Update Terraform aws to v6

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	5.42.0 -> 6.23.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.23.0

Compare Source

NOTES:

• resource/aws_s3_bucket: To support ABAC (Attribute Based Access Control) in general purpose buckets, this resource will now attempt to send tags in the create request and use the S3 Control tagging APIs TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#​45251)

FEATURES:

• New Resource: aws_ecs_express_gateway_service (#​45235)
• New Resource: aws_s3_bucket_abac (#​45251)
• New Resource: aws_vpc_encryption_control (#​45263)
• New Resource: aws_vpn_concentrator (#​45175)

ENHANCEMENTS:

• action/aws_lambda_invoke: Add tenant_id argument (#​45170)
• data-source/aws_eks_cluster: Add control_plane_scaling_config attribute (#​45258)
• data-source/aws_lambda_function: Add tenancy_config attribute (#​45170)
• data-source/aws_lambda_invocation: Add tenant_id argument (#​45170)
• data-source/aws_vpn_connection: Add vpn_concentrator_id attribute (#​45175)
• resoource/aws_ecs_capacity_provider: Add managed_instances_provider.infrastructure_optimization argument (#​45142)
• resource/aws_docdb_cluster: Add network_type argument (#​45140)
• resource/aws_docdb_subnet_group: Add supported_network_types attribute (#​45140)
• resource/aws_eks_cluster: Add control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#​45258)
• resource/aws_lambda_function: Add tenancy_config argument (#​45170)
• resource/aws_lambda_invocation: Add tenant_id argument (#​45170)
• resource/aws_s3_bucket: Tag on creation when the s3:TagResource permission is present (#​45251)
• resource/aws_s3_bucket: Use the S3 Control tagging APIs when the s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#​45251)
• resource/aws_vpn_connection: Add vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#​45175)

v6.22.1

Compare Source

ENHANCEMENTS:

• resource/aws_fsx_openzfs_file_system: Support INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#​45159)
• resource/aws_msk_cluster: Add rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#​45073)

BUG FIXES:

• provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in v6.22.0. (#​45201)
• provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in v6.22.0. (#​45201)
• resource/aws_accessanalyzer_analyzer: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#​45202)
• resource/aws_odb_cloud_vm_cluster: Fix incorrect validation error when arguments are configured using variables. This addresses a regression introduced in v6.22.0 (#​45205)

v6.22.0

Compare Source

NOTES:

• resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#​45105)

FEATURES:

• New Ephemeral Resource: aws_ecr_authorization_token (#​44949)
• New Guide: Tag Policy Compliance (#​45143)
• New Resource: aws_billing_view (#​45097)
• New Resource: aws_vpclattice_domain_verification (#​45085)

ENHANCEMENTS:

• data-source/aws_lb_listener: Add default_action.jwt_validation attribute (#​45089)
• data-source/aws_lb_listener_rule: Add action.jwt_validation attribute (#​45089)
• data-source/aws_route53_zone: Support filtering by tags only or by vpc_id only (#​39671)
• provider: Add support for enforcing tag policy compliance. This opt-in feature can be enabled via the new tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#​45143)
• resource/aws_backup_logically_air_gapped_vault: Add encryption_key_arn argument (#​45020)
• resource/aws_bedrock_guardrail: Add input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#​45104)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#​45075)
• resource/aws_bedrockagentcore_agent_runtime: Add agent_runtime_artifact.code_configuration block (#​45091)
• resource/aws_bedrockagentcore_agent_runtime: Make agent_runtime_artifact.container_configuration block optional (#​45091)
• resource/aws_dynamodb_table: Add global_table_witness argument (#​43908)
• resource/aws_emr_managed_scaling_policy: Add scaling_strategy and utilization_performance_index arguments (#​45132)
• resource/aws_fis_experiment_template: Add plan-time validation of log_configuration.cloudwatch_logs_configuration.log_group_arn (#​35941)
• resource/aws_fis_experiment_template: Add support for Functions to action.*.target (#​41209)
• resource/aws_lambda_invocation: Add import support (#​41240)
• resource/aws_lb_listener: Support jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#​45089)
• resource/aws_lb_listener_rule: Support jwt-validation as a valid action.type and add action.jwt_validation configuration block (#​45089)
• resource/aws_odb_cloud_vm_cluster: vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45003)
• resource/aws_organizations_organization: Add SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#​45135)
• resource/aws_prometheus_query_logging_configuration: Add plan-time validation of destination.cloudwatch_logs.log_group_arn (#​35941)
• resource/aws_prometheus_workspace: Add plan-time validation of logging_configuration.log_group_arn (#​35941)
• resource/aws_s3_bucket_server_side_encryption_configuration: Add rule.blocked_encryption_types argument (#​45105)
• resource/aws_sagemaker_model: Add container.additional_model_data_source and primary_container.additional_model_data_source arguments (#​44407)
• resource/aws_sfn_state_machine: Add plan-time validation of logging_configuration.log_destination (#​35941)
• resource/aws_timestreaminfluxdb_db_cluster: Add engine_type attribute (#​44899)
• resource/aws_timestreaminfluxdb_db_cluster: Add validation to ensure InfluxDB V2 clusters have required fields and InfluxDB V3 clusters (when using V3 parameter groups) do not have forbidden V2 fields. This functionality requires the timestream-influxdb:GetDbParameterGroup IAM permission (#​44899)
• resource/aws_vpclattice_resource_configuration: Add custom_domain_name and domain_verification_id arguments and domain_verification_arn and domain_verification_status attributes to support custom domain names for resource configurations (#​45085)
• resource/aws_vpn_connection: Add tunnel_bandwidth argument to support higher bandwidth tunnels (#​45070)

BUG FIXES:

• resource/aws_db_instance: Fix blue/green deployments failing with "not in available state" by improving stability and handling storage-config-upgrade and storage-initialization statuses (#​41275)
• resource/aws_elastic_beanstalk_configuration_template: Fix updates not applying by including ResourceName for option settings and preventing duplicate add/remove operations (#​45077)
• resource/aws_odb_cloud_vm_cluster: support for hyphen in odb cloud vm cluster hostname prefix. (#​45003)
• resource/aws_quicksight_account_settings: Add region argument (#​45083)
• resource/aws_s3_directory_bucket: Fix plan-time AWS resource not found during refresh warnings causing resource replacement when ReadOnly s3express:SessionMode is enforced (#​45086)
• resource/aws_ssoadmin_account_assignment: Correct target_type argument to required (#​45092)
• resource/aws_timestreaminfluxdb_db_cluster: Make allocated_storage, bucket, organization, username, and password optional to support InfluxDB V3 clusters (#​44899)

v6.21.0

Compare Source

BREAKING CHANGES:

• resource/aws_bedrockagentcore_browser: Rename network_configuration.network_mode_config to network_configuration.vpc_config (#​44828)

FEATURES:

• New Action: aws_dynamodb_create_backup (#​45001)
• New Resource: aws_networkflowmonitor_monitor (#​44782)
• New Resource: aws_networkflowmonitor_scope (#​44782)
• New Resource: aws_observabilityadmin_centralization_rule_for_organization (#​44806)

ENHANCEMENTS:

• data-source/aws_ecs_service: Add capacity_provider_strategy, created_at, created_by, deployment_configuration, deployment_controller, deployments, enable_ecs_managed_tags, enable_execute_command, events, health_check_grace_period_seconds, iam_role, network_configuration, ordered_placement_strategy, pending_count, placement_constraints, platform_family, platform_version, propagate_tags, running_count, service_connect_configuration, service_registries, status, and task_sets attributes (#​44842)
• resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.mcp_server block (#​44991)
• resource/aws_bedrockagentcore_gateway_target: Make credential_provider_configuration block optional (#​44991)
• resource/aws_cloudwatch_log_delivery_destination: Make delivery_destination_type and delivery_destination_configuration optional to support AWS X-Ray as a destination (#​44995)
• resource/aws_ecs_service: Add support for LINEAR and CANARY deployment strategies with deployment_configuration.linear_configuration and deployment_configuration.canary_configuration blocks (#​44842)
• resource/aws_lambda_function: Add support for java25 runtime value (#​45024)
• resource/aws_lambda_function: Add support for nodejs24.x runtime value (#​45024)
• resource/aws_lambda_function: Add support for python3.14 runtime value (#​45024)
• resource/aws_lambda_layer_version: Add support for java25 compatible_runtimes value (#​45024)
• resource/aws_lambda_layer_version: Add support for nodejs24.x compatible_runtimes value (#​45024)
• resource/aws_lambda_layer_version: Add support for python3.14 compatible_runtimes value (#​45024)
• resource/aws_s3tables_table: Add tagging support (#​44996)
• resource/aws_s3tables_table_bucket: Add tagging support (#​44996)
• resource/aws_sagemaker_endpoint_configuration: Add execution_role_arn argument and make model_name optional in production_variants and shadow_production_variants blocks to support Inference Components (#​44977)
• resource/aws_sns_topic: Fix AuthorizationError ... is not authorized to perform: iam:PassRole on resource ... IAM eventual consistency errors on Create and Update (#​45018)

BUG FIXES:

• provider: Fix situation where refreshes of removed infrastructure appear as errors rather than warnings (#​45022)
• resource/aws_acmpca_certificate_authority: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45050)
• resource/aws_apprunner_service: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45051)
• resource/aws_ec2_image_block_public_access: Add region argument (#​45023)
• resource/aws_ec2_serial_console_access: Add region argument (#​45064)
• resource/aws_emrcontainers_job_template: Fix ValidationException: Value null at 'jobTemplateData.configurationOverrides.monitoringConfiguration.cloudWatchMonitoringConfiguration.logGroupName' failed to satisfy constraint: Member must not be null error (#​45029)
• resource/aws_emrcontainers_job_template: Fix setting job_template_data: job_template_data.0.configuration_overrides.0.application_configuration.0: '' expected a map, got 'slice' error (#​45029)
• resource/aws_emrcontainers_job_template: Mark job_template_data.job_driver.configuration_overrides.monitoring_configuration.persistent_app_ui argument as computed (#​45029)
• resource/aws_invoicing_invoice_unit: Fix Provider returned invalid result object after apply error occurred when updating the resource (#​45030)
• resource/aws_opensearch_authorize_vpc_endpoint_access: Fix reading the resource when more than one principal is authorized. The import ID has changed from domain_name to domain_name and account separated by a comma (#​44982)
• resource/aws_redshift_cluster: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_integration: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#​44952)
• resource/aws_sagemaker_endpoint: Fix bug where endpoint_config_name was not correctly updated, causing the endpoint to retain the old configuration (#​42843)
• resource/aws_wafv2_web_acl_logging_configuration: Fix the validation for redacted_fields.single_header.name (#​44987)

v6.20.0

Compare Source

FEATURES:

• New Resource: aws_ec2_allowed_images_settings (#​44800)
• New Resource: aws_fis_target_account_configuration (#​44875)
• New Resource: aws_invoicing_invoice_unit (#​44892)

ENHANCEMENTS:

• data-source/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior attribute (#​44934)
• data-source/aws_elasticache_replication_group: Add node_group_configuration attribute to expose node group details including availability zones, replica counts, and slot ranges (#​44879)
• data-source/aws_kinesis_stream: Add max_record_size_in_kib attribute (#​44915)
• data-source/aws_opensearch_domain: Add identity_center_options attribute (#​44626)
• provider: Support us-isob-west-1 as a valid AWS Region (#​44944)
• resource/aws_cloudfront_distribution: Add logging_v1_enabled attribute (#​44838)
• resource/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior argument (#​44934)
• resource/aws_ec2_client_vpn_route: Allow IPv6 address ranges for destination_cidr_block (#​44926)
• resource/aws_ec2_instance_connect_endpoint: Add ip_address_type argument (#​44616)
• resource/aws_eks_node_group: Add max_parallel_nodes_repaired_count, max_parallel_nodes_repaired_percentage, max_unhealthy_node_threshold_count, max_unhealthy_node_threshold_percentage, and node_repair_config_overrides to the node_repair_config schema (#​44894)
• resource/aws_elasticache_replication_group: Add node_group_configuration block to support availability zone specification and snapshot restoration for cluster mode enabled replication groups (#​44879)
• resource/aws_glue_job: Ensure that timeout is unconfigured for Ray jobs (#​35012)
• resource/aws_kinesis_stream: Add max_record_size_in_kib argument to support for Kinesis 10MiB payloads. This functionality requires the kinesis:UpdateMaxRecordSize IAM permission (#​44915)
• resource/aws_opensearch_domain: Add identity_center_options configuration block (#​44626)
• resource/aws_transfer_server: Add support for TransferSecurityPolicy-AS2Restricted-2025-07 security_policy_name value (#​44865)
• resource/aws_transfer_server: Support TransferSecurityPolicy-AS2Restricted-2025-07 as a valid value for security_policy_name (#​44652)

BUG FIXES:

• resource/aws_cloudfront_continuous_deployment_policy: Fix Source type "...cloudfront.stagingDistributionDNSNamesModel" does not implement attr.Value error. This fixes a regression introduced in v6.17.0 (#​44972)
• resource/aws_cloudfront_distribution: Change logging_config.bucket argument from Required to Optional (#​44838)
• resource/aws_cloudfront_distribution: Fix inability to configure logging_config.include_cookies argument while keeping V1 logging disabled (#​44838)
• resource/aws_cloudfront_vpc_origin: Fix Source type "...cloudfront.originSSLProtocolsModel" does not implement attr.Value and missing required field, CreateVpcOriginInput.VpcOriginEndpointConfig errors. This fixes a regression introduced in v6.17.0 (#​44861)
• resource/aws_glue_job: Allow Ray jobs to be updated (#​35012)
• resource/aws_glue_job: Allow a zero (0) value for timeout for Apache Spark streaming ETL jobs. This allows the job to be configured with no timeout (#​44920)
• resource/aws_lakeformation_lf_tags: Remove incorrect validation from catalog_id, database.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​44890)
• resource/aws_launch_template: Allow an empty ("") value for block_device_mappings.ebs.kms_key_id. This fixes a regression introduced in v6.16.0 (#​44708)
• resource/aws_redshift_cluster: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_integration: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#​44952)
• resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#​44952)

v6.19.0

Compare Source

FEATURES:

• New Data Source: aws_ecrpublic_images (#​44795)
• New Resource: aws_lakeformation_identity_center_configuration (#​44867)

ENHANCEMENTS:

• action/aws_lambda_invoke: Output logs in a progress message when log_type is Tail (#​44843)
• data-source/aws_imagebuilder_image_recipe: Add ami_tags attribute (#​44731)
• data-source/aws_lb_listener_rule: Add regex_values attribute to condition.host_header, condition.http_header and condition.path_pattern blocks (#​44741)
• data-source/aws_lb_listener_rule: Add transform attribute (#​44702)
• resource/aws_bedrockagentcore_gateway: Add validator to ensure correct authorizer_configuration and authorizer_type config (#​44826)
• resource/aws_emrserverless_application: Add monitoring_configuration argument (#​43317)
• resource/aws_emrserverless_application: Add runtime_configuration argument (#​43302)
• resource/aws_identitystore_group: Adds arn attribute. (#​44867)
• resource/aws_imagebuilder_image_recipe: Add ami_tags argument (#​44731)
• resource/aws_lb_listener_rule: Add regex_values argument to condition.host_header, condition.http_header and condition.path_pattern blocks (#​44741)
• resource/aws_lb_listener_rule: Add transform configuration block (#​44702)
• resource/aws_lb_listener_rule: The values argument in condition.host_header, condition.http_header and condition.path_pattern is now optional (#​44741)
• resource/aws_quicksight_data_set: Increase upper limit of physical_table_map.relational_table.name from 64 to 256 characters (#​44807)
• resource/aws_sagemaker_notebook_instance: Add notebook-al2023-v1 to valid platform_identifier values (#​44570)
• resource/aws_sqs_queue: Remove account_id and region from Resource Identity schema (#​44846)
• resource/aws_sqs_queue_policy: Remove account_id and region from Resource Identity schema (#​44846)
• resource/aws_sqs_queue_redrive_allow_policy: Remove account_id and region from Resource Identity schema (#​44846)
• resource/aws_sqs_queue_redrive_policy: Remove account_id and region from Resource Identity schema (#​44846)

BUG FIXES:

• data-source/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#​44867)
• provider: Fix crash when setting override region during provider initialization (#​44860)
• resource/aws_bedrockagentcore_gateway: Change authorizer_configuration block from Required to Optional (#​44812)
• resource/aws_bedrockagentcore_gateway: Mark authorizer_type argument as ForceNew (#​44812)
• resource/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#​44867)

v6.18.0

Compare Source

NOTES:

• data-source/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#​44327)
• data-source/aws_organizations_organizational_unit_child_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#​44327)
• data-source/aws_organizations_organizational_unit_descendant_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#​44327)
• resource/aws_organizations_account: The status attribute is deprecated. Use state instead. (#​44327)
• resource/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#​44327)

FEATURES:

• New Resource: aws_bedrockagentcore_memory (#​44306)
• New Resource: aws_bedrockagentcore_memory_strategy (#​44306)
• New Resource: aws_bedrockagentcore_oauth2_credential_provider (#​44307)
• New Resource: aws_bedrockagentcore_token_vault_cmk (#​44606)
• New Resource: aws_bedrockagentcore_workload_identity (#​44308)

ENHANCEMENTS:

• data-source/aws_iam_policy: Adds validation for path_prefix attribute (#​44703)
• data-source/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#​44327)
• data-source/aws_organizations_organizational_unit_child_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#​44327)
• data-source/aws_organizations_organizational_unit_descendant_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#​44327)
• resource/aws_appstream_directory_config: Add certificate_based_auth_properties argument (#​44679)
• resource/aws_iam_policy: Adds List support (#​44703)
• resource/aws_iam_policy: Adds validation for path attribute (#​44703)
• resource/aws_iam_role_policy_attachment: Adds List support (#​44739)
• resource/aws_odb_network: Add delete_associated_resources attribute to enable practitioner to delete associated oci resource. (#​44754)
• resource/aws_organizations_account: Add state attribute (#​44327)
• resource/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#​44327)

BUG FIXES:

• data-source/aws_vpn_connection: Properly set tags attribute (#​44761)
• resource/aws_rds_cluster: Fix "When modifying Provisioned IOPS storage, specify a value for both allocated storage and iops" error when updating RDS clusters with Provisioned IOPS storage (#​44706)
• resource/guardduty_detector_feature: Fix additional_configuration block to ignore ordering (#​44627)

v6.17.0

Compare Source

NOTES:

• resource/aws_quicksight_account_subscription: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​44638)

FEATURES:

• New Data Source: aws_rds_global_cluster (#​37286)
• New Data Source: aws_vpn_connection (#​44622)
• New Resource: aws_bedrockagentcore_agent_runtime (#​44301)
• New Resource: aws_bedrockagentcore_agent_runtime_endpoint (#​44301)
• New Resource: aws_bedrockagentcore_api_key_credential_provider (#​44302)
• New Resource: aws_bedrockagentcore_browser (#​44303)
• New Resource: aws_bedrockagentcore_code_interpreter (#​44304)
• New Resource: aws_bedrockagentcore_gateway (#​44305)
• New Resource: aws_bedrockagentcore_gateway_target (#​44305)

ENHANCEMENTS:

• resource/aws_imagebuilder_container_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#​44604)
• resource/aws_imagebuilder_image_recipe: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#​44604)
• resource/aws_launch_template: Update EBS throughput maximum validation from 1000 to 2000 MiB/s for gp3 volumes (#​44604)
• resource/aws_quicksight_account_subscription: Add admin_pro_group, author_pro_group, and reader_pro_group arguments (#​44638)
• resource/aws_subnet: Adds List support (#​44671)
• resource/aws_vpc: Adds List support (#​44609)

BUG FIXES:

• resource/aws_ec2_transit_gateway_route_table_propagation.test: Fix bug causing inconsistent final plan errors (#​44542)
• resource/aws_lambda_function: Reset non-API attributes (source_code_hash, s3_bucket, s3_key, s3_object_version and filename) to their previous values when an update operation fails (#​42829)

v6.16.0

Compare Source

FEATURES:

• New Action: aws_transcribe_start_transcription_job (#​44445)
• New Data Source: aws_odb_cloud_autonomous_vm_clusters (#​44336)
• New Data Source: aws_odb_cloud_exadata_infrastructures (#​44336)
• New Data Source: aws_odb_cloud_vm_clusters (#​44336)
• New Data Source: aws_odb_network_peering_connections (#​44336)
• New Data Source: aws_odb_networks (#​44336)
• New Resource: aws_prometheus_resource_policy (#​44256)
• New Resource: aws_transfer_host_key (#​44559)
• New Resource: aws_transfer_web_app (#​42708)
• New Resource: aws_transfer_web_app_customization (#​42708)

ENHANCEMENTS:

• resource/aws_codebuild_project: Add auto_retry_limit argument (#​40035)
• resource/aws_emrserverless_application: Add scheduler_configuration block (#​44589)
• resource/aws_lambda_event_source_mapping: Add schema_registry_config configuration blocks to amazon_managed_kafka_event_source_config and self_managed_kafka_event_source_config blocks (#​44540)
• resource/aws_ssmcontacts_contact: Add resource identity support (#​44548)
• resource/aws_vpclattice_resource_gateway: Add ipv4_addresses_per_eni argument (#​44560)

BUG FIXES:

• provider: Correctly validate AWS European Sovereign Cloud Regions in ARNs (#​44573)
• provider: Fix Missing Resource Identity After Update errors for non-refreshed and failed updates of Plugin Framework based resources (#​44518)
• provider: Fix Unexpected Identity Change errors when fully-null identity values in state are updated to valid values for Plugin Framework based resources (#​44518)
• resource/aws_datazone_environment: Correctly updates glossary_terms. (#​44491)
• resource/aws_datazone_environment: Prevents unknown value error when optional account_identifier is not specified. (#​44491)
• resource/aws_datazone_environment: Prevents unknown value error when optional account_region is not specified. (#​44491)
• resource/aws_datazone_environment: Prevents error when updating. (#​44491)
• resource/aws_datazone_environment: Prevents occasional unexpected state error when deleting. (#​44491)
• resource/aws_datazone_environment: Properly passes blueprint_identifier on creation. (#​44491)
• resource/aws_datazone_environment: Sets values for user_parameters when importing. (#​44491)
• resource/aws_datazone_environment: Values in user_parameters should not be updateable. (#​44491)
• resource/aws_datazone_project: No longer ignores errors when deleting. (#​44491)
• resource/aws_datazone_project: No longer returns error when already deleting. (#​44491)
• resource/aws_dynamodb_table: Do not retry on LimitExceededException (#​44576)
• resource/aws_ivschat_room: Set maximum_message_rate_per_second validation maximum to 100 (#​44572)
• resource/aws_launch_template: kms_key_id validation now accepts key ID, alias, and alias ARN in addition to key ARN (#​44505)
• resource/aws_servicecatalog_portfolio_share: Add global mutex lock around create and delete operations to prevent ThrottlingException errors (#​24730)

v6.15.0

Compare Source

BREAKING CHANGES:

• resource/aws_ecs_service: Fix behavior when updating capacity_provider_strategy to avoid ECS service recreation after recent AWS changes (#​43533)

FEATURES:

• New Action: aws_codebuild_start_build (#​44444)
• New Action: aws_events_put_events (#​44487)
• New Action: aws_sfn_start_execution (#​44464)
• New Data Source: aws_appconfig_application (#​44168)
• New Data Source: aws_odb_db_node (#​43792)
• New Data Source: aws_odb_db_nodes (#​43792)
• New Data Source: aws_odb_db_server (#​43792)
• New Data Source: aws_odb_db_servers (#​43792)
• New Data Source: aws_odb_db_system_shapes (#​43825)
• New Data Source: aws_odb_gi_versions (#​43825)
• New Resource: aws_lakeformation_lf_tag_expression (#​43883)

ENHANCEMENTS:

• data-source/aws_dms_endpoint: Add mysql_settings attribute (#​44516)
• data-source/aws_ec2_instance_type_offering: Add location attribute (#​44328)
• data-source/aws_rds_proxy: Add default_auth_scheme attribute (#​44309)
• resource/aws_cleanrooms_configured_table: Add resource identity support (#​44435)
• resource/aws_cloudfront_distribution: Add ip_address_type argument to origin.custom_origin_config block (#​44463)
• resource/aws_connect_instance: Add resource identity support (#​44346)
• resource/aws_connect_phone_number: Add resource identity support ([#​44365](https://redirect.gith

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[env0]

🚀  env0 had composed a PR Plan for environment Autoupgrade / Renovate Terraform :

 🚨 PR Plan Failed 🚨

Failure Details

╷
│ Error: Failed to resolve provider packages
│ 
│ Could not resolve provider hashicorp/aws: no available releases match the
│ given constraints >= 5.27.0, 6.23.0
╵

Full PR Plan logs on env0

Get instant insights with AI Summary

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Bug: AWS Provider Version Mismatch

The AWS provider was updated to version 6.17.0, but the PR description states the update should be to 6.16.0. This discrepancy means the actual change exceeds the documented intent, and version 6.17.0 is not covered by the provided release notes.