v6.14.0

6.14.0 (September 18, 2025)

FEATURES:

• New Data Source: aws_billing_views (#44272)
• New Data Source: aws_odb_cloud_autonomous_vm_cluster (#43809)
• New Data Source: aws_odb_cloud_exadata_infrastructure (#43650)
• New Data Source: aws_odb_cloud_vm_cluster (#43790)
• New Data Source: aws_odb_network (#43715)
• New Data Source: aws_odb_network_peering_connection (#43757)
• New Resource: aws_controltower_baseline (#42397)
• New Resource: aws_odb_cloud_autonomous_vm_cluster (#43809)
• New Resource: aws_odb_cloud_exadata_infrastructure (#43650)
• New Resource: aws_odb_cloud_vm_cluster (#43790)
• New Resource: aws_odb_network (#43715)
• New Resource: aws_odb_network_peering_connection (#43757)

ENHANCEMENTS:

• resource/aws_batch_job_queue: Adds List support (#43960)
• resource/aws_cloudwatch_log_group: Adds List support (#44129)
• resource/aws_ecs_service: Add deployment_configuration.lifecycle_hook.hook_details argument (#44289)
• resource/aws_iam_role: Adds List support (#44129)
• resource/aws_instance: Adds List support (#44129)
• resource/aws_rds_global_cluster: Remove provider-side conflict between source_db_cluster_identifier and engine arguments (#44252)
• resource/aws_scheduler_schedule: Add action_after_completion argument (#44264)
• resource/aws_sfn_state_machine: Add resource identity support (#44286)

BUG FIXES:

• resource/aws_elasticache_user_group: Ignore InvalidParameterValue: User xxx is not a member of user group xxx errors during group modification (#43520)
• resource/aws_sagemaker_endpoint_configuration: Fix panic when empty async_inference_config.output_config.notification_config block is specified (#44310)

v6.13.0

6.13.0 (September 11, 2025)

ENHANCEMENTS:

• data-source/aws_budgets_budget: Add billing_view_arn attribute (#44241)
• data-source/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput attributes (#41308)
• data-source/aws_elastic_beanstalk_hosted_zone: Add hosted zone IDs for ap-southeast-5, ap-southeast-7, eu-south-2, and me-central-1 AWS Regions (#44132)
• data-source/aws_elb_hosted_zone_id: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
• data-source/aws_lb_hosted_zone_id: Add hosted zone IDs for ap-southeast-6 AWS Region (#44132)
• data-source/aws_s3_bucket: Add hosted zone ID for ap-southeast-6 AWS Region (#44132)
• resource/aws_appautoscaling_policy: Add predictive_scaling_policy_configuration argument (#44211)
• resource/aws_appautoscaling_policy: Add plan-time validation of policy_type (#44211)
• resource/aws_appautoscaling_policy: Add plan-time validation of step_scaling_policy_configuration.adjustment_type and step_scaling_policy_configuration.metric_aggregation_type (#44211)
• resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled arguments to word_policy_config.managed_word_lists_config and word_policy_config.words_config configuration blocks (#44224)
• resource/aws_budgets_budget: Add billing_view_arn argument (#44241)
• resource/aws_cloudfront_distribution: Add origin.response_completion_timeout argument (#44163)
• resource/aws_codebuild_webhook: Add pull_request_build_policy configuration block (#44201)
• resource/aws_dynamodb_table: Add warm_throughput and global_secondary_index.warm_throughput arguments (#41308)
• resource/aws_ecs_account_setting_default: Support dualStackIPv6 as a valid value for name (#44165)
• resource/aws_glue_catalog_table_optimizer: Add iceberg_configuration.run_rate_in_hours argument to retention_configuration and orphan_file_deletion_configuration blocks (#44207)
• resource/aws_networkfirewall_rule_group: Add IPv6 CIDR block support to address_definition arguments in source and destination blocks within rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rule.rule_definition.match_attributes (#44215)
• resource/aws_networkmanager_vpc_attachment: Add options.dns_support and options.security_group_referencing_support arguments (#43742)
• resource/aws_networkmanager_vpc_attachment: Change options to Optional and Computed (#43742)
• resource/aws_opensearch_package: Add engine_version argument (#44155)
• resource/aws_opensearch_package: Add waiter to ensure package validation completes (#44155)
• resource/aws_synthetics_canary: Add schedule.retry_config configuration block (#44244)
• resource/aws_vpc_endpoint: Add resource identity support (#44194)
• resource/aws_vpc_security_group_egress_rule: Add resource identity support (#44198)
• resource/aws_vpc_security_group_ingress_rule: Add resource identity support (#44198)

BUG FIXES:

• resource/aws_appautoscaling_policy: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when step_scaling_policy_configuration is empty (#44211)
• resource/aws_cognito_managed_login_branding: Fix reading Cognito Managed Login Branding by client ... couldn't find resource errors when a user pool contains multiple client apps (#44204)
• resource/aws_eks_cluster: Supports null compute_config.node_role_arn when disabling auto mode or built-in node pools (#42483)
• resource/aws_flow_log: Fix Error decoding ... from prior state: unsupported attribute "log_group_name" errors when upgrading from a pre-v6.0.0 provider version (#44191)
• resource/aws_launch_template: Fix Error decoding ... from prior state: unsupported attribute "elastic_gpu_specifications" errors when upgrading from a pre-v6.0.0 provider version (#44195)
• resource/aws_rds_cluster_role_association: Make feature_name optional (#44143)
• resource/aws_s3_bucket_lifecycle_configuration: Ignore MethodNotAllowed errors when deleting non-existent lifecycle configurations (#44189)
• resource/aws_secretsmanager_secret: Return diagnostic warning when remote policy is invalid (#44228)
• resource/aws_servicecatalog_provisioned_product: Restore timeouts.read arguments removed in v6.12.0 (#44238)

v6.12.0

6.12.0 (September 4, 2025)

NOTES:

• resource/aws_s3_bucket_acl: The access_control_policy.grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
• resource/aws_s3_bucket_acl: The access_control_policy.owner.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)
• resource/aws_s3_bucket_logging: The target_grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#44090)

FEATURES:

• New Resource: aws_cognito_managed_login_branding (#43817)

ENHANCEMENTS:

• data-source/aws_efs_mount_target: Add ip_address_type and ipv6_address attributes (#44079)
• data-source/aws_instance: Add placement_group_id attribute (#38527)
• data-source/aws_lambda_function: Add source_kms_key_arn attribute (#44080)
• data-source/aws_launch_template: Add placement.group_id attribute (#44097)
• provider: Support ap-southeast-6 as a valid AWS Region (#44127)
• resource/aws_ecs_service: Remove Terraform default for availability_zone_rebalancing and change the attribute to Optional and Computed. This allow ECS to default to ENABLED for new resources compatible with AvailabilityZoneRebalancing and maintain an existing service's availability_zone_rebalancing value during update when not configured. If an existing service never had an availability_zone_rebalancing value configured and is updated, ECS will treat this as DISABLED (#43241)
• resource/aws_efs_mount_target: Add ip_address_type and ipv6_address arguments to support IPv6 connectivity (#44079)
• resource/aws_fsx_openzfs_file_system: Remove maximum items limit on the user_and_group_quotas argument (#44120)
• resource/aws_fsx_openzfs_volume: Remove maximum items limit on the user_and_group_quotas argument (#44118)
• resource/aws_instance: Add placement_group_id argument (#38527)
• resource/aws_instance: Add resource identity support (#44068)
• resource/aws_lambda_function: Add source_kms_key_arn argument (#44080)
• resource/aws_launch_template: Add placement.group_id argument (#44097)
• resource/aws_ssm_association: Add resource identity support (#44075)
• resource/aws_ssm_document: Add resource identity support (#44075)
• resource/aws_ssm_maintenance_window: Add resource identity support (#44075)
• resource/aws_ssm_maintenance_window_target: Add resource identity support (#44075)
• resource/aws_ssm_maintenance_window_task: Add resource identity support (#44075)
• resource/aws_ssm_patch_baseline: Add resource identity support (#44075)
• resource/aws_synthetics_canary: Add run_config.ephemeral_storage argument. (#44105)

BUG FIXES:

• resource/aws_s3tables_table_policy: Remove plan-time validation of name and namespace (#44072)
• resource/aws_servicecatalog_provisioned_product: Set provisioning_parameters and provisioning_artifact_id to the values from the last successful deployment when update fails (#43956)
• resource/aws_wafv2_web_acl: Fix performance of update when the WebACL has a large number of rules (#42740)

v6.11.0

6.11.0 (August 28, 2025)

FEATURES:

• New Resource: aws_timestreaminfluxdb_db_cluster (#42382)
• New Resource: aws_workspacesweb_browser_settings_association (#43735)
• New Resource: aws_workspacesweb_data_protection_settings_association (#43773)
• New Resource: aws_workspacesweb_identity_provider (#43729)
• New Resource: aws_workspacesweb_ip_access_settings_association (#43774)
• New Resource: aws_workspacesweb_network_settings_association (#43775)
• New Resource: aws_workspacesweb_portal (#43444)
• New Resource: aws_workspacesweb_session_logger (#43863)
• New Resource: aws_workspacesweb_session_logger_association (#43866)
• New Resource: aws_workspacesweb_trust_store (#43408)
• New Resource: aws_workspacesweb_trust_store_association (#43778)
• New Resource: aws_workspacesweb_user_access_logging_settings_association (#43776)
• New Resource: aws_workspacesweb_user_settings_association (#43777)

ENHANCEMENTS:

• data-source/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type attributes (#44059)
• data-source/aws_network_interface: Add attachment.network_card_index attribute (#42188)
• data-source/aws_sesv2_email_identity: Add verification_status attribute (#44045)
• data-source/aws_signer_signing_profile: Add signing_material and signing_parameters attributes (#43921)
• data-source/aws_vpc_ipam: Add metered_account attribute (#43967)
• resource/aws_datazone_domain: Add domain_version and service_role arguments to support V2 domains (#44042)
• resource/aws_dlm_lifecycle_policy: Add copy_tags, create_interval, exclusions, extend_deletion, policy_language, resource_type and retain_interval attributes to policy_details configuration block (#41055)
• resource/aws_dlm_lifecycle_policy: Add default_policy argument (#41055)
• resource/aws_dlm_lifecycle_policy: Add policy_details.create_rule.scripts argument (#41055)
• resource/aws_dlm_lifecycle_policy: Add policy_details.schedule.cross_region_copy_rule.target_region argument (#33796)
• resource/aws_dlm_lifecycle_policy: Make policy_details.schedule.cross_region_copy_rule.target optional (#33796)
• resource/aws_dlm_lifecycle_policy:Add policy_details.schedule.archive_rule argument (#41055)
• resource/aws_dynamodb_contributor_insights: Add mode argument in support of CloudWatch contributor insights modes (#43914)
• resource/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type arguments to support IPv6 connectivity in Client VPN (#44059)
• resource/aws_ec2_client_vpn_endpoint: Make client_cidr_block optional (#44059)
• resource/aws_ecr_lifecycle_policy: Add resource identity support (#44041)
• resource/aws_ecr_repository: Add resource identity support (#44041)
• resource/aws_ecr_repository_policy: Add resource identity support (#44041)
• resource/aws_ecs_service: Add sigint_rollback argument (#43986)
• resource/aws_ecs_service: Change deployment_configuration to Optional and Computed (#43986)
• resource/aws_eks_cluster: Allow remote_network_config to be updated in-place, enabling support for EKS hybrid nodes on existing clusters (#42928)
• resource/aws_elasticache_global_replication_group: Change engine to Optional and Computed (#42636)
• resource/aws_inspector2_filter: Support code_repository_project_name, code_repository_provider_type, ecr_image_in_use_count, and ecr_image_last_in_use_at in filter_criteria (#43950)
• resource/aws_iot_thing_principal_attachment: Add thing_principal_type argument (#43916)
• resource/aws_kms_alias: Add resource identity support (#44025)
• resource/aws_kms_external_key: Add key_spec argument (#44011)
• resource/aws_kms_external_key: Change key_usage to Optional and Computed (#44011)
• resource/aws_kms_key: Add resource identity support (#44025)
• resource/aws_lb: Add secondary_ips_auto_assigned_per_subnet argument for Network Load Balancers (#43699)
• resource/aws_mwaa_environment: Add worker_replacement_strategy argument (#43946)
• resource/aws_network_interface: Add attachment.network_card_index argument (#42188)
• resource/aws_network_interface_attachment: Add network_card_index argument (#42188)
• resource/aws_route53_resolver_rule: Add resource identity support (#44048)
• resource/aws_route53_resolver_rule_association: Add resource identity support (#44048)
• resource/aws_route: Add resource identity support (#43910)
• resource/aws_route_table: Add resource identity support (#43990)
• resource/aws_s3_bucket_acl: Add resource identity support (#44043)
• resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43976)
• resource/aws_s3_bucket_logging: Add resource identity support (#43976)
• resource/aws_s3_bucket_notification: Add resource identity support (#43976)
• resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43976)
• resource/aws_s3_bucket_policy: Add resource identity support (#43976)
• resource/aws_s3_bucket_public_access_block: Add resource identity support (#43976)
• resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43976)
• resource/aws_s3_bucket_versioning: Add resource identity support (#43976)
• resource/aws_s3_bucket_website_configuration: Add resource identity support (#43976)
• resource/aws_s3tables_table_bucket: Add force_destroy argument (#43922)
• resource/aws_secretsmanager_secret_version: Add resource identity support (#44031)
• resource/aws_sesv2_email_identity: Add verification_status attribute (#44045)
• resource/aws_s...

v6.10.0

6.10.0 (August 21, 2025)

NOTES:

• resource/aws_instance: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)
• resource/aws_spot_instance_request: The network_interface block has been deprecated. Use primary_network_interface for the primary network interface and aws_network_interface_attachment resources for other network interfaces. (#43953)

ENHANCEMENTS:

• data-source/aws_ecr_repository: Add image_tag_mutability_exclusion_filter attribute (#43886)
• data-source/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter attribute (#43886)
• resource/aws_cloudwatch_event_target: Add resource identity support (#43984)
• resource/aws_ecr_repository_creation_template: Add image_tag_mutability_exclusion_filter configuration block (#43886)
• resource/aws_glue_job: Support G.12X, G.16X, R.1X, R.2X, R.4X, and R.8X as valid values for worker_type (#43988)
• resource/aws_lambda_permission: Add resource identity support (#43954)
• resource/aws_lightsail_static_ip_attachment: Support resource import (#43874)
• resource/aws_s3_bucket_cors_configuration: Add resource identity support (#43876)
• resource/aws_s3_bucket_logging: Add resource identity support (#43876)
• resource/aws_s3_bucket_notification: Add resource identity support (#43876)
• resource/aws_s3_bucket_ownership_controls: Add resource identity support (#43876)
• resource/aws_s3_bucket_policy: Add resource identity support (#43876)
• resource/aws_s3_bucket_public_access_block: Add resource identity support (#43876)
• resource/aws_s3_bucket_server_side_encryption_configuration: Add resource identity support (#43876)
• resource/aws_s3_bucket_versioning: Add resource identity support (#43876)
• resource/aws_s3_bucket_website_configuration: Add resource identity support (#43876)
• resource/aws_secretsmanager_secret: Add resource identity support (#43872)
• resource/aws_secretsmanager_secret_policy: Add resource identity support (#43872)
• resource/aws_secretsmanager_secret_rotation: Add resource identity support (#43872)
• resource/aws_sqs_queue: Add resource identity support (#43918)
• resource/aws_sqs_queue_policy: Add resource identity support (#43918)
• resource/aws_sqs_queue_redrive_allow_policy: Add resource identity support (#43918)
• resource/aws_sqs_queue_redrive_policy: Add resource identity support (#43918)

BUG FIXES:

• resource/aws_batch_compute_environment: Allow in-place updates of compute environments that have the SPOT_PRICE_CAPACITY_OPTIMIZED strategy (#40148)
• resource/aws_imagebuilder_lifecycle_policy: Fix Provider produced inconsistent result after apply error when policy_detail.exclusion_rules.amis.is_public is omitted (#43925)
• resource/aws_instance: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)
• resource/aws_rds_cluster: Fixes the behavior when enabling database_insights_mode="advanced" without changing performance insights retention window (#43919)
• resource/aws_rds_cluster: Fixes the behavior when modifying database_insights_mode when using custom KMS key (#43942)
• resource/aws_spot_instance_request: Adds primary_network_interface to allow importing resources with custom primary network interface. (#43953)

v6.9.0

6.9.0 (August 14, 2025)

FEATURES:

• New Resource: aws_appsync_api (#43787)
• New Resource: aws_appsync_channel_namespace (#43787)

ENHANCEMENTS:

• data-source/aws_eks_cluster: Add deletion_protection attribute (#43779)
• resource/aws_cloudwatch_event_rule: Add resource identity support (#43758)
• resource/aws_cloudwatch_metric_alarm: Add resource identity support (#43759)
• resource/aws_dynamodb_table: Add replica.deletion_protection_enabled argument (#43240)
• resource/aws_eks_cluster: Add deletion_protection argument (#43779)
• resource/aws_lambda_function: Add resource identity support (#43821)
• resource/aws_sns_topic_data_protection_policy: Add resource identity support (#43830)
• resource/aws_sns_topic_policy: Add resource identity support (#43830)
• resource/aws_sns_topic_subscription: Add resource identity support (#43830)
• resource/aws_subnet: Add resource identity support (#43833)

BUG FIXES:

• data-source/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
• data-source/aws_networkfirewall_firewall_policy: Add missing schema definition for firewall_policy.stateful_engine_options.flow_timeouts (#43852)
• resource/aws_cognito_risk_configuration: Make account_takeover_risk_configuration.notify_configuration optional (#33624)
• resource/aws_ecs_service: Fix tagging failure after upgrading to v6 provider (#43816)
• resource/aws_ecs_service: Fix refreshing service_connect_configuration when deleted outside of Terraform (#43871)
• resource/aws_lambda_function: Fix missing value for reserved_concurrent_executions attribute when a published version exists. This functionality requires the lambda:GetFunctionConcurrency IAM permission (#43753)
• resource/aws_s3tables_table: Fix runtime error: invalid memory address or nil pointer dereference panics when GetTableMaintenanceConfiguration returns an error (#43764)
• resource/aws_sagemaker_user_profile: Fix incomplete regex for user_profile_name (#43807)
• resource/aws_servicequotas_service_quota: Add validation, during create, to check if new value is less than current value of quota (#43545)
• resource/aws_storagegateway_gateway: Handle InvalidGatewayRequestException: The specified gateway is not connected errors during Read by using the ListGateways API to return minimal information about a disconnected gateway. This functionality requires the storagegateway:ListGateways IAM permission (#43819)
• resource/aws_vpc_ipam_pool_cidr: Fix netmask_length not being saved and diffed correctly (#43262)

v6.8.0

6.8.0 (August 7, 2025)

FEATURES:

• New Resource: aws_networkfirewall_vpc_endpoint_association (#43675)
• New Resource: aws_quicksight_custom_permissions (#43613)
• New Resource: aws_quicksight_role_custom_permission (#43613)
• New Resource: aws_quicksight_user_custom_permission (#43613)
• New Resource: aws_wafv2_web_acl_rule_group_association (#43561)

ENHANCEMENTS:

• data-source/aws_quicksight_user: Add custom_permissions_name attribute (#43613)
• data-source/aws_wafv2_web_acl: Add resource_arn argument to enable finding web ACLs by resource ARN (#43597)
• data-source/aws_wafv2_web_acl: Add support for CLOUDFRONT scope web ACLs using resource_arn (#43597)
• resource/aws_bedrock_guardrail: Add input_action, output_action, input_enabled, and output_enabled attributes to sensitive_information_policy_config.pii_entities_config and sensitive_information_policy_config.regexes_config configuration blocks (#43702)
• resource/aws_cloudwatch_log_group: Add resource identity support (#43719)
• resource/aws_computeoptimizer_recommendation_preferences: Add AuroraDBClusterStorage as a valid resource_type (#43677)
• resource/aws_docdb_cluster: Add serverless_v2_scaling_configuration argument in support of Amazon DocumentDB serverless (#43667)
• resource/aws_ecr_repository: Add image_tag_mutability_exclusion_filter argument (#43642)
• resource/aws_ecr_repository: Support IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION as valid values for image_tag_mutability (#43642)
• resource/aws_inspector2_enabler: Support resource import (#43673)
• resource/aws_instance: Adds force_destroy argument that allows destruction even when disable_api_termination and disable_api_stop are true (#43722)
• resource/aws_ivs_channel: Add resource identity support (#43704)
• resource/aws_ivs_playback_key_pair: Add resource identity support (#43704)
• resource/aws_ivs_recording_configuration: Add resource identity support (#43704)
• resource/aws_ivschat_logging_configuration: Add resource identity support (#43697)
• resource/aws_ivschat_room: Add resource identity support (#43697)
• resource/aws_kinesis_firehose_delivery_stream: Add iceberg_configuration.append_only argument (#43647)
• resource/aws_lightsail_static_ip: Support resource import (#43672)
• resource/aws_opensearch_domain_policy: Support resource import (#43674)
• resource/aws_quicksight_user: Add plan-time validation of iam_arn (#43613)
• resource/aws_quicksight_user: Change user_name to Optional and Computed (#43613)
• resource/aws_quicksight_user: Support IAM_IDENTITY_CENTER as a valid value for identity_type (#43613)
• resource/aws_quicksight_user: Support RESTRICTED_AUTHOR and RESTRICTED_READER as valid values for user_role (#43613)
• resource/aws_security_group: Add parameterized resource identity support (#43744)
• resource/aws_sqs_queue: Increase upper limit of max_message_size from 256 KiB to 1024 KiB (#43710)
• resource/aws_ssm_parameter: Add resource identity support (#43736)

BUG FIXES:

• ephemeral-resource/aws_lambda_invocation: Fix plan inconsistency issue due to improperly assigned payload values (#43676)
• provider: Fix failure to detect resources deleted outside of Terraform as missing for numerous resource types (#43659)
• resource/aws_batch_compute_environment: Fix inconsistent final plan error when compute_resource.launch_template.version is unknown during an update (#43337)
• resource/aws_bedrockagent_flow: Prevent created_at becoming null on Update (#43654)
• resource/aws_ec2_managed_prefix_list: Fix PrefixListVersionMismatch: The prefix list has the incorrect version number errors when updating entry description (#43661)
• resource/aws_fsx_lustre_file_system: Fix validation of SSD read cache size for file systems using the Intelligent-Tiering storage class (#43605)
• resource/aws_instance: Prevent destruction of resource when disable_api_termination is true (#43722)
• resource/aws_kms_key: Restore pre-v6.3.0 retry delay behavior when waiting for continuous target state occurrences. This fixes certain tag update timeouts (#43716)
• resource/aws_s3tables_table_bucket: Fix crash on maintenance_configuration read failure (#43707)
• resource/aws_sagemaker_image: Fix image_name regular expression validation (#43751)
• resource/aws_timestreaminfluxdb_db_instance: Don't mark network_type as ForceNew if the value is not configured. This fixes a problem with terraform apply -refresh=false after upgrade from v5.90.0 and below (#43534)
• resource/aws_wafv2_regex_pattern_set: Remove maximum items limit on the regular_expression argument (#43693)

v6.7.0

6.7.0 (July 31, 2025)

FEATURES:

• New Resource: aws_quicksight_ip_restriction (#43596)
• New Resource: aws_quicksight_key_registration (#43587)

ENHANCEMENTS:

• data-source/aws_codebuild_fleet: Add instance_type attribute in compute_configuration block (#43449)
• data-source/aws_ebs_volume: Add volume_initialization_rate attribute (#43565)
• data-source/aws_ecs_service: Support load_balancer attribute (#43582)
• data-source/aws_s3_access_point: Add tags attribute. This functionality requires the s3:ListTagsForResource IAM permission (#43630)
• data-source/aws_verifiedpermissions_policy_store: Add deletion_protection attribute (#43452)
• resource/aws_athena_workgroup: Add configuration.identity_center_configuration argument (#38717)
• resource/aws_cleanrooms_collaboration: Add analytics_engine argument (#43614)
• resource/aws_codebuild_fleet: Add instance_type argument in compute_configuration block to support custom instance types (#43449)
• resource/aws_ebs_volume: Add volume_initialization_rate argument (#43565)
• resource/aws_s3_access_point: Add tags argument and tags_all attribute. This functionality requires the s3:ListTagsForResource, s3:TagResource, and s3:UntagResource IAM permissions (#43630)
• resource/aws_verifiedpermissions_policy_store: Add deletion_protection argument (#43452)

BUG FIXES:

• resource/aws_bedrockagent_flow: Fix missing required field, CreateFlowInput.Definition.Nodes[0].Configuration[prompt].SourceConfiguration[resource].PromptArn errors on Create (#43595)
• resource/aws_s3_bucket: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
• resource/aws_s3_object: Accept NoSuchTagSetError responses from S3-compatible services (#43589)
• resource/aws_servicequotas_service_quota: Fix error when updating a pending service quota request (#43606)
• resource/aws_ssm_parameter: Fix Provider produced inconsistent final plan errors when changing from using value to using value_wo (#42877)
• resource/aws_ssm_parameter: Fix version not being updated when description changes (#42595)

v6.6.0

6.6.0 (July 28, 2025)

FEATURES:

• New Resource: aws_connect_phone_number_contact_flow_association (#43557)
• New Resource: aws_nat_gateway_eip_association (#42591)

ENHANCEMENTS:

• data-source/aws_cloudwatch_event_bus: Add log_config attribute (#43453)
• data-source/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
• feature/aws_bedrock_guardrail: Add cross_region_config, content_policy_config.tier_config, and topic_policy_config.tier_config arguments (#43517)
• resource/aws_athena_database: Add workgroup argument (#36628)
• resource/aws_batch_compute_environment: Add compute_resources.ec2_configuration.image_kubernetes_version argument (#43454)
• resource/aws_cloudwatch_event_bus: Add log_config argument (#43453)
• resource/aws_cognito_resource_server: Allow name to be updated in-place (#41702)
• resource/aws_cognito_user_pool: Allow name to be updated in-place (#42639)
• resource/aws_globalaccelerator_custom_routing_endpoint_group: Add resource identity support (#43539)
• resource/aws_globalaccelerator_custom_routing_listener: Add resource identity support (#43539)
• resource/aws_globalaccelerator_endpoint_group: Add resource identity support (#43539)
• resource/aws_globalaccelerator_listener: Add resource identity support (#43539)
• resource/aws_imagebuilder_container_recipe: Add resource identity support (#43540)
• resource/aws_imagebuilder_distribution_configuration: Add resource identity support (#43540)
• resource/aws_imagebuilder_image: Add resource identity support (#43540)
• resource/aws_imagebuilder_image_pipeline: Add resource identity support (#43540)
• resource/aws_imagebuilder_image_recipe: Add resource identity support (#43540)
• resource/aws_imagebuilder_infrastructure_configuration: Add resource identity support (#43540)
• resource/aws_imagebuilder_workflow: Add resource identity support (#43540)
• resource/aws_inspector_assessment_target: Add resource identity support (#43542)
• resource/aws_inspector_assessment_template: Add resource identity support (#43542)
• resource/aws_inspector_resource_group: Add resource identity support (#43542)
• resource/aws_nat_gateway: Change secondary_allocation_ids to Optional and Computed (#42591)
• resource/aws_ssm_patch_baseline: Add available_security_updates_compliance_status argument (#43560)
• resource/aws_ssm_service_setting: Support short format (with /ssm/ prefix) for setting_id (#43562)

BUG FIXES:

• resource/aws_appsync_api_cache: Fix "missing required field" error during update (#43523)
• resource/aws_cloudwatch_log_delivery_destination: Fix update failure when tags are set (#43576)
• resource/aws_ecs_service: Fix unspecified test_listener_rule incorrectly being set as empty string in load_balancer.advanced_configuration block (#43558)

v6.5.0

6.5.0 (July 24, 2025)

NOTES:

• resource/aws_cognito_log_delivery_configuration: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#43396)
• resource/aws_ecs_service: Acceptance tests cannot fully reproduce scenarios with deployments older than 3 months. Community feedback on this fix is appreciated, particularly for long-running ECS services with in-place updates (#43502)

FEATURES:

• New Data Source: aws_ecr_images (#42577)
• New Resource: aws_cognito_log_delivery_configuration (#43396)
• New Resource: aws_networkfirewall_firewall_transit_gateway_attachment_accepter (#43430)
• New Resource: aws_s3_bucket_metadata_configuration (#41364)

ENHANCEMENTS:

• data-source/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn attributes (#43440)
• data-source/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, firewall_status.sync_states.attachment.status_message, firewall_status.transit_gateway_attachment_sync_states, transit_gateway_id, and transit_gateway_owner_account_id attributes (#43430)
• resource/aws_alb_listener: Add resource identity support (#43161)
• resource/aws_alb_listener_rule: Add resource identity support (#43155)
• resource/aws_alb_target_group: Add resource identity support (#43171)
• resource/aws_dms_endpoint: Add oracle_settings configuration block for authentication method (#43125)
• resource/aws_dms_endpoint: Add postgres_settings.authentication_method and postgres_settings.service_access_role_arn arguments (#43440)
• resource/aws_dms_endpoint: Add plan-time validation of postgres_settings.database_mode, postgres_settings.map_long_varchar_as, and postgres_settings.plugin_name arguments (#43440)
• resource/aws_dms_replication_instance: Add dns_name_servers attribute and kerberos_authentication_settings configuration block for Kerberos authentication settings (#43125)
• resource/aws_dx_gateway_association: Add transit_gateway_attachment_id attribute. This functionality requires the ec2:DescribeTransitGatewayAttachments IAM permission (#43436)
• resource/aws_globalaccelerator_accelerator: Add resource identity support (#43200)
• resource/aws_globalaccelerator_custom_routing_accelerator: Add resource identity support (#43423)
• resource/aws_glue_registry: Add resource identity support (#43450)
• resource/aws_glue_schema: Add resource identity support (#43450)
• resource/aws_iam_openid_connect_provider: Add resource identity support (#43503)
• resource/aws_iam_policy: Add resource identity support (#43503)
• resource/aws_iam_saml_provider: Add resource identity support (#43503)
• resource/aws_iam_service_linked_role: Add resource identity support (#43503)
• resource/aws_inspector2_enabler: Support CODE_REPOSITORY as a valid value for resource_types (#43525)
• resource/aws_inspector2_organization_configuration: Add auto_enable.code_repository argument (#43525)
• resource/aws_lb_listener: Add resource identity support (#43161)
• resource/aws_lb_listener_rule: Add resource identity support (#43155)
• resource/aws_lb_target_group: Add resource identity support (#43171)
• resource/aws_lb_trust_store: Add resource identity support (#43186)
• resource/aws_networkfirewall_firewall: Add availability_zone_change_protection, availability_zone_mapping, and transit_gateway_id arguments and firewall_status.transit_gateway_attachment_sync_states and transit_gateway_owner_account_id attributes (#43430)
• resource/aws_networkfirewall_firewall: Mark subnet_mapping and vpc_id as Optional (#43430)
• resource/aws_quicksight_account_subscription: Add import support. This resource can now be imported via the aws_account_id argument. (#43501)
• resource/aws_sns_topic: Add resource identity support (#43202)
• resource/aws_wafv2_rule_group: Add rules_json argument (#43397)
• resource/aws_wafv2_web_acl: Add statement.rate_based_statement.custom_key.asn argument (#43506)

BUG FIXES:

• provider: Prevent planned forces replacement on region for numerous resource types when upgrading from a pre-v6.0.0 provider version and -refresh=false is in effect (#43516)
• resource/aws_api_gateway_resource: Recompute path when path_part is updated (#43215)
• resource/aws_bedrockagent_flow: Remove definition.connection and definition.node list length limits (#43471)
• resource/aws_ecs_service: Improve stabilization logic to handle both new deployments and in-place updates correctly. This fixes a regression introduced in v6.4.0 (#43502)
• resource/aws_instance: Recompute ipv6_addresses when ipv6_address_count is updated (#43158)