terraform-provider-aws/CHANGELOG.md at main · handlerbot/terraform-provider-aws

6.43.0 (Unreleased)

FEATURES:

New List Resource: aws_securityhub_insight (#47622)
New Resource: aws_securityhub_account_v2 (#47356)

ENHANCEMENTS:

resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#47589)
resource/aws_securityhub_action_target: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#47078)
resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#47543)
resource/aws_securityhub_finding_aggregator: Add arn attribute (#47543)
resource/aws_securityhub_insight: Add Resource Identity support (#47543)
resource/aws_securityhub_member: Add Resource Identity support (#47543)
resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#47543)
resource/aws_securityhub_product_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control_association: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add arn attribute (#47543)

BUG FIXES:

resource/aws_globalaccelerator_cross_account_attachment: Fix runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#47625)
resource/aws_pinpoint_app: Lower minimum of limits.messages_per_second from 50 to 1 to match the AWS API. (#47636)

6.42.0 (April 22, 2026)

BREAKING CHANGES:

resource/aws_mq_configuration: Destruction of this resource will now delete the configuration. Previously delete was a no-op due to missing API operations, leaving resources in an unmanaged state. For this reason a breaking change was deemed acceptable in a minor version. This functionality requires the mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#47273)

NOTES:

documentation: CDKTF documentation has been removed from the provider (#47484)
resource/aws_eip: Because we cannot easily test this behavior in isolated regions, it is best effort and we ask for community help in testing (#47091)

FEATURES:

New Data Source: aws_ec2_service_link_virtual_interface (#47478)
New Data Source: aws_ec2_service_link_virtual_interfaces (#47478)
New List Resource: aws_apigatewayv2_api (#47472)
New List Resource: aws_cloudwatch_log_metric_filter (#47495)
New List Resource: aws_config_remediation_configuration (#47514)
New List Resource: aws_ebs_volume (#47551)
New List Resource: aws_ebs_volume_attachment (#47561)
New List Resource: aws_eip (#47557)
New List Resource: aws_iam_user_policy_attachment (#47467)
New List Resource: aws_internet_gateway (#47529)
New List Resource: aws_lambda_layer_version (#47496)
New List Resource: aws_launch_template (#47540)
New List Resource: aws_route53_zone (#47494)
New List Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)
New List Resource: aws_sqs_queue_policy (#47489)
New Resource: aws_cloudwatch_otel_enrichment (#47275)
New Resource: aws_ebs_volume_copy (#47311)
New Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)

ENHANCEMENTS:

data-source/aws_identitystore_user: Add user_status attribute (#47323)
data-source/aws_identitystore_users: Add user_status attribute (#47323)
data-source/aws_network_interface: Add ena_srd_specification attribute (#46669)
data-source/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_cloudwatch_log_metric_filter: Add Resource Identity support (#47495)
resource/aws_cloudwatch_metric_alarm: Add evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#47449)
resource/aws_ebs_volume_attachment: Add resource identity support (#47561)
resource/aws_eip: Add resource identity support (#47557)
resource/aws_eks_access_entry: Add Resource Identity support (#47428)
resource/aws_eks_access_policy_association: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add namespace_config argument (#44087)
resource/aws_eks_capability: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add identity_provider_config_name attribute (#47428)
resource/aws_eks_node_group: Add Resource Identity support (#47428)
resource/aws_eks_pod_identity_association: Add Resource Identity support (#47428)
resource/aws_fargate_profile: Add Resource Identity support (#47428)
resource/aws_identitystore_user: Add user_status attribute (#47323)
resource/aws_imagebuilder_lifecycle_policy: Support wildcard semantic version for resource_selection.recipe.semantic_version (#47443)
resource/aws_lambda_layer_version: Add resource identity support (#47496)
resource/aws_launch_template: Add resource identity support (#47540)
resource/aws_mq_configuration: Add skip_destroy argument (#47273)
resource/aws_mq_configuration: Implement resource deletion (#47273)
resource/aws_network_interface: Add ena_srd_specification argument to support ENA Express (#46669)
resource/aws_networkmanager_site_to_site_vpn_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#47541)
resource/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_rds_integration: Add integration_identifier attribute (#45632)
resource/aws_rds_integration: Support in-place update of data_filter and integration_name (#45632)
resource/aws_s3_bucket_inventory: Support S3 Inventory for directory buckets (#47555)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.expanded_prefixes_data_export and storage_lens_configuration.prefix_delimiter arguments (#47205)
resource/aws_s3files_file_system: Add accept_bucket_warning argument (#47510)
resource/network_peering_connection: Peer cidr management through peer_network_cidrs argument. (#46207)

BUG FIXES:

resource/aws_appintegrations_data_integration: Fix source_uri regular expression validation (#47498)
resource/aws_bedrock_guardrail: Update maximum length of topic_policy_config.topics_config.definition from 200 to 1000 to support standard tier. (#47574)
resource/aws_cloudwatch_alarm_mute_rule: Fix mute_targets.alarm_names ordering causing "Provider produced inconsistent result after apply" errors (#47507)
resource/aws_ecs_service: Excludes Express-Mode Services from listing. (#47533)
resource/aws_eip: Gracefully handle UnsupportedOperation errors in isolated regions (#47091)
resource/aws_msk_cluster: Fix a request parameter error when updating broker_node_group_info.vpc_connectivity configuration block. This fixes a regression introduced in v6.40.0 (#47515)
resource/aws_odb_network: Fix runtime error: invalid memory address or nil pointer dereference panic in statusManagedService() and statusNetwork() when FindOracleDBNetworkResourceByID returns a nil result during resource creation (#47159)
resource/aws_securityhub_member: Only set email if returned by AWS API and don't recompute invite from member_status. This prevents drift for organization members (#47106)

6.41.0 (April 15, 2026)

FEATURES:

New List Resource: aws_api_gateway_integration (#47370)
New List Resource: aws_api_gateway_integration_response (#47388)
New List Resource: aws_api_gateway_method (#47365)
New List Resource: aws_api_gateway_method_response (#47387)
New List Resource: aws_api_gateway_resource (#47382)
New List Resource: aws_api_gateway_rest_api (#47404)
New List Resource: aws_apigatewayv2_route (#47452)
New List Resource: aws_cloudfront_distribution (#47459)
New List Resource: aws_cloudwatch_alarm_mute_rule (#46750)
New List Resource: aws_cloudwatch_log_subscription_filter (#47451)
New List Resource: aws_nat_gateway (#47349)
New List Resource: aws_sns_topic_policy (#47445)
New Resource: aws_cloudwatch_alarm_mute_rule (#46750)

ENHANCEMENTS:

data-source/aws_ecs_task_definition: Add volume.s3files_volume_configuration attribute (#47363)
data-source/aws_opensearch_domain: Add deployment_strategy_options block (#47401)
resource/aws_api_gateway_integration: Add resource identity support (#47357)
resource/aws_api_gateway_integration_response: Add resource identity support (#47366)
resource/aws_api_gateway_method: Add resource identity support (#47310)
resource/aws_api_gateway_method_response: Add resource identity support (#47360)
resource/aws_api_gateway_resource: Add resource identity support (#47358)
resource/aws_api_gateway_rest_api: Add resource identity support (#47384)
resource/aws_apigatewayv2_api: Add resource identity support (#47465)
resource/aws_apigatewayv2_route: Add resource identity support (#47441)
resource/aws_autoscaling_group: Add Resource Identity support (#47381)
resource/aws_autoscaling_lifecycle_hook: Add Resource Identity support (#47381)
resource/aws_autoscaling_notification: Add plan-time validation of topic_arn (#47381)
resource/aws_autoscaling_policy: Add Resource Identity support (#47381)
resource/aws_autoscaling_traffic_source_attachment: Add import support (#47381)
resource/aws_budgets_budget: Add metrics attribute (#47047)
resource/aws_cloudwatch_log_subscription_filter: Add Resource Identity support (#47451)
resource/aws_directory_service_directory: add enable_directory_data_access argument (#44736)
resource/aws_dynamodb_table: Add Resource Identity support (#47301)
resource/aws_ecs_task_definition: Add volume.s3files_volume_configuration argument (#47363)
resource/aws_elasticache_user: Add passwords_wo and passwords_wo_version write-only arguments (#45988)
resource/aws_launch_configuration: Add Resource Identity support (#47381)
resource/aws_opensearch_domain: Add deployment_strategy_options configuration block (#47401)
resource/aws_wafv2_web_acl_rule: Add schema caching to reduce allocations for the resource on provider initialization (#47335)

BUG FIXES:

data-source/aws_outposts_asset: Fix nil pointer dereference panic when asset has no ComputeAttributes or AssetLocation (#47450)
list-resource/aws_lb: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener_rule: Fixes error when no results are returned (#47455)
list-resource/aws_lb_target_group: Fixes error when no results are returned (#47455)
resource/aws_autoscaling_traffic_source_attachment: Change traffic_source to Required (#47381)
resource/aws_budgets_budget: Add missing metrics attribute required for filter_expression (#47047)
resource/aws_cloudfront_multitenant_distribution: Allows disabling the enforcement of a response_completion_timeout for Origins, by removing its default value (#46329)
resource/aws_cloudfront_multitenant_distribution: Fix function_association and lambda_function_association block ordering producing inconsistent result after apply when multiple associations are configured (#46378)
resource/aws_cloudfront_multitenant_distribution: Fix origin block ordering producing inconsistent result after apply when multiple origins are configured (#47199)
resource/aws_dynamodb_global_secondary_index: Fixes error when key_type is unknown during plan-time. (#47456)
resource/aws_dynamodb_table: Prevents validation error when global secondary index range_key is set to empty string (#47427)
resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)
resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)

6.40.0 (April 8, 2026)

FEATURES:

New Data Source: aws_opensearchserverless_collection_group (#46308)
New Data Source: aws_opensearchserverless_collection_groups (#46308)
New Data Source: aws_s3files_access_point (#47352)
New Data Source: aws_s3files_file_system (#47344)
New Data Source: aws_s3files_file_systems (#47344)
New Data Source: aws_s3files_mount_target (#47347)
New List Resource: aws_config_config_rule (#47319)
New List Resource: aws_glue_job (#47266)
New List Resource: aws_opensearchserverless_collection_group (#46308)
New List Resource: aws_s3files_access_point (#47352)
New List Resource: aws_s3files_file_system (#47325)
New List Resource: aws_s3files_file_system_policy (#47355)
New List Resource: aws_s3files_mount_target (#47347)
New List Resource: aws_s3files_synchronization_configuration (#47353)
New List Resource: aws_ssm_association (#47321)
New List Resource: aws_ssm_patch_group (#47329)
New Resource: aws_opensearchserverless_collection_group (#46308)
New Resource: aws_s3files_access_point (#47352)
New Resource: aws_s3files_file_system (#47325)
New Resource: aws_s3files_file_system_policy (#47355)
New Resource: aws_s3files_mount_target (#47347)
New Resource: aws_s3files_synchronization_configuration (#47353)
New Resource: aws_servicequotas_auto_management (#45968)

ENHANCEMENTS:

data-source/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type attribute (#47279)
resource/aws_cloudformation_stack_set: Add depends_on_stack_sets to auto_deployment configuration block (#47269)
resource/aws_config_config_rule: Add Resource Identity support (#47286)
resource/aws_config_configuration_aggregator: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder_status: Add Resource Identity support (#47286)
resource/aws_config_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_delivery_channel: Add Resource Identity support (#47286)
resource/aws_config_organization_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_policy_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_managed_rule: Add Resource Identity support (#47286)
resource/aws_config_remediation_configuration: Add Resource Identity support (#47286)
resource/aws_config_retention_configuration: Add Resource Identity support (#47286)
resource/aws_controltower_landing_zone: Add remediation_types attribute (#46549)
resource/aws_glue_job: Add Resource Identity support (#47266)
resource/aws_iam_instance_profile: Add resource identity support (#47307)
resource/aws_kinesisanalyticsv2_application: Support FLINK-2_2 as a valid value for runtime_environment (#47207)
resource/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type argument (#47279)
resource/aws_opensearchserverless_access_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_lifecycle_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_config: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_vpc_endpoint: Add Resource Identity support (#47262)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.data_export.storage_lens_table_destination argument (#47152)
resource/aws_ssm_patch_group: Add resource identity support (#47318)

BUG FIXES:

resource/aws_bcmdataexports_export: Allows empty values in export.data_query.table_configurations (#47261)
resource/aws_cloudwatch_log_metric_filter: Fix validation to count pattern length in UTF-8 characters (#47287)
resource/aws_config_configuration_recorder_status: Mark name as as ForceNew (#47286)
resource/aws_organizations_account: Fix AccountAlreadyClosedException error when deleting an account that has already been closed with close_on_deletion set to true (#46627)
resource/aws_s3_bucket_server_side_encryption_configuration: Change rule.apply_server_side_encryption_by_default.kms_master_key_id, rule.blocked_encryption_types, and rule.bucket_key_enabled to Optional and Computed, preventings diffs once SSE-C is disabled for all new general purpose buckets (#47359)
resource/aws_uxc_account_customizations: Fix inconsistent result error when visible_regions or visible_services is set to an explicit empty set ([]) (#47290)

6.39.0 (April 1, 2026)

NOTES:

data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version (#47133)

FEATURES:

New Data Source: aws_iam_role_policies (#46936)
New Data Source: aws_iam_role_policy_attachments (#47119)
New Data Source: aws_networkmanager_core_network (#45798)
New Data Source: aws_uxc_services (#47115)
New List Resource: aws_eks_cluster (#47133)
New List Resource: aws_organizations_aws_service_access (#46993)
New List Resource: aws_sagemaker_training_job (#46892)
New List Resource: aws_workmail_group (#47131)
New List Resource: aws_workmail_user (#47131)
New Resource: aws_organizations_aws_service_access (#46993)
New Resource: aws_sagemaker_training_job (#46892)
New Resource: aws_uxc_account_customizations (#47115)
New Resource: aws_workmail_group (#47131)
New Resource: aws_workmail_user (#47131)

ENHANCEMENTS:

data-source/aws_outposts_asset: Add instance_families attribute (#47153)
resource/aws_eks_cluster: Add resource identity support (#47133)
resource/aws_eks_cluster: Support tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
resource/aws_network_acl_rule: Add Resource Identity support (#47090)
resource/aws_observabilityadmin_centralization_rule_for_organization: Add source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
resource/aws_prometheus_scraper: Add source.vpc argument. Change source.eks to Optional (#47155)
resource/aws_s3_bucket_metric: Support bucket metrics for directory buckets (#47184)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)

BUG FIXES:

data-source/aws_eks_access_entry: Fixed tags not being returned (#47133)
data-source/aws_service_principal: Fix service principal names for EC2 and S3 in the aws-cn partition (#47141)
resource/aws_config_organization_conformance_pack: Fix creation timeout when using a delegated administrator account (#47072)
resource/aws_dynamodb_table: Fix Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
resource/aws_eks_cluster: Set bootstrap_self_managed_addons to true when importing (#47133)
resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error when cache_usage_limits is removed (#46134)
resource/aws_glue_catalog_table: Detect and report failed view creation (#47101)

6.38.0 (March 25, 2026)

FEATURES:

New Action: aws_dms_start_replication_task_assessment_run (#47058)
New Data Source: aws_dynamodb_backups (#47036)
New Data Source: aws_msk_topic (#46490)
New Data Source: aws_savingsplans_offerings (#47081)
New List Resource: aws_msk_cluster (#46490)
New List Resource: aws_msk_serverless_cluster (#46490)
New List Resource: aws_msk_topic (#46490)
New List Resource: aws_route53_resolver_rule (#47063)
New List Resource: aws_sagemaker_algorithm (#47051)
New List Resource: aws_ssm_document (#46974)
New List Resource: aws_ssoadmin_account_assignment (#47067)
New List Resource: aws_vpc_endpoint (#46977)
New List Resource: aws_workmail_domain (#46931)
New Resource: aws_msk_topic (#46490)
New Resource: aws_observabilityadmin_telemetry_enrichment (#47089)
New Resource: aws_sagemaker_algorithm (#47051)
New Resource: aws_workmail_default_domain (#46931)
New Resource: aws_workmail_domain (#46931)

ENHANCEMENTS:

data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding attribute (#47065)
resource/aws_bedrockagentcore_agent_runtime: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
resource/aws_bedrockagentcore_gateway: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.api_gateway configuration block (#46916)
resource/aws_dynamodb_table: Add restore_backup_arn argument (#47068)
resource/aws_fis_experiment_template: Support KinesisStreams as a value for action.target.key (#47010)
resource/aws_fis_experiment_template: Support VPCEndpoints as a value for action.target.key (#47045)
resource/aws_mq_broker: Change user block to Optional (#46883)
resource/aws_msk_cluster: Add resource identity support (#46490)
resource/aws_msk_serverless_cluster: Add resource identity support (#46490)
resource/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding argument (#47065)
resource/aws_securityhub_insight: Add filters.aws_account_name configuration block (#47027)
resource/aws_securityhub_insight: Add filters.compliance_associated_standards_id configuration block (#47027)
resource/aws_securityhub_insight: Add filters.compliance_security_control_id configuration block (#47027)
resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_name configuration block (#47027)
resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_value configuration block (#47027)
resource/aws_ssoadmin_account_assignment: Add Resource Identity support (#47067)

BUG FIXES:

resource/aws_api_gateway_method: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_apigatewayv2_integration: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_apigatewayv2_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_apigatewayv2_stage: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_gateway_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_virtual_gateway: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_virtual_node: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_virtual_router: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_appmesh_virtual_service: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_cloudfront_distribution_tenant: Fix panic when managed certificate is not found during creation (#46982)
resource/aws_controltower_control: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_default_route_table: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_gateway_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_private_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_public_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_hosted_transit_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_dx_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_ecs_express_gateway_service: Fix Provider produced inconsistent result after apply error when environment variables are defined in non-alphabetical order (#46771)
resource/aws_elasticache_reserved_cache_node: Fix Provider returned invalid result object after apply errors where computed attributes remained unknown after create (#47012)
resource/aws_kinesis_stream: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_mq_broker: Fix non-idempotent behavior for RabbitMQ brokers with user block (#46883)
resource/aws_network_acl: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_network_interface_sg_attachment: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_opensearch_domain: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_route53recoverycontrolconfig_routing_control: Fix panic on concurrent creates when API returns ConflictException (#47038)
resource/aws_route_table_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_serverlessapplicationrepository_cloudformation_stack: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_servicecatalog_product: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_ses_active_receipt_rule_set: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_ssm_default_patch_baseline: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_vpc_dhcp_options_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
resource/aws_wafv2_web_acl_rule: Fix Unable to unmarshal DynamicValue error when statement.managed_rule_group_statement.rule_action_override block is specified (#46998)
resource/aws_wafv2_web_acl_rule_group_association: Fix WAFOptimisticLockException errors when multiple associations target the same Web ACL (#47037)

6.37.0 (March 18, 2026)

BREAKING CHANGES:

resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values (#46788)

NOTES:

data-source/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#46959)
resource/aws_savingsplan_savingsplan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#46959)
resource/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#46959)

FEATURES:

New List Resource: aws_ec2_transit_gateway_metering_policy (#46812)
New List Resource: aws_iam_user (#46869)
New List Resource: aws_s3_bucket_ownership_controls (#46832)
New List Resource: aws_wafv2_web_acl_rule (#46682)
New List Resource: aws_workmail_organization (#46692)
New Resource: aws_ec2_transit_gateway_metering_policy (#46812)
New Resource: aws_ec2_transit_gateway_metering_policy_entry (#46812)
New Resource: aws_wafv2_web_acl_rule (#46682)
New Resource: aws_workmail_organization (#46692)

ENHANCEMENTS:

resource/aws_datasync_task: Add schedule.status argument (#46037)
resource/aws_docdbelastic_cluster: Add shard_instance_count argument (#46938)
resource/aws_iam_user: Add resource identity support (#46869)
resource/aws_s3_bucket: Add bucket_namespace argument in support of account regional namespaces for general purpose buckets (#46917)

BUG FIXES:

data-source/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read (#46959)
resource/aws_bedrockagentcore_gateway: Fix "Unable to Convert Configuration" error caused by schema/model mismatch in authorizer_configuration.custom_jwt_authorizer. This fixes a regression introduced in v6.36.0 (#46908)
resource/aws_cloudfrontkeyvaluestore_key: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#46898)
resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#46899)
resource/aws_datasync_agent: Support activation of advanced mode agents. Previously, attempting to activate advanced mode agents would result in EOF errors when retrieving the activation key (#46958)
resource/aws_dynamodb_table: Fix GSI removal with key_schema syntax deleting all GSIs (#46602)
resource/aws_instance: Fix MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore errors when updating cpu_options.core_count or cpu_options.threads_per_core (#46879)
resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values. Previously, attempting to use resource_data.lf_tag.value would result in missing required field errors (#46788)
resource/aws_msk_cluster: Properly handle removal of the client_authentication.sasl block (#42163)
resource/aws_msk_cluster: Properly handle removal of the client_authentication.tls block (#42163)
resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.sasl blocks (#42163)
resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.tls blocks (#42163)
resource/aws_s3_bucket_lifecycle_configuration: Fix "Missing Resource Identity After Read" error when resource created with provider version < 6.34.0 is deleted outside Terraform (#46674)
resource/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read to prevent forced replacement following import (#46959)
resource/aws_wafv2_web_acl: Fix enable_machine_learning in aws_managed_rules_bot_control_rule_set incorrectly defaulting to false instead of reflecting the AWS default of true (#46682)

6.36.0 (March 11, 2026)

NOTES:

provider: Update Go version to v1.25.8. Addresses GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#46820)

FEATURES:

New Data Source: aws_iam_outbound_web_identity_federation (#46503)
New Ephemeral Resource: aws_sts_web_identity_token (#46173)
New List Resource: aws_s3_bucket_versioning (#46802)

ENHANCEMENTS:

listresource/aws_s3_bucket: No longer returns values for deprecated parameters (#46852)
resource/aws_bedrockagentcore_agent_runtime: Add authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#46828)
resource/aws_cloudwatch_log_resource_policy: Add resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#46813)
resource/aws_glue_catalog_table: Add open_table_format_input.iceberg_input.iceberg_table_input argument (#46843)
resource/aws_glue_catalog_table: Add view_definition argument (#46843)
resource/aws_glue_catalog_table: Change open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#46843)
resource/aws_glue_catalog_table: Change parameters, storage_descriptor, and table_type to Optional and Computed (#46843)
resource/aws_guardduty_ipset: Add ip_set_id attribute (#46703)
resource/aws_guardduty_publishing_destination: Add arn and destination_id attributes (#46703)
resource/aws_guardduty_publishing_destination: Add tagging support (#46703)
resource/aws_guardduty_threatintelset: Add threat_intel_set_id attribute (#46703)
resource/aws_observabilityadmin_centralization_rule_for_organization: Add rule.destination.destination_logs_configuration.log_group_name_configuration block (#46811)

BUG FIXES:

data-source/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#46843)
list-resource/aws_iam_role_policy_attachment: Prevent infinite loop when IAM Role deleted during list (#46763)
listresource/aws_s3_bucket: No longer appears to hang when buckets are deleted concurrently with listing (#46852)
resource/aws_appconfig_deployment_strategy: Fix panic due to "interface conversion: interface {} is float64, not float32" when updating growth_factor (#46810)
resource/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#46843)
resource/aws_vpc_endpoint: Allow in-place update of private_dns_enabled when vpc_endpoint_type is Interface (#46800)
resource/aws_vpc_endpoint: Set new computed value for network_interface_ids attribute when changing subnet_configuration or subnet_ids (#46800)
resource/aws_vpn_concentrator: Retry VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#46823)

6.35.1 (March 5, 2026)

BUG FIXES:

provider: Fix regression causing "Incompatible Types" errors during flattening (#46778)
resource/aws_bedrockagentcore_gateway_target: Fix "Incompatible Types" errors during schema definition flattening (#46778)
resource/aws_s3_bucket_lifecycle_configuration: Fix "Incompatible Types" errors for LifecycleRuleAndOperator while flattening configuration (#46778)

6.35.0 (March 4, 2026)

FEATURES:

New List Resource: aws_ecs_service (#46678)
New List Resource: aws_lb (#46660)
New List Resource: aws_lb_listener (#46679)
New List Resource: aws_lb_listener_rule (#46731)
New List Resource: aws_lb_target_group (#46662)
New List Resource: aws_sns_topic (#46744)
New List Resource: aws_sns_topic_subscription (#46738)
New Resource: aws_observabilityadmin_telemetry_pipeline (#46698)
New Resource: aws_sagemaker_mlflow_app (#45565)

ENHANCEMENTS:

data-source/aws_lambda_layer_version: Add layer_version_arn argument to support cross-account Lambda layer access (#46673)
resource/aws_emrserverless_application: Add job_level_cost_allocation_configuration block (#46107)
resource/aws_ram_resource_share: Add resource_share_configuration block (#46715)

BUG FIXES:

resource/aws_ce_cost_category: Change split_charge_rule targets from TypeSet to TypeList to retain order (#42856)
resource/aws_dms_endpoint: Fix InvalidParameterCombinationException errors when oracle_settings is configured (#46689)
resource/aws_elasticache_replication_group: Remove hard-coded upper limit of 5 for replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#46670)
resource/aws_networkmanager_attachment_routing_policy_label: Fix attachment state waiter to handle all Cloud WAN attachment lifecycle states (#46672)

6.34.0 (February 25, 2026)

FEATURES:

New List Resource: aws_ec2_secondary_network (#46552)
New List Resource: aws_ec2_secondary_subnet (#46552)
New List Resource: aws_ecr_task_definition (#46628)
New List Resource: aws_elb (#46639)
New List Resource: aws_s3_bucket_lifecycle_configuration (#46531)
New Resource: aws_networkmanager_prefix_list_association (#46566)

ENHANCEMENTS:

data-source/aws_grafana_workspace: Add kms_key_id attribute (#46584)
data-source/aws_memorydb_cluster: Add network_type and ip_discovery attributes (#46636)
resource/aws_athena_workgroup: Add configuration.query_results_s3_access_grants_configuration argument (#46376)
resource/aws_bedrockagentcore_api_key_credential_provider: Add tagging support (#46591)
resource/aws_bedrockagentcore_gateway_target: Add metadata_configuration block for HTTP header and query parameter propagation (#45808)
resource/aws_bedrockagentcore_oauth2_credential_provider: Add tagging support (#46590)
resource/aws_cloudwatch_event_connection: Add auth_parameters.connectivity_parameters argument (#41561)
resource/aws_ecs_service: Add service_connect_configuration.access_log_configuration argument (#45820)
resource/aws_ecs_service: Add resource identity support (#46644)
resource/aws_eip_domain_name: Add import support (#46582)
resource/aws_grafana_workspace: Add kms_key_id argument (#46584)
resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#46568)
resource/aws_lb_target_group_attachment: Add import support (#46646)
resource/aws_lb_target_group_attachment: Add resource identity (#46646)
resource/aws_memorydb_cluster: Add network_type and ip_discovery arguments (#46636)
resource/aws_opensearch_domain: Add jwt_options attribute (#46439)
resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#44426)

BUG FIXES:

data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#46616)
data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#46226)
list-resource/aws_s3_object: Includes parent bucket in display name. (#46596)
resource/aws_autoscaling_group: Fix couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#46622)
resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#46127)
resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#46127)
resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#46462)
resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#46150)
resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#46556)
resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#46102)

6.33.0 (February 18, 2026)

FEATURES:

New Resource: aws_networkmanager_attachment_routing_policy_label (#46489)

ENHANCEMENTS:

data-source/aws_launch_template: Add cpu_options.nested_virtualization and network_performance_options attributes (#46540)
data/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
resource/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
resource/aws_budgets_budget: Add filter_expression attribute (#46501)
resource/aws_dms_endpoint: Add access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefixarguments to theoracle_settings` configuration block (#46516)
resource/aws_dms_endpoint: Add use_update_lookup argument to mongodb_settings configuration block (#46253)
resource/aws_ecs_task_definition: Add resource identity support (#46411)
resource/aws_instance: Add nested_virtualization attribute to cpu_options configuration block (#46533)
resource/aws_launch_template: Add nested_virtualization attribute to cpu_options configuration block (#46533)
resource/aws_launch_template: Add secondary_interfaces configuration block (#46540)
resource/aws_lexv2models_intent: Add qna_intent_configuration attribute (#46419)
resource/aws_sagemaker_domain: Add domain_settings.trusted_identity_propagation_settings argument (#44965)

BUG FIXES:

data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#46478)
resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#46475)
resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#45049)
resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#46496)
resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#44960)
resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#46453)
resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#46515)

6.32.1 (February 13, 2026)

BUG FIXES:

resource/aws_autoscaling_group: Fix couldn't find resource error during creation when waiting for capacity to be satisfied (#46452)
resource/aws_cloudwatch_log_delivery: Fix s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#46455)
resource/aws_dynamodb_table: Fix perpetual diff when using key_schema with a single range key on a global secondary index (#46442)
resource/aws_elasticache_replication_group: Fix false validation error when auth_token references another resource (#46454)

6.32.0 (February 11, 2026)

FEATURES:

New List Resource: aws_ecr_repository (#46344)
New List Resource: aws_lambda_permission (#46341)
New List Resource: aws_route (#46370)
New List Resource: aws_route53_resolver_rule_association (#46349)
New List Resource: aws_route_table (#46337)
New List Resource: aws_s3_directory_bucket (#46373)
New List Resource: aws_secretsmanager_secret (#46318)
New List Resource: aws_secretsmanager_secret_version (#46342)
New List Resource: aws_vpc_security_group_egress_rule (#46368)
New List Resource: aws_vpc_security_group_ingress_rule (#46367)
New Resource: aws_ec2_secondary_network (#46408)
New Resource: aws_ec2_secondary_subnet (#46408)

ENHANCEMENTS:

resource/aws_instance: Add secondary_network_interface argument (#46408)
resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#42687)

BUG FIXES:

data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#46384)
list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#46401)
resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#46427)
resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#46375)
resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#45637)

6.31.0 (February 4, 2026)

NOTES:

resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#46272)
resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#46262)
resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#46272)

FEATURES:

New Data Source: aws_account_regions (#41746)
New Ephemeral Resource: aws_ecrpublic_authorization_token (#45841)
New List Resource: aws_cloudwatch_event_rule (#46304)
New List Resource: aws_cloudwatch_event_target (#46297)
New List Resource: aws_cloudwatch_metric_alarm (#46268)
New List Resource: aws_iam_role_policy (#46293)
New List Resource: aws_lambda_function (#46295)
New List Resource: aws_s3_bucket_acl (#46305)
New List Resource: aws_s3_bucket_policy (#46312)
New List Resource: aws_s3_bucket_public_access_block (#46309)
New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#46191)

ENHANCEMENTS:

resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#45583)
resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#45882)

BUG FIXES:

list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#46305)
resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#45518)
resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#45893)
resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#45571)
resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#45087)
resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#46211)

6.30.0 (January 28, 2026)

FEATURES:

New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#46176)

BUG FIXES:

resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#46195)

6.29.0 (January 28, 2026)

NOTES:

data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#43331)
resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#46185)
resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#45834)

FEATURES:

New Data Source: aws_arcregionswitch_plan (#43781)
New Data Source: aws_arcregionswitch_route53_health_checks (#43781)
New Data Source: aws_organizations_entity_path (#45890)
New Data Source: aws_resourcegroupstaggingapi_required_tags (#45994)
New Data Source: aws_s3_bucket_object_lock_configuration (#45990)
New Data Source: aws_s3_bucket_replication_configuration (#42662)
New Data Source: aws_s3control_access_points (#45949)
New Data Source: aws_s3control_multi_region_access_points (#45974)
New Data Source: aws_savingsplans_savings_plan (#45834)
New Data Source: aws_wafv2_managed_rule_group (#45899)
New List Resource: aws_appflow_connector_profile (#45983)
New List Resource: aws_appflow_flow (#45980)
New List Resource: aws_cleanrooms_collaboration (#45953)
New List Resource: aws_cleanrooms_configured_table (#45956)
New List Resource: aws_cloudfront_key_value_store (#45957)
New List Resource: aws_opensearchserverless_collection (#46001)
New List Resource: aws_route53_record (#46059)
New List Resource: aws_s3_bucket (#46004)
New List Resource: aws_s3_object (#46002)
New List Resource: aws_security_group (#46062)
New Resource: aws_apigatewayv2_routing_rule (#42961)
New Resource: aws_arcregionswitch_plan (#43781)
New Resource: aws_cloudfront_anycast_ip_list (#43331)
New Resource: aws_notifications_managed_notification_account_contact_association (#45185)
New Resource: aws_notifications_managed_notification_additional_channel_association (#45186)
New Resource: aws_notifications_organizational_unit_association (#45197)
New Resource: aws_notifications_organizations_access (#45273)
New Resource: aws_opensearch_application (#43822)
New Resource: aws_ram_permission (#44114)
New Resource: aws_ram_resource_associations_exclusive (#45883)
New Resource: aws_sagemaker_labeling_job (#46041)
New Resource: aws_sagemaker_model_card (#45993)
New Resource: aws_sagemaker_model_card_export_job (#46009)
New Resource: aws_savingsplans_savings_plan (#45834)
New Resource: aws_sesv2_tenant_resource_association (#45904)
New Resource: aws_vpc_security_group_rules_exclusive (#45876)

ENHANCEMENTS:

aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#42961)
aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#42961)
data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#46157)
data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#45928)
data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#46163)
data-source/aws_vpc_ipam_pool: Add source_resource attribute (#44705)
resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#45966)
resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#46056)
resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#45984)
resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#45357)
resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#45934)
resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#46092)
resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#45852)
resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#45852)
resource/aws_invoicing_invoice_unit: Adds resource identity support. (#46185)
resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#46185)
resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#46065)
resource/aws_launch_template: Add network_performance_options argument (#46071)
resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#45636)
resource/aws_opensearchserverless_collection: Add resource identity support (#45981)
resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#44881)
resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#45951)
resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#45951)
resource/aws_sagemaker_monitoring_schedule: Make monitoring_schedule_config.monitoring_job_definition_name argument optional (#45951)
resource/aws_vpc_ipam_pool: Add source_resource argument in support of provisioning of VPC Resource Planning Pools (#44705)
resource/aws_vpc_ipam_resource_discovery: Add organizational_unit_exclusion argument (#45890)
resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#44705)
resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#44705)

BUG FIXES:

data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#45909)
data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#46160)
provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#46000)
provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#46159)
resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#45972)
resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#45713)
resource/aws_billing_view: Fix handling of data_filter_expression (#45293)
resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#45992)
resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#45873)
resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#45873)
resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#45977)
resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#45921)
resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#46110)
resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#46094)
resource/aws_dynamodb_table: Fixes error when name is known after apply (#45917)
resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#45997)
resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#45967)
resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lb_target_group: Fix update error when switching health_check.protocol from HTTP to TCP when protocol is TCP (#46036)
resource/aws_multitenant_cloudfront_distribution: Prevent mistakenly importing a standard distribution (#45873)
resource/aws_networkfirewall_firewall_policy: Support partner-managed rule groups via firewall_policy.stateful_rule_group_reference.resource_arn (#46124)
resource/aws_odb_network: Fix delete_associated_resources being set when value is unknown (#45636)
resource/aws_pipes_pipe: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_placement_group: Correct validation of partition_count (#45042)
resource/aws_rds_cluster: Properly set iam_database_authentication_enabled when restored from snapshot (#39461)
resource/aws_redshift_cluster: Changing port now works. (#45870)
resource/aws_redshiftserverless_workgroup: Fix ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#46137)
resource/aws_route53_health_check: Mark regions argument as Computed to fix an unexpected regions diff when it is not specified (#45829)
resource/aws_route53_zone: Fix InvalidChangeBatch errors during ForceNew operations when zone name changes (#45242)
resource/aws_route53_zone: Fixes error where Delete would fail if the remote resource had already been deleted. (#45985)
resource/aws_route53profiles_resource_association: Fix Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#45958)
resource/aws_route53recoverycontrolconfig_control_panel: Fix crash when create returns an error (#45954)
resource/aws_s3_bucket: Fix bucket creation with tags in non-commercial AWS regions by handling UnsupportedArgument errors during tag-on-create operations (#46122)
resource/aws_s3_bucket: Fix tag read and update operations in non-commercial AWS regions by handling MethodNotAllowed errors when S3 Control APIs are unavailable (#46122)
resource/aws_servicecatalog_portfolio_share: Support organization and OU IDs in addition to ARNs for GovCloud compatibility (#39863)
resource/aws_subnet: Mark ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#46043)
resource/aws_vpc_endpoint: Fix persistent diffs caused by case differences in ip_address_type (#45947)

6.28.0 (January 7, 2026)

NOTES:

resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#44999)

FEATURES:

New Data Source: aws_cloudfront_connection_group (#44885)
New Data Source: aws_cloudfront_distribution_tenant (#45088)
New List Resource: aws_kms_alias (#45700)
New List Resource: aws_sqs_queue (#45691)
New Resource: aws_cloudfront_connection_function (#45664)
New Resource: aws_cloudfront_connection_group (#44885)
New Resource: aws_cloudfront_distribution_tenant (#45088)
New Resource: aws_cloudfront_multitenant_distribution (#45535)
New Resource: aws_dynamodb_global_secondary_index (#44999)
New Resource: aws_ecr_pull_time_update_exclusion (#45765)
New Resource: aws_organizations_tag (#45730)
New Resource: aws_redshift_idc_application (#37345)
New Resource: aws_secretsmanager_tag (#45825)
New Resource: aws_sesv2_tenant (#45706)

ENHANCEMENTS:

data-source/aws_apigateway_domain_name : Add endpoint_access_mode attribute (#45741)
data-source/aws_db_proxy: Add endpoint_network_type and target_connection_network_type attributes (#45634)
data-source/aws_dx_gateway: Add tags attribute (#45766)
data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
data-source/aws_iam_saml_provider: Add saml_provider_uuid attribute (#45707)
data-source/aws_lambda_function: Add response_streaming_invoke_arn attribute (#45652)
data-source/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
data-source/aws_route53_resolver_firewall_rules: Add dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#45711)
data-source/aws_route53_resolver_rule: Add target_ips attribute (#45492)
data-source/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#45679)
data-source/aws_vpc_endpoint: Promote service_region and vpc_endpoint_type from attributes to arguments for filtering (#45679)
resource/aws_alb: Enforce tag policy compliance for the elasticloadbalancing:loadbalancer tag type (#45671)
resource/aws_alb_listener: Enforce tag policy compliance for the elasticloadbalancing:listener tag type (#45671)
resource/aws_alb_listener_rule: Enforce tag policy compliance for the elasticloadbalancing:listener-rule tag type (#45671)
resource/aws_alb_target_group: Enforce tag policy compliance for the elasticloadbalancing:targetgroup tag type (#45671)
resource/aws_apigateway_domain_name: Add endpoint_access_mode argument and configurable timeout for create and update (#45741)
resource/aws_athena_workgroup: Add customer_content_encryption_configuration argument (#45744)
resource/aws_athena_workgroup: Add enable_minimum_encryption_configuration argument (#45744)
resource/aws_athena_workgroup: Add monitoring_configuration argument (#45744)
resource/aws_cleanrooms_collaboration: Add resource identity support (#45548)
resource/aws_cloudfront_distribution: Add connection_function_association and viewer_mtls_config arguments (#45847)
resource/aws_cloudfront_distribution: Add owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#45011)
resource/aws_cloudwatch_log_subscription_filter: Add apply_on_transformed_logs argument (#45826)
resource/aws_cloudwatch_log_subscription_filter: Add emit_system_fields argument (#45760)
resource/aws_db_proxy: Add endpoint_network_type and target_connection_network_type arguments (#45634)
resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#45671)
resource/aws_docdb_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#45671)
resource/aws_dx_gateway: Add tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#45766)
resource/aws_ecr_repository_creation_template: Support CREATE_ON_PUSH as a valid value for applied_for (#45720)
resource/aws_ecs_capacity_provider: Add managed_instances_provider.instance_launch_template.capacity_option_type argument (#45667)
resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the fsx:snapshot tag type (#45671)
resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the fsx:volume tag type (#45671)
resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_guardduty_filter: Add finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#45758)
resource/aws_iam_policy: Add delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#42054)
resource/aws_iam_saml_provider: Add saml_provider_uuid attribute (#45707)
resource/aws_iam_virtual_mfa_device: Add serial_number attribute (#45751)
resource/aws_imagebuilder_image: Add logging_configuration argument (#45749)
resource/aws_imagebuilder_image_pipeline: Add logging_configuration argument (#45749)
resource/aws_inspector_assessment_target: Add plan-time validation of resource_group_arn (#45688)
resource/aws_inspector_assessment_template: Add plan-time validation of rules_package_arns and target_arn (#45688)
resource/aws_lambda_event_source_mapping: Add provisioned_poller_config.poller_group_name argument (#45313)
resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (kafka://topic-name) for destination_config.on_failure.destination_arn argument (#45802)
resource/aws_lambda_function: Add response_streaming_invoke_arn attribute (#45652)
resource/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
resource/aws_lambda_function_url: Automatically add the lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#44858)
resource/aws_lambda_permission: Add invoked_via_function_url argument (#44858)
resource/aws_lb_target_group_attachment: Add quic_server_id argument (#45666)
resource/aws_lb_target_group_attachment: Add plan-time validation of target_group_arn (#45666)
resource/aws_neptune_cluster: Enforce tag policy compliance for the rds:cluster tag type (#45671)
resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#45671)
resource/aws_neptune_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#45671)
resource/aws_networkmanager_vpc_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#45728)
resource/aws_osis_pipeline: Add pipeline_role_arn argument to support specifying a IAM role at the pipeline level (#45806)
resource/aws_rds_cluster: Enforce tag policy compliance for the rds:cluster tag type (#45671)
resource/aws_redshift_data_share_consumer_association: Add plan-time validation of consumer_region (#45688)
resource/aws_route53_resolver_firewall_rule: Add dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#45711)
resource/aws_transfer_web_app: Add endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#45745)
resource/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#45679)
resource/aws_vpclattice_service_network_resource_association: Add private_dns_enabled argument (#45673)
resource/aws_vpn_connection: Support in-place updates for tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#45781)

BUG FIXES:

data-source/aws_ecr_authorization_token: Fix value of proxy_endpoint when registry_id is specified (#45754)
data-source/aws_networkmanager_core_network_policy_document: Support account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#45788)
data-source/aws_vpc_endpoint: Add missing implementation for service_region attribute (#45679)
provider: Fix handling of user_agent values where the product name contains a forward slash (#45715)
resource/aws_batch_job_definition: Fix crash during update when node_properties has NodeRangeProperties.ecsProperties set (#45676)
resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#45694)
resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#43762)
resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#45778)
resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#45842)
resource/aws_vpc: Fix reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#45780)
resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#45849)
resource/aws_vpc_endpoint: private_dns_enabled argument is now marked as ForceNew (#45679)

6.27.0 (December 17, 2025)

FEATURES:

New Data Source: aws_organizations_account (#45543)
New Function: user_agent (#45464)
New List Resource: aws_kms_key (#45514)
New Resource: aws_cloudfront_trust_store (#45534)

ENHANCEMENTS:

data-source/aws_datazone_domain: Add root_domain_unit_id attribute (#44964)
data-source/aws_networkmanager_core_network_policy_document: Add routing_policies and attachment_routing_policy_rules arguments (#45246)
data-source/aws_route53_resolver_endpoint: Add rni_enhanced_metrics_enabled attribute (#45630)
data-source/aws_route53_resolver_endpoint: Add target_name_server_metrics_enabled attribute (#45630)
provider: Add user_agent argument (#45464)
provider: The provider_meta block is now supported. The user_agent argument enables module authors to include additional product information in the User-Agent header sent during all AWS API requests made during Create, Read, Update, and Delete operations. (#45464)
resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.kendra_knowledge_base_configuration argument (#44388)
resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.sql_knowledge_base_configuration and storage_configuration.neptune_analytics_configuration arguments (#45465)
resource/aws_bedrockagent_knowledge_base: Add storage_configuration.mongo_db_atlas_configuration argument (#37220)
resource/aws_bedrockagent_knowledge_base: Add storage_configuration.opensearch_managed_cluster_configuration argument (#44060)
resource/aws_bedrockagent_knowledge_base: Add storage_configuration.s3_vectors_configuration block (#45468)
resource/aws_bedrockagent_knowledge_base: Make knowledge_base_configuration.vector_knowledge_base_configuration and ``storage_configuration` optional (#44388)
resource/aws_codebuild_project: Add cache.cache_namespace argument (#45584)
resource/aws_datazone_domain: Add root_domain_unit_id argument (#44964)
resource/aws_lambda_function: code_sha256 is now optional and computed (#45618)
resource/aws_networkmanager_connect_attachment: Add routing_policy_label argument (#45246)
resource/aws_networkmanager_connect_peer: Support 4 byte ASNs in bgp_options.peer_asn (#45246)
resource/aws_networkmanager_connect_peer: Support 4 byte ASNs in configuration.bgp_configurations.peer_asn (#45639)
resource/aws_networkmanager_dx_gateway_attachment: Add routing_policy_label argument (#45246)
resource/aws_networkmanager_site_to_site_vpn_attachment: Add routing_policy_label argument (#45246)
resource/aws_networkmanager_transit_gateway_route_table_attachment: Add routing_policy_label argument (#45246)
resource/aws_networkmanager_vpc_attachment: Add routing_policy_label argument (#45246)
resource/aws_route53_resolver_endpoint: Add rni_enhanced_metrics_enabled argument (#45630)
resource/aws_route53_resolver_endpoint: Add target_name_server_metrics_enabled argument (#45630)
resource/aws_vpclattice_service_network_vpc_association: Add private_dns_enabled and dns_options arguments (#45619)

BUG FIXES:

data-source/aws_networkmanager_core_network_policy_document: Correct plan-time validation of attachment_policies.conditions.type to allow account instead of account-id (#45246)
resource/aws_bedrockagent_knowledge_base: Mark knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration and knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration as ForceNew (#45465)
resource/aws_dynamodb_table: Fix perpetual diff on global_secondary_index when using ignore_changes lifecycle meta-argument (#41113)
resource/aws_iam_user: Fix NoSuchEntity errors when name and tags arguments are both updated (#45608)
resource/aws_lakeformation_data_cells_filter: Fix excluded_column_names ordering causing "Provider produced inconsistent result after apply" errors (#45453)
resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow triggered by upstream changes to the API error response text (#45605)
resource/aws_networkmanager_connect_peer: Change bgp_options and bgp_options.peer_asn to Optional, Computed and ForceNew (#45639)
resource/aws_odb_cloud_vm_cluster: Enable deletion of vm cluster in resource shared account. (#45552)
resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow triggered by upstream changes to the API error response text (#45605)
resource/aws_s3_bucket: Fix endpoint rule error, AccountId must only contain a-z, A-Z, 0-9 and `-` errors when the provider is configured with skip_requesting_account_id = true. This fixes a regression introduced in v6.23.0 (#45576)
resource/aws_verifiedpermissions_identity_source: Fixes error when updating resource (#45540)
resource/aws_verifiedpermissions_identity_source: Prevents eventual consistency error with associated Policy Store (#45540)
resource/aws_verifiedpermissions_identity_source: Removes AutoFlex error log messages (#45540)

6.26.0 (December 10, 2025)

FEATURES:

New List Resource: aws_batch_job_definition (#45401)
New List Resource: aws_codebuild_project (#45400)
New List Resource: aws_lambda_capacity_provider (#45467)
New List Resource: aws_ssm_parameter (#45512)
New Resource: aws_iam_outbound_web_identity_federation (#45217)

ENHANCEMENTS:

data-source/aws_db_instance: Add upgrade_rollout_order attribute (#45527)
data-source/aws_eks_node_group : Add update_config block including update_strategy attribute (#41487)
data-source/aws_rds_cluster: Add upgrade_rollout_order attribute (#45527)
resource/aws_bedrockagent_agent: Add session_summary_configuration.max_recent_sessions argument (#45449)
resource/aws_db_instance: Add upgrade_rollout_order attribute (#45527)
resource/aws_eks_node_group : Add update_config.update_strategy attribute (#41487)
resource/aws_kinesisanalyticsv2_application: Add application_configuration.application_encryption_configuration argument (#45356)
resource/aws_kinesisanalyticsv2_application: Support FLINK-1_20 as a valid value for runtime_environment (#45356)
resource/aws_lambda_capacity_provider: Add resource identity support (#45456)
resource/aws_odb_network_peering_connection: Add network peering creation using odb_network_arn for resource sharing model. (#45509)
resource/aws_rds_cluster: Add upgrade_rollout_order attribute (#45527)
resource/aws_s3vectors_index: Add encryption_configuration block (#45470)
resource/aws_s3vectors_index: Add metadata_configuration block (#45470)

BUG FIXES:

data-source/aws_ec2_transit_gateway: Fix potential crash when reading encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
resource/aws_api_gateway_integration: Fix timeout_milliseconds validation to allow up to 900,000 ms when response_transfer_mode is STREAM (#45482)
resource/aws_bedrock_model_invocation_logging_configuration: Mark logging_config.s3_config.bucket_name, logging_config.cloudwatch_config.log_group_name, logging_config.cloudwatch_config.role_arn, and logging_config.cloudwatch_config.large_data_delivery_s3_config.bucket_name as Required (#45469)
resource/aws_ec2_transit_gateway: Fix potential crash when setting encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
resource/aws_lambda_function: Fix persistent diff when image_config has null values set in config (#45511)
resource/aws_notifications_event_rule: Fix persistent diff when event_pattern argument is not specified in config (#45524)
resource/aws_route53_zone: Operations to enable accelerated recovery are enforced to run serially when multiple hosted zones are configured (#45457)
resource/aws_sagemaker_model: Mark vpc_config.security_group_ids and vpc_config.subnets as ForceNew (#45491)
resource/aws_secretsmanager_secret_version: Avoid sending GetSecretValue calls when the secret is write-only (#44876)

6.25.0 (December 4, 2025)

FEATURES:

New Resource: aws_cloudwatch_log_transformer (#44300)
New Resource: aws_eks_capability (#45326)

ENHANCEMENTS:

data-source/aws_backup_plan: Add rule.scan_action and scan_setting attributes (#45392)
data-source/aws_cloudwatch_log_group: Add deletion_protection_enabled attribute (#45298)
data-source/aws_ec2_transit_gateway: Add encryption_support attribute (#45317)
data-source/aws_lambda_function: Add durable_config attribute (#45359)
data-source/aws_lb: Add health_check_logs attribute (#45269)
data-source/aws_lb_target_group: Add target_control_port attribute (#45270)
data-source/aws_route53_zone: Add enable_accelerated_recovery attribute (#45302)
data-source/aws_transfer_connector: Add egress_config attribute to expose VPC Lattice connectivity configuration (#45314)
data-source/aws_workspaces_directory: Add tenancy attribute (#43134)
resource/aws_api_gateway_integration: Add integration_target argument (#45311)
resource/aws_api_gateway_integration: Add response_transfer_mode argument (#45329)
resource/aws_athena_workgroup: Add configuration.managed_query_results_configuration block (#44273)
resource/aws_backup_plan: Support malware scanning by adding rule.scan_action and scan_setting configuration blocks (#45392)
resource/aws_bedrockagentcore_gateway: Add interceptor_configuration argument (#45344)
resource/aws_cloudwatch_log_group: Add deletion_protection_enabled argument (#45298)
resource/aws_ec2_transit_gateway: Add encryption_support argument (#45317)
resource/aws_flow_log: Add regional_nat_gateway_id argument (#45380)
resource/aws_kms_ciphertext: Add plaintext_wo and plaintext_wo_version arguments to support write-only input (#43592)
resource/aws_lambda_function: Add durable_config argument (#45359)
resource/aws_lb: Add health_check_logs configuration block (#45269)
resource/aws_lb_target_group: Add target_control_port argument to support the ALB Target Optimizer (#45270)
resource/aws_rolesanywhere_profile: Add accept_role_session_name argument (#45391)
resource/aws_rolesanywhere_profile: Add plan-time validation of managed_policy_arns and role_arns (#45391)
resource/aws_route53_zone: Add enable_accelerated_recovery argument (#45302)
resource/aws_ssm_association: Add calendar_names argument (#45363)
resource/aws_transfer_connector: Add egress_config argument to support VPC Lattice connectivity for SFTP connectors (#45314)
resource/aws_transfer_connector: Make url argument optional to support VPC Lattice connectors (#45314)
resource/aws_workspaces_directory: Add tenancy argument (#43134)

6.24.0 (December 2, 2025)

FEATURES:

New Resource: aws_lambda_capacity_provider (#45342)
New Resource: aws_s3tables_table_bucket_replication (#45360)
New Resource: aws_s3tables_table_replication (#45360)
New Resource: aws_s3vectors_index (#43393)
New Resource: aws_s3vectors_vector_bucket (#43393)
New Resource: aws_s3vectors_vector_bucket_policy (#43393)

ENHANCEMENTS:

data-source/aws_lambda_function: Add capacity_provider_config attribute (#45342)
data-source/aws_vpc_nat_gateway: Support regional NAT Gateways by adding auto_provision_zones, auto_scaling_ips, availability_mode, availability_zone_address, regional_nat_gateway_address, and route_table_id attributes (#45240)
resource/aws_backup_plan: Add target_logically_air_gapped_backup_vault_arn argument to rule block (#45321)
resource/aws_lambda_function: Add capacity_provider_config and publish_to arguments (#45342)
resource/aws_resourceexplorer2_index: Deprecates id. Use arn instead. (#45345)
resource/aws_resourceexplorer2_view: Deprecates id. Use arn instead. (#45345)
resource/aws_vpc_nat_gateway: Make subnet_id argument optional to support regional NAT Gateways (#45420)
resource/aws_vpc_nat_gateway: Support regional NAT Gateways by adding availability_mode, availability_zone_address, and vpc_id arguments, and auto_provision_zones, auto_scaling_ips, regional_nat_gateway_address, and route_table_id attributes. This functionality requires the ec2:DescribeAvailabilityZones IAM permission (#45240)
resource/aws_vpn_connection: Add bgp_log_enabled, bgp_log_group_arn, and bgp_log_stream_arn arguments to tunnel1_log_options.cloudwatch_log_options and tunnel2_log_options.cloudwatch_log_options blocks (#45271)

6.23.0 (November 26, 2025)

NOTES:

resource/aws_s3_bucket: To support ABAC (Attribute Based Access Control) in general purpose buckets, this resource will now attempt to send tags in the create request and use the S3 Control tagging APIs TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#45251)

FEATURES:

New Resource: aws_ecs_express_gateway_service (#45235)
New Resource: aws_s3_bucket_abac (#45251)
New Resource: aws_vpc_encryption_control (#45263)
New Resource: aws_vpn_concentrator (#45175)

ENHANCEMENTS:

action/aws_lambda_invoke: Add tenant_id argument (#45170)
data-source/aws_eks_cluster: Add control_plane_scaling_config attribute (#45258)
data-source/aws_lambda_function: Add tenancy_config attribute (#45170)
data-source/aws_lambda_invocation: Add tenant_id argument (#45170)
data-source/aws_vpn_connection: Add vpn_concentrator_id attribute (#45175)
resoource/aws_ecs_capacity_provider: Add managed_instances_provider.infrastructure_optimization argument (#45142)
resource/aws_docdb_cluster: Add network_type argument (#45140)
resource/aws_docdb_subnet_group: Add supported_network_types attribute (#45140)
resource/aws_eks_cluster: Add control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#45258)
resource/aws_lambda_function: Add tenancy_config argument (#45170)
resource/aws_lambda_invocation: Add tenant_id argument (#45170)
resource/aws_s3_bucket: Tag on creation when the s3:TagResource permission is present (#45251)
resource/aws_s3_bucket: Use the S3 Control tagging APIs when the s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#45251)
resource/aws_vpn_connection: Add vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#45175)

6.22.1 (November 21, 2025)

ENHANCEMENTS:

resource/aws_fsx_openzfs_file_system: Support INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#45159)
resource/aws_msk_cluster: Add rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#45073)

BUG FIXES:

provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in v6.22.0. (#45201)
provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in v6.22.0. (#45201)
resource/aws_accessanalyzer_analyzer: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#45202)
resource/aws_odb_cloud_vm_cluster: Fix incorrect validation error when arguments are configured using variables. This addresses a regression introduced in v6.22.0 (#45205)

6.22.0 (November 20, 2025)

NOTES:

resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#45105)

FEATURES:

New Ephemeral Resource: aws_ecr_authorization_token (#44949)
New Guide: Tag Policy Compliance (#45143)
New Resource: aws_billing_view (#45097)
New Resource: aws_vpclattice_domain_verification (#45085)

ENHANCEMENTS:

data-source/aws_lb_listener: Add default_action.jwt_validation attribute (#45089)
data-source/aws_lb_listener_rule: Add action.jwt_validation attribute (#45089)
data-source/aws_route53_zone: Support filtering by tags only or by vpc_id only (#39671)
provider: Add support for enforcing tag policy compliance. This opt-in feature can be enabled via the new tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#45143)
resource/aws_backup_logically_air_gapped_vault: Add encryption_key_arn argument (#45020)
resource/aws_bedrock_guardrail: Add input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#45104)
resource/aws_bedrockagent_knowledge_base: Add storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#45075)
resource/aws_bedrockagentcore_agent_runtime: Add agent_runtime_artifact.code_configuration block (#45091)
resource/aws_bedrockagentcore_agent_runtime: Make agent_runtime_artifact.container_configuration block optional (#45091)
resource/aws_dynamodb_table: Add global_table_witness argument (#43908)
resource/aws_emr_managed_scaling_policy: Add scaling_strategy and utilization_performance_index arguments (#45132)
resource/aws_fis_experiment_template: Add plan-time validation of log_configuration.cloudwatch_logs_configuration.log_group_arn (#35941)
resource/aws_fis_experiment_template: Add support for Functions to action.*.target (#41209)
resource/aws_lambda_invocation: Add import support (#41240)
resource/aws_lb_listener: Support jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#45089)
resource/aws_lb_listener_rule: Support jwt-validation as a valid action.type and add action.jwt_validation configuration block (#45089)
resource/aws_odb_cloud_vm_cluster: vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#45003)
resource/aws_organizations_organization: Add SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#45135)
resource/aws_prometheus_query_logging_configuration: Add plan-time validation of destination.cloudwatch_logs.log_group_arn (#35941)
resource/aws_prometheus_workspace: Add plan-time validation of logging_configuration.log_group_arn (#35941)
resource/aws_s3_bucket_server_side_encryption_configuration: Add rule.blocked_encryption_types argument (#45105)
resource/aws_sagemaker_model: Add container.additional_model_data_source and primary_container.additional_model_data_source arguments (#44407)
resource/aws_sfn_state_machine: Add plan-time validation of logging_configuration.log_destination (#35941)
resource/aws_timestreaminfluxdb_db_cluster: Add engine_type attribute (#44899)
resource/aws_timestreaminfluxdb_db_cluster: Add validation to ensure InfluxDB V2 clusters have required fields and InfluxDB V3 clusters (when using V3 parameter groups) do not have forbidden V2 fields. This functionality requires the timestream-influxdb:GetDbParameterGroup IAM permission (#44899)
resource/aws_vpclattice_resource_configuration: Add custom_domain_name and domain_verification_id arguments and domain_verification_arn and domain_verification_status attributes to support custom domain names for resource configurations (#45085)
resource/aws_vpn_connection: Add tunnel_bandwidth argument to support higher bandwidth tunnels (#45070)

BUG FIXES:

resource/aws_db_instance: Fix blue/green deployments failing with "not in available state" by improving stability and handling storage-config-upgrade and storage-initialization statuses (#41275)
resource/aws_elastic_beanstalk_configuration_template: Fix updates not applying by including ResourceName for option settings and preventing duplicate add/remove operations (#45077)
resource/aws_odb_cloud_vm_cluster: support for hyphen in odb cloud vm cluster hostname prefix. (#45003)
resource/aws_quicksight_account_settings: Add region argument (#45083)
resource/aws_s3_directory_bucket: Fix plan-time AWS resource not found during refresh warnings causing resource replacement when ReadOnly s3express:SessionMode is enforced (#45086)
resource/aws_ssoadmin_account_assignment: Correct target_type argument to required (#45092)
resource/aws_timestreaminfluxdb_db_cluster: Make allocated_storage, bucket, organization, username, and password optional to support InfluxDB V3 clusters (#44899)

6.21.0 (November 13, 2025)

BREAKING CHANGES:

resource/aws_bedrockagentcore_browser: Rename network_configuration.network_mode_config to network_configuration.vpc_config (#44828)

FEATURES:

New Action: aws_dynamodb_create_backup (#45001)
New Resource: aws_networkflowmonitor_monitor (#44782)
New Resource: aws_networkflowmonitor_scope (#44782)
New Resource: aws_observabilityadmin_centralization_rule_for_organization (#44806)

ENHANCEMENTS:

data-source/aws_ecs_service: Add capacity_provider_strategy, created_at, created_by, deployment_configuration, deployment_controller, deployments, enable_ecs_managed_tags, enable_execute_command, events, health_check_grace_period_seconds, iam_role, network_configuration, ordered_placement_strategy, pending_count, placement_constraints, platform_family, platform_version, propagate_tags, running_count, service_connect_configuration, service_registries, status, and task_sets attributes (#44842)
resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.mcp_server block (#44991)
resource/aws_bedrockagentcore_gateway_target: Make credential_provider_configuration block optional (#44991)
resource/aws_cloudwatch_log_delivery_destination: Make delivery_destination_type and delivery_destination_configuration optional to support AWS X-Ray as a destination (#44995)
resource/aws_ecs_service: Add support for LINEAR and CANARY deployment strategies with deployment_configuration.linear_configuration and deployment_configuration.canary_configuration blocks (#44842)
resource/aws_lambda_function: Add support for java25 runtime value (#45024)
resource/aws_lambda_function: Add support for nodejs24.x runtime value (#45024)
resource/aws_lambda_function: Add support for python3.14 runtime value (#45024)
resource/aws_lambda_layer_version: Add support for java25 compatible_runtimes value (#45024)
resource/aws_lambda_layer_version: Add support for nodejs24.x compatible_runtimes value (#45024)
resource/aws_lambda_layer_version: Add support for python3.14 compatible_runtimes value (#45024)
resource/aws_s3tables_table: Add tagging support (#44996)
resource/aws_s3tables_table_bucket: Add tagging support (#44996)
resource/aws_sagemaker_endpoint_configuration: Add execution_role_arn argument and make model_name optional in production_variants and shadow_production_variants blocks to support Inference Components (#44977)
resource/aws_sns_topic: Fix AuthorizationError ... is not authorized to perform: iam:PassRole on resource ... IAM eventual consistency errors on Create and Update (#45018)

BUG FIXES:

provider: Fix situation where refreshes of removed infrastructure appear as errors rather than warnings (#45022)
resource/aws_acmpca_certificate_authority: Prevents error when upgrading from provider pre-v6.0 without refreshing (#45050)
resource/aws_apprunner_service: Prevents error when upgrading from provider pre-v6.0 without refreshing (#45051)
resource/aws_ec2_image_block_public_access: Add region argument (#45023)
resource/aws_ec2_serial_console_access: Add region argument (#45064)
resource/aws_emrcontainers_job_template: Fix ValidationException: Value null at 'jobTemplateData.configurationOverrides.monitoringConfiguration.cloudWatchMonitoringConfiguration.logGroupName' failed to satisfy constraint: Member must not be null error (#45029)
resource/aws_emrcontainers_job_template: Fix setting job_template_data: job_template_data.0.configuration_overrides.0.application_configuration.0: '' expected a map, got 'slice' error (#45029)
resource/aws_emrcontainers_job_template: Mark job_template_data.job_driver.configuration_overrides.monitoring_configuration.persistent_app_ui argument as computed (#45029)
resource/aws_invoicing_invoice_unit: Fix Provider returned invalid result object after apply error occurred when updating the resource (#45030)
resource/aws_opensearch_authorize_vpc_endpoint_access: Fix reading the resource when more than one principal is authorized. The import ID has changed from domain_name to domain_name and account separated by a comma (#44982)
resource/aws_redshift_cluster: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_integration: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#44952)
resource/aws_sagemaker_endpoint: Fix bug where endpoint_config_name was not correctly updated, causing the endpoint to retain the old configuration (#42843)
resource/aws_wafv2_web_acl_logging_configuration: Fix the validation for redacted_fields.single_header.name (#44987)

6.20.0 (November 6, 2025)

FEATURES:

New Resource: aws_ec2_allowed_images_settings (#44800)
New Resource: aws_fis_target_account_configuration (#44875)
New Resource: aws_invoicing_invoice_unit (#44892)

ENHANCEMENTS:

data-source/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior attribute (#44934)
data-source/aws_elasticache_replication_group: Add node_group_configuration attribute to expose node group details including availability zones, replica counts, and slot ranges (#44879)
data-source/aws_kinesis_stream: Add max_record_size_in_kib attribute (#44915)
data-source/aws_opensearch_domain: Add identity_center_options attribute (#44626)
provider: Support us-isob-west-1 as a valid AWS Region (#44944)
resource/aws_cloudfront_distribution: Add logging_v1_enabled attribute (#44838)
resource/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior argument (#44934)
resource/aws_ec2_client_vpn_route: Allow IPv6 address ranges for destination_cidr_block (#44926)
resource/aws_ec2_instance_connect_endpoint: Add ip_address_type argument (#44616)
resource/aws_eks_node_group: Add max_parallel_nodes_repaired_count, max_parallel_nodes_repaired_percentage, max_unhealthy_node_threshold_count, max_unhealthy_node_threshold_percentage, and node_repair_config_overrides to the node_repair_config schema (#44894)
resource/aws_elasticache_replication_group: Add node_group_configuration block to support availability zone specification and snapshot restoration for cluster mode enabled replication groups (#44879)
resource/aws_glue_job: Ensure that timeout is unconfigured for Ray jobs (#35012)
resource/aws_kinesis_stream: Add max_record_size_in_kib argument to support for Kinesis 10MiB payloads. This functionality requires the kinesis:UpdateMaxRecordSize IAM permission (#44915)
resource/aws_opensearch_domain: Add identity_center_options configuration block (#44626)
resource/aws_transfer_server: Add support for TransferSecurityPolicy-AS2Restricted-2025-07 security_policy_name value (#44865)
resource/aws_transfer_server: Support TransferSecurityPolicy-AS2Restricted-2025-07 as a valid value for security_policy_name (#44652)

BUG FIXES:

resource/aws_cloudfront_continuous_deployment_policy: Fix Source type "...cloudfront.stagingDistributionDNSNamesModel" does not implement attr.Value error. This fixes a regression introduced in v6.17.0 (#44972)
resource/aws_cloudfront_distribution: Change logging_config.bucket argument from Required to Optional (#44838)
resource/aws_cloudfront_distribution: Fix inability to configure logging_config.include_cookies argument while keeping V1 logging disabled (#44838)
resource/aws_cloudfront_vpc_origin: Fix Source type "...cloudfront.originSSLProtocolsModel" does not implement attr.Value and missing required field, CreateVpcOriginInput.VpcOriginEndpointConfig errors. This fixes a regression introduced in v6.17.0 (#44861)
resource/aws_glue_job: Allow Ray jobs to be updated (#35012)
resource/aws_glue_job: Allow a zero (0) value for timeout for Apache Spark streaming ETL jobs. This allows the job to be configured with no timeout (#44920)
resource/aws_lakeformation_lf_tags: Remove incorrect validation from catalog_id, database.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#44890)
resource/aws_launch_template: Allow an empty ("") value for block_device_mappings.ebs.kms_key_id. This fixes a regression introduced in v6.16.0 (#44708)
resource/aws_redshift_cluster: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_integration: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#44952)
resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#44952)

6.19.0 (October 30, 2025)

FEATURES:

New Data Source: aws_ecrpublic_images (#44795)
New Resource: aws_lakeformation_identity_center_configuration (#44867)

ENHANCEMENTS:

action/aws_lambda_invoke: Output logs in a progress message when log_type is Tail (#44843)
data-source/aws_imagebuilder_image_recipe: Add ami_tags attribute (#44731)
data-source/aws_lb_listener_rule: Add regex_values attribute to condition.host_header, condition.http_header and condition.path_pattern blocks (#44741)
data-source/aws_lb_listener_rule: Add transform attribute (#44702)
resource/aws_bedrockagentcore_gateway: Add validator to ensure correct authorizer_configuration and authorizer_type config (#44826)
resource/aws_emrserverless_application: Add monitoring_configuration argument (#43317)
resource/aws_emrserverless_application: Add runtime_configuration argument (#43302)
resource/aws_identitystore_group: Adds arn attribute. (#44867)
resource/aws_imagebuilder_image_recipe: Add ami_tags argument (#44731)
resource/aws_lb_listener_rule: Add regex_values argument to condition.host_header, condition.http_header and condition.path_pattern blocks (#44741)
resource/aws_lb_listener_rule: Add transform configuration block (#44702)
resource/aws_lb_listener_rule: The values argument in condition.host_header, condition.http_header and condition.path_pattern is now optional (#44741)
resource/aws_quicksight_data_set: Increase upper limit of physical_table_map.relational_table.name from 64 to 256 characters (#44807)
resource/aws_sagemaker_notebook_instance: Add notebook-al2023-v1 to valid platform_identifier values (#44570)
resource/aws_sqs_queue: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_policy: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_redrive_allow_policy: Remove account_id and region from Resource Identity schema (#44846)
resource/aws_sqs_queue_redrive_policy: Remove account_id and region from Resource Identity schema (#44846)

BUG FIXES:

data-source/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#44867)
provider: Fix crash when setting override region during provider initialization (#44860)
resource/aws_bedrockagentcore_gateway: Change authorizer_configuration block from Required to Optional (#44812)
resource/aws_bedrockagentcore_gateway: Mark authorizer_type argument as ForceNew (#44812)
resource/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#44867)

6.18.0 (October 23, 2025)

NOTES:

data-source/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#44327)
data-source/aws_organizations_organizational_unit_child_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#44327)
data-source/aws_organizations_organizational_unit_descendant_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#44327)
resource/aws_organizations_account: The status attribute is deprecated. Use state instead. (#44327)
resource/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#44327)

FEATURES:

New List Resource: aws_iam_policy (#44703)
New List Resource: aws_iam_role_policy_attachment (#44739)
New Resource: aws_bedrockagentcore_memory (#44306)
New Resource: aws_bedrockagentcore_memory_strategy (#44306)
New Resource: aws_bedrockagentcore_oauth2_credential_provider (#44307)
New Resource: aws_bedrockagentcore_token_vault_cmk (#44606)
New Resource: aws_bedrockagentcore_workload_identity (#44308)

ENHANCEMENTS:

data-source/aws_iam_policy: Adds validation for path_prefix attribute (#44703)
data-source/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#44327)
data-source/aws_organizations_organizational_unit_child_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#44327)
data-source/aws_organizations_organizational_unit_descendant_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#44327)
resource/aws_appstream_directory_config: Add certificate_based_auth_properties argument (#44679)
resource/aws_iam_policy: Adds validation for path attribute (#44703)
resource/aws_odb_network: Add delete_associated_resources attribute to enable practitioner to delete associated oci resource. (#44754)
resource/aws_organizations_account: Add state attribute (#44327)
resource/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#44327)

BUG FIXES:

data-source/aws_vpn_connection: Properly set tags attribute (#44761)
resource/aws_rds_cluster: Fix "When modifying Provisioned IOPS storage, specify a value for both allocated storage and iops" error when updating RDS clusters with Provisioned IOPS storage (#44706)
resource/guardduty_detector_feature: Fix additional_configuration block to ignore ordering (#44627)

6.17.0 (October 16, 2025)

NOTES:

resource/aws_quicksight_account_subscription: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#44638)

FEATURES:

New Data Source: aws_rds_global_cluster (#37286)
New Data Source: aws_vpn_connection (#44622)
New List Resource: aws_subnet (#44671)
New List Resource: aws_vpc (#44609)
New Resource: aws_bedrockagentcore_agent_runtime (#44301)
New Resource: aws_bedrockagentcore_agent_runtime_endpoint (#44301)
New Resource: aws_bedrockagentcore_api_key_credential_provider (#44302)
New Resource: aws_bedrockagentcore_browser (#44303)
New Resource: aws_bedrockagentcore_code_interpreter (#44304)
New Resource: aws_bedrockagentcore_gateway (#44305)
New Resource: aws_bedrockagentcore_gateway_target (#44305)

ENHANCEMENTS:

resource/aws_imagebuilder_container_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_imagebuilder_image_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_launch_template: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44604)
resource/aws_quicksight_account_subscription: Add admin_pro_group, author_pro_group, and reader_pro_group arguments (#44638)

BUG FIXES:

resource/aws_ec2_transit_gateway_route_table_propagation.test: Fix bug causing inconsistent final plan errors (#44542)
resource/aws_lambda_function: Reset non-API attributes (source_code_hash, s3_bucket, s3_key, s3_object_version and filename) to their previous values when an update operation fails (#42829)

6.16.0 (October 9, 2025)

FEATURES:

New Action: aws_transcribe_start_transcription_job (#44445)
New Data Source: aws_odb_cloud_autonomous_vm_clusters (#44336)
New Data Source: aws_odb_cloud_exadata_infrastructures (#44336)
New Data Source: aws_odb_cloud_vm_clusters (#44336)
New Data Source: aws_odb_network_peering_connections (#44336)
New Data Source: aws_odb_networks (#44336)
New Resource: aws_prometheus_resource_policy (#44256)
New Resource: aws_transfer_host_key (#44559)
New Resource: aws_transfer_web_app (#42708)
New Resource: aws_transfer_web_app_customization (#42708)

ENHANCEMENTS:

resource/aws_codebuild_project: Add auto_retry_limit argument (#40035)
resource/aws_emrserverless_application: Add scheduler_configuration block (#44589)
resource/aws_lambda_event_source_mapping: Add schema_registry_config configuration blocks to amazon_managed_kafka_event_source_config and self_managed_kafka_event_source_config blocks (#44540)
resource/aws_ssmcontacts_contact: Add resource identity support (#44548)
resource/aws_vpclattice_resource_gateway: Add ipv4_addresses_per_eni argument (#44560)

BUG FIXES:

provider: Correctly validate AWS European Sovereign Cloud Regions in ARNs (#44573)
provider: Fix Missing Resource Identity After Update errors for non-refreshed and failed updates of Plugin Framework based resources (#44518)
provider: Fix Unexpected Identity Change errors when fully-null identity values in state are updated to valid values for Plugin Framework based resources (#44518)
resource/aws_datazone_environment: Correctly updates glossary_terms. (#44491)
resource/aws_datazone_environment: Prevents unknown value error when optional account_identifier is not specified. (#44491)
resource/aws_datazone_environment: Prevents unknown value error when optional account_region is not specified. (#44491)
resource/aws_datazone_environment: Prevents error when updating. (#44491)
resource/aws_datazone_environment: Prevents occasional unexpected state error when deleting. (#44491)
resource/aws_datazone_environment: Properly passes blueprint_identifier on creation. (#44491)
resource/aws_datazone_environment: Sets values for user_parameters when importing. (#44491)
resource/aws_datazone_environment: Values in user_parameters should not be updateable. (#44491)
resource/aws_datazone_project: No longer ignores errors when deleting. (#44491)
resource/aws_datazone_project: No longer returns error when already deleting. (#44491)
resource/aws_dynamodb_table: Do not retry on LimitExceededException (#44576)
resource/aws_ivschat_room: Set maximum_message_rate_per_second validation maximum to 100 (#44572)
resource/aws_launch_template: kms_key_id validation now accepts key ID, alias, and alias ARN in addition to key ARN (#44505)
resource/aws_servicecatalog_portfolio_share: Add global mutex lock around create and delete operations to prevent ThrottlingException errors (#24730)

6.15.0 (October 2, 2025)

BREAKING CHANGES:

resource/aws_ecs_service: Fix behavior when updating capacity_provider_strategy to avoid ECS service recreation after recent AWS changes (#43533)

FEATURES:

New Action: aws_codebuild_start_build (#44444)
New Action: aws_events_put_events (#44487)
New Action: aws_sfn_start_execution (#44464)
New Data Source: aws_appconfig_application (#44168)
New Data Source: aws_odb_db_node (#43792)
New Data Source: aws_odb_db_nodes (#43792)
New Data Source: aws_odb_db_server (#43792)
New Data Source: aws_odb_db_servers (#43792)
New Data Source: aws_odb_db_system_shapes (#43825)
New Data Source: aws_odb_gi_versions (#43825)
New Resource: aws_lakeformation_lf_tag_expression (#43883)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Add mysql_settings attribute (#44516)
data-source/aws_ec2_instance_type_offering: Add location attribute (#44328)
data-source/aws_rds_proxy: Add default_auth_scheme attribute (#44309)
resource/aws_cleanrooms_configured_table: Add resource identity support (#44435)
resource/aws_cloudfront_distribution: Add ip_address_type argument to origin.custom_origin_config block (#44463)
resource/aws_connect_instance: Add resource identity support (#44346)
resource/aws_connect_phone_number: Add resource identity support (#44365)
resource/aws_dms_endpoint: Add mysql_settings configuration block (#44516)
resource/aws_dsql_cluster: Adds attribute force_destroy. (#44406)
resource/aws_ebs_volume: Update throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#44514)
resource/aws_ecs_capacity_provider: Add cluster and managed_instances_provider arguments (#44509)
resource/aws_ecs_capacity_provider: Make auto_scaling_group_provider optional (#44509)
resource/aws_iam_service_specific_credential: Add support for Bedrock API keys with credential_age_days, service_credential_alias, service_credential_secret, create_date, and expiration_date attributes (#44299)
resource/aws_networkfirewall_logging_configuration: Add enable_monitoring_dashboard argument (#44515)
resource/aws_opensearch_domain: Add aiml_options argument (#44417)
resource/aws_pinpointsmsvoicev2_phone_number: Update two_way_channel_arn argument to accept connect.[region].amazonaws.com in addition to ARNs (#44372)
resource/aws_rds_proxy: Add default_auth_scheme argument (#44309)
resource/aws_rds_proxy: Make auth configuration block optional (#44309)
resource/aws_route53recoverycontrolconfig_cluster: Add network_type argument (#44377)
resource/aws_route53recoverycontrolconfig_cluster: Add tagging support (#44473)
resource/aws_route53recoverycontrolconfig_control_panel: Add tagging support (#44473)
resource/aws_route53recoverycontrolconfig_safety_rule: Add tagging support (#44473)
resource/aws_s3control_bucket: Add resource identity support (#44379)
resource/aws_sfn_activity: Add arn argument (#44408)
resource/aws_sfn_activity: Add resource identity support (#44408)
resource/aws_sfn_alias: Add resource identity support (#44408)
resource/aws_ssmcontacts_contact_channel: Add resource identity support (#44369)

BUG FIXES:

data-source/aws_lb: Fix Invalid address to set: []string{"secondary_ips_auto_assigned_per_subnet"} errors (#44485)
data-source/aws_networkfirewall_firewall_policy: Fix failure to retrieve multiple firewall_policy.stateful_rule_group_reference attributes (#44482)
data-source/aws_servicequotas_service_quota: Fixed a panic that occurred when a non-existing quota_name was provided (#44449)
resource/aws_bedrock_provisioned_model_throughput: Fix AttributeName("arn") still remains in the path: could not find attribute or block "arn" in schema errors when upgrading from a pre-v6.0.0 provider version (#44434)
resource/aws_chatbot_slack_channel_configuration: Force resource replacement when configuration_name is modified (#43996)
resource/aws_cloudwatch_event_rule: Do not retry on LimitExceededException (#44489)
resource/aws_cloudwatch_log_resource_policy: Do not retry on LimitExceededException (#44522)
resource/aws_default_vpc: Correctly set ipv6_cidr_block when the VPC has multiple associated IPv6 CIDRs (#44362)
resource/aws_dms_endpoint: Ensure that postgres_settings are updated (#44389)
resource/aws_dsql_cluster: Prevents error when optional attribute deletion_protection_enabled not set. (#44406)
resource/aws_eks_cluster: Change compute_config, kubernetes_network_config.elastic_load_balancing, and storage_config. to Optional and Computed, allowing EKS Auto Mode settings to be enabled, disabled, and removed from configuration (#44334)
resource/aws_elastic_beanstalk_configuration_template: Fix inconsistent final plan error in some cases with setting elements. (#44461)
resource/aws_elastic_beanstalk_environment: Fix inconsistent final plan error in some cases with setting elements. (#44461)
resource/aws_elasticache_cluster: Fix provider produced unexpected value for cache_usage_limits argument. (#43841)
resource/aws_fsx_lustre_file_system: Fixed to update metadata_configuration first to allow simultaneous increase of metadata_configuration.iops and storage_capacity (#44456)
resource/aws_instance: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when capacity_reservation_target is empty (#44459)
resource/aws_kinesisanalyticsv2_application: Ensure that configured application_configuration.run_configuration values are respected during update (#43490)
resource/aws_odb_cloud_autonomous_vm_cluster : Fixed planmodifier for computed attribute. (#44401)
resource/aws_odb_cloud_vm_cluster : Fixed planmodifier for computed attribute. Fixed planmodifier from display_name attribute. (#44401)
resource/aws_odb_cloud_vm_cluster : Fixed planmodifier for data_storage_size_in_tbs. Marked it mandatory. Fixed gi-version issue during creation (#44498)
resource/aws_odb_network_peering_connection : Fixed planmodifier for computed attribute. (#44401)
resource/aws_rds_cluster: Fixes error when setting database_insights_mode with global_cluster_identifier. (#44404)
resource/aws_route53_health_check: Fix child_health_threshold to properly accept explicitly specified zero value (#44006)
resource/aws_s3_bucket_lifecycle_configuration: Allows unsetting noncurrent_version_expiration.newer_noncurrent_versions and noncurrent_version_transition.newer_noncurrent_versions. (#44442)
resource/aws_s3_bucket_lifecycle_configuration: Do not warn if no filter element is set (#43590)
resource/aws_vpc: Correctly set ipv6_cidr_block when the VPC has multiple associated IPv6 CIDRs (#44362)

6.14.1 (September 22, 2025)

NOTES:

provider: This release contains both internal provider fixes and a Terraform Plugin SDK V2 update related to a regression which may impact resources that support resource identity (#44375)

BUG FIXES:

provider: Fix Missing Resource Identity After Update errors for non-refreshed and failed updates (#44375)
provider: Fix Unexpected Identity Change errors when fully-null identity values in state are updated to valid values (#44375)

6.14.0 (September 18, 2025)

FEATURES:

New Action: aws_cloudfront_create_invalidation (#43955)
New Action: aws_ec2_stop_instance (#43700)
New Action: aws_lambda_invoke (#43972)
New Action: aws_ses_send_email (#44214)
New Action: aws_sns_publish (#44232)
New Data Source: aws_billing_views (#44272)
New Data Source: aws_odb_cloud_autonomous_vm_cluster (#43809)
New Data Source: aws_odb_cloud_exadata_infrastructure (#43650)
New Data Source: aws_odb_cloud_vm_cluster (#43790)
New Data Source: aws_odb_network (#43715)
New Data Source: aws_odb_network_peering_connection (#43757)
New List Resource: aws_batch_job_queue (#43960)
New List Resource: aws_cloudwatch_log_group (#44129)
New List Resource: aws_iam_role (#44129)
New List Resource: aws_instance (#44129)
New Resource: aws_controltower_baseline (#42397)
New Resource: aws_odb_cloud_autonomous_vm_cluster (#43809)
New Resource: aws_odb_cloud_exadata_infrastructure (#43650)
New Resource: aws_odb_cloud_vm_cluster (#43790)
New Resource: aws_odb_network (#43715)
New Resource: aws_odb_network_peering_connection (#43757)

ENHANCEMENTS:

resource/aws_ecs_service: Add deployment_configuration.lifecycle_hook.hook_details argument (#44289)
resource/aws_rds_global_cluster: Remove provider-side conflict between source_db_cluster_identifier and engine arguments (#44252)
resource/aws_scheduler_schedule: Add action_after_completion argument (#44264)
resource/aws_sfn_state_machine: Add resource identity support (#44286)

BUG FIXES:

resource/aws_elasticache_user_group: Ignore InvalidParameterValue: User xxx is not a member of user group xxx errors during group modification (#43520)
resource/aws_sagemaker_endpoint_configuration: Fix panic when empty async_inference_config.output_config.notification_config block is specified (#44310)

6.13.0 (September 11, 2025)

ENHANCEMENTS:

data-source/aws_budgets_budget: Add billing_view_arn attribute (#44241)
data-source/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput attributes (#41308)
data-source/aws_elastic_beanstalk_hosted_zone: Add hosted zone IDs for ap-southeast-5, ap-southeast-7, eu-south-2, and me-central-1 AWS Regions (#44132)
data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-southeast-6 AWS Region (#44132)
data-source/aws_s3_bucket: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
resource/aws_appautoscaling_policy: Add predictive_scaling_policy_configuration argument (#44211)
resource/aws_appautoscaling_policy: Add plan-time validation of policy_type (#44211)
resource/aws_appautoscaling_policy: Add plan-time validation of step_scaling_policy_configuration.adjustment_type and step_scaling_policy_configuration.metric_aggregation_type (#44211)
resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled arguments to word_policy_config.managed_word_lists_config and word_policy_config.words_config configuration blocks (#44224)
resource/aws_budgets_budget: Add billing_view_arn argument (#44241)
resource/aws_cloudfront_distribution: Add origin.response_completion_timeout argument (#44163)
resource/aws_codebuild_webhook: Add pull_request_build_policy configuration block (#44201)
resource/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput arguments (#41308)
resource/aws_ecs_account_setting_default: Support dualStackIPv6 as a valid value for name (#44165)
resource/aws_glue_catalog_table_optimizer: Add iceberg_configuration.run_rate_in_hours argument to retention_configuration and orphan_file_deletion_configuration blocks (#44207)
resource/aws_networkfirewall_rule_group: Add IPv6 CIDR block support to address_definition arguments in source and destination blocks within rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rule.rule_definition.match_attributes (#44215)
resource/aws_networkmanager_vpc_attachment: Add options.dns_support and options.security_group_referencing_support arguments (#43742)
resource/aws_networkmanager_vpc_attachment: Change options to Optional and Computed (#43742)
resource/aws_opensearch_package: Add engine_version argument (#44155)
resource/aws_opensearch_package: Add waiter to ensure package validation completes (#44155)
resource/aws_synthetics_canary: Add schedule.retry_config configuration block (#44244)
resource/aws_vpc_endpoint: Add resource identity support (#44194)
resource/aws_vpc_security_group_egress_rule: Add resource identity support (#44198)
resource/aws_vpc_security_group_ingress_rule: Add resource identity support (#44198)

BUG FIXES:

resource/aws_appautoscaling_policy: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when step_scaling_policy_configuration is empty (#44211)
resource/aws_cognito_managed_login_branding: Fix reading Cognito Managed Login Branding by client ... couldn't find resource errors when a user pool contains multiple client apps (#44204)
resource/aws_eks_cluster: Supports null compute_config.node_role_arn when disabling auto mode or built-in node pools (#42483)
resource/aws_flow_log: Fix Error decoding ... from prior state: unsupported attribute "log_group_name" errors when upgrading from a pre-v6.0.0 provider version (#44191)
resource/aws_launch_template: Fix Error decoding ... from prior state: unsupported attribute "elastic_gpu_specifications" errors when upgrading from a pre-v6.0.0 provider version (#44195)
resource/aws_rds_cluster_role_association: Make feature_name optional (#44143)
resource/aws_s3_bucket_lifecycle_configuration: Ignore MethodNotAllowed errors when deleting non-existent lifecycle configurations (#44189)
resource/aws_secretsmanager_secret: Return diagnostic warning when remote policy is invalid (#44228)
resource/aws_servicecatalog_provisioned_product: Restore timeouts.read arguments removed in v6.12.0 (#44238)

6.12.0 (September 4, 2025)

NOTES:

resource/aws_s3_bucket_acl: The access_control_policy.grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
resource/aws_s3_bucket_acl: The access_control_policy.owner.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
resource/aws_s3_bucket_logging: The target_grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)

FEATURES:

New Resource: aws_cognito_managed_login_branding (#43817)

ENHANCEMENTS:

data-source/aws_efs_mount_target: Add ip_address_type and ipv6_address attributes (#44079)
data-source/aws_instance: Add placement_group_id attribute (#38527)
data-source/aws_lambda_function: Add source_kms_key_arn attribute (#44080)
data-source/aws_launch_template: Add placement.group_id attribute (#44097)
provider: Support ap-southeast-6 as a valid AWS Region (#44127)
resource/aws_ecs_service: Remove Terraform default for availability_zone_rebalancing and change the attribute to Optional and Computed. This allow ECS to default to ENABLED for new resources compatible with AvailabilityZoneRebalancing and maintain an existing service's availability_zone_rebalancing value during update when not configured. If an existing service never had an availability_zone_rebalancing value configured and is updated, ECS will treat this as DISABLED (#43241)
resource/aws_efs_mount_target: Add ip_address_type and ipv6_address arguments to support IPv6 connectivity (#44079)
resource/aws_fsx_openzfs_file_system: Remove maximum items limit on the user_and_group_quotas argument (#44120)
resource/aws_fsx_openzfs_volume: Remove maximum items limit on the user_and_group_quotas argument (#44118)
resource/aws_instance: Add placement_group_id argument (#38527)
resource/aws_instance: Add resource identity support (#44068)
resource/aws_lambda_function: Add source_kms_key_arn argument (#44080)
resource/aws_launch_template: Add placement.group_id argument (#44097)
resource/aws_ssm_association: Add resource identity support (#44075)
resource/aws_ssm_document: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window_target: Add resource identity support (#44075)
resource/aws_ssm_maintenance_window_task: Add resource identity support (#44075)
resource/aws_ssm_patch_baseline: Add resource identity support (#44075)
resource/aws_synthetics_canary: Add run_config.ephemeral_storage argument. (#44105)

BUG FIXES:

resource/aws_s3tables_table_policy: Remove plan-time validation of name and namespace (#44072)
resource/aws_servicecatalog_provisioned_product: Set provisioning_parameters and provisioning_artifact_id to the values from the last successful deployment when update fails (#43956)
resource/aws_wafv2_web_acl: Fix performance of update when the WebACL has a large number of rules (#42740)

6.11.0 (August 28, 2025)

FEATURES:

New Resource: aws_timestreaminfluxdb_db_cluster (#42382)
New Resource: aws_workspacesweb_browser_settings_association (#43735)
New Resource: aws_workspacesweb_data_protection_settings_association (#43773)
New Resource: aws_workspacesweb_identity_provider (#43729)
New Resource: aws_workspacesweb_ip_access_settings_association (#43774)
New Resource: aws_workspacesweb_network_settings_association (#43775)
New Resource: aws_workspacesweb_portal (#43444)
New Resource: aws_workspacesweb_session_logger (#43863)
New Resource: aws_workspacesweb_session_logger_association (#43866)
New Resource: aws_workspacesweb_trust_store (#43408)
New Resource: aws_workspacesweb_trust_store_association (#43778)
New Resource: aws_workspacesweb_user_access_logging_settings_association (#43776)
New Resource: aws_workspacesweb_user_settings_association (#43777)

ENHANCEMENTS:

data-source/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type attributes (#44059)
data-source/aws_network_interface: Add attachment.network_card_index attribute (#42188)
data-source/aws_sesv2_email_identity: Add verification_status attribute (#44045)
data-source/aws_signer_signing_profile: Add signing_material and signing_parameters attributes (#43921)
data-source/aws_vpc_ipam: Add metered_account attribute (#43967)
resource/aws_datazone_domain: Add domain_version and service_role arguments to support V2 domains (#44042)
resource/aws_dlm_lifecycle_policy: Add copy_tags, create_interval, exclusions, extend_deletion, policy_language, resource_type and retain_interval attributes to policy_details configuration block (#41055)
resource/aws_dlm_lifecycle_policy: Add default_policy argument (#41055)
resource/aws_dlm_lifecycle_policy: Add policy_details.create_rule.scripts argument (#41055)
resource/aws_dlm_lifecycle_policy: Add policy_details.schedule.cross_region_copy_rule.target_region argument (#33796)
resource/aws_dlm_lifecycle_policy: Make policy_details.schedule.cross_region_copy_rule.target optional (#33796)
resource/aws_dlm_lifecycle_policy:Add policy_details.schedule.archive_rule argument (#41055)
resource/aws_dynamodb_contributor_insights: Add mode argument in support of CloudWatch contributor insights modes (#43914)
resource/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type arguments to support IPv6 connectivity in Client VPN (#44059)
resource/aws_ec2_client_vpn_endpoint: Make client_cidr_block optional (#44059)
resource/aws_ecr_lifecycle_policy: Add resource identity support (#44041)
resource/aws_ecr_repository: Add resource identity support (#44041)
resource/aws_ecr_repository_policy: Add resource identity support (#44041)
resource/aws_ecs_service: Add sigint_rollback argument (#43986)
resource/aws_ecs_service: Change deployment_configuration to Optional and Computed (#43986)
resource/aws_eks_cluster: Allow remote_network_config to be updated in-place, enabling support for EKS hybrid nodes on existing clusters (#42928)
resource/aws_elasticache_global_replication_group: Change engine to Optional and Computed (#42636)
resource/aws_inspector2_filter: Support code_repository_project_name, code_repository_provider_type, ecr_image_in_use_count, and ecr_image_last_in_use_at in filter_criteria (#43950)
resource/aws_iot_thing_principal_attachment: Add thing_principal_type argument (#43916)
resource/aws_kms_alias: Add resource identity support (#44025)
resource/aws_kms_external_key: Add key_spec argument (#44011)
resource/aws_kms_external_key: Change key_usage to Optional and Computed (#44011)
resource/aws_kms_key: Add resource identity support (#44025)
resource/aws_lb: Add secondary_ips_auto_assigned_per_subnet argument for Network Load Balancers (#43699)
resource/aws_mwaa_environment: Add worker_replacement_strategy argument (#43946)
resource/aws_network_interface: Add attachment.network_card_index argument (#42188)
resource/aws_network_interface_attachment: Add network_card_index argument (#42188)
resource/aws_route53_resolver_rule: Add resource identity support (#44048)
resource/aws_route53_resolver_rule_association: Add resource identity support (#44048)
resource/aws_route: Add resource identity support (#43910)
resource/aws_route_table: Add resource identity support (#43990)
resource/aws_s3_bucket_acl: Add resource identity support (#44043)
resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_logging: Add resource identity support (#43976)
resource/aws_s3_bucket_notification: Add resource identity support (#43976)
resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43976)
resource/aws_s3_bucket_policy: Add resource identity support (#43976)
resource/aws_s3_bucket_public_access_block: Add resource identity support (#43976)
resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_versioning: Add resource identity support (#43976)
resource/aws_s3_bucket_website_configuration: Add resource identity support (#43976)
resource/aws_s3tables_table_bucket: Add force_destroy argument (#43922)
resource/aws_secretsmanager_secret_version: Add resource identity support (#44031)
resource/aws_sesv2_email_identity: Add verification_status attribute (#44045)
resource/aws_signer_signing_profile: Add signing_parameters argument (#43921)
resource/aws_synthetics_canary: Add vpc_config.ipv6_allowed_for_dual_stack argument (#43989)
resource/aws_vpc_ipam: Add metered_account argument (#43967)

BUG FIXES:

data-source/aws_glue_catalog_table: Add partition_keys.parameters attribute (#26702)
resource/aws_cognito_user_pool: Fixed to accept an empty email_mfa_configuration block (#43926)
resource/aws_db_instance: Fixes the behavior when modifying database_insights_mode when using custom KMS key (#44050)
resource/aws_dx_hosted_connection: Fix DescribeHostedConnections failed for connection dxcon-xxxx doesn't exist by pointing to the correct connection ID when doing the describe. (#43499)
resource/aws_glue_catalog_table: Add partition_keys.parameters argument, fixing Invalid address to set: []string{"partition_keys", "0", "parameters"} errors (#26702)
resource/aws_imagebuilder_image_recipe: Increase upper limit of block_device_mapping.ebs.iops from 10000 to 100000 (#43981)
resource/aws_nat_gateway: Fix inconsistent final plan for secondary_private_ip_addresses (#43708)
resource/aws_spot_instance_request: Change network_interface.network_card_index to Computed (#38336)
resource/aws_timestreaminfluxdb_db_instance: Fix tag-only update errors (#42382)
resource/aws_wafv2_web_acl: Add missing flattening of name in response_inspection.header blocks for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet to avoid persistent plan diffs (#44032)

6.10.0 (August 21, 2025)

NOTES:

resource/aws_instance: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)
resource/aws_spot_instance_request: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)

ENHANCEMENTS:

data-source/aws_ecr_repository: Add image_tag_mutability_exclusion_filter attribute (#43886)
data-source/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter attribute (#43886)
resource/aws_cloudwatch_event_target: Add resource identity support (#43984)
resource/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter configuration block (#43886)
resource/aws_glue_job: Support G.12X, G.16X, R.1X, R.2X, R.4X, and R.8X as valid values for worker_type (#43988)
resource/aws_lambda_permission: Add resource identity support (#43954)
resource/aws_lightsail_static_ip_attachment: Support resource import (#43874)
resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_logging: Add resource identity support (#43976)
resource/aws_s3_bucket_notification: Add resource identity support (#43976)
resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43976)
resource/aws_s3_bucket_policy: Add resource identity support (#43976)
resource/aws_s3_bucket_public_access_block: Add resource identity support (#43976)
resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43976)
resource/aws_s3_bucket_versioning: Add resource identity support (#43976)
resource/aws_s3_bucket_website_configuration: Add resource identity support (#43976)
resource/aws_secretsmanager_secret: Add resource identity support (#43872)
resource/aws_secretsmanager_secret_policy: Add resource identity support (#43872)
resource/aws_secretsmanager_secret_rotation: Add resource identity support (#43872)
resource/aws_sqs_queue: Add resource identity support (#43918)
resource/aws_sqs_queue_policy: Add resource identity support (#43918)
resource/aws_sqs_queue_redrive_allow_policy: Add resource identity support (#43918)
resource/aws_sqs_queue_redrive_policy: Add resource identity support (#43918)

BUG FIXES:

resource/aws_batch_compute_environment: Allow in-place updates of compute environments that have the SPOT_PRICE_CAPACITY_OPTIMIZED strategy (#40148)
resource/aws_imagebuilder_lifecycle_policy: Fix Provider produced inconsistent result after apply error when policy_detail.exclusion_rules.amis.is_public is omitted (#43925)
resource/aws_instance: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)
resource/aws_rds_cluster: Fixes the behavior when enabling database_insights_mode="advanced" without changing performance insights retention window (#43919)
resource/aws_rds_cluster: Fixes the behavior when modifying database_insights_mode when using custom KMS key (#43942)
resource/aws_spot_instance_request: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)

6.9.0 (August 14, 2025)

FEATURES:

New Resource: aws_appsync_api (#43787)
New Resource: aws_appsync_channel_namespace (#43787)

ENHANCEMENTS:

data-source/aws_eks_cluster: Add deletion_protection attribute (#43779)
resource/aws_cloudwatch_event_rule: Add resource identity support (#43758)
resource/aws_cloudwatch_metric_alarm: Add resource identity support (#43759)
resource/aws_dynamodb_table: Add replica.deletion_protection_enabled argument (#43240)
resource/aws_eks_cluster: Add deletion_protection argument (#43779)
resource/aws_lambda_function: Add resource identity support (#43821)
resource/aws_sns_topic_data_protection_policy: Add resource identity support (#43830)
resource/aws_sns_topic_policy: Add resource identity support (#43830)
resource/aws_sns_topic_subscription: Add resource identity support (#43830)
resource/aws_subnet: Add resource identity support (#43833)

BUG FIXES:

data-source/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
data-source/aws_networkfirewall_firewall_policy: Add missing schema definition for firewall_policy.stateful_engine_options.flow_timeouts (#43852)
resource/aws_cognito_risk_configuration: Make account_takeover_risk_configuration.notify_configuration optional (#33624)
resource/aws_ecs_service: Fix tagging failure after upgrading to v6 provider (#43816)
resource/aws_ecs_service: Fix refreshing service_connect_configuration when deleted outside of Terraform (#43871)
resource/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
resource/aws_s3tables_table: Fix runtime error: invalid memory address or nil pointer dereference panics when GetTableMaintenanceConfiguration returns an error (#43764)
resource/aws_sagemaker_user_profile: Fix incomplete regex for user_profile_name (#43807)
resource/aws_servicequotas_service_quota: Add validation, during create, to check if new value is less than current value of quota (#43545)
resource/aws_storagegateway_gateway: Handle InvalidGatewayRequestException: The specified gateway is not connected errors during Read by using the ListGateways API to return minimal information about a disconnected gateway. This functionality requires the storagegateway:ListGateways IAM permission (#43819)
resource/aws_vpc_ipam_pool_cidr: Fix netmask_length not being saved and diffed correctly (#43262)

6.8.0 (August 7, 2025)

FEATURES:

New Resource: aws_networkfirewall_vpc_endpoint_association (#43675)
New Resource: aws_quicksight_custom_permissions (#43613)
New Resource: aws_quicksight_role_custom_permission (#43613)
New Resource: aws_quicksight_user_custom_permission (#43613)
New Resource: aws_wafv2_web_acl_rule_group_association (#43561)

ENHANCEMENTS:

data-source/aws_quicksight_user: Add custom_permissions_name attribute (#43613)
data-source/aws_wafv2_web_acl: Add resource_arn argument to enable finding web ACLs by resource ARN (#43597)
data-source/aws_wafv2_web_acl: Add support for CLOUDFRONT scope web ACLs using resource_arn (#43597)
resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled attributes to sensitive_information_policy_config.pii_entities_config and sensitive_information_policy_config.regexes_config configuration blocks (#43702)
resource/aws_cloudwatch_log_group: Add resource identity support (#43719)
resource/aws_computeoptimizer_recommendation_preferences: Add AuroraDBClusterStorage as a valid resource_type (#43677)
resource/aws_docdb_cluster: Add serverless_v2_scaling_configuration argument in support of Amazon DocumentDB serverless (#43667)
resource/aws_ecr_repository: Add image_tag_mutability_exclusion_filter argument (#43642)
resource/aws_ecr_repository: Support IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION as valid values for image_tag_mutability (#43642)
resource/aws_inspector2_enabler: Support resource import (#43673)
resource/aws_instance: Adds force_destroy argument that allows destruction even when disable_api_termination and disable_api_stop are true (#43722)
resource/aws_ivs_channel: Add resource identity support (#43704)
resource/aws_ivs_playback_key_pair: Add resource identity support (#43704)
resource/aws_ivs_recording_configuration: Add resource identity support (#43704)
resource/aws_ivschat_logging_configuration: Add resource identity support (#43697)
resource/aws_ivschat_room: Add resource identity support (#43697)
resource/aws_kinesis_firehose_delivery_stream: Add iceberg_configuration.append_only argument (#43647)
resource/aws_lightsail_static_ip: Support resource import (#43672)
resource/aws_opensearch_domain_policy: Support resource import (#43674)
resource/aws_quicksight_user: Add plan-time validation of iam_arn (#43613)
resource/aws_quicksight_user: Change user_name to Optional and Computed (#43613)
resource/aws_quicksight_user: Support IAM_IDENTITY_CENTER as a valid value for identity_type (#43613)
resource/aws_quicksight_user: Support RESTRICTED_AUTHOR and RESTRICTED_READER as valid values for user_role (#43613)
resource/aws_security_group: Add parameterized resource identity support (#43744)
resource/aws_sqs_queue: Increase upper limit of max_message_size from 256 KiB to 1024 KiB (#43710)
resource/aws_ssm_parameter: Add resource identity support (#43736)

BUG FIXES:

ephemeral-resource/aws_lambda_invocation: Fix plan inconsistency issue due to improperly assigned payload values (#43676)
provider: Fix failure to detect resources deleted outside of Terraform as missing for numerous resource types (#43659)
resource/aws_batch_compute_environment: Fix inconsistent final plan error when compute_resource.launch_template.version is unknown during an update (#43337)
resource/aws_bedrockagent_flow: Prevent created_at becoming null on Update (#43654)
resource/aws_ec2_managed_prefix_list: Fix PrefixListVersionMismatch: The prefix list has the incorrect version number errors when updating entry description (#43661)
resource/aws_fsx_lustre_file_system: Fix validation of SSD read cache size for file systems using the Intelligent-Tiering storage class (#43605)
resource/aws_instance: Prevent destruction of resource when disable_api_termination is true (#43722)
resource/aws_kms_key: Restore pre-v6.3.0 retry delay behavior when waiting for continuous target state occurrences. This fixes certain tag update timeouts (#43716)
resource/aws_s3tables_table_bucket: Fix crash on maintenance_configuration read failure (#43707)
resource/aws_sagemaker_image: Fix image_name regular expression validation (#43751)
resource/aws_timestreaminfluxdb_db_instance: Don't mark network_type as ForceNew if the value is not configured. This fixes a problem with terraform apply -refresh=false after upgrade from v5.90.0 and below (#43534)
resource/aws_wafv2_regex_pattern_set: Remove maximum items limit on the regular_expression argument (#43693)

6.7.0 (July 31, 2025)

FEATURES:

New Resource: aws_quicksight_ip_restriction (#43596)
New Resource: aws_quicksight_key_registration (#43587)

ENHANCEMENTS:

data-source/aws_codebuild_fleet: Add instance_type attribute in compute_configuration block (#43449)
data-source/aws_ebs_volume: Add volume_initialization_rate attribute (#43565)
data-source/aws_ecs_service: Support load_balancer attribute (#43582)
data-source/aws_s3_access_point: Add tags attribute. This functionality requires the s3:ListTagsForResource IAM permission with S3 Access Points for general purpose buckets and the s3express:ListTagsForResource IAM permission with S3 Access Points for directory buckets (#43630)
data-source/aws_verifiedpermissions_policy_store: Add deletion_protection attribute (#43452)
resource/aws_athena_workgroup: Add configuration.identity_center_configuration argument (#38717)
resource/aws_cleanrooms_collaboration: Add analytics_engine argument (#43614)
resource/aws_codebuild_fleet: Add instance_type argument in compute_configuration block to support custom instance types (#43449)
resource/aws_ebs_volume: Add volume_initialization_rate argument (#43565)
resource/aws_s3_access_point: Add tags argument and tags_all attribute. This functionality requires the s3:ListTagsForResource, s3:TagResource, and s3:UntagResource IAM permissions with S3 Access Points for general purpose buckets and the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions with S3 Access Points for directory buckets (#43630)
resource/aws_verifiedpermissions_policy_store: Add deletion_protection argument (#43452)

BUG FIXES:

resource/aws_bedrockagent_flow: Fix missing required field, CreateFlowInput.Definition.Nodes[0].Configuration[prompt].SourceConfiguration[resource].PromptArn errors on Create (#43595)
resource/aws_s3_bucket: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
resource/aws_s3_object: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
resource/aws_servicequotas_service_quota: Fix error when updating a pending service quota request (#43606)
resource/aws_ssm_parameter: Fix Provider produced inconsistent final plan errors when changing from using value to using value_wo (#42877)
resource/aws_ssm_parameter: Fix version not being updated when description changes (#42595)

6.6.0 (July 28, 2025)

FEATURES:

New Resource: aws_connect_phone_number_contact_flow_association (#43557)
New Resource: aws_nat_gateway_eip_association (#42591)

ENHANCEMENTS:

data-source/aws_cloudwatch_event_bus: Add log_config attribute (#43453)
data-source/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
feature/aws_bedrock_guardrail: Add cross_region_config, content_policy_config.tier_config, and topic_policy_config.tier_config arguments (#43517)
resource/aws_athena_database: Add workgroup argument (#36628)
resource/aws_batch_compute_environment: Add compute_resources.ec2_configuration.image_kubernetes_version argument (#43454)
resource/aws_cloudwatch_event_bus: Add log_config argument (#43453)
resource/aws_cognito_resource_server: Allow name to be updated in-place (#41702)
resource/aws_cognito_user_pool: Allow name to be updated in-place (#42639)
resource/aws_globalaccelerator_custom_routing_endpoint_group: Add resource identity support (#43539)
resource/aws_globalaccelerator_custom_routing_listener: Add resource identity support (#43539)
resource/aws_globalaccelerator_endpoint_group: Add resource identity support (#43539)
resource/aws_globalaccelerator_listener: Add resource identity support (#43539)
resource/aws_imagebuilder_container_recipe: Add resource identity support (#43540)
resource/aws_imagebuilder_distribution_configuration: Add resource identity support (#43540)
resource/aws_imagebuilder_image: Add resource identity support (#43540)
resource/aws_imagebuilder_image_pipeline: Add resource identity support (#43540)
resource/aws_imagebuilder_image_recipe: Add resource identity support (#43540)
resource/aws_imagebuilder_infrastructure_configuration: Add resource identity support (#43540)
resource/aws_imagebuilder_workflow: Add resource identity support (#43540)
resource/aws_inspector_assessment_target: Add resource identity support (#43542)
resource/aws_inspector_assessment_template: Add resource identity support (#43542)
resource/aws_inspector_resource_group: Add resource identity support (#43542)
resource/aws_nat_gateway: Change secondary_allocation_ids to Optional and Computed (#42591)
resource/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
resource/aws_ssm_service_setting: Support short format (with /ssm/ prefix) for setting_id (#43562)

BUG FIXES:

resource/aws_appsync_api_cache: Fix "missing required field" error during update (#43523)
resource/aws_cloudwatch_log_delivery_destination: Fix update failure when tags are set (#43576)
resource/aws_ecs_service: Fix unspecified test_listener_rule incorrectly being set as empty string in load_balancer.advanced_configuration block (#43558)

6.5.0 (July 24, 2025)

NOTES:

resource/aws_cognito_log_delivery_configuration: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#43396)
resource/aws_ecs_service: Acceptance tests cannot fully reproduce scenarios with deployments older than 3 months. Community feedback on this fix is appreciated, particularly for long-running ECS services with in-place updates (#43502)

FEATURES:

New Data Source: aws_ecr_images (#42577)
New Resource: aws_cognito_log_delivery_configuration (#43396)
New Resource: aws_networkfirewall_firewall_transit_gateway_attachment_accepter (#43430)
New Resource: aws_s3_bucket_metadata_configuration (#41364)

ENHANCEMENTS:

data-source/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn attributes (#43440)
data-source/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, firewall_status.sync_states.attachment.status_message, firewall_status.transit_gateway_attachment_sync_states, transit_gateway_id, and transit_gateway_owner_account_id attributes (#43430)
resource/aws_alb_listener: Add resource identity support (#43161)
resource/aws_alb_listener_rule: Add resource identity support (#43155)
resource/aws_alb_target_group: Add resource identity support (#43171)
resource/aws_dms_endpoint: Add oracle_settings configuration block for authentication method (#43125)
resource/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn arguments (#43440)
resource/aws_dms_endpoint: Add plan-time validation of postgres_settings.database_mode, postgres_settings.map_long_varchar_as, and postgres_settings.plugin_name arguments (#43440)
resource/aws_dms_replication_instance: Add dns_name_servers attribute and kerberos_authentication_settings configuration block for Kerberos authentication settings (#43125)
resource/aws_dx_gateway_association: Add transit_gateway_attachment_id attribute. This functionality requires the ec2:DescribeTransitGatewayAttachments IAM permission (#43436)
resource/aws_globalaccelerator_accelerator: Add resource identity support (#43200)
resource/aws_globalaccelerator_custom_routing_accelerator: Add resource identity support (#43423)
resource/aws_glue_registry: Add resource identity support (#43450)
resource/aws_glue_schema: Add resource identity support (#43450)
resource/aws_iam_openid_connect_provider: Add resource identity support (#43503)
resource/aws_iam_policy: Add resource identity support (#43503)
resource/aws_iam_saml_provider: Add resource identity support (#43503)
resource/aws_iam_service_linked_role: Add resource identity support (#43503)
resource/aws_inspector2_enabler: Support CODE_REPOSITORY as a valid value for resource_types (#43525)
resource/aws_inspector2_organization_configuration: Add auto_enable.code_repository argument (#43525)
resource/aws_lb_listener: Add resource identity support (#43161)
resource/aws_lb_listener_rule: Add resource identity support (#43155)
resource/aws_lb_target_group: Add resource identity support (#43171)
resource/aws_lb_trust_store: Add resource identity support (#43186)
resource/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, and transit_gateway_id arguments and firewall_status.transit_gateway_attachment_sync_states and transit_gateway_owner_account_id attributes (#43430)
resource/aws_networkfirewall_firewall: Mark subnet_mapping and vpc_id as Optional (#43430)
resource/aws_quicksight_account_subscription: Add import support. This resource can now be imported via the aws_account_id argument. (#43501)
resource/aws_sns_topic: Add resource identity support (#43202)
resource/aws_wafv2_rule_group: Add rules_json argument (#43397)
resource/aws_wafv2_web_acl: Add statement.rate_based_statement.custom_key.asn argument (#43506)

BUG FIXES:

provider: Prevent planned forces replacement on region for numerous resource types when upgrading from a pre-v6.0.0 provider version and -refresh=false is in effect (#43516)
resource/aws_api_gateway_resource: Recompute path when path_part is updated (#43215)
resource/aws_bedrockagent_flow: Remove definition.connection and definition.node list length limits (#43471)
resource/aws_ecs_service: Improve stabilization logic to handle both new deployments and in-place updates correctly. This fixes a regression introduced in v6.4.0 (#43502)
resource/aws_instance: Recompute ipv6_addresses when ipv6_address_count is updated (#43158)

6.4.0 (July 17, 2025)

FEATURES:

New Data Source: aws_s3_access_point (#43391)
New Resource: aws_bedrockagent_flow (#42201)
New Resource: aws_fsx_s3_access_point_attachment (#43391)

ENHANCEMENTS:

data-source/aws_bedrock_inference_profiles: Add type argument (#43150)
data-source/aws_lakeformation_resource: Support hybrid_access_enabled, with_federation and with_privileged_access attributes (#43377)
resource/aws_acm_certificate: Support options.export argument to issue an exportable certificate (#43207)
resource/aws_cloudwatch_log_metric_filter: Add apply_on_transformed_logs argument (#43381)
resource/aws_datasync_location_object_storage: Make agent_arns optional (#43400)
resource/aws_ecs_service: Add deployment_configuration argument (#43434)
resource/aws_ecs_service: Add load_balancer.advanced_configuration argument (#43434)
resource/aws_ecs_service: Add service.client_alias.test_traffic_rules argument (#43434)
resource/aws_ecs_service: deployment_controller.type changes no longer force a replacement (#43434)
resource/aws_lakeformation_resource: Support with_privileged_access argument (#43377)
resource/aws_s3_bucket_public_access_block: Add skip_destroy argument (#43415)

BUG FIXES:

resource/aws_bedrockagent_agent_action_group: Correctly set parent_action_group_signature on Read (#43355)
resource/aws_datazone_environment_blueprint_configuration: Fix Inappropriate value for attribute "regional_parameters" errors during planning. This fixes a regression introduced in v6.0.0 (#43382)
resource/aws_ec2_transit_gateway_route_table_propagation: Don't mark transit_gateway_attachment_id as ForceNew if the value is known not to change (#43405)
resource/aws_lambda_function: Fix waiting for Lambda Function (...) version publish: unexpected state '', wanted target 'Successful' errors on Update. This fixes a regression introduced in v6.2.0 (#43416)
resource/aws_lexv2models_slot: Fix error when sub_slot_setting.slot_specification.value_elicitation_setting.prompt_specification.prompt_attempts_specification and value_elicitation_setting.prompt_specification.prompt_attempts_specification have default values (#43358)
resource/aws_securitylake_data_lake: Allow meta_store_role_arn to be updated in-place (#36874)

6.3.0 (July 10, 2025)

FEATURES:

New Resource: aws_prometheus_query_logging_configuration (#43222)

ENHANCEMENTS:

data-source/aws_cloudfront_distribution: Add anycast_ip_list_id attribute (#43196)
data-source/aws_networkmanager_core_network_policy_document: Add core_network_configuration.dns_support and core_network_configuration.security_group_referencing_support arguments (#43277)
resource/aws_cloudfront_distribution: Add anycast_ip_list_id argument (#43196)
resource/aws_dynamodb_table: Add replica.consistency_mode argument in support of multi-Region strong consistency for Amazon DynamoDB global tables (#43236)

BUG FIXES:

provider: Fix runtime error: invalid memory address or nil pointer dereference panics for numerous resource types when modifying tags (#43324)
resource/aws_bedrockagent_agent_action_group: Add missing prepare agent call when deleting an action group (#43232)
resource/aws_bedrockagent_agent_action_group: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent action group base creation, update, and deletion. (#43232)
resource/aws_bedrockagent_agent_knowledge_base_association: Add missing prepare agent call when deleting a knowledge base association (#43232)
resource/aws_bedrockagent_agent_knowledge_base_association: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent knowledge base creation and disassociation (#43232)
resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix errant deletion of key value pairs when a value is changed (#43208)
resource/aws_cognito_user_pool_domain: Correctly update managed_login_version for custom Cognito domains (#43252)
resource/aws_db_instance_role_association: Retry InvalidDBInstanceState errors on delete (#43303)
resource/aws_medialive_channel: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration blocks are empty (#43308)
resource/aws_rds_cluster_role_association: Retry InvalidDBClusterStateFault errors on delete (#43303)
resource/aws_redshift_cluster: Correctly set availability_zone_relocation_enabled (#43270)
resource/aws_route53profiles_resource_association: Change resource_properties to Computed to enable vpc_endpoint associations (#42562)
resource/aws_ssoadmin_application: Updates value of arn when refreshing state. (#43273)

6.2.0 (July 2, 2025)

NOTES:

resource/aws_s3_bucket_object: The format of the id attribute has changed from key to bucket/key. All configurations using id should be updated to use the key attribute instead (#43119)
resource/aws_s3_object: The format of the id attribute has changed from key to bucket/key. All configurations using id should be updated to use the key attribute instead (#43119)

ENHANCEMENTS:

data-source/aws_kinesis_stream_consumer: Add tags attribute. This functionality requires the kinesis:ListTagsForResource IAM permission (#43173)
data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection attribute (#43137)
resource/aws_accessanalyzer_analyzer: Add configuration.internal_access argument (#43138)
resource/aws_amplify_app: Add job_config argument (#43136)
resource/aws_amplify_branch: Add enable_skew_protection argument (#43218)
resource/aws_cloudtrail: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
resource/aws_cloudtrail_event_data_store: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
resource/aws_cloudwatch_event_archive: Add kms_key_identifier argument (#43139)
resource/aws_cloudwatch_log_group: Support DELIVERY as a valid value for log_group_class (#42658)
resource/aws_codebuild_project: Add environment.docker_server configuration block (#42982)
resource/aws_eks_pod_identity_association: Add disable_session_tags and target_role_arn arguments and external_id attribute (#42979)
resource/aws_emr_cluster: Add os_release_label argument (#43018)
resource/aws_fms_policy: Add resource_tag_logical_operator argument (#43031)
resource/aws_glue_job: Support job_mode argument (#42607)
resource/aws_kinesis_stream_consumer: Add tags argument and tags_all attribute. This functionality requires the kinesis:ListTagsForResource, kinesis:TagResource, and kinesis:UntagResource IAM permissions (#43173)
resource/aws_kms_key: Support HMAC_224, HMAC_384, HMAC_512, ML_DSA_44, ML_DSA_65, and ML_DSA_87 as valid values for customer_master_key_spec (#43128)
resource/aws_lightsail_instance_public_ports: -1 is now a valid value for port_info.from_port and port_info.to_port (#37703)
resource/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection argument (#43137)
resource/aws_rbin_rule: Add exclude_resource_tags argument (#43189)
resource/aws_s3_directory_bucket: Add tags argument and tags_all attribute. This functionality requires the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions (#43256)
resource/aws_s3tables_table: Add metadata argument (#43112)
resource/aws_wafv2_web_acl: Add aws_managed_rules_anti_ddos_rule_set to managed_rule_group_configs configuration block in support of L7 DDoS protection (#43149)

BUG FIXES:

provider: Fix Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#43221)
resource/aws_appflow_connector_profile: Fixes error refreshing resource state (#43221)
resource/aws_bcmdataexports_export: Fixes error when refreshing state with resources created before v6.0.0 (#43090)
resource/aws_bedrockagent_agent: Retry Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#43179)
resource/aws_bedrockagent_agent: Retry Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#43179)
resource/aws_bedrockagent_agent: Retry Update operation can't be performed on Agent when it is in Preparing state. errors during update (#43179)
resource/aws_bedrockagent_agent_collaborator: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#43179)
resource/aws_cloudwatch_query_definition: Support ARNs as valid values for log_group_names (#43183)
resource/aws_cur_report_definition: Allow an empty ("") value for s3_prefix. This fixes a regression introduced in v6.0.0 (#43159)
resource/aws_elasticsearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
resource/aws_elasticsearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
resource/aws_lambda_function: Fix perpetual logging_config diffs when log_format is set to JSON and publish = true (#42660)
resource/aws_lexv2models_intent: Add semantic equality check for confirmation_setting.prompt_specification.prompt_attempts_specification defaults (#43147)
resource/aws_opensearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
resource/aws_opensearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
resource/aws_quicksight_analysis: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_dashboard: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_template: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
resource/aws_quicksight_user: Remove ForceNew from email (#43014)
resource/aws_verifiedpermissions_schema: Fix Value Conversion Error errors when upgrading existing resources to Terraform AWS Provider v6.0.0 (#43116)

6.1.0 (June 26, 2025)

Important

Terraform AWS Provider version v6.1.0 was removed from the Terraform Registry shortly after release due to a significant bug that could not be remediated quickly.

All changes originally included in the removed release are included in version v6.2.0.

6.0.0 (June 18, 2025)

BREAKING CHANGES:

data-source/aws_ami: The severity of the diagnostic returned when most_recent is true and owner and image ID filter criteria has been increased to an error. Existing configurations which were previously receiving a warning diagnostic will now fail to apply. To prevent this error, set the owner argument or include a filter block with an image-id or owner-id name/value pair. To continue using unsafe filter values with most_recent set to true, set the new allow_unsafe_filter argument to true. This is not recommended. (#42114)
data-source/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_ecs_task_execution: Remove inference_accelerator_overrides attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_elbv2_listener_rule: The action.authenticate_cognito, action.authenticate_oidc, action.fixed_response, action.forward, action.forward.stickiness, action.redirect, condition.host_header, condition.http_header, condition.http_request_method, condition.path_pattern, condition.query_string, and condition.source_ip attributes are now list nested blocks instead of single nested blocks (#42283)
data-source/aws_identitystore_user: filter has been removed (#42325)
data-source/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
data-source/aws_launch_template: elastic_gpu_specifications has been removed (#42312)
data-source/aws_opensearch_domain: kibana_endpoint has been removed (#42268)
data-source/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#42270)
data-source/aws_service_discovery_service: Remove tags_all attribute (#42136)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_application resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_custom_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ecs_cluster_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ganglia_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_haproxy_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_instance resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_java_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_memcached_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_mysql_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_nodejs_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_permission resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_php_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rails_app_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rds_db_instance resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_stack resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_static_web_layer resource has been removed (#41948)
provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_user_profile resource has been removed (#41948)
provider: As the AWS SDK for Go v2 does not support Amazon SimpleDB the aws_simpledb_domain resource has been removed. Add a constraint to v5 of the Terraform AWS Provider for continued use of this resource (#41775)
provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_fleet resource has been removed (#42059)
provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_website_certificate_authority_association resource has been removed (#42059)
provider: The aws_redshift_service_account resource has been removed. AWS recommends that a service principal name should be used instead of an AWS account ID in any relevant IAM policy (#41941)
provider: The endpoints.iotanalytics and endpoints.iotevents configuration arguments have been removed (#42703)
provider: The endpoints.opsworks configuration argument has been removed (#41948)
provider: The endpoints.simpledb and endpoints.sdb configuration arguments have been removed (#41775)
provider: The endpoints.worklink configuration argument has been removed (#42059)
resource/aws_accessanalyzer_archive_rule: filter.exists now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_alb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_api_gateway_account: The reset_on_delete argument has been removed (#42226)
resource/aws_api_gateway_deployment: Remove canary_settings, execution_arn, invoke_url, stage_description, and stage_name arguments. Instead, use the aws_api_gateway_stage resource to manage stages. (#42249)
resource/aws_batch_compute_environment: Rename compute_environment_name to name resource/aws_batch_compute_environment: Rename compute_environment_name_prefix to name_prefix (#38050)
resource/aws_batch_compute_environment_data_source: Rename compute_environment_name to name (#38050)
resource/aws_batch_job_queue: Remove deprecated parameter compute_environments in place of compute_environment_order (#40751)
resource/aws_bedrock_model_invocation_logging_configuration: logging_config, logging_config.cloudwatch_config, logging_config.cloudwatch_config.large_data_delivery_s3_config, and logging_config.s3_config are now list nested blocks instead of single nested blocks (#42307)
resource/aws_cloudfront_key_value_store: Attribute id is now set to remote object's Id instead of name (#42230)
resource/aws_cloudfront_response_headers_policy: The etag argument is now computed only (#38448)
resource/aws_cloudtrail_event_data_store: suspend now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_cognito_user_in_group: The id attribute is now a comma-delimited string concatenating the user_pool_id, group_name, and username arguments (#34082)
resource/aws_cur_report_definition: The s3_prefix argument is now required (#38446)
resource/aws_db_instance: character_set_name now cannot be set with replicate_source_db, restore_to_point_in_time, s3_import, or snapshot_identifier. (#42348)
resource/aws_dms_endpoint: Remove s3_settings attribute. Use aws_dms_s3_endpoint instead (#42379)
resource/aws_dx_gateway_association: vpn_gateway_id has been removed (#42323)
resource/aws_ec2_spot_instance_fleet: terminate_instances_on_delete now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_ec2_spot_instance_request: Remove block_duration_minutes attribute (#42060)
resource/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
resource/aws_eip: vpc has been removed. Use domain instead. (#42340)
resource/aws_eks_addon: resolve_conflicts has been removed. Use resolve_conflicts_on_create and resolve_conflicts_on_update instead. (#42318)
resource/aws_elasticache_cluster: auto_minor_version_upgrade now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_elasticache_replication_group: at_rest_encryption_enabled and auto_minor_version_upgrade now only accept one of "" (empty string), true, or false (#42434)
resource/aws_elasticache_replication_group: auth_token_update_strategy no longer has a default value. If auth_token is set, auth_token_update_strategy must also be explicitly configured. (#42336)
resource/aws_evidently_feature: variations.value.bool_value now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_flow_log: log_group_name has been removed. Use log_destination instead. (#42333)
resource/aws_globalaccelerator_accelerator: The id attribute is now computed only (#42097)
resource/aws_guardduty_detector: Deprecates datasources. Use aws_guardduty_detector_feature resources instead. (#42436)
resource/aws_guardduty_organization_configuration: The auto_enable attribute has been removed (#42251)
resource/aws_identitystore_group: filter has been removed (#42325)
resource/aws_imagebuilder_container_recipe: instance_configuration.block_device_mapping.ebs.delete_on_termination and instance_configuration.block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
resource/aws_imagebuilder_image_recipe: block_device_mapping.ebs.delete_on_termination and block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#42434)
resource/aws_instance: Remove cpu_core_count and cpu_threads_per_core. Instead, use cpu_options. (#42280)
resource/aws_instance: user_data now displays cleartext instead of a hash. Base64 encoded content should use user_data_base64 instead. (#42078)
resource/aws_launch_template: block_device_mappings.ebs.delete_on_termination, block_device_mappings.ebs.encrypted, ebs_optimized, network_interfaces.associate_carrier_ip_address, network_interfaces.associate_public_ip_address, network_interfaces.delete_on_termination, and network_interfaces.primary_ipv6 now only accept one of "" (empty string), true, or false (#42434)
resource/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#42137)
resource/aws_launch_template: elastic_gpu_specifications has been removed (#42312)
resource/aws_lb_listener: mutual_authentication attributes advertise_trust_store_ca_names, ignore_client_certificate_expiry, and trust_store_arn are only valid if mode is verify (#42326)
resource/aws_lb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_mq_broker: logs.audit now only accepts one of "" (empty string), true, or false (#42434)
resource/aws_networkmanager_core_network: The base_policy_region argument has been removed. Use base_policy_regions instead. (#38398)
resource/aws_opensearch_domain: kibana_endpoint has been removed (#42268)
resource/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#42270)
resource/aws_paymentcryptography_key: key_attributes and key_attributes.key_modes_of_use are now list nested blocks instead of single nested blocks. (#42264)
resource/aws_quicksight_data_set: tags_all has been removed (#42260)
resource/aws_redshift_cluster: Attributes cluster_public_key, cluster_revision_number, and endpoint are now read only and should not be set (#42119)
resource/aws_redshift_cluster: The logging attribute has been removed (#42013)
resource/aws_redshift_cluster: The publicly_accessible attribute now defaults to false (#41978)
resource/aws_redshift_cluster: The snapshot_copy attribute has been removed (#41995)
resource/aws_rekognition_stream_processor: regions_of_interest.bounding_box is now a list nested block instead of a single nested block (#41380)
resource/aws_resiliencehub_resiliency_policy: policy, policy.az, policy.hardware, policy.software, and policy.region are now list nested blocks instead of single nested blocks (#42297)
resource/aws_sagemaker_app_image_config: Exactly one code_editor_app_image_config, jupyter_lab_image_config, or kernel_gateway_image_config block must be configured (#42753)
resource/aws_sagemaker_image_version: id is now a comma-delimited string concatenating image_name and version (#42536)
resource/aws_sagemaker_notebook_instance: Remove accelerator_types from your configuration—it no longer exists. Instead, use instance_type to use Inferentia. (#42099)
resource/aws_ssm_association: Remove instance_id argument (#42224)
resource/aws_verifiedpermissions_schema: definition is now a list nested block instead of a single nested block (#42305)
resource/aws_wafv2_web_acl: rule.statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_bot_control_rule_set.enable_machine_learning now defaults to false (#39858)

NOTES:

data-source/aws_cloudtrail_service_account: This data source is deprecated. AWS recommends using a service principal name instead of an AWS account ID in any relevant IAM policy. (#42320)
data-source/aws_kms_secret: This data source will be removed in a future version (#42524)
data-source/aws_region: The name attribute has been deprecated. All configurations using name should be updated to use the region attribute instead (#42131)
data-source/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
data-source/aws_servicequotas_templates: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
data-source/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)
data-source/aws_vpc_endpoint_service: The region attribute has been deprecated. All configurations using region should be updated to use the service_region attribute instead (#42014)
data-source/aws_vpc_peering_connection: The region attribute has been deprecated. All configurations using region should be updated to use the requester_region attribute instead (#42014)
provider: Support for the global S3 endpoint is deprecated, along with the s3_us_east_1_regional_endpoint argument. The ability to use the global S3 endpoint will be removed in v7.0.0. (#42375)
resource/aws_cloudformation_stack_set_instance: The region attribute has been deprecated. All configurations using region should be updated to use the stack_set_instance_region attribute instead (#42014)
resource/aws_codeconnections_host: Deprecates id in favor of arn (#42232)
resource/aws_config_aggregate_authorization: The region attribute has been deprecated. All configurations using region should be updated to use the authorized_aws_region attribute instead (#42014)
resource/aws_dx_hosted_connection: The region attribute has been deprecated. All configurations using region should be updated to use the connection_region attribute instead (#42014)
resource/aws_elasticache_replication_group: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elasticache_user: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elasticache_user_group: The ability to provide an uppercase engine value is deprecated (#42419)
resource/aws_elastictranscoder_pipeline: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#42313)
resource/aws_elastictranscoder_preset: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#42313)
resource/aws_evidently_feature: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_launch: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_project: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_evidently_segment: This resource is deprecated. Use AWS AppConfig feature flags instead. (#42227)
resource/aws_guardduty_organization_configuration: datasources now returns a deprecation warning (#42251)
resource/aws_kinesis_analytics_application: Effective January 27, 2026, AWS will no longer support Kinesis Data Analytics for SQL. This resource is deprecated and will be removed in a future version. Use the aws_kinesisanalyticsv2_application resource instead (#42102)
resource/aws_media_store_container: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#42265)
resource/aws_media_store_container_policy: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#42265)
resource/aws_redshift_cluster: The default value of encrypted is now true to match the AWS API. (#42631)
resource/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#42014)
resource/aws_service_discovery_service: health_check_custom_config.failure_threshold is deprecated. The argument is no longer supported by AWS and is always set to 1 (#40777)
resource/aws_servicequotas_template: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#42131)
resource/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#42014)

ENHANCEMENTS:

data-source/aws_ami: Add allow_unsafe_filter argument (#42114)
data-source/aws_availability_zone: Add group_long_name attribute (#42014)
data-source/aws_availability_zone: Mark region as Optional, allowing a value to be configured (#42014)
resource/aws_auditmanager_assessment: Add plan-time validation of roles.role_arn and roles.role_type (#42131)
provider: Add enhanced region support to most resources, data sources, and ephemeral resources, allowing per-resource Region targeting without requiring multiple provider configurations. See the Enhanced Region Support guide for more information. (#43075)
resource/aws_auditmanager_control: Add plan-time validation of control_mapping_sources.source_frequency, control_mapping_sources.source_set_up_option, and control_mapping_sources.source_type (#42131)
resource/aws_auditmanager_framework_share: Add plan-time validation of destination_account (#42741)
resource/aws_auditmanager_organization_admin_account_registration: Add plan-time validation of admin_account_id (#42741)
resource/aws_cognito_user_in_group: Add import support (#34082)
resource/aws_ecs_service: Add arn attribute (#42733)
resource/aws_guardduty_detector: Adds validation to finding_publishing_frequency. (#42436)
resource/aws_lb_listener: mutual_authentication attribute trust_store_arn is required if mode is verify (#42326)
resource/aws_quicksight_iam_policy_assignment: Add plan-time validation of policy_arn (#42131)
resource/aws_sagemaker_image_version: Add aliases argument (#42610)
resource/aws_securitylake_subscriber: Add plan-time validation of access_type source.aws_log_source_resource.source_name, and subscriber_identity.external_id (#42131)

BUG FIXES:

resource/aws_auditmanager_control: Fix Provider produced inconsistent result after apply errors (#42131)
resource/aws_redshift_cluster: Fixes permanent diff when encrypted is not explicitly set to true. (#42631)
resource/aws_rekognition_stream_processor: Fix regions_of_interest.bounding_box and regions_of_interest.polygon argument validation (#41380)
resource/aws_sagemaker_image_version: Read the correct image version after creation rather than always fetching the latest (#42536)
resource/aws_securitylake_subscriber: Change access_type to ForceNew (#42131)

Previous Releases

For information on prior major releases, see their changelogs:

FilesExpand file tree

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

6.43.0 (Unreleased)

6.42.0 (April 22, 2026)

6.41.0 (April 15, 2026)

6.40.0 (April 8, 2026)

6.39.0 (April 1, 2026)

6.38.0 (March 25, 2026)

6.37.0 (March 18, 2026)

6.36.0 (March 11, 2026)

6.35.1 (March 5, 2026)

6.35.0 (March 4, 2026)

6.34.0 (February 25, 2026)

6.33.0 (February 18, 2026)

6.32.1 (February 13, 2026)

6.32.0 (February 11, 2026)

6.31.0 (February 4, 2026)

6.30.0 (January 28, 2026)

6.29.0 (January 28, 2026)

6.28.0 (January 7, 2026)

6.27.0 (December 17, 2025)

6.26.0 (December 10, 2025)

6.25.0 (December 4, 2025)

6.24.0 (December 2, 2025)

6.23.0 (November 26, 2025)

6.22.1 (November 21, 2025)

6.22.0 (November 20, 2025)

6.21.0 (November 13, 2025)

6.20.0 (November 6, 2025)

6.19.0 (October 30, 2025)

6.18.0 (October 23, 2025)

6.17.0 (October 16, 2025)

6.16.0 (October 9, 2025)

6.15.0 (October 2, 2025)

6.14.1 (September 22, 2025)

6.14.0 (September 18, 2025)

6.13.0 (September 11, 2025)

6.12.0 (September 4, 2025)

6.11.0 (August 28, 2025)

6.10.0 (August 21, 2025)

6.9.0 (August 14, 2025)

6.8.0 (August 7, 2025)

6.7.0 (July 31, 2025)

6.6.0 (July 28, 2025)

6.5.0 (July 24, 2025)

6.4.0 (July 17, 2025)

6.3.0 (July 10, 2025)

6.2.0 (July 2, 2025)

6.1.0 (June 26, 2025)

6.0.0 (June 18, 2025)

Previous Releases