Update Terraform aws to v6

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	5.98.0 → 6.31.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.31.0

Compare Source

NOTES:

• resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)

FEATURES:

• New Data Source: aws_account_regions (#​41746)
• New Ephemeral Resource: aws_ecrpublic_authorization_token (#​45841)
• New List Resource: aws_cloudwatch_event_rule (#​46304)
• New List Resource: aws_cloudwatch_event_target (#​46297)
• New List Resource: aws_cloudwatch_metric_alarm (#​46268)
• New List Resource: aws_iam_role_policy (#​46293)
• New List Resource: aws_lambda_function (#​46295)
• New List Resource: aws_s3_bucket_acl (#​46305)
• New List Resource: aws_s3_bucket_policy (#​46312)
• New List Resource: aws_s3_bucket_public_access_block (#​46309)
• New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#​46191)

ENHANCEMENTS:

• resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45583)
• resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#​45882)

BUG FIXES:

• list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#​46305)
• resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#​45518)
• resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#​45893)
• resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#​45571)
• resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#​45087)
• resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#​46211)

v6.30.0

Compare Source

FEATURES:

• New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#​46176)

BUG FIXES:

• resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#​46195)

v6.29.0

Compare Source

NOTES:

• data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
• resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​43331)
• resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#​46185)
• resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
• resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​45834)

FEATURES:

• New Data Source: aws_arcregionswitch_plan (#​43781)
• New Data Source: aws_arcregionswitch_route53_health_checks (#​43781)
• New Data Source: aws_organizations_entity_path (#​45890)
• New Data Source: aws_resourcegroupstaggingapi_required_tags (#​45994)
• New Data Source: aws_s3_bucket_object_lock_configuration (#​45990)
• New Data Source: aws_s3_bucket_replication_configuration (#​42662)
• New Data Source: aws_s3control_access_points (#​45949)
• New Data Source: aws_s3control_multi_region_access_points (#​45974)
• New Data Source: aws_savingsplans_savings_plan (#​45834)
• New Data Source: aws_wafv2_managed_rule_group (#​45899)
• New List Resource: aws_appflow_connector_profile (#​45983)
• New List Resource: aws_appflow_flow (#​45980)
• New List Resource: aws_cleanrooms_collaboration (#​45953)
• New List Resource: aws_cleanrooms_configured_table (#​45956)
• New List Resource: aws_cloudfront_key_value_store (#​45957)
• New List Resource: aws_opensearchserverless_collection (#​46001)
• New List Resource: aws_route53_record (#​46059)
• New List Resource: aws_s3_bucket (#​46004)
• New List Resource: aws_s3_object (#​46002)
• New List Resource: aws_security_group (#​46062)
• New Resource: aws_apigatewayv2_routing_rule (#​42961)
• New Resource: aws_arcregionswitch_plan (#​43781)
• New Resource: aws_cloudfront_anycast_ip_list (#​43331)
• New Resource: aws_notifications_managed_notification_account_contact_association (#​45185)
• New Resource: aws_notifications_managed_notification_additional_channel_association (#​45186)
• New Resource: aws_notifications_organizational_unit_association (#​45197)
• New Resource: aws_notifications_organizations_access (#​45273)
• New Resource: aws_opensearch_application (#​43822)
• New Resource: aws_ram_permission (#​44114)
• New Resource: aws_ram_resource_associations_exclusive (#​45883)
• New Resource: aws_sagemaker_labeling_job (#​46041)
• New Resource: aws_sagemaker_model_card (#​45993)
• New Resource: aws_sagemaker_model_card_export_job (#​46009)
• New Resource: aws_savingsplans_savings_plan (#​45834)
• New Resource: aws_sesv2_tenant_resource_association (#​45904)
• New Resource: aws_vpc_security_group_rules_exclusive (#​45876)

ENHANCEMENTS:

• aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
• aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
• data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
• data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#​46157)
• data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#​45928)
• data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#​46163)
• data-source/aws_vpc_ipam_pool: Add source_resource attribute (#​44705)
• resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
• resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#​45966)
• resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#​46056)
• resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#​45984)
• resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#​45357)
• resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#​45934)
• resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#​46092)
• resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#​45852)
• resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#​45852)
• resource/aws_invoicing_invoice_unit: Adds resource identity support. (#​46185)
• resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#​46185)
• resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#​46065)
• resource/aws_launch_template: Add network_performance_options argument (#​46071)
• resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#​45636)
• resource/aws_opensearchserverless_collection: Add resource identity support (#​45981)
• resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#​44881)
• resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#​45951)
• resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#​45951)
• resource/aws_sagemaker_monitoring_schedule: Make monitoring_schedule_config.monitoring_job_definition_name argument optional (#​45951)
• resource/aws_vpc_ipam_pool: Add source_resource argument in support of provisioning of VPC Resource Planning Pools (#​44705)
• resource/aws_vpc_ipam_resource_discovery: Add organizational_unit_exclusion argument (#​45890)
• resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#​44705)
• resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#​44705)

BUG FIXES:

• data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#​45909)
• data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
• data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#​46160)
• provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#​46000)
• provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#​46159)
• resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#​45972)
• resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#​45713)
• resource/aws_billing_view: Fix handling of data_filter_expression (#​45293)
• resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#​45992)
• resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#​45873)
• resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#​45873)
• resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#​45977)
• resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#​45921)
• resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#​46110)
• resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#​46094)
• resource/aws_dynamodb_table: Fixes error when name is known after apply (#​45917)
• resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#​45997)
• resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
• resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#​45967)
• resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lb_target_group: Fix update error when switching health_check.protocol from HTTP to TCP when protocol is TCP (#​46036)
• resource/aws_multitenant_cloudfront_distribution: Prevent mistakenly importing a standard distribution (#​45873)
• resource/aws_networkfirewall_firewall_policy: Support partner-managed rule groups via firewall_policy.stateful_rule_group_reference.resource_arn (#​46124)
• resource/aws_odb_network: Fix delete_associated_resources being set when value is unknown (#​45636)
• resource/aws_pipes_pipe: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_placement_group: Correct validation of partition_count (#​45042)
• resource/aws_rds_cluster: Properly set iam_database_authentication_enabled when restored from snapshot (#​39461)
• resource/aws_redshift_cluster: Changing port now works. (#​45870)
• resource/aws_redshiftserverless_workgroup: Fix ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#​46137)
• resource/aws_route53_health_check: Mark regions argument as Computed to fix an unexpected regions diff when it is not specified (#​45829)
• resource/aws_route53_zone: Fix InvalidChangeBatch errors during ForceNew operations when zone name changes (#​45242)
• resource/aws_route53_zone: Fixes error where Delete would fail if the remote resource had already been deleted. (#​45985)
• resource/aws_route53profiles_resource_association: Fix Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#​45958)
• resource/aws_route53recoverycontrolconfig_control_panel: Fix crash when create returns an error (#​45954)
• resource/aws_s3_bucket: Fix bucket creation with tags in non-commercial AWS regions by handling UnsupportedArgument errors during tag-on-create operations (#​46122)
• resource/aws_s3_bucket: Fix tag read and update operations in non-commercial AWS regions by handling MethodNotAllowed errors when S3 Control APIs are unavailable (#​46122)
• resource/aws_servicecatalog_portfolio_share: Support organization and OU IDs in addition to ARNs for GovCloud compatibility (#​39863)
• resource/aws_subnet: Mark ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#​46043)
• resource/aws_vpc_endpoint: Fix persistent diffs caused by case differences in ip_address_type (#​45947)

v6.28.0

Compare Source

NOTES:

• resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#​44999)

FEATURES:

• New Data Source: aws_cloudfront_connection_group (#​44885)
• New Data Source: aws_cloudfront_distribution_tenant (#​45088)
• New List Resource: aws_kms_alias (#​45700)
• New List Resource: aws_sqs_queue (#​45691)
• New Resource: aws_cloudfront_connection_function (#​45664)
• New Resource: aws_cloudfront_connection_group (#​44885)
• New Resource: aws_cloudfront_distribution_tenant (#​45088)
• New Resource: aws_cloudfront_multitenant_distribution (#​45535)
• New Resource: aws_dynamodb_global_secondary_index (#​44999)
• New Resource: aws_ecr_pull_time_update_exclusion (#​45765)
• New Resource: aws_organizations_tag (#​45730)
• New Resource: aws_redshift_idc_application (#​37345)
• New Resource: aws_secretsmanager_tag (#​45825)
• New Resource: aws_sesv2_tenant (#​45706)

ENHANCEMENTS:

• data-source/aws_apigateway_domain_name : Add endpoint_access_mode attribute (#​45741)
• data-source/aws_db_proxy: Add endpoint_network_type and target_connection_network_type attributes (#​45634)
• data-source/aws_dx_gateway: Add tags attribute (#​45766)
• data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#​45752)
• data-source/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
• data-source/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
• data-source/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
• data-source/aws_route53_resolver_firewall_rules: Add dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#​45711)
• data-source/aws_route53_resolver_rule: Add target_ips attribute (#​45492)
• data-source/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#​45679)
• data-source/aws_vpc_endpoint: Promote service_region and vpc_endpoint_type from attributes to arguments for filtering (#​45679)
• resource/aws_alb: Enforce tag policy compliance for the elasticloadbalancing:loadbalancer tag type (#​45671)
• resource/aws_alb_listener: Enforce tag policy compliance for the elasticloadbalancing:listener tag type (#​45671)
• resource/aws_alb_listener_rule: Enforce tag policy compliance for the elasticloadbalancing:listener-rule tag type (#​45671)
• resource/aws_alb_target_group: Enforce tag policy compliance for the elasticloadbalancing:targetgroup tag type (#​45671)
• resource/aws_apigateway_domain_name: Add endpoint_access_mode argument and configurable timeout for create and update (#​45741)
• resource/aws_athena_workgroup: Add customer_content_encryption_configuration argument (#​45744)
• resource/aws_athena_workgroup: Add enable_minimum_encryption_configuration argument (#​45744)
• resource/aws_athena_workgroup: Add monitoring_configuration argument (#​45744)
• resource/aws_cleanrooms_collaboration: Add resource identity support (#​45548)
• resource/aws_cloudfront_distribution: Add connection_function_association and viewer_mtls_config arguments (#​45847)
• resource/aws_cloudfront_distribution: Add owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#​45011)
• resource/aws_cloudwatch_log_subscription_filter: Add apply_on_transformed_logs argument (#​45826)
• resource/aws_cloudwatch_log_subscription_filter: Add emit_system_fields argument (#​45760)
• resource/aws_db_proxy: Add endpoint_network_type and target_connection_network_type arguments (#​45634)
• resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
• resource/aws_docdb_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
• resource/aws_dx_gateway: Add tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#​45766)
• resource/aws_ecr_repository_creation_template: Support CREATE_ON_PUSH as a valid value for applied_for (#​45720)
• resource/aws_ecs_capacity_provider: Add managed_instances_provider.instance_launch_template.capacity_option_type argument (#​45667)
• resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the fsx:snapshot tag type (#​45671)
• resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the fsx:volume tag type (#​45671)
• resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_guardduty_filter: Add finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#​45758)
• resource/aws_iam_policy: Add delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#​42054)
• resource/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
• resource/aws_iam_virtual_mfa_device: Add serial_number attribute (#​45751)
• resource/aws_imagebuilder_image: Add logging_configuration argument (#​45749)
• resource/aws_imagebuilder_image_pipeline: Add logging_configuration argument (#​45749)
• resource/aws_inspector_assessment_target: Add plan-time validation of resource_group_arn (#​45688)
• resource/aws_inspector_assessment_template: Add plan-time validation of rules_package_arns and target_arn (#​45688)
• resource/aws_lambda_event_source_mapping: Add provisioned_poller_config.poller_group_name argument (#​45313)
• resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (kafka://topic-name) for destination_config.on_failure.destination_arn argument (#​45802)
• resource/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
• resource/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
• resource/aws_lambda_function_url: Automatically add the lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#​44858)
• resource/aws_lambda_permission: Add invoked_via_function_url argument (#​44858)
• resource/aws_lb_target_group_attachment: Add quic_server_id argument (#​45666)
• resource/aws_lb_target_group_attachment: Add plan-time validation of target_group_arn (#​45666)
• resource/aws_neptune_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
• resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
• resource/aws_neptune_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
• resource/aws_networkmanager_vpc_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#​45728)
• resource/aws_osis_pipeline: Add pipeline_role_arn argument to support specifying a IAM role at the pipeline level (#​45806)
• resource/aws_rds_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
• resource/aws_redshift_data_share_consumer_association: Add plan-time validation of consumer_region (#​45688)
• resource/aws_route53_resolver_firewall_rule: Add dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#​45711)
• resource/aws_transfer_web_app: Add endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#​45745)
• resource/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#​45679)
• resource/aws_vpclattice_service_network_resource_association: Add private_dns_enabled argument (#​45673)
• resource/aws_vpn_connection: Support in-place updates for tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#​45781)

BUG FIXES:

• data-source/aws_ecr_authorization_token: Fix value of proxy_endpoint when registry_id is specified (#​45754)
• data-source/aws_networkmanager_core_network_policy_document: Support account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#​45788)
• data-source/aws_vpc_endpoint: Add missing implementation for service_region attribute (#​45679)
• provider: Fix handling of user_agent values where the product name contains a forward slash (#​45715)
• resource/aws_batch_job_definition: Fix crash during update when node_properties has NodeRangeProperties.ecsProperties set (#​45676)
• resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#​45694)
• resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#​43762)
• resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#​45778)
• resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#​45842)
• resource/aws_vpc: Fix reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#​45780)
• resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#​45849)
• resource/aws_vpc_endpoint: private_dns_enabled argument is now marked as ForceNew (#​45679)

v6.27.0

Compare Source

FEATURES:

• New Data Source: aws_organizations_account (#​45543)
• New Function: user_agent (#​45464)
• New List Resource: aws_kms_key (#​45514)
• New Resource: aws_cloudfront_trust_store (#​45534)

ENHANCEMENTS:

• data-source/aws_datazone_domain: Add root_domain_unit_id attribute (#​44964)
• data-source/aws_networkmanager_core_network_policy_document: Add routing_policies and attachment_routing_policy_rules arguments (#​45246)
• data-source/aws_route53_resolver_endpoint: Add rni_enhanced_metrics_enabled attribute (#​45630)
• data-source/aws_route53_resolver_endpoint: Add target_name_server_metrics_enabled attribute (#​45630)
• provider: Add user_agent argument (#​45464)
• provider: The provider_meta block is now supported. The user_agent argument enables module authors to include additional product information in the User-Agent header sent during all AWS API requests made during Create, Read, Update, and Delete operations. (#​45464)
• resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.kendra_knowledge_base_configuration argument (#​44388)
• resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.sql_knowledge_base_configuration and storage_configuration.neptune_analytics_configuration arguments (#​45465)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.mongo_db_atlas_configuration argument (#​37220)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.opensearch_managed_cluster_configuration argument (#​44060)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.s3_vectors_configuration block (#​45468)
• resource/aws_bedrockagent_knowledge_base: Make knowledge_base_configuration.vector_knowledge_base_configuration and ``storage_configuration` optional (#​44388)
• resource/aws_codebuild_project: Add cache.cache_namespace argument (#​45584)
• resource/aws_datazone_domain: Add root_domain_unit_id argument (#​44964)
• resource/aws_lambda_function: code_sha256 is now optional and computed (#​45618)
• resource/aws_networkmanager_connect_attachment: Add routing_policy_label argument ([#​45246](https://redirect.github.com/hashic

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.