resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#46568)
resource/aws_lb_target_group_attachment: Add import support (#46646)
resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#44426)
BUG FIXES:
data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#46616)
data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#46226)
list-resource/aws_s3_object: Includes parent bucket in display name. (#46596)
resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#46127)
resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#46127)
resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#46462)
resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#46150)
resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#46556)
resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#46102)
data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#46478)
resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#46475)
resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#45049)
resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#46496)
resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#44960)
resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#46453)
resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#46515)
resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#42687)
BUG FIXES:
data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#46384)
list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#46401)
resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#46427)
resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#46375)
resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#45637)
New List Resource: aws_s3_bucket_public_access_block (#46309)
New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#46191)
ENHANCEMENTS:
resource/aws_odb_cloud_autonomous_vm_cluster: Support autonomous VM cluster creation using an ODB network ARN and an Exadata infrastructure ARN for the resource sharing model. (#45583)
resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#45882)
BUG FIXES:
list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#46305)
resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#45518)
resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if node groups 0001, 0002, 0003, 0004, and 0005 exist, a user manually removes 0003 and 0005, and then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. Terraform now retrieves the current node groups before resizing. (#45893)
resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#45571)
resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#45087)
resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#46211)
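The AUTH-to-RBAC migration that the aws_elasticache_replication_group fix above makes possible, shown as an added Terraform example (it is not code from the provider's changelog or documentation). The resource names, the access string, the node type and the var.app_user_password variable are assumptions; the replication group is shown with the legacy shared token commented out and the migrated configuration in place, which drops the token with auth_token_update_strategy = "DELETE" while attaching the RBAC user group.

```hcl
variable "app_user_password" {
  type      = string
  sensitive = true
}

# RBAC user with a least-privilege ACL: the app's own key prefix only,
# read/write commands, and nothing from the @dangerous category.
resource "aws_elasticache_user" "app" {
  user_id       = "app-user"
  user_name     = "app-user"
  engine        = "redis"
  access_string = "on ~app:* +@read +@write -@dangerous"

  authentication_mode {
    type      = "password"
    passwords = [var.app_user_password]
  }
}

# Every user group must contain the engine's built-in "default" user.
resource "aws_elasticache_user_group" "app" {
  engine        = "redis"
  user_group_id = "app-users"
  user_ids      = ["default", aws_elasticache_user.app.user_id]
}

# BEFORE (legacy): one shared AUTH token for every client.
#   auth_token                 = var.legacy_auth_token
#   auth_token_update_strategy = "ROTATE"
#
# AFTER (migrated): the token is deleted in the same modify call that
# attaches the user group. With the fix above, DELETE no longer demands an
# auth_token value, so the argument can simply be removed.
resource "aws_elasticache_replication_group" "app" {
  replication_group_id       = "app-cache"
  description                = "Application cache (RBAC)"
  engine                     = "redis"
  node_type                  = "cache.t4g.small"
  num_cache_clusters         = 2
  automatic_failover_enabled = true

  # RBAC user groups require in-transit encryption; keep at-rest on as well.
  transit_encryption_enabled = true
  at_rest_encryption_enabled = true

  auth_token_update_strategy = "DELETE"
  user_group_ids             = [aws_elasticache_user_group.app.user_group_id]
}
```

Once the token is deleted, clients that still authenticate with the bare AUTH token are rejected, so switch them to user app-user and its password before applying, or stage the change behind a maintenance window.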
data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#43331)
resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#46185)
resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#45834)
FEATURES:
New Data Source: aws_arcregionswitch_plan (#43781)
New Data Source: aws_arcregionswitch_route53_health_checks (#43781)
New Data Source: aws_organizations_entity_path (#45890)
New Data Source: aws_resourcegroupstaggingapi_required_tags (#45994)
New Data Source: aws_s3_bucket_object_lock_configuration (#45990)
New Data Source: aws_s3_bucket_replication_configuration (#42662)
New Data Source: aws_s3control_access_points (#45949)
New Data Source: aws_s3control_multi_region_access_points (#45974)
New Data Source: aws_savingsplans_savings_plan (#45834)
New Data Source: aws_wafv2_managed_rule_group (#45899)
New List Resource: aws_appflow_connector_profile (#45983)
data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#46163)
resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#45357)
resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#45934)
resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#46092)
resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#45852)
resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#45852)
resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#45636)
resource/aws_opensearchserverless_collection: Add resource identity support (#45981)
resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#44881)
resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#45951)
resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#44705)
resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#44705)
BUG FIXES:
data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#45909)
data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#46160)
provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#46000)
provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#46159)
resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#45972)
resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#45713)
resource/aws_billing_view: Fix handling of data_filter_expression (#45293)
resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#45992)
resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#45873)
resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#45873)
resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#45977)
resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#45921)
resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#46110)
resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#46094)
resource/aws_dynamodb_table: Fixes error when name is known after apply (#45917)
resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#45997)
resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#45967)
resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_lb_target_group: Fix update error when switching health_check.protocol from HTTP to TCP when protocol is TCP (#46036)
resource/aws_multitenant_cloudfront_distribution: Prevent mistakenly importing a standard distribution (#45873)
resource/aws_networkfirewall_firewall_policy: Support partner-managed rule groups via firewall_policy.stateful_rule_group_reference.resource_arn (#46124)
resource/aws_odb_network: Fix delete_associated_resources being set when value is unknown (#45636)
resource/aws_pipes_pipe: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
resource/aws_placement_group: Correct validation of partition_count (#45042)
resource/aws_rds_cluster: Properly set iam_database_authentication_enabled when restored from snapshot (#39461)
resource/aws_redshift_cluster: Changing port now works. (#45870)
resource/aws_redshiftserverless_workgroup: Fix ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#46137)
resource/aws_route53_health_check: Mark regions argument as Computed to fix an unexpected regions diff when it is not specified (#45829)
resource/aws_route53_zone: Fix InvalidChangeBatch errors during ForceNew operations when zone name changes (#45242)
resource/aws_route53_zone: Fixes error where Delete would fail if the remote resource had already been deleted. (#45985)
resource/aws_route53profiles_resource_association: Fix Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#45958)
resource/aws_route53recoverycontrolconfig_control_panel: Fix crash when create returns an error (#45954)
resource/aws_s3_bucket: Fix bucket creation with tags in non-commercial AWS regions by handling UnsupportedArgument errors during tag-on-create operations (#46122)
resource/aws_s3_bucket: Fix tag read and update operations in non-commercial AWS regions by handling MethodNotAllowed errors when S3 Control APIs are unavailable (#46122)
resource/aws_servicecatalog_portfolio_share: Support organization and OU IDs in addition to ARNs for GovCloud compatibility (#39863)
resource/aws_subnet: Mark ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#46043)
resource/aws_vpc_endpoint: Fix persistent diffs caused by case differences in ip_address_type (#45947)
resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#44999)
FEATURES:
New Data Source: aws_cloudfront_connection_group (#44885)
New Data Source: aws_cloudfront_distribution_tenant (#45088)
data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
Encryption Key State Risk · KMS Key Creation
Change Signals
Routine: AWS SNS topic subscriptions showing unusual infrequent updates with only 2 events/week for the last 2 months, which is rare compared to typical patterns.
Policies: Multiple policy violations detected, including missing required tags and lack of server-side encryption for the S3 bucket 'aws_s3_bucket.terraform-example-state-bucket', and a security group allowing SSH access from anywhere, which is unusual compared to typical patterns.
We investigated 3 potential risks across 74 resources and verified each was safe. See the investigation details below.
🧠 Reasoning · ✖ 3 · ✔ 0
NAT gateway updates risking private subnet egress and ENI/EIP routing
Observations 27
Hypothesis
Updating NAT gateways in VPC vpc-02901bcbb89561298 (including nat-0bcff9aa2633b680e in subnet subnet-07b5b1fb2ba02f964 and nat-019b2865124bca19d) may change or disrupt associated Elastic IPs (for example 13.42.93.249), network interfaces (such as eni-0c502e5a8c20f4df7 with private IP 10.0.101.182), and routing for private subnets (including subnet-07b5b1fb2ba02f964 and subnet-09605cfe202ef69e7). Route table rtb-0fd627aea94dee6ea routes 0.0.0.0/0 via nat-0bcff9aa2633b680e, and multiple security groups (e.g., sg-0159f0e3d8224d441 with wide-open ingress and unrestricted egress, sg-089e5107637083db5 and sg-0fe38b77fda090133 with 0.0.0.0/0 egress) indicate workloads and API servers depend on these NAT gateways for outbound internet connectivity. Any in-place update, replacement, ENI/EIP reassignment, or behavior change—even when Terraform shows an empty diff—can cause transient or persistent loss of egress, affect ALB/ELB target health checks (for targets such as 10.0.101.169 in subnet-07b5b1fb2ba02f964), and change exposure or traffic flow for instances behind these security groups. This creates a single point of failure for monitoring, backups, patching, external service calls, and application availability, and may violate high-availability, network segmentation, public endpoint, and multi-AZ design best practices (REL02-BP03, REL2, SEC05-BP01, SEC05-BP02). NAT changes should be coordinated with maintenance windows, monitoring/rollback plans, and verification of NAT state, ENI/EIP associations, route tables, and redundant NAT design per AZ.
Investigation
I loaded our org’s AWS network security and high-availability guidelines and then checked both the plan diffs and the current state of the NAT gateways, EIPs/ENIs, and route tables.
Organizational knowledge: The standards call for multi-AZ network design and least-privilege routing; a NAT per AZ is recommended to avoid single-AZ SPOFs (REL10/SEC05). This environment already follows that pattern.
Planned changes: Both NAT gateways nat-0bcff9aa2633b680e and nat-019b2865124bca19d are marked “updated” but have empty diffs. No attribute-level changes are proposed for the NATs, EIPs, ENIs, or route tables, and no dependent routing changes are included in this plan. With no attribute differences, Terraform won’t modify those remote objects during apply. (developer.hashicorp.com)
Current state (pre-change) confirms stable associations and correct routing per AZ:
nat-0bcff9aa2633b680e in subnet-07b5b1fb2ba02f964 (eu-west-2a) has EIP 13.42.93.249 on ENI eni-0c502e5a8c20f4df7 (private 10.0.101.182). Route table rtb-0fd627aea94dee6ea sends 0.0.0.0/0 to this NAT for private subnet subnet-09605cfe202ef69e7.
nat-019b2865124bca19d in subnet-0c5bac530d4e52739 (eu-west-2b) has EIP 52.56.230.253 on ENI eni-030542fb12761bd4f (private 10.0.102.25). Route table rtb-0fa8d71472f3214bd sends 0.0.0.0/0 to this NAT for private subnet subnet-025746ecaa54aec58.
These match AWS guidance for routing private subnets to a NAT gateway using a default route and for deploying one NAT per AZ for resiliency. (docs.aws.amazon.com)
The hypothesis also cites EIP 13.134.236.98; blast-radius shows this EIP is attached to instance i-0c702de6b81da72e3 (not a NAT), so NAT changes would not affect that address. No evidence of ENI/EIP reassignment or NAT replacement is present.
Given there are no concrete changes to NAT configuration, addresses, or routes in this plan—and the existing design is already multi-AZ—there’s no substantiated risk of private subnet egress loss or HA violations from this change. Assertions about transient disruption “even when Terraform shows an empty diff” are speculative without any proposed operations on the NATs. AWS docs also show that EIPs/ENIs remain as-is unless explicitly re-associated or the NAT is replaced, which is not planned here. (docs.aws.amazon.com)
✖ Hypothesis disproven
SNS email subscription misconfiguration exposing production alerts
Observations 1
Hypothesis
Creation or modification of an SNS email subscription on a production alert topic can cause alerts to be delivered to incorrect or unauthorized external email addresses. Misconfigured endpoints may leak sensitive operational and security information (incident details, infrastructure health, identifiers) outside intended recipients, and additional subscriptions increase the attack surface for SNS topic enumeration, misdelivery, or social engineering via alert content. SNS topic owners should validate recipient ownership/authorization and regularly review and prune subscriptions, especially external addresses.
Investigation
I reviewed the organizational security/monitoring standards and found no explicit policy banning SNS email subscriptions or requiring recipients to be limited to specific domains. I then examined the planned diff: it creates an aws_sns_topic_subscription with protocol "email" and endpoint "alerts@example.com" on the production topic. By AWS design, email subscriptions never receive any messages until the recipient explicitly confirms via the emailed SubscribeURL; unconfirmed subscriptions remain PendingConfirmation and receive nothing. This is documented by AWS (email subscriptions require a click-to-confirm and do not deliver until confirmed) and by the Subscribe API (confirmation tokens valid for two days). The planned attributes also don’t change that: endpoint_auto_confirms=false is expected, and confirmation_timeout_in_minutes applies only to http/https, not email. Together, this means simply creating this subscription does not deliver alerts or leak operational content unless the external recipient confirms. While a single confirmation email will be sent to the address (revealing the topic ARN/name), the hypothesis’ claimed impact—ongoing delivery of production alerts to unauthorized recipients—is not supported by the evidence for this change. If there were org rules restricting external recipients, or if auto-confirm were possible for email, this would be different, but neither is the case here.
Hypothesis
Changing the Terraform EC2 instance resource attribute force_destroy from null to false can prevent automatic deletion of the instance and certain attached resources during destroy workflows. While EBS volumes with DeleteOnTermination=true remain configured to delete on termination, tooling or scripts that assume a full cleanup on terraform destroy may leave instances or dependencies orphaned, complicating lifecycle management, automated test environments, or cost-control processes. This risk is primarily about infrastructure cleanup reliability rather than runtime availability (Severity: Low, Origin: aws-compute-configuration PERF02-BP05).
Investigation
I loaded our AWS compute and governance standards, inspected the plan diffs, and checked the current instance state. Both affected EC2 instances only change the aws_instance argument force_destroy from null to false. This argument was introduced recently in the AWS provider (v6.8.0) and specifically allows Terraform to destroy an instance even when termination/stop protection is enabled; setting it to false simply means Terraform will respect protections like disable_api_termination and disable_api_stop if those are set. There is no evidence in the diffs that termination protection is being enabled (disable_api_termination remains unset/default), so Terraform destroy behavior is unchanged. Release notes for v6.8.0 confirm the new force_destroy argument and its purpose. (newreleases.io)
From blast-radius state, the instance’s root EBS volume is configured with DeleteOnTermination=true and the attached primary ENI has DeleteOnTermination=true on its attachment, so normal termination will still clean up those resources. AWS documentation clarifies that DeleteOnTermination=true deletes the EBS volume when the instance is terminated, and that disable_api_termination is the attribute that would actually block termination; neither is being altered by this change. (docs.aws.amazon.com)
Conclusion: Changing force_destroy from null to false reflects the new provider’s explicit default and does not introduce a cleanup risk for these instances. Therefore no real risk is present.
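The interaction between force_destroy and the EC2 API protections that the review above describes, as an added Terraform example (not from the review, the plan it discusses, or the provider's documentation). The var.ami_id and var.private_subnet_id variables, instance types and names are assumptions; the force_destroy semantics are the ones the review attributes to provider v6.8.0: false respects disable_api_termination and disable_api_stop, true lets Terraform destroy the instance anyway.

```hcl
variable "ami_id" {
  type = string   # assumed: a hardened AMI in the target account
}

variable "private_subnet_id" {
  type = string   # assumed: a private subnet in the VPC
}

# Stateful instance, protected at two layers. Terraform's lifecycle guard
# refuses to plan a destroy at all, and the EC2 API flags block termination
# or stop from the console, the CLI, or Terraform with force_destroy = false
# until an operator clears them first.
resource "aws_instance" "db" {
  ami           = var.ami_id
  instance_type = "m7g.large"
  subnet_id     = var.private_subnet_id

  disable_api_termination = true
  disable_api_stop        = true
  force_destroy           = false   # the explicit default the plan above settles on

  root_block_device {
    encrypted             = true
    delete_on_termination = true    # the volume goes with the instance, as the review notes
  }

  metadata_options {
    http_tokens = "required"        # IMDSv2 only
  }

  lifecycle {
    prevent_destroy = true
  }

  tags = { Name = "db-primary" }
}

# Ephemeral instance: the same API protection guards against an accidental
# console or CLI termination, but force_destroy = true lets `terraform destroy`
# and replacements proceed without anyone clearing the flag by hand.
resource "aws_instance" "ci_runner" {
  ami           = var.ami_id
  instance_type = "t4g.small"
  subnet_id     = var.private_subnet_id

  disable_api_termination = true
  force_destroy           = true

  root_block_device {
    encrypted             = true
    delete_on_termination = true
  }

  metadata_options {
    http_tokens = "required"
  }

  tags = { Name = "ci-runner" }
}
```

With this layout, a plan that only flips force_destroy from null to false on the db instance is a no-op for cleanup behaviour, exactly as the investigation concludes: the attribute that actually blocks termination is disable_api_termination, and that is what a reviewer should look for in the diff.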
This PR contains the following updates:
< 6.0 → < 6.35
~> 5.0 → ~> 6.0
~> 5.0 → ~> 7.0
~> 3.0 → ~> 6.0
5.12.1 → 7.3.1
~> 4.0 → ~> 5.0
< 6.0 → < 6.7
Release Notes
hashicorp/terraform-provider-aws (aws)
v6.34.0Compare Source
FEATURES:
aws_ec2_secondary_network(#46552)aws_ec2_secondary_subnet(#46552)aws_ecr_task_definition(#46628)aws_elb(#46639)aws_s3_bucket_lifecycle_configuration(#46531)aws_networkmanager_prefix_list_association(#46566)ENHANCEMENTS:
kms_key_idattribute (#46584)network_typeandip_discoveryattributes (#46636)configuration.query_results_s3_access_grants_configurationargument (#46376)metadata_configurationblock for HTTP header and query parameter propagation (#45808)auth_parameters.connectivity_parametersargument (#41561)service_connect_configuration.access_log_configurationargument (#45820)kms_key_idargument (#46584)cpu_options.core_count,cpu_options.nested_virtualization, andcpu_options.threads_per_coreto be updated in-place (#46568)network_typeandip_discoveryarguments (#46636)jwt_optionsattribute (#46439)managed_rule_group_configswithinmanaged_rule_groupand root-levelvisibility_configblock for CloudWatch metrics configuration (#44426)BUG FIXES:
mongodb_settings.use_update_lookupattribute to fix "invalid address to set" error (#46616)statement.principals.identifierscontains a non-string value (#46226)couldn't find resource (21 retries)errors updatingload_balancers,target_group_arns, andtraffic_source(#46622)credential_provider_configuration.oauth.default_return_urlandcredential_provider_configuration.oauth.grant_typearguments (#46127)data_filter_expression.dimensions.values(#46462)encryption_configurationto Optional and Computed, fixingunexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")})errors (#46150)InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpointserrors when creating S3Tables VPC endpoints (#46102)v6.33.0Compare Source
FEATURES:
aws_networkmanager_attachment_routing_policy_label(#46489)ENHANCEMENTS:
cpu_options.nested_virtualizationandnetwork_performance_optionsattributes (#46540)custom_pathargument torevocation_configuration.crl_configurationconfiguration block (#46487)custom_pathargument torevocation_configuration.crl_configurationconfiguration block (#46487)filter_expressionattribute (#46501)access_alternate_directly,add_supplemental_logging,additional_archived_log_dest_id,allow_selected_nested_tables,archived_log_dest_id,archived_logs_only,asm_password,asm_server,asm_user,authentication_method,char_length_semantics,convert_timestamp_with_zone_to_utc,direct_path_no_log,direct_path_parallel_load,enable_homogenous_tablespace,extra_archived_log_dest_ids,fail_task_on_lob_truncation,number_datatype_scale,open_transaction_window,oracle_path_prefix,parallel_asm_read_threads,read_ahead_blocks,read_table_space_name,replace_path_prefix,retry_interval,secrets_manager_oracle_asm_access_role_arn,secrets_manager_oracle_asm_secret_id,security_db_encryption,security_db_encryption_name,spatial_data_option_to_geo_json_function_name,standby_delay_time,trim_space_in_char,use_alternate_folder_for_online,use_bfile,use_direct_path_full_load,use_logminer_reader, anduse_path_prefixarguments to theoracle_settings` configuration block (#46516)use_update_lookupargument tomongodb_settingsconfiguration block (#46253)nested_virtualizationattribute tocpu_optionsconfiguration block (#46533)nested_virtualizationattribute tocpu_optionsconfiguration block (#46533)secondary_interfacesconfiguration block (#46540)qna_intent_configurationattribute (#46419)domain_settings.trusted_identity_propagation_settingsargument (#44965)BUG FIXES:
runtime error: invalid memory address or nil pointer dereferencepanics whenname_regexis an invalid regular expression (#46478)ap-southeast-5andeusc-de-east-1as valid values fors3_region(#46475)serverless_v2_scaling_configurationwithout forcing cluster replacement (#45049)ValidationError ... Member must have length less than or equal to 20errors when more than 20 load balancer attributes are being modified (#46496)cidr_blockwhen allocating a subnet from an IPAM resource pool. (#46453)expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64validation error (#46515)v6.32.1Compare Source
BUG FIXES:
couldn't find resourceerror during creation when waiting for capacity to be satisfied (#46452)s3_delivery_configuration.suffix_pathlosing AWS-added prefix on update (#46455)key_schemawith a single range key on a global secondary index (#46442)auth_tokenreferences another resource (#46454)v6.32.0Compare Source
FEATURES:
aws_ecr_repository(#46344)aws_lambda_permission(#46341)aws_route(#46370)aws_route53_resolver_rule_association(#46349)aws_route_table(#46337)aws_s3_directory_bucket(#46373)aws_secretsmanager_secret(#46318)aws_secretsmanager_secret_version(#46342)aws_vpc_security_group_egress_rule(#46368)aws_vpc_security_group_ingress_rule(#46367)aws_ec2_secondary_network(#46408)aws_ec2_secondary_subnet(#46408)ENHANCEMENTS:
secondary_network_interfaceargument (#46408)use_asproperty to create special RLS rules dataset (#42687)BUG FIXES:
configuration.result_configurationor child attributes. (#46427)custom_error_responseis configured andcustom_error_response.response_codeandcustom_error_response.response_page_pathare omitted (#46375)network_access_controlis configured with emptyprefix_list_idsandvpce_ids(#45637)v6.31.0Compare Source
NOTES:
expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerandaclattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)expected_bucket_ownerattribute. (#46262)expected_bucket_ownerattribute from Resource Identity. (#46272)FEATURES:
aws_account_regions (#41746)
aws_ecrpublic_authorization_token (#45841)
aws_cloudwatch_event_rule (#46304)
aws_cloudwatch_event_target (#46297)
aws_cloudwatch_metric_alarm (#46268)
aws_iam_role_policy (#46293)
aws_lambda_function (#46295)
aws_s3_bucket_acl (#46305)
aws_s3_bucket_policy (#46312)
aws_s3_bucket_public_access_block (#46309)
aws_ssoadmin_customer_managed_policy_attachments_exclusive (#46191)
ENHANCEMENTS:
serverless_vector_acceleration to aiml_options (#45882)
BUG FIXES:
auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#45518)
aws_elasticache_replication_group when cluster_mode = "enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, Terraform would attempt to delete 0003, 0004, and 0005. This is now fixed: Terraform retrieves the current node groups before resizing. (#45893)
user_group_id removal during modification. (#45571)
UnauthorizedOperation error when detaching a resource that does not have an attachment (#46211)
v6.30.0
FEATURES:
aws_ssoadmin_managed_policy_attachments_exclusive (#46176)
BUG FIXES:
global_secondary_index or global_secondary_index.key_schema are dynamic (#46195)
v6.29.0
NOTES:
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
region attribute, as the resource is global. (#46185)
return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#40884)
FEATURES:
aws_arcregionswitch_plan (#43781)
aws_arcregionswitch_route53_health_checks (#43781)
aws_organizations_entity_path (#45890)
aws_resourcegroupstaggingapi_required_tags (#45994)
aws_s3_bucket_object_lock_configuration (#45990)
aws_s3_bucket_replication_configuration (#42662)
aws_s3control_access_points (#45949)
aws_s3control_multi_region_access_points (#45974)
aws_savingsplans_savings_plan (#45834)
aws_wafv2_managed_rule_group (#45899)
aws_appflow_connector_profile (#45983)
aws_appflow_flow (#45980)
aws_cleanrooms_collaboration (#45953)
aws_cleanrooms_configured_table (#45956)
aws_cloudfront_key_value_store (#45957)
aws_opensearchserverless_collection (#46001)
aws_route53_record (#46059)
aws_s3_bucket (#46004)
aws_s3_object (#46002)
aws_security_group (#46062)
aws_apigatewayv2_routing_rule (#42961)
aws_arcregionswitch_plan (#43781)
aws_cloudfront_anycast_ip_list (#43331)
aws_notifications_managed_notification_account_contact_association (#45185)
aws_notifications_managed_notification_additional_channel_association (#45186)
aws_notifications_organizational_unit_association (#45197)
aws_notifications_organizations_access (#45273)
aws_opensearch_application (#43822)
aws_ram_permission (#44114)
aws_ram_resource_associations_exclusive (#45883)
aws_sagemaker_labeling_job (#46041)
aws_sagemaker_model_card (#45993)
aws_sagemaker_model_card_export_job (#46009)
aws_savingsplans_savings_plan (#45834)
aws_sesv2_tenant_resource_association (#45904)
aws_vpc_security_group_rules_exclusive (#45876)
ENHANCEMENTS:
routing_mode argument to support dynamic routing via routing rules (#42961)
routing_mode argument to support dynamic routing via routing rules (#42961)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
global_secondary_index.key_schema attribute (#46157)
segment_actions.routing_policy_names argument (#45928)
body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#46163)
source_resource attribute (#44705)
allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#45896)
vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#45966)
vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#46056)
certificate_rotation_restart argument (#45984)
stream_view_type is set and stream_enabled is either false or unset. (#45934)
BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#46092)
domain_join_service_account_secret argument to self_managed_active_directory configuration block (#45852)
self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#45852)
rules to a single element. (#46185)
memory_size from 10240 MB to 32768 MB (#46065)
network_performance_options argument (#46071)
pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#44881)
monitoring_schedule_config.monitoring_job_definition argument (#45951)
monitoring_schedule_config.monitoring_job_definition_name argument optional (#45951)
source_resource argument in support of provisioning of VPC Resource Planning Pools (#44705)
organizational_unit_exclusion argument (#45890)
ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#44705)
ipv6_cidr_block to Optional and Computed (#44705)
BUG FIXES:
rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#45909)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
attachment_routing_policy_rules.action.associate_routing_policies is empty (#46160)
region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#45895)
configuration.result_configuration.encryption_configuration argument (#46159)
Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#45972)
model_source is set (#45713)
auto_deployment with permission_model set to SERVICE_MANAGED (#45992)
runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#45873)
origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#45921)
InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#46110)
warm_throughput in global_secondary_index when not set in configuration. (#46094)
name is known after apply (#45917)
kubernetes_network_config argument name in EKS Auto Mode validation error message (#45997)
catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#43931)
health_check.protocol from HTTP to TCP when protocol is TCP (#46036)
firewall_policy.stateful_rule_group_reference.resource_arn (#46124)
delete_associated_resources being set when value is unknown (#45636)
partition_count (#45042)
iam_database_authentication_enabled when restored from snapshot (#39461)
port now works. (#45870)
ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#46137)
regions argument as Computed to fix an unexpected regions diff when it is not specified (#45829)
InvalidChangeBatch errors during ForceNew operations when zone name changes (#45242)
Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#45958)
UnsupportedArgument errors during tag-on-create operations (#46122)
MethodNotAllowed errors when S3 Control APIs are unavailable (#46122)
ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#46043)
ip_address_type (#45947)
v6.28.0
NOTES:
FEATURES:
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_kms_alias (#45700)
aws_sqs_queue (#45691)
aws_cloudfront_connection_function (#45664)
aws_cloudfront_connection_group (#44885)
aws_cloudfront_distribution_tenant (#45088)
aws_cloudfront_multitenant_distribution (#45535)
aws_dynamodb_global_secondary_index (#44999)
aws_ecr_pull_time_update_exclusion (#45765)
aws_organizations_tag (#45730)
aws_redshift_idc_application (#37345)
aws_secretsmanager_tag (#45825)
aws_sesv2_tenant (#45706)
ENHANCEMENTS:
endpoint_access_mode attribute (#45741)
endpoint_network_type and target_connection_network_type attributes (#45634)
tags attribute (#45766)
rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#45752)
saml_provider_uuid attribute (#45707)
response_streaming_invoke_arn attribute (#45652)
code_signing_config_arn in AWS GovCloud (US) Regions (#45652)
dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#45711)
target_ips attribute (#45492)
dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#45679)
service_region and vpc_endpoint_type from attributes to arguments for filtering ([#4
Configuration
📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.