) - resource/aws\_finspace\_kx\_cluster: In-place updates are now supported for the `code`, `database`, and `initialization_script` arguments. The update timeout has been increased to 30 minutes. ([#34220](https://github.com/hashicorp/terraform-provider-aws/issues/34220)) - resource/aws\_iot\_topic\_rule: Add `kafka.header` and `error_action.kafka.header` arguments ([#34191](https://github.com/hashicorp/terraform-provider-aws/issues/34191)) - resource/aws\_networkmanager\_connect\_attachment: Add `NO_ENCAP` as a valid `options.protocol` value ([#34109](https://github.com/hashicorp/terraform-provider-aws/issues/34109)) - resource/aws\_networkmanager\_connect\_peer: Add `subnet_arn` argument to support [Tunnel-less Connect attachments](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-connect-attachment.html#cloudwan-connect-tlc) ([#34109](https://github.com/hashicorp/terraform-provider-aws/issues/34109)) - resource/aws\_networkmanager\_connect\_peer: `inside_cidr_blocks` is Optional ([#34109](https://github.com/hashicorp/terraform-provider-aws/issues/34109)) - resource/aws\_rds\_cluster: Remove the provider default (previously, "1") and use the AWS default for `backup_retention_period` (also, "1") to allow integration with AWS Backup ([#34187](https://github.com/hashicorp/terraform-provider-aws/issues/34187)) - resource/aws\_redshift\_cluster: Add `snapshot_arn` argument ([#34181](https://github.com/hashicorp/terraform-provider-aws/issues/34181)) - resource/aws\_redshift\_cluster: Add the `manage_master_password` and `master_password_secret_kms_key_id` arguments to support managed admin credentials ([#34182](https://github.com/hashicorp/terraform-provider-aws/issues/34182)) - resource/aws\_s3\_object: Add `override_provider` configuration block, allowing tags inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) to be ignored ([#33262](https://github.com/hashicorp/terraform-provider-aws/issues/33262)) - resource/aws\_secretsmanager\_secret\_rotation: The `rotation_lambda_arn` argument is now optional to support modifying the rotation schedule of AWS-managed secrets. ([#34180](https://github.com/hashicorp/terraform-provider-aws/issues/34180)) BUG FIXES: - data-source/aws\_vpc\_ipam\_pools: Add `id` attribute for individual IPAM pools ([#32133](https://github.com/hashicorp/terraform-provider-aws/issues/32133)) - resource/aws\_alb\_listener\_rule: Fixed the `action.forward.target_group` argument minimum item requirement. Previously this was set to 2, but the AWS API allows specifying a single target group. ([#33727](https://github.com/hashicorp/terraform-provider-aws/issues/33727)) - resource/aws\_amplify\_branch: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `enable_performance_mode` ([#34141](https://github.com/hashicorp/terraform-provider-aws/issues/34141)) - resource/aws\_lb\_listener\_rule: Fixed the `action.forward.target_group` argument minimum item requirement. Previously this was set to 2, but the AWS API allows specifying a single target group. ([#33727](https://github.com/hashicorp/terraform-provider-aws/issues/33727)) - resource/aws\_quicksight\_analysis: Fix "expected type to be integer" errors in `window_options.bounds.*` argument validatation functions ([#34230](https://github.com/hashicorp/terraform-provider-aws/issues/34230)) - resource/aws\_quicksight\_dashboard: Fix "expected type to be integer" errors in `window_options.bounds.*` argument validatation functions ([#34230](https://github.com/hashicorp/terraform-provider-aws/issues/34230)) - resource/aws\_quicksight\_template: Fix "expected type to be integer" errors in `window_options.bounds.*` argument validatation functions ([#34230](https://github.com/hashicorp/terraform-provider-aws/issues/34230)) - resource/aws\_rds\_cluster: Avoid an error on delete related to `unexpected state 'scaling-compute'` ([#34187](https://github.com/hashicorp/terraform-provider-aws/issues/34187)) ### [`v5.23.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.23.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.23.0...v5.23.1) BUG FIXES: - data-source/aws\_lambda\_function: Add `vpc_config.ipv6_allowed_for_dual_stack` attribute, fixing `Invalid address to set: []string{"vpc_config", "0", "ipv6_allowed_for_dual_stack"}` errors ([#34134](https://github.com/hashicorp/terraform-provider-aws/issues/34134)) ### [`v5.23.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.23.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.22.0...v5.23.0) NOTES: - provider: This release includes an update to the AWS SDK for Go v2 with breaking type changes to several services: `finspace`, `kafka`, `medialive`, `rds`, `s3control`, `timestreamwrite`, and `xray`. These changes primarily affect how arguments with default values are serialized for outbound requests, changing scalar types to pointers. See [this AWS SDK for Go V2 issue](https://github.com/aws/aws-sdk-go-v2/issues/2162) for additional context. The corresponding provider changes should make this breakfix transparent to users, but as with any breaking change there is the potential for missed edge cases. If errors are observed in the impacted resources, please link to this dependency update pull request in the bug report. ([#34096](https://github.com/hashicorp/terraform-provider-aws/issues/34096)) FEATURES: - **New Resource:** `aws_iot_domain_configuration` ([#24765](https://github.com/hashicorp/terraform-provider-aws/issues/24765)) ENHANCEMENTS: - data-source/aws\_imagebuilder\_image: Add `image_scanning_configuration` attribute ([#34049](https://github.com/hashicorp/terraform-provider-aws/issues/34049)) - resource/aws\_config\_config\_rule: Add `evaluation_mode` attribute ([#34033](https://github.com/hashicorp/terraform-provider-aws/issues/34033)) - resource/aws\_elasticache\_replication\_group: Add `ip_discovery` and `network_type` arguments ([#34019](https://github.com/hashicorp/terraform-provider-aws/issues/34019)) - resource/aws\_imagebuilder\_image: Add `image_scanning_configuration` configuration block ([#34049](https://github.com/hashicorp/terraform-provider-aws/issues/34049)) - resource/aws\_kms\_key: Add configurable timeouts ([#34112](https://github.com/hashicorp/terraform-provider-aws/issues/34112)) - resource/aws\_lambda\_function: Add `vpc_config.ipv6_allowed_for_dual_stack` argument ([#34045](https://github.com/hashicorp/terraform-provider-aws/issues/34045)) - resource/aws\_lb: Add `dns_record_client_routing_policy` attribute to configure Availability Zonal DNS affinity on Network Load Balancer (NLB) ([#33992](https://github.com/hashicorp/terraform-provider-aws/issues/33992)) - resource/aws\_lb\_target\_group: Add `target_health_state` configuration block ([#34070](https://github.com/hashicorp/terraform-provider-aws/issues/34070)) - resource/aws\_lb\_target\_group: Remove default value (`false`) for `connection_termination` argument and mark as Computed, to support new default behavior for UDP/TCP\_UDP target groups ([#34070](https://github.com/hashicorp/terraform-provider-aws/issues/34070)) - resource/aws\_neptune\_cluster: Add `slowquery` as a valid `enable_cloudwatch_logs_exports` value ([#34053](https://github.com/hashicorp/terraform-provider-aws/issues/34053)) BUG FIXES: - provider/tags: Prevent crash when `tags_all` is null ([#34073](https://github.com/hashicorp/terraform-provider-aws/issues/34073)) - resource/aws\_autoscaling\_group: Fix error when `launch_template` name is updated. ([#34086](https://github.com/hashicorp/terraform-provider-aws/issues/34086)) - resource/aws\_dms\_s3\_endpoint: Don't send the default value of `false` for `add_trailing_padding_character`, maintaining compatibility with older ([pre-3.4.7](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReleaseNotes.html#CHAP_ReleaseNotes.DMS347)) DMS engine versions ([#34048](https://github.com/hashicorp/terraform-provider-aws/issues/34048)) - resource/aws\_ecs\_task\_definition: Add `0` as a valid value for `volume.efs_volume_configuration.transit_encryption_port`, preventing unexpected drift ([#34020](https://github.com/hashicorp/terraform-provider-aws/issues/34020)) - resource/aws\_identitystore\_group: Fix updating `description` attribute when it is changed ([#34037](https://github.com/hashicorp/terraform-provider-aws/issues/34037)) - resource/aws\_iot\_indexing\_configuration: Add `thing_indexing_configuration.filter` attribute, resolving `InvalidRequestException: NamedShadowNames Filter must not be empty for enabling NamedShadowIndexingMode` errors ([#26859](https://github.com/hashicorp/terraform-provider-aws/issues/26859)) - resource/aws\_storagegateway\_gateway: Support the value `0` (representing Sunday) for `maintenance_start_time.day_of_week` ([#34015](https://github.com/hashicorp/terraform-provider-aws/issues/34015)) - resource/aws\_verifiedaccess\_group: Fix `InvalidParameterValue: Policy Document cannot be provided when Policy Enabled is false or missing` errors when updating `policy_document` ([#34054](https://github.com/hashicorp/terraform-provider-aws/issues/34054)) ### [`v5.22.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.22.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.21.0...v5.22.0) FEATURES: - **New Data Source:** `aws_media_convert_queue` ([#27075](https://github.com/hashicorp/terraform-provider-aws/issues/27075)) - **New Resource:** `aws_elasticsearch_vpc_endpoint` ([#33925](https://github.com/hashicorp/terraform-provider-aws/issues/33925)) - **New Resource:** `aws_msk_replicator` ([#33973](https://github.com/hashicorp/terraform-provider-aws/issues/33973)) ENHANCEMENTS: - data-source/aws\_ec2\_client\_vpn\_endpoint: Add `self_service_portal_url` attribute ([#34007](https://github.com/hashicorp/terraform-provider-aws/issues/34007)) - resource/aws\_alb: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_alb\_target\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_cloudfront\_public\_key: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_db\_option\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_docdb\_cluster: Support import of `cluster_identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_docdb\_cluster\_instance: Support import of `identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_docdb\_cluster\_parameter\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_docdb\_subnet\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_ec2\_client\_vpn\_endpoint: Add `self_service_portal_url` attribute ([#34007](https://github.com/hashicorp/terraform-provider-aws/issues/34007)) - resource/aws\_elb: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_emr\_security\_configuration: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_iam\_group\_policy: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_iam\_role\_policy: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_iam\_user\_policy: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_iot\_provisioning\_template: Add `type` attribute ([#33950](https://github.com/hashicorp/terraform-provider-aws/issues/33950)) - resource/aws\_lb: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_lb\_target\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_neptune\_cluster: Support import of `cluster_identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_neptune\_cluster\_instance: Support import of `identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_neptune\_cluster\_parameter\_group: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_neptune\_event\_subscription: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_pinpoint\_app: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_rds\_cluster: Support import of `cluster_identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_rds\_cluster\_instance: Support import of `identifier_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_signer\_signing\_profile: Support import of `name_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_signer\_signing\_profile\_permission: Add `signer:SignPayload` as a valid `action` value ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_signer\_signing\_profile\_permission: Support import of `statement_id_prefix` argument ([#33852](https://github.com/hashicorp/terraform-provider-aws/issues/33852)) - resource/aws\_transfer\_server: Change `pre_authentication_login_banner` and `post_authentication_login_banner` length limits to 4096 ([#33937](https://github.com/hashicorp/terraform-provider-aws/issues/33937)) - resource/aws\_wafv2\_web\_acl: Add `ja3_fingerprint` to `field_to_match` configuration blocks ([#33933](https://github.com/hashicorp/terraform-provider-aws/issues/33933)) BUG FIXES: - data-source/aws\_dms\_certificate: Fix crash when certificate not found ([#34012](https://github.com/hashicorp/terraform-provider-aws/issues/34012)) - resource/aws\_cloudformation\_stack: Fix error when `computed` values are not set when there is no update ([#33969](https://github.com/hashicorp/terraform-provider-aws/issues/33969)) - resource/aws\_codecommit\_repository: Doesn't force replacement when renaming ([#32207](https://github.com/hashicorp/terraform-provider-aws/issues/32207)) - resource/aws\_db\_instance: Creating resource from snapshot or point-in-time recovery now handles `manage_master_user_password` and `master_user_secret_kms_key_id` attributes correctly ([#33699](https://github.com/hashicorp/terraform-provider-aws/issues/33699)) - resource/aws\_elasticache\_replication\_group: Fix error when switching `engine_version` from `6.x` to a specific `6.<digit>` version number ([#33954](https://github.com/hashicorp/terraform-provider-aws/issues/33954)) - resource/aws\_iam\_role: Fix refreshing `permission_boundary` when deleted outside of Terraform ([#33963](https://github.com/hashicorp/terraform-provider-aws/issues/33963)) - resource/aws\_iam\_user: Fix refreshing `permission_boundary` when deleted outside of Terraform ([#33963](https://github.com/hashicorp/terraform-provider-aws/issues/33963)) - resource/aws\_inspector2\_enabler: Fix `Value at 'resourceTypes' failed to satisfy constraint` errors ([#33348](https://github.com/hashicorp/terraform-provider-aws/issues/33348)) - resource/aws\_neptune\_cluster\_instance: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `engine_version` ([#33487](https://github.com/hashicorp/terraform-provider-aws/issues/33487)) - resource/aws\_neptune\_cluster\_parameter\_group: Fix condition where defined cluster parameters with system default values are seen as updates ([#33487](https://github.com/hashicorp/terraform-provider-aws/issues/33487)) - resource/aws\_s3\_bucket\_object\_lock\_configuration: Fix `found resource` errors on Delete ([#33966](https://github.com/hashicorp/terraform-provider-aws/issues/33966)) ### [`v5.21.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.21.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.20.1...v5.21.0) FEATURES: - **New Data Source:** `aws_servicequotas_templates` ([#33871](https://github.com/hashicorp/terraform-provider-aws/issues/33871)) - **New Resource:** `aws_ec2_image_block_public_access` ([#33810](https://github.com/hashicorp/terraform-provider-aws/issues/33810)) - **New Resource:** `aws_guardduty_organization_configuration_feature` ([#33913](https://github.com/hashicorp/terraform-provider-aws/issues/33913)) - **New Resource:** `aws_servicequotas_template_association` ([#33725](https://github.com/hashicorp/terraform-provider-aws/issues/33725)) - **New Resource:** `aws_verifiedaccess_group` ([#33297](https://github.com/hashicorp/terraform-provider-aws/issues/33297)) - **New Resource:** `aws_verifiedaccess_instance_logging_configuration` ([#33864](https://github.com/hashicorp/terraform-provider-aws/issues/33864)) ENHANCEMENTS: - data-source/aws\_dms\_endpoint: Add `s3_settings.glue_catalog_generation` attribute ([#33778](https://github.com/hashicorp/terraform-provider-aws/issues/33778)) - data-source/aws\_msk\_cluster: Add `cluster_uuid` attribute ([#33805](https://github.com/hashicorp/terraform-provider-aws/issues/33805)) - resource/aws\_codedeploy\_deployment\_group: Add `outdated_instances_strategy` argument ([#33844](https://github.com/hashicorp/terraform-provider-aws/issues/33844)) - resource/aws\_dms\_endpoint: Add `s3_settings.glue_catalog_generation` attribute ([#33778](https://github.com/hashicorp/terraform-provider-aws/issues/33778)) - resource/aws\_dms\_s3\_endpoint: Add `glue_catalog_generation` attribute ([#33778](https://github.com/hashicorp/terraform-provider-aws/issues/33778)) - resource/aws\_docdb\_cluster: Add `allow_major_version_upgrade` argument ([#33790](https://github.com/hashicorp/terraform-provider-aws/issues/33790)) - resource/aws\_docdb\_cluster\_instance: Add `copy_tags_to_snapshot` argument ([#31022](https://github.com/hashicorp/terraform-provider-aws/issues/31022)) - resource/aws\_dynamodb\_table: Add `import_table` configuration block ([#33802](https://github.com/hashicorp/terraform-provider-aws/issues/33802)) - resource/aws\_msk\_cluster: Add `cluster_uuid` attribute ([#33805](https://github.com/hashicorp/terraform-provider-aws/issues/33805)) - resource/aws\_msk\_serverless\_cluster: Add `cluster_uuid` attribute ([#33805](https://github.com/hashicorp/terraform-provider-aws/issues/33805)) - resource/aws\_networkmanager\_core\_network: Add `base_policy_document` argument ([#33712](https://github.com/hashicorp/terraform-provider-aws/issues/33712)) - resource/aws\_redshiftserverless\_workgroup: Allow `require_ssl` and `use_fips_ssl` `config_parameters` keys ([#33916](https://github.com/hashicorp/terraform-provider-aws/issues/33916)) - resource/aws\_s3\_bucket: Use configurable timeout for resource Delete ([#33845](https://github.com/hashicorp/terraform-provider-aws/issues/33845)) - resource/aws\_verifiedaccess\_instance: Add `fips_enabled` argument ([#33880](https://github.com/hashicorp/terraform-provider-aws/issues/33880)) - resource/aws\_vpclattice\_target\_group: Add `config.lambda_event_structure_version` argument ([#33804](https://github.com/hashicorp/terraform-provider-aws/issues/33804)) - resource/aws\_vpclattice\_target\_group: Make `config.port`, `config.protocol` and `config.vpc_identifier` optional ([#33804](https://github.com/hashicorp/terraform-provider-aws/issues/33804)) - resource/aws\_wafv2\_web\_acl: Add `aws_managed_rules_acfp_rule_set` to `managed_rule_group_configs` configuration block ([#33915](https://github.com/hashicorp/terraform-provider-aws/issues/33915)) BUG FIXES: - provider: Respect valid values for the `AWS_S3_US_EAST_1_REGIONAL_ENDPOINT` environment variable when configuring the S3 API client ([#33874](https://github.com/hashicorp/terraform-provider-aws/issues/33874)) - resource/aws\_appflow\_connector\_profile: Fix various crashes ([#33856](https://github.com/hashicorp/terraform-provider-aws/issues/33856)) - resource/aws\_db\_parameter\_group: Group names containing periods (`.`) no longer fail validation ([#33704](https://github.com/hashicorp/terraform-provider-aws/issues/33704)) - resource/aws\_opensearchserverless\_collection: Fix crash when error is returned ([#33918](https://github.com/hashicorp/terraform-provider-aws/issues/33918)) - resource/aws\_rds\_cluster\_parameter\_group: Group names containing periods (`.`) no longer fail validation ([#33704](https://github.com/hashicorp/terraform-provider-aws/issues/33704)) ### [`v5.20.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.20.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.20.0...v5.20.1) NOTES: - provider: Build with [Terraform Plugin Framework v1.4.1](https://github.com/hashicorp/terraform-plugin-framework/blob/main/CHANGELOG.md#141-october-09-2023), fixing potential [initialization errors](https://github.com/hashicorp/terraform/issues/33990) when using v1.6 of the Terraform CLI. ### [`v5.20.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.20.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.19.0...v5.20.0) FEATURES: - **New Resource:** `aws_guardduty_detector_feature` ([#31463](https://github.com/hashicorp/terraform-provider-aws/issues/31463)) - **New Resource:** `aws_servicequotas_template` ([#33688](https://github.com/hashicorp/terraform-provider-aws/issues/33688)) - **New Resource:** `aws_sesv2_account_vdm_attributes` ([#33705](https://github.com/hashicorp/terraform-provider-aws/issues/33705)) - **New Resource:** `aws_verifiedaccess_instance_trust_provider_attachment` ([#33734](https://github.com/hashicorp/terraform-provider-aws/issues/33734)) ENHANCEMENTS: - data-source/aws\_guardduty\_detector: Add `features` attribute ([#31463](https://github.com/hashicorp/terraform-provider-aws/issues/31463)) - resource/aws\_finspace\_kx\_cluster: Increase default creation timeout to 45 minutes, default deletion timeout to 60 minutes ([#33745](https://github.com/hashicorp/terraform-provider-aws/issues/33745)) - resource/aws\_finspace\_kx\_environment: Increase default deletion timeout to 45 minutes ([#33745](https://github.com/hashicorp/terraform-provider-aws/issues/33745)) - resource/aws\_guardduty\_filter: Add plan-time validation of `name` ([#21030](https://github.com/hashicorp/terraform-provider-aws/issues/21030)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `opensearchserverless_configuration` and `msk_source_configuration` configuration blocks ([#33101](https://github.com/hashicorp/terraform-provider-aws/issues/33101)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `opensearchserverless` as a valid `destination` value ([#33101](https://github.com/hashicorp/terraform-provider-aws/issues/33101)) BUG FIXES: - data-source/aws\_fsx\_ontap\_storage\_virtual\_machine: Fix crash when `active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group` is not configured ([#33800](https://github.com/hashicorp/terraform-provider-aws/issues/33800)) - resource/aws\_ec2\_transit\_gateway\_route : Fix TGW route search filter to avoid routes being missed when more than 1,000 static routes are in a TGW route table ([#33765](https://github.com/hashicorp/terraform-provider-aws/issues/33765)) - resource/aws\_fsx\_ontap\_storage\_virtual\_machine: Fix crash when `active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group` is not configured ([#33800](https://github.com/hashicorp/terraform-provider-aws/issues/33800)) - resource/aws\_medialive\_channel: Fix VPC settings flatten/expand/docs. ([#33558](https://github.com/hashicorp/terraform-provider-aws/issues/33558)) - resource/aws\_vpc\_endpoint: Set `dns_options.dns_record_ip_type` to `Computed` to prevent diffs ([#33743](https://github.com/hashicorp/terraform-provider-aws/issues/33743)) ### [`v5.19.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.19.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.18.1...v5.19.0) BREAKING CHANGES: - data-source/aws\_s3\_bucket\_object: Following migration to [AWS SDK for Go v2](https://aws.github.io/aws-sdk-go-v2/), the `metadata` attribute's [keys](https://developer.hashicorp.com/terraform/language/expressions/types#maps-objects) are always [returned in lowercase](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/s3#HeadObjectOutput) ([#33660](https://github.com/hashicorp/terraform-provider-aws/issues/33660)) - data-source/aws\_s3\_object: Following migration to [AWS SDK for Go v2](https://aws.github.io/aws-sdk-go-v2/), the `metadata` attribute's [keys](https://developer.hashicorp.com/terraform/language/expressions/types#maps-objects) are always [returned in lowercase](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/s3#HeadObjectOutput) ([#33660](https://github.com/hashicorp/terraform-provider-aws/issues/33660)) NOTES: - data-source/aws\_s3\_bucket\_object: The `metadata` attribute's keys are now always returned in lowercase. Please modify configurations as necessary ([#33660](https://github.com/hashicorp/terraform-provider-aws/issues/33660)) - data-source/aws\_s3\_object: The `metadata` attribute's keys are now always returned in lowercase. Please modify configurations as necessary ([#33660](https://github.com/hashicorp/terraform-provider-aws/issues/33660)) - resource/aws\_iam\_\*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) FEATURES: - **New Resource:** `aws_cleanrooms_configured_table` ([#33602](https://github.com/hashicorp/terraform-provider-aws/issues/33602)) - **New Resource:** `aws_dms_replication_config` ([#32908](https://github.com/hashicorp/terraform-provider-aws/issues/32908)) - **New Resource:** `aws_lexv2models_bot` ([#33475](https://github.com/hashicorp/terraform-provider-aws/issues/33475)) - **New Resource:** `aws_rds_custom_db_engine_version` ([#33285](https://github.com/hashicorp/terraform-provider-aws/issues/33285)) - **New Resource:** `aws_vpclattice_service_network` ([#30482](https://github.com/hashicorp/terraform-provider-aws/issues/30482)) ENHANCEMENTS: - data-source/aws\_opensearch\_domain: Add `off_peak_window_options` attribute ([#30965](https://github.com/hashicorp/terraform-provider-aws/issues/30965)) - resource/aws\_cloud9\_environment\_ec2: Add `ubuntu-22.04-x86_64` and `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64` as valid values for `image_id` ([#33662](https://github.com/hashicorp/terraform-provider-aws/issues/33662)) - resource/aws\_fsx\_ontap\_volume: Add `bypass_snaplock_enterprise_retention` argument and `snaplock_configuration` configuration block to support [SnapLock](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock.html) ([#32530](https://github.com/hashicorp/terraform-provider-aws/issues/32530)) - resource/aws\_fsx\_ontap\_volume: Add `copy_tags_to_backups` and `snapshot_policy` arguments ([#32530](https://github.com/hashicorp/terraform-provider-aws/issues/32530)) - resource/aws\_fsx\_openzfs\_volume: Add `delete_volume_options` argument ([#32530](https://github.com/hashicorp/terraform-provider-aws/issues/32530)) - resource/aws\_lightsail\_bucket: Add `force_delete` argument ([#33586](https://github.com/hashicorp/terraform-provider-aws/issues/33586)) - resource/aws\_opensearch\_domain: Add `off_peak_window_options` configuration block ([#30965](https://github.com/hashicorp/terraform-provider-aws/issues/30965)) - resource/aws\_opensearch\_outbound\_connection: Add `connection_properties`, `connection_mode` and `accept_connection` arguments ([#32990](https://github.com/hashicorp/terraform-provider-aws/issues/32990)) - resource/aws\_schemas\_schema: Add `JSONSchemaDraft4` schema type support ([#33442](https://github.com/hashicorp/terraform-provider-aws/issues/33442)) - resource/aws\_wafv2\_rule\_group: Add `rate_based_statement.custom_key` configuration block ([#33594](https://github.com/hashicorp/terraform-provider-aws/issues/33594)) - resource/aws\_wafv2\_web\_acl: Add `rate_based_statement.custom_key` configuration block ([#33594](https://github.com/hashicorp/terraform-provider-aws/issues/33594)) BUG FIXES: - resource/aws\_batch\_job\_queue: Correctly validates elements of `compute_environments` as ARNs ([#33577](https://github.com/hashicorp/terraform-provider-aws/issues/33577)) - resource/aws\_cloudfront\_continuous\_deployment\_policy: Fix `IllegalUpdate` errors when updating a staging `aws_cloudfront_distribution` that is part of continuous deployment ([#33578](https://github.com/hashicorp/terraform-provider-aws/issues/33578)) - resource/aws\_cloudfront\_distribution: Fix `IllegalUpdate` errors when updating a staging distribution associated with an `aws_cloudfront_continuous_deployment_policy` ([#33578](https://github.com/hashicorp/terraform-provider-aws/issues/33578)) - resource/aws\_cloudfront\_distribution: Fix `PreconditionFailed` errors when destroying a distribution associated with an `aws_cloudfront_continuous_deployment_policy` ([#33578](https://github.com/hashicorp/terraform-provider-aws/issues/33578)) - resource/aws\_cloudfront\_distribution: Fix `StagingDistributionInUse` errors when destroying a distribution associated with an `aws_cloudfront_continuous_deployment_policy` ([#33578](https://github.com/hashicorp/terraform-provider-aws/issues/33578)) - resource/aws\_datasync\_location\_fsx\_ontap\_file\_system: Correct handling of `protocol.smb.domain`, `protocol.smb.user` and `protocol.smb.password` ([#33641](https://github.com/hashicorp/terraform-provider-aws/issues/33641)) - resource/aws\_glacier\_vault\_lock: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_iam\_group\_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_iam\_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_iam\_role: Fail validation if duplicated keys are found in `assume_role_policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_iam\_role\_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_iam\_user\_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_mediastore\_container\_policy: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_s3\_bucket\_policy: Fix intermittent `couldn't find resource` errors on resource Create ([#33537](https://github.com/hashicorp/terraform-provider-aws/issues/33537)) - resource/aws\_ssoadmin\_permission\_set\_inline\_policy: Fail validation if duplicated keys are found in `inline_policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_transfer\_access: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) - resource/aws\_transfer\_user: Fail validation if duplicated keys are found in `policy` ([#33570](https://github.com/hashicorp/terraform-provider-aws/issues/33570)) ### [`v5.18.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.18.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.18.0...v5.18.1) NOTES: - documentation: Duplicate CDKTF guides with differing file extensions have been removed to resolve failures in the provider release workflow. ([#33630](https://github.com/hashicorp/terraform-provider-aws/issues/33630)) ### [`v5.18.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.18.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.17.0...v5.18.0) FEATURES: - **New Data Source:** `aws_fsx_ontap_file_system` ([#32503](https://github.com/hashicorp/terraform-provider-aws/issues/32503)) - **New Data Source:** `aws_fsx_ontap_storage_virtual_machine` ([#32621](https://github.com/hashicorp/terraform-provider-aws/issues/32621)) - **New Data Source:** `aws_fsx_ontap_storage_virtual_machines` ([#32624](https://github.com/hashicorp/terraform-provider-aws/issues/32624)) - **New Data Source:** `aws_organizations_organizational_unit` ([#33408](https://github.com/hashicorp/terraform-provider-aws/issues/33408)) - **New Resource:** `aws_opensearch_package` ([#33227](https://github.com/hashicorp/terraform-provider-aws/issues/33227)) - **New Resource:** `aws_opensearch_package_association` ([#33227](https://github.com/hashicorp/terraform-provider-aws/issues/33227)) ENHANCEMENTS: - resource/aws\_fsx\_ontap\_storage\_virtual\_machine: Remove [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) from `active_directory_configuration.self_managed_active_directory_configuration.domain_name`, `active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group` and `active_directory_configuration.self_managed_active_directory_configuration.organizational_unit_distinguished_name` allowing an SVM to join AD after creation ([#33466](https://github.com/hashicorp/terraform-provider-aws/issues/33466)) BUG FIXES: - data-source/aws\_sesv2\_email\_identity: Mark `dkim_signing_attributes.domain_signing_private_key` as sensitive ([#33477](https://github.com/hashicorp/terraform-provider-aws/issues/33477)) - resource/aws\_db\_instance: Fix so that `storage_throughput` can be changed when `iops` and `allocated_storage` are not changed ([#33529](https://github.com/hashicorp/terraform-provider-aws/issues/33529)) - resource/aws\_db\_option\_group: Avoid erroneous differences being reported when an `option` `port` and/or `version` is not set ([#33511](https://github.com/hashicorp/terraform-provider-aws/issues/33511)) - resource/aws\_fsx\_ontap\_storage\_virtual\_machine: Avoid recreating resource when `active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group` is configured ([#33466](https://github.com/hashicorp/terraform-provider-aws/issues/33466)) - resource/aws\_fsx\_ontap\_storage\_virtual\_machine: Change `file_system_id` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#32621](https://github.com/hashicorp/terraform-provider-aws/issues/32621)) - resource/aws\_s3\_bucket\_accelerate\_configuration: Retry resource Delete on `OperationAborted: A conflicting conditional operation is currently in progress against this resource` errors ([#33531](https://github.com/hashicorp/terraform-provider-aws/issues/33531)) - resource/aws\_s3\_bucket\_policy: Retry resource Delete on `OperationAborted: A conflicting conditional operation is currently in progress against this resource` errors ([#33531](https://github.com/hashicorp/terraform-provider-aws/issues/33531)) - resource/aws\_s3\_bucket\_versioning: Retry resource Delete on `OperationAborted: A conflicting conditional operation is currently in progress against this resource` errors ([#33531](https://github.com/hashicorp/terraform-provider-aws/issues/33531)) - resource/aws\_sesv2\_email\_identity: Mark `dkim_signing_attributes.domain_signing_private_key` as sensitive ([#33477](https://github.com/hashicorp/terraform-provider-aws/issues/33477)) ### [`v5.17.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.17.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.16.2...v5.17.0) NOTES: - data-source/aws\_s3\_object: Migration to [AWS SDK for Go v2](https://aws.github.io/aws-sdk-go-v2/) means that the edge case of specifying a single `/` as the value for `key` is no longer supported ([#33358](https://github.com/hashicorp/terraform-provider-aws/issues/33358)) FEATURES: - **New Resource:** `aws_shield_application_layer_automatic_response` ([#33432](https://github.com/hashicorp/terraform-provider-aws/issues/33432)) - **New Resource:** `aws_verifiedaccess_instance` ([#33459](https://github.com/hashicorp/terraform-provider-aws/issues/33459)) ENHANCEMENTS: - data-source/aws\_s3\_object: Add `checksum_mode` argument and `checksum_crc32`, `checksum_crc32c`, `checksum_sha1` and `checksum_sha256` attributes ([#33358](https://github.com/hashicorp/terraform-provider-aws/issues/33358)) - data-source/aws\_s3control\_multi\_region\_access\_point: Add `details.region.bucket_account_id` attribute ([#33416](https://github.com/hashicorp/terraform-provider-aws/issues/33416)) - resource/aws\_s3\_object: Add `checksum_algorithm` argument and `checksum_crc32`, `checksum_crc32c`, `checksum_sha1` and `checksum_sha256` attributes ([#33358](https://github.com/hashicorp/terraform-provider-aws/issues/33358)) - resource/aws\_s3\_object\_copy: Add `checksum_algorithm` argument and `checksum_crc32`, `checksum_crc32c`, `checksum_sha1` and `checksum_sha256` attributes ([#33358](https://github.com/hashicorp/terraform-provider-aws/issues/33358)) - resource/aws\_s3control\_multi\_region\_access\_point: Add `details.region.bucket_account_id` argument to support [cross-account Multi-Region Access Points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/multi-region-access-point-buckets.html) ([#33416](https://github.com/hashicorp/terraform-provider-aws/issues/33416)) - resource/aws\_s3control\_multi\_region\_access\_point: Add `details.region.region` attribute ([#33416](https://github.com/hashicorp/terraform-provider-aws/issues/33416)) - resource/aws\_schemas\_schema: Add `JSONSchemaDraft4` schema type support ([#35971](https://github.com/hashicorp/terraform-provider-aws/issues/35971)) - resource/aws\_transfer\_connector: Add `sftp_config` argument and make `as2_config` optional ([#32741](https://github.com/hashicorp/terraform-provider-aws/issues/32741)) - resource/aws\_wafv2\_web\_acl: Retry resource Update on `WAFOptimisticLockException` errors ([#33432](https://github.com/hashicorp/terraform-provider-aws/issues/33432)) BUG FIXES: - resource/aws\_dms\_replication\_task: Fix error when `replication_task_settings` is `nil` ([#33456](https://github.com/hashicorp/terraform-provider-aws/issues/33456)) - resource/aws\_elasticache\_cluster: Fix regression for `redis` engine types caused by the new `transit_encryption_enabled` argument ([#33451](https://github.com/hashicorp/terraform-provider-aws/issues/33451)) - resource/aws\_neptune\_cluster: Fix ignored `kms_key_arn` on restore from DB cluster snapshot ([#33413](https://github.com/hashicorp/terraform-provider-aws/issues/33413)) - resource/aws\_servicecatalog\_product: Allow import on `provisioning_artifact_parameters` attribute ([#33448](https://github.com/hashicorp/terraform-provider-aws/issues/33448)) - resource/aws\_subnet: Fix destroy error when there is a lingering ENI for DMS ([#33375](https://github.com/hashicorp/terraform-provider-aws/issues/33375)) ### [`v5.16.2`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.16.2) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.16.1...v5.16.2) FEATURES: - **New Data Source:** `aws_cognito_identity_pool` ([#33053](https://github.com/hashicorp/terraform-provider-aws/issues/33053)) - **New Resource:** `aws_verifiedaccess_trust_provider` ([#33195](https://github.com/hashicorp/terraform-provider-aws/issues/33195)) ENHANCEMENTS: - resource/aws\_autoscaling\_group: Change the default values of `instance_refresh.preferences.scale_in_protected_instances` and `instance_refresh.preferences.standby_instances` from `Wait` to the [Amazon EC2 Auto Scaling console recommended value](https://docs.aws.amazon.com/autoscaling/ec2/userguide/understand-instance-refresh-default-values.html) of `Ignore` ([#33382](https://github.com/hashicorp/terraform-provider-aws/issues/33382)) - resource/aws\_s3control\_object\_lambda\_access\_point: Add `alias` attribute ([#33388](https://github.com/hashicorp/terraform-provider-aws/issues/33388)) BUG FIXES: - resource/aws\_autoscaling\_group: Fix `ValidationError` errors when starting Auto Scaling group instance refresh ([#33382](https://github.com/hashicorp/terraform-provider-aws/issues/33382)) - resource/aws\_iot\_topic\_rule: Fix `InvalidParameter` errors on Update with Kafka destinations ([#33360](https://github.com/hashicorp/terraform-provider-aws/issues/33360)) - resource/aws\_lightsail\_certificate: Fix validation of `name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_database: Fix validation of `name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_disk: Fix validation of `name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_instance: Fix validation of `name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb\_attachment: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb\_certificate: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb\_certificate\_attachment: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb\_https\_redirection\_policy: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) - resource/aws\_lightsail\_lb\_stickiness\_policy: Fix validation of `lb_name` ([#33405](https://github.com/hashicorp/terraform-provider-aws/issues/33405)) ### [`v5.16.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.16.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.16.0...v5.16.1) BUG FIXES: - data-source/aws\_efs\_file\_system: Fix `Search returned 0 results` errors when there are more than 101 file systems in the configured Region ([#33336](https://github.com/hashicorp/terraform-provider-aws/issues/33336)) - resource/aws\_db\_instance\_automated\_backups\_replication: Fix `unexpected state` errors on resource Create ([#33369](https://github.com/hashicorp/terraform-provider-aws/issues/33369)) - resource/aws\_glue\_catalog\_table: Fix removal of `metadata_location` and `table_type` `parameters` when updating Iceberg tables ([#33374](https://github.com/hashicorp/terraform-provider-aws/issues/33374)) - resource/aws\_service\_discovery\_instance: Fix validation error "expected to match regular expression" ([#33371](https://github.com/hashicorp/terraform-provider-aws/issues/33371)) ### [`v5.16.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.16.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.15.0...v5.16.0) NOTES: - provider: Performance regression introduced in v5.14.0 should be largely mitigated ([#33317](https://github.com/hashicorp/terraform-provider-aws/issues/33317)) FEATURES: - **New Resource:** `aws_shield_drt_access_log_bucket_association` ([#33328](https://github.com/hashicorp/terraform-provider-aws/issues/33328)) - **New Resource:** `aws_shield_drt_access_role_arn_association` ([#33328](https://github.com/hashicorp/terraform-provider-aws/issues/33328)) ENHANCEMENTS: - data-source/aws\_api\_gateway\_api\_key: Add `customer_id` attribute ([#33281](https://github.com/hashicorp/terraform-provider-aws/issues/33281)) - data-source/aws\_fsx\_windows\_file\_system: Add `disk_iops_configuration` attribute ([#33303](https://github.com/hashicorp/terraform-provider-aws/issues/33303)) - data-source/aws\_opensearch\_domain: Add `software_update_options` attribute ([#32234](https://github.com/hashicorp/terraform-provider-aws/issues/32234)) - data-source/aws\_s3\_objects: Add `request_payer` argument and `request_charged` attribute ([#33304](https://github.com/hashicorp/terraform-provider-aws/issues/33304)) - data-source/aws\_s3\_objects: Add plan-time validation of `encoding_type` ([#33304](https://github.com/hashicorp/terraform-provider-aws/issues/33304)) - resource/aws\_api\_gateway\_account: Add `api_key_version` and `features` attributes ([#33279](https://github.com/hashicorp/terraform-provider-aws/issues/33279)) - resource/aws\_api\_gateway\_api\_key: Add `customer_id` argument ([#33281](https://github.com/hashicorp/terraform-provider-aws/issues/33281)) - resource/aws\_api\_gateway\_api\_key: Allow updating `name` ([#33281](https://github.com/hashicorp/terraform-provider-aws/issues/33281)) - resource/aws\_autoscaling\_group: Add `scale_in_protected_instances` and `standby_instances` attributes to `instance_refresh.preferences` configuration block ([#33310](https://github.com/hashicorp/terraform-provider-aws/issues/33310)) - resource/aws\_dms\_endpoint: Add `redshift-serverless` as valid value for `engine_name` ([#33316](https://github.com/hashicorp/terraform-provider-aws/issues/33316)) - resource/aws\_elasticache\_cluster: Add `transit_encryption_enabled` argument, enabling in-transit encryption for Memcached clusters inside a VPC ([#26987](https://github.com/hashicorp/terraform-provider-aws/issues/26987)) - resource/aws\_fsx\_windows\_file\_system: Add `disk_iops_configuration` configuration block ([#33303](https://github.com/hashicorp/terraform-provider-aws/issues/33303)) - resource/aws\_glue\_catalog\_table: Add `open_table_format_input` configuration block to support open table formats such as [Apache Iceberg](https://iceberg.apache.org/) ([#33274](https://github.com/hashicorp/terraform-provider-aws/issues/33274)) - resource/aws\_medialive\_channel: Implement expand/flatten functions for `automatic_input_failover_settings` in `input_attachments` ([#33129](https://github.com/hashicorp/terraform-provider-aws/issues/33129)) - resource/aws\_opensearch\_domain: Add `software_update_options` attribute ([#32234](https://github.com/hashicorp/terraform-provider-aws/issues/32234)) - resource/aws\_ssm\_association: Add `sync_compliance` attribute ([#23515](https://github.com/hashicorp/terraform-provider-aws/issues/23515)) BUG FIXES: - data-source/aws\_identitystore\_group: Restore `filter` argument to prevent `UnknownOperationException` errors in certain Regions ([#33311](https://github.com/hashicorp/terraform-provider-aws/issues/33311)) - data-source/aws\_identitystore\_user: Restore `filter` argument to prevent `UnknownOperationException` errors in certain Regions ([#33311](https://github.com/hashicorp/terraform-provider-aws/issues/33311)) - data-source/aws\_s3\_objects: Respect configured `max_keys` value if it's greater than `1000` ([#33304](https://github.com/hashicorp/terraform-provider-aws/issues/33304)) - resource/aws\_api\_gateway\_account: Allow setting `cloudwatch_role_arn` to an empty value and set it correctly on Read, allowing its value to be determined on import ([#33279](https://github.com/hashicorp/terraform-provider-aws/issues/33279)) - resource/aws\_fsx\_ontap\_file\_system: Increase maximum value of `disk_iops_configuration.iops` to `160000` ([#33263](https://github.com/hashicorp/terraform-provider-aws/issues/33263)) - resource/aws\_servicecatalog\_principal\_portfolio\_association: Fix `ResourceNotFoundException` errors on resource Delete when configured `principal_type` is `IAM_PATTERN` ([#32243](https://github.com/hashicorp/terraform-provider-aws/issues/32243)) ### [`v5.15.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.15.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.14.0...v5.15.0) ENHANCEMENTS: - data-source/aws\_efs\_file\_system: Add `name` attribute ([#33243](https://github.com/hashicorp/terraform-provider-aws/issues/33243)) - data-source/aws\_lakeformation\_data\_lake\_settings: Add `read_only_admins` attribute ([#33189](https://github.com/hashicorp/terraform-provider-aws/issues/33189)) - data-source/aws\_opensearch\_domain: Add `cluster_config.multi_az_with_standby_enabled` attribute ([#33031](https://github.com/hashicorp/terraform-provider-aws/issues/33031)) - resource/aws\_cloudformation\_stack\_set: Support resource import with `call_as = "DELEGATED_ADMIN"` via *StackSetName*,*CallAs* syntax for `import` block or `terraform import` command ([#19092](https://github.com/hashicorp/terraform-provider-aws/issues/19092)) - resource/aws\_cloudformation\_stack\_set\_instance: Support resource import with `call_as = "DELEGATED_ADMIN"` via *StackSetName*,*AccountID*,*Region*,*CallAs* syntax for `import` block or `terraform import` command ([#19092](https://github.com/hashicorp/terraform-provider-aws/issues/19092)) - resource/aws\_datasync\_location\_fsx\_openzfs\_file\_system: Fix `setting protocol: Invalid address to set` errors ([#33225](https://github.com/hashicorp/terraform-provider-aws/issues/33225)) - resource/aws\_efs\_file\_system: Add `name` attribute ([#33243](https://github.com/hashicorp/terraform-provider-aws/issues/33243)) - resource/aws\_fsx\_openzfs\_file\_system: Add `endpoint_ip_address_range`, `preferred_subnet_id` and `route_table_ids` arguments to support the [Multi-AZ deployment type](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#choosing-single-or-multi) ([#33245](https://github.com/hashicorp/terraform-provider-aws/issues/33245)) - resource/aws\_lakeformation\_data\_lake\_settings: Add `read_only_admins` argument ([#33189](https://github.com/hashicorp/terraform-provider-aws/issues/33189)) - resource/aws\_opensearch\_domain: Add `cluster_config.multi_az_with_standby_enabled` argument ([#33031](https://github.com/hashicorp/terraform-provider-aws/issues/33031)) - resource/aws\_wafv2\_rule\_group: Add `name_prefix` argument ([#33206](https://github.com/hashicorp/terraform-provider-aws/issues/33206)) - resource/aws\_wafv2\_web\_acl: Add `statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_atp_rule_set.enable_regex_in_path` argument ([#33217](https://github.com/hashicorp/terraform-provider-aws/issues/33217)) BUG FIXES: - provider: Correctly use old and new tag values when updating `tags` that are `computed` ([#33226](https://github.com/hashicorp/terraform-provider-aws/issues/33226)) - resource/aws\_appflow\_connector\_profile: Fix validation on `oauth2` in `custom_connector_profile` ([#33192](https://github.com/hashicorp/terraform-provider-aws/issues/33192)) - resource/aws\_cloudformation\_stack\_set: Fix `Can only set RetainStacksOnAccountRemoval if AutoDeployment is enabled` errors ([#19092](https://github.com/hashicorp/terraform-provider-aws/issues/19092)) - resource/aws\_cloudwatch\_event\_bus\_policy: Fix error during plan when the associated aws\_cloudwatch\_event\_bus resource is manually deleted ([#33203](https://github.com/hashicorp/terraform-provider-aws/issues/33203)) - resource/aws\_codeartifact\_domain: Change the type of asset\_size\_bytes to `TypeString` instead of `TypeInt` to prevent `value out of range` panic ([#33220](https://github.com/hashicorp/terraform-provider-aws/issues/33220)) - resource/aws\_efs\_file\_system\_policy: Retry IAM eventual consistency errors ([#21734](https://github.com/hashicorp/terraform-provider-aws/issues/21734)) - resource/aws\_fsx\_openzfs\_file\_system: Wait for administrative action completion when updating root volume ([#33245](https://github.com/hashicorp/terraform-provider-aws/issues/33245)) - resource/aws\_iot\_thing\_type: Fix error during plan when resource is manually deleted ([#33203](https://github.com/hashicorp/terraform-provider-aws/issues/33203)) - resource/aws\_kms\_key: Fix `tag propagation: timeout while waiting for state to become 'TRUE'` errors when any tag value is empty (`""`) ([#33226](https://github.com/hashicorp/terraform-provider-aws/issues/33226)) - resource/aws\_wafv2\_web\_acl: Prevent deletion of the AWS-managed `ShieldMitigationRuleGroup` rule on resource Update ([#33216](https://github.com/hashicorp/terraform-provider-aws/issues/33216)) ### [`v5.14.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.14.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.13.1...v5.14.0) NOTES: - data-source/aws\_iam\_policy\_document: In some cases, `statement.*.condition` blocks with the same `test` and `variable` arguments were incorrectly handled by the provider. Since this results in unexpected IAM Policies being submitted to AWS, we have updated the logic to merge `values` lists in this case. This may cause existing IAM Policy documents to report a difference. However, those policies are likely not what was originally intended. ([#33093](https://github.com/hashicorp/terraform-provider-aws/issues/33093)) FEATURES: - **New Resource:** `aws_datasync_location_azure_blob` ([#32632](https://github.com/hashicorp/terraform-provider-aws/issues/32632)) - **New Resource:** `aws_datasync_location_fsx_ontap_file_system` ([#32632](https://github.com/hashicorp/terraform-provider-aws/issues/32632)) ENHANCEMENTS: - data-source/aws\_dms\_endpoint: Fix crash when specified endpoint not found ([#33158](https://github.com/hashicorp/terraform-provider-aws/issues/33158)) - data-source/aws\_dms\_replication\_instance: Add `network_type` attribute ([#33158](https://github.com/hashicorp/terraform-provider-aws/issues/33158)) - data-source/aws\_ec2\_network\_insights\_path: Add `destination_arn` and `source_arn` attributes ([#33168](https://github.com/hashicorp/terraform-provider-aws/issues/33168)) - resource/aws\_dms\_replication\_instance: Add `network_type` argument ([#33158](https://github.com/hashicorp/terraform-provider-aws/issues/33158)) - resource/aws\_ec2\_network\_insights\_path: Add `destination_arn` and `source_arn` attributes ([#33168](https://github.com/hashicorp/terraform-provider-aws/issues/33168)) - resource/aws\_finspace\_kx\_environment: Add `transit_gateway_configuration.*.attachment_network_acl_configuration` argument. ([#33123](https://github.com/hashicorp/terraform-provider-aws/issues/33123)) - resource/aws\_medialive\_channel: Updates schemas for `selector_settings` for `audio_selector` and `selector_settings` for `caption_selector` ([#32714](https://github.com/hashicorp/terraform-provider-aws/issues/32714)) - resource/aws\_ssoadmin\_account\_assignment: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) - resource/aws\_ssoadmin\_customer\_managed\_policy\_attachment: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) - resource/aws\_ssoadmin\_managed\_policy\_attachment: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) - resource/aws\_ssoadmin\_permission\_set: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) - resource/aws\_ssoadmin\_permission\_set\_inline\_policy: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) - resource/aws\_ssoadmin\_permissions\_boundary\_attachment: Add configurable timeouts ([#33121](https://github.com/hashicorp/terraform-provider-aws/issues/33121)) BUG FIXES: - data-source/aws\_iam\_policy\_document: Fix inconsistent handling of `condition` blocks with duplicated `test` and `variable` arguments ([#33093](https://github.com/hashicorp/terraform-provider-aws/issues/33093)) - resource/aws\_ec2\_host: Fixed a bug that caused resource recreation when specifying an `outpost_arn` without an `asset_id` ([#33142](https://github.com/hashicorp/terraform-provider-aws/issues/33142)) - resource/aws\_ec2\_network\_insights\_analysis: Fix `setting forward_path_components: Invalid address to set` errors ([#33168](https://github.com/hashicorp/terraform-provider-aws/issues/33168)) - resource/aws\_ec2\_network\_insights\_path: Avoid recreating resource when passing an ARN as `source` or `destination` ([#33168](https://github.com/hashicorp/terraform-provider-aws/issues/33168)) - resource/aws\_ec2\_network\_insights\_path: Retry `AnalysisExistsForNetworkInsightsPath` errors on resource Delete ([#33168](https://github.com/hashicorp/terraform-provider-aws/issues/33168)) - resource/aws\_kms\_key: Fix `tag propagation: timeout while waiting for state to become 'TRUE'` errors when [`ignore_tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#ignore_tags) has been configured ([#33167](https://github.com/hashicorp/terraform-provider-aws/issues/33167)) - resource/aws\_licensemanager\_license\_configuration: Surface `InvalidParameterValueException` errors during resource Delete ([#32845](https://github.com/hashicorp/terraform-provider-aws/issues/32845)) - resource/aws\_msk\_cluster\_policy: Fix `Current cluster policy version needed for Update` errors ([#33118](https://github.com/hashicorp/terraform-provider-aws/issues/33118)) - resource/aws\_quicksight\_analysis: Change `definition.*.parameter_declarations` to a set type, preventing persistent differences ([#33120](https://github.com/hashicorp/terraform-provider-aws/issues/33120)) - resource/aws\_quicksight\_analysis: Fixed a bug that caused errors related to the `word_orientation` argument when using word cloud visuals. ([#33122](https://github.com/hashicorp/terraform-provider-aws/issues/33122)) - resource/aws\_quicksight\_analysis: Skip setting `definition.*.parameter_declarations.*.*_parameter_declaration.static_values` when empty, preventing persistent differences. ([#33161](https://github.com/hashicorp/terraform-provider-aws/issues/33161)) - resource/aws\_quicksight\_dashboard: Change `definition.*.parameter_declarations` to a set type, preventing persistent differences ([#33120](https://github.com/hashicorp/terraform-provider-aws/issues/33120)) - resource/aws\_quicksight\_dashboard: Fixed a bug that caused errors related to the `word_orientation` argument when using word cloud visuals. ([#33122](https://github.com/hashicorp/terraform-provider-aws/issues/33122)) - resource/aws\_quicksight\_dashboard: Skip setting `definition.*.parameter_declarations.*.*_parameter_declaration.static_values` when empty, preventing persistent differences. ([#33161](https://github.com/hashicorp/terraform-provider-aws/issues/33161)) - resource/aws\_quicksight\_template: Change `definition.*.parameter_declarations` to a set type, preventing persistent differences ([#33120](https://github.com/hashicorp/terraform-provider-aws/issues/33120)) - resource/aws\_quicksight\_template: Fixed a bug that caused errors related to the `word_orientation` argument when using word cloud visuals. ([#33122](https://github.com/hashicorp/terraform-provider-aws/issues/33122)) - resource/aws\_quicksight\_template: Skip setting `definition.*.parameter_declarations.*.*_parameter_declaration.static_values` when empty, preventing persistent differences. ([#33161](https://github.com/hashicorp/terraform-provider-aws/issues/33161)) - resource/aws\_route53\_zone: Skip disabling DNS SEC in unsupported partitions ([#33103](https://github.com/hashicorp/terraform-provider-aws/issues/33103)) - resource/aws\_s3\_object: Mark `acl` as Computed. This suppresses the diffs shown when migrating resources with no configured `acl` attribute value from v4.67.0 (or earlier) ([#33138](https://github.com/hashicorp/terraform-provider-aws/issues/33138)) - resource/aws\_s3\_object\_copy: Mark `acl` as Computed. This suppresses the diffs shown when migrating resources with no configured `acl` attribute value from v4.67.0 (or earlier) ([#33138](https://github.com/hashicorp/terraform-provider-aws/issues/33138)) - resource/aws\_securityhub\_account: Remove default value (`SECURITY_CONTROL`) for `control_finding_generator` argument and mark as Computed ([#33095](https://github.com/hashicorp/terraform-provider-aws/issues/33095)) ### [`v5.13.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.13.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.13.0...v5.13.1) BUG FIXES: - resource/aws\_lambda\_layer\_version: Change `source_code_hash` back to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew). This fixes `doesn't support update` errors ([#33097](https://github.com/hashicorp/terraform-provider-aws/issues/33097)) - resource/aws\_organizations\_organization: Fix `current Organization ID (o-xxxxxxxxxx) does not match` errors on resource Read ([#33091](https://github.com/hashicorp/terraform-provider-aws/issues/33091)) ### [`v5.13.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.13.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.12.0...v5.13.0) FEATURES: - **New Resource:** `aws_msk_cluster_policy` ([#32848](https://github.com/hashicorp/terraform-provider-aws/issues/32848)) - **New Resource:** `aws_opensearch_vpc_endpoint` ([#32435](https://github.com/hashicorp/terraform-provider-aws/issues/32435)) - **New Resource:** `aws_ram_sharing_with_organization` ([#25433](https://github.com/hashicorp/terraform-provider-aws/issues/25433)) ENHANCEMENTS: - data-source/aws\_imagebuilder\_image\_pipeline: Add `image_scanning_configuration` attribute ([#33005](https://github.com/hashicorp/terraform-provider-aws/issues/33005)) - data-source/aws\_ram\_resource\_share: Add `resource_arns` attribute ([#22591](https://github.com/hashicorp/terraform-provider-aws/issues/22591)) - provider: Adds the `s3_us_east_1_regional_endpoint` attribute to support using the regional S3 API endpoint in `us-east-1`. ([#33024](https://github.com/hashicorp/terraform-provider-aws/issues/33024)) - resource/aws\_appstream\_fleet: Retry ConcurrentModificationException errors during creation ([#32958](https://github.com/hashicorp/terraform-provider-aws/issues/32958)) - resource/aws\_dms\_endpoint: Add `babelfish` as an `engine_name` option ([#32975](https://github.com/hashicorp/terraform-provider-aws/issues/32975)) - resource/aws\_imagebuilder\_image\_pipeline: Add `image_scanning_configuration` configuration block ([#33005](https://github.com/hashicorp/terraform-provider-aws/issues/33005)) - resource/aws\_lb: Changes to `security_groups` for Network Load Balancers force a new resource if either the old or new set of security group IDs is empty ([#32987](https://github.com/hashicorp/terraform-provider-aws/issues/32987)) - resource/aws\_rds\_global\_cluster: Add plan-time validation of `global_cluster_identifier` ([#30996](https://github.com/hashicorp/terraform-provider-aws/issues/30996)) BUG FIXES: - data-source/aws\_ecr\_repository: Correctly set `most_recent_image_tags` when only a single image is found ([#31757](https://github.com/hashicorp/terraform-provider-aws/issues/31757)) - resource/aws\_budgets\_budget\_action: No longer times out when creating a non-triggered action ([#33015](https://github.com/hashicorp/terraform-provider-aws/issues/33015)) - resource/aws\_cloudformation\_stack: Marks `outputs` as Computed when there are potential changes. ([#33059](https://github.com/hashicorp/terraform-provider-aws/issues/33059)) - resource/aws\_cloudwatch\_event\_rule: Fix ARN-based partner event bus rule ID parsing error ([#30293](https://github.com/hashicorp/terraform-provider-aws/issues/30293)) - resource/aws\_ecr\_registry\_scanning\_configuration: Correctly delete rules on resource Update ([#31449](https://github.com/hashicorp/terraform-provider-aws/issues/31449)) - resource/aws\_lambda\_layer\_version: Fix bug causing new version to be created on every apply when `source_code_hash` is used but not changed ([#32535](https://github.com/hashicorp/terraform-provider-aws/issues/32535)) - resource/aws\_lb\_listener\_certificate: Remove from state when listener not found ([#32412](https://github.com/hashicorp/terraform-provider-aws/issues/32412)) - resource/aws\_organizations\_organization: Ensure that the Organization ID specified in `terraform import` is the current Organization ([#31796](https://github.com/hashicorp/terraform-provider-aws/issues/31796)) - resource/aws\_quicksight\_analysis: Adjust max length of `definition.*.calculated_fields.*.expression` to 32000 characters ([#33012](https://github.com/hashicorp/terraform-provider-aws/issues/33012)) - resource/aws\_quicksight\_analysis: Convert `definition.*.calculated_fields` to a set type, preventing persistent differences ([#33040](https://github.com/hashicorp/terraform-provider-aws/issues/33040)) - resource/aws\_quicksight\_analysis: Convert `permissions` argument to TypeSet, preventing persistent differences ([#33023](https://github.com/hashicorp/terraform-provider-aws/issues/33023)) - resource/aws\_quicksight\_analysis: Enable `font_configuration` to be set for table header styles ([#33018](https://github.com/hashicorp/terraform-provider-aws/issues/33018)) - resource/aws\_quicksight\_analysis: Enable `font_configuration` to be set for table header styles ([#33018](https://github.com/hashicorp/terraform-provider-aws/issues/33018)) - resource/aws\_quicksight\_analysis: Enable `font_configuration` to be set for table header styles ([#33018](https://github.com/hashicorp/terraform-provider-aws/issues/33018)) - resource/aws\_quicksight\_analysis: Raise limit for maximum allowed `visuals` blocks per sheet to 50 ([#32856](https://github.com/hashicorp/terraform-provider-aws/issues/32856)) - resource/aws\_quicksight\_dashboard: Adjust max length of `definition.*.calculated_fields.*.expression` to 32000 characters ([#33012](https://github.com/hashicorp/terraform-provider-aws/issues/33012)) - resource/aws\_quicksight\_dashboard: Convert `definition.*.calculated_fields` to a set type, preventing persistent differences ([#33040](https://github.com/hashicorp/terraform-provider-aws/issues/33040)) - resource/aws\_quicksight\_dashboard: Convert `permissions` argument to TypeSet, preventing persistent differences ([#33023](https://github.com/hashicorp/terraform-provider-aws/issues/33023)) - resource/aws\_quicksight\_data\_set: Change permission attribute type from TypeList to TypeSet ([#32984](https://github.com/hashicorp/terraform-provider-aws/issues/32984)) - resource/aws\_quicksight\_template: Adjust max items of `definition.*.calculated_fields` to 500 ([#33012](https://github.com/hashicorp/terraform-provider-aws/issues/33012)) - resource/aws\_quicksight\_template: Adjust max length of `definition.*.calculated_fields.*.expression` to 32000 characters ([#33012](https://github.com/hashicorp/terraform-provider-aws/issues/33012)) - resource/aws\_quicksight\_template: Convert `definition.*.calculated_fields` to a set type, preventing persistent differences ([#33040](https://github.com/hashicorp/terraform-provider-aws/issues/33040)) - resource/aws\_quicksight\_template: Convert `permissions` argument to TypeSet, preventing persistent differences ([#33023](https://github.com/hashicorp/terraform-provider-aws/issues/33023)) - resource/aws\_s3\_bucket\_logging: Fix perpetual drift when `expected_bucket_owner` is configured ([#32989](https://github.com/hashicorp/terraform-provider-aws/issues/32989)) - resource/aws\_sagemaker\_domain: Fix validation on `s3_kms_key_id` in `sharing_settings` and `kms_key_id` ([#32661](https://github.com/hashicorp/terraform-provider-aws/issues/32661)) - resource/aws\_subnet: Fix allowing IPv6 to be enabled in an update after initial creation with IPv4 only ([#32896](https://github.com/hashicorp/terraform-provider-aws/issues/32896)) - resource/aws\_wafv2\_web\_acl: Adds `rule_group_reference_statement.rule_action_override.action_to_use.challenge` argument ([#31127](https://github.com/hashicorp/terraform-provider-aws/issues/31127)) ### [`v5.12.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.12.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.11.0...v5.12.0) NOTES: - data-source/aws\_codecatalyst\_dev\_environment: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#32886](https://github.com/hashicorp/terraform-provider-aws/issues/32886)) - resource/aws\_codecatalyst\_dev\_environment: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#32366](https://github.com/hashicorp/terraform-provider-aws/issues/32366)) - resource/aws\_codecatalyst\_project: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#32883](https://github.com/hashicorp/terraform-provider-aws/issues/32883)) - resource/aws\_codecatalyst\_source\_repository: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#32899](https://github.com/hashicorp/terraform-provider-aws/issues/32899)) FEATURES: - **New Data Source:** `aws_codecatalyst_dev_environment` ([#32886](https://github.com/hashicorp/terraform-provider-aws/issues/32886)) - **New Data Source:** `aws_ec2_transit_gateway_route_table_routes` ([#30771](https://github.com/hashicorp/terraform-provider-aws/issues/30771)) - **New Data Source:** `aws_msk_vpc_connection` ([#31062](https://github.com/hashicorp/terraform-provider-aws/issues/31062)) - **New Resource:** `aws_cloudfront_continuous_deployment_policy` ([#32936](https://github.com/hashicorp/terraform-provider-aws/issues/32936)) - **New Resource:** `aws_codecatalyst_dev_environment` ([#32366](https://github.com/hashicorp/terraform-provider-aws/issues/32366)) - **New Resource:** `aws_codecatalyst_project` ([#32883](https://github.com/hashicorp/terraform-provider-aws/issues/32883)) - **New Resource:** `aws_codecatalyst_source_repository` ([#32899](https://github.com/hashicorp/terraform-provider-aws/issues/32899)) - **New Resource:** `aws_msk_vpc_connection` ([#31062](https://github.com/hashicorp/terraform-provider-aws/issues/31062)) ENHANCEMENTS: - data-source/aws\_instance: Add `metadata_options.http_protocol_ipv6` attribute ([#32759](https://github.com/hashicorp/terraform-provider-aws/issues/32759)) - data-source/aws\_rds\_cluster: Add `db_system_id` attribute ([#32846](https://github.com/hashicorp/terraform-provider-aws/issues/32846)) - provider: Support `il-central-1` as a valid AWS Region ([#32878](https://github.com/hashicorp/terraform-provider-aws/issues/32878)) - resource/aws\_autoscaling\_group: Add `ignore_failed_scaling_activities` argument ([#32914](https://github.com/hashicorp/terraform-provider-aws/issues/32914)) - resource/aws\_cloudfront\_distribution: Add `continuous_deployment_policy_id` and `staging` arguments to support continuous deployments ([#32936](https://github.com/hashicorp/terraform-provider-aws/issues/32936)) - resource/aws\_cloudwatch\_composite\_alarm: Add `actions_suppressor` configuration block ([#32751](https://github.com/hashicorp/terraform-provider-aws/issues/32751)) - resource/aws\_cloudwatch\_events\_target: Add `sagemaker_pipeline_target` argument ([#32882](https://github.com/hashicorp/terraform-provider-aws/issues/32882)) - resource/aws\_fms\_admin\_account: Add configurable timeouts ([#32860](https://github.com/hashicorp/terraform-provider-aws/issues/32860)) - resource/aws\_glue\_crawler: Add `hudi_target` argument ([#32898](https://github.com/hashicorp/terraform-provider-aws/issues/32898)) - resource/aws\_instance: Add `http_protocol_ipv6` attribute to `metadata_options` configuration block ([#32759](https://github.com/hashicorp/terraform-provider-aws/issues/32759)) - resource/aws\_lambda\_event\_source\_mapping: Increased the maximum number of filters to 10 ([#32890](https://github.com/hashicorp/terraform-provider-aws/issues/32890)) - resource/aws\_msk\_broker: Add `bootstrap_brokers_vpc_connectivity_sasl_iam`, `bootstrap_brokers_vpc_connectivity_sasl_scram` and `bootstrap_brokers_vpc_connectivity_tls` attributes ([#31062](https://github.com/hashicorp/terraform-provider-aws/issues/31062)) - resource/aws\_msk\_broker: Add `vpc_connectivity` attribute to the `broker_node_group_info.connectivity_info` configuration block ([#31062](https://github.com/hashicorp/terraform-provider-aws/issues/31062)) - resource/aws\_rds\_cluster: Add `db_system_id` argument to support RDS Custom engine types ([#32846](https://github.com/hashicorp/terraform-provider-aws/issues/32846)) - resource/aws\_rds\_cluster\_instance: Add `custom_iam_instance_profile` argument to allow RDS Custom users to specify an IAM Instance Profile for the RDS Cluster Instance ([#32846](https://github.com/hashicorp/terraform-provider-aws/issues/32846)) - resource/aws\_rds\_cluster\_instance: Update `engine` plan-time validation to allow for RDS Custom engine types ([#32846](https://github.com/hashicorp/terraform-provider-aws/issues/32846)) BUG FIXES: - data-source/aws\_vpclattice\_service: Avoid listing tags when the service has been shared to the current account via AWS Resource Access Manager (RAM) ([#32939](https://github.com/hashicorp/terraform-provider-aws/issues/32939)) - data-source/aws\_vpclattice\_service\_network: Avoid listing tags when the service network has been shared to the current account via AWS Resource Access Manager (RAM) ([#32939](https://github.com/hashicorp/terraform-provider-aws/issues/32939)) - resource/aws\_appstream\_fleet: Increased upper limit of `max_user_duration_in_seconds` to 432000 ([#32933](https://github.com/hashicorp/terraform-provider-aws/issues/32933)) - resource/aws\_cloudfront\_distribution: Don't call `UpdateDistribution` API if only tags are updated ([#32865](https://github.com/hashicorp/terraform-provider-aws/issues/32865)) - resource/aws\_db\_instance: Fix crash creating resource with empty `restore_to_point_in_time` configuration block ([#32928](https://github.com/hashicorp/terraform-provider-aws/issues/32928)) - resource/aws\_emr\_cluster: Fix to allow empty `args` for `bootstrap_action` ([#32956](https://github.com/hashicorp/terraform-provider-aws/issues/32956)) - resource/aws\_emr\_instance\_fleet: Fix fleet deletion failing for terminated clusters ([#32866](https://github.com/hashicorp/terraform-provider-aws/issues/32866)) - resource/aws\_fms\_policy: Prevent erroneous diffs on `security_service_policy_data.managed_service_data` ([#32860](https://github.com/hashicorp/terraform-provider-aws/issues/32860)) - resource/aws\_instance: Fix `InvalidParameterCombination: Network interfaces and an instance-level security groups may not be specified on the same request` errors creating Instances with `subnet_id` configured and `launch_template` referencing an `aws_launch_template` with configured `vpc_security_group_ids` ([#32854](https://github.com/hashicorp/terraform-provider-aws/issues/32854)) - resource/aws\_lb: Fix to avoid creating a load balancer with same name as an existing load balancer ([#32941](https://github.com/hashicorp/terraform-provider-aws/issues/32941)) ### [`v5.11.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.11.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.10.0...v5.11.0) FEATURES: - **New Resource:** `aws_sagemaker_pipeline` ([#32527](https://github.com/hashicorp/terraform-provider-aws/issues/32527)) ENHANCEMENTS: - data-source/aws\_cloudtrail\_service\_account: Add service account ID for `il-central-1` AWS Region ([#32840](https://github.com/hashicorp/terraform-provider-aws/issues/32840)) - data-source/aws\_db\_cluster\_snapshot: Add `tags` argument ([#31602](https://github.com/hashicorp/terraform-provider-aws/issues/31602)) - data-source/aws\_db\_instance: Add ability to filter by `tags` ([#32740](https://github.com/hashicorp/terraform-provider-aws/issues/32740)) - data-source/aws\_db\_instances: Add ability to filter by `tags` ([#32740](https://github.com/hashicorp/terraform-provider-aws/issues/32740)) - data-source/aws\_db\_snapshot: Add `tags` argument ([#31600](https://github.com/hashicorp/terraform-provider-aws/issues/31600)) - data-source/aws\_elb\_hosted\_zone\_id: Add hosted zone ID for `il-central-1` AWS Region ([#32840](https://github.com/hashicorp/terraform-provider-aws/issues/32840)) - data-source/aws\_lb\_hosted\_zone\_id: Add hosted zone IDs for `il-central-1` AWS Region ([#32840](https://github.com/hashicorp/terraform-provider-aws/issues/32840)) - data-source/aws\_s3\_bucket: Add hosted zone ID for `il-central-1` AWS Region ([#32840](https://github.com/hashicorp/terraform-provider-aws/issues/32840)) - data-source/aws\_vpclattice\_service: Add ability to find by `name` ([#32177](https://github.com/hashicorp/terraform-provider-aws/issues/32177)) - resource/aws\_finspace\_kx\_cluster: Adjusted `savedown_storage_configuration.size` minimum value to `10` GB. ([#32800](https://github.com/hashicorp/terraform-provider-aws/issues/32800)) - resource/aws\_lambda\_function: Add support for `python3.11` `runtime` value ([#32729](https://github.com/hashicorp/terraform-provider-aws/issues/32729)) - resource/aws\_lambda\_layer\_version: Add support for `python3.11` `compatible_runtimes` value ([#32729](https://github.com/hashicorp/terraform-provider-aws/issues/32729)) - resource/aws\_networkfirewall\_rule\_group: Add support for `REJECT` action in stateful rule actions ([#32746](https://github.com/hashicorp/terraform-provider-aws/issues/32746)) - resource/aws\_route\_table: Allow an existing local route to be adopted or imported and the target to be updated ([#32794](https://github.com/hashicorp/terraform-provider-aws/issues/32794)) - resource/aws\_sagemaker\_endpoint: Add `deployment_config.rolling_update_policy` argument ([#32418](https://github.com/hashicorp/terraform-provider-aws/issues/32418)) - resource/aws\_sagemaker\_endpoint: Make `deployment_config.blue_green_update_policy` optional ([#32418](https://github.com/hashicorp/terraform-provider-aws/issues/32418)) BUG FIXES: - data-source/aws\_ecs\_task\_execution: Fixed bug that incorrectly mapped the value of `container_overrides.memory` to `container_overrides.memory_reservation` ([#32793](https://github.com/hashicorp/terraform-provider-aws/issues/32793)) - resource/aws\_db\_instance\_automated\_backups\_replication: Fix `unexpected state 'Pending'` errors on resource Create ([#31600](https://github.com/hashicorp/terraform-provider-aws/issues/31600)) - resource/aws\_ec2\_transit\_gateway\_vpc\_attachment: Change `transit_gateway_default_route_table_association` and `transit_gateway_default_route_table_propagation` to Computed ([#32821](https://github.com/hashicorp/terraform-provider-aws/issues/32821)) - resource/aws\_emr\_studio\_session\_mapping: Fix `InvalidRequestException: IdentityId is invalid` errors reading resources created with `identity_name` ([#32416](https://github.com/hashicorp/terraform-provider-aws/issues/32416)) - resource/aws\_quicksight\_analysis: Fix an error related to setting the value for `definition.sheets.visuals.insight_visual.insight_configuration.computation` ([#32791](https://github.com/hashicorp/terraform-provider-aws/issues/32791)) - resource/aws\_quicksight\_analysis: Fixed a bug that incorrectly determined the valid `select_all_options` values for `custom_filter_configuration`, `custom_filter_list_configuration`, `filter_list_configuration`, `numeric_equality_filter`, and `numeric_range_filter` ([#32822](https://github.com/hashicorp/terraform-provider-aws/issues/32822)) - resource/aws\_quicksight\_dashboard: Fix an error related to setting the value for `definition.sheets.visuals.insight_visual.insight_configuration.computation` ([#32791](https://github.com/hashicorp/terraform-provider-aws/issues/32791)) - resource/aws\_quicksight\_template: Fix an error related to setting the value for `definition.sheets.visuals.insight_visual.insight_configuration.computation` ([#32791](https://github.com/hashicorp/terraform-provider-aws/issues/32791)) - resource/aws\_quicksight\_template: Fixed a bug that incorrectly determined the valid `select_all_options` values for `custom_filter_configuration`, `custom_filter_list_configuration`, `filter_list_configuration`, `numeric_equality_filter`, and `numeric_range_filter` ([#32822](https://github.com/hashicorp/terraform-provider-aws/issues/32822)) - resource/aws\_sfn\_state\_machine: Fix `Provider produced inconsistent final plan` errors for `publish` ([#32844](https://github.com/hashicorp/terraform-provider-aws/issues/32844)) ### [`v5.10.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.10.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.9.0...v5.10.0) FEATURES: - **New Resource:** `aws_iam_security_token_service_preferences` ([#32091](https://github.com/hashicorp/terraform-provider-aws/issues/32091)) ENHANCEMENTS: - data-source/aws\_nat\_gateway: Add `secondary_allocation_ids`, `secondary_private_ip_addresses` and `secondary_private_ip_address_count` attributes ([#31778](https://github.com/hashicorp/terraform-provider-aws/issues/31778)) - data-source/aws\_transfer\_server: Add `structured_log_destinations` attribute ([#32654](https://github.com/hashicorp/terraform-provider-aws/issues/32654)) - resource/aws\_batch\_compute\_environment: `compute_resources.allocation_strategy`, `compute_resources.bid_percentage`, `compute_resources.ec2_configuration.image_id_override`, `compute_resources.ec2_configuration.image_type`, `compute_resources.ec2_key_pair`, `compute_resources.image_id`, `compute_resources.instance_role`, `compute_resources.launch_template.launch_template_id` , `compute_resources.launch_template.launch_template_name`, `compute_resources.tags` and `compute_resources.type` can now be updated in-place ([#30438](https://github.com/hashicorp/terraform-provider-aws/issues/30438)) - resource/aws\_glue\_job: Add `command.runtime` attribute ([#32528](https://github.com/hashicorp/terraform-provider-aws/issues/32528)) - resource/aws\_grafana\_workspace: Allow `grafana_version` to be updated in-place ([#32679](https://github.com/hashicorp/terraform-provider-aws/issues/32679)) - resource/aws\_kms\_grant: Allow usage of service principal as grantee and revoker ([#32595](https://github.com/hashicorp/terraform-provider-aws/issues/32595)) - resource/aws\_medialive\_channel: Adds schemas for `caption_descriptions`, `global_configuration`, `motion_graphics_configuration`, and `nielsen_configuration` support to `encoder settings` ([#32233](https://github.com/hashicorp/terraform-provider-aws/issues/32233)) - resource/aws\_nat\_gateway: Add `secondary_allocation_ids`, `secondary_private_ip_addresses` and `secondary_private_ip_address_count` arguments ([#31778](https://github.com/hashicorp/terraform-provider-aws/issues/31778)) - resource/aws\_nat\_gateway: Add configurable timeouts ([#31778](https://github.com/hashicorp/terraform-provider-aws/issues/31778)) - resource/aws\_networkfirewall\_firewall\_policy: Add `firewall_policy.policy_variables` configuration block to support Suricata HOME\_NET variable override ([#32400](https://github.com/hashicorp/terraform-provider-aws/issues/32400)) - resource/aws\_sagemaker\_domain: Add `default_user_settings.canvas_app_settings.workspace_settings` attribute ([#32526](https://github.com/hashicorp/terraform-provider-aws/issues/32526)) - resource/aws\_sagemaker\_user\_profile: Add `user_settings.canvas_app_settings.workspace_settings` attribute ([#32526](https://github.com/hashicorp/terraform-provider-aws/issues/32526)) - resource/aws\_transfer\_server: Add `structured_log_destinations` argument ([#32654](https://github.com/hashicorp/terraform-provider-aws/issues/32654)) BUG FIXES: - resource/aws\_account\_primary\_contact: Correct plan-time validation of `phone_number` ([#32715](https://github.com/hashicorp/terraform-provider-aws/issues/32715)) - resource/aws\_apigatewayv2\_authorizer: Skip setting authorizer TTL when there are no identity sources ([#32629](https://github.com/hashicorp/terraform-provider-aws/issues/32629)) - resource/aws\_elasticache\_parameter\_group: Remove from state on resource Read if deleted outside of Terraform ([#32669](https://github.com/hashicorp/terraform-provider-aws/issues/32669)) - resource/aws\_elasticsearch\_domain: Omit `ebs_options.throughput` and `ebs_options.iops` for unsupported volume types ([#32659](https://github.com/hashicorp/terraform-provider-aws/issues/32659)) - resource/aws\_finspace\_kx\_cluster: `database.cache_configurations.db_paths` argument is now optional ([#32579](https://github.com/hashicorp/terraform-provider-aws/issues/32579)) - resource/aws\_finspace\_kx\_cluster: `database.cache_configurations` argument is now optional ([#32579](https://github.com/hashicorp/terraform-provider-aws/issues/32579)) - resource/aws\_lambda\_invocation: Fix plan failing with deferred input values ([#32706](https://github.com/hashicorp/terraform-provider-aws/issues/32706)) - resource/aws\_lightsail\_domain\_entry: Add support for `AAAA` `type` value ([#32664](https://github.com/hashicorp/terraform-provider-aws/issues/32664)) - resource/aws\_opensearch\_domain: Correctly handle `off_peak_window_options.off_peak_window.window_start_time` value of `00:00` ([#32716](https://github.com/hashicorp/terraform-provider-aws/issues/32716)) - resource/aws\_quicksight\_analysis: Fix exception thrown when setting the value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility` ([#32668](https://github.com/hashicorp/terraform-provider-aws/issues/32668)) - resource/aws\_quicksight\_analysis: Grid layout `optimized_view_port_width` argument changed to Optional ([#32644](https://github.com/hashicorp/terraform-provider-aws/issues/32644)) - resource/aws\_quicksight\_dashboard: Fix exception thrown when setting the value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility` ([#32668](https://github.com/hashicorp/terraform-provider-aws/issues/32668)) - resource/aws\_quicksight\_dashboard: Grid layout `optimized_view_port_width` argument changed to Optional ([#32644](https://github.com/hashicorp/terraform-provider-aws/issues/32644)) - resource/aws\_quicksight\_template: Fix exception thrown when setting the value for `definition.sheets.visuals.pie_chart_visual.chart_configuration.data_labels.measure_label_visibility` ([#32668](https://github.com/hashicorp/terraform-provider-aws/issues/32668)) - resource/aws\_quicksight\_template: Grid layout `optimized_view_port_width` argument changed to Optional ([#32644](https://github.com/hashicorp/terraform-provider-aws/issues/32644)) - resource/aws\_vpclattice\_access\_log\_subscription: Avoid recreating resource when passing a non-wildcard CloudWatch Logs log group ARN as `destination_arn` ([#32186](https://github.com/hashicorp/terraform-provider-aws/issues/32186)) - resource/aws\_vpclattice\_access\_log\_subscription: Avoid recreating resource when passing an ARN as `resource_identifier` ([#32186](https://github.com/hashicorp/terraform-provider-aws/issues/32186)) - resource/aws\_vpclattice\_service\_network\_service\_association: Avoid recreating resource when passing an ARN as `service_identifier` or `service_network_identifier` ([#32658](https://github.com/hashicorp/terraform-provider-aws/issues/32658)) - resource/aws\_vpclattice\_service\_network\_vpc\_association: Avoid recreating resource when passing an ARN as `service_network_identifier` ([#32658](https://github.com/hashicorp/terraform-provider-aws/issues/32658)) ### [`v5.9.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.9.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.8.0...v5.9.0) FEATURES: - **New Resource:** `aws_workspaces_connection_alias` ([#32482](https://github.com/hashicorp/terraform-provider-aws/issues/32482)) ENHANCEMENTS: - data-source/aws\_appmesh\_gateway\_route: Add `path` to the `spec.http_route.action.rewrite` and `spec.http2_route.action.rewrite` configuration blocks ([#32449](https://github.com/hashicorp/terraform-provider-aws/issues/32449)) - data-source/aws\_db\_instance: Add `max_allocated_storage` attribute ([#32477](https://github.com/hashicorp/terraform-provider-aws/issues/32477)) - data-source/aws\_ec2\_host: Add `asset_id` attribute ([#32388](https://github.com/hashicorp/terraform-provider-aws/issues/32388)) - resource/aws\_appmesh\_gateway\_route: Add `path` to the `spec.http_route.action.rewrite` and `spec.http2_route.action.rewrite` configuration blocks ([#32449](https://github.com/hashicorp/terraform-provider-aws/issues/32449)) - resource/aws\_cloudformation\_stack\_set\_instance: Added the `stack_instance_summaries` attribute to track all account and stack IDs for deployments to organizational units. ([#24523](https://github.com/hashicorp/terraform-provider-aws/issues/24523)) - resource/aws\_cloudformation\_stack\_set\_instance: Changes to `deployment_targets` now force a new resource. ([#24523](https://github.com/hashicorp/terraform-provider-aws/issues/24523)) - resource/aws\_connect\_queue: add delete function ([#32538](https://github.com/hashicorp/terraform-provider-aws/issues/32538)) - resource/aws\_connect\_routing\_profile: add delete function ([#32540](https://github.com/hashicorp/terraform-provider-aws/issues/32540)) - resource/aws\_db\_instance: Add `backup_target` attribute ([#32609](https://github.com/hashicorp/terraform-provider-aws/issues/32609)) - resource/aws\_ec2\_host: Add `asset_id` argument ([#32388](https://github.com/hashicorp/terraform-provider-aws/issues/32388)) - resource/aws\_ec2\_traffic\_mirror\_filter\_rule: Fix crash when updating `rule_number` ([#32594](https://github.com/hashicorp/terraform-provider-aws/issues/32594)) - resource/aws\_lightsail\_key\_pair: Add `tags` attribute ([#32606](https://github.com/hashicorp/terraform-provider-aws/issues/32606)) - resource/aws\_signer\_signing\_profile: Add `signing_material` attribute. ([#32414](https://github.com/hashicorp/terraform-provider-aws/issues/32414)) - resource/aws\_signer\_signing\_profile: Update `platform_id` validation. ([#32414](https://github.com/hashicorp/terraform-provider-aws/issues/32414)) - resource/aws\_wafv2\_web\_acl: Add `association_config` argument ([#31668](https://github.com/hashicorp/terraform-provider-aws/issues/31668)) BUG FIXES: - data-source/aws\_dms\_replication\_instance: Fixed bug that caused `replication_instance_private_ips`, `replication_instance_public_ips`, and `vpc_security_group_ids` to always return `null` ([#32551](https://github.com/hashicorp/terraform-provider-aws/issues/32551)) - data-source/aws\_mq\_broker: Fix `setting user: Invalid address to set` errors ([#32593](https://github.com/hashicorp/terraform-provider-aws/issues/32593)) - data-source/aws\_vpc\_endpoint: Add `dns_options.private_dns_only_for_inbound_resolver_endpoint` ([#32517](https://github.com/hashicorp/terraform-provider-aws/issues/32517)) - resource/aws\_appflow\_flow: Fix tasks not updating properly due to empty task being processed ([#26614](https://github.com/hashicorp/terraform-provider-aws/issues/26614)) - resource/aws\_cloudformation\_stack\_set\_instance: Fix error when deploying to organizational units with no accounts. ([#24523](https://github.com/hashicorp/terraform-provider-aws/issues/24523)) - resource/aws\_cognito\_user\_pool: Suppress diff when `schema.string_attribute_constraints` is omitted for `String` attribute types ([#32445](https://github.com/hashicorp/terraform-provider-aws/issues/32445)) - resource/aws\_config\_config\_rule: Prevent crash from unhandled read error ([#32520](https://github.com/hashicorp/terraform-provider-aws/issues/32520)) - resource/aws\_datasync\_agent: Prevent persistent diffs when `private_link_endpoint` is not explicitly configured. ([#32546](https://github.com/hashicorp/terraform-provider-aws/issues/32546)) - resource/aws\_globalaccelerator\_custom\_routing\_endpoint\_group: Respect configured `endpoint_group_region` value on resource Create ([#32393](https://github.com/hashicorp/terraform-provider-aws/issues/32393)) - resource/aws\_pipes\_pipe: Fix `Error: setting target_parameters: Invalid address to set` errors when creating pipes with ecs task targets ([#32432](https://github.com/hashicorp/terraform-provider-aws/issues/32432)) - resource/aws\_pipes\_pipe: Fix `ValidationException` errors when updating pipe ([#32622](https://github.com/hashicorp/terraform-provider-aws/issues/32622)) - resource/aws\_quicksight\_analysis: Correctly expand comparison method ([#32285](https://github.com/hashicorp/terraform-provider-aws/issues/32285)) - resource/aws\_quicksight\_group\_membership: Allow non `default` value for namespace ([#32494](https://github.com/hashicorp/terraform-provider-aws/issues/32494)) - resource/aws\_route53\_cidr\_location: Fix `Value Conversion Error` errors ([#32596](https://github.com/hashicorp/terraform-provider-aws/issues/32596)) - resource/aws\_wafv2\_web\_acl: Fixed error handling `response_inspection` parameters ([#31111](https://github.com/hashicorp/terraform-provider-aws/issues/31111)) ### [`v5.8.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.8.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.7.0...v5.8.0) ENHANCEMENTS: - data-source/aws\_ssm\_parameter: Add `insecure_value` attribute ([#30817](https://github.com/hashicorp/terraform-provider-aws/issues/30817)) - resource/aws\_fms\_policy: Add `policy_option` attribute for `security_service_policy_data` block ([#25362](https://github.com/hashicorp/terraform-provider-aws/issues/25362)) - resource/aws\_iam\_virtual\_mfa\_device: Add `enable_date` and `user_name` attributes ([#32462](https://github.com/hashicorp/terraform-provider-aws/issues/32462)) BUG FIXES: - resource/aws\_config\_config\_rule: Prevent crash on nil describe output ([#32439](https://github.com/hashicorp/terraform-provider-aws/issues/32439)) - resource/aws\_mq\_broker: default `replication_user` to `false` ([#32454](https://github.com/hashicorp/terraform-provider-aws/issues/32454)) - resource/aws\_quicksight\_analysis: Fix exception thrown when specifying `definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_analysis: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_analysis: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_dashboard: Fix exception thrown when specifying `definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_dashboard: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_dashboard: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_template: Fix exception thrown when specifying `definition.sheets.visuals.bar_chart_visual.chart_configuration.category_axis.scrollbar_options.visible_range` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_template: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_options.selected_field_options.visibility` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) - resource/aws\_quicksight\_template: Fix exception thrown when specifying `definition.sheets.visuals.pivot_table_visual.chart_configuration.field_wells.pivot_table_aggregated_field_wells.rows` ([#32464](https://github.com/hashicorp/terraform-provider-aws/issues/32464)) ### [`v5.7.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.7.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.6.2...v5.7.0) FEATURES: - **New Data Source:** `aws_opensearchserverless_security_config` ([#32321](https://github.com/hashicorp/terraform-provider-aws/issues/32321)) - **New Data Source:** `aws_opensearchserverless_security_policy` ([#32226](https://github.com/hashicorp/terraform-provider-aws/issues/32226)) - **New Data Source:** `aws_opensearchserverless_vpc_endpoint` ([#32276](https://github.com/hashicorp/terraform-provider-aws/issues/32276)) - **New Resource:** `aws_cleanrooms_collaboration` ([#31680](https://github.com/hashicorp/terraform-provider-aws/issues/31680)) ENHANCEMENTS: - resource/aws\_aws\_keyspaces\_table: Add `client_side_timestamps` configuration block ([#32339](https://github.com/hashicorp/terraform-provider-aws/issues/32339)) - resource/aws\_glue\_catalog\_database: Add `target_database.region` argument ([#32283](https://github.com/hashicorp/terraform-provider-aws/issues/32283)) - resource/aws\_glue\_crawler: Add `iceberg_target` configuration block ([#32332](https://github.com/hashicorp/terraform-provider-aws/issues/32332)) - resource/aws\_internetmonitor\_monitor: Add `health_events_config` configuration block ([#32343](https://github.com/hashicorp/terraform-provider-aws/issues/32343)) - resource/aws\_lambda\_function: Support `code_signing_config_arn` in the `ap-east-1` AWS Region ([#32327](https://github.com/hashicorp/terraform-provider-aws/issues/32327)) - resource/aws\_qldb\_stream: Add configurable Create and Delete timeouts ([#32345](https://github.com/hashicorp/terraform-provider-aws/issues/32345)) - resource/aws\_service\_discovery\_private\_dns\_namespace: Allow `description` to be updated in-place ([#32342](https://github.com/hashicorp/terraform-provider-aws/issues/32342)) - resource/aws\_service\_discovery\_public\_dns\_namespace: Allow `description` to be updated in-place ([#32342](https://github.com/hashicorp/terraform-provider-aws/issues/32342)) - resource/aws\_timestreamwrite\_table: Add `schema` configuration block ([#32354](https://github.com/hashicorp/terraform-provider-aws/issues/32354)) BUG FIXES: - provider: Correctly handle `forbidden_account_ids` ([#32352](https://github.com/hashicorp/terraform-provider-aws/issues/32352)) - resource/aws\_kms\_external\_key: Correctly remove all tags ([#32371](https://github.com/hashicorp/terraform-provider-aws/issues/32371)) - resource/aws\_kms\_key: Correctly remove all tags ([#32371](https://github.com/hashicorp/terraform-provider-aws/issues/32371)) - resource/aws\_kms\_replica\_external\_key: Correctly remove all tags ([#32371](https://github.com/hashicorp/terraform-provider-aws/issues/32371)) - resource/aws\_kms\_replica\_key: Correctly remove all tags ([#32371](https://github.com/hashicorp/terraform-provider-aws/issues/32371)) - resource/aws\_secretsmanager\_secret\_rotation: Fix `InvalidParameterException: You cannot specify both rotation frequency and schedule expression together` errors on resource Update ([#31915](https://github.com/hashicorp/terraform-provider-aws/issues/31915)) - resource/aws\_ssm\_parameter: Skip Update if only `overwrite` parameter changes ([#32372](https://github.com/hashicorp/terraform-provider-aws/issues/32372)) - resource/aws\_vpc\_endpoint: Fix `InvalidParameter: PrivateDnsOnlyForInboundResolverEndpoint not supported for this service` errors creating S3 *Interface* VPC endpoints ([#32355](https://github.com/hashicorp/terraform-provider-aws/issues/32355)) ### [`v5.6.2`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.6.2) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.6.1...v5.6.2) BUG FIXES: - resource/aws\_s3\_bucket: Fix `InvalidArgument: Invalid attribute name specified` errors when listing S3 Bucket objects, caused by an [AWS SDK for Go regression](https://github.com/aws/aws-sdk-go/issues/4897) ([#32317](https://github.com/hashicorp/terraform-provider-aws/issues/32317)) ### [`v5.6.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.6.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.6.0...v5.6.1) BUG FIXES: - provider: Prevent resource recreation if `tags` or `tags_all` are updated ([#32297](https://github.com/hashicorp/terraform-provider-aws/issues/32297)) ### [`v5.6.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.6.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.5.0...v5.6.0) FEATURES: - **New Data Source:** `aws_opensearchserverless_access_policy` ([#32231](https://github.com/hashicorp/terraform-provider-aws/issues/32231)) - **New Data Source:** `aws_opensearchserverless_collection` ([#32247](https://github.com/hashicorp/terraform-provider-aws/issues/32247)) - **New Data Source:** `aws_sfn_alias` ([#32176](https://github.com/hashicorp/terraform-provider-aws/issues/32176)) - **New Data Source:** `aws_sfn_state_machine_versions` ([#32176](https://github.com/hashicorp/terraform-provider-aws/issues/32176)) - **New Resource:** `aws_ec2_instance_connect_endpoint` ([#31858](https://github.com/hashicorp/terraform-provider-aws/issues/31858)) - **New Resource:** `aws_sfn_alias` ([#32176](https://github.com/hashicorp/terraform-provider-aws/issues/32176)) - **New Resource:** `aws_transfer_agreement` ([#32203](https://github.com/hashicorp/terraform-provider-aws/issues/32203)) - **New Resource:** `aws_transfer_certificate` ([#32203](https://github.com/hashicorp/terraform-provider-aws/issues/32203)) - **New Resource:** `aws_transfer_connector` ([#32203](https://github.com/hashicorp/terraform-provider-aws/issues/32203)) - **New Resource:** `aws_transfer_profile` ([#32203](https://github.com/hashicorp/terraform-provider-aws/issues/32203)) ENHANCEMENTS: - resource/aws\_batch\_compute\_environment: Add `placement_group` attribute to the `compute_resources` configuration block ([#32200](https://github.com/hashicorp/terraform-provider-aws/issues/32200)) - resource/aws\_emrserverless\_application: Do not recreate the resource if `release_label` changes ([#32278](https://github.com/hashicorp/terraform-provider-aws/issues/32278)) - resource/aws\_fis\_experiment\_template: Add `log_configuration` configuration block ([#32102](https://github.com/hashicorp/terraform-provider-aws/issues/32102)) - resource/aws\_fis\_experiment\_template: Add `parameters` attribute to the `target` configuration block ([#32160](https://github.com/hashicorp/terraform-provider-aws/issues/32160)) - resource/aws\_fis\_experiment\_template: Add support for `Pods` and `Tasks` to `action.*.target` ([#32152](https://github.com/hashicorp/terraform-provider-aws/issues/32152)) - resource/aws\_lambda\_event\_source\_mapping: The `queues` argument has changed from a set to a list with a maximum of one element. ([#31931](https://github.com/hashicorp/terraform-provider-aws/issues/31931)) - resource/aws\_pipes\_pipe: Add `activemq_broker_parameters`, `dynamodb_stream_parameters`, `kinesis_stream_parameters`, `managed_streaming_kafka_parameters`, `rabbitmq_broker_parameters`, `self_managed_kafka_parameters` and `sqs_queue_parameters` attributes to the `source_parameters` configuration block. NOTE: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing ([#31607](https://github.com/hashicorp/terraform-provider-aws/issues/31607)) - resource/aws\_pipes\_pipe: Add `batch_job_parameters`, `cloudwatch_logs_parameters`, `ecs_task_parameters`, `eventbridge_event_bus_parameters`, `http_parameters`, `kinesis_stream_parameters`, `lambda_function_parameters`, `redshift_data_parameters`, `sagemaker_pipeline_parameters`, `sqs_queue_parameters` and `step_function_state_machine_parameters` attributes to the `target_parameters` configuration block. NOTE: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing ([#31607](https://github.com/hashicorp/terraform-provider-aws/issues/31607)) - resource/aws\_pipes\_pipe: Add `enrichment_parameters` argument ([#31607](https://github.com/hashicorp/terraform-provider-aws/issues/31607)) - resource/aws\_resourcegroups\_group: `resource_query` no longer conflicts with `configuration` ([#30242](https://github.com/hashicorp/terraform-provider-aws/issues/30242)) - resource/aws\_s3\_bucket\_logging: Retry on empty read of logging config ([#30916](https://github.com/hashicorp/terraform-provider-aws/issues/30916)) - resource/aws\_sfn\_state\_machine: Add `description`, `publish`, `revision_id`, `state_machine_version_arn` and `version_description` attributes ([#32176](https://github.com/hashicorp/terraform-provider-aws/issues/32176)) BUG FIXES: - resource/aws\_db\_instance: Fix resource Create returning instances not in the `available` state when `identifier_prefix` is specified ([#32287](https://github.com/hashicorp/terraform-provider-aws/issues/32287)) - resource/aws\_resourcegroups\_resource: Fix crash when resource Create fails ([#30242](https://github.com/hashicorp/terraform-provider-aws/issues/30242)) - resource/aws\_route: Fix `reading Route in Route Table (rtb-1234abcd) with destination (1.2.3.4/5): couldn't find resource` errors when reading new resource ([#32196](https://github.com/hashicorp/terraform-provider-aws/issues/32196)) - resource/aws\_vpc\_security\_group\_egress\_rule: `security_group_id` is Required ([#32148](https://github.com/hashicorp/terraform-provider-aws/issues/32148)) - resource/aws\_vpc\_security\_group\_ingress\_rule: `security_group_id` is Required ([#32148](https://github.com/hashicorp/terraform-provider-aws/issues/32148)) ### [`v5.5.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.5.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.4.0...v5.5.0) NOTES: - provider: Updates to Go 1.20, the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. A future release will update to Go 1.21, and these platforms will no longer be supported. ([#32108](https://github.com/hashicorp/terraform-provider-aws/issues/32108)) - provider: Updates to Go 1.20, the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. A future release will update to Go 1.21, and these platforms will no longer be supported. ([#32108](https://github.com/hashicorp/terraform-provider-aws/issues/32108)) - provider: Updates to Go 1.20. The provider will now notice the `trust-ad` option in `/etc/resolv.conf` and, if set, will set the "authentic data" option in outgoing DNS requests in order to better match the behavior of the GNU libc resolver. ([#32108](https://github.com/hashicorp/terraform-provider-aws/issues/32108)) FEATURES: - **New Data Source:** `aws_sesv2_email_identity` ([#32026](https://github.com/hashicorp/terraform-provider-aws/issues/32026)) - **New Data Source:** `aws_sesv2_email_identity_mail_from_attributes` ([#32026](https://github.com/hashicorp/terraform-provider-aws/issues/32026)) - **New Resource:** `aws_chimesdkvoice_sip_rule` ([#32070](https://github.com/hashicorp/terraform-provider-aws/issues/32070)) - **New Resource:** `aws_organizations_resource_policy` ([#32056](https://github.com/hashicorp/terraform-provider-aws/issues/32056)) ENHANCEMENTS: - data-source/aws\_organizations\_organization: Return the full set of attributes when running as a [delegated administrator for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) ([#32056](https://github.com/hashicorp/terraform-provider-aws/issues/32056)) - provider: Mask all sensitive values that appear when `TF_LOG` level is `TRACE` ([#32174](https://github.com/hashicorp/terraform-provider-aws/issues/32174)) - resource/aws\_config\_configuration\_recorder: Add `exclusion_by_resource_types` and `recording_strategy` attributes to the `recording_group` configuration block ([#32007](https://github.com/hashicorp/terraform-provider-aws/issues/32007)) - resource/aws\_datasync\_task: Add `object_tags` attribute to `options` configuration block ([#27811](https://github.com/hashicorp/terraform-provider-aws/issues/27811)) - resource/aws\_networkmanager\_attachment\_accepter: Added support for Transit Gateway route table attachments ([#32023](https://github.com/hashicorp/terraform-provider-aws/issues/32023)) - resource/aws\_ses\_active\_receipt\_rule\_set: Support import ([#27604](https://github.com/hashicorp/terraform-provider-aws/issues/27604)) BUG FIXES: - resource/aws\_api\_gateway\_rest\_api: Fix crash when `binary_media_types` is `null` ([#32169](https://github.com/hashicorp/terraform-provider-aws/issues/32169)) - resource/aws\_datasync\_location\_object\_storage: Don't ignore `server_certificate` argument ([#27811](https://github.com/hashicorp/terraform-provider-aws/issues/27811)) - resource/aws\_eip: Fix `reading EC2 EIP (eipalloc-abcd1234): couldn't find resource` errors when reading new resource ([#32016](https://github.com/hashicorp/terraform-provider-aws/issues/32016)) - resource/aws\_quicksight\_analysis: Fix schema mapping for string set elements ([#31903](https://github.com/hashicorp/terraform-provider-aws/issues/31903)) - resource/aws\_redshiftserverless\_workgroup: Fix `waiting for completion: unexpected state 'AVAILABLE'` errors when deleting resource ([#32067](https://github.com/hashicorp/terraform-provider-aws/issues/32067)) - resource/aws\_route\_table: Fix `reading Route Table (rtb-abcd1234): couldn't find resource` errors when reading new resource ([#30999](https://github.com/hashicorp/terraform-provider-aws/issues/30999)) - resource/aws\_storagegateway\_smb\_file\_share: Fix update error when `kms_encrypted` is `true` but `kms_key_arn` is not sent in the request ([#32171](https://github.com/hashicorp/terraform-provider-aws/issues/32171)) ### [`v5.4.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.4.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.3.0...v5.4.0) FEATURES: - **New Data Source:** `aws_organizations_policies` ([#31545](https://github.com/hashicorp/terraform-provider-aws/issues/31545)) - **New Data Source:** `aws_organizations_policies_for_target` ([#31682](https://github.com/hashicorp/terraform-provider-aws/issues/31682)) - **New Resource:** `aws_chimesdkvoice_sip_media_application` ([#31937](https://github.com/hashicorp/terraform-provider-aws/issues/31937)) - **New Resource:** `aws_opensearchserverless_collection` ([#31091](https://github.com/hashicorp/terraform-provider-aws/issues/31091)) - **New Resource:** `aws_opensearchserverless_security_config` ([#28776](https://github.com/hashicorp/terraform-provider-aws/issues/28776)) - **New Resource:** `aws_opensearchserverless_vpc_endpoint` ([#28651](https://github.com/hashicorp/terraform-provider-aws/issues/28651)) ENHANCEMENTS: - resource/aws\_elb: Add configurable Create and Update timeouts ([#31976](https://github.com/hashicorp/terraform-provider-aws/issues/31976)) - resource/aws\_glue\_data\_quality\_ruleset: Add `catalog_id` argument to `target_table` block ([#31926](https://github.com/hashicorp/terraform-provider-aws/issues/31926)) BUG FIXES: - provider: Fix `index out of range [0] with length 0` panic ([#32004](https://github.com/hashicorp/terraform-provider-aws/issues/32004)) - resource/aws\_elb: Recreate the resource if `subnets` is updated to an empty list ([#31976](https://github.com/hashicorp/terraform-provider-aws/issues/31976)) - resource/aws\_lambda\_provisioned\_concurrency\_config: The `function_name` argument now properly handles ARN values ([#31933](https://github.com/hashicorp/terraform-provider-aws/issues/31933)) - resource/aws\_quicksight\_data\_set: Allow physical table map to be optional ([#31863](https://github.com/hashicorp/terraform-provider-aws/issues/31863)) - resource/aws\_ssm\_default\_patch\_baseline: Fix `*conns.AWSClient is not ssm.ssmClient: missing method SSMClient` panic ([#31928](https://github.com/hashicorp/terraform-provider-aws/issues/31928)) ### [`v5.3.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.3.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.2.0...v5.3.0) NOTES: - resource/aws\_instance: The `metadata_options.http_endpoint` argument now correctly defaults to `enabled`. ([#24774](https://github.com/hashicorp/terraform-provider-aws/issues/24774)) - resource/aws\_lambda\_function: The `replace_security_groups_on_destroy` and `replacement_security_group_ids` attributes are being deprecated as AWS no longer supports this operation. These attributes now have no effect, and will be removed in a future major version. ([#31904](https://github.com/hashicorp/terraform-provider-aws/issues/31904)) FEATURES: - **New Data Source:** `aws_quicksight_theme` ([#31900](https://github.com/hashicorp/terraform-provider-aws/issues/31900)) - **New Resource:** `aws_opensearchserverless_access_policy` ([#28518](https://github.com/hashicorp/terraform-provider-aws/issues/28518)) - **New Resource:** `aws_opensearchserverless_security_policy` ([#28470](https://github.com/hashicorp/terraform-provider-aws/issues/28470)) - **New Resource:** `aws_quicksight_theme` ([#31900](https://github.com/hashicorp/terraform-provider-aws/issues/31900)) ENHANCEMENTS: - data-source/aws\_redshift\_cluster: Add `cluster_namespace_arn` attribute ([#31884](https://github.com/hashicorp/terraform-provider-aws/issues/31884)) - resource/aws\_redshift\_cluster: Add `cluster_namespace_arn` attribute ([#31884](https://github.com/hashicorp/terraform-provider-aws/issues/31884)) - resource/aws\_vpc\_endpoint: Add `private_dns_only_for_inbound_resolver_endpoint` attribute to the `dns_options` configuration block ([#31873](https://github.com/hashicorp/terraform-provider-aws/issues/31873)) BUG FIXES: - resource/aws\_ecs\_task\_definition: Fix to prevent persistent diff when `efs_volume_configuration` has both `root_volume` and `authorization_config` set. ([#26880](https://github.com/hashicorp/terraform-provider-aws/issues/26880)) - resource/aws\_instance: Fix default for `metadata_options.http_endpoint` argument. ([#24774](https://github.com/hashicorp/terraform-provider-aws/issues/24774)) - resource/aws\_keyspaces\_keyspace: Correct plan time validation for `name` ([#31352](https://github.com/hashicorp/terraform-provider-aws/issues/31352)) - resource/aws\_keyspaces\_table: Correct plan time validation for `keyspace_name`, `table_name` and column names ([#31352](https://github.com/hashicorp/terraform-provider-aws/issues/31352)) - resource/aws\_quicksight\_analysis: Fix assignment of KPI visual field well target values ([#31901](https://github.com/hashicorp/terraform-provider-aws/issues/31901)) - resource/aws\_redshift\_cluster: Allow `availability_zone_relocation_enabled` to be `true` when `publicly_accessible` is `true` ([#31886](https://github.com/hashicorp/terraform-provider-aws/issues/31886)) - resource/aws\_vpc: Fix `reading EC2 VPC (vpc-abcd1234) Attribute (enableDnsSupport): couldn't find resource` errors when reading new resource ([#31877](https://github.com/hashicorp/terraform-provider-aws/issues/31877)) ### [`v5.2.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.2.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.1.0...v5.2.0) NOTES: - resource/aws\_mwaa\_environment: Upgrading your environment to a new major version of Apache Airflow forces replacement of the resource ([#31833](https://github.com/hashicorp/terraform-provider-aws/issues/31833)) FEATURES: - **New Data Source:** `aws_budgets_budget` ([#31691](https://github.com/hashicorp/terraform-provider-aws/issues/31691)) - **New Data Source:** `aws_ecr_pull_through_cache_rule` ([#31696](https://github.com/hashicorp/terraform-provider-aws/issues/31696)) - **New Data Source:** `aws_guardduty_finding_ids` ([#31711](https://github.com/hashicorp/terraform-provider-aws/issues/31711)) - **New Data Source:** `aws_iam_principal_policy_simulation` ([#25569](https://github.com/hashicorp/terraform-provider-aws/issues/25569)) - **New Resource:** `aws_chimesdkvoice_global_settings` ([#31365](https://github.com/hashicorp/terraform-provider-aws/issues/31365)) - **New Resource:** `aws_finspace_kx_cluster` ([#31806](https://github.com/hashicorp/terraform-provider-aws/issues/31806)) - **New Resource:** `aws_finspace_kx_database` ([#31803](https://github.com/hashicorp/terraform-provider-aws/issues/31803)) - **New Resource:** `aws_finspace_kx_environment` ([#31802](https://github.com/hashicorp/terraform-provider-aws/issues/31802)) - **New Resource:** `aws_finspace_kx_user` ([#31804](https://github.com/hashicorp/terraform-provider-aws/issues/31804)) ENHANCEMENTS: - data/aws\_ec2\_transit\_gateway\_connect\_peer: Add `bgp_peer_address` and `bgp_transit_gateway_addresses` attributes ([#31752](https://github.com/hashicorp/terraform-provider-aws/issues/31752)) - provider: Adds `retry_mode` parameter ([#31745](https://github.com/hashicorp/terraform-provider-aws/issues/31745)) - resource/aws\_chime\_voice\_connector: Add tagging support ([#31746](https://github.com/hashicorp/terraform-provider-aws/issues/31746)) - resource/aws\_ec2\_transit\_gateway\_connect\_peer: Add `bgp_peer_address` and `bgp_transit_gateway_addresses` attributes ([#31752](https://github.com/hashicorp/terraform-provider-aws/issues/31752)) - resource/aws\_ec2\_transit\_gateway\_route\_table\_association: Add `replace_existing_association` argument ([#31452](https://github.com/hashicorp/terraform-provider-aws/issues/31452)) - resource/aws\_fis\_experiment\_template: Add support for `Volumes` to `actions.*.target` ([#31499](https://github.com/hashicorp/terraform-provider-aws/issues/31499)) - resource/aws\_instance: Add `instance_market_options` configuration block and `instance_lifecycle` and `spot_instance_request_id` attributes ([#31495](https://github.com/hashicorp/terraform-provider-aws/issues/31495)) - resource/aws\_lambda\_function: Add support for `ruby3.2` `runtime` value ([#31842](https://github.com/hashicorp/terraform-provider-aws/issues/31842)) - resource/aws\_lambda\_layer\_version: Add support for `ruby3.2` `compatible_runtimes` value ([#31842](https://github.com/hashicorp/terraform-provider-aws/issues/31842)) - resource/aws\_mwaa\_environment: Consider `CREATING_SNAPSHOT` a valid pending state for resource update ([#31833](https://github.com/hashicorp/terraform-provider-aws/issues/31833)) - resource/aws\_networkfirewall\_firewall\_policy: Add `stream_exception_policy` option to `firewall_policy.stateful_engine_options` ([#31541](https://github.com/hashicorp/terraform-provider-aws/issues/31541)) - resource/aws\_redshiftserverless\_workgroup: Additional supported values for `config_parameter.parameter_key` ([#31747](https://github.com/hashicorp/terraform-provider-aws/issues/31747)) - resource/aws\_sagemaker\_model: Add `container.model_package_name` and `primary_container.model_package_name` arguments ([#31755](https://github.com/hashicorp/terraform-provider-aws/issues/31755)) BUG FIXES: - data-source/aws\_redshift\_cluster: Fix crash reading clusters in `modifying` state ([#31772](https://github.com/hashicorp/terraform-provider-aws/issues/31772)) - provider/default\_tags: Fix perpetual diff when identical tags are moved from `default_tags` to resource `tags`, and vice versa ([#31826](https://github.com/hashicorp/terraform-provider-aws/issues/31826)) - resource/aws\_autoscaling\_group: Ignore any `Failed` scaling activities due to IAM eventual consistency ([#31282](https://github.com/hashicorp/terraform-provider-aws/issues/31282)) - resource/aws\_dx\_connection: Convert `vlan_id` from [`TypeString`](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-types#typestring) to [`TypeInt`](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-types#typeint) in [Terraform state](https://developer.hashicorp.com/terraform/language/state) for existing resources. This fixes a regression introduced in [v5.1.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#510-june--1-2023) causing `a number is required` errors ([#31735](https://github.com/hashicorp/terraform-provider-aws/issues/31735)) - resource/aws\_globalaccelerator\_endpoint\_group: Fix bug updating `endpoint_configuration.weight` to `0` ([#31767](https://github.com/hashicorp/terraform-provider-aws/issues/31767)) - resource/aws\_medialive\_channel: Fix spelling in `hls_cdn_settings` expander. ([#31844](https://github.com/hashicorp/terraform-provider-aws/issues/31844)) - resource/aws\_redshiftserverless\_namespace: Fix perpetual `iam_roles` diffs when the namespace contains a workgroup ([#31749](https://github.com/hashicorp/terraform-provider-aws/issues/31749)) - resource/aws\_redshiftserverless\_workgroup: Change `config_parameter` from `TypeList` to `TypeSet` as order is not significant ([#31747](https://github.com/hashicorp/terraform-provider-aws/issues/31747)) - resource/aws\_redshiftserverless\_workgroup: Fix `ValidationException: Can't update multiple configurations at the same time` errors ([#31747](https://github.com/hashicorp/terraform-provider-aws/issues/31747)) - resource/aws\_vpc\_endpoint: Fix tagging error preventing use in ISO partitions ([#31801](https://github.com/hashicorp/terraform-provider-aws/issues/31801)) ### [`v5.1.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.1.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.0.1...v5.1.0) BREAKING CHANGES: - resource/aws\_iam\_role: The `role_last_used` attribute has been removed. Use the `aws_iam_role` data source instead. ([#31656](https://github.com/hashicorp/terraform-provider-aws/issues/31656)) NOTES: - resource/aws\_autoscaling\_group: The `load_balancers` and `target_group_arns` attributes have been changed to `Computed`. This means that omitting this argument is interpreted as ignoring any existing load balancer or target group attachments. To remove all load balancer or target group attachments an empty list should be specified. ([#31527](https://github.com/hashicorp/terraform-provider-aws/issues/31527)) - resource/aws\_iam\_role: The `role_last_used` attribute has been removed. Use the `aws_iam_role` data source instead. See the community feedback provided in the [linked issue](https://github.com/hashicorp/terraform-provider-aws/issues/30861) for additional justification on this change. As the attribute is read-only, unlikely to be used as an input to another resource, and available in the corresponding data source, a breaking change in a minor version was deemed preferable to a long deprecation/removal cycle in this circumstance. ([#31656](https://github.com/hashicorp/terraform-provider-aws/issues/31656)) - resource/aws\_redshift\_cluster: Ignores the parameter `aqua_configuration_status`, since the AWS API ignores it. Now always returns `auto`. ([#31612](https://github.com/hashicorp/terraform-provider-aws/issues/31612)) FEATURES: - **New Data Source:** `aws_vpclattice_resource_policy` ([#31372](https://github.com/hashicorp/terraform-provider-aws/issues/31372)) - **New Resource:** `aws_autoscaling_traffic_source_attachment` ([#31527](https://github.com/hashicorp/terraform-provider-aws/issues/31527)) - **New Resource:** `aws_emrcontainers_job_template` ([#31399](https://github.com/hashicorp/terraform-provider-aws/issues/31399)) - **New Resource:** `aws_glue_data_quality_ruleset` ([#31604](https://github.com/hashicorp/terraform-provider-aws/issues/31604)) - **New Resource:** `aws_quicksight_analysis` ([#31542](https://github.com/hashicorp/terraform-provider-aws/issues/31542)) - **New Resource:** `aws_quicksight_dashboard` ([#31448](https://github.com/hashicorp/terraform-provider-aws/issues/31448)) - **New Resource:** `aws_resourcegroups_resource` ([#31430](https://github.com/hashicorp/terraform-provider-aws/issues/31430)) ENHANCEMENTS: - data-source/aws\_autoscaling\_group: Add `traffic_source` attribute ([#31527](https://github.com/hashicorp/terraform-provider-aws/issues/31527)) - data-source/aws\_opensearch\_domain: Add `off_peak_window_options` attribute ([#35970](https://github.com/hashicorp/terraform-provider-aws/issues/35970)) - provider: Increases size of HTTP request bodies in logs to 1 KB ([#31718](https://github.com/hashicorp/terraform-provider-aws/issues/31718)) - resource/aws\_appsync\_graphql\_api: Add `visibility` argument ([#31369](https://github.com/hashicorp/terraform-provider-aws/issues/31369)) - resource/aws\_appsync\_graphql\_api: Add plan time validation for `log_config.cloudwatch_logs_role_arn` ([#31369](https://github.com/hashicorp/terraform-provider-aws/issues/31369)) - resource/aws\_autoscaling\_group: Add `traffic_source` configuration block ([#31527](https://github.com/hashicorp/terraform-provider-aws/issues/31527)) - resource/aws\_cloudformation\_stack\_set: Add `managed_execution` argument ([#25210](https://github.com/hashicorp/terraform-provider-aws/issues/25210)) - resource/aws\_fsx\_ontap\_volume: Add `skip_final_backup` argument ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_fsx\_ontap\_volume: Remove default value for `security_style` argument and mark as Computed ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_fsx\_ontap\_volume: Update `ontap_volume_type` attribute to be configurable ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_fsx\_ontap\_volume: `junction_path` is Optional ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_fsx\_ontap\_volume: `storage_efficiency_enabled` is Optional ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_grafana\_workspace: Increase default Create and Update timeouts to 30 minutes ([#31422](https://github.com/hashicorp/terraform-provider-aws/issues/31422)) - resource/aws\_lambda\_invocation: Add lifecycle\_scope CRUD to invoke on each resource state transition ([#29367](https://github.com/hashicorp/terraform-provider-aws/issues/29367)) - resource/aws\_lambda\_layer\_version\_permission: Add `skip_destroy` attribute ([#29571](https://github.com/hashicorp/terraform-provider-aws/issues/29571)) - resource/aws\_lambda\_provisioned\_concurrency\_configuration: Add `skip_destroy` argument ([#31646](https://github.com/hashicorp/terraform-provider-aws/issues/31646)) - resource/aws\_opensearch\_domain: Add `off_peak_window_options` configuration block ([#35970](https://github.com/hashicorp/terraform-provider-aws/issues/35970)) - resource/aws\_sagemaker\_endpoint\_configuration: Add and `shadow_production_variants.serverless_config.provisioned_concurrency` arguments ([#31398](https://github.com/hashicorp/terraform-provider-aws/issues/31398)) - resource/aws\_transfer\_server: Add support for `TransferSecurityPolicy-2023-05` `security_policy_name` value ([#31536](https://github.com/hashicorp/terraform-provider-aws/issues/31536)) BUG FIXES: - data-source/aws\_dx\_connection: Fix the `vlan_id` being returned as null ([#31480](https://github.com/hashicorp/terraform-provider-aws/issues/31480)) - provider/tags: Fix crash when some `tags` are `null` and others are `computed` ([#31687](https://github.com/hashicorp/terraform-provider-aws/issues/31687)) - provider: Limits size of HTTP response bodies in logs to 4 KB ([#31718](https://github.com/hashicorp/terraform-provider-aws/issues/31718)) - resource/aws\_autoscaling\_group: Fix `The AutoRollback parameter cannot be set to true when the DesiredConfiguration parameter is empty` errors when refreshing instances ([#31715](https://github.com/hashicorp/terraform-provider-aws/issues/31715)) - resource/aws\_autoscaling\_group: Now ignores previous failed scaling activities ([#31551](https://github.com/hashicorp/terraform-provider-aws/issues/31551)) - resource/aws\_cloudfront\_distribution: Remove the upper limit on `origin_keepalive_timeout` ([#31608](https://github.com/hashicorp/terraform-provider-aws/issues/31608)) - resource/aws\_connect\_instance: Fix crash when reading instances with `CREATION_FAILED` status ([#31689](https://github.com/hashicorp/terraform-provider-aws/issues/31689)) - resource/aws\_connect\_security\_profile: Set correct `tags` in state ([#31716](https://github.com/hashicorp/terraform-provider-aws/issues/31716)) - resource/aws\_dx\_connection: Fix the `vlan_id` being returned as null ([#31480](https://github.com/hashicorp/terraform-provider-aws/issues/31480)) - resource/aws\_ecs\_service: Fix crash when just `alarms` is updated ([#31683](https://github.com/hashicorp/terraform-provider-aws/issues/31683)) - resource/aws\_fsx\_ontap\_volume: Change `storage_virtual_machine_id` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_fsx\_ontap\_volume: Change `volume_type` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) ([#31544](https://github.com/hashicorp/terraform-provider-aws/issues/31544)) - resource/aws\_kendra\_index: Persist `user_group_resolution_mode` value to state after creation ([#31669](https://github.com/hashicorp/terraform-provider-aws/issues/31669)) - resource/aws\_medialive\_channel: Fix attribute spelling in `hls_cdn_settings` expand ([#31647](https://github.com/hashicorp/terraform-provider-aws/issues/31647)) - resource/aws\_quicksight\_data\_set: Fix join\_instruction not applied when creating dataset ([#31424](https://github.com/hashicorp/terraform-provider-aws/issues/31424)) - resource/aws\_quicksight\_data\_set: Ignore failure to read refresh properties for non-SPICE datasets ([#31488](https://github.com/hashicorp/terraform-provider-aws/issues/31488)) - resource/aws\_rbin\_rule: Fix crash when multiple `resource_tags` blocks are configured ([#31393](https://github.com/hashicorp/terraform-provider-aws/issues/31393)) - resource/aws\_rds\_cluster: Correctly update `db_cluster_instance_class` ([#31709](https://github.com/hashicorp/terraform-provider-aws/issues/31709)) - resource/aws\_redshift\_cluster: No longer errors on deletion when status is `Maintenance` ([#31612](https://github.com/hashicorp/terraform-provider-aws/issues/31612)) - resource/aws\_route53\_vpc\_association\_authorization: Fix `ConcurrentModification` error ([#31588](https://github.com/hashicorp/terraform-provider-aws/issues/31588)) - resource/aws\_s3\_bucket\_replication\_configuration: Replication configs sometimes need more than a second or two. This resolves a race condition and adds retry logic when reading them. ([#30995](https://github.com/hashicorp/terraform-provider-aws/issues/30995)) ### [`v5.0.1`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.1) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v5.0.0...v5.0.1) BUG FIXES: - provider/tags: Fix crash when tags are `null` ([#31587](https://github.com/hashicorp/terraform-provider-aws/issues/31587)) ### [`v5.0.0`](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0) [Compare Source](https://github.com/hashicorp/terraform-provider-aws/compare/v4.67.0...v5.0.0) BREAKING CHANGES: - data-source/aws\_api\_gateway\_rest\_api: `minimum_compression_size` is now a string type to allow values set via the `body` attribute to be properly computed. ([#30969](https://github.com/hashicorp/terraform-provider-aws/issues/30969)) - data-source/aws\_connect\_hours\_of\_operation: The `hours_of_operation_arn` attribute has been removed ([#31484](https://github.com/hashicorp/terraform-provider-aws/issues/31484)) - data-source/aws\_db\_instance: With the retirement of EC2-Classic the `db_security_groups` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - data-source/aws\_elasticache\_cluster: With the retirement of EC2-Classic the `security_group_names` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - data-source/aws\_elasticache\_replication\_group: Remove `number_cache_clusters`, `replication_group_description` arguments -- use `num_cache_clusters`, and `description`, respectively, instead ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - data-source/aws\_iam\_policy\_document: Don't add empty `statement.sid` values to `json` attribute value ([#28539](https://github.com/hashicorp/terraform-provider-aws/issues/28539)) - data-source/aws\_iam\_policy\_document: `source_json` and `override_json` have been removed -- use `source_policy_documents` and `override_policy_documents`, respectively, instead ([#30829](https://github.com/hashicorp/terraform-provider-aws/issues/30829)) - data-source/aws\_identitystore\_group: The `filter` argument has been removed ([#31312](https://github.com/hashicorp/terraform-provider-aws/issues/31312)) - data-source/aws\_identitystore\_user: The `filter` argument has been removed ([#31312](https://github.com/hashicorp/terraform-provider-aws/issues/31312)) - data-source/aws\_launch\_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - data-source/aws\_redshift\_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - data-source/aws\_secretsmanager\_secret: The `rotation_enabled`, `rotation_lambda_arn` and `rotation_rules` attributes have been removed ([#31487](https://github.com/hashicorp/terraform-provider-aws/issues/31487)) - data-source/aws\_vpc\_peering\_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - provider: The `assume_role.duration_seconds`, `assume_role_with_web_identity.duration_seconds`, `s3_force_path_style`, `shared_credentials_file` and `skip_get_ec2_platforms` attributes have been removed ([#31155](https://github.com/hashicorp/terraform-provider-aws/issues/31155)) - provider: The `aws_subnet_ids` data source has been removed ([#31140](https://github.com/hashicorp/terraform-provider-aws/issues/31140)) - provider: With the retirement of EC2-Classic the `aws_db_security_group` resource has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - provider: With the retirement of EC2-Classic the `aws_elasticache_security_group` resource has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - provider: With the retirement of EC2-Classic the `aws_redshift_security_group` resource has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - provider: With the retirement of Macie Classic the `aws_macie_member_account_association` resource has been removed ([#31058](https://github.com/hashicorp/terraform-provider-aws/issues/31058)) - provider: With the retirement of Macie Classic the `aws_macie_s3_bucket_association` resource has been removed ([#31058](https://github.com/hashicorp/terraform-provider-aws/issues/31058)) - resource/aws\_acmpca\_certificate\_authority: The `status` attribute has been removed ([#31084](https://github.com/hashicorp/terraform-provider-aws/issues/31084)) - resource/aws\_api\_gateway\_rest\_api: `minimum_compression_size` is now a string type to allow values set via the `body` attribute to be properly computed. ([#30969](https://github.com/hashicorp/terraform-provider-aws/issues/30969)) - resource/aws\_autoscaling\_attachment: `alb_target_group_arn` has been removed -- use `lb_target_group_arn` instead ([#30828](https://github.com/hashicorp/terraform-provider-aws/issues/30828)) - resource/aws\_autoscaling\_group: Remove deprecated `tags` attribute ([#30842](https://github.com/hashicorp/terraform-provider-aws/issues/30842)) - resource/aws\_budgets\_budget: The `cost_filters` attribute has been removed ([#31395](https://github.com/hashicorp/terraform-provider-aws/issues/31395)) - resource/aws\_ce\_anomaly\_subscription: The `threshold` attribute has been removed ([#30374](https://github.com/hashicorp/terraform-provider-aws/issues/30374)) - resource/aws\_cloudwatch\_event\_target: The `ecs_target.propagate_tags` attribute now has no default value ([#25233](https://github.com/hashicorp/terraform-provider-aws/issues/25233)) - resource/aws\_codebuild\_project: The `secondary_sources.auth` and `source.auth` attributes have been removed ([#31483](https://github.com/hashicorp/terraform-provider-aws/issues/31483)) - resource/aws\_connect\_hours\_of\_operation: The `hours_of_operation_arn` attribute has been removed ([#31484](https://github.com/hashicorp/terraform-provider-aws/issues/31484)) - resource/aws\_connect\_queue: The `quick_connect_ids_associated` attribute has been removed ([#31376](https://github.com/hashicorp/terraform-provider-aws/issues/31376)) - resource/aws\_connect\_routing\_profile: The `queue_configs_associated` attribute has been removed ([#31376](https://github.com/hashicorp/terraform-provider-aws/issues/31376)) - resource/aws\_db\_instance: Remove `name` - use `db_name` instead ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_instance: With the retirement of EC2-Classic the `security_group_names` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_db\_instance: `id` is no longer the AWS database `identifier` - `id` is now the `dbi-resource-id`. Refer to `identifier` instead of `id` to use the database's identifier ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_default\_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_dms\_endpoint: `s3_settings.ignore_headers_row` has been removed ([#30452](https://github.com/hashicorp/terraform-provider-aws/issues/30452)) - resource/aws\_docdb\_cluster: `snapshot_identifier` change now properly forces replacement ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_ec2\_client\_vpn\_endpoint: The `status` attribute has been removed ([#31223](https://github.com/hashicorp/terraform-provider-aws/issues/31223)) - resource/aws\_ec2\_client\_vpn\_network\_association: The `security_groups` attribute has been removed ([#31396](https://github.com/hashicorp/terraform-provider-aws/issues/31396)) - resource/aws\_ec2\_client\_vpn\_network\_association: The `status` attribute has been removed ([#31223](https://github.com/hashicorp/terraform-provider-aws/issues/31223)) - resource/aws\_ecs\_cluster: The `capacity_providers` and `default_capacity_provider_strategy` attributes have been removed ([#31346](https://github.com/hashicorp/terraform-provider-aws/issues/31346)) - resource/aws\_eip: With the retirement of EC2-Classic the `standard` domain is no longer supported ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_eip\_association: With the retirement of EC2-Classic the `standard` domain is no longer supported ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_elasticache\_cluster: With the retirement of EC2-Classic the `security_group_names` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_elasticache\_replication\_group: Remove `availability_zones`, `number_cache_clusters`, `replication_group_description` arguments -- use `preferred_cache_cluster_azs`, `num_cache_clusters`, and `description`, respectively, instead ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_elasticache\_replication\_group: Remove `cluster_mode` configuration block -- use top-level `num_node_groups` and `replicas_per_node_group` instead ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Remove `s3_configuration` attribute from the root of the resource. `s3_configuration` is now a part of the following blocks: `elasticsearch_configuration`, `opensearch_configuration`, `redshift_configuration`, `splunk_configuration`, and `http_endpoint_configuration` ([#31138](https://github.com/hashicorp/terraform-provider-aws/issues/31138)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Remove `s3` as an option for `destination`. Use `extended_s3` instead ([#31138](https://github.com/hashicorp/terraform-provider-aws/issues/31138)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Rename `extended_s3_configuration.0.s3_backup_configuration.0.buffer_size` and `extended_s3_configuration.0.s3_backup_configuration.0.buffer_interval` to `extended_s3_configuration.0.s3_backup_configuration.0.buffering_size` and `extended_s3_configuration.0.s3_backup_configuration.0.buffering_interval`, respectively ([#31141](https://github.com/hashicorp/terraform-provider-aws/issues/31141)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Rename `redshift_configuration.0.s3_backup_configuration.0.buffer_size` and `redshift_configuration.0.s3_backup_configuration.0.buffer_interval` to `redshift_configuration.0.s3_backup_configuration.0.buffering_size` and `redshift_configuration.0.s3_backup_configuration.0.buffering_interval`, respectively ([#31141](https://github.com/hashicorp/terraform-provider-aws/issues/31141)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Rename `s3_configuration.0.buffer_size` and `s3_configuration.0.buffer_internval` to `s3_configuration.0.buffering_size` and `s3_configuration.0.buffering_internval`, respectively ([#31141](https://github.com/hashicorp/terraform-provider-aws/issues/31141)) - resource/aws\_launch\_configuration: With the retirement of EC2-Classic the `vpc_classic_link_id` and `vpc_classic_link_security_groups` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_lightsail\_instance: The `ipv6_address` attribute has been removed ([#31489](https://github.com/hashicorp/terraform-provider-aws/issues/31489)) - resource/aws\_medialive\_multiplex\_program: The `statemux_settings` attribute has been removed. Use `statmux_settings` argument instead ([#31034](https://github.com/hashicorp/terraform-provider-aws/issues/31034)) - resource/aws\_msk\_cluster: The `broker_node_group_info.ebs_volume_size` attribute has been removed ([#31324](https://github.com/hashicorp/terraform-provider-aws/issues/31324)) - resource/aws\_neptune\_cluster: `snapshot_identifier` change now properly forces replacement ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_networkmanager\_core\_network: Removed `policy_document` argument -- use `aws_networkmanager_core_network_policy_attachment` resource instead ([#30875](https://github.com/hashicorp/terraform-provider-aws/issues/30875)) - resource/aws\_rds\_cluster: The `engine` argument is now required and has no default ([#31112](https://github.com/hashicorp/terraform-provider-aws/issues/31112)) - resource/aws\_rds\_cluster: `snapshot_identifier` change now properly forces replacement ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_rds\_cluster\_instance: The `engine` argument is now required and has no default ([#31112](https://github.com/hashicorp/terraform-provider-aws/issues/31112)) - resource/aws\_redshift\_cluster: With the retirement of EC2-Classic the `cluster_security_groups` attribute has been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_route: `instance_id` can no longer be set in configurations. Use `network_interface_id` instead, for example, setting `network_interface_id` to `aws_instance.test.primary_network_interface_id`. ([#30804](https://github.com/hashicorp/terraform-provider-aws/issues/30804)) - resource/aws\_route\_table: `route.*.instance_id` can no longer be set in configurations. Use `route.*.network_interface_id` instead, for example, setting `network_interface_id` to `aws_instance.test.primary_network_interface_id`. ([#30804](https://github.com/hashicorp/terraform-provider-aws/issues/30804)) - resource/aws\_secretsmanager\_secret: The `rotation_enabled`, `rotation_lambda_arn` and `rotation_rules` attributes have been removed ([#31487](https://github.com/hashicorp/terraform-provider-aws/issues/31487)) - resource/aws\_security\_group: With the retirement of EC2-Classic non-VPC security groups are no longer supported ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_security\_group\_rule: With the retirement of EC2-Classic non-VPC security groups are no longer supported ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_servicecatalog\_product: Changes to any `provisioning_artifact_parameters` arguments now properly trigger a replacement. This fixes incorrect behavior, but may technically be breaking for configurations expecting non-functional in-place updates. ([#31061](https://github.com/hashicorp/terraform-provider-aws/issues/31061)) - resource/aws\_vpc: With the retirement of EC2-Classic the `enable_classiclink` and `enable_classiclink_dns_support` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_vpc\_peering\_connection: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_vpc\_peering\_connection\_accepter: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_vpc\_peering\_connection\_options: With the retirement of EC2-Classic the `allow_classic_link_to_remote_vpc` and `allow_vpc_to_remote_classic_link` attributes have been removed ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) - resource/aws\_wafv2\_web\_acl: The `statement.managed_rule_group_statement.excluded_rule` and `statement.rule_group_reference_statement.excluded_rule` attributes have been removed ([#31374](https://github.com/hashicorp/terraform-provider-aws/issues/31374)) - resource/aws\_wafv2\_web\_acl\_logging\_configuration: The `redacted_fields.all_query_arguments`, `redacted_fields.body` and `redacted_fields.single_query_argument` attributes have been removed ([#31486](https://github.com/hashicorp/terraform-provider-aws/issues/31486)) NOTES: - data-source/aws\_elasticache\_replication\_group: Update configurations to use `description` instead of the `replication_group_description` argument ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - data-source/aws\_elasticache\_replication\_group: Update configurations to use `num_cache_clusters` instead of the `number_cache_clusters` argument ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - data-source/aws\_opensearch\_domain: The `kibana_endpoint` attribute has been deprecated. All configurations using `kibana_endpoint` should be updated to use the `dashboard_endpoint` attribute instead ([#31490](https://github.com/hashicorp/terraform-provider-aws/issues/31490)) - data-source/aws\_quicksight\_data\_set: The `tags_all` attribute has been deprecated and will be removed in a future version ([#31162](https://github.com/hashicorp/terraform-provider-aws/issues/31162)) - data-source/aws\_redshift\_service\_account: The `aws_redshift_service_account` data source has been deprecated and will be removed in a future version. AWS documentation [states that](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy ([#31006](https://github.com/hashicorp/terraform-provider-aws/issues/31006)) - data-source/aws\_service\_discovery\_service: The `tags_all` attribute has been deprecated and will be removed in a future version ([#31162](https://github.com/hashicorp/terraform-provider-aws/issues/31162)) - resource/aws\_api\_gateway\_rest\_api: Update configurations with `minimum_compression_size` set to pass the value as a string. Valid values remain the same. ([#30969](https://github.com/hashicorp/terraform-provider-aws/issues/30969)) - resource/aws\_autoscaling\_attachment: Update configurations to use `lb_target_group_arn` instead of `alb_target_group_arn` which has been removed ([#30828](https://github.com/hashicorp/terraform-provider-aws/issues/30828)) - resource/aws\_db\_event\_subscription: Configurations that define `source_ids` using the `id` attribute of `aws_db_instance` must be updated to use `identifier` instead - for example, `source_ids = [aws_db_instance.example.id]` must be updated to `source_ids = [aws_db_instance.example.identifier]` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_instance: Configurations that define `replicate_source_db` using the `id` attribute of `aws_db_instance` must be updated to use `identifier` instead - for example, `replicate_source_db = aws_db_instance.example.id` must be updated to `replicate_source_db = aws_db_instance.example.identifier` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_instance: The change of what `id` is, namely, a DBI Resource ID now versus DB Identifier previously, has far-reaching consequences. Configurations that refer to, for example, `aws_db_instance.example.id` will now have errors and must be changed to use `identifier` instead, for example, `aws_db_instance.example.identifier` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_instance\_role\_association: Configurations that define `db_instance_identifier` using the `id` attribute of `aws_db_instance` must be updated to use `identifier` instead - for example, `db_instance_identifier = aws_db_instance.example.id` must be updated to `db_instance_identifier = aws_db_instance.example.identifier` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_proxy\_target: Configurations that define `db_instance_identifier` using the `id` attribute of `aws_db_instance` must be updated to use `identifier` instead - for example, `db_instance_identifier = aws_db_instance.example.id` must be updated to `db_instance_identifier = aws_db_instance.example.identifier` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_db\_snapshot: Configurations that define `db_instance_identifier` using the `id` attribute of `aws_db_instance` must be updated to use `identifier` instead - for example, `db_instance_identifier = aws_db_instance.example.id` must be updated to `db_instance_identifier = aws_db_instance.example.identifier` ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_docdb\_cluster: Changes to the `snapshot_identifier` attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_dx\_gateway\_association: The `vpn_gateway_id` attribute has been deprecated. All configurations using `vpn_gateway_id` should be updated to use the `associated_gateway_id` attribute instead ([#31384](https://github.com/hashicorp/terraform-provider-aws/issues/31384)) - resource/aws\_elasticache\_replication\_group: Update configurations to use `description` instead of the `replication_group_description` argument ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_elasticache\_replication\_group: Update configurations to use `num_cache_clusters` instead of the `number_cache_clusters` argument ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_elasticache\_replication\_group: Update configurations to use `preferred_cache_cluster_azs` instead of the `availability_zones` argument ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_elasticache\_replication\_group: Update configurations to use top-level `num_node_groups` and `replicas_per_node_group` instead of `cluster_mode.0.num_node_groups` and `cluster_mode.0.replicas_per_node_group`, respectively ([#31008](https://github.com/hashicorp/terraform-provider-aws/issues/31008)) - resource/aws\_flow\_log: The `log_group_name` attribute has been deprecated. All configurations using `log_group_name` should be updated to use the `log_destination` attribute instead ([#31382](https://github.com/hashicorp/terraform-provider-aws/issues/31382)) - resource/aws\_guardduty\_organization\_configuration: The `auto_enable` argument has been deprecated. Use the `auto_enable_organization_members` argument instead. ([#30736](https://github.com/hashicorp/terraform-provider-aws/issues/30736)) - resource/aws\_neptune\_cluster: Changes to the `snapshot_identifier` attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_networkmanager\_core\_network: Update configurations to use the `aws_networkmanager_core_network_policy_attachment` resource instead of the `policy_document` argument ([#30875](https://github.com/hashicorp/terraform-provider-aws/issues/30875)) - resource/aws\_opensearch\_domain: The `engine_version` attribute no longer has a default value. When omitted, the underlying AWS API will use the latest OpenSearch engine version. ([#31568](https://github.com/hashicorp/terraform-provider-aws/issues/31568)) - resource/aws\_opensearch\_domain: The `kibana_endpoint` attribute has been deprecated. All configurations using `kibana_endpoint` should be updated to use the `dashboard_endpoint` attribute instead ([#31490](https://github.com/hashicorp/terraform-provider-aws/issues/31490)) - resource/aws\_rds\_cluster: Changes to the `snapshot_identifier` attribute will now trigger a replacement, rather than an in-place update. This corrects the previous behavior which resulted in a successful apply, but did not actually restore the cluster from the designated snapshot. ([#29409](https://github.com/hashicorp/terraform-provider-aws/issues/29409)) - resource/aws\_rds\_cluster: Configurations not including the `engine` argument must be updated to include `engine` as it is now required. Previously, not including `engine` was equivalent to `engine = "aurora"` and created a MySQL-5.6-compatible cluster ([#31112](https://github.com/hashicorp/terraform-provider-aws/issues/31112)) - resource/aws\_rds\_cluster\_instance: Configurations not including the `engine` argument must be updated to include `engine` as it is now required. Previously, not including `engine` was equivalent to `engine = "aurora"` and created a MySQL-5.6-compatible cluster instance ([#31112](https://github.com/hashicorp/terraform-provider-aws/issues/31112)) - resource/aws\_route: Since `instance_id` can no longer be set in configurations, use `network_interface_id` instead. For example, set `network_interface_id` to `aws_instance.test.primary_network_interface_id`. ([#30804](https://github.com/hashicorp/terraform-provider-aws/issues/30804)) - resource/aws\_route\_table: Since `route.*.instance_id` can no longer be set in configurations, use `route.*.network_interface_id` instead. For example, set `network_interface_id` to `aws_instance.test.primary_network_interface_id`. ([#30804](https://github.com/hashicorp/terraform-provider-aws/issues/30804)) - resource/aws\_ssm\_association: The `instance_id` attribute has been deprecated. All configurations using `instance_id` should be updated to use the `targets` attribute instead ([#31380](https://github.com/hashicorp/terraform-provider-aws/issues/31380)) ENHANCEMENTS: - provider: Allow `computed` `tags` on resources ([#30793](https://github.com/hashicorp/terraform-provider-aws/issues/30793)) - provider: Allow `default_tags` and resource `tags` to include zero values `""` ([#30793](https://github.com/hashicorp/terraform-provider-aws/issues/30793)) - provider: Duplicate `default_tags` can now be included and will be overwritten by resource `tags` ([#30793](https://github.com/hashicorp/terraform-provider-aws/issues/30793)) - resource/aws\_db\_instance: Updates to `identifier` and `identifier_prefix` will no longer cause the database instance to be destroyed and recreated ([#31232](https://github.com/hashicorp/terraform-provider-aws/issues/31232)) - resource/aws\_eip: Deprecate `vpc` attribute. Use `domain` instead ([#31567](https://github.com/hashicorp/terraform-provider-aws/issues/31567)) - resource/aws\_guardduty\_organization\_configuration: Add `auto_enable_organization_members` attribute ([#30736](https://github.com/hashicorp/terraform-provider-aws/issues/30736)) - resource/aws\_kinesis\_firehose\_delivery\_stream: Add `s3_configuration` to `elasticsearch_configuration`, `opensearch_configuration`, `redshift_configuration`, `splunk_configuration`, and `http_endpoint_configuration` ([#31138](https://github.com/hashicorp/terraform-provider-aws/issues/31138)) - resource/aws\_opensearch\_domain: Removed `engine_version` default value ([#31568](https://github.com/hashicorp/terraform-provider-aws/issues/31568)) - resource/aws\_wafv2\_web\_acl: Support `rule_action_override` on `rule_group_reference_statement` ([#31374](https://github.com/hashicorp/terraform-provider-aws/issues/31374)) BUG FIXES: - resource/aws\_ecs\_capacity\_provider: Allow an `instance_warmup_period` of `0` in the `auto_scaling_group_provider.managed_scaling` configuration block ([#24005](https://github.com/hashicorp/terraform-provider-aws/issues/24005)) - resource/aws\_launch\_template: Remove default values in `metadata_options` to allow default condition ([#30545](https://github.com/hashicorp/terraform-provider-aws/issues/30545)) - resource/aws\_s3\_bucket: Fix bucket\_regional\_domain\_name not including region for buckets in us-east-1 ([#25724](https://github.com/hashicorp/terraform-provider-aws/issues/25724)) - resource/aws\_s3\_object: Remove `acl` default in order to work with S3 buckets that have ACL disabled ([#27197](https://github.com/hashicorp/terraform-provider-aws/issues/27197)) - resource/aws\_s3\_object\_copy: Remove `acl` default in order to work with S3 buckets that have ACL disabled ([#27197](https://github.com/hashicorp/terraform-provider-aws/issues/27197)) - resource/aws\_servicecatalog\_product: Changes to `provisioning_artifact_parameters` arguments now properly trigger a replacement ([#31061](https://github.com/hashicorp/terraform-provider-aws/issues/31061)) - resource/aws\_vpc\_peering\_connection: Fix crash in `vpcPeeringConnectionOptionsEqual` ([#30966](https://github.com/hashicorp/terraform-provider-aws/issues/30966)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate force-pushed renovate/aws-6.x from 2772750cbf

/ terraform (push) Successful in 1m31s

Details

/ ansible (push) Successful in 2m57s

Details

to 41f5d2994a

/ ansible (push) Successful in 3m47s

Details

/ terraform (push) Successful in 1m34s

Details

2025-06-26 20:01:53 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 41f5d2994a

/ ansible (push) Successful in 3m47s

Details

/ terraform (push) Successful in 1m34s

Details

to e719bdffb9

/ terraform (push) Successful in 57s

Details

/ ansible (push) Successful in 2m18s

Details

2025-06-26 22:01:17 +01:00

Compare

renovate force-pushed renovate/aws-6.x from e719bdffb9

/ terraform (push) Successful in 57s

Details

/ ansible (push) Successful in 2m18s

Details

to 48c0a0f5c5

/ terraform (push) Successful in 1m26s

Details

/ ansible (push) Successful in 3m22s

Details

2025-07-03 08:01:21 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 48c0a0f5c5

/ terraform (push) Successful in 1m26s

Details

/ ansible (push) Successful in 3m22s

Details

to 40b5a4cfcd

/ terraform (push) Successful in 2m1s

Details

/ ansible (push) Successful in 3m29s

Details

2025-07-11 08:01:11 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 40b5a4cfcd

/ terraform (push) Successful in 2m1s

Details

/ ansible (push) Successful in 3m29s

Details

to bf9bb61948

/ terraform (push) Successful in 1m53s

Details

/ ansible (push) Successful in 3m21s

Details

2025-07-18 08:01:54 +01:00

Compare

renovate force-pushed renovate/aws-6.x from bf9bb61948

/ terraform (push) Successful in 1m53s

Details

/ ansible (push) Successful in 3m21s

Details

to 2d71e439d9

/ terraform (push) Successful in 2m32s

Details

/ ansible (push) Successful in 4m12s

Details

2025-07-24 20:01:10 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 2d71e439d9

/ terraform (push) Successful in 2m32s

Details

/ ansible (push) Successful in 4m12s

Details

to 002b0592fc

/ terraform (push) Successful in 2m54s

Details

/ ansible (push) Successful in 5m20s

Details

2025-07-29 08:01:16 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 002b0592fc

/ terraform (push) Successful in 2m54s

Details

/ ansible (push) Successful in 5m20s

Details

to 356ddd720c

/ terraform (push) Successful in 2m26s

Details

/ ansible (push) Successful in 3m40s

Details

2025-08-01 08:01:43 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 356ddd720c

/ terraform (push) Successful in 2m26s

Details

/ ansible (push) Successful in 3m40s

Details

to 7f3a75d09a

/ terraform (push) Successful in 1m13s

Details

/ ansible (push) Successful in 4m10s

Details

2025-08-05 12:00:34 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 7f3a75d09a

/ terraform (push) Successful in 1m13s

Details

/ ansible (push) Successful in 4m10s

Details

to 8a44371b0a

/ terraform (push) Successful in 1m54s

Details

/ ansible (push) Successful in 3m43s

Details

2025-08-07 22:01:21 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 8a44371b0a

/ terraform (push) Successful in 1m54s

Details

/ ansible (push) Successful in 3m43s

Details

to 1f32675be8

/ terraform (push) Successful in 1m1s

Details

/ ansible (push) Successful in 2m30s

Details

2025-08-14 22:01:16 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 1f32675be8

/ terraform (push) Successful in 1m1s

Details

/ ansible (push) Successful in 2m30s

Details

to 2d641fb258

/ terraform (push) Successful in 1m43s

Details

/ ansible (push) Successful in 2m54s

Details

2025-08-22 08:01:19 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 2d641fb258

/ terraform (push) Successful in 1m43s

Details

/ ansible (push) Successful in 2m54s

Details

to 592c3f5fb9

/ terraform (push) Successful in 2m30s

Details

/ ansible (push) Successful in 4m17s

Details

2025-08-28 20:01:48 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 592c3f5fb9

/ terraform (push) Successful in 2m30s

Details

/ ansible (push) Successful in 4m17s

Details

to dd11b8ba2b

/ terraform (push) Successful in 56s

Details

/ ansible (push) Successful in 2m3s

Details

2025-09-04 22:01:35 +01:00

Compare

renovate force-pushed renovate/aws-6.x from dd11b8ba2b

/ terraform (push) Successful in 56s

Details

/ ansible (push) Successful in 2m3s

Details

to 19986b0891

/ terraform (push) Successful in 1m10s

Details

/ ansible (push) Successful in 1m52s

Details

2025-09-11 22:03:41 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 19986b0891

/ terraform (push) Successful in 1m10s

Details

/ ansible (push) Successful in 1m52s

Details

to 71267ea07a

/ terraform (push) Successful in 2m19s

Details

/ ansible (push) Successful in 2m57s

Details

2025-09-19 08:03:42 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 71267ea07a

/ terraform (push) Successful in 2m19s

Details

/ ansible (push) Successful in 2m57s

Details

to d4ecb3b557

/ terraform (push) Successful in 1m11s

Details

/ ansible (push) Successful in 1m57s

Details

2025-09-19 18:03:45 +01:00

Compare

renovate force-pushed renovate/aws-6.x from d4ecb3b557

/ terraform (push) Successful in 1m11s

Details

/ ansible (push) Successful in 1m57s

Details

to 396a097474

/ terraform (push) Successful in 1m21s

Details

/ ansible (push) Successful in 2m2s

Details

2025-09-19 20:00:23 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 396a097474

/ terraform (push) Successful in 1m21s

Details

/ ansible (push) Successful in 2m2s

Details

to 3ff485e81d

/ terraform (push) Successful in 1m14s

Details

/ ansible (push) Successful in 2m10s

Details

2025-09-22 20:04:13 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 3ff485e81d

/ terraform (push) Successful in 1m14s

Details

/ ansible (push) Successful in 2m10s

Details

to e3ab4ca12a

/ terraform (push) Successful in 1m12s

Details

/ ansible (push) Successful in 1m56s

Details

2025-10-02 22:03:44 +01:00

Compare

renovate force-pushed renovate/aws-6.x from e3ab4ca12a

/ terraform (push) Successful in 1m12s

Details

/ ansible (push) Successful in 1m56s

Details

to 464dda27b6

/ terraform (push) Successful in 3m5s

Details

/ ansible (push) Successful in 5m51s

Details

2025-10-14 14:03:45 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 464dda27b6

/ terraform (push) Successful in 3m5s

Details

/ ansible (push) Successful in 5m51s

Details

to 7249b34ae1

/ terraform (push) Successful in 1m15s

Details

/ ansible (push) Successful in 1m58s

Details

2025-10-16 22:03:50 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 7249b34ae1

/ terraform (push) Successful in 1m15s

Details

/ ansible (push) Successful in 1m58s

Details

to 3d3892ba9a

/ ansible (push) Successful in 3m9s

Details

/ terraform (push) Successful in 2m27s

Details

2025-10-24 08:03:48 +01:00

Compare

renovate force-pushed renovate/aws-6.x from 3d3892ba9a

/ ansible (push) Successful in 3m9s

Details

/ terraform (push) Successful in 2m27s

Details

to 577c41be0a

/ terraform (push) Successful in 2m53s

Details

/ ansible (push) Failing after 3m17s

Details

2025-10-31 08:03:50 +00:00

Compare

/ terraform (push) Successful in 2m53s

Details

/ ansible (push) Failing after 3m17s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/aws-6.x:renovate/aws-6.x

git switch renovate/aws-6.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff renovate/aws-6.x

git switch renovate/aws-6.x

git rebase master

git switch master

git merge --ff-only renovate/aws-6.x

git switch renovate/aws-6.x

git rebase master

git switch master

git merge --no-ff renovate/aws-6.x

git switch master

git merge --squash renovate/aws-6.x

git switch master

git merge --ff-only renovate/aws-6.x

git switch master

git merge renovate/aws-6.x

git push origin master

No reviewers

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

systems/infrastructure!247

No description provided.

Rows
Columns