Update Terraform aws to v6

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	5.60.0 -> 6.4.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.4.0

Compare Source

FEATURES:

• New Data Source: aws_s3_access_point (#​43391)
• New Resource: aws_bedrockagent_flow (#​42201)
• New Resource: aws_fsx_s3_access_point_attachment (#​43391)

ENHANCEMENTS:

• data-source/aws_bedrock_inference_profiles: Add type argument (#​43150)
• data-source/aws_lakeformation_resource: Support hybrid_access_enabled, with_federation and with_privileged_access attributes (#​43377)
• resource/aws_acm_certificate: Support options.export argument to issue an exportable certificate (#​43207)
• resource/aws_cloudwatch_log_metric_filter: Add apply_on_transformed_logs argument (#​43381)
• resource/aws_datasync_location_object_storage: Make agent_arns optional (#​43400)
• resource/aws_ecs_service: Add deployment_configuration argument (#​43434)
• resource/aws_ecs_service: Add load_balancer.advanced_configuration argument (#​43434)
• resource/aws_ecs_service: Add service.client_alias.test_traffic_rules argument (#​43434)
• resource/aws_ecs_service: deployment_controller.type changes no longer force a replacement (#​43434)
• resource/aws_lakeformation_resource: Support with_privileged_access argument (#​43377)
• resource/aws_s3_bucket_public_access_block: Add skip_destroy argument (#​43415)

BUG FIXES:

• resource/aws_bedrockagent_agent_action_group: Correctly set parent_action_group_signature on Read (#​43355)
• resource/aws_datazone_environment_blueprint_configuration: Fix Inappropriate value for attribute "regional_parameters" errors during planning. This fixes a regression introduced in v6.0.0 (#​43382)
• resource/aws_ec2_transit_gateway_route_table_propagation: Don't mark transit_gateway_attachment_id as ForceNew if the value is known not to change (#​43405)
• resource/aws_lambda_function: Fix waiting for Lambda Function (...) version publish: unexpected state '', wanted target 'Successful' errors on Update. This fixes a regression introduced in v6.2.0 (#​43416)
• resource/aws_lexv2models_slot: Fix error when sub_slot_setting.slot_specification.value_elicitation_setting.prompt_specification.prompt_attempts_specification and value_elicitation_setting.prompt_specification.prompt_attempts_specification have default values (#​43358)
• resource/aws_securitylake_data_lake: Allow meta_store_role_arn to be updated in-place (#​36874)

v6.3.0

Compare Source

FEATURES:

• New Resource: aws_prometheus_query_logging_configuration (#​43222)

ENHANCEMENTS:

• data-source/aws_cloudfront_distribution: Add anycast_ip_list_id attribute (#​43196)
• data-source/aws_networkmanager_core_network_policy_document: Add core_network_configuration.dns_support and core_network_configuration.security_group_referencing_support arguments (#​43277)
• resource/aws_cloudfront_distribution: Add anycast_ip_list_id argument (#​43196)
• resource/aws_dynamodb_table: Add replica.consistency_mode argument in support of multi-Region strong consistency for Amazon DynamoDB global tables (#​43236)

BUG FIXES:

• provider: Fix runtime error: invalid memory address or nil pointer dereference panics for numerous resource types when modifying tags (#​43324)
• resource/aws_bedrockagent_agent_action_group: Add missing prepare agent call when deleting an action group (#​43232)
• resource/aws_bedrockagent_agent_action_group: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent action group base creation, update, and deletion. (#​43232)
• resource/aws_bedrockagent_agent_knowledge_base_association: Add missing prepare agent call when deleting a knowledge base association (#​43232)
• resource/aws_bedrockagent_agent_knowledge_base_association: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent knowledge base creation and disassociation (#​43232)
• resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix errant deletion of key value pairs when a value is changed (#​43208)
• resource/aws_cognito_user_pool_domain: Correctly update managed_login_version for custom Cognito domains (#​43252)
• resource/aws_db_instance_role_association: Retry InvalidDBInstanceState errors on delete (#​43303)
• resource/aws_medialive_channel: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration blocks are empty (#​43308)
• resource/aws_rds_cluster_role_association: Retry InvalidDBClusterStateFault errors on delete (#​43303)
• resource/aws_redshift_cluster: Correctly set availability_zone_relocation_enabled (#​43270)
• resource/aws_route53profiles_resource_association: Change resource_properties to Computed to enable vpc_endpoint associations (#​42562)
• resource/aws_ssoadmin_application: Updates value of arn when refreshing state. (#​43273)

v6.2.0

Compare Source

ENHANCEMENTS:

• data-source/aws_kinesis_stream_consumer: Add tags attribute. This functionality requires the kinesis:ListTagsForResource IAM permission (#​43173)
• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection attribute (#​43137)
• resource/aws_accessanalyzer_analyzer: Add configuration.internal_access argument (#​43138)
• resource/aws_amplify_app: Add job_config argument (#​43136)
• resource/aws_amplify_branch: Add enable_skew_protection argument (#​43218)
• resource/aws_cloudtrail: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#​43091)
• resource/aws_cloudtrail_event_data_store: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#​43091)
• resource/aws_cloudwatch_event_archive: Add kms_key_identifier argument (#​43139)
• resource/aws_cloudwatch_log_group: Support DELIVERY as a valid value for log_group_class (#​42658)
• resource/aws_codebuild_project: Add environment.docker_server configuration block (#​42982)
• resource/aws_eks_pod_identity_association: Add disable_session_tags and target_role_arn arguments and external_id attribute (#​42979)
• resource/aws_emr_cluster: Add os_release_label argument (#​43018)
• resource/aws_fms_policy: Add resource_tag_logical_operator argument (#​43031)
• resource/aws_glue_job: Support job_mode argument (#​42607)
• resource/aws_kinesis_stream_consumer: Add tags argument and tags_all attribute. This functionality requires the kinesis:ListTagsForResource, kinesis:TagResource, and kinesis:UntagResource IAM permissions (#​43173)
• resource/aws_kms_key: Support HMAC_224, HMAC_384, HMAC_512, ML_DSA_44, ML_DSA_65, and ML_DSA_87 as valid values for customer_master_key_spec (#​43128)
• resource/aws_lightsail_instance_public_ports: -1 is now a valid value for port_info.from_port and port_info.to_port (#​37703)
• resource/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection argument (#​43137)
• resource/aws_rbin_rule: Add exclude_resource_tags argument (#​43189)
• resource/aws_s3_directory_bucket: Add tags argument and tags_all attribute. This functionality requires the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions (#​43256)
• resource/aws_s3tables_table: Add metadata argument (#​43112)
• resource/aws_wafv2_web_acl: Add aws_managed_rules_anti_ddos_rule_set to managed_rule_group_configs configuration block in support of L7 DDoS protection (#​43149)

BUG FIXES:

• provider: Fix Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#​43221)
• resource/aws_appflow_connector_profile: Fixes error refreshing resource state (#​43221)
• resource/aws_bcmdataexports_export: Fixes error when refreshing state with resources created before v6.0.0 (#​43090)
• resource/aws_bedrockagent_agent: Retry Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#​43179)
• resource/aws_bedrockagent_agent: Retry Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#​43179)
• resource/aws_bedrockagent_agent: Retry Update operation can't be performed on Agent when it is in Preparing state. errors during update (#​43179)
• resource/aws_bedrockagent_agent_collaborator: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#​43179)
• resource/aws_cloudwatch_query_definition: Support ARNs as valid values for log_group_names (#​43183)
• resource/aws_cur_report_definition: Allow an empty ("") value for s3_prefix. This fixes a regression introduced in v6.0.0 (#​43159)
• resource/aws_elasticsearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#​43033)
• resource/aws_elasticsearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#​43033)
• resource/aws_lambda_function: Fix perpetual logging_config diffs when log_format is set to JSON and publish = true (#​42660)
• resource/aws_lexv2models_intent: Add semantic equality check for confirmation_setting.prompt_specification.prompt_attempts_specification defaults (#​43147)
• resource/aws_opensearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#​43033)
• resource/aws_opensearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#​43033)
• resource/aws_quicksight_analysis: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#​37116)
• resource/aws_quicksight_dashboard: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#​37116)
• resource/aws_quicksight_template: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#​37116)
• resource/aws_quicksight_user: Remove ForceNew from email (#​43014)
• resource/aws_verifiedpermissions_schema: Fix Value Conversion Error errors when upgrading existing resources to Terraform AWS Provider v6.0.0 (#​43116)

v6.0.0

Compare Source

BREAKING CHANGES:

• data-source/aws_ami: The severity of the diagnostic returned when most_recent is true and owner and image ID filter criteria has been increased to an error. Existing configurations which were previously receiving a warning diagnostic will now fail to apply. To prevent this error, set the owner argument or include a filter block with an image-id or owner-id name/value pair. To continue using unsafe filter values with most_recent set to true, set the new allow_unsafe_filter argument to true. This is not recommended. (#​42114)
• data-source/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#​42137)
• data-source/aws_ecs_task_execution: Remove inference_accelerator_overrides attribute. Amazon Elastic Inference reached end of life on April, 2024. (#​42137)
• data-source/aws_elbv2_listener_rule: The action.authenticate_cognito, action.authenticate_oidc, action.fixed_response, action.forward, action.forward.stickiness, action.redirect, condition.host_header, condition.http_header, condition.http_request_method, condition.path_pattern, condition.query_string, and condition.source_ip attributes are now list nested blocks instead of single nested blocks (#​42283)
• data-source/aws_identitystore_user: filter has been removed (#​42325)
• data-source/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#​42137)
• data-source/aws_launch_template: elastic_gpu_specifications has been removed (#​42312)
• data-source/aws_opensearch_domain: kibana_endpoint has been removed (#​42268)
• data-source/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#​42270)
• data-source/aws_service_discovery_service: Remove tags_all attribute (#​42136)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_application resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_custom_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ecs_cluster_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_ganglia_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_haproxy_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_instance resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_java_app_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_memcached_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_mysql_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_nodejs_app_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_permission resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_php_app_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rails_app_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_rds_db_instance resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_stack resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_static_web_layer resource has been removed (#​41948)
• provider: As the AWS OpsWorks Stacks service has reached End Of Life, the aws_opsworks_user_profile resource has been removed (#​41948)
• provider: As the AWS SDK for Go v2 does not support Amazon SimpleDB the aws_simpledb_domain resource has been removed. Add a constraint to v5 of the Terraform AWS Provider for continued use of this resource (#​41775)
• provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_fleet resource has been removed (#​42059)
• provider: As the AWS SDK for Go v2 does not support Amazon Worklink, the aws_worklink_website_certificate_authority_association resource has been removed (#​42059)
• provider: The aws_redshift_service_account resource has been removed. AWS recommends that a service principal name should be used instead of an AWS account ID in any relevant IAM policy (#​41941)
• provider: The endpoints.iotanalytics and endpoints.iotevents configuration arguments have been removed (#​42703)
• provider: The endpoints.opsworks configuration argument has been removed (#​41948)
• provider: The endpoints.simpledb and endpoints.sdb configuration arguments have been removed (#​41775)
• provider: The endpoints.worklink configuration argument has been removed (#​42059)
• resource/aws_accessanalyzer_archive_rule: filter.exists now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_alb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_api_gateway_account: The reset_on_delete argument has been removed (#​42226)
• resource/aws_api_gateway_deployment: Remove canary_settings, execution_arn, invoke_url, stage_description, and stage_name arguments. Instead, use the aws_api_gateway_stage resource to manage stages. (#​42249)
• resource/aws_batch_compute_environment: Rename compute_environment_name to name
  resource/aws_batch_compute_environment: Rename compute_environment_name_prefix to name_prefix (#​38050)
• resource/aws_batch_compute_environment_data_source: Rename compute_environment_name to name (#​38050)
• resource/aws_batch_job_queue: Remove deprecated parameter compute_environments in place of compute_environment_order (#​40751)
• resource/aws_bedrock_model_invocation_logging_configuration: logging_config, logging_config.cloudwatch_config, logging_config.cloudwatch_config.large_data_delivery_s3_config, and logging_config.s3_config are now list nested blocks instead of single nested blocks (#​42307)
• resource/aws_cloudfront_key_value_store: Attribute id is now set to remote object's Id instead of name (#​42230)
• resource/aws_cloudfront_response_headers_policy: The etag argument is now computed only (#​38448)
• resource/aws_cloudtrail_event_data_store: suspend now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_cognito_user_in_group: The id attribute is now a comma-delimited string concatenating the user_pool_id, group_name, and username arguments (#​34082)
• resource/aws_cur_report_definition: The s3_prefix argument is now required (#​38446)
• resource/aws_db_instance: character_set_name now cannot be set with replicate_source_db, restore_to_point_in_time, s3_import, or snapshot_identifier. (#​42348)
• resource/aws_dms_endpoint: Remove s3_settings attribute. Use aws_dms_s3_endpoint instead (#​42379)
• resource/aws_dx_gateway_association: vpn_gateway_id has been removed (#​42323)
• resource/aws_ec2_spot_instance_fleet: terminate_instances_on_delete now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_ec2_spot_instance_request: Remove block_duration_minutes attribute (#​42060)
• resource/aws_ecs_task_definition: Remove inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#​42137)
• resource/aws_eip: vpc has been removed. Use domain instead. (#​42340)
• resource/aws_eks_addon: resolve_conflicts has been removed. Use resolve_conflicts_on_create and resolve_conflicts_on_update instead. (#​42318)
• resource/aws_elasticache_cluster: auto_minor_version_upgrade now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_elasticache_replication_group: at_rest_encryption_enabled and auto_minor_version_upgrade now only accept one of "" (empty string), true, or false (#​42434)
• resource/aws_elasticache_replication_group: auth_token_update_strategy no longer has a default value. If auth_token is set, auth_token_update_strategy must also be explicitly configured. (#​42336)
• resource/aws_evidently_feature: variations.value.bool_value now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_flow_log: log_group_name has been removed. Use log_destination instead. (#​42333)
• resource/aws_globalaccelerator_accelerator: The id attribute is now computed only (#​42097)
• resource/aws_guardduty_detector: Deprecates datasources. Use aws_guardduty_detector_feature resources instead. (#​42436)
• resource/aws_guardduty_organization_configuration: The auto_enable attribute has been removed (#​42251)
• resource/aws_identitystore_group: filter has been removed (#​42325)
• resource/aws_imagebuilder_container_recipe: instance_configuration.block_device_mapping.ebs.delete_on_termination and instance_configuration.block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#​42434)
• resource/aws_imagebuilder_image_recipe: block_device_mapping.ebs.delete_on_termination and block_device_mapping.ebs.encrypted now only accept one of "" (empty string), true, or false (#​42434)
• resource/aws_instance: Remove cpu_core_count and cpu_threads_per_core. Instead, use cpu_options. (#​42280)
• resource/aws_instance: user_data now displays cleartext instead of a hash. Base64 encoded content should use user_data_base64 instead. (#​42078)
• resource/aws_launch_template: block_device_mappings.ebs.delete_on_termination, block_device_mappings.ebs.encrypted, ebs_optimized, network_interfaces.associate_carrier_ip_address, network_interfaces.associate_public_ip_address, network_interfaces.delete_on_termination, and network_interfaces.primary_ipv6 now only accept one of "" (empty string), true, or false (#​42434)
• resource/aws_launch_template: Remove elastic_inference_accelerator attribute. Amazon Elastic Inference reached end of life on April, 2024. (#​42137)
• resource/aws_launch_template: elastic_gpu_specifications has been removed (#​42312)
• resource/aws_lb_listener: mutual_authentication attributes advertise_trust_store_ca_names, ignore_client_certificate_expiry, and trust_store_arn are only valid if mode is verify (#​42326)
• resource/aws_lb_target_group: preserve_client_ip now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_mq_broker: logs.audit now only accepts one of "" (empty string), true, or false (#​42434)
• resource/aws_networkmanager_core_network: The base_policy_region argument has been removed. Use base_policy_regions instead. (#​38398)
• resource/aws_opensearch_domain: kibana_endpoint has been removed (#​42268)
• resource/aws_opensearchserverless_security_config: saml_options is now a list nested block instead of a single nested block (#​42270)
• resource/aws_paymentcryptography_key: key_attributes and key_attributes.key_modes_of_use are now list nested blocks instead of single nested blocks. (#​42264)
• resource/aws_quicksight_data_set: tags_all has been removed (#​42260)
• resource/aws_redshift_cluster: Attributes cluster_public_key, cluster_revision_number, and endpoint are now read only and should not be set (#​42119)
• resource/aws_redshift_cluster: The logging attribute has been removed (#​42013)
• resource/aws_redshift_cluster: The publicly_accessible attribute now defaults to false (#​41978)
• resource/aws_redshift_cluster: The snapshot_copy attribute has been removed (#​41995)
• resource/aws_rekognition_stream_processor: regions_of_interest.bounding_box is now a list nested block instead of a single nested block (#​41380)
• resource/aws_resiliencehub_resiliency_policy: policy, policy.az, policy.hardware, policy.software, and policy.region are now list nested blocks instead of single nested blocks (#​42297)
• resource/aws_sagemaker_app_image_config: Exactly one code_editor_app_image_config, jupyter_lab_image_config, or kernel_gateway_image_config block must be configured (#​42753)
• resource/aws_sagemaker_image_version: id is now a comma-delimited string concatenating image_name and version (#​42536)
• resource/aws_sagemaker_notebook_instance: Remove accelerator_types from your configuration—it no longer exists. Instead, use instance_type to use Inferentia. (#​42099)
• resource/aws_ssm_association: Remove instance_id argument (#​42224)
• resource/aws_verifiedpermissions_schema: definition is now a list nested block instead of a single nested block (#​42305)
• resource/aws_wafv2_web_acl: rule.statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_bot_control_rule_set.enable_machine_learning now defaults to false (#​39858)

NOTES:

• data-source/aws_cloudtrail_service_account: This data source is deprecated. AWS recommends using a service principal name instead of an AWS account ID in any relevant IAM policy. (#​42320)
• data-source/aws_kms_secret: This data source will be removed in a future version (#​42524)
• data-source/aws_region: The name attribute has been deprecated. All configurations using name should be updated to use the region attribute instead (#​42131)
• data-source/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#​42014)
• data-source/aws_servicequotas_templates: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#​42131)
• data-source/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#​42014)
• data-source/aws_vpc_endpoint_service: The region attribute has been deprecated. All configurations using region should be updated to use the service_region attribute instead (#​42014)
• data-source/aws_vpc_peering_connection: The region attribute has been deprecated. All configurations using region should be updated to use the requester_region attribute instead (#​42014)
• provider: Support for the global S3 endpoint is deprecated, along with the s3_us_east_1_regional_endpoint argument. The ability to use the global S3 endpoint will be removed in v7.0.0. (#​42375)
• resource/aws_cloudformation_stack_set_instance: The region attribute has been deprecated. All configurations using region should be updated to use the stack_set_instance_region attribute instead (#​42014)
• resource/aws_codeconnections_host: Deprecates id in favor of arn (#​42232)
• resource/aws_config_aggregate_authorization: The region attribute has been deprecated. All configurations using region should be updated to use the authorized_aws_region attribute instead (#​42014)
• resource/aws_dx_hosted_connection: The region attribute has been deprecated. All configurations using region should be updated to use the connection_region attribute instead (#​42014)
• resource/aws_elasticache_replication_group: The ability to provide an uppercase engine value is deprecated (#​42419)
• resource/aws_elasticache_user: The ability to provide an uppercase engine value is deprecated (#​42419)
• resource/aws_elasticache_user_group: The ability to provide an uppercase engine value is deprecated (#​42419)
• resource/aws_elastictranscoder_pipeline: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#​42313)
• resource/aws_elastictranscoder_preset: This resource is deprecated. Use AWS Elemental MediaConvert instead. (#​42313)
• resource/aws_evidently_feature: This resource is deprecated. Use AWS AppConfig feature flags instead. (#​42227)
• resource/aws_evidently_launch: This resource is deprecated. Use AWS AppConfig feature flags instead. (#​42227)
• resource/aws_evidently_project: This resource is deprecated. Use AWS AppConfig feature flags instead. (#​42227)
• resource/aws_evidently_segment: This resource is deprecated. Use AWS AppConfig feature flags instead. (#​42227)
• resource/aws_guardduty_organization_configuration: datasources now returns a deprecation warning (#​42251)
• resource/aws_kinesis_analytics_application: Effective January 27, 2026, AWS will no longer support Kinesis Data Analytics for SQL. This resource is deprecated and will be removed in a future version. Use the aws_kinesisanalyticsv2_application resource instead (#​42102)
• resource/aws_media_store_container: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#​42265)
• resource/aws_media_store_container_policy: This resource is deprecated. It will be removed in a future version. Use S3, AWS MediaPackage, or other storage solution instead. (#​42265)
• resource/aws_redshift_cluster: The default value of encrypted is now true to match the AWS API. (#​42631)
• resource/aws_s3_bucket: Add bucket_region attribute. Use of the bucket_region attribute instead of the region attribute is encouraged (#​42014)
• resource/aws_service_discovery_service: health_check_custom_config.failure_threshold is deprecated. The argument is no longer supported by AWS and is always set to 1 (#​40777)
• resource/aws_servicequotas_template: The region attribute has been deprecated. All configurations using region should be updated to use the aws_region attribute instead (#​42131)
• resource/aws_ssmincidents_replication_set: The region attribute has been deprecated. All configurations using region should be updated to use the regions attribute instead (#​42014)

ENHANCEMENTS:

• data-source/aws_ami: Add allow_unsafe_filter argument (#​42114)
• data-source/aws_availability_zone: Add group_long_name attribute (#​42014)
• data-source/aws_availability_zone: Mark region as Optional, allowing a value to be configured (#​42014)
• resource/aws_auditmanager_assessment: Add plan-time validation of roles.role_arn and roles.role_type (#​42131)
• provider: Add enhanced region support to most resources, data sources, and ephemeral resources, allowing per-resource Region targeting without requiring multiple provider configurations. See the Enhanced Region Support guide for more information. (#​43075)
• resource/aws_auditmanager_control: Add plan-time validation of control_mapping_sources.source_frequency, control_mapping_sources.source_set_up_option, and control_mapping_sources.source_type (#​42131)
• resource/aws_auditmanager_framework_share: Add plan-time validation of destination_account (#​42741)
• resource/aws_auditmanager_organization_admin_account_registration: Add plan-time validation of admin_account_id (#​42741)
• resource/aws_cognito_user_in_group: Add import support (#​34082)
• resource/aws_ecs_service: Add arn attribute (#​42733)
• resource/aws_guardduty_detector: Adds validation to finding_publishing_frequency. (#​42436)
• resource/aws_lb_listener: mutual_authentication attribute trust_store_arn is required if mode is verify (#​42326)
• resource/aws_quicksight_iam_policy_assignment: Add plan-time validation of policy_arn (#​42131)
• resource/aws_sagemaker_image_version: Add aliases argument (#​42610)
• resource/aws_securitylake_subscriber: Add plan-time validation of access_type source.aws_log_source_resource.source_name, and subscriber_identity.external_id (#​42131)

BUG FIXES:

• resource/aws_auditmanager_control: Fix Provider produced inconsistent result after apply errors (#​42131)
• resource/aws_redshift_cluster: Fixes permanent diff when encrypted is not explicitly set to true. (#​42631)
• resource/aws_rekognition_stream_processor: Fix regions_of_interest.bounding_box and regions_of_interest.polygon argument validation (#​41380)
• resource/aws_sagemaker_image_version: Read the correct image version after creation rather than always fetching the latest (#​42536)
• resource/aws_securitylake_subscriber: Change access_type to ForceNew (#​42131)

v5.100.0

Compare Source

NOTES:

• resource/aws_route53_vpc_association_authorization: Because we cannot easily replicate the highly concurrent environments in which these errors have been observed, this fix is best effort and we ask for community help in verifying the reported issues are resolved by this change (#​42948)

FEATURES:

• New Resource: aws_dsql_cluster (#​41868)
• New Resource: aws_dsql_cluster_peering (#​41868)
• New Resource: aws_prometheus_workspace_configuration (#​42478)
• New Resource: aws_s3control_directory_bucket_access_point_scope (#​42338)
• New Resource: aws_vpc_route_server (#​42392)
• New Resource: aws_vpc_route_server_endpoint (#​42392)
• New Resource: aws_vpc_route_server_peer (#​42392)
• New Resource: aws_vpc_route_server_propagation (#​42392)
• New Resource: aws_vpc_route_server_vpc_association (#​42392)
• New Resource: aws_workspacesweb_data_protection_settings (#​42852)
• New Resource: aws_workspacesweb_ip_access_settings (#​42863)
• New Resource: aws_workspacesweb_user_access_logging_settings (#​42868)

ENHANCEMENTS:

• data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-east-2 AWS Region (#​42915)
• data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-east-2 AWS Region (#​42915)
• data-source/aws_neptune_engine_version: Add several arguments and attributes to support dynamic selection of versions including latest, has_major_target, preferred_major_targets, and preferred_upgrade_targets (#​42854)
• data-source/aws_s3_bucket: Add hosted zone ID for ap-east-2 AWS Region (#​42915)
• provider: Support ap-east-2 as a valid AWS Region (#​42906)
• resource/aws_fsx_lustre_file_system: Add data_read_cache_configuration and throughput_capacity arguments in support of the Intelligent-Tiering storage class (#​42839)
• resource/aws_pinpointsmsvoicev2_phone_number: Add two_way_channel_role argument (#​42950)
• reso

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[infracost]

💰 Infracost report

Monthly estimate generated

_{This comment will be updated when code changes.}