chore(deps): update terraform (major) #484

Open
renovate[bot] wants to merge 1 commit into main from renovate/major-terraform

@renovate renovate bot commented Feb 26, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                                          Type               Update  Change
aws (source)                                     required_provider  major   < 6.0 → < 6.38
aws (source)                                     required_provider  major   ~> 5.0 → ~> 6.0
google (source)                                  required_provider  major   ~> 5.0 → ~> 7.0
terraform-aws-modules/cloudfront/aws (source)    module             major   ~> 3.0 → ~> 6.0
terraform-aws-modules/ecs/aws (source)           module             major   5.12.1 → 7.5.0
terraform-aws-modules/s3-bucket/aws (source)     module             major   ~> 4.0 → ~> 5.0
terraform-aws-modules/vpc/aws (source)           module             major   < 6.0 → < 6.7

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.37.0

Compare Source

BREAKING CHANGES:

  • resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values (#​46788)

NOTES:

  • data-source/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#​46959)
  • resource/aws_savingsplan_savingsplan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​46959)
  • resource/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#​46959)

FEATURES:

  • New List Resource: aws_ec2_transit_gateway_metering_policy (#​46812)
  • New List Resource: aws_iam_user (#​46869)
  • New List Resource: aws_s3_bucket_ownership_controls (#​46832)
  • New List Resource: aws_wafv2_web_acl_rule (#​46682)
  • New List Resource: aws_workmail_organization (#​46692)
  • New Resource: aws_ec2_transit_gateway_metering_policy (#​46812)
  • New Resource: aws_ec2_transit_gateway_metering_policy_entry (#​46812)
  • New Resource: aws_wafv2_web_acl_rule (#​46682)
  • New Resource: aws_workmail_organization (#​46692)

ENHANCEMENTS:

BUG FIXES:

  • data-source/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read (#​46959)
  • resource/aws_bedrockagentcore_gateway: Fix "Unable to Convert Configuration" error caused by schema/model mismatch in authorizer_configuration.custom_jwt_authorizer. This fixes a regression introduced in v6.36.0 (#​46908)
  • resource/aws_cloudfrontkeyvaluestore_key: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#​46898)
  • resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#​46899)
  • resource/aws_datasync_agent: Support activation of advanced mode agents. Previously, attempting to activate advanced mode agents would result in EOF errors when retrieving the activation key (#​46958)
  • resource/aws_dynamodb_table: Fix GSI removal with key_schema syntax deleting all GSIs (#​46602)
  • resource/aws_instance: Fix MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore errors when updating cpu_options.core_count or cpu_options.threads_per_core (#​46879)
  • resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values. Previously, attempting to use resource_data.lf_tag.value would result in missing required field errors (#​46788)
  • resource/aws_msk_cluster: Properly handle removal of the client_authentication.sasl block (#​42163)
  • resource/aws_msk_cluster: Properly handle removal of the client_authentication.tls block (#​42163)
  • resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.sasl blocks (#​42163)
  • resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.tls blocks (#​42163)
  • resource/aws_s3_bucket_lifecycle_configuration: Fix "Missing Resource Identity After Read" error when resource created with provider version < 6.34.0 is deleted outside Terraform (#​46674)
  • resource/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read to prevent forced replacement following import (#​46959)
  • resource/aws_wafv2_web_acl: Fix enable_machine_learning in aws_managed_rules_bot_control_rule_set incorrectly defaulting to false instead of reflecting the AWS default of true (#​46682)

v6.36.0

Compare Source

NOTES:

  • provider: Update Go version to v1.25.8. Addresses GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#​46820)

FEATURES:

  • New Data Source: aws_iam_outbound_web_identity_federation (#​46503)
  • New Ephemeral Resource: aws_sts_web_identity_token (#​46173)
  • New List Resource: aws_s3_bucket_versioning (#​46802)

ENHANCEMENTS:

  • listresource/aws_s3_bucket: No longer returns values for deprecated parameters (#​46852)
  • resource/aws_bedrockagentcore_agent_runtime: Add authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#​46828)
  • resource/aws_cloudwatch_log_resource_policy: Add resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#​46813)
  • resource/aws_glue_catalog_table: Add open_table_format_input.iceberg_input.iceberg_table_input argument (#​46843)
  • resource/aws_glue_catalog_table: Add view_definition argument (#​46843)
  • resource/aws_glue_catalog_table: Change open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#​46843)
  • resource/aws_glue_catalog_table: Change parameters, storage_descriptor, and table_type to Optional and Computed (#​46843)
  • resource/aws_guardduty_ipset: Add ip_set_id attribute (#​46703)
  • resource/aws_guardduty_publishing_destination: Add arn and destination_id attributes (#​46703)
  • resource/aws_guardduty_publishing_destination: Add tagging support (#​46703)
  • resource/aws_guardduty_threatintelset: Add threat_intel_set_id attribute (#​46703)
  • resource/aws_observabilityadmin_centralization_rule_for_organization: Add rule.destination.destination_logs_configuration.log_group_name_configuration block (#​46811)

BUG FIXES:

  • data-source/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
  • list-resource/aws_iam_role_policy_attachment: Prevent infinite loop when IAM Role deleted during list (#​46763)
  • listresource/aws_s3_bucket: No longer appears to hang when buckets are deleted concurrently with listing (#​46852)
  • resource/aws_appconfig_deployment_strategy: Fix panic due to "interface conversion: interface {} is float64, not float32" when updating growth_factor (#​46810)
  • resource/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
  • resource/aws_vpc_endpoint: Allow in-place update of private_dns_enabled when vpc_endpoint_type is Interface (#​46800)
  • resource/aws_vpc_endpoint: Set new computed value for network_interface_ids attribute when changing subnet_configuration or subnet_ids (#​46800)
  • resource/aws_vpn_concentrator: Retry VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#​46823)

v6.35.1

Compare Source

BUG FIXES:

  • provider: Fix regression causing "Incompatible Types" errors during flattening (#​46778)
  • resource/aws_bedrockagentcore_gateway_target: Fix "Incompatible Types" errors during schema definition flattening (#​46778)
  • resource/aws_s3_bucket_lifecycle_configuration: Fix "Incompatible Types" errors for LifecycleRuleAndOperator while flattening configuration (#​46778)

v6.35.0

Compare Source

FEATURES:

  • New List Resource: aws_ecs_service (#​46678)
  • New List Resource: aws_lb (#​46660)
  • New List Resource: aws_lb_listener (#​46679)
  • New List Resource: aws_lb_listener_rule (#​46731)
  • New List Resource: aws_lb_target_group (#​46662)
  • New List Resource: aws_sns_topic (#​46744)
  • New List Resource: aws_sns_topic_subscription (#​46738)
  • New Resource: aws_observabilityadmin_telemetry_pipeline (#​46698)
  • New Resource: aws_sagemaker_mlflow_app (#​45565)

ENHANCEMENTS:

  • data-source/aws_lambda_layer_version: Add layer_version_arn argument to support cross-account Lambda layer access (#​46673)
  • resource/aws_emrserverless_application: Add job_level_cost_allocation_configuration block (#​46107)
  • resource/aws_ram_resource_share: Add resource_share_configuration block (#​46715)

BUG FIXES:

  • resource/aws_ce_cost_category: Change split_charge_rule targets from TypeSet to TypeList to retain order (#​42856)
  • resource/aws_dms_endpoint: Fix InvalidParameterCombinationException errors when oracle_settings is configured (#​46689)
  • resource/aws_elasticache_replication_group: Remove hard-coded upper limit of 5 for replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#​46670)
  • resource/aws_networkmanager_attachment_routing_policy_label: Fix attachment state waiter to handle all Cloud WAN attachment lifecycle states (#​46672)

v6.34.0

Compare Source

FEATURES:

  • New List Resource: aws_ec2_secondary_network (#​46552)
  • New List Resource: aws_ec2_secondary_subnet (#​46552)
  • New List Resource: aws_ecr_task_definition (#​46628)
  • New List Resource: aws_elb (#​46639)
  • New List Resource: aws_s3_bucket_lifecycle_configuration (#​46531)
  • New Resource: aws_networkmanager_prefix_list_association (#​46566)

ENHANCEMENTS:

  • data-source/aws_grafana_workspace: Add kms_key_id attribute (#​46584)
  • data-source/aws_memorydb_cluster: Add network_type and ip_discovery attributes (#​46636)
  • resource/aws_athena_workgroup: Add configuration.query_results_s3_access_grants_configuration argument (#​46376)
  • resource/aws_bedrockagentcore_api_key_credential_provider: Add tagging support (#​46591)
  • resource/aws_bedrockagentcore_gateway_target: Add metadata_configuration block for HTTP header and query parameter propagation (#​45808)
  • resource/aws_bedrockagentcore_oauth2_credential_provider: Add tagging support (#​46590)
  • resource/aws_cloudwatch_event_connection: Add auth_parameters.connectivity_parameters argument (#​41561)
  • resource/aws_ecs_service: Add service_connect_configuration.access_log_configuration argument (#​45820)
  • resource/aws_ecs_service: Add resource identity support (#​46644)
  • resource/aws_eip_domain_name: Add import support (#​46582)
  • resource/aws_grafana_workspace: Add kms_key_id argument (#​46584)
  • resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#​46568)
  • resource/aws_lb_target_group_attachment: Add import support (#​46646)
  • resource/aws_lb_target_group_attachment: Add resource identity (#​46646)
  • resource/aws_memorydb_cluster: Add network_type and ip_discovery arguments (#​46636)
  • resource/aws_opensearch_domain: Add jwt_options attribute (#​46439)
  • resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#​44426)

BUG FIXES:

  • data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#​46616)
  • data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#​46226)
  • list-resource/aws_s3_object: Includes parent bucket in display name. (#​46596)
  • resource/aws_autoscaling_group: Fix couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#​46622)
  • resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#​46127)
  • resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#​46127)
  • resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#​46462)
  • resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#​46150)
  • resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#​46556)
  • resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#​46102)

v6.33.0

Compare Source

FEATURES:

  • New Resource: aws_networkmanager_attachment_routing_policy_label (#​46489)

ENHANCEMENTS:

  • data-source/aws_launch_template: Add cpu_options.nested_virtualization and network_performance_options attributes (#​46540)
  • data/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_budgets_budget: Add filter_expression attribute (#​46501)
  • resource/aws_dms_endpoint: Add access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefix arguments to the oracle_settings configuration block (#46516)
  • resource/aws_dms_endpoint: Add use_update_lookup argument to mongodb_settings configuration block (#​46253)
  • resource/aws_ecs_task_definition: Add resource identity support (#​46411)
  • resource/aws_instance: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add secondary_interfaces configuration block (#​46540)
  • resource/aws_lexv2models_intent: Add qna_intent_configuration attribute (#​46419)
  • resource/aws_sagemaker_domain: Add domain_settings.trusted_identity_propagation_settings argument (#​44965)

BUG FIXES:

  • data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#​46478)
  • resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#​46475)
  • resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#​45049)
  • resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#​46496)
  • resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#​44960)
  • resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#​46453)
  • resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#​46515)

v6.32.1

Compare Source

BUG FIXES:

  • resource/aws_autoscaling_group: Fix couldn't find resource error during creation when waiting for capacity to be satisfied (#​46452)
  • resource/aws_cloudwatch_log_delivery: Fix s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#​46455)
  • resource/aws_dynamodb_table: Fix perpetual diff when using key_schema with a single range key on a global secondary index (#​46442)
  • resource/aws_elasticache_replication_group: Fix false validation error when auth_token references another resource (#​46454)

v6.32.0

Compare Source

FEATURES:

  • New List Resource: aws_ecr_repository (#​46344)
  • New List Resource: aws_lambda_permission (#​46341)
  • New List Resource: aws_route (#​46370)
  • New List Resource: aws_route53_resolver_rule_association (#​46349)
  • New List Resource: aws_route_table (#​46337)
  • New List Resource: aws_s3_directory_bucket (#​46373)
  • New List Resource: aws_secretsmanager_secret (#​46318)
  • New List Resource: aws_secretsmanager_secret_version (#​46342)
  • New List Resource: aws_vpc_security_group_egress_rule (#​46368)
  • New List Resource: aws_vpc_security_group_ingress_rule (#​46367)
  • New Resource: aws_ec2_secondary_network (#​46408)
  • New Resource: aws_ec2_secondary_subnet (#​46408)

ENHANCEMENTS:

  • resource/aws_instance: Add secondary_network_interface argument (#​46408)
  • resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#​42687)

BUG FIXES:

  • data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#​46384)
  • list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#​46401)
  • resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#​46427)
  • resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#​46375)
  • resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#​45637)

v6.31.0

Compare Source

NOTES:

  • resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)

FEATURES:

  • New Data Source: aws_account_regions (#​41746)
  • New Ephemeral Resource: aws_ecrpublic_authorization_token (#​45841)
  • New List Resource: aws_cloudwatch_event_rule (#​46304)
  • New List Resource: aws_cloudwatch_event_target (#​46297)
  • New List Resource: aws_cloudwatch_metric_alarm (#​46268)
  • New List Resource: aws_iam_role_policy (#​46293)
  • New List Resource: aws_lambda_function (#​46295)
  • New List Resource: aws_s3_bucket_acl (#​46305)
  • New List Resource: aws_s3_bucket_policy (#​46312)
  • New List Resource: aws_s3_bucket_public_access_block (#​46309)
  • New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#​46191)

ENHANCEMENTS:

  • resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45583)
  • resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#​45882)

BUG FIXES:

  • list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#​46305)
  • resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#​45518)
  • resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#​45893)
  • resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#​45571)
  • resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#​45087)
  • resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#​46211)

v6.30.0

Compare Source

FEATURES:

  • New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#​46176)

BUG FIXES:

  • resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#​46195)

v6.29.0

Compare Source

NOTES:

  • data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​43331)
  • resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#​46185)
  • resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​45834)

FEATURES:

  • New Data Source: aws_arcregionswitch_plan (#​43781)
  • New Data Source: aws_arcregionswitch_route53_health_checks (#​43781)
  • New Data Source: aws_organizations_entity_path (#​45890)
  • New Data Source: aws_resourcegroupstaggingapi_required_tags (#​45994)
  • New Data Source: aws_s3_bucket_object_lock_configuration (#​45990)
  • New Data Source: aws_s3_bucket_replication_configuration (#​42662)
  • New Data Source: aws_s3control_access_points (#​45949)
  • New Data Source: aws_s3control_multi_region_access_points (#​45974)
  • New Data Source: aws_savingsplans_savings_plan (#​45834)
  • New Data Source: aws_wafv2_managed_rule_group (#​45899)
  • New List Resource: aws_appflow_connector_profile (#​45983)
  • New List Resource: aws_appflow_flow (#​45980)
  • New List Resource: aws_cleanrooms_collaboration (#​45953)
  • New List Resource: aws_cleanrooms_configured_table (#​45956)
  • New List Resource: aws_cloudfront_key_value_store (#​45957)
  • New List Resource: aws_opensearchserverless_collection (#​46001)
  • New List Resource: aws_route53_record (#​46059)
  • New List Resource: aws_s3_bucket (#​46004)
  • New List Resource: aws_s3_object (#​46002)
  • New List Resource: aws_security_group (#​46062)
  • New Resource: aws_apigatewayv2_routing_rule (#​42961)
  • New Resource: aws_arcregionswitch_plan (#​43781)
  • New Resource: aws_cloudfront_anycast_ip_list (#​43331)
  • New Resource: aws_notifications_managed_notification_account_contact_association (#​45185)
  • New Resource: aws_notifications_managed_notification_additional_channel_association (#​45186)
  • New Resource: aws_notifications_organizational_unit_association (#​45197)
  • New Resource: aws_notifications_organizations_access (#​45273)
  • New Resource: aws_opensearch_application (#​43822)
  • New Resource: aws_ram_permission (#​44114)
  • New Resource: aws_ram_resource_associations_exclusive (#​45883)
  • New Resource: aws_sagemaker_labeling_job (#​46041)
  • New Resource: aws_sagemaker_model_card (#​45993)
  • New Resource: aws_sagemaker_model_card_export_job (#​46009)
  • New Resource: aws_savingsplans_savings_plan (#​45834)
  • New Resource: aws_sesv2_tenant_resource_association (#​45904)
  • New Resource: aws_vpc_security_group_rules_exclusive (#​45876)

ENHANCEMENTS:

  • aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#​46157)
  • data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#​45928)
  • data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#​46163)
  • data-source/aws_vpc_ipam_pool: Add source_resource attribute (#​44705)
  • resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#​45966)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#​46056)
  • resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#​45984)
  • resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#​45357)
  • resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#​45934)
  • resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#​46092)
  • resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#​45852)
  • resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#​45852)
  • resource/aws_invoicing_invoice_unit: Adds resource identity support. (#​46185)
  • resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#​46185)
  • resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#​46065)
  • resource/aws_launch_template: Add network_performance_options argument (#​46071)
  • resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#​45636)
  • resource/aws_opensearchserverless_collection: Add resource identity support (#​45981)
  • resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#​44881)
  • resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#​45951)
  • resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#​45951)
  • resource/aws_sagemaker_monitorin

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies (Renovatebot and dependabot updates) and terraform labels Feb 26, 2026
@renovate renovate bot force-pushed the renovate/major-terraform branch from b561ecc to 151783f February 27, 2026 10:52

github-actions bot commented Feb 27, 2026

Open in Overmind ↗


✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ EC2 instances showing 1 event/week for the last 2 months and 1 event/week for the last 6 weeks, and an SNS subscription showing 2 events/week for the last 3 months, which is infrequent compared to typical patterns.
Policies 🔴 ▃▂▁ Storage and network resources showing unusual exposure: a security group allows SSH (port 22) access from anywhere (0.0.0.0/0) and an S3 bucket does not have server-side encryption configured, which is unusual compared to typical patterns.

View signals ↗


🔥 Risks

Pending SNS email subscription leaves production alerts undelivered during concurrent EC2/NAT updates ❗Medium Open Risk ↗
The change introduces a new SNS subscription to production-api-alerts using the email protocol and endpoint alerts@example.com with endpoint_auto_confirms=false. Email subscriptions require manual confirmation; the current topic state shows SubscriptionsConfirmed=0 and SubscriptionsPending=1, so messages will not be delivered to on-call until someone confirms the subscription. This violates AWS Well-Architected REL06-BP03 expectations for functioning alarm notification targets.

In the same run, both API server instances and both NAT gateways are being updated. While these diffs don’t show replacements, any incident during or shortly after this broad update will lack timely notification via the intended channel, increasing time-to-detect for production issues.


🧠 Reasoning · ✔ 1 · ✖ 2

Change rollout and alerting pattern increases blast radius and notification risk

Observations 2

Hypothesis

Operational and change-management patterns around this update introduce notification and blast-radius risks:

  • A new aws_sns_topic_subscription.oncall_email for production-api-alerts (protocol email, endpoint alerts@example.com) requires out-of-band confirmation and may not be active during the same apply that changes EC2/NAT resources, creating a gap where incidents from this risky change are not delivered via the intended channel.
  • Routing alerts to an email-only, potentially shared or external mailbox moves production incident telemetry outside the AWS IAM/CloudWatch control plane, weakening auditability and access control for sensitive operational data.
  • The major Terraform/provider upgrade is being applied across both API server instances and both NAT gateways in a single run, reducing fault isolation and eliminating canary protection; any schema or provider regression affecting replacement, route association, or IP attachment can impact all ingress and egress paths simultaneously.

These factors combine to increase the operational risk of the change window: a broad blast radius with limited canarying and a potentially incomplete or weakly controlled alerting path during and after the rollout.

Investigation

Evidence Gathered

  • Loaded org knowledge: aws-monitoring-detection (REL06-BP03 on alarms needing notification targets), engineering-change-process (SNS/SQS changes coordinated via Platform), and aws-resource-governance.
  • Reviewed the planned diff creating aws_sns_topic_subscription.oncall_email for topic production-api-alerts with protocol email, endpoint alerts@example.com, and endpoint_auto_confirms=false (manual confirmation required).
  • Queried blast radius for the SNS topic. Current attributes show SubscriptionsConfirmed: 0, SubscriptionsPending: 1, SubscriptionsDeleted: 1, confirming there are no active subscribers at present and at least one pending confirmation.
  • Queried blast radius for affected compute/network components: two API servers (i-0464c4413cb0c54aa, i-09d6479fb9b97d123) and two NAT gateways (nat-019b2865124bca19d, nat-0bcff9aa2633b680e). Diffs indicate updates but no replacements; NAT changes are primarily provider/computed attributes (e.g., regional_nat_gateway_address: (known after apply)).

Impact Assessment

  • Directly affected alerting surface: 1 SNS topic intended for on-call production alerts. With 0 confirmed subscriptions, 100% of notifications published to this topic will not reach the intended recipients until manual confirmation occurs. This creates an immediate detection gap in production.
  • Concurrently changed infrastructure: 4 critical resources (2 API server EC2 instances and 2 NAT gateways) in eu-west-2. While no replacements are planned, any regression or incident during/after apply would not trigger effective notifications via the intended channel due to the pending subscription.
  • Operational consequence: On-call may miss or be delayed in responding to failures (connectivity, health, or egress issues) affecting both ingress and egress paths, extending time-to-detect and time-to-mitigate during a broad change window. This contravenes AWS Well-Architected REL06-BP03, which expects alarms to have functioning notification targets.

Conclusion

Risk is real. The SNS topic used for production on-call alerts currently has zero confirmed subscribers, and the new email subscription requires out-of-band confirmation. During this change, which touches two API servers and two NAT gateways, alerts will not be delivered via the intended channel until the subscription is confirmed.

✔ Hypothesis proven


EC2 force_destroy set to false causing failed destroys and orphaned attached resources

Observations 22

Hypothesis

Terraform changes continue to set EC2 instance resources’ force_destroy attribute from null to false, altering lifecycle behavior for compute and attached resources:

  • Prevents Terraform from forcibly deleting instances and dependencies (ENIs, EBS volumes, EIPs), increasing the chance of failed destroy/replace operations due to dependent-resource errors and blocked detaches.
  • Can leave ENIs and their private IPs orphaned or still attached, causing stale target registrations in internal or external load balancers, blocking resource replacements, or failing deregistrations, which impacts network routing and availability (REL2-BP03, SEC05-BP01).
  • Can leave EBS volumes and other attachments orphaned in subnets, blocking IP reuse and complicating replacements, and increases operational overhead by requiring manual cleanup or explicit detach workflows to avoid resource drift and destroy failures.

Overall, disabling forceful cleanup reduces automated decommissioning and raises the likelihood of blocked deployments, failed destroys, and lingering network/storage resources across affected subnets.

Investigation

Evidence Gathered

  • Reviewed planned diffs for two EC2 instances: 540044833068.eu-west-2.ec2-instance.i-0464c4413cb0c54aa and 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123. Only notable change is force_destroy: null -> false, plus public_ip/public_dns switching to “(known after apply)”, which is expected provider behavior when values are computed at apply time.
  • Queried blast radius state for the two instances and their attachments (root EBS volumes and primary ENIs):
    • i-0464c4413cb0c54aa: Root volume vol-0a61278f4602fc12b is attached with DeleteOnTermination=true. Primary ENI eni-069a58a392f35dce3 is attached with DeleteOnTermination=true.
    • i-09d6479fb9b97d123: Root volume vol-090e750179b5fa681 is attached with DeleteOnTermination=true. Primary ENI eni-0a8dc8648170059f4 is attached with DeleteOnTermination=true.
  • No resources in the plan are being destroyed or replaced; these are simple updates. There are no diffs showing additional ENIs or EBS volumes with DeleteOnTermination=false attached to these instances.
  • Organizational knowledge emphasizes proper decommissioning and avoiding unused resources, but nothing in this change weakens those controls. Attachments already have correct lifecycle flags to prevent orphaning when instances terminate.

Impact Assessment

  • Directly affected compute resources: 2 EC2 instances (api servers). Directly attached storage: 2 root EBS volumes. Networking: 2 primary ENIs on those instances. All show DeleteOnTermination=true, so normal instance termination will clean up the root volume and detach the ENI automatically.
  • Downstream dependencies (ALB/NAT/ELB ENIs) are separate managed resources and are not dependent on instance force_destroy. No target group or listener changes are planned that would create stale registrations.
  • Because nothing is being destroyed in this plan, toggling force_destroy to false cannot on its own cause “failed destroys”, “blocked replacements”, or “orphaned ENIs/EBS”. Future destroys of these two instances will still behave correctly because their attachments are configured to delete or detach on termination.

Conclusion

Risk not real. The only behavioral change claimed by the hypothesis is unsupported by the evidence: the instances’ attachments already have DeleteOnTermination=true, and the plan does not perform any deletions. Setting force_destroy to false here does not introduce a failure mode or leave orphaned resources.

✖ Hypothesis disproven


NAT/public endpoint updates risking combined ingress/egress loss and address drift

Observations 7

Hypothesis

NAT gateways and EC2 instances that act as public endpoints are being updated under a major Terraform/provider upgrade, and several resources now show externally visible addresses as known after apply:

  • Public EC2 API server endpoints and NAT gateway public addresses may both change during the same apply, breaking any hard-coded IP/DNS allowlists, probes, or operator tooling that rely on current addresses.
  • If NAT gateway addresses change at the same time as public EC2 endpoints, both private-subnet egress and direct recovery/inbound access can fail together, creating a combined ingress/egress outage.
  • Coupled with prior NAT gateway update risk, this concentrates connectivity changes into a single event, increasing the chance that route-association, IP-attachment, or replacement issues affect all paths simultaneously.

This reinforces the need to validate out-of-band consumers of these addresses and to stage connectivity-impacting updates to preserve at least one known-good path for validation and rollback.

Investigation

Evidence Gathered

  • Loaded organizational knowledge: aws-network-security (SEC05/REL02 guidance on public endpoints and IP usage) and aws-high-availability (REL10 guidance on blast-radius reduction and staged rollouts).
  • Reviewed planned diffs for the two NAT Gateways and the two EC2 instances flagged:
    • NAT Gateways nat-019b2865124bca19d and nat-0bcff9aa2633b680e: only the new attribute regional_nat_gateway_address changes from null to "(known after apply)". Their public_ip values remain explicitly set to 52.56.230.253 and 13.42.93.249 respectively; no replacement or EIP change is planned.
    • EC2 instances i-09d6479fb9b97d123 and i-0464c4413cb0c54aa: minor field normalization (force_destroy: null -> false) plus public_dns and public_ip shown as "(known after apply)" in plan; neither instance is being replaced.
  • Queried blast radius state to validate current connectivity:
    • NAT nat-019b2865124bca19d is available with EIP 52.56.230.253 via AllocationId eipalloc-07b90dc55fe7e78bd and ENI eni-030542fb12761bd4f; nat-0bcff9aa2633b680e is available with EIP 13.42.93.249 via AllocationId eipalloc-0746e1b2243bb99c3 and ENI eni-0c502e5a8c20f4df7.
    • Private subnet route tables rtb-0fa8d71472f3214bd and rtb-0fd627aea94dee6ea have 0.0.0.0/0 routes pointing to those same NAT Gateways.
    • The workload uses an internet-facing ALB (api-207c90ee-alb) in front of targets; inbound production API traffic resolves to the ALB DNS name, not to the instances' public IPs.
  • Applied the "Interpreting (known after apply)" rule: these attributes are computed and commonly resolve to the existing values after apply when no replacement occurs; by themselves they are not evidence of address change.

Impact Assessment

  • Directly changed resources: 2 NAT Gateways (nat-019b2865124bca19d, nat-0bcff9aa2633b680e) and 2 EC2 instances (i-09d6479fb9b97d123, i-0464c4413cb0c54aa). No replacements; states show healthy and stable identifiers.
  • Egress paths: 2 private route tables continue to route 0.0.0.0/0 to the existing NAT GWs; NAT Gateway EIPs and ENIs are unchanged in plan and confirmed in current state. This preserves private-subnet egress.
  • Ingress paths: External access to the API is via an internet-facing ALB (api-207c90ee-alb). No ALB or target group changes are planned. Even if an instance public IP were to change, client ingress would continue through the ALB.
  • There is no evidence of concurrent changes that would remove or rotate both NAT EIPs and instance public endpoints during the same apply. Therefore, the hypothesized combined ingress/egress outage condition is not supported.

Conclusion

Risk not real. The plan does not rotate NAT Gateway public IPs, does not replace NAT Gateways or route-table associations, and does not replace the EC2 instances. The "(known after apply)" annotations reflect provider schema behavior, not an address change. Ingress remains through an unchanged ALB, and egress remains through unchanged NAT Gateways. No concrete mechanism exists in this change set that would simultaneously break both inbound and outbound connectivity.

✖ Hypothesis disproven


💥 Blast Radius

Items 81

Edges 187

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 34 · Edges 128


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 151783f to 94f0e85 Compare February 27, 2026 15:02
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 74 · Edges 219


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 94f0e85 to 637e190 Compare March 3, 2026 21:32
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 67 · Edges 205


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 637e190 to ac1faaf Compare March 4, 2026 21:54
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 40 · Edges 146


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from ac1faaf to d60cbfe Compare March 5, 2026 23:37
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 31 · Edges 161


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from d60cbfe to 86db8b5 Compare March 10, 2026 22:06
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 135 · Edges 218


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 86db8b5 to fcde9d3 Compare March 11, 2026 21:19
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 54 · Edges 175


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch 2 times, most recently from 3eb059e to 50a912b Compare March 17, 2026 20:41
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 134 · Edges 275


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 50a912b to 5b1950f Compare March 18, 2026 22:04
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 58 · Edges 177


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-terraform branch from 5b1950f to 900f801 Compare March 19, 2026 17:04
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 81 · Edges 187


View full analysis in Overmind ↗
