chore(deps): update terraform aws to ~> 6.28.0 (main)

[anaconda-renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	minor	~> 6.3.0 -> ~> 6.28.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.28.0

Compare Source

NOTES:

• resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#​44999)

FEATURES:

• New Data Source: aws_cloudfront_connection_group (#​44885)
• New Data Source: aws_cloudfront_distribution_tenant (#​45088)
• New List Resource: aws_kms_alias (#​45700)
• New List Resource: aws_sqs_queue (#​45691)
• New Resource: aws_cloudfront_connection_function (#​45664)
• New Resource: aws_cloudfront_connection_group (#​44885)
• New Resource: aws_cloudfront_distribution_tenant (#​45088)
• New Resource: aws_cloudfront_multitenant_distribution (#​45535)
• New Resource: aws_dynamodb_global_secondary_index (#​44999)
• New Resource: aws_ecr_pull_time_update_exclusion (#​45765)
• New Resource: aws_organizations_tag (#​45730)
• New Resource: aws_redshift_idc_application (#​37345)
• New Resource: aws_secretsmanager_tag (#​45825)
• New Resource: aws_sesv2_tenant (#​45706)

ENHANCEMENTS:

• data-source/aws_apigateway_domain_name : Add endpoint_access_mode attribute (#​45741)
• data-source/aws_db_proxy: Add endpoint_network_type and target_connection_network_type attributes (#​45634)
• data-source/aws_dx_gateway: Add tags attribute (#​45766)
• data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#​45752)
• data-source/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
• data-source/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
• data-source/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
• data-source/aws_route53_resolver_firewall_rules: Add dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#​45711)
• data-source/aws_route53_resolver_rule: Add target_ips attribute (#​45492)
• data-source/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#​45679)
• data-source/aws_vpc_endpoint: Promote service_region and vpc_endpoint_type from attributes to arguments for filtering (#​45679)
• resource/aws_alb: Enforce tag policy compliance for the elasticloadbalancing:loadbalancer tag type (#​45671)
• resource/aws_alb_listener: Enforce tag policy compliance for the elasticloadbalancing:listener tag type (#​45671)
• resource/aws_alb_listener_rule: Enforce tag policy compliance for the elasticloadbalancing:listener-rule tag type (#​45671)
• resource/aws_alb_target_group: Enforce tag policy compliance for the elasticloadbalancing:targetgroup tag type (#​45671)
• resource/aws_apigateway_domain_name: Add endpoint_access_mode argument and configurable timeout for create and update (#​45741)
• resource/aws_athena_workgroup: Add customer_content_encryption_configuration argument (#​45744)
• resource/aws_athena_workgroup: Add enable_minimum_encryption_configuration argument (#​45744)
• resource/aws_athena_workgroup: Add monitoring_configuration argument (#​45744)
• resource/aws_cleanrooms_collaboration: Add resource identity support (#​45548)
• resource/aws_cloudfront_distribution: Add connection_function_association and viewer_mtls_config arguments (#​45847)
• resource/aws_cloudfront_distribution: Add owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#​45011)
• resource/aws_cloudwatch_log_subscription_filter: Add apply_on_transformed_logs argument (#​45826)
• resource/aws_cloudwatch_log_subscription_filter: Add emit_system_fields argument (#​45760)
• resource/aws_db_proxy: Add endpoint_network_type and target_connection_network_type arguments (#​45634)
• resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
• resource/aws_docdb_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
• resource/aws_dx_gateway: Add tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#​45766)
• resource/aws_ecr_repository_creation_template: Support CREATE_ON_PUSH as a valid value for applied_for (#​45720)
• resource/aws_ecs_capacity_provider: Add managed_instances_provider.instance_launch_template.capacity_option_type argument (#​45667)
• resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the fsx:snapshot tag type (#​45671)
• resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the fsx:volume tag type (#​45671)
• resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
• resource/aws_guardduty_filter: Add finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#​45758)
• resource/aws_iam_policy: Add delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#​42054)
• resource/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
• resource/aws_iam_virtual_mfa_device: Add serial_number attribute (#​45751)
• resource/aws_imagebuilder_image: Add logging_configuration argument (#​45749)
• resource/aws_imagebuilder_image_pipeline: Add logging_configuration argument (#​45749)
• resource/aws_inspector_assessment_target: Add plan-time validation of resource_group_arn (#​45688)
• resource/aws_inspector_assessment_template: Add plan-time validation of rules_package_arns and target_arn (#​45688)
• resource/aws_lambda_event_source_mapping: Add provisioned_poller_config.poller_group_name argument (#​45313)
• resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (kafka://topic-name) for destination_config.on_failure.destination_arn argument (#​45802)
• resource/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
• resource/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
• resource/aws_lambda_function_url: Automatically add the lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#​44858)
• resource/aws_lambda_permission: Add invoked_via_function_url argument (#​44858)
• resource/aws_lb_target_group_attachment: Add quic_server_id argument (#​45666)
• resource/aws_lb_target_group_attachment: Add plan-time validation of target_group_arn (#​45666)
• resource/aws_neptune_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
• resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
• resource/aws_neptune_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
• resource/aws_networkmanager_vpc_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#​45728)
• resource/aws_osis_pipeline: Add pipeline_role_arn argument to support specifying a IAM role at the pipeline level (#​45806)
• resource/aws_rds_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
• resource/aws_redshift_data_share_consumer_association: Add plan-time validation of consumer_region (#​45688)
• resource/aws_route53_resolver_firewall_rule: Add dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#​45711)
• resource/aws_transfer_web_app: Add endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#​45745)
• resource/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#​45679)
• resource/aws_vpclattice_service_network_resource_association: Add private_dns_enabled argument (#​45673)
• resource/aws_vpn_connection: Support in-place updates for tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#​45781)

BUG FIXES:

• data-source/aws_ecr_authorization_token: Fix value of proxy_endpoint when registry_id is specified (#​45754)
• data-source/aws_networkmanager_core_network_policy_document: Support account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#​45788)
• data-source/aws_vpc_endpoint: Add missing implementation for service_region attribute (#​45679)
• provider: Fix handling of user_agent values where the product name contains a forward slash (#​45715)
• resource/aws_batch_job_definition: Fix crash during update when node_properties has NodeRangeProperties.ecsProperties set (#​45676)
• resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#​45694)
• resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#​43762)
• resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#​45778)
• resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#​45842)
• resource/aws_vpc: Fix reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#​45780)
• resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#​45849)
• resource/aws_vpc_endpoint: private_dns_enabled argument is now marked as ForceNew (#​45679)

v6.27.0

Compare Source

FEATURES:

• New Data Source: aws_organizations_account (#​45543)
• New Function: user_agent (#​45464)
• New List Resource: aws_kms_key (#​45514)
• New Resource: aws_cloudfront_trust_store (#​45534)

ENHANCEMENTS:

• data-source/aws_datazone_domain: Add root_domain_unit_id attribute (#​44964)
• data-source/aws_networkmanager_core_network_policy_document: Add routing_policies and attachment_routing_policy_rules arguments (#​45246)
• data-source/aws_route53_resolver_endpoint: Add rni_enhanced_metrics_enabled attribute (#​45630)
• data-source/aws_route53_resolver_endpoint: Add target_name_server_metrics_enabled attribute (#​45630)
• provider: Add user_agent argument (#​45464)
• provider: The provider_meta block is now supported. The user_agent argument enables module authors to include additional product information in the User-Agent header sent during all AWS API requests made during Create, Read, Update, and Delete operations. (#​45464)
• resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.kendra_knowledge_base_configuration argument (#​44388)
• resource/aws_bedrockagent_knowledge_base: Add knowledge_base_configuration.sql_knowledge_base_configuration and storage_configuration.neptune_analytics_configuration arguments (#​45465)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.mongo_db_atlas_configuration argument (#​37220)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.opensearch_managed_cluster_configuration argument (#​44060)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.s3_vectors_configuration block (#​45468)
• resource/aws_bedrockagent_knowledge_base: Make knowledge_base_configuration.vector_knowledge_base_configuration and ``storage_configuration` optional (#​44388)
• resource/aws_codebuild_project: Add cache.cache_namespace argument (#​45584)
• resource/aws_datazone_domain: Add root_domain_unit_id argument (#​44964)
• resource/aws_lambda_function: code_sha256 is now optional and computed (#​45618)
• resource/aws_networkmanager_connect_attachment: Add routing_policy_label argument (#​45246)
• resource/aws_networkmanager_connect_peer: Support 4 byte ASNs in bgp_options.peer_asn (#​45246)
• resource/aws_networkmanager_connect_peer: Support 4 byte ASNs in configuration.bgp_configurations.peer_asn (#​45639)
• resource/aws_networkmanager_dx_gateway_attachment: Add routing_policy_label argument (#​45246)
• resource/aws_networkmanager_site_to_site_vpn_attachment: Add routing_policy_label argument (#​45246)
• resource/aws_networkmanager_transit_gateway_route_table_attachment: Add routing_policy_label argument (#​45246)
• resource/aws_networkmanager_vpc_attachment: Add routing_policy_label argument (#​45246)
• resource/aws_route53_resolver_endpoint: Add rni_enhanced_metrics_enabled argument (#​45630)
• resource/aws_route53_resolver_endpoint: Add target_name_server_metrics_enabled argument (#​45630)
• resource/aws_vpclattice_service_network_vpc_association: Add private_dns_enabled and dns_options arguments (#​45619)

BUG FIXES:

• data-source/aws_networkmanager_core_network_policy_document: Correct plan-time validation of attachment_policies.conditions.type to allow account instead of account-id (#​45246)
• resource/aws_bedrockagent_knowledge_base: Mark knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration and knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration as ForceNew (#​45465)
• resource/aws_dynamodb_table: Fix perpetual diff on global_secondary_index when using ignore_changes lifecycle meta-argument (#​41113)
• resource/aws_iam_user: Fix NoSuchEntity errors when name and tags arguments are both updated (#​45608)
• resource/aws_lakeformation_data_cells_filter: Fix excluded_column_names ordering causing "Provider produced inconsistent result after apply" errors (#​45453)
• resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow triggered by upstream changes to the API error response text (#​45605)
• resource/aws_networkmanager_connect_peer: Change bgp_options and bgp_options.peer_asn to Optional, Computed and ForceNew (#​45639)
• resource/aws_odb_cloud_vm_cluster: Enable deletion of vm cluster in resource shared account. (#​45552)
• resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow triggered by upstream changes to the API error response text (#​45605)
• resource/aws_s3_bucket: Fix endpoint rule error, AccountId must only contain a-z, A-Z, 0-9 and `-`​ errors when the provider is configured with skip_requesting_account_id = true. This fixes a regression introduced in v6.23.0 (#​45576)
• resource/aws_verifiedpermissions_identity_source: Fixes error when updating resource (#​45540)
• resource/aws_verifiedpermissions_identity_source: Prevents eventual consistency error with associated Policy Store (#​45540)
• resource/aws_verifiedpermissions_identity_source: Removes AutoFlex error log messages (#​45540)

v6.26.0

Compare Source

FEATURES:

• New List Resource: aws_batch_job_definition (#​45401)
• New List Resource: aws_codebuild_project (#​45400)
• New List Resource: aws_lambda_capacity_provider (#​45467)
• New List Resource: aws_ssm_parameter (#​45512)
• New Resource: aws_iam_outbound_web_identity_federation (#​45217)

ENHANCEMENTS:

• data-source/aws_db_instance: Add upgrade_rollout_order attribute (#​45527)
• data-source/aws_eks_node_group : Add update_config block including update_strategy attribute (#​41487)
• data-source/aws_rds_cluster: Add upgrade_rollout_order attribute (#​45527)
• resource/aws_bedrockagent_agent: Add session_summary_configuration.max_recent_sessions argument (#​45449)
• resource/aws_db_instance: Add upgrade_rollout_order attribute (#​45527)
• resource/aws_eks_node_group : Add update_config.update_strategy attribute (#​41487)
• resource/aws_kinesisanalyticsv2_application: Add application_configuration.application_encryption_configuration argument (#​45356)
• resource/aws_kinesisanalyticsv2_application: Support FLINK-1_20 as a valid value for runtime_environment (#​45356)
• resource/aws_lambda_capacity_provider: Add resource identity support (#​45456)
• resource/aws_odb_network_peering_connection: Add network peering creation using odb_network_arn for resource sharing model. (#​45509)
• resource/aws_rds_cluster: Add upgrade_rollout_order attribute (#​45527)
• resource/aws_s3vectors_index: Add encryption_configuration block (#​45470)
• resource/aws_s3vectors_index: Add metadata_configuration block (#​45470)

BUG FIXES:

• data-source/aws_ec2_transit_gateway: Fix potential crash when reading encryption_support. This addresses a regression introduced in v6.25.0. (#​45462)
• resource/aws_api_gateway_integration: Fix timeout_milliseconds validation to allow up to 900,000 ms when response_transfer_mode is STREAM (#​45482)
• resource/aws_bedrock_model_invocation_logging_configuration: Mark logging_config.s3_config.bucket_name, logging_config.cloudwatch_config.log_group_name, logging_config.cloudwatch_config.role_arn, and logging_config.cloudwatch_config.large_data_delivery_s3_config.bucket_name as Required (#​45469)
• resource/aws_ec2_transit_gateway: Fix potential crash when setting encryption_support. This addresses a regression introduced in v6.25.0. (#​45462)
• resource/aws_lambda_function: Fix persistent diff when image_config has null values set in config (#​45511)
• resource/aws_notifications_event_rule: Fix persistent diff when event_pattern argument is not specified in config (#​45524)
• resource/aws_route53_zone: Operations to enable accelerated recovery are enforced to run serially when multiple hosted zones are configured (#​45457)
• resource/aws_sagemaker_model: Mark vpc_config.security_group_ids and vpc_config.subnets as ForceNew (#​45491)
• resource/aws_secretsmanager_secret_version: Avoid sending GetSecretValue calls when the secret is write-only (#​44876)

v6.25.0

Compare Source

FEATURES:

• New Resource: aws_cloudwatch_log_transformer (#​44300)
• New Resource: aws_eks_capability (#​45326)

ENHANCEMENTS:

• data-source/aws_backup_plan: Add rule.scan_action and scan_setting attributes (#​45392)
• data-source/aws_cloudwatch_log_group: Add deletion_protection_enabled attribute (#​45298)
• data-source/aws_ec2_transit_gateway: Add encryption_support attribute (#​45317)
• data-source/aws_lambda_function: Add durable_config attribute (#​45359)
• data-source/aws_lb: Add health_check_logs attribute (#​45269)
• data-source/aws_lb_target_group: Add target_control_port attribute (#​45270)
• data-source/aws_route53_zone: Add enable_accelerated_recovery attribute (#​45302)
• data-source/aws_transfer_connector: Add egress_config attribute to expose VPC Lattice connectivity configuration (#​45314)
• data-source/aws_workspaces_directory: Add tenancy attribute (#​43134)
• resource/aws_api_gateway_integration: Add integration_target argument (#​45311)
• resource/aws_api_gateway_integration: Add response_transfer_mode argument (#​45329)
• resource/aws_athena_workgroup: Add configuration.managed_query_results_configuration block (#​44273)
• resource/aws_backup_plan: Support malware scanning by adding rule.scan_action and scan_setting configuration blocks (#​45392)
• resource/aws_bedrockagentcore_gateway: Add interceptor_configuration argument (#​45344)
• resource/aws_cloudwatch_log_group: Add deletion_protection_enabled argument (#​45298)
• resource/aws_ec2_transit_gateway: Add encryption_support argument (#​45317)
• resource/aws_flow_log: Add regional_nat_gateway_id argument (#​45380)
• resource/aws_kms_ciphertext: Add plaintext_wo and plaintext_wo_version arguments to support write-only input (#​43592)
• resource/aws_lambda_function: Add durable_config argument (#​45359)
• resource/aws_lb: Add health_check_logs configuration block (#​45269)
• resource/aws_lb_target_group: Add target_control_port argument to support the ALB Target Optimizer (#​45270)
• resource/aws_rolesanywhere_profile: Add accept_role_session_name argument (#​45391)
• resource/aws_rolesanywhere_profile: Add plan-time validation of managed_policy_arns and role_arns (#​45391)
• resource/aws_route53_zone: Add enable_accelerated_recovery argument (#​45302)
• resource/aws_ssm_association: Add calendar_names argument (#​45363)
• resource/aws_transfer_connector: Add egress_config argument to support VPC Lattice connectivity for SFTP connectors (#​45314)
• resource/aws_transfer_connector: Make url argument optional to support VPC Lattice connectors (#​45314)
• resource/aws_workspaces_directory: Add tenancy argument (#​43134)

v6.24.0

Compare Source

FEATURES:

• New Resource: aws_lambda_capacity_provider (#​45342)
• New Resource: aws_s3tables_table_bucket_replication (#​45360)
• New Resource: aws_s3tables_table_replication (#​45360)
• New Resource: aws_s3vectors_index (#​43393)
• New Resource: aws_s3vectors_vector_bucket (#​43393)
• New Resource: aws_s3vectors_vector_bucket_policy (#​43393)

ENHANCEMENTS:

• data-source/aws_lambda_function: Add capacity_provider_config attribute (#​45342)
• data-source/aws_vpc_nat_gateway: Support regional NAT Gateways by adding auto_provision_zones, auto_scaling_ips, availability_mode, availability_zone_address, regional_nat_gateway_address, and route_table_id attributes (#​45240)
• resource/aws_backup_plan: Add target_logically_air_gapped_backup_vault_arn argument to rule block (#​45321)
• resource/aws_lambda_function: Add capacity_provider_config and publish_to arguments (#​45342)
• resource/aws_resourceexplorer2_index: Deprecates id. Use arn instead. (#​45345)
• resource/aws_resourceexplorer2_view: Deprecates id. Use arn instead. (#​45345)
• resource/aws_vpc_nat_gateway: Make subnet_id argument optional to support regional NAT Gateways (#​45420)
• resource/aws_vpc_nat_gateway: Support regional NAT Gateways by adding availability_mode, availability_zone_address, and vpc_id arguments, and auto_provision_zones, auto_scaling_ips, regional_nat_gateway_address, and route_table_id attributes. This functionality requires the ec2:DescribeAvailabilityZones IAM permission (#​45240)
• resource/aws_vpn_connection: Add bgp_log_enabled, bgp_log_group_arn, and bgp_log_stream_arn arguments to tunnel1_log_options.cloudwatch_log_options and tunnel2_log_options.cloudwatch_log_options blocks (#​45271)

v6.23.0

Compare Source

NOTES:

• resource/aws_s3_bucket: To support ABAC (Attribute Based Access Control) in general purpose buckets, this resource will now attempt to send tags in the create request and use the S3 Control tagging APIs TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#​45251)

FEATURES:

• New Resource: aws_ecs_express_gateway_service (#​45235)
• New Resource: aws_s3_bucket_abac (#​45251)
• New Resource: aws_vpc_encryption_control (#​45263)
• New Resource: aws_vpn_concentrator (#​45175)

ENHANCEMENTS:

• action/aws_lambda_invoke: Add tenant_id argument (#​45170)
• data-source/aws_eks_cluster: Add control_plane_scaling_config attribute (#​45258)
• data-source/aws_lambda_function: Add tenancy_config attribute (#​45170)
• data-source/aws_lambda_invocation: Add tenant_id argument (#​45170)
• data-source/aws_vpn_connection: Add vpn_concentrator_id attribute (#​45175)
• resoource/aws_ecs_capacity_provider: Add managed_instances_provider.infrastructure_optimization argument (#​45142)
• resource/aws_docdb_cluster: Add network_type argument (#​45140)
• resource/aws_docdb_subnet_group: Add supported_network_types attribute (#​45140)
• resource/aws_eks_cluster: Add control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#​45258)
• resource/aws_lambda_function: Add tenancy_config argument (#​45170)
• resource/aws_lambda_invocation: Add tenant_id argument (#​45170)
• resource/aws_s3_bucket: Tag on creation when the s3:TagResource permission is present (#​45251)
• resource/aws_s3_bucket: Use the S3 Control tagging APIs when the s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#​45251)
• resource/aws_vpn_connection: Add vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#​45175)

v6.22.1

Compare Source

ENHANCEMENTS:

• resource/aws_fsx_openzfs_file_system: Support INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#​45159)
• resource/aws_msk_cluster: Add rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#​45073)

BUG FIXES:

• provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in v6.22.0. (#​45201)
• provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in v6.22.0. (#​45201)
• resource/aws_accessanalyzer_analyzer: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#​45202)
• resource/aws_odb_cloud_vm_cluster: Fix incorrect validation error when arguments are configured using variables. This addresses a regression introduced in v6.22.0 (#​45205)

v6.22.0

Compare Source

NOTES:

• resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#​45105)

FEATURES:

• New Ephemeral Resource: aws_ecr_authorization_token (#​44949)
• New Guide: Tag Policy Compliance (#​45143)
• New Resource: aws_billing_view (#​45097)
• New Resource: aws_vpclattice_domain_verification (#​45085)

ENHANCEMENTS:

• data-source/aws_lb_listener: Add default_action.jwt_validation attribute (#​45089)
• data-source/aws_lb_listener_rule: Add action.jwt_validation attribute (#​45089)
• data-source/aws_route53_zone: Support filtering by tags only or by vpc_id only (#​39671)
• provider: Add support for enforcing tag policy compliance. This opt-in feature can be enabled via the new tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#​45143)
• resource/aws_backup_logically_air_gapped_vault: Add encryption_key_arn argument (#​45020)
• resource/aws_bedrock_guardrail: Add input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#​45104)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#​45075)
• resource/aws_bedrockagentcore_agent_runtime: Add agent_runtime_artifact.code_configuration block (#​45091)
• resource/aws_bedrockagentcore_agent_runtime: Make agent_runtime_artifact.container_configuration block optional (#​45091)
• resource/aws_dynamodb_table: Add global_table_witness argument (#​43908)
• resource/aws_emr_managed_scaling_policy: Add scaling_strategy and utilization_performance_index arguments (#​45132)
• resource/aws_fis_experiment_template: Add plan-time validation of log_configuration.cloudwatch_logs_configuration.log_group_arn (#​35941)
• resource/aws_fis_experiment_template: Add support for Functions to action.*.target (#​41209)
• resource/aws_lambda_invocation: Add import support (#​41240)
• resource/aws_lb_listener: Support jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#​45089)
• resource/aws_lb_listener_rule: Support jwt-validation as a valid action.type and add action.jwt_validation configuration block (#​45089)
• resource/aws_odb_cloud_vm_cluster: vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45003)
• resource/aws_organizations_organization: Add SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#​45135)
• resource/aws_prometheus_query_logging_configuration: Add plan-time validation of destination.cloudwatch_logs.log_group_arn (#​35941)
• resource/aws_prometheus_workspace: Add plan-time validation of logging_configuration.log_group_arn (#​35941)
• resource/aws_s3_bucket_server_side_encryption_configuration: Add rule.blocked_encryption_types argument (#​45105)
• resource/aws_sagemaker_model: Add container.additional_model_data_source and primary_container.additional_model_data_source arguments (#​44407)
• resource/aws_sfn_state_machine: Add plan-time validation of logging_configuration.log_destination (#​35941)
• resource/aws_timestreaminfluxdb_db_cluster: Add engine_type attribute (#​44899)
• resource/aws_timestreaminfluxdb_db_cluster: Add validation to ensure InfluxDB V2 clusters have required fields and InfluxDB V3 clusters (when using V3 parameter groups) do not have forbidden V2 fields. This functionality requires the timestream-influxdb:GetDbParameterGroup IAM permission (#​44899)
• resource/aws_vpclattice_resource_configuration: Add custom_domain_name and domain_verification_id arguments and domain_verification_arn and domain_verification_status attributes to support custom domain names for resource configurations (#​45085)
• resource/aws_vpn_connection: Add `tunnel_bandwi

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.