Releases: hashicorp/terraform-provider-aws
Releases · hashicorp/terraform-provider-aws
Release list
v6.55.0
6.55.0 (July 15, 2026)
FEATURES:
- New Data Source:
aws_elasticache_service_updates(#44608) - New List Resource:
aws_autoscaling_group(#48928) - New List Resource:
aws_cloudwatch_log_stream(#48878) - New List Resource:
aws_kinesis_firehose_delivery_stream(#48946) - New List Resource:
aws_network_interface(#48887) - New List Resource:
aws_rds_cluster(#48948) - New List Resource:
aws_sfn_state_machine(#48840)
ENHANCEMENTS:
- resource/aws_bedrock_guardrail: Add
updated_atattribute (#48881) - resource/aws_bedrockagentcore_agent_runtime: Add
allowed_workload_configuration,private_endpoint, andprivate_endpoint_overridesconfiguration blocks toauthorizer_configuration.custom_jwt_authorizer, and the read-onlyrequire_service_s3_endpointattribute tonetwork_configuration.network_mode_config(#48654) - resource/aws_bedrockagentcore_gateway: Add
allowed_workload_configuration,private_endpoint, andprivate_endpoint_overridesconfiguration blocks toauthorizer_configuration.custom_jwt_authorizer(#48654) - resource/aws_bedrockagentcore_harness: Add
allowed_workload_configuration,private_endpoint, andprivate_endpoint_overridesconfiguration blocks toauthorizer_configuration.custom_jwt_authorizer(#48654) - resource/aws_bedrockagentcore_harness: Add
require_service_s3_endpointargument tonetwork_configuration.network_mode_config(#48654) - resource/aws_bedrockagentcore_registry: Add
allowed_workload_configuration,private_endpoint, andprivate_endpoint_overridesconfiguration blocks toauthorizer_configuration.custom_jwt_authorizer(#48654) - resource/aws_msk_replicator: Add
consumer_group_offset_sync_modeattribute toconsumer_group_replicationblock (#47670) - resource/aws_network_interface: Add resource identity support (#48887)
- resource/aws_rds_cluster: Add resource identity support (#48948)
BUG FIXES:
v6.54.0
6.54.0 (July 8, 2026)
NOTES:
- resource/aws_sagemaker_endpoint_configuration: Because we cannot easily test the behavior of
capacity_reservation_config, it is best effort and we ask for community help in testing (#45926) - resource/aws_ssoadmin_region: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#48126)
FEATURES:
- New Data Source:
aws_route53profiles_profile(#48780) - New List Resource:
aws_bedrockagentcore_browser_profile(#46862) - New List Resource:
aws_codepipeline(#48808) - New List Resource:
aws_lambda_function_scaling_config(#48229) - New List Resource:
aws_scheduler_schedule(#48828) - New List Resource:
aws_ssoadmin_region(#48126) - New List Resource:
aws_workspaces_pool(#42678) - New Resource:
aws_bedrockagentcore_browser_profile(#46862) - New Resource:
aws_lambda_function_scaling_config(#48229) - New Resource:
aws_ssoadmin_region(#48126) - New Resource:
aws_workspaces_pool(#42678)
ENHANCEMENTS:
- action/aws_codebuild_start_build: Add
host_kernel_overrideargument (#48777) - data-source/aws_mq_broker: Add
resource_share_arnsandshared_resourcesattributes (#48729) - resource/aws_cloudfront_key_value_store: Add
tagsandtags_allattributes (#48458) - resource/aws_cloudwatch_event_api_destination: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_archive: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_bus: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_bus_policy: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_connection: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_endpoint: Add Resource Identity support (#48819)
- resource/aws_cloudwatch_event_permission: Add Resource Identity support (#48819)
- resource/aws_codebuild_project: Add
host_kernelargument to theenvironmentconfiguration block (#48777) - resource/aws_codepipeline: Add resource identity support (#48808)
- resource/aws_iam_policy_attachment: Add resource identity support (#48639)
- resource/aws_lambda_event_source_mapping: Add
use_resource_timeout_for_propagationargument (#46405) - resource/aws_lambda_event_source_mapping: Add configurable resource timeouts. Defaults to
10mforcreateandupdate,5mfordelete. (#46405) - resource/aws_lambda_function: Add
use_resource_timeout_for_propagationargument (#46405) - resource/aws_lambda_permission: Add configurable resource timeouts. Defaults to
5mforcreate,read, anddelete. (#46405) - resource/aws_lambda_permission: Hard-coded timeouts to account for eventual consistency have been replaced with configurable resource timeouts (#46405)
- resource/aws_mq_broker: Add
resource_share_arnsargument andshared_resourcesattribute (#48729) - resource/aws_prometheus_workspace_configuration: Add
out_of_order_time_window_in_secondsandrule_query_offset_in_secondsarguments (#48659) - resource/aws_rds_cluster: Add support for
auto_minor_version_upgradeargument (#42472) - resource/aws_sagemaker_endpoint_configuration: Add Resource Identity support (#45926)
- resource/aws_sagemaker_endpoint_configuration: Add
production_variants.capacity_reservation_configandshadow_production_variants.capacity_reservation_configconfiguration blocks (#45926) - resource/aws_scheduler_schedule: Add resource identity support (#48828)
BUG FIXES:
- resource/aws_bedrock_guardrail: Prevents "inconsistent result" error when adding
content_policy_configblock. (#48772) - resource/aws_bedrock_guardrail: Prevents "inconsistent result" error when adding
topic_policy_configblock. (#48772) - resource/aws_bedrock_guardrail: Prevents "inconsistent result" error with multiple
content_policy_config.filters_config.input_modalitiesvalues. (#48772) - resource/aws_bedrock_guardrail: Prevents "inconsistent result" error with multiple
content_policy_config.filters_config.output_modalitiesvalues. (#48772) - resource/aws_cloudfront_multitenant_distribution: Correctly handles default tags. (#48783)
- resource/aws_cloudfront_multitenant_distribution: Correctly taints resource if Create fails. (#48782)
- resource/aws_cloudfront_multitenant_distribution: Sets
etagon Import. (#48782) - resource/aws_cloudfront_multitenant_distribution: Updates
etagwhen onlytagsupdated. (#48782) - resource/aws_cloudfront_multitenant_distribution: Waits for deployment on Update. (#48782)
- resource/aws_directory_service_directory: Fix
UnsupportedOperationExceptionerror when readingenable_directory_data_accessin regions where Directory Service Data is not available (e.g. GovCloud) (#47660)
v6.53.0
6.53.0 (July 1, 2026)
BREAKING CHANGES:
- resource/aws_pinpointsmsvoicev2_phone_number: Remove provider-side defaults for
opt_out_list_nameandtwo_way_channel_enabledin favor of AWS server-side defaults (Defaultandfalserespectively). Configurations that omit these attributes will now show(known after apply)on first plan instead of the previous static value; the post-apply state is unchanged. This change mitigates persistent drift when the phone number is managed by anaws_pinpointsmsvoicev2_pool. (#48414)
NOTES:
- list-resource/aws_bedrockagentcore_registry: This resource is deprecated. AWS Agent Registry is currently available in public preview. On August 6, 2026 this functionality will move from the
bedrock-agentcorenamespace to theagent-registrynamespace. Theaws_bedrockagentcore_browserresource will continue to work until September 17, 2026 (#48693) - resource/aws_bedrockagentcore_registry: This resource is deprecated. AWS Agent Registry is currently available in public preview. On August 6, 2026 this functionality will move from the
bedrock-agentcorenamespace to theagent-registrynamespace. Theaws_bedrockagentcore_browserresource will continue to work until September 17, 2026 (#48693) - resource/aws_ecs_capacity_provider: When a change forces replacement of a capacity provider that is associated with a cluster via
aws_ecs_cluster_capacity_providers, add areplace_triggered_bylifecycle rule to the association so the old capacity provider is detached before it is deleted (#48156)
FEATURES:
- New Data Source:
aws_bedrock_foundation_model_agreement_offers(#47665) - New Data Source:
aws_bedrock_use_case_for_model_access(#47665) - New Data Source:
aws_ec2_capacity_block_reservation(#48185) - New List Resource:
aws_pinpointsmsvoicev2_pool(#48414) - New Resource:
aws_bedrock_foundation_model_agreement(#47665) - New Resource:
aws_bedrock_use_case_for_model_access(#47665) - New Resource:
aws_pinpointsmsvoicev2_pool(#48414)
ENHANCEMENTS:
- data-source/aws_api_gateway_rest_api: Add
security_policyandendpoint_access_modeattributes (#47973) - data-source/aws_msk_cluster: Add
customer_action_statusattribute (#48536) - resource/aws_api_gateway_rest_api: Add
security_policyandendpoint_access_modearguments (#47973) - resource/aws_bedrockagentcore_browser: Add
browser_signing,certificate, andenterprise_policyconfiguration blocks (#47816) - resource/aws_bedrockagentcore_code_interpreter: Add
certificateargument (#47817) - resource/aws_cloudwatch_composite_alarm: Add Resource Identity support (#48679)
- resource/aws_cloudwatch_contributor_insight_rule: Add Resource Identity support (#48679)
- resource/aws_cloudwatch_contributor_insight_rule: Add plan-time validation of
rule_definition(#48679) - resource/aws_cloudwatch_contributor_insight_rule: Change
rule_stateto Optional and Computed (#48679) - resource/aws_cloudwatch_contributor_managed_insight_rule: Add Resource Identity support (#48679)
- resource/aws_cloudwatch_contributor_managed_insight_rule: Add plan-time validation of
resource_arnandtemplate_name(#48679) - resource/aws_cloudwatch_dashboard: Add Resource Identity support (#48679)
- resource/aws_cloudwatch_metric_stream: Add Resource Identity support (#48679)
- resource/aws_default_vpc: Add resource identity support (#47590)
- resource/aws_msk_cluster: Add
customer_action_statusattribute (#48536) - resource/aws_pinpointsmsvoicev2_phone_number: Add
force_disassociateargument (#48414) - resource/aws_securityhub_automation_rule: Deprecates
idin favor ofarn(#48636) - resource/aws_ssmcontacts_rotation: Deprecates
idin favor ofarn(#48636) - resource/aws_ssoadmin_trusted_token_issuer: Deprecates
idin favor ofarn(#48636)
BUG FIXES:
- data-source/aws_codeartifact_authorization_token: Mark
authorization_tokenas sensitive (#48577) - resource/aws_cloudwatch_contributor_managed_insight_rule: Mark
resource_arn,tagsandtemplate_nameasForceNew(#48679) - resource/aws_default_vpc: Fix provider panic (nil pointer dereference) when importing via an
importblock orterraform import(#47590) - resource/aws_ecs_capacity_provider: Return the underlying error immediately instead of timing out after 20 minutes when deleting a capacity provider that is still associated with a cluster (#48156)
- resource/aws_iam_user: Handle
InvalidActionerrors in partitions where access key cleanup operations are not supported (#48473) - resource/aws_instance: Fix perpetual diff when
instance_market_options.market_typeis set tocapacity-block(#48701) - resource/aws_lightsail_bucket_access_key: Mark
secret_access_keyas sensitive (#48577) - resource/aws_lightsail_key_pair: Mark
private_keyas sensitive (#48577) - resource/aws_route53_record: Fix the
typeattribute to no longer force resource replacement on change (#47105) - resource/aws_sqs_queue: Reduce the wait time for queue deletion. This fixes a regression introduced in v6.34.0. (#48722)
v6.52.0
6.52.0 (June 24, 2026)
NOTES:
- resource/aws_lakeformation_permissions: Grants on
aws_glue_catalog_tableviews (table_type = "VIRTUAL_VIEW") are now preserved when the view'sview_definitionis updated, as the underlying table is updated in place rather than recreated (#48532) - resource/aws_serverlessapplicationrepository_cloudformation_stack: Existing affected resources whose state still contains
****forNoEchoparameters or is missing default-matchingparameterskeys require a one-time manual reconciliation after upgrading. To recover: (1) addlifecycle { ignore_changes = [parameters] }temporarily, (2) pull state withterraform state pull, (3) correct the affectedparametersvalues and incrementserial, (4) push state back withterraform state push, (5) remove theignore_changesblock, and (6) confirm withterraform plan. For non-sensitive parameters you can instead temporarily set the parameter to a non-default value, apply, revert, and apply again (#46748) - resource/aws_serverlessapplicationrepository_cloudformation_stack:
NoEchoparameter values are now persisted in Terraform state in plaintext rather than as****. This is consistent with how Terraform stores other sensitive inputs (for example,aws_db_instance.password). Ensure your state backend is appropriately secured (#46748)
FEATURES:
- New Data Source:
aws_s3_bucket_notification(#31512) - New List Resource:
aws_appautoscaling_target(#48449) - New List Resource:
aws_bedrockagentcore_registry(#48314) - New List Resource:
aws_dynamodb_table_item(#48520) - New Resource:
aws_bedrockagentcore_registry(#48314)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
control_plane_egress_modeattribute tovpc_configblock (#48497) - provider: Generated names are now created using a cryptographically strong random generator instead of a timestamp and counter, so values are more uniformly distributed over the lowercase hexadecimal digit characters (#47995)
- resource/aws_appautoscaling_target: Add resource identity support (#48449)
- resource/aws_cloudwatch_log_account_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_anomaly_detector: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_data_protection_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_delivery: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_delivery_destination: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_delivery_destination_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_delivery_source: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_destination: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_destination_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_index_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_resource_policy: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_log_stream: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_query_definition: Add Resource Identity support (#48502)
- resource/aws_cloudwatch_query_definition: Add
arnattribute (#48502) - resource/aws_default_network_acl: Prevents error on creation when tag-based authorization in use. (#44798)
- resource/aws_dynamodb_table_item: Add Resource Identity support (#48520)
- resource/aws_dynamodb_table_item: Add import support (#48520)
- resource/aws_eks_cluster: Add
control_plane_egress_modeargument tovpc_configblock (#48497) - resource/aws_mq_broker: Known endpoints in
instances.0.endpointsare now returned in a deterministic order based on protocol prefix and port, including the newhttps://...:16001Prometheus metrics endpoint introduced in RabbitMQ 4.2 and later; any unrecognized endpoint types are appended afterward in API order (#47777) - resource/aws_serverlessapplicationrepository_cloudformation_stack: Change
capabilitiesfromRequiredtoOptional/Computed. Applications without required capabilities can now omit the argument and the value applied by AWS will be tracked in state (#46748)
BUG FIXES:
- provider: Fix AWS API errors such as EC2's
IdempotentParameterMismatchby generating client-supplied idempotency tokens using a cryptographically strong random generator and extended alphabet (#47995) - provider: Restore HTTP request and response body content in
TF_LOG=DEBUGoutput for resources, data sources, and list resources. Redaction continues to apply to ephemeral resources and actions (#48463) - resource/aws_cloudwatch_log_delivery: Add mutex lock around create, update, and delete operations to prevent
ConflictExceptionerrors (#48158) - resource/aws_cloudwatch_log_delivery: Fix
Provided delivery configuration is invalid for the destination typeerrors whens3_delivery_configurationis unchanged (#46123) - resource/aws_elasticache_global_replication_group: Fix persistent
automatic_failover_enableddiff by reading the value from the primary member (#47647) - resource/aws_elasticache_replication_group: Fix persistent
automatic_failover_enableddiff on member replication groups of anaws_elasticache_global_replication_group(#47647) - resource/aws_elasticache_reserved_cache_node: Fix
Provider returned invalid result object after applyand subsequenttoo many resultswarning that silently removed the resource from state whenidwas not set in configuration (#48462) - resource/aws_elasticache_serverless_cache: Fix
InvalidParameterCombination: Serverless Cache modifications only support modifying one field per requesterror when changing multiple attributes in a single apply (#47918) - resource/aws_elasticache_user: Fix
user_idproducing inconsistent final plan when using mixed-case values (#47705) - resource/aws_elasticache_user_group: Fix
user_group_idproducing inconsistent final plan when using mixed-case values (#47705) - resource/aws_glue_catalog_table: Allow in-place update of a
VIRTUAL_VIEWtable'sview_definitionby passingViewUpdateActionto the GlueUpdateTableAPI (#48532) - resource/aws_serverlessapplicationrepository_cloudformation_stack: Fix
change set: unexpected state 'FAILED', wanted target 'CREATE_COMPLETE'. last error: No updates are to be performederrors on subsequent applies. Previously,parameterswhose value matched the application's default were pruned from state, andNoEchoparameter values were stored as****, both of which produced false drift (#46748)
v6.51.0
6.51.0 (June 17, 2026)
NOTES:
- resource/aws_cloudfront_distribution_tenant: When using
managed_certificate_request, managed certificate issuance uses a fixed 3-hour timeout regardless of the configured resource timeout. This behavior will be updated in a future major version. (#47839) - resource/aws_dms_s3_endpoint: The
kms_key_arnattribute has been deprecated. All configurations usingkms_key_arnshould be updated to use theserver_side_encryption_kms_key_idattribute instead. (#48441) - resource/aws_eks_cluster: Because we cannot easily test the behavior of
outpost_config, the changes are best effort and we ask for community help in testing (#48367)
FEATURES:
- New List Resource:
aws_acm_certificate(#48283) - New List Resource:
aws_bedrockagentcore_evaluator(#47964) - New List Resource:
aws_sagemaker_hub_content_reference(#48379) - New Resource:
aws_bedrockagentcore_evaluator(#47964) - New Resource:
aws_sagemaker_hub_content_reference(#48379)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
outpost_config.control_plane_placement.spread_level,outpost_config.etcd_instance_type, andoutpost_config.etcd_placementattributes (#48367) - resource/aws_cloudfront_distribution: Add
origin.custom_origin_config.origin_mtls_configargument (#46421) - resource/aws_cloudfront_multitenant_distribution: Add
origin.custom_origin_config.origin_mtls_configargument (#46421) - resource/aws_detective_graph: Add Resource Identity support (#48383)
- resource/aws_detective_organization_configuration: Add Resource Identity support (#48383)
- resource/aws_eks_cluster: Add
outpost_config.control_plane_placement.spread_level,outpost_config.etcd_instance_type, andoutpost_config.etcd_placementarguments (#48367) - resource/aws_eks_cluster: Change
outpost_config.control_plane_placement.group_nameto Optional (#48367) - resource/aws_elasticache_replication_group: Add
durabilityargument (#48254) - resource/aws_elasticache_serverless_cache: Add
network_typeargument (#48371) - resource/aws_msk_replicator: Add Resource Identity support (#48338)
- resource/aws_observabilityadmin_centralization_rule_for_organization: Add
destination_metrics_configurationandsource_metrics_configurationblocks (#48303) - resource/aws_opensearchserverless_collection: Add
vector_options.serverless_vector_accelerationargument (#47018)
BUG FIXES:
- resource/aws_acm_certificate: Correctly updates
subject_alternative_namesfor Imported certificates (#48362) - resource/aws_acmpca_certificate_authority: Prevents hang when trying to create resources over the quota limit. (#48365)
- resource/aws_cloudfront_distribution_tenant: Configured operation timeouts are now correctly honored, preventing potential indefinite hangs (#47839)
- resource/aws_dms_s3_endpoint: Fix perpetual diff when
kms_key_arnis set but not returned by the API for S3 engine endpoints. (#48441) - resource/aws_elasticache_replication_group: Fix error when adding a
log_delivery_configurationwithlog_type = "slow-log"while simultaneously upgrading the engine from Redis 5 to Redis 6 or Valkey 7 (#46526) - resource/aws_kinesis_firehose_delivery_stream: Fix
InvalidArgumentExceptionerrors when creating or updatingextended_s3_configurationin AWS partitions that report unsupportedcustom_time_zoneandfile_extensionattributes in a combined error message (#48369) - resource/aws_lakeformation_opt_in: Fix handling of out-of-band deletion of linked resource (#48416)
- resource/aws_lakeformation_opt_in: Prevent crash by making the
principalblock required (#48416) - resource/aws_lakeformation_resource_lf_tag: Prevent crash when processing null tag values during read operations (#48417)
- resource/aws_msk_replicator: Fix
runtime error: index out of range [0] with length 0panic when importing a replicator with no replication configurations (#48338) - resource/aws_ses_domain_mail_from: Correctly detect resources deleted outside of Terraform when refreshing state (#48387)
v6.50.0
6.50.0 (June 10, 2026)
NOTES:
- resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the behavior of
private_endpoint, it is best effort and we ask for community help in testing (#47602)
FEATURES:
- New List Resource:
aws_bedrockagentcore_policy(#47971) - New List Resource:
aws_cloudwatch_log_s3_table_integration_source(#48190) - New List Resource:
aws_ecs_daemon(#47562) - New List Resource:
aws_ecs_daemon_task_definition(#47562) - New Resource:
aws_bedrockagentcore_policy(#47971) - New Resource:
aws_cloudwatch_log_s3_table_integration_source(#48190) - New Resource:
aws_ecs_daemon(#47562) - New Resource:
aws_ecs_daemon_task_definition(#47562) - New Resource:
aws_observabilityadmin_s3_table_integration(#48190)
ENHANCEMENTS:
- provider: Add Linux s390x support (#48272)
- resource/aws_bedrockagentcore_agent_runtime: Add
AGUIas a valid value forprotocol_configuration.server_protocol(#47906) - resource/aws_bedrockagentcore_gateway: Add
policy_engine_configurationconfiguration block (#47818) - resource/aws_bedrockagentcore_gateway_target: Add
listing_modeargument to thetarget_configuration.mcp.mcp_serverconfiguration block (#48225) - resource/aws_bedrockagentcore_gateway_target: Add
private_endpointargument to support private connectivity to VPC-hosted MCP servers via Amazon VPC Lattice (#47602) - resource/aws_bedrockagentcore_memory: Add
indexed_keyandstream_delivery_resourcesarguments (#48240)
BUG FIXES:
- data-source/aws_secretsmanager_secret_version: Fix eventual consistency issues that could result in
couldn't find resourceerrors when reading a version immediately after creation (#48318) - resource/aws_cloudwatch_log_subscription_filter: Retry
ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided roleIAM eventual consistency errors on Create and Update (#48255) - resource/aws_datazone_project: Fix import separator to match the expected format. (#48271)
- resource/aws_default_route_table: Fix perpetual drift on
route.gateway_idwhenroute.odb_network_arnis configured (#48239) - resource/aws_ecs_express_gateway_service: Fix "inconsistent result after apply" error for
network_configuration[0].security_groupswhen usingnetwork_configuration.ec2:DescribeSecurityGroupsIAM permission is newly required. (#47944) - resource/aws_ecs_express_gateway_service: Fix
Resource Already Existserror when recreating a service after deletion (#48098) - resource/aws_elasticsearch_domain: Fix unexpected state error during engine version upgrade (#47316)
- resource/aws_kinesis_firehose_delivery_stream: Fix
InvalidArgumentExceptionerrors when creating or updatingextended_s3_configurationin AWS partitions that do not support thecustom_time_zoneandfile_extensionattributes (#48284) - resource/aws_route: Fix perpetual drift on
gateway_idwhenodb_network_arnis configured (#48239) - resource/aws_route_table: Fix perpetual drift on
route.gateway_idwhenroute.odb_network_arnis configured (#48239) - resource/aws_secretsmanager_secret_version: Fix
Provider produced inconsistent final planerrors whensecret_stringorsecret_string_wo_versionreferences a resource being created or replaced in the same apply (#48318) - resource/aws_secretsmanager_secret_version: Fix eventual consistency issues on resource creation that could result in
version_stagesbeing empty in state (#48318) - resource/aws_secretsmanager_secret_version: Fix unnecessary resource replacement when switching between
secret_stringandsecret_string_wo(or vice versa) without changing the secret value (#48318)
v6.49.0
6.49.0 (June 4, 2026)
ENHANCEMENTS:
- data-source/aws_opensearch_domain: Add
advanced_security_options.jwt_options.jwks_urlattribute (#48146) - data-source/aws_opensearchserverless_collection_group: Add
generationattribute (#48125) - resource/aws_bedrockagentcore_gateway: Add
protocol_configuration.mcp.session_configurationblock (#48179) - resource/aws_bedrockagentcore_gateway: Add
protocol_configuration.mcp.streaming_configurationblock (#48179) - resource/aws_cloudfront_function: Add
tagsandtags_allarguments (#47916) - resource/aws_opensearch_domain: Add
advanced_security_options.jwt_options.jwks_urlargument (#48146) - resource/aws_opensearchserverless_collection_group: Add
generationargument (#48125)
BUG FIXES:
v6.48.0
6.48.0 (June 3, 2026)
NOTES:
- resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the ``credential_provider_configuration.gateway_iam_role` SigV4 functionality, it is best effort and we ask for community help in testing (#47626)
FEATURES:
- New Data Source:
aws_ec2_hosts(#47986) - New List Resource:
aws_cleanrooms_membership(#48166) - New List Resource:
aws_pinpointsmsvoicev2_event_destination(#48034) - New Resource:
aws_ec2_local_gateway_route_table(#48013) - New Resource:
aws_ec2_local_gateway_route_table_virtual_interface_group_association(#48014) - New Resource:
aws_pinpointsmsvoicev2_event_destination(#48034)
ENHANCEMENTS:
- data-source/aws_ec2_host: Add
state,allocation_time,release_time,host_maintenance,host_reservation_id,availability_zone_id,allows_multiple_instance_types,member_of_service_linked_resource_group,instances, andavailable_capacityattributes (#47991) - data-source/aws_kinesis_stream: Add
warm_throughputattribute (#48152) - data-source/aws_lb: Add
enable_prefix_for_ipv6_source_natattribute (#40431) - data-source/aws_odb_network: Add computed
ec2_placement_group_idsattribute. (#47317) - resource/aws_bedrockagentcore_gateway: Mark
protocol_typeas Optional. Omit it to create a gateway that routes traffic directly to HTTP targets (e.g. AgentCore Runtime) (#47897) - resource/aws_bedrockagentcore_gateway_target: Add
credential_provider_configuration.caller_iam_credentialsandcredential_provider_configuration.jwt_passthrougharguments (#47780) - resource/aws_bedrockagentcore_gateway_target: Add
credential_provider_configuration.gateway_iam_role.serviceandcredential_provider_configuration.gateway_iam_role.regionarguments to enable SigV4 signing of upstream requests formcp_servertargets pointing at AWS-hosted endpoints (#47626) - resource/aws_bedrockagentcore_gateway_target: Add
target_configuration.httpargument (#47897) - resource/aws_cleanrooms_membership: Add resource identity support (#48166)
- resource/aws_datazone_asset_type: Add resource identity support (#48136)
- resource/aws_datazone_domain: Add resource identity support (#48136)
- resource/aws_datazone_environment: Add resource identity support (#48136)
- resource/aws_datazone_environment_blueprint_configuration: Add
global_parametersargument (#44857) - resource/aws_datazone_environment_blueprint_configuration: Add resource identity support (#48136)
- resource/aws_datazone_environment_profile: Add resource identity support (#48136)
- resource/aws_datazone_form_type: Add resource identity support (#48136)
- resource/aws_datazone_glossary: Add resource identity support (#48136)
- resource/aws_datazone_glossary_term: Add resource identity support (#48136)
- resource/aws_datazone_project: Add resource identity support (#48136)
- resource/aws_datazone_user_profile: Add resource identity support (#48136)
- resource/aws_kinesis_firehose_delivery_stream: Add Resource Identity support (#48186)
- resource/aws_kinesis_stream: Add Resource Identity support (#48152)
- resource/aws_kinesis_stream: Add
warm_throughput_mib_psargument. This functionality requires thekinesis:UpdateStreamWarmThroughputIAM permission (#48152) - resource/aws_kinesis_stream: Add plan-time validation of
shard_level_metrics(#48152) - resource/aws_kinesis_stream_consumer: Add Resource Identity support (#48152)
- resource/aws_lb: Add
enable_prefix_for_ipv6_source_natargument (#40431) - resource/aws_observabilityadmin_telemetry_rule: Expand
ruleschema to cover the full SDK shape, includingall_regions,allow_field_updates,regions,scope,selection_criteria,telemetry_source_types, and the fulldestination_configurationtree (cloudtrail_parameters,elb_load_balancer_logging_parameters,log_delivery_parameters,msk_monitoring_parameters,vpc_flow_log_parameters,waf_logging_parameters) (#48072) - resource/aws_observabilityadmin_telemetry_rule_for_organization: Expand
ruleschema to cover the full SDK shape, includingall_regions,allow_field_updates,regions,scope,selection_criteria,telemetry_source_types, and the fulldestination_configurationtree (cloudtrail_parameters,elb_load_balancer_logging_parameters,log_delivery_parameters,msk_monitoring_parameters,vpc_flow_log_parameters,waf_logging_parameters) (#48072) - resource/aws_odb_network: Add computed
ec2_placement_group_idsattribute. (#47317) - resource/aws_osis_pipeline: Adds resource identity (#48155)
- resource/aws_vpc_ipam_pool_cidr_allocation: Add tagging support (#48084)
BUG FIXES:
- resource/aws_api_gateway_rest_api: Fix OpenAPI body-managed
x-amazon-apigateway-policyupdates being overwritten by prior policy state (#48118) - resource/aws_bedrockagentcore_gateway: Fix
ValidationException: Gateway with ID: ... has targets associated with it. Delete all targets before deleting the gatewayerrors on delete (#47626) - resource/aws_bedrockagentcore_gateway_target: Include
FAILEDandSYNCHRONIZINGas pending states while a target is deleting (#47626) - resource/aws_db_instance_automated_backups_replication: Fix
InvalidDBInstanceState: Cannot create a snapshot because the database instance ... is not currently in the available stateerrors on delete (#46687) - resource/aws_elasticache_replication_group: Fix
CacheClusterNotFoundwhen enabling snapshots after the primary cache cluster has been changed away from-001, andInvalidParameterCombinationwhen enabling snapshots on cluster mode enabled groups (#46326) - resource/aws_kinesis_firehose_delivery_stream: Fix
ValidationException: Unknown parameter: ExtendedS3DestinationConfiguration.CustomTimeZoneerrors in AWS partitions which do not yet support selecting a time zone for bucket prefixes (#48186) - resource/aws_lambda_alias: Fix plan drift caused by transient routing weights appearing in state after updating
function_version(#48116) - resource/aws_lambda_provisioned_concurrency_config: Fix
InvalidParameterValueException: Alias with weights can not be used with Provisioned Concurrencyerror when updating provisioned concurrency simultaneously with alias version change (#48116) - resource/aws_s3_bucket_versioning: Fix perpetual drift on
versioning_configuration.mfa_deletewhenstatusisDisabled(#48161)
v6.47.0
6.47.0 (May 27, 2026)
FEATURES:
- New List Resource:
aws_bedrockagentcore_online_evaluation_config(#47209) - New List Resource:
aws_bedrockagentcore_policy_engine(#47108) - New List Resource:
aws_bedrockagentcore_resource_policy(#46844) - New List Resource:
aws_s3control_multi_region_access_point(#48081) - New List Resource:
aws_s3control_multi_region_access_point_routes(#48081) - New Resource:
aws_bedrockagentcore_online_evaluation_config(#47209) - New Resource:
aws_bedrockagentcore_policy_engine(#47108) - New Resource:
aws_bedrockagentcore_resource_policy(#46844) - New Resource:
aws_s3control_multi_region_access_point_routes(#47994)
ENHANCEMENTS:
- data-source/aws_arn: Deprecates
idin favor ofarn(#48036) - data-source/aws_default_tags: Deprecates
id(#48036) - data-source/aws_ip_ranges: Deprecates
id(#48036) - data-source/aws_partition: Deprecates
idin favor ofpartition(#48036) - data-source/aws_region: Deprecates
idin favor ofregion(#48036) - data-source/aws_regions: Deprecates
id(#48036) - data-source/aws_route: Add
odb_network_arnattribute (#48027) - data-source/aws_route_table: Add
routes.odb_network_arnattribute (#48027) - data-source/aws_secretsmanager_secret_version: Deprecates
arnin favor ofsecret_arn. (#48011) - data-source/aws_secretsmanager_secret_versions: Deprecates
arnin favor ofsecret_arn. (#48033) - data-source/aws_secretsmanager_secret_versions: Deprecates
namein favor ofsecret_name. (#48033) - data-source/aws_service: Deprecates
idin favor ofreverse_dns_name(#48036) - data-source/aws_transfer_server: Add
ip_address_typeattribute (#48039) - resource/aws_acm_certificate: Add
private_key_wowrite-only argument andprivate_key_wo_versionargument (#44414) - resource/aws_arcregionswitch_plan: Add
step.rds_promote_read_replica_config,step.rds_create_cross_region_read_replica_config, andreport_configurationarguments (#46965) - resource/aws_eks_cluster: Add CGNAT IP address ranges as valid private range (#47988)
- resource/aws_eks_cluster: Make
remote_node_networksfield inremote_network_configoptional (#47988) - resource/aws_eks_cluster: Remove conflict between
outpost_configandremote_network_config(#47988) - resource/aws_msk_replicator: Add support for
log_deliveryconfiguration block (#48054) - resource/aws_quicksight_data_source: Add
parameters.athena.role_arnargument to allow override an account-wide role for a specific Athena data source (#44666) - resource/aws_route: Add
odb_network_arnargument (#48027) - resource/aws_route: Add plan-time validation of
core_network_arn(#48027) - resource/aws_route_table: Add
route.odb_network_arnargument (#48027) - resource/aws_route_table: Add plan-time validation of
route.core_network_arn(#48027) - resource/aws_s3control_multi_region_access_point: Add resource identity support (#48081)
- resource/aws_secretsmanager_secret_version: Deprecates
arnin favor ofsecret_arn. (#48011) - resource/aws_ssm_resource_data_sync: Add
s3_destination.destination_data_sharingargument (#21996) - resource/aws_transfer_server: Add
ip_address_typeargument (#48039)
BUG FIXES:
- data-source/aws_secretsmanager_secret_versions: Polulates
versions.*.last_accessed_date. (#48033) - provider: Fix
lifecycle.ignore_changesfor individualtagselements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#48008) - resource/aws_dynamodb_table: Ensure diffs are shown for GSI hash key type changes (#47867)
- resource/aws_eks_cluster: Change
securityGroupIdslogic inflattenVPCConfigResponse()for Outpost clusters (#47988) - resource/aws_instance: Fix
lifecycle.ignore_changesfor individualtagselements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#48008) - resource/aws_lb: Fix
Provider produced inconsistent final planerrors and force resource recreation for Network Load Balancers when no security groups were initially configured and updated security groups are unknown at plan-time (#46695) - resource/aws_msk_replicator: Mark
replication_info_list.consumer_group_replication.consumer_groups_to_excludeas Computed (#48054) - resource/aws_msk_replicator: Mark
replication_info_list.topic_replication.topics_to_excludeas Computed (#48054)
v6.46.0
6.46.0 (May 20, 2026)
NOTES:
- resource/aws_xray_resource_policy: Changes to
policy_namenow force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updatingpolicy_namewould leave an orphaned policy with the old name in AWS (#47948)
FEATURES:
- New List Resource:
aws_bedrockagentcore_harness(#47725) - New List Resource:
aws_iam_access_key(#47966) - New List Resource:
aws_observabilityadmin_telemetry_rule_for_organization(#47920) - New List Resource:
aws_route53_vpc_association_authorization(#47905) - New List Resource:
aws_route53_zone_association(#47950) - New List Resource:
aws_securityhub_automation_rule_v2(#47677) - New Resource:
aws_bedrockagentcore_harness(#47725) - New Resource:
aws_observabilityadmin_telemetry_rule_for_organization(#47920) - New Resource:
aws_securityhub_automation_rule_v2(#47677) - New Resource:
aws_xray_indexing_rule(#47975) - New Resource:
aws_xray_trace_segment_destination(#47961)
ENHANCEMENTS:
- data-source/aws_ec2_local_gateway_virtual_interface: Add
outpost_lag_idandlocal_gateway_virtual_interface_group_idattributes (#47974) - data-source/aws_opensearch_domain: Add
jwt_optionsblock to fix "Invalid address to set" error (#47874) - resource/aws_bedrockagent_agent: Increase maximum value of
idle_session_ttl_in_secondsfrom3600to5400to match the AWS API limit (#47890) - resource/aws_bedrockagentcore_agent_runtime: Add
filesystem_configurationargument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#47810) - resource/aws_cloudfront_distribution: Add
cache_tag_configconfiguration block (#47872) - resource/aws_iam_access_key: Add resource identity support (#47966)
- resource/aws_route53_vpc_association_authorization: Add resource identity support (#47905)
- resource/aws_route53_zone_association: Add resource identity support (#47950)
- resource/aws_vpclattice_resource_gateway: Add
resource_config_dns_resolutionargument (#47879) - resource/aws_xray_resource_policy: Add Resource Identity support (#47948)
- resource/aws_xray_sampling_rule: Add Resource Identity support (#47948)
BUG FIXES:
- resource/aws_s3_bucket: Defer to the corresponding dedicated standalone resource for each deprecated nested attribute (
acceleration_status,acl,cors_rule,grant,lifecycle_rule,logging,object_lock_configuration,policy,replication_configuration,request_payer,server_side_encryption_configuration,versioning,website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#47962) - resource/aws_s3_bucket: Fix
InvalidRequest: SourceSelectionCriteria cannot be emptyerrors on unrelated updates (e.g.tags) when replication is managed by the dedicatedaws_s3_bucket_replication_configurationresource usingreplica_modifications(#47962) - resource/aws_xray_resource_policy: Fix
Provider returned invalid result object after applyerrors on Update (#47948) - resource/aws_xray_resource_policy: Mark
policy_nameas asForceNew(#47948)