Update Terraform aws to v6

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	5.60.0 → 6.50.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.50.0

Compare Source

NOTES:

• resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the behavior of private_endpoint, it is best effort and we ask for community help in testing (#​47602)

FEATURES:

• New List Resource: aws_bedrockagentcore_policy (#​47971)
• New List Resource: aws_cloudwatch_log_s3_table_integration_source (#​48190)
• New List Resource: aws_ecs_daemon (#​47562)
• New List Resource: aws_ecs_daemon_task_definition (#​47562)
• New Resource: aws_bedrockagentcore_policy (#​47971)
• New Resource: aws_cloudwatch_log_s3_table_integration_source (#​48190)
• New Resource: aws_ecs_daemon (#​47562)
• New Resource: aws_ecs_daemon_task_definition (#​47562)
• New Resource: aws_observabilityadmin_s3_table_integration (#​48190)

ENHANCEMENTS:

• provider: Add Linux s390x support (#​48272)
• resource/aws_bedrockagentcore_agent_runtime: Add AGUI as a valid value for protocol_configuration.server_protocol (#​47906)
• resource/aws_bedrockagentcore_gateway: Add policy_engine_configuration configuration block (#​47818)
• resource/aws_bedrockagentcore_gateway_target: Add listing_mode argument to the target_configuration.mcp.mcp_server configuration block (#​48225)
• resource/aws_bedrockagentcore_gateway_target: Add private_endpoint argument to support private connectivity to VPC-hosted MCP servers via Amazon VPC Lattice (#​47602)
• resource/aws_bedrockagentcore_memory: Add indexed_key and stream_delivery_resources arguments (#​48240)

BUG FIXES:

• data-source/aws_secretsmanager_secret_version: Fix eventual consistency issues that could result in couldn't find resource errors when reading a version immediately after creation (#​48318)
• resource/aws_cloudwatch_log_subscription_filter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role IAM eventual consistency errors on Create and Update (#​48255)
• resource/aws_datazone_project: Fix import separator to match the expected format. (#​48271)
• resource/aws_default_route_table: Fix perpetual drift on route.gateway_id when route.odb_network_arn is configured (#​48239)
• resource/aws_ecs_express_gateway_service: Fix "inconsistent result after apply" error for network_configuration[0].security_groups when using network_configuration. ec2:DescribeSecurityGroups IAM permission is newly required. (#​47944)
• resource/aws_ecs_express_gateway_service: Fix Resource Already Exists error when recreating a service after deletion (#​48098)
• resource/aws_elasticsearch_domain: Fix unexpected state error during engine version upgrade (#​47316)
• resource/aws_kinesis_firehose_delivery_stream: Fix InvalidArgumentException errors when creating or updating extended_s3_configuration in AWS partitions that do not support the custom_time_zone and file_extension attributes (#​48284)
• resource/aws_route: Fix perpetual drift on gateway_id when odb_network_arn is configured (#​48239)
• resource/aws_route_table: Fix perpetual drift on route.gateway_id when route.odb_network_arn is configured (#​48239)
• resource/aws_secretsmanager_secret_version: Fix Provider produced inconsistent final plan errors when secret_string or secret_string_wo_version references a resource being created or replaced in the same apply (#​48318)
• resource/aws_secretsmanager_secret_version: Fix eventual consistency issues on resource creation that could result in version_stages being empty in state (#​48318)
• resource/aws_secretsmanager_secret_version: Fix unnecessary resource replacement when switching between secret_string and secret_string_wo (or vice versa) without changing the secret value (#​48318)

v6.49.0

Compare Source

ENHANCEMENTS:

• data-source/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url attribute (#​48146)
• data-source/aws_opensearchserverless_collection_group: Add generation attribute (#​48125)
• resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.session_configuration block (#​48179)
• resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.streaming_configuration block (#​48179)
• resource/aws_cloudfront_function: Add tags and tags_all arguments (#​47916)
• resource/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url argument (#​48146)
• resource/aws_opensearchserverless_collection_group: Add generation argument (#​48125)

BUG FIXES:

• resource/aws_bedrockagentcore_gateway_target: Fix runtime error: slice bounds out of range [1:0] panics when refreshing state. This fixes a regression introduced in v6.48.0 (#​48215)

v6.48.0

Compare Source

NOTES:

• resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the ``credential_provider_configuration.gateway_iam_role` SigV4 functionality, it is best effort and we ask for community help in testing (#​47626)

FEATURES:

• New Data Source: aws_ec2_hosts (#​47986)
• New List Resource: aws_cleanrooms_membership (#​48166)
• New List Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)
• New Resource: aws_ec2_local_gateway_route_table (#​48013)
• New Resource: aws_ec2_local_gateway_route_table_virtual_interface_group_association (#​48014)
• New Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)

ENHANCEMENTS:

• data-source/aws_ec2_host: Add state, allocation_time, release_time, host_maintenance, host_reservation_id, availability_zone_id, allows_multiple_instance_types, member_of_service_linked_resource_group, instances, and available_capacity attributes (#​47991)
• data-source/aws_kinesis_stream: Add warm_throughput attribute (#​48152)
• data-source/aws_lb: Add enable_prefix_for_ipv6_source_nat attribute (#​40431)
• data-source/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
• resource/aws_bedrockagentcore_gateway: Mark protocol_type as Optional. Omit it to create a gateway that routes traffic directly to HTTP targets (e.g. AgentCore Runtime) (#​47897)
• resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.caller_iam_credentials and credential_provider_configuration.jwt_passthrough arguments (#​47780)
• resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.gateway_iam_role.service and credential_provider_configuration.gateway_iam_role.region arguments to enable SigV4 signing of upstream requests for mcp_server targets pointing at AWS-hosted endpoints (#​47626)
• resource/aws_bedrockagentcore_gateway_target: Add target_configuration.http argument (#​47897)
• resource/aws_cleanrooms_membership: Add resource identity support (#​48166)
• resource/aws_datazone_asset_type: Add resource identity support (#​48136)
• resource/aws_datazone_domain: Add resource identity support (#​48136)
• resource/aws_datazone_environment: Add resource identity support (#​48136)
• resource/aws_datazone_environment_blueprint_configuration: Add global_parameters argument (#​44857)
• resource/aws_datazone_environment_blueprint_configuration: Add resource identity support (#​48136)
• resource/aws_datazone_environment_profile: Add resource identity support (#​48136)
• resource/aws_datazone_form_type: Add resource identity support (#​48136)
• resource/aws_datazone_glossary: Add resource identity support (#​48136)
• resource/aws_datazone_glossary_term: Add resource identity support (#​48136)
• resource/aws_datazone_project: Add resource identity support (#​48136)
• resource/aws_datazone_user_profile: Add resource identity support (#​48136)
• resource/aws_kinesis_firehose_delivery_stream: Add Resource Identity support (#​48186)
• resource/aws_kinesis_stream: Add Resource Identity support (#​48152)
• resource/aws_kinesis_stream: Add warm_throughput_mib_ps argument. This functionality requires the kinesis:UpdateStreamWarmThroughput IAM permission (#​48152)
• resource/aws_kinesis_stream: Add plan-time validation of shard_level_metrics (#​48152)
• resource/aws_kinesis_stream_consumer: Add Resource Identity support (#​48152)
• resource/aws_lb: Add enable_prefix_for_ipv6_source_nat argument (#​40431)
• resource/aws_observabilityadmin_telemetry_rule: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
• resource/aws_observabilityadmin_telemetry_rule_for_organization: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
• resource/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
• resource/aws_osis_pipeline: Adds resource identity (#​48155)
• resource/aws_vpc_ipam_pool_cidr_allocation: Add tagging support (#​48084)

BUG FIXES:

• resource/aws_api_gateway_rest_api: Fix OpenAPI body-managed x-amazon-apigateway-policy updates being overwritten by prior policy state (#​48118)
• resource/aws_bedrockagentcore_gateway: Fix ValidationException: Gateway with ID: ... has targets associated with it. Delete all targets before deleting the gateway errors on delete (#​47626)
• resource/aws_bedrockagentcore_gateway_target: Include FAILED and SYNCHRONIZING as pending states while a target is deleting (#​47626)
• resource/aws_db_instance_automated_backups_replication: Fix InvalidDBInstanceState: Cannot create a snapshot because the database instance ... is not currently in the available state errors on delete (#​46687)
• resource/aws_elasticache_replication_group: Fix CacheClusterNotFound when enabling snapshots after the primary cache cluster has been changed away from -001, and InvalidParameterCombination when enabling snapshots on cluster mode enabled groups (#​46326)
• resource/aws_kinesis_firehose_delivery_stream: Fix ValidationException: Unknown parameter: ExtendedS3DestinationConfiguration.CustomTimeZone errors in AWS partitions which do not yet support selecting a time zone for bucket prefixes (#​48186)
• resource/aws_lambda_alias: Fix plan drift caused by transient routing weights appearing in state after updating function_version (#​48116)
• resource/aws_lambda_provisioned_concurrency_config: Fix InvalidParameterValueException: Alias with weights can not be used with Provisioned Concurrency error when updating provisioned concurrency simultaneously with alias version change (#​48116)
• resource/aws_s3_bucket_versioning: Fix perpetual drift on versioning_configuration.mfa_delete when status is Disabled (#​48161)

v6.47.0

Compare Source

FEATURES:

• New List Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
• New List Resource: aws_bedrockagentcore_policy_engine (#​47108)
• New List Resource: aws_bedrockagentcore_resource_policy (#​46844)
• New List Resource: aws_s3control_multi_region_access_point (#​48081)
• New List Resource: aws_s3control_multi_region_access_point_routes (#​48081)
• New Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
• New Resource: aws_bedrockagentcore_policy_engine (#​47108)
• New Resource: aws_bedrockagentcore_resource_policy (#​46844)
• New Resource: aws_s3control_multi_region_access_point_routes (#​47994)

ENHANCEMENTS:

• data-source/aws_arn: Deprecates id in favor of arn (#​48036)
• data-source/aws_default_tags: Deprecates id (#​48036)
• data-source/aws_ip_ranges: Deprecates id (#​48036)
• data-source/aws_partition: Deprecates id in favor of partition (#​48036)
• data-source/aws_region: Deprecates id in favor of region (#​48036)
• data-source/aws_regions: Deprecates id (#​48036)
• data-source/aws_route: Add odb_network_arn attribute (#​48027)
• data-source/aws_route_table: Add routes.odb_network_arn attribute (#​48027)
• data-source/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
• data-source/aws_secretsmanager_secret_versions: Deprecates arn in favor of secret_arn. (#​48033)
• data-source/aws_secretsmanager_secret_versions: Deprecates name in favor of secret_name. (#​48033)
• data-source/aws_service: Deprecates id in favor of reverse_dns_name (#​48036)
• data-source/aws_transfer_server: Add ip_address_type attribute (#​48039)
• resource/aws_acm_certificate: Add private_key_wo write-only argument and private_key_wo_version argument (#​44414)
• resource/aws_arcregionswitch_plan: Add step.rds_promote_read_replica_config, step.rds_create_cross_region_read_replica_config, and report_configuration arguments (#​46965)
• resource/aws_eks_cluster: Add CGNAT IP address ranges as valid private range (#​47988)
• resource/aws_eks_cluster: Make remote_node_networks field in remote_network_config optional (#​47988)
• resource/aws_eks_cluster: Remove conflict between outpost_config and remote_network_config (#​47988)
• resource/aws_msk_replicator: Add support for log_delivery configuration block (#​48054)
• resource/aws_quicksight_data_source: Add parameters.athena.role_arn argument to allow override an account-wide role for a specific Athena data source (#​44666)
• resource/aws_route: Add odb_network_arn argument (#​48027)
• resource/aws_route: Add plan-time validation of core_network_arn (#​48027)
• resource/aws_route_table: Add route.odb_network_arn argument (#​48027)
• resource/aws_route_table: Add plan-time validation of route.core_network_arn (#​48027)
• resource/aws_s3control_multi_region_access_point: Add resource identity support (#​48081)
• resource/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
• resource/aws_ssm_resource_data_sync: Add s3_destination.destination_data_sharing argument (#​21996)
• resource/aws_transfer_server: Add ip_address_type argument (#​48039)

BUG FIXES:

• data-source/aws_secretsmanager_secret_versions: Polulates versions.*.last_accessed_date. (#​48033)
• provider: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
• resource/aws_dynamodb_table: Ensure diffs are shown for GSI hash key type changes (#​47867)
• resource/aws_eks_cluster: Change securityGroupIds logic in flattenVPCConfigResponse() for Outpost clusters (#​47988)
• resource/aws_instance: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
• resource/aws_lb: Fix Provider produced inconsistent final plan errors and force resource recreation for Network Load Balancers when no security groups were initially configured and updated security groups are unknown at plan-time (#​46695)
• resource/aws_msk_replicator: Mark replication_info_list.consumer_group_replication.consumer_groups_to_exclude as Computed (#​48054)
• resource/aws_msk_replicator: Mark replication_info_list.topic_replication.topics_to_exclude as Computed (#​48054)

v6.46.0

Compare Source

NOTES:

• resource/aws_xray_resource_policy: Changes to policy_name now force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updating policy_name would leave an orphaned policy with the old name in AWS (#​47948)

FEATURES:

• New List Resource: aws_bedrockagentcore_harness (#​47725)
• New List Resource: aws_iam_access_key (#​47966)
• New List Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
• New List Resource: aws_route53_vpc_association_authorization (#​47905)
• New List Resource: aws_route53_zone_association (#​47950)
• New List Resource: aws_securityhub_automation_rule_v2 (#​47677)
• New Resource: aws_bedrockagentcore_harness (#​47725)
• New Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
• New Resource: aws_securityhub_automation_rule_v2 (#​47677)
• New Resource: aws_xray_indexing_rule (#​47975)
• New Resource: aws_xray_trace_segment_destination (#​47961)

ENHANCEMENTS:

• data-source/aws_ec2_local_gateway_virtual_interface: Add outpost_lag_id and local_gateway_virtual_interface_group_id attributes (#​47974)
• data-source/aws_opensearch_domain: Add jwt_options block to fix "Invalid address to set" error (#​47874)
• resource/aws_bedrockagent_agent: Increase maximum value of idle_session_ttl_in_seconds from 3600 to 5400 to match the AWS API limit (#​47890)
• resource/aws_bedrockagentcore_agent_runtime: Add filesystem_configuration argument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#​47810)
• resource/aws_cloudfront_distribution: Add cache_tag_config configuration block (#​47872)
• resource/aws_iam_access_key: Add resource identity support (#​47966)
• resource/aws_route53_vpc_association_authorization: Add resource identity support (#​47905)
• resource/aws_route53_zone_association: Add resource identity support (#​47950)
• resource/aws_vpclattice_resource_gateway: Add resource_config_dns_resolution argument (#​47879)
• resource/aws_xray_resource_policy: Add Resource Identity support (#​47948)
• resource/aws_xray_sampling_rule: Add Resource Identity support (#​47948)

BUG FIXES:

• resource/aws_s3_bucket: Defer to the corresponding dedicated standalone resource for each deprecated nested attribute (acceleration_status, acl, cors_rule, grant, lifecycle_rule, logging, object_lock_configuration, policy, replication_configuration, request_payer, server_side_encryption_configuration, versioning, website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#​47962)
• resource/aws_s3_bucket: Fix InvalidRequest: SourceSelectionCriteria cannot be empty errors on unrelated updates (e.g. tags) when replication is managed by the dedicated aws_s3_bucket_replication_configuration resource using replica_modifications (#​47962)
• resource/aws_xray_resource_policy: Fix Provider returned invalid result object after apply errors on Update (#​47948)
• resource/aws_xray_resource_policy: Mark policy_name as as ForceNew (#​47948)

v6.45.0

Compare Source

FEATURES:

• New List Resource: aws_observabilityadmin_telemetry_rule (#​47857)
• New List Resource: aws_securityhub_connector_v2 (#​47678)
• New Resource: aws_observabilityadmin_telemetry_evaluation (#​47799)
• New Resource: aws_observabilityadmin_telemetry_evaluation_for_organization (#​47808)
• New Resource: aws_observabilityadmin_telemetry_rule (#​47857)
• New Resource: aws_securityhub_aggregator_v2 (#​47651)
• New Resource: aws_securityhub_connector_v2 (#​47678)

ENHANCEMENTS:

• resource/aws_lambda_function: Add support for ruby4.0 as a runtime value (#​47841)
• resource/aws_lambda_function: Support mounting Amazon S3 buckets as file systems with S3 Files (#​47838)
• resource/aws_lambda_layer_version: Add support for ruby4.0 as a compatible_runtimes value (#​47841)
• resource/aws_secretsmanager_secret_version: Allow switching from secret_string to secret_string_wo without re-creating the resource. (#​47815)
• resource/aws_timestreaminfluxdb_db_instance: Add maintenance_schedule configuration block (#​47853)

BUG FIXES:

• resource/aws_elasticache_cluster: Fixed by removing valkey as an engine option to keep an alignment with aws sdk CreateCacheCluster (#​45017)
• resource/aws_elasticache_replication_group: Fix engine_version returning full patch version instead of minor version for Valkey engine (#​46109)
• resource/aws_elasticache_replication_group: Fix engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#​46109)
• resource/aws_grafana_workspace: Fix network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#​47646)

v6.44.0

Compare Source

NOTES:

• resource/aws_dynamodb_global_secondary_index: This resource type is no longer experimental. The schema and behavior are now subject to the backwards compatibility guarantee of the provider. (#​47747)
• resource/aws_outposts_capacity_task: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​47681)

FEATURES:

• New Data Source: aws_glue_catalog (#​43583)
• New List Resource: aws_alb_target_group_attachment (#​47724)
• New List Resource: aws_appautoscaling_policy (#​47718)
• New List Resource: aws_arczonalshift_zonal_autoshift_configuration (#​46114)
• New List Resource: aws_dynamodb_global_secondary_index (#​47785)
• New List Resource: aws_dynamodb_table (#​47518)
• New List Resource: aws_ecr_repository_policy (#​47763)
• New List Resource: aws_glue_catalog (#​43583)
• New List Resource: aws_lb_target_group_attachment (#​47724)
• New List Resource: aws_s3_bucket_logging (#​47766)
• New List Resource: aws_securityhub_standards_control (#​47702)
• New List Resource: aws_vpc_endpoint_route_table_association (#​47751)
• New Resource: aws_arczonalshift_zonal_autoshift_configuration (#​46114)
• New Resource: aws_glue_catalog (#​43583)
• New Resource: aws_outposts_capacity_task (#​47681)
• New Resource: aws_redshift_namespace_registration (#​43583)

ENHANCEMENTS:

• data-source/aws_glue_connection: Add authentication_configuration attribute (#​43583)
• resource/aws_appautoscaling_policy: Add resource identity support (#​47718)
• resource/aws_ec2_client_vpn_endpoint: Add transit_gateway_configuration block (#​47635)
• resource/aws_fsx_lustre_file_system: Support in-place modification of file_system_type_version (#​47703)
• resource/aws_fsx_windows_file_system: Add self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#​47752)
• resource/aws_glue_connection: Add authentication_configuration argument (#​43583)
• resource/aws_timestreaminfluxdb_db_cluster: Add Resource Identity support (#​47052)
• resource/aws_timestreaminfluxdb_db_cluster: Add maintenance_schedule configuration block (#​47354)
• resource/aws_timestreaminfluxdb_db_instance: Add Resource Identity support (#​47052)
• resource/aws_vpc_endpoint_route_table_association: Add resource identity support (#​47751)

BUG FIXES:

• resource/aws_odb_cloud_vm_cluster: Attempt to read GI Version from resource tags to avoid failures due to new API response values (#​46589)
• resource/aws_s3files_synchronization_configuration: Fix Delete to use the file system prefix when resetting the synchronization configuration (#​47760)
• resource/aws_securityhub_configuration_policy_association: Fix waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#​47783)
• resource/aws_timestreaminfluxdb_db_cluster: Correct plan-time validation of db_parameter_group_identifier (#​47052)

v6.43.0

Compare Source

FEATURES:

• New Data Source: aws_securityhub_enabled_standards (#​43947)
• New Data Source: aws_securityhub_security_controls (#​43947)
• New List Resource: aws_db_subnet_group (#​47637)
• New List Resource: aws_ec2_network_insights_access_scope (#​47582)
• New List Resource: aws_iam_group_policy_attachment (#​47667)
• New List Resource: aws_lambda_event_source_mapping (#​47686)
• New List Resource: aws_securityhub_insight (#​47622)
• New Resource: aws_arczonalshift_autoshift_observer_notification_status (#​46343)
• New Resource: aws_ec2_network_insights_access_scope (#​47582)
• New Resource: aws_securityhub_account_v2 (#​47356)

ENHANCEMENTS:

• resource/aws_arczonalshift_autoshift_observer_notification_status: Add resource identity support (#​46343)
• resource/aws_auditmanager_assessment: Add resource identity support (#​47674)
• resource/aws_auditmanager_control: Add resource identity support (#​47674)
• resource/aws_auditmanager_framework: Add resource identity support (#​47674)
• resource/aws_auditmanager_framework_share: Add resource identity support (#​47674)
• resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#​47589)
• resource/aws_ecs_express_gateway_service: Deprecates current_deployment. (#​47694)
• resource/aws_iam_group_policy_attachment: Add resource identity support (#​47667)
• resource/aws_lambda_event_source_mapping: Add resource identity support (#​47686)
• resource/aws_securityhub_action_target: Add Resource Identity support (#​47543)
• resource/aws_securityhub_configuration_policy: Add Resource Identity support (#​47543)
• resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#​47543)
• resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#​47078)
• resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#​47543)
• resource/aws_securityhub_finding_aggregator: Add arn attribute (#​47543)
• resource/aws_securityhub_insight: Add Resource Identity support (#​47543)
• resource/aws_securityhub_member: Add Resource Identity support (#​47543)
• resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#​47543)
• resource/aws_securityhub_product_subscription: Add Resource Identity support (#​47543)
• resource/aws_securityhub_standards_control: Add Resource Identity support (#​47543)
• resource/aws_securityhub_standards_control_association: Add Resource Identity support (#​47543)
• resource/aws_securityhub_standards_subscription: Add Resource Identity support (#​47543)
• resource/aws_securityhub_standards_subscription: Add arn attribute (#​47543)
• resource/aws_subnet: Automatically detect and dissociate GuardDuty-managed VPC endpoints during terraform destroy when they block subnet deletion (#​46953)
• resource/aws_vpc: Automatically detect and remove GuardDuty-managed VPC endpoints and security groups during terraform destroy when they block VPC deletion (#​46953)

BUG FIXES:

• resource/aws_cloudwatch_metric_alarm: Fix invalid One of 'metric_name', 'metric_query', or 'evaluation_criteria' must be set for a cloudwatch metric alarm plan-time errors. This fixes a regression introduced in v6.42.0 (#​47666)
• resource/aws_ecs_express_gateway_service: Handles more transient API errors during creation and deletion. (#​47568)
• resource/aws_ecs_express_gateway_service: Marks resource for re-creation if it fails while waiting for creation. (#​47568)
• resource/aws_ecs_express_gateway_service: Prevents errors when value of current_deployment changes. (#​47694)
• resource/aws_ecs_express_gateway_service: Waits until the service is INACTIVE instead of DRAINING. (#​47568)
• resource/aws_flow_log: Prevents error when updating from earlier versions of the provider or importing VPC Flow Logs (#​47699)
• resource/aws_globalaccelerator_cross_account_attachment: Fix runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#​47625)
• resource/aws_pinpoint_app: Lower minimum of limits.messages_per_second from 50 to 1 to match the AWS API. (#​47636)
• resource/aws_s3_bucket: Fix bucket creation on third-party S3-compatible APIs (e.g. OVH, Ceph RGW) by handling MalformedXML errors during tag-on-create and CreateBucketConfiguration operations (#​47530)

v6.42.0

Compare Source

BREAKING CHANGES:

• resource/aws_mq_configuration: Destruction of this resource will now delete the configuration. Previously delete was a no-op due to missing API operations, leaving resources in an unmanaged state. For this reason a breaking change was deemed acceptable in a minor version. This functionality requires the mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#​47273)

NOTES:

• documentation: CDKTF documentation has been removed from the provider (#​47484)
• resource/aws_eip: Because we cannot easily test this behavior in isolated regions, it is best effort and we ask for community help in testing (#​47091)

FEATURES:

• New Data Source: aws_ec2_service_link_virtual_interface (#​47478)
• New Data Source: aws_ec2_service_link_virtual_interfaces (#​47478)
• New List Resource: aws_apigatewayv2_api (#​47472)
• New List Resource: aws_cloudwatch_log_metric_filter (#​47495)
• New List Resource: aws_config_remediation_configuration (#​47514)
• New List Resource: aws_ebs_volume (#​47551)
• New List Resource: aws_ebs_volume_attachment (#​47561)
• New List Resource: aws_eip (#​47557)
• New List Resource: aws_iam_user_policy_attachment (#​47467)
• New List Resource: aws_internet_gateway (#​47529)
• New List Resource: aws_lambda_layer_version (#​47496)
• New List Resource: aws_launch_template (#​47540)
• New List Resource: aws_route53_zone (#​47494)
• New List Resource: aws_sagemaker_hyper_parameter_tuning_job (#​47138)
• New List Resource: aws_sqs_queue_policy (#​47489)
• New Resource: aws_cloudwatch_otel_enrichment (#​47275)
• New Resource: aws_ebs_volume_copy (#​47311)
• New Resource: aws_sagemaker_hyper_parameter_tuning_job (#​47138)

ENHANCEMENTS:

• data-source/aws_identitystore_user: Add user_status attribute (#​47323)
• data-source/aws_identitystore_users: Add user_status attribute (#​47323)
• data-source/aws_network_interface: Add ena_srd_specification attribute (#​46669)
• data-source/aws_odb_network: Enhancements to support cross-region restore. (#​46317)
• resource/aws_cloudwatch_log_metric_filter: Add Resource Identity support (#​47495)
• resource/aws_cloudwatch_metric_alarm: Add evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#​47449)
• resource/aws_ebs_volume_attachment: Add resource identity support (#​47561)
• resource/aws_eip: Add resource iden

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[infracost]

💰 Infracost report

Monthly estimate generated

_{This comment will be updated when code changes.}