NOTES:
tags_all attribute is deprecated and will be removed in a future major version (#47133)

FEATURES:
aws_iam_role_policies (#46936)
aws_iam_role_policy_attachments (#47119)
aws_networkmanager_core_network (#45798)
aws_uxc_services (#47115)
aws_eks_cluster (#47133)
aws_organizations_aws_service_access (#46993)
aws_sagemaker_training_job (#46892)
aws_workmail_group (#47131)
aws_workmail_user (#47131)
aws_organizations_aws_service_access (#46993)
aws_sagemaker_training_job (#46892)
aws_uxc_account_customizations (#47115)
aws_workmail_group (#47131)
aws_workmail_user (#47131)

ENHANCEMENTS:
instance_families attribute (#47153)
tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
source.vpc argument. Change source.eks to Optional (#47155)
storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)

BUG FIXES:
aws-cn partition (#47141)
Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
bootstrap_self_managed_addons to true when importing (#47133)
InvalidParameterCombination error when cache_usage_limits is removed (#46134)

FEATURES:
aws_dms_start_replication_task_assessment_run (#47058)
aws_dynamodb_backups (#47036)
aws_msk_topic (#46490)
aws_savingsplans_offerings (#47081)
aws_msk_cluster (#46490)
aws_msk_serverless_cluster (#46490)
aws_msk_topic (#46490)
aws_route53_resolver_rule (#47063)
aws_sagemaker_algorithm (#47051)
aws_ssm_document (#46974)
aws_ssoadmin_account_assignment (#47067)
aws_vpc_endpoint (#46977)
aws_workmail_domain (#46931)
aws_msk_topic (#46490)
aws_observabilityadmin_telemetry_enrichment (#47089)
aws_sagemaker_algorithm (#47051)
aws_workmail_default_domain (#46931)
aws_workmail_domain (#46931)

ENHANCEMENTS:
firewall_policy.enable_tls_session_holding attribute (#47065)
authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
target_configuration.mcp.api_gateway configuration block (#46916)
restore_backup_arn argument (#47068)
KinesisStreams as a value for action.target.key (#47010)
VPCEndpoints as a value for action.target.key (#47045)
user block to Optional (#46883)
firewall_policy.enable_tls_session_holding argument (#47065)
filters.aws_account_name configuration block (#47027)
filters.compliance_associated_standards_id configuration block (#47027)
filters.compliance_security_control_id configuration block (#47027)
filters.compliance_security_control_parameters_name configuration block (#47027)
filters.compliance_security_control_parameters_value configuration block (#47027)

BUG FIXES:
@region suffix when using resource-level region attribute (#47043)
Provider produced inconsistent result after apply error when environment variables are defined in non-alphabetical order (#46771)
Provider returned invalid result object after apply errors where computed attributes remained unknown after create (#47012)
user block (#46883)
Unable to unmarshal DynamicValue error when statement.managed_rule_group_statement.rule_action_override block is specified (#46998)
WAFOptimisticLockException errors when multiple associations target the same Web ACL (#47037)

BREAKING CHANGES:
resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values (#46788)

NOTES:
offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#46959)
offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#46959)

FEATURES:
aws_ec2_transit_gateway_metering_policy (#46812)
aws_iam_user (#46869)
aws_s3_bucket_ownership_controls (#46832)
aws_wafv2_web_acl_rule (#46682)
aws_workmail_organization (#46692)
aws_ec2_transit_gateway_metering_policy (#46812)
aws_ec2_transit_gateway_metering_policy_entry (#46812)
aws_wafv2_web_acl_rule (#46682)
aws_workmail_organization (#46692)

ENHANCEMENTS:
schedule.status argument (#46037)
shard_instance_count argument (#46938)
bucket_namespace argument in support of account regional namespaces for general purpose buckets (#46917)

BUG FIXES:
savings_plan_offering_id during read (#46959)
authorizer_configuration.custom_jwt_authorizer. This fixes a regression introduced in v6.36.0 (#46908)
EOF errors when retrieving the activation key (#46958)
key_schema syntax deleting all GSIs (#46602)
MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore errors when updating cpu_options.core_count or cpu_options.threads_per_core (#46879)
resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values. Previously, attempting to use resource_data.lf_tag.value would result in missing required field errors (#46788)
client_authentication.sasl block (#42163)
client_authentication.tls block (#42163)
client_authentication.sasl blocks (#42163)
client_authentication.tls blocks (#42163)
savings_plan_offering_id during read to prevent forced replacement following import (#46959)
enable_machine_learning in aws_managed_rules_bot_control_rule_set incorrectly defaulting to false instead of reflecting the AWS default of true (#46682)

NOTES:
GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#46820)

FEATURES:
aws_iam_outbound_web_identity_federation (#46503)
aws_sts_web_identity_token (#46173)
aws_s3_bucket_versioning (#46802)

ENHANCEMENTS:
authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#46828)
resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#46813)
open_table_format_input.iceberg_input.iceberg_table_input argument (#46843)
view_definition argument (#46843)
open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#46843)
parameters, storage_descriptor, and table_type to Optional and Computed (#46843)
ip_set_id attribute (#46703)
arn and destination_id attributes (#46703)
threat_intel_set_id attribute (#46703)
rule.destination.destination_logs_configuration.log_group_name_configuration block (#46811)

BUG FIXES:
EntityNotFoundException errors (#46843)
growth_factor (#46810)
EntityNotFoundException errors (#46843)
private_dns_enabled when vpc_endpoint_type is Interface (#46800)
network_interface_ids attribute when changing subnet_configuration or subnet_ids (#46800)
VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#46823)

BUG FIXES:
LifecycleRuleAndOperator while flattening configuration (#46778)

FEATURES:
aws_ecs_service (#46678)
aws_lb (#46660)
aws_lb_listener (#46679)
aws_lb_listener_rule (#46731)
aws_lb_target_group (#46662)
aws_sns_topic (#46744)
aws_sns_topic_subscription (#46738)
aws_observabilityadmin_telemetry_pipeline (#46698)
aws_sagemaker_mlflow_app (#45565)

ENHANCEMENTS:
layer_version_arn argument to support cross-account Lambda layer access (#46673)
job_level_cost_allocation_configuration block (#46107)
resource_share_configuration block (#46715)

BUG FIXES:
split_charge_rule targets from TypeSet to TypeList to retain order (#42856)
InvalidParameterCombinationException errors when oracle_settings is configured (#46689)
replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#46670)

FEATURES:
aws_ec2_secondary_network (#46552)
aws_ec2_secondary_subnet (#46552)
aws_ecr_task_definition (#46628)
aws_elb (#46639)
aws_s3_bucket_lifecycle_configuration (#46531)
aws_networkmanager_prefix_list_association (#46566)

ENHANCEMENTS:
kms_key_id attribute (#46584)
network_type and ip_discovery attributes (#46636)
configuration.query_results_s3_access_grants_configuration argument (#46376)
metadata_configuration block for HTTP header and query parameter propagation (#45808)
auth_parameters.connectivity_parameters argument (#41561)
service_connect_configuration.access_log_configuration argument (#45820)
kms_key_id argument (#46584)
cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#46568)
network_type and ip_discovery arguments (#46636)
jwt_options attribute (#46439)
managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#44426)

BUG FIXES:
mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#46616)
statement.principals.identifiers contains a non-string value (#46226)
couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#46622)
credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#46127)
data_filter_expression.dimensions.values (#46462)
encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#46150)
InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#46102)

FEATURES:
aws_networkmanager_attachment_routing_policy_label (#46489)

ENHANCEMENTS:
cpu_options.nested_virtualization and network_performance_options attributes (#46540)
custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
custom_path argument to revocation_configuration.crl_configuration configuration block (#46487)
filter_expression attribute (#46501)
access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefix arguments to the oracle_settings configuration block (#46516)
use_update_lookup argument to mongodb_settings configuration block (#46253)
nested_virtualization attribute to cpu_options configuration block (#46533)
nested_virtualization attribute to cpu_options configuration block (#46533)
secondary_interfaces configuration block (#46540)
qna_intent_configuration attribute (#46419)
domain_settings.trusted_identity_propagation_settings argument (#44965)

BUG FIXES:
runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#46478)
ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#46475)
serverless_v2_scaling_configuration without forcing cluster replacement (#45049)
ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#46496)
cidr_block when allocating a subnet from an IPAM resource pool. (#46453)
expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#46515)

BUG FIXES:
couldn't find resource error during creation when waiting for capacity to be satisfied (#46452)
s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#46455)
key_schema with a single range key on a global secondary index (#46442)
auth_token references another resource (#46454)

FEATURES:
aws_ecr_repository (#46344)
aws_lambda_permission (#46341)
aws_route (#46370)
aws_route53_resolver_rule_association (#46349)
aws_route_table (#46337)
aws_s3_directory_bucket (#46373)
aws_secretsmanager_secret (#46318)
aws_secretsmanager_secret_version (#46342)
aws_vpc_security_group_egress_rule (#46368)
aws_vpc_security_group_ingress_rule (#46367)
aws_ec2_secondary_network (#46408)
aws_ec2_secondary_subnet (#46408)

ENHANCEMENTS:
secondary_network_interface argument (#46408)
use_as property to create special RLS rules dataset (#42687)

BUG FIXES:
configuration.result_configuration or child attributes. (#46427)
custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#46375)
network_access_control is configured with empty prefix_list_ids and vpce_ids (#45637)

NOTES:
expected_bucket_owner attribute. (#46262)
expected_bucket_owner attribute from Resource Identity. (#46272)
expected_bucket_owner and acl attribute from Resource Identity. (#46272)

FEATURES:
aws_account_regions (#41746)
aws_ecrpublic_authorization_token (#45841)
aws_cloudwatch_event_rule (#46304)
aws_cloudwatch_event_target (#46297)
aws_cloudwatch_metric_alarm (#46268)
aws_iam_role_policy (#46293)
aws_lambda_function (#46295)
aws_s3_bucket_acl (#46305)
aws_s3_bucket_policy (#46312)
aws_s3_bucket_public_access_block (#46309)
aws_ssoadmin_customer_managed_policy_attachments_exclusive (#46191)

ENHANCEMENTS:
serverless_vector_acceleration to aiml_options (#45882)

BUG FIXES:
auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#45518)
aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, Terraform would attempt to delete 0003, 0004, and 0005. This is now fixed; Terraform will retrieve the current node groups before resizing. (#45893)
user_group_id removal during modification. (#45571)
UnauthorizedOperation error when detaching resource that does not have an attachment (#46211)

NOTES:
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
region attribute, as the resource is global. (#46185)
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)

FEATURES:
aws_arcregionswitch_plan (#43781)
aws_arcregionswitch_route53_health_checks (#43781)
aws_organizations_entity_path (#45890)
aws_resourcegroupstaggingapi_required_tags (#45994)
aws_s3_bucket_object_lock_configuration (#45990)
aws_s3_bucket_replication_configuration (#42662)
aws_s3control_access_points (#45949)
aws_s3control_multi_region_access_points (#45974)
aws_savingsplans_savings_plan (#45834)
aws_wafv2_managed_rule_group (#45899)
aws_appflow_connector_profile (#45983)
aws_appflow_flow (#45980)
aws_cleanrooms_collaboration (#45953)
aws_cleanrooms_configured_table (#45956)
aws_cloudfront_key_value_store (#45957)
aws_opensearchserverless_collection (#46001)
aws_route53_record (#46059)
aws_s3_bucket (#46004)
aws_s3_object (#46002)
aws_security_group (#46062)
aws_apigatewayv2_routing_rule (#42961)
aws_arcregionswitch_plan (#43781)
aws_cloudfront_anycast_ip_list (#43331)
aws_notifications_managed_notification_account_contact_association (#45185)
aws_notifications_managed_notification_additional_channel_association (#45186)
aws_notifications_organizational_unit_association (#45197)
aws_notifications_organizations_access (#45273)
aws_opensearch_application (#43822)
aws_ram_permission (#44114)
aws_ram_resource_associations_exclusive (#45883)
aws_sagemaker_labeling_job (#46041)
aws_sagemaker_model_card (#45993)
aws_sagemaker_model_card_export_job (#46009)
aws_savingsplans_savings_plan (#45834)
aws_sesv2_tenant_resource_association (#45904)
aws_vpc_security_group_rules_exclusive (#45876)

ENHANCEMENTS:
routing_mode argument to support dynamic routing via routing rules (#42961)
routing_mode argument to support dynamic routing via routing rules (#42961)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
global_secondary_index.key_schema attribute (#46157)
segment_actions.routing_policy_names argument (#45928)
body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#46163)
source_resource attribute (#44705)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#45966)
vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#46056)
certificate_rotation_restart argument (#45984)
stream_view_type is set and stream_enabled is either false or unset. (#45934)
BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#46092)
domain_join_service_account_secret argument to self_managed_active_directory configuration block (#45852)
self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#45852)
rules to a single element. (#46185)
memory_size from 10240 MB to 32768 MB (#46065)
network_performance_options argument (#46071)
pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#44881)
monitoring_schedule_config.monitoring_job_definition argument (#45951)
monitoring_schedule_config.monitoring_job_definition_name argument optional (#45951)
source_resource argument in support of provisioning of VPC Resource Planning Pools (#44705)
organizational_unit_exclusion argument (#45890)
ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#44705)
ipv6_cidr_block to Optional and Computed (#44705)

BUG FIXES:
rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#45909)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
attachment_routing_policy_rules.action.associate_routing_policies is empty (#46160)
region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
configuration.result_configuration.encryption_configuration argument (#46159)
Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#45972)
model_source is set (#45713)
auto_deployment with permission_model set to SERVICE_MANAGED (#45992)
runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#45873)
origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#45921)
InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#46110)
warm_throughput in global_secondary_index when not set in configuration. (#46094)
name is known after apply (#45917)
kubernetes_network_config argument name in EKS Auto Mode validation error message (#45997)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
health_check.protocol from HTTP to TCP when protocol is TCP (#46036)
firewall_policy.stateful_rule_group_reference.resource_arn (#46124)
delete_associated_resources being set when value is unknown (#45636)
partition_count (#45042)
iam_database_authentication_enabled when restored from snapshot (#39461)
port now works. (#45870)
ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#46137)
regions argument as Computed to fix an unexpected regions diff when it is not specified (#45829)
InvalidChangeBatch errors during ForceNew operations when zone name changes (#45242)
Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#45958)
UnsupportedArgument errors during tag-on-create operations (#46122)
MethodNotAllowed errors when S3 Control APIs are unavailable (#46122)
ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#46043)
ip_address_type (#45947)

NOTES:
FEATURES:
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_kms_alias (#45700)
aws_sqs_queue (#45691)
aws_cloudfront_connection_function (#45664)
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_cloudfront_multitenant_distribution (#45535)
aws_dynamodb_global_secondary_index (#44999)
aws_ecr_pull_time_update_exclusion (#45765)
aws_organizations_tag (#45730)
aws_redshift_idc_application (#37345)
aws_secretsmanager_tag (#45825)
aws_sesv2_tenant (#45706)

ENHANCEMENTS:
endpoint_access_mode attribute (#45741)
endpoint_network_type and target_connection_network_type attributes (#45634)
tags attribute (#45766)
rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
saml_provider_uuid attribute (#45707)
response_streaming_invoke_arn attribute (#45652)
code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#45711)
target_ips attribute (#45492)
dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#45679)
service_region and vpc_endpoint_type from attributes to arguments for filtering (#45679)
elasticloadbalancing:loadbalancer tag type (#45671)
elasticloadbalancing:listener tag type (#45671)
elasticloadbalancing:listener-rule tag type (#45671)
elasticloadbalancing:targetgroup tag type (#45671)
endpoint_access_mode argument and configurable timeout for create and update (#45741)
customer_content_encryption_configuration argument (#45744)
enable_minimum_encryption_configuration argument (#45744)
monitoring_configuration argument (#45744)
connection_function_association and viewer_mtls_config arguments (#45847)
owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#45011)
apply_on_transformed_logs argument (#45826)
emit_system_fields argument (#45760)
endpoint_network_type and target_connection_network_type arguments (#45634)
rds:db tag type (#45671)
rds:global-cluster tag type (#45671)
tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#45766)
CREATE_ON_PUSH as a valid value for applied_for (#45720)
managed_instances_provider.instance_launch_template.capacity_option_type argument (#45667)
fsx:file-system tag type (#45671)
fsx:file-system tag type (#45671)
fsx:file-system tag type (#45671)
fsx:snapshot tag type (#45671)
fsx:volume tag type (#45671)
fsx:file-system tag type (#45671)
finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#45758)
delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#42054)
saml_provider_uuid attribute (#45707)
serial_number attribute (#45751)
logging_configuration argument (#45749)
logging_configuration argument (#45749)
resource_group_arn (#45688)
rules_package_arns and target_arn (#45688)
provisioned_poller_config.poller_group_name argument (#45313)
kafka://topic-name) for destination_config.on_failure.destination_arn argument (#45802)
response_streaming_invoke_arn attribute (#45652)
code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#44858)
invoked_via_function_url argument (#44858)
quic_server_id argument (#45666)
target_group_arn (#45666)
rds:cluster tag type (#45671)
rds:db tag type (#45671)
rds:global-cluster tag type (#45671)
routing_policy_label argument. This functionality requires the networkmanager:PutAttachmentRoutingPolicyLabel and networkmanager:RemoveAttachmentRoutingPolicyLabel IAM permissions (#45728)
pipeline_role_arn argument to support specifying an IAM role at the pipeline level (#45806)
rds:cluster tag type (#45671)
consumer_region (#45688)
dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#45711)
endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#45745)
dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#45679)
private_dns_enabled argument (#45673)
tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#45781)

BUG FIXES:
proxy_endpoint when registry_id is specified (#45754)
account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#45788)
service_region attribute (#45679)
user_agent values where the product name contains a forward slash (#45715)
node_properties has NodeRangeProperties.ecsProperties set (#45676)
PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#43762)
reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#45780)
private_dns_enabled argument is now marked as ForceNew (#45679)

FEATURES:
aws_organizations_account (#45543)
user_agent (#45464)
aws_kms_key (#45514)
aws_cloudfront_trust_store (#45534)

ENHANCEMENTS:
root_domain_unit_id attribute (#44964)
routing_policies and attachment_routing_policy_rules arguments (#45246)
rni_enhanced_metrics_enabled attribute (#45630)
target_name_server_metrics_enabled attribute (#45630)
user_agent argument (#45464)
provider_meta block is now supported. The user_agent argument enables module authors to include additional product information in the User-Agent header sent during all AWS API requests made during Create, Read, Update, and Delete operations. (#45464)
knowledge_base_configuration.kendra_knowledge_base_configuration argument (#44388)
knowledge_base_configuration.sql_knowledge_base_configuration and storage_configuration.neptune_analytics_configuration arguments (#45465)
storage_configuration.mongo_db_atlas_configuration argument (#37220)
storage_configuration.opensearch_managed_cluster_configuration argument (#44060)
storage_configuration.s3_vectors_configuration block (#45468)
knowledge_base_configuration.vector_knowledge_base_configuration and storage_configuration optional (#44388)
cache.cache_namespace argument (#45584)
root_domain_unit_id argument (#44964)
code_sha256 is now optional and computed (#45618)
routing_policy_label argument (#45246)
bgp_options.peer_asn (#45246)
configuration.bgp_configurations.peer_asn (#45639)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
routing_policy_label argument (#45246)
rni_enhanced_metrics_enabled argument (#45630)
target_name_server_metrics_enabled argument (#45630)
private_dns_enabled and dns_options arguments (#45619)

BUG FIXES:
attachment_policies.conditions.type to allow account instead of account-id (#45246)
knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration and knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration as ForceNew (#45465)
global_secondary_index when using ignore_changes lifecycle meta-argument (#41113)
NoSuchEntity errors when name and tags arguments are both updated (#45608)
excluded_column_names ordering causing "Provider produced inconsistent result after apply" errors (#45453)
bgp_options and bgp_options.peer_asn to Optional, Computed and ForceNew (#45639)
endpoint rule error, AccountId must only contain a-z, A-Z, 0-9 and `-` errors when the provider is configured with skip_requesting_account_id = true. This fixes a regression introduced in v6.23.0 (#45576)

FEATURES:
aws_batch_job_definition (#45401)
aws_codebuild_project (#45400)
aws_lambda_capacity_provider (#45467)
aws_ssm_parameter (#45512)
aws_iam_outbound_web_identity_federation (#45217)
ENHANCEMENTS:
upgrade_rollout_order attribute (#45527)
update_config block including update_strategy attribute (#41487)
upgrade_rollout_order attribute (#45527)
session_summary_configuration.max_recent_sessions argument (#45449)
upgrade_rollout_order attribute (#45527)
update_config.update_strategy attribute (#41487)
application_configuration.application_encryption_configuration argument (#45356)
FLINK-1_20 as a valid value for runtime_environment (#45356)
odb_network_arn for resource sharing model. (#45509)
upgrade_rollout_order attribute (#45527)
encryption_configuration block (#45470)
metadata_configuration block (#45470)
BUG FIXES:
encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
timeout_milliseconds validation to allow up to 900,000 ms when response_transfer_mode is STREAM (#45482)
logging_config.s3_config.bucket_name, logging_config.cloudwatch_config.log_group_name, logging_config.cloudwatch_config.role_arn, and logging_config.cloudwatch_config.large_data_delivery_s3_config.bucket_name as Required (#45469)
encryption_support. This addresses a regression introduced in v6.25.0. (#45462)
image_config has null values set in config (#45511)
event_pattern argument is not specified in config (#45524)
vpc_config.security_group_ids and vpc_config.subnets as ForceNew (#45491)
FEATURES:
ENHANCEMENTS:
rule.scan_action and scan_setting attributes (#45392)
deletion_protection_enabled attribute (#45298)
encryption_support attribute (#45317)
durable_config attribute (#45359)
health_check_logs attribute (#45269)
target_control_port attribute (#45270)
enable_accelerated_recovery attribute (#45302)
egress_config attribute to expose VPC Lattice connectivity configuration (#45314)
tenancy attribute (#43134)
integration_target argument (#45311)
response_transfer_mode argument (#45329)
configuration.managed_query_results_configuration block (#44273)
rule.scan_action and scan_setting configuration blocks (#45392)
interceptor_configuration argument (#45344)
deletion_protection_enabled argument (#45298)
encryption_support argument (#45317)
regional_nat_gateway_id argument (#45380)
plaintext_wo and plaintext_wo_version arguments to support write-only input (#43592)
durable_config argument (#45359)
health_check_logs configuration block (#45269)
target_control_port argument to support the ALB Target Optimizer (#45270)
accept_role_session_name argument (#45391)
managed_policy_arns and role_arns (#45391)
enable_accelerated_recovery argument (#45302)
calendar_names argument (#45363)
egress_config argument to support VPC Lattice connectivity for SFTP connectors (#45314)
url argument optional to support VPC Lattice connectors (#45314)
tenancy argument (#43134)
FEATURES:
aws_lambda_capacity_provider (#45342)
aws_s3tables_table_bucket_replication (#45360)
aws_s3tables_table_replication (#45360)
aws_s3vectors_index (#43393)
aws_s3vectors_vector_bucket (#43393)
aws_s3vectors_vector_bucket_policy (#43393)
ENHANCEMENTS:
capacity_provider_config attribute (#45342)
auto_provision_zones, auto_scaling_ips, availability_mode, availability_zone_address, regional_nat_gateway_address, and route_table_id attributes (#45420)
target_logically_air_gapped_backup_vault_arn argument to rule block (#45321)
capacity_provider_config and publish_to arguments (#45342)
id. Use arn instead. (#45345)
id. Use arn instead. (#45345)
subnet_id argument optional to support regional NAT Gateways (#45420)
availability_mode, availability_zone_address, and vpc_id arguments, and auto_provision_zones, auto_scaling_ips, regional_nat_gateway_address, and route_table_id attributes. This functionality requires the ec2:DescribeAvailabilityZones IAM permission (#45420)
bgp_log_enabled, bgp_log_group_arn, and bgp_log_stream_arn arguments to tunnel1_log_options.cloudwatch_log_options and tunnel2_log_options.cloudwatch_log_options blocks (#45271)
NOTES:
TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#45251)
FEATURES:
aws_ecs_express_gateway_service (#45235)
aws_s3_bucket_abac (#45251)
aws_vpc_encryption_control (#45263)
aws_vpn_concentrator (#45175)
ENHANCEMENTS:
tenant_id argument (#45170)
control_plane_scaling_config attribute (#45258)
tenancy_config attribute (#45170)
tenant_id argument (#45170)
vpn_concentrator_id attribute (#45175)
managed_instances_provider.infrastructure_optimization argument (#45142)
network_type argument (#45140)
supported_network_types attribute (#45140)
control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#45258)
tenancy_config argument (#45170)
tenant_id argument (#45170)
s3:TagResource permission is present (#45251)
s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#45251)
vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#45175)
ENHANCEMENTS:
INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#45159)
rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#45073)
BUG FIXES:
interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#45202)