Releases: hashicorp/terraform-provider-aws

v2.59.0

24 Apr 00:34

NOTES:

  • provider: Region validation now automatically supports the new af-south-1 (Africa (Cape Town)) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the AWS Documentation. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g. error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid) or AWS operations will throw their own errors (e.g. data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials). (#12715)
  • resource/aws_iam_user: The additional force_destroy behavior for handling signing certificates requires two additional IAM permissions (iam:ListSigningCertificates and iam:DeleteSigningCertificate). Restrictive IAM permissions for Terraform runs may require updates. (#10542)
  • resource/aws_rds_cluster: Due to recent API support for Aurora MySQL 5.7 and PostgreSQL Global Clusters which implemented the engine mode as provisioned instead of the previous global for Aurora MySQL 5.6, the resource now requires the DescribeGlobalClusters API call. Restrictive IAM permissions may require updates. (#12867)

FEATURES:

  • New Resource: aws_apigatewayv2_api_mapping (#9461)
  • New Resource: aws_apigatewayv2_vpc_link (#12577)

ENHANCEMENTS:

  • data-source/aws_acm_certificate: Add tags output (#11659)
  • data-source/aws_cloudtrail_service_account: Support af-south-1 region (#12967)
  • data-source/aws_elastic_beanstalk_hosted_zone: Support af-south-1 region (#12967)
  • data-source/aws_elb_hosted_zone_id: Support af-south-1 region (#12967)
  • data-source/aws_elb_service_account: Support af-south-1 region (#12967)
  • data-source/aws_s3_bucket: Support af-south-1 region for hosted_zone_id attribute (#12967)
  • provider: Support automatic region validation for af-south-1 (#12715)
  • resource/aws_apigatewayv2_api: Add cors_configuration, credentials_arn, route_key and target attributes (#12452)
  • resource/aws_appsync_graphql_api: Add log_config configuration block exclude_verbose_content argument (#12884)
  • resource/aws_config_configuration_recorder: Prevent error during deletion operation when resource is missing (#12734)
  • resource/aws_default_network_acl: Support import (#12924)
  • resource/aws_lambda_alias: Suppress differences for equivalent function_name argument values of name versus ARN (#12902)
  • resource/aws_network_acl_rule: Support import (#12921)
  • resource/aws_route: Add plan-time validation for destination_cidr_block and destination_ipv6_cidr_block arguments (#12890)
  • resource/aws_s3_bucket: Support af-south-1 region for hosted_zone_id attribute (#12967)
  • resource/aws_service_discovery_private_dns_namespace: Support import (#12929)
  • resource/aws_ssm_activation: Support import (#12933)
  • resource/aws_ssm_maintenance_window_target: Add plan-time validation to resource_type argument (#11783)
  • resource/aws_ssm_maintenance_window_target: Support import (#12935)
  • resource/aws_volume_attachment: Support import (#12948)
  • resource/aws_waf_ipset: Add plan-time validation for ip_set_descriptors configuration block arguments (#12775)
  • resource/aws_waf_sql_injection_match_set: Support import (#11657)
  • resource/aws_waf_xss_match_set: Add plan-time validation for xss_match_tuples configuration block arguments (#12777)
  • resource/aws_wafregional_web_acl: Add plan-time validation to various arguments (#12793)

BUG FIXES:

  • data-source/aws_launch_template: Prevent type error with network_interfaces associate_public_ip_address attribute (#12936)
  • resource/aws_glue_security_configuration: Prevent empty string KMS Key ARN in S3 Encryption settings (#12898)
  • resource/aws_iam_user: Ensure force_destroy argument removes signing certificates when enabled (#10542)
  • resource/aws_rds_cluster: Prevent unexpected global_cluster_identifier differences and deletion error with aurora-mysql and aurora-postgresql Global Cluster members (#12867)
  • resource/aws_route: Prevent not found after creation error with destination_ipv6_cidr_block set to ::0/0 (#12890)

v2.58.0

17 Apr 00:41

FEATURES:

  • New Data Source: aws_regions (#12269)
  • New Resource: aws_apigatewayv2_deployment (#9245)
  • New Resource: aws_apigatewayv2_domain_name (#9391)
  • New Resource: aws_apigatewayv2_integration_response (#9365)
  • New Resource: aws_apigatewayv2_route (#8881)
  • New Resource: aws_apigatewayv2_route_response (#9373)
  • New Resource: aws_apigatewayv2_stage (#9232)
  • New Resource: aws_dms_event_subscription (#7170)

ENHANCEMENTS:

  • data-source/aws_dynamodb_table: Add replica attribute (initial support for Global Tables V2 (version 2019.11.21)) (#12342)
  • data-source/aws_instance: Exports volume_name for root_block_device (#12620)
  • resource/aws_backup_plan: Add rule configuration block copy_action configuration block (support cross region copy) (#11923)
  • resource/aws_cognito_identity_provider: Support plan-time validation for idp_identifiers, provider_name, and provider_type arguments (#10705)
  • resource/aws_dms_endpoint: Add elasticsearch_settings configuration block and elasticsearch to engine_name validation (support Elasticsearch endpoints) (#11792)
  • resource/aws_dms_endpoint: Add kinesis_settings configuration block and kinesis to engine_name validation (support Kinesis endpoints) (#8633)
  • resource/aws_dynamodb_table: Add replica configuration block (initial support for Global Tables V2 (version 2019.11.21)) (#12342)
  • resource/aws_ec2_client_vpn_endpoint: Allow two authentication_options configuration blocks (#12819)
  • resource/aws_instance: Allow changing root volume size without re-creating resource (#12620)
  • resource/aws_instance: Exports volume_name for root_block_device (#12620)

BUG FIXES:

  • resource/aws_dlm_lifecycle_policy: Ensure plan-time validation for times argument only allows 24 hour format (#12800)

v2.57.0

10 Apr 00:34

BREAKING CHANGES:

  • provider: The configuration for the preview ignore tags functionality has been updated to include a wrapping configuration block. For example:
      provider "aws" {
        ignore_tags {
          keys = ["TagKey1"]
        }
      }

FEATURES:

  • New Data Source: aws_cloudfront_distribution (#6468)
  • New Resource: aws_apigatewayv2_authorizer (#9228)
  • New Resource: aws_apigatewayv2_integration (#8949)
  • New Resource: aws_apigatewayv2_model (#8912)

ENHANCEMENTS:

  • data-source/aws_lambda_layer_version: Support plan-time validation for compatible_runtime argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
  • resource/aws_cloudhsm_v2_cluster: Support tag-on-create (#11683)
  • resource/aws_docdb_cluster: Add deletion_protection argument (#12650)
  • resource/aws_egress_only_internet_gateway: Add tags argument (#11568)
  • resource/aws_lambda_function: Support plan-time validation for runtime argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
  • resource/aws_lambda_layer_version: Support plan-time validation for compatible_runtimes argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
  • resource/aws_rds_global_cluster: Add aurora-postgresql to engine argument plan-time validation (#12401)
  • resource/aws_redshift_snapshot_copy_grant: Support resource import (#10350)
  • resource/aws_spot_fleet_request: Add tags argument (support tagging of Spot Fleet Request itself) (#12295)
  • resource/aws_spot_fleet_request: Support plan-time validation for launch_specification configuration block ebs_block_device volume_type, iam_instance_profile_arn, placement_tenancy, and root_block_device volume_type arguments (#12295)
  • resource/aws_spot_fleet_request: Support plan-time validation for allocation_strategy, instance_interruption_behaviour, and target_group_arns arguments (#12295)
  • service/ec2: Prevent eventual consistency errors tagging resources on creation (#12735)

BUG FIXES:

  • resource/aws_appautoscaling_policy: Fix error when importing DynamoDB Table Index policy (#11232)
  • resource/aws_db_instance: Allow creating read replica into RAM shared Subnet with VPC Security Group (#12700)
  • resource/aws_kms_key: Prevent eventual consistency related errors on creation (#12738)
  • resource/aws_lb_target_group: Automatically propose resource recreation for TCP protocol Target Groups when health_check configuration block interval, protocol, or timeout argument values are updated (#4568)

v2.56.0

03 Apr 01:12

NOTES:

  • resource/aws_emr_cluster: The bug fix in this release will potentially re-create EMR Clusters with multiple bootstrap actions, since bootstrap actions cannot be modified in place. To avoid re-creation, temporarily add the ignore_changes lifecycle configuration argument and/or update the order in your Terraform configuration.

ENHANCEMENTS:

  • data-source/aws_launch_template: Add hibernation_options attribute (#12492)
  • resource/aws_codepipeline: Adds cross-region action support (#12549)
  • resource/aws_dx_connection: Support 2Gbps and 5Gbps values in plan-time validation for bandwidth argument (#12559)
  • resource/aws_dx_lag: Support 2Gbps and 5Gbps values in plan-time validation for bandwidth argument (#12559)
  • resource/aws_elastic_transcoder_preset: Support plan-time validation for role argument (#12575)
  • resource/aws_kms_grant: Support resource import (#11991)
  • resource/aws_launch_template: Add hibernation_options configuration block (#12492)

BUG FIXES:

  • resource/aws_codedeploy_deployment_group: Fix blue_green_deployment_config updates for ECS (#11885)
  • resource/aws_emr_cluster: Now properly sets the order when multiple bootstrap actions are defined
  • resource/aws_kms_grant: Remove resource from Terraform state instead of error if removed outside Terraform (#12560)
  • resource/aws_s3_bucket: Prevent various panics with empty configuration blocks (#12614)
  • resource/aws_volume_attachment: Ensure any error is shown while waiting for volume to detach (#12596)

v2.55.0

27 Mar 22:01

FEATURES:

  • New Resource: aws_ec2_availability_zone_group (#12400)

ENHANCEMENTS:

  • data-source/aws_availability_zone: Add all_availability_zones and filter arguments (#12400)
  • data-source/aws_availability_zone: Add group_name, network_border_group, and opt_in_status attributes (#12400)
  • data-source/aws_availability_zones: Add all_availability_zones and filter arguments (#12400)
  • data-source/aws_availability_zones: Add group_names attribute (#12400)
  • data-source/aws_ec2_transit_gateway_dx_gateway_attachment: Add filter and tags arguments (#12516)
  • data-source/aws_ec2_transit_gateway_vpn_attachment: Add filter and tags arguments (#12415)
  • data-source/aws_instance: Add metadata_options attribute (#12491)
  • data-source/aws_launch_template: Add filter and tags arguments (#12403)
  • data-source/aws_launch_template: Add metadata_options attribute (#12491)
  • data-source/aws_prefix_list: Add filter argument (#12416)
  • data-source/aws_vpc_endpoint_service: Add filter and tags arguments (#12404)
  • resource/aws_athena_workgroup: Add force_destroy argument (#12254)
  • resource/aws_cloudwatch_log_metric_filter: Support resource import (#11992)
  • resource/aws_flow_log: Add max_aggregation_interval argument (#12483)
  • resource/aws_instance: Add metadata_options configuration block (support IMDSv2) (#12491)
  • resource/aws_launch_template: Add metadata_options configuration block (support IMDSv2) (#12491)
  • resource/aws_msk_cluster: Add logging_info configuration block (support CloudWatch, Firehose, and S3 logging) (#12215)
  • resource/aws_mq_configuration: Support plan-time validation for engine_type argument (#11843)
  • resource/aws_route53_health_check: Add plan-time validation to insufficient_data_health_status (#12305)
  • resource/aws_storagegateway_nfs_file_share: Add path attribute (#12530)

BUG FIXES:

  • resource/aws_db_instance: Allow restoring from snapshot into RAM shared Subnet with VPC Security Group (#12447)
  • resource/aws_mq_configuration: Remove extraneous ListTags API call during refresh (#11843)
  • resource/aws_neptune_cluster_instance: Add missing configuring-log-exports as allowed pending state (#12079)
  • resource/aws_route53_health_check: Do not recreate health check when using compressed ipv6 address (#12305)

v2.54.0

19 Mar 16:39

FEATURES:

  • New Resource: aws_kinesis_video_stream (#8291)
  • New Resource: aws_securityhub_member (#6975)

ENHANCEMENTS:

  • data-source/aws_iam_role: Add tags attribute (#12349)
  • data-source/aws_lb: Add drop_invalid_header_fields attribute (#11257)
  • provider: Support AWS shared configuration file duration_seconds setting for assume role (#12359)
  • resource/aws_backup_plan: Support resource import (#12381)
  • resource/aws_cognito_user_pool: Add email_configuration configuration block from_email_address argument (#11607)
  • resource/aws_cognito_user_pool: Add username_configuration configuration block (Support case insensitive usernames) (#12317)
  • resource/aws_cognito_user_pool_client: Add analytics_configuration configuration block (Support Pinpoint analytics) (#11762)
  • resource/aws_cognito_user_pool_client: Add prevent_user_existence_errors argument (#11604)
  • resource/aws_dlm_lifecycle_policy: Support plan-time validation for 1 hour schedules in policy_details schedule create_rule interval argument (#12327)
  • resource/aws_inspector_assessment_template: Add tags argument (#12375)
  • resource/aws_inspector_assessment_template: Support resource import (#12375)
  • resource/aws_lambda_function: Support plan-time validation for handler argument (#12411)
  • resource/aws_lb: Add drop_invalid_header_fields argument (#11257)
  • resource/aws_nat_gateway: Support tag-on-create (#12347)
  • resource/aws_opsworks_application: Support resource import (#12383)
  • resource/aws_opsworks_application: Add plan-time validation to data_source_arn and data_source_type arguments and app_source configuration block type argument (#12383)
  • resource/aws_opsworks_custom_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_ganglia_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_haproxy_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_java_app_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_memcached_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_mysql_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_nodejs_app_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_php_app_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_rails_app_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_opsworks_static_web_layer: Add tags argument, arn attribute, and plan-time validation to custom_instance_profile_arn argument (#11667)
  • resource/aws_vpc_dhcp_options_association: Support resource import (#7252)

BUG FIXES:

  • resource/aws_api_gateway_rest_api: Ignore ordering differences for endpoint_configuration configuration block vpc_endpoint_ids argument (#12350)
  • resource/aws_backup_selection: Automatically retry on additional IAM Role eventual consistency error (#10687)
  • resource/aws_backup_vault: Remove resource from Terraform state when deleted outside Terraform (#11845)
  • resource/aws_cognito_user_pool_client: Ignore ordering differences for callback_urls, logout_urls, and supported_identity_providers arguments (#12388)
  • resource/aws_ebs_snapshot_copy: Return API errors instead of panic if unable to read snapshot (#12283)
  • resource/aws_kinesis_stream: Ensure kms_key_id argument in-place updates complete successfully (#12008)
  • resource/aws_lambda_alias: Propose resource recreation for function_name argument updates (#11170)
  • resource/aws_opsworks_application: Mark app_source configuration block ssh_key argument as sensitive (#11984)
  • resource/aws_opsworks_stack: Mark custom_cookbooks_source configuration block ssh_key argument as sensitive (#11984)
  • resource/aws_s3_bucket: Retry NoSuchBucket error when setting tags during resource creation (#12418)

v2.53.0

12 Mar 21:28

NOTES:

  • resource/aws_cognito_user_pool: The addition of Software Token MFA support required the use of new GetUserPoolMfaConfig and SetUserPoolMfaConfig API calls. Restrictive IAM permissions for Terraform may require updates. (#12358)

FEATURES:

  • New Resource: aws_apigatewayv2_api (#8842)

ENHANCEMENTS:

  • resource/aws_appsync_graphql_api: Add xray_enabled argument (#11972)
  • resource/aws_cloud9_environment_ec2: Add tags argument (#12132)
  • resource/aws_cognito_user_pool: Add software_token_mfa_configuration configuration block (Support Time-based One-Time Password (TOTP) Multi-Factor Authentication) (#12358)
  • resource/aws_ec2_traffic_mirror_filter: Add tags argument (#12133)
  • resource/aws_ec2_traffic_mirror_session: Add tags argument (#12134)
  • resource/aws_ec2_traffic_mirror_target: Add tags argument and network_load_balancer_arn plan-time validation (#12135)
  • resource/aws_flow_log: Add tags argument (#12273)
  • resource/aws_flow_log: Add iam_role_arn and log_destination plan-time validation (#12273)
  • resource/aws_globalaccelerator_accelerator: Add tags argument (#12309)
  • resource/aws_vpc_endpoint: Support tag-on-create (#12288)
  • resource/aws_vpc_endpoint_service: Support tag-on-create and add network_load_balancer_arns plan-time validation (#12290)

BUG FIXES:

  • resource/aws_vpn_gateway: Automatically retry on DetachVpnGateway calls receiving InvalidParameterValue: This call cannot be completed because there are pending VPNs or Virtual Interfaces (#11720)
  • resource/aws_vpn_gateway_attachment: Automatically retry on DetachVpnGateway calls receiving InvalidParameterValue: This call cannot be completed because there are pending VPNs or Virtual Interfaces (#11720)

v2.52.0

06 Mar 19:22

FEATURES:

  • New Data Source: aws_ec2_instance_type_offering (#12139)
  • New Data Source: aws_ec2_instance_type_offerings (#12139)

ENHANCEMENTS:

  • resource/aws_eks_cluster: Add encryption_config configuration block (#12280)
  • resource/aws_globalaccelerator_accelerator: Add dns_name and hosted_zone_id attributes (#11670)
  • resource/aws_lb_target_group: Add load_balancing_algorithm_type argument (support Least Outstanding Requests algorithm for Application Load Balancers) (#11141)
  • resource/aws_s3_bucket: Add grant to implement ACL policy grants (#3728)

BUG FIXES:

  • resource/aws_iam_service_linked_role: Allow aws_service_name argument validation to accept values in AWS partitions outside AWS Commercial and AWS GovCloud (US) (#11919)
  • resource/aws_lambda_function_event_invoke_config: Retry on additional IAM eventual consistency error with SNS Topic destinations (#12171)
  • resource/aws_media_store_container: Prevent ValidationException error on creation when no tags are configured (#12170)

v2.51.0

28 Feb 14:34

FEATURES:

  • New Data Source: aws_sfn_activity (#11080)
  • New Data Source: aws_sfn_state_machine (#10932)
  • New Resource: aws_ec2_traffic_mirror_filter (#9372)
  • New Resource: aws_ec2_traffic_mirror_filter_rule (#9372)
  • New Resource: aws_ec2_traffic_mirror_session (#9372)
  • New Resource: aws_ec2_traffic_mirror_target (#9372)
  • New Resource: aws_s3_access_point (#11276)

ENHANCEMENTS:

  • data-source/aws_lambda_layer_version: Support plan-time validation for compatible_runtime argument ruby2.7 value (#12116)
  • resource/aws_dx_hosted_private_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_dx_hosted_public_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_dx_hosted_transit_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_dx_private_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_dx_public_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_dx_transit_virtual_interface: Add amazon_side_asn attribute (#11415)
  • resource/aws_glue_job: Add notification_property configuration block (#12115)
  • resource/aws_lambda_event_source_mapping: Add bisect_batch_on_function_error, maximum_record_age_in_seconds, maximum_retry_attempts, and parallelization_factor arguments (#11100)
  • resource/aws_lambda_event_source_mapping: Add destination_config configuration block (#11100)
  • resource/aws_lambda_function: Support plan-time validation for runtime argument ruby2.7 value (#12116)
  • resource/aws_lambda_layer_version: Support plan-time validation for compatible_runtimes argument ruby2.7 value (#12116)
  • resource/aws_msk_cluster: Support in-place updates to enhanced_monitoring and number_of_broker_nodes arguments (#11451)
  • resource/aws_msk_cluster: Add open_monitoring configuration block (support Prometheus monitoring configuration) (#11451)

BUG FIXES:

  • resource/aws_workspaces_directory: Prevent panic and remove resource from Terraform state if removed outside Terraform (#11837)

v2.50.0

21 Feb 00:21

NOTES:

  • resource/aws_lambda_function: The publish argument now also publishes versions for configuration updates. This is accomplished via a separate PublishVersion API call; previously, publishing only occurred via the Publish parameter of the UpdateFunctionCode API call. Restrictive IAM permissions for Terraform may require updates. (#11211)
  • resource/aws_ram_resource_share_accepter: The status attribute now reflects the status of the RAM Resource Share and not the RAM Resource Share Invitation (which expires after 7 days). (#11562)

FEATURES:

  • New Data Source: aws_lambda_alias (#9490)

ENHANCEMENTS:

  • resource/aws_appmesh_route: Add priority and header attributes to support route priorities and HTTP header-based routing (#10402)
  • resource/aws_iam_access_key: Add ses_smtp_password_v4 attribute (add per-region SigV4 support) (#11144)
  • resource/aws_security_group: Support import of name_prefix argument (#12052)
  • resource/aws_transfer_server: Add host_key argument and host_key_fingerprint attribute (#8913)

BUG FIXES:

  • resource/aws_lambda_function: If publish argument is enabled, also publish new versions on function configuration-only updates in addition to function code updates (#11211)
  • resource/aws_lambda_permission: Fix error when Lambda permission is deleted out-of-band (#11924)
  • resource/aws_ram_resource_share_accepter: Fix read operations after the RAM Resource Share Invitation is no longer present after 7 days (#11562)