v6.28.0 — Terraform Provider AWS

6.28.0 (January 7, 2026)

NOTES:

resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#44999)

FEATURES:

New Data Source: aws_cloudfront_connection_group (#44885)
New Data Source: aws_cloudfront_distribution_tenant (#45088)
New List Resource: aws_kms_alias (#45700)
New List Resource: aws_sqs_queue (#45691)
New Resource: aws_cloudfront_connection_function (#45664)
New Resource: aws_cloudfront_connection_group (#44885)
New Resource: aws_cloudfront_distribution_tenant (#45088)
New Resource: aws_cloudfront_multitenant_distribution (#45535)
New Resource: aws_dynamodb_global_secondary_index (#44999)
New Resource: aws_ecr_pull_time_update_exclusion (#45765)
New Resource: aws_organizations_tag (#45730)
New Resource: aws_redshift_idc_application (#37345)
New Resource: aws_secretsmanager_tag (#45825)
New Resource: aws_sesv2_tenant (#45706)

ENHANCEMENTS:

data-source/aws_apigateway_domain_name : Add endpoint_access_mode attribute (#45741)
data-source/aws_db_proxy: Add endpoint_network_type and target_connection_network_type attributes (#45634)
data-source/aws_dx_gateway: Add tags attribute (#45766)
data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
data-source/aws_iam_saml_provider: Add saml_provider_uuid attribute (#45707)
data-source/aws_lambda_function: Add response_streaming_invoke_arn attribute (#45652)
data-source/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
data-source/aws_route53_resolver_firewall_rules: Add dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#45711)
data-source/aws_route53_resolver_rule: Add target_ips attribute (#45492)
data-source/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#45679)
data-source/aws_vpc_endpoint: Promote service_region and vpc_endpoint_type from attributes to arguments for filtering (#45679)
resource/aws_alb: Enforce tag policy compliance for the elasticloadbalancing:loadbalancer tag type (#45671)
resource/aws_alb_listener: Enforce tag policy compliance for the elasticloadbalancing:listener tag type (#45671)
resource/aws_alb_listener_rule: Enforce tag policy compliance for the elasticloadbalancing:listener-rule tag type (#45671)
resource/aws_alb_target_group: Enforce tag policy compliance for the elasticloadbalancing:targetgroup tag type (#45671)
resource/aws_apigateway_domain_name: Add endpoint_access_mode argument and configurable timeout for create and update (#45741)
resource/aws_athena_workgroup: Add customer_content_encryption_configuration argument (#45744)
resource/aws_athena_workgroup: Add enable_minimum_encryption_configuration argument (#45744)
resource/aws_athena_workgroup: Add monitoring_configuration argument (#45744)
resource/aws_cleanrooms_collaboration: Add resource identity support (#45548)
resource/aws_cloudfront_distribution: Add connection_function_association and viewer_mtls_config arguments (#45847)
resource/aws_cloudfront_distribution: Add owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#45011)
resource/aws_cloudwatch_log_subscription_filter: Add apply_on_transformed_logs argument (#45826)
resource/aws_cloudwatch_log_subscription_filter: Add emit_system_fields argument (#45760)
resource/aws_db_proxy: Add endpoint_network_type and target_connection_network_type arguments (#45634)
resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#45671)
resource/aws_docdb_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#45671)
resource/aws_dx_gateway: Add tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#45766)
resource/aws_ecr_repository_creation_template: Support CREATE_ON_PUSH as a valid value for applied_for (#45720)
resource/aws_ecs_capacity_provider: Add managed_instances_provider.instance_launch_template.capacity_option_type argument (#45667)
resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the fsx:snapshot tag type (#45671)
resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the fsx:volume tag type (#45671)
resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#45671)
resource/aws_guardduty_filter: Add finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#45758)
resource/aws_iam_policy: Add delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#42054)
resource/aws_iam_saml_provider: Add saml_provider_uuid attribute (#45707)
resource/aws_iam_virtual_mfa_device: Add serial_number attribute (#45751)
resource/aws_imagebuilder_image: Add logging_configuration argument (#45749)
resource/aws_imagebuilder_image_pipeline: Add logging_configuration argument (#45749)
resource/aws_inspector_assessment_target: Add plan-time validation of resource_group_arn (#45688)
resource/aws_inspector_assessment_template: Add plan-time validation of rules_package_arns and target_arn (#45688)
resource/aws_lambda_event_source_mapping: Add provisioned_poller_config.poller_group_name argument (#45313)
resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (kafka://topic-name) for destination_config.on_failure.destination_arn argument (#45802)
resource/aws_lambda_function: Add response_streaming_invoke_arn attribute (#45652)
resource/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
resource/aws_lambda_function_url: Automatically add the lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#44858)
resource/aws_lambda_permission: Add invoked_via_function_url argument (#44858)
resource/aws_lb_target_group_attachment: Add quic_server_id argument (#45666)
resource/aws_lb_target_group_attachment: Add plan-time validation of target_group_arn (#45666)
resource/aws_neptune_cluster: Enforce tag policy compliance for the rds:cluster tag type (#45671)
resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#45671)
resource/aws_neptune_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#45671)
resource/aws_networkmanager_vpc_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#45728)
resource/aws_osis_pipeline: Add pipeline_role_arn argument to support specifying a IAM role at the pipeline level (#45806)
resource/aws_rds_cluster: Enforce tag policy compliance for the rds:cluster tag type (#45671)
resource/aws_redshift_data_share_consumer_association: Add plan-time validation of consumer_region (#45688)
resource/aws_route53_resolver_firewall_rule: Add dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#45711)
resource/aws_transfer_web_app: Add endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#45745)
resource/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#45679)
resource/aws_vpclattice_service_network_resource_association: Add private_dns_enabled argument (#45673)
resource/aws_vpn_connection: Support in-place updates for tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#45781)

BUG FIXES:

data-source/aws_ecr_authorization_token: Fix value of proxy_endpoint when registry_id is specified (#45754)
data-source/aws_networkmanager_core_network_policy_document: Support account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#45788)
data-source/aws_vpc_endpoint: Add missing implementation for service_region attribute (#45679)
provider: Fix handling of user_agent values where the product name contains a forward slash (#45715)
resource/aws_batch_job_definition: Fix crash during update when node_properties has NodeRangeProperties.ecsProperties set (#45676)
resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#45694)
resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#43762)
resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#45778)
resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#45842)
resource/aws_vpc: Fix reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#45780)
resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#45849)
resource/aws_vpc_endpoint: private_dns_enabled argument is now marked as ForceNew (#45679)