v5.53.0

FEATURES:

• New Resource: aws_paymentcryptography_key (#37017)
• New Resource: aws_paymentcryptography_key_alias (#37020)

ENHANCEMENTS:

• data-source/aws_customer_gateway: Add bgp_asn_extended argument (#37815)
• data-source/aws_rds_engine_version: Add supports_limitless_database attribute (#37271)
• provider: The use_fips_endpoint flag is now ignored for any service with a custom endpoint configured in endpoints. (#34233)
• resource/aws_apigatewayv2_authorizer: Add configurable delete timeout (#37732)
• resource/aws_customer_gateway: Add bgp_asn_extended argument (#37815)
• resource/aws_fsx_lustre_file_system: Add metadata_configuration argument (#37868)
• resource/aws_lb: Add support for IPv6-only Application Load Balancers (#37700)
• resource/aws_mwaa_environment: Add max_webservers and min_webservers attributes (#37632)
• resource/aws_pipes_pipe: Add log_configuration argument (#37135)
• resource/aws_route53_record: Fix InvalidChangeBatch errors on resource Delete (#37850)
• resource/aws_s3_bucket: Ignore UnsupportedOperation errors when reading acceleration_status, server_side_encryption_configuration and tags (#37801)
• resource/aws_transfer_ssh_key: Add ssh_key_id attribute (#37548)

BUG FIXES:

• resource/aws_apigatewayv2_authorizer: Fix ConflictException errors on resource Delete (#37732)
• resource/aws_bedrockagent_agent: Increase instruction max length for validation to 4000 (#37758)
• resource/aws_cloudwatch_log_group: Correctly handles tag updates with empty string tags (#37668)
• resource/aws_kms_external_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
• resource/aws_kms_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
• resource/aws_kms_replica_external_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
• resource/aws_kms_replica_key: Fixes timeout error on creation when ignore_tags matches tag assigned to resource (#37818)
• resource/aws_mq_broker: Do not reboot on changes to maintenance_window_start_time or auto_minor_version_upgrade (#36506)
• resource/aws_pipes_pipe: Mark source_parameters.self_managed_kafka_parameters.credentials.basic_auth as Optional (#34293)
• resource/aws_secretsmanager_secret: Tags with empty values no longer remove all tags. (#37743)
• resource/aws_ssm_parameter: Fix Cannot import non-existent remote object errors when importing resources with version (#37832)
• resource/aws_vpc_endpoint: Restore pre-v5.51.0 default of false for private_dns_enabled (#37715)
• service/chatbot: Correctly overrides region when using custom endpoint. (#37851)
• service/costoptimizationhub: Correctly overrides region when using custom endpoint. (#37851)
• service/cur: Correctly overrides region when using custom endpoint. (#37851)
• service/globalaccelerator: Correctly overrides region when using custom endpoint. (#37851)
• service/route53: Correctly overrides region when using custom endpoint. (#37851)
• service/route53domains: Correctly overrides region when using custom endpoint. (#37851)
• service/shield: Correctly overrides region when using custom endpoint. (#37851)

v5.52.0

ENHANCEMENTS:

• resource/aws_kinesisanalyticsv2_application: Add application_mode argument (#37714)
• resource/aws_lightsail_bucket: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_certificate: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_container_service: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_database: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_distribution: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_key_pair: Add support to ListTags function for proper key-only tag handling (#37711)
• resource/aws_lightsail_lb: Add support to ListTags function for proper key-only tag handling (#37711)

BUG FIXES:

• resource/aws_lightsail_database: Prevent destroy failure when resource is already deleted outside Terraform (#37711)
• resource/aws_lightsail_instance: Fix crash when reading a resource that has a key-only tag (#37587)
• resource/aws_lightsail_key_pair: Prevent destroy failure when resource is already deleted outside Terraform (#37711)
• resource/aws_lightsail_lb: Prevent destroy failure when resource is already deleted outside Terraform (#37711)

v5.51.1

ENHANCEMENTS:

• resource/aws_ecs_service: Add volume_configuration argument (#37019)
• resource/aws_ecs_task_definition: Add configure_at_launch parameter in volume argument (#37019)

BUG FIXES:

• data-source/aws_route53_zone: Fix incorrect name_servers values (#37685)
• data-source/aws_route53_zone: Permit both name and zone_id arguments when one is an empty string (#37686)
• resource/aws_route53_zone: Fix incorrect name_servers values (#37685)

v5.51.0

NOTES:

• data-source/aws_lambda_function: source_code_hash attribute has been deprecated in favor of code_sha256. Will be removed in a future major version (#37669)
• data-source/aws_lambda_layer_version: source_code_hash attribute has been deprecated in favor of code_sha256. Will be removed in a future major version (#37646)

FEATURES:

• New Data Source: aws_chatbot_slack_workspace (#37218)
• New Resource: aws_lambda_runtime_management_config (#37643)
• New Resource: aws_vpc_endpoint_private_dns (#37628)
• New Resource: aws_vpc_endpoint_service_private_dns_verification (#37176)

ENHANCEMENTS:

• data-source/aws_lambda_function: Add code_sha256 attribute (#37669)
• data-source/aws_lambda_layer_version: Add code_sha256 attribute (#37646)
• data-source/aws_route53_traffic_policy_document: Add support for application-load-balancer, elastic-beanstalk and network-load-balancer endpoint.type values (#37618)
• resource/aws_api_gateway_deployment: Add canary_settings attribute (#37573)
• resource/aws_iam_openid_connect_provider: Allow client_id_list to be updated in-place (#37612)
• resource/aws_lambda_function: Add code_sha256 attribute (#37669)
• resource/aws_lambda_function: Remove replace_security_group_on_destroy and replacement_security_group_ids deprecations, re-implement with alternate workflow (#37624)
• resource/aws_lambda_layer_version: Add code_sha256 attribute (#37646)
• resource/aws_route53_health_check: Add plan-time validation of cloudwatch_alarm_region (#37510)
• resource/aws_route53_record: Add plan-time validation of latency_routing_policy.region (#37510)
• resource/aws_route53_vpc_association_authorization: Add plan-time validation of vpc_region (#37510)
• resource/aws_route53_zone_association: Add plan-time validation of vpc_region (#37510)
• resource/aws_wafv2_web_acl: Add api_gateway, app_runner_service, cognito_user_pool, and verified_access_instance configuration blocks to association_config.request_body (#37588)

BUG FIXES:

• resource/aws_dynamodb_table_replica: Correctly set kms_key_arn on Read (#37570)
• resource/aws_kms_grant: Change grant_token to Sensitive (#37593)
• resource/aws_lambda_function: Fix issue when source_code_hash causes drift even if source code has not changed (#37669)
• resource/aws_lambda_layer_version: Fix issue when source_code_hash forces a replacement even if source code has not changed (#37646)
• resource/aws_m2_deployment: Fix state error on deployment_id during start/stop update (#37581)
• resource/aws_storagegateway_smb_file_share: Fix crash when cache_attributes is removed on update (#37611)

v5.50.0

ENHANCEMENTS:

• data-source/aws_budgets_budget: Add tags attribute (#37361)
• data-source/aws_instance: Add launch_time attribute (#37002)
• resource/aws_budgets_budget: Add tags argument (#37361)
• resource/aws_budgets_budget_action: Add tags argument (#37361)
• resource/aws_ecs_account_setting_default: Add support for fargateTaskRetirementWaitPeriod value in Name argument (#37018)
• resource/aws_ssm_resource_data_sync: Add plan-time validation of s3_destination.kms_key_arn, s3_destination.region and s3_destination.sync_format (#37481)

BUG FIXES:

• data-source/aws_bedrock_foundation_models: Fix validation regex for the by_provider argument (#37306)
• resource/aws_dynamodb_table: Fix UnknownOperationException: Tagging is not currently supported in DynamoDB Local errors on resource Read (#37472)
• resource/aws_glue_job: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when notify_delay_after is empty (null) (#37347)
• resource/aws_iam_server_certificate: Now correctly reads tags after update and on read. (#37483)
• resource/aws_lakeformation_data_cells_filter: Fix inconsistent state error when using row_filter.all_rows_wildcard (#37433)
• resource/aws_organizations_account: Allow import of accounts with IAM access to the AWS Billing and Cost Management console (#35662)
• resource/aws_ram_principal_association: Correct plan-time validation of principal to fix panic: unexpected format for ID parts ([...]), the following id parts indexes are blank ([1]) (#37450)
• resource/aws_route53_record: Change region default to us-east-1 (#37565)
• resource/aws_vpc_endpoint_service: Fix destroy error when endpoint service is deleted out-of-band (#37534)

v5.49.0

FEATURES:

• New Data Source: aws_datazone_environment_blueprint (#36600)
• New Resource: aws_bedrockagent_data_source (#37158)
• New Resource: aws_datazone_domain (#36600)
• New Resource: aws_datazone_environment_blueprint_configuration (#36600)

ENHANCEMENTS:

• data-source/aws_iam_policy_document: Add minified_json attribute (#35677)
• resource/aws_dynamodb_table_export: Add plan-time validation of table_arn (#37288)
• resource/aws_kms_key: Add rotation_period_in_days argument (#37140)
• resource/aws_securitylake_subscriber_notification: Better handles importing resource (#37332)
• resource/aws_securitylake_subscriber_notification: Deprecates endpoint_id in favor of subscriber_endpoint (#37332)
• resource/aws_securitylake_subscriber_notification: Handles configuration.https_notification_configuration.authorization_api_key_value as sensitive value (#37332)

BUG FIXES:

• data-source/aws_fsx_ontap_storage_virtual_machine: Correctly set tags on Read (#37353)
• data-source/aws_rds_orderable_db_instance: Fix InvalidParameterValue: Invalid value 3412 for MaxRecords. Must be between 20 and 1000 errors (#37251)
• data-source/aws_resourceexplorer2_search: Fix 401 unauthorized error due to missing view_arn in the AWS API request (#36778)
• data-source/aws_resourceexplorer2_search: Fix panic caused by bad mappping between Terraform and AWS schemas (#36778)
• data-source/aws_resourceexplorer2_search: Fix state persistence and data types (#36778)
• resource/aws_bedrockagent_agent: Fix to use the configured prepare_agent value (or default value of true when omitted) for all create and update operations (#37405)
• resource/aws_elasticsearch_domain: Fix handling of unset auto_tune_options.rollback_on_disable argument (#37394)
• resource/aws_fsx_ontap_storage_virtual_machine: Correctly set tags and tags_all on resource Read (#37353)
• resource/aws_fsx_openzfs_file_system: Correctly set tags and tags_all on resource Read (#37353)
• resource/aws_kms_custom_key_store: Change trust_anchor_certificate to ForceNew (#37092)
• resource/aws_opensearch_domain: Fix handling of unset auto_tune_options.rollback_on_disable argument (#37394)
• resource/aws_opensearch_domain: Wait for auto_tune_options to be applied during creation (#37394)
• resource/aws_securitylake_aws_log_source: Correctly handles unspecified source_version (#36268)
• resource/aws_securitylake_aws_log_source: Prevents errors when creating multiple log sources concurrently (#36268)
• resource/aws_securitylake_custom_log_source: Prevents errors when creating multiple log sources concurrently (#36268)
• resource/aws_securitylake_custom_log_source: Validates length of source_name parameter (#36268)
• resource/aws_securitylake_subscriber: Allow more than one log source (#36268)
• resource/aws_securitylake_subscriber: Correctly handles unspecified access_type (#36268)
• resource/aws_securitylake_subscriber: Correctly handles unspecified source_version parameter for aws_log_source_resource and custom_log_source_resource (#36268)
• resource/aws_securitylake_subscriber: Correctly requires source_name parameter for aws_log_source_resource and custom_log_source_resource (#36268)
• resource/aws_securitylake_subscriber_notification: No longer recreates resource when not needed (#37332)
• resource/aws_securitylake_subscriber_notification: Requires value for configuration.https_notification_configuration.endpoint (#37332)
• resource/provider: Change the AWS SDK for Go v2 API client BackoffDelayer to maintain behavioral compatibility with AWS SDK for Go v1 (#37404)

v5.48.0

FEATURES:

• New Resource: aws_bedrockagent_agent_knowledge_base_association (#37185)

ENHANCEMENTS:

• resource/aws_cloudwatch_event_target: Add force_destroy argument (#37130)
• resource/aws_elasticache_replication_group: Increase default Delete timeout to 45 minutes (#37182)
• resource/aws_elasticache_replication_group: Use the configured Delete timeout when detaching from any global replication group (#37182)
• resource/aws_fsx_ontap_file_system: Add support for specifying 1 ha_pair with SINGLE_AZ_1 and MULTI_AZ_1 deployment types (#36511)
• resource/aws_fsx_ontap_file_system: Increase storage_capacity maximum to 1PiB (#36511)
• resource/aws_fsx_ontap_file_system: Support up to 12 ha_pairs (#36511)
• resource/aws_fsx_ontap_file_system: Update throughput_capacity_per_ha_pair to support all values from throughput_capacity (#36511)
• resource/aws_fsx_ontap_volume: Add aggregate_configuration configuration block (#36511)
• resource/aws_fsx_ontap_volume: Add size_in_bytes and volume_style arguments (#36511)

BUG FIXES:

• resource/aws_bcmdataexports_export: Fix table_configurations expand/flatten (#37205)
• resource/aws_cloudwatch_event_connection: Add plan-time validation preventing empty auth_parameters.oauth.oauth_http_parameters or auth_parameters.invocation_http_parameters
body, header and query_string configuration blocks (#26755)
• resource/aws_elasticache_replication_group: Decrease replica count after other updates (#34819)
• resource/aws_elasticache_replication_group: Fix unexpected state 'snapshotting' errors when increasing or decreasing replica count (#30493)

v5.47.0

NOTES:

• provider: Updates to Go 1.22. This is the last Go release that will run on macOS 10.15 Catalina (#36996)
• resource/aws_bedrockagent_knowledge_base: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#36783)

FEATURES:

• New Data Source: aws_identitystore_groups (#36993)
• New Resource: aws_bcmdataexports_export (#36847)
• New Resource: aws_bedrockagent_agent (#36851)
• New Resource: aws_bedrockagent_agent_action_group (#36935)
• New Resource: aws_bedrockagent_agent_alias (#36905)
• New Resource: aws_bedrockagent_knowledge_base (#36783)
• New Resource: aws_globalaccelerator_cross_account_attachment (#35991)
• New Resource: aws_verifiedpermissions_policy (#35413)

ENHANCEMENTS:

• data-source/aws_eip: Add arn attribute (#35991)
• resource/aws_api_gateway_rest_api: Correctly set root_resource_id on resource Read (#37040)
• resource/aws_appmesh_mesh: Add spec.service_discovery argument (#37042)
• resource/aws_cloudformation_stack_set: Adds guidance on permissions when using delegated administrator account (#37069)
• resource/aws_db_instance: Add dedicated_log_volume argument (#36503)
• resource/aws_eip: Add arn attribute (#35991)
• resource/aws_elasticache_replication_group: Add transit_encryption_mode argument (#30403)
• resource/aws_elasticache_replication_group: Changes to the transit_encryption_enabled argument can now be done in-place for engine versions > 7.0.5 (#30403)
• resource/aws_kinesis_firehose_delivery_stream: Add snowflake_configuration argument (#36646)
• resource/aws_memorydb_user: Support IAM authentication mode (#32027)
• resource/aws_sagemaker_app_image_config: Add code_editor_app_image_config and jupyter_lab_image_config.jupyter_lab_image_config arguments (#37059)
• resource/aws_sagemaker_app_image_config: Change kernel_gateway_image_config.kernel_spec MaxItems to 5 (#37059)
• resource/aws_transfer_server: Add sftp_authentication_methods argument (#37015)

BUG FIXES:

• resource/aws_batch_job_definition: Fix issues where changes causing a new revision do not trigger changes in dependent resources and/or cause an error, "Provider produced inconsistent final plan" (#37111)
• resource/aws_ce_cost_category: Allow up to 3 levels of and, not and or operand nesting for the rule argument (#30862)
• resource/aws_elasticache_replication_group: Fix excessive delay on read (#30403)
• resource/aws_servicecatalog_portfolio: Fixes error where deletion fails if resource was deleted out of band. (#37066)
• resource/aws_servicecatalog_provisioned_product: Fixes error where tag values are not applied to products when tag values don't change. (#37066)

v5.46.0

NOTES:

• provider: When using YAML or JSON documents, such as in template_body of aws_cloudformation_stack, CRLF was previously treated as different from LF but these are now treated as equivalent in many situations (#14270)

FEATURES:

• New Resource: aws_eip_domain_name (#36963)

ENHANCEMENTS:

• data-source/aws_alb: Add client_keep_alive argument (#36969)
• data-source/aws_eip: Add ptr_record attribute (#36963)
• data-source/aws_iam_policy: Add attachment_count attribute (#36759)
• data-source/aws_lb: Add client_keep_alive argument (#36969)
• data-source/aws_organizations_organization: Add master_account_name attribute (#36797)
• data-source/aws_vpc_dhcp_options: Add ipv6_address_preferred_lease_time attribute (#36934)
• resource/aws_alb: Add client_keep_alive argument (#36969)
• resource/aws_autoscaling_group: Add alarm_specification to the instance_refresh.preferences configuration block (#36954)
• resource/aws_cloudformation_stack_set: Add retry when creating to potentially help with eventual consistency problems (#36982)
• resource/aws_cloudfront_origin_access_control: Add lambda and mediapackagev2 as valid values for origin_access_control_origin_type (#34362)
• resource/aws_cloudwatch_event_rule: Add force_destroy attribute (#34905)
• resource/aws_codebuild_project: Add GitLab and GitLab Self Managed support to the report_build_status and build_status_config arguments (#36942)
• resource/aws_default_vpc_dhcp_options: Add ipv6_address_preferred_lease_time as Computed attribute (#36934)
• resource/aws_dms_replication_task: Add resource_identifier argument (#36901)
• resource/aws_eip: Add ptr_record attribute (#36963)
• resource/aws_elasticache_serverless_cache: Add minimum attribute in cache_usage_limits.data_storage and cache_usage_limits.ecpu_per_second (#36766)
• resource/aws_fsx_openzfs_file_system: Add endpoint_ip_address attribute (#36767)
• resource/aws_iam_policy: Add attachment_count attribute (#36759)
• resource/aws_imagebuilder_image: Add execution_role and workflow arguments (#36953)
• resource/aws_lb: Add client_keep_alive argument (#36969)
• resource/aws_mwaa_environment: Add database_vpc_endpoint_service and webserver_vpc_endpoint_service attributes (#36903)
• resource/aws_organizations_organization: Add master_account_name attribute (#36797)
• resource/aws_transfer_connector: Add security_policy_name argument (#36893)
• resource/aws_vpc_dhcp_options: Add ipv6_address_preferred_lease_time attribute (#36934)
• resource/aws_vpc_ipam_pool: Add cascade argument (#36898)

BUG FIXES:

• data-source/aws_iam_policy_document: When using multiple principals, sort them to avoid differences based only on order (#25967)
• resource/aws_appconfig_deployment: Fix ConflictException errors on resource Create (#36980)
• resource/aws_ce_anomaly_monitor: Change monitor_dimension to ForceNew (#36773)
• resource/aws_ce_anomaly_subscription: Change account_id to ForceNew (#36773)
• resource/aws_cloudformation_stack: CRLF line endings in template_body no longer cause erroneous diffs (#14270)
• resource/aws_db_proxy: Fix interface conversion: interface {} is nil, not map[string]interface {} panic when auth is empty ({}) (#36967)
• resource/aws_dms_replication_config: Adds validation to replication_settings to disallow Logging.CloudWatchLogGroup and Logging.CloudWatchLogStream. (#36936)
• resource/aws_dms_replication_config: Suppresses differences in partial replication_settings JSON documents. (#36936)
• resource/aws_dms_replication_task: Adds validation to replication_task_settings to disallow Logging.CloudWatchLogGroup and Logging.CloudWatchLogStream. (#36936)
• resource/aws_dms_replication_task: Allows leaving replication_task_settings unset to use default settings. (#36936)
• resource/aws_dms_replication_task: Suppresses differences in partial replication_task_settings JSON documents. (#36936)
• resource/aws_fsx_windows_file_system: Fix error BadRequest: AuditLogDestination must not be provided when auditing is disabled when updating audit_log_configuration.0.file_access_audit_log_level and audit_log_configuration.0.file_share_access_audit_log_level to "DISABLED" (#36928)
• resource/aws_glue_job: Mark number_of_workers and worker_type as optional/computed, preventing persistent differences when max_capacity is set. (#36770)
• resource/aws_iam_user_login_profile: Fix forced re-creation when password_reset_required is true and initial password reset is completed (#36926)
• resource/aws_lightsail_distribution: Fix to properly set certificate_name on create and update (#36888)
• resource/aws_vpc_dhcp_options: Fix NotFound error handling on delete (#36933)

v5.45.0

NOTES:

• resource/aws_redshift_cluster: The logging argument is now deprecated. Use the aws_redshift_logging resource instead. (#36862)
• resource/aws_redshift_cluster: The snapshot_copy argument is now deprecated. Use the aws_redshift_snapshot_copy resource instead. (#36810)

FEATURES:

• New Resource: aws_redshift_logging (#36862)
• New Resource: aws_redshift_snapshot_copy (#36810)

ENHANCEMENTS:

• data-source/aws_sagemaker_prebuilt_ecr_image: Add registry_id for af-south-1 AWS Region (#36803)
• resource/aws_api_gateway_documentation_part: Add documentation_part_id attribute (#36445)
• resource/aws_wafregional_web_acl_association: Add configurable timeouts (#36445)
• resource/aws_wafregional_web_acl_association: Add plan-time validation of resource_arn (#36445)

BUG FIXES:

• provider: Change the default AWS SDK for Go v2 API client MaxBackoff value to 300 seconds so that services migrated to AWS SDK for Go v2 maintain behavioral compatibility with AWS SDK for Go v1 (#36855)
• resource/aws_datasync_location_object_storage: Allow update to agent_arns (#36819)
• resource/aws_devopsguru_notification_channel: Fix persistent diff when filters.message_types or filters.severities contains multiple elements (#36804)
• resource/aws_securityhub_configuration_policy: Mark configuration_policy.enabled_standard_arns as Optional, fixing InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled errors (#36740)