Skip to content

chore(deps): update terraform aws to v6.21.0

renovaterequested to merge
renovate/aws-6.x-lockfile into main

This MR contains the following updates:

Package Type Update Change
aws (source) required_provider minor 6.17.0 -> 6.21.0

View the Renovate pipeline for this MR

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.21.0

Compare Source

BREAKING CHANGES:

  • resource/aws_bedrockagentcore_browser: Rename network_configuration.network_mode_config to network_configuration.vpc_config (#​44828)

FEATURES:

  • New Action: aws_dynamodb_create_backup (#​45001)
  • New Resource: aws_networkflowmonitor_monitor (#​44782)
  • New Resource: aws_networkflowmonitor_scope (#​44782)
  • New Resource: aws_observabilityadmin_centralization_rule_for_organization (#​44806)

ENHANCEMENTS:

  • data-source/aws_ecs_service: Add capacity_provider_strategy, created_at, created_by, deployment_configuration, deployment_controller, deployments, enable_ecs_managed_tags, enable_execute_command, events, health_check_grace_period_seconds, iam_role, network_configuration, ordered_placement_strategy, pending_count, placement_constraints, platform_family, platform_version, propagate_tags, running_count, service_connect_configuration, service_registries, status, and task_sets attributes (#​44842)
  • resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.mcp_server block (#​44991)
  • resource/aws_bedrockagentcore_gateway_target: Make credential_provider_configuration block optional (#​44991)
  • resource/aws_cloudwatch_log_delivery_destination: Make delivery_destination_type and delivery_destination_configuration optional to support AWS X-Ray as a destination (#​44995)
  • resource/aws_ecs_service: Add support for LINEAR and CANARY deployment strategies with deployment_configuration.linear_configuration and deployment_configuration.canary_configuration blocks (#​44842)
  • resource/aws_lambda_function: Add support for java25 runtime value (#​45024)
  • resource/aws_lambda_function: Add support for nodejs24.x runtime value (#​45024)
  • resource/aws_lambda_function: Add support for python3.14 runtime value (#​45024)
  • resource/aws_lambda_layer_version: Add support for java25 compatible_runtimes value (#​45024)
  • resource/aws_lambda_layer_version: Add support for nodejs24.x compatible_runtimes value (#​45024)
  • resource/aws_lambda_layer_version: Add support for python3.14 compatible_runtimes value (#​45024)
  • resource/aws_s3tables_table: Add tagging support (#​44996)
  • resource/aws_s3tables_table_bucket: Add tagging support (#​44996)
  • resource/aws_sagemaker_endpoint_configuration: Add execution_role_arn argument and make model_name optional in production_variants and shadow_production_variants blocks to support Inference Components (#​44977)
  • resource/aws_sns_topic: Fix AuthorizationError ... is not authorized to perform: iam:PassRole on resource ... IAM eventual consistency errors on Create and Update (#​45018)

BUG FIXES:

  • provider: Fix situation where refreshes of removed infrastructure appear as errors rather than warnings (#​45022)
  • resource/aws_apprunner_service: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45050)
  • resource/aws_apprunner_service: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45051)
  • resource/aws_ec2_image_block_public_access: Add region argument (#​45023)
  • resource/aws_ec2_serial_console_access: Add region argument (#​45064)
  • resource/aws_emrcontainers_job_template: Fix ValidationException: Value null at 'jobTemplateData.configurationOverrides.monitoringConfiguration.cloudWatchMonitoringConfiguration.logGroupName' failed to satisfy constraint: Member must not be null error (#​45029)
  • resource/aws_emrcontainers_job_template: Fix setting job_template_data: job_template_data.0.configuration_overrides.0.application_configuration.0: '' expected a map, got 'slice' error (#​45029)
  • resource/aws_emrcontainers_job_template: Mark job_template_data.job_driver.configuration_overrides.monitoring_configuration.persistent_app_ui argument as computed (#​45029)
  • resource/aws_invoicing_invoice_unit: Fix Provider returned invalid result object after apply error occurred when updating the resource (#​45030)
  • resource/aws_opensearch_authorize_vpc_endpoint_access: Fix reading the resource when more than one principal is authorized. The import ID has changed from domain_name to domain_name and account separated by a comma (#​44982)
  • resource/aws_redshift_cluster: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_integration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#​44952)
  • resource/aws_sagemaker_endpoint: Fix bug where endpoint_config_name was not correctly updated, causing the endpoint to retain the old configuration (#​42843)
  • resource/aws_wafv2_web_acl_logging_configuration: Fix the validation for redacted_fields.single_header.name (#​44987)

v6.20.0

Compare Source

FEATURES:

  • New Resource: aws_ec2_allowed_images_settings (#​44800)
  • New Resource: aws_fis_target_account_configuration (#​44875)
  • New Resource: aws_invoicing_invoice_unit (#​44892)

ENHANCEMENTS:

  • data-source/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior attribute (#​44934)
  • data-source/aws_elasticache_replication_group: Add node_group_configuration attribute to expose node group details including availability zones, replica counts, and slot ranges (#​44879)
  • data-source/aws_kinesis_stream: Add max_record_size_in_kib attribute (#​44915)
  • data-source/aws_opensearch_domain: Add identity_center_options attribute (#​44626)
  • provider: Support us-isob-west-1 as a valid AWS Region (#​44944)
  • resource/aws_cloudfront_distribution: Add logging_v1_enabled attribute (#​44838)
  • resource/aws_connect_routing_profile: Add media_concurrencies.cross_channel_behavior argument (#​44934)
  • resource/aws_ec2_client_vpn_route: Allow IPv6 address ranges for destination_cidr_block (#​44926)
  • resource/aws_ec2_instance_connect_endpoint: Add ip_address_type argument (#​44616)
  • resource/aws_eks_node_group: Add max_parallel_nodes_repaired_count, max_parallel_nodes_repaired_percentage, max_unhealthy_node_threshold_count, max_unhealthy_node_threshold_percentage, and node_repair_config_overrides to the node_repair_config schema (#​44894)
  • resource/aws_elasticache_replication_group: Add node_group_configuration block to support availability zone specification and snapshot restoration for cluster mode enabled replication groups (#​44879)
  • resource/aws_glue_job: Ensure that timeout is unconfigured for Ray jobs (#​35012)
  • resource/aws_kinesis_stream: Add max_record_size_in_kib argument to support for Kinesis 10MiB payloads. This functionality requires the kinesis:UpdateMaxRecordSize IAM permission (#​44915)
  • resource/aws_opensearch_domain: Add identity_center_options configuration block (#​44626)
  • resource/aws_transfer_server: Add support for TransferSecurityPolicy-AS2Restricted-2025-07 security_policy_name value (#​44865)
  • resource/aws_transfer_server: Support TransferSecurityPolicy-AS2Restricted-2025-07 as a valid value for security_policy_name (#​44652)

BUG FIXES:

  • resource/aws_cloudfront_continuous_deployment_policy: Fix Source type "...cloudfront.stagingDistributionDNSNamesModel" does not implement attr.Value error. This fixes a regression introduced in v6.17.0 (#​44972)
  • resource/aws_cloudfront_distribution: Change logging_config.bucket argument from Required to Optional (#​44838)
  • resource/aws_cloudfront_distribution: Fix inability to configure logging_config.include_cookies argument while keeping V1 logging disabled (#​44838)
  • resource/aws_cloudfront_vpc_origin: Fix Source type "...cloudfront.originSSLProtocolsModel" does not implement attr.Value and missing required field, CreateVpcOriginInput.VpcOriginEndpointConfig errors. This fixes a regression introduced in v6.17.0 (#​44861)
  • resource/aws_glue_job: Allow Ray jobs to be updated (#​35012)
  • resource/aws_glue_job: Allow a zero (0) value for timeout for Apache Spark streaming ETL jobs. This allows the job to be configured with no timeout (#​44920)
  • resource/aws_lakeformation_lf_tags: Remove incorrect validation from catalog_id, database.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​44890)
  • resource/aws_launch_template: Allow an empty ("") value for block_device_mappings.ebs.kms_key_id. This fixes a regression introduced in v6.16.0 (#​44708)
  • resource/aws_redshift_cluster: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_integration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#​44952)

v6.19.0

Compare Source

FEATURES:

  • New Data Source: aws_ecrpublic_images (#​44795)
  • New Resource: aws_lakeformation_identity_center_configuration (#​44867)

ENHANCEMENTS:

  • action/aws_lambda_invoke: Output logs in a progress message when log_type is Tail (#​44843)
  • data-source/aws_imagebuilder_image_recipe: Add ami_tags attribute (#​44731)
  • data-source/aws_lb_listener_rule: Add regex_values attribute to condition.host_header, condition.http_header and condition.path_pattern blocks (#​44741)
  • data-source/aws_lb_listener_rule: Add transform attribute (#​44702)
  • resource/aws_bedrockagentcore_gateway: Add validator to ensure correct authorizer_configuration and authorizer_type config (#​44826)
  • resource/aws_emrserverless_application: Add monitoring_configuration argument (#​43317)
  • resource/aws_emrserverless_application: Add runtime_configuration argument (#​43302)
  • resource/aws_identitystore_group: Adds arn attribute. (#​44867)
  • resource/aws_imagebuilder_image_recipe: Add ami_tags argument (#​44731)
  • resource/aws_lb_listener_rule: Add regex_values argument to condition.host_header, condition.http_header and condition.path_pattern blocks (#​44741)
  • resource/aws_lb_listener_rule: Add transform configuration block (#​44702)
  • resource/aws_lb_listener_rule: The values argument in condition.host_header, condition.http_header and condition.path_pattern is now optional (#​44741)
  • resource/aws_quicksight_data_set: Increase upper limit of physical_table_map.relational_table.name from 64 to 256 characters (#​44807)
  • resource/aws_sagemaker_notebook_instance: Add notebook-al2023-v1 to valid platform_identifier values (#​44570)
  • resource/aws_sqs_queue: Remove account_id and region from Resource Identity schema (#​44846)
  • resource/aws_sqs_queue_policy: Remove account_id and region from Resource Identity schema (#​44846)
  • resource/aws_sqs_queue_redrive_allow_policy: Remove account_id and region from Resource Identity schema (#​44846)
  • resource/aws_sqs_queue_redrive_policy: Remove account_id and region from Resource Identity schema (#​44846)

BUG FIXES:

  • data-source/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#​44867)
  • provider: Fix crash when setting override region during provider initialization (#​44860)
  • resource/aws_bedrockagentcore_gateway: Change authorizer_configuration block from Required to Optional (#​44812)
  • resource/aws_bedrockagentcore_gateway: Mark authorizer_type argument as ForceNew (#​44812)
  • resource/aws_lakeformation_permissions: Allows IAM Identity Center Groups as principal. (#​44867)

v6.18.0

Compare Source

NOTES:

  • data-source/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#​44327)
  • data-source/aws_organizations_organizational_unit_child_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#​44327)
  • data-source/aws_organizations_organizational_unit_descendant_accounts: The accounts.status attribute is deprecated. Use accounts.state instead. (#​44327)
  • resource/aws_organizations_account: The status attribute is deprecated. Use state instead. (#​44327)
  • resource/aws_organizations_organization: The accounts.status and non_master_accounts.status attributes are deprecated. Use the accounts.state and non_master_accounts.state attributes instead. (#​44327)

FEATURES:

  • New Resource: aws_bedrockagentcore_memory (#​44306)
  • New Resource: aws_bedrockagentcore_memory_strategy (#​44306)
  • New Resource: aws_bedrockagentcore_oauth2_credential_provider (#​44307)
  • New Resource: aws_bedrockagentcore_token_vault_cmk (#​44606)
  • New Resource: aws_bedrockagentcore_workload_identity (#​44308)

ENHANCEMENTS:

  • data-source/aws_iam_policy: Adds validation for path_prefix attribute (#​44703)
  • data-source/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#​44327)
  • data-source/aws_organizations_organizational_unit_child_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#​44327)
  • data-source/aws_organizations_organizational_unit_descendant_accounts: Add state, joined_method, and joined_timestamp attributes to the accounts block (#​44327)
  • resource/aws_appstream_directory_config: Add certificate_based_auth_properties argument (#​44679)
  • resource/aws_iam_policy: Adds List support (#​44703)
  • resource/aws_iam_policy: Adds validation for path attribute (#​44703)
  • resource/aws_iam_role_policy_attachment: Adds List support (#​44739)
  • resource/aws_odb_network: Add delete_associated_resources attribute to enable practitioner to delete associated oci resource. (#​44754)
  • resource/aws_organizations_account: Add state attribute (#​44327)
  • resource/aws_organizations_organization: Add state, joined_method, and joined_timestamp attributes to the accounts and non_master_accounts blocks (#​44327)

BUG FIXES:

  • data-source/aws_vpn_connection: Properly set tags attribute (#​44761)
  • resource/aws_rds_cluster: Fix "When modifying Provisioned IOPS storage, specify a value for both allocated storage and iops" error when updating RDS clusters with Provisioned IOPS storage (#​44706)
  • resource/guardduty_detector_feature: Fix additional_configuration block to ignore ordering (#​44627)

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by renovate

Merge request reports