chore(deps): update terraform by renovate[bot] · Pull Request #514 · overmindtech/terraform-example

renovate · 2026-03-27T00:52:51Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
archive (source)	required_provider	minor	`2.7.1` → `2.8.0`
aws (source)	required_provider	minor	`< 6.38` → `< 6.47`
aws (source)	required_provider	minor	`6.37.0` → `6.46.0`
google (source)	required_provider	minor	`7.25.0` → `7.33.0`
null (source)	required_provider	minor	`3.2.4` → `3.3.0`
random (source)	required_provider	minor	`3.8.1` → `3.9.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

hashicorp/terraform-provider-archive (archive)

`v2.8.0`

Compare Source

ENHANCEMENTS:

Added linux/s390x build target for IBM Z platform support (#504)

hashicorp/terraform-provider-aws (aws)

`v6.46.0`

Compare Source

NOTES:

resource/aws_xray_resource_policy: Changes to policy_name now force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updating policy_name would leave an orphaned policy with the old name in AWS (#47948)

FEATURES:

New List Resource: aws_bedrockagentcore_harness (#47725)
New List Resource: aws_iam_access_key (#47966)
New List Resource: aws_observabilityadmin_telemetry_rule_for_organization (#47920)
New List Resource: aws_route53_vpc_association_authorization (#47905)
New List Resource: aws_route53_zone_association (#47950)
New List Resource: aws_securityhub_automation_rule_v2 (#47677)
New Resource: aws_bedrockagentcore_harness (#47725)
New Resource: aws_observabilityadmin_telemetry_rule_for_organization (#47920)
New Resource: aws_securityhub_automation_rule_v2 (#47677)
New Resource: aws_xray_indexing_rule (#47975)
New Resource: aws_xray_trace_segment_destination (#47961)

ENHANCEMENTS:

data-source/aws_ec2_local_gateway_virtual_interface: Add outpost_lag_id and local_gateway_virtual_interface_group_id attributes (#47974)
data-source/aws_opensearch_domain: Add jwt_options block to fix "Invalid address to set" error (#47874)
resource/aws_bedrockagent_agent: Increase maximum value of idle_session_ttl_in_seconds from 3600 to 5400 to match the AWS API limit (#47890)
resource/aws_bedrockagentcore_agent_runtime: Add filesystem_configuration argument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#47810)
resource/aws_cloudfront_distribution: Add cache_tag_config configuration block (#47872)
resource/aws_iam_access_key: Add resource identity support (#47966)
resource/aws_route53_vpc_association_authorization: Add resource identity support (#47905)
resource/aws_route53_zone_association: Add resource identity support (#47950)
resource/aws_vpclattice_resource_gateway: Add resource_config_dns_resolution argument (#47879)
resource/aws_xray_resource_policy: Add Resource Identity support (#47948)
resource/aws_xray_sampling_rule: Add Resource Identity support (#47948)

BUG FIXES:

resource/aws_s3_bucket: Defer to the corresponding dedicated standalone resource for each deprecated nested attribute (acceleration_status, acl, cors_rule, grant, lifecycle_rule, logging, object_lock_configuration, policy, replication_configuration, request_payer, server_side_encryption_configuration, versioning, website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#47962)
resource/aws_s3_bucket: Fix InvalidRequest: SourceSelectionCriteria cannot be empty errors on unrelated updates (e.g. tags) when replication is managed by the dedicated aws_s3_bucket_replication_configuration resource using replica_modifications (#47962)
resource/aws_xray_resource_policy: Fix Provider returned invalid result object after apply errors on Update (#47948)
resource/aws_xray_resource_policy: Mark policy_name as as ForceNew (#47948)

`v6.45.0`

Compare Source

FEATURES:

New List Resource: aws_observabilityadmin_telemetry_rule (#47857)
New List Resource: aws_securityhub_connector_v2 (#47678)
New Resource: aws_observabilityadmin_telemetry_evaluation (#47799)
New Resource: aws_observabilityadmin_telemetry_evaluation_for_organization (#47808)
New Resource: aws_observabilityadmin_telemetry_rule (#47857)
New Resource: aws_securityhub_aggregator_v2 (#47651)
New Resource: aws_securityhub_connector_v2 (#47678)

ENHANCEMENTS:

resource/aws_lambda_function: Add support for ruby4.0 as a runtime value (#47841)
resource/aws_lambda_function: Support mounting Amazon S3 buckets as file systems with S3 Files (#47838)
resource/aws_lambda_layer_version: Add support for ruby4.0 as a compatible_runtimes value (#47841)
resource/aws_secretsmanager_secret_version: Allow switching from secret_string to secret_string_wo without re-creating the resource. (#47815)
resource/aws_timestreaminfluxdb_db_instance: Add maintenance_schedule configuration block (#47853)

BUG FIXES:

resource/aws_elasticache_cluster: Fixed by removing valkey as an engine option to keep an alignment with aws sdk CreateCacheCluster (#45017)
resource/aws_elasticache_replication_group: Fix engine_version returning full patch version instead of minor version for Valkey engine (#46109)
resource/aws_elasticache_replication_group: Fix engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#46109)
resource/aws_grafana_workspace: Fix network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#47646)

`v6.44.0`

Compare Source

NOTES:

resource/aws_dynamodb_global_secondary_index: This resource type is no longer experimental. The schema and behavior are now subject to the backwards compatibility guarantee of the provider. (#47747)
resource/aws_outposts_capacity_task: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#47681)

FEATURES:

New Data Source: aws_glue_catalog (#43583)
New List Resource: aws_alb_target_group_attachment (#47724)
New List Resource: aws_appautoscaling_policy (#47718)
New List Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New List Resource: aws_dynamodb_global_secondary_index (#47785)
New List Resource: aws_dynamodb_table (#47518)
New List Resource: aws_ecr_repository_policy (#47763)
New List Resource: aws_glue_catalog (#43583)
New List Resource: aws_lb_target_group_attachment (#47724)
New List Resource: aws_s3_bucket_logging (#47766)
New List Resource: aws_securityhub_standards_control (#47702)
New List Resource: aws_vpc_endpoint_route_table_association (#47751)
New Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New Resource: aws_glue_catalog (#43583)
New Resource: aws_outposts_capacity_task (#47681)
New Resource: aws_redshift_namespace_registration (#43583)

ENHANCEMENTS:

data-source/aws_glue_connection: Add authentication_configuration attribute (#43583)
resource/aws_appautoscaling_policy: Add resource identity support (#47718)
resource/aws_ec2_client_vpn_endpoint: Add transit_gateway_configuration block (#47635)
resource/aws_fsx_lustre_file_system: Support in-place modification of file_system_type_version (#47703)
resource/aws_fsx_windows_file_system: Add self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#47752)
resource/aws_glue_connection: Add authentication_configuration argument (#43583)
resource/aws_timestreaminfluxdb_db_cluster: Add Resource Identity support (#47052)
resource/aws_timestreaminfluxdb_db_cluster: Add maintenance_schedule configuration block (#47354)
resource/aws_timestreaminfluxdb_db_instance: Add Resource Identity support (#47052)
resource/aws_vpc_endpoint_route_table_association: Add resource identity support (#47751)

BUG FIXES:

resource/aws_odb_cloud_vm_cluster: Attempt to read GI Version from resource tags to avoid failures due to new API response values (#46589)
resource/aws_s3files_synchronization_configuration: Fix Delete to use the file system prefix when resetting the synchronization configuration (#47760)
resource/aws_securityhub_configuration_policy_association: Fix waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#47783)
resource/aws_timestreaminfluxdb_db_cluster: Correct plan-time validation of db_parameter_group_identifier (#47052)

`v6.43.0`

Compare Source

FEATURES:

New Data Source: aws_securityhub_enabled_standards (#43947)
New Data Source: aws_securityhub_security_controls (#43947)
New List Resource: aws_db_subnet_group (#47637)
New List Resource: aws_ec2_network_insights_access_scope (#47582)
New List Resource: aws_iam_group_policy_attachment (#47667)
New List Resource: aws_lambda_event_source_mapping (#47686)
New List Resource: aws_securityhub_insight (#47622)
New Resource: aws_arczonalshift_autoshift_observer_notification_status (#46343)
New Resource: aws_ec2_network_insights_access_scope (#47582)
New Resource: aws_securityhub_account_v2 (#47356)

ENHANCEMENTS:

resource/aws_arczonalshift_autoshift_observer_notification_status: Add resource identity support (#46343)
resource/aws_auditmanager_assessment: Add resource identity support (#47674)
resource/aws_auditmanager_control: Add resource identity support (#47674)
resource/aws_auditmanager_framework: Add resource identity support (#47674)
resource/aws_auditmanager_framework_share: Add resource identity support (#47674)
resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#47589)
resource/aws_ecs_express_gateway_service: Deprecates current_deployment. (#47694)
resource/aws_iam_group_policy_attachment: Add resource identity support (#47667)
resource/aws_lambda_event_source_mapping: Add resource identity support (#47686)
resource/aws_securityhub_action_target: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#47078)
resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#47543)
resource/aws_securityhub_finding_aggregator: Add arn attribute (#47543)
resource/aws_securityhub_insight: Add Resource Identity support (#47543)
resource/aws_securityhub_member: Add Resource Identity support (#47543)
resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#47543)
resource/aws_securityhub_product_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control_association: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add arn attribute (#47543)
resource/aws_subnet: Automatically detect and dissociate GuardDuty-managed VPC endpoints during terraform destroy when they block subnet deletion (#46953)
resource/aws_vpc: Automatically detect and remove GuardDuty-managed VPC endpoints and security groups during terraform destroy when they block VPC deletion (#46953)

BUG FIXES:

resource/aws_cloudwatch_metric_alarm: Fix invalid One of 'metric_name', 'metric_query', or 'evaluation_criteria' must be set for a cloudwatch metric alarm plan-time errors. This fixes a regression introduced in v6.42.0 (#47666)
resource/aws_ecs_express_gateway_service: Handles more transient API errors during creation and deletion. (#47568)
resource/aws_ecs_express_gateway_service: Marks resource for re-creation if it fails while waiting for creation. (#47568)
resource/aws_ecs_express_gateway_service: Prevents errors when value of current_deployment changes. (#47694)
resource/aws_ecs_express_gateway_service: Waits until the service is INACTIVE instead of DRAINING. (#47568)
resource/aws_flow_log: Prevents error when updating from earlier versions of the provider or importing VPC Flow Logs (#47699)
resource/aws_globalaccelerator_cross_account_attachment: Fix runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#47625)
resource/aws_pinpoint_app: Lower minimum of limits.messages_per_second from 50 to 1 to match the AWS API. (#47636)
resource/aws_s3_bucket: Fix bucket creation on third-party S3-compatible APIs (e.g. OVH, Ceph RGW) by handling MalformedXML errors during tag-on-create and CreateBucketConfiguration operations (#47530)

`v6.42.0`

Compare Source

BREAKING CHANGES:

resource/aws_mq_configuration: Destruction of this resource will now delete the configuration. Previously delete was a no-op due to missing API operations, leaving resources in an unmanaged state. For this reason a breaking change was deemed acceptable in a minor version. This functionality requires the mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#47273)

NOTES:

documentation: CDKTF documentation has been removed from the provider (#47484)
resource/aws_eip: Because we cannot easily test this behavior in isolated regions, it is best effort and we ask for community help in testing (#47091)

FEATURES:

New Data Source: aws_ec2_service_link_virtual_interface (#47478)
New Data Source: aws_ec2_service_link_virtual_interfaces (#47478)
New List Resource: aws_apigatewayv2_api (#47472)
New List Resource: aws_cloudwatch_log_metric_filter (#47495)
New List Resource: aws_config_remediation_configuration (#47514)
New List Resource: aws_ebs_volume (#47551)
New List Resource: aws_ebs_volume_attachment (#47561)
New List Resource: aws_eip (#47557)
New List Resource: aws_iam_user_policy_attachment (#47467)
New List Resource: aws_internet_gateway (#47529)
New List Resource: aws_lambda_layer_version (#47496)
New List Resource: aws_launch_template (#47540)
New List Resource: aws_route53_zone (#47494)
New List Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)
New List Resource: aws_sqs_queue_policy (#47489)
New Resource: aws_cloudwatch_otel_enrichment (#47275)
New Resource: aws_ebs_volume_copy (#47311)
New Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)

ENHANCEMENTS:

data-source/aws_identitystore_user: Add user_status attribute (#47323)
data-source/aws_identitystore_users: Add user_status attribute (#47323)
data-source/aws_network_interface: Add ena_srd_specification attribute (#46669)
data-source/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_cloudwatch_log_metric_filter: Add Resource Identity support (#47495)
resource/aws_cloudwatch_metric_alarm: Add evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#47449)
resource/aws_ebs_volume_attachment: Add resource identity support (#47561)
resource/aws_eip: Add resource identity support (#47557)
resource/aws_eks_access_entry: Add Resource Identity support (#47428)
resource/aws_eks_access_policy_association: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add namespace_config argument (#44087)
resource/aws_eks_capability: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add identity_provider_config_name attribute (#47428)
resource/aws_eks_node_group: Add Resource Identity support (#47428)
resource/aws_eks_pod_identity_association: Add Resource Identity support (#47428)
resource/aws_fargate_profile: Add Resource Identity support (#47428)
resource/aws_identitystore_user: Add user_status attribute (#47323)
resource/aws_imagebuilder_lifecycle_policy: Support wildcard semantic version for resource_selection.recipe.semantic_version (#47443)
resource/aws_lambda_layer_version: Add resource identity support (#47496)
resource/aws_launch_template: Add resource identity support (#47540)
resource/aws_mq_configuration: Add skip_destroy argument (#47273)
resource/aws_mq_configuration: Implement resource deletion (#47273)
resource/aws_network_interface: Add ena_srd_specification argument to support ENA Express (#46669)
resource/aws_networkmanager_site_to_site_vpn_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#47541)
resource/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_rds_integration: Add integration_identifier attribute (#45632)
resource/aws_rds_integration: Support in-place update of data_filter and integration_name (#45632)
resource/aws_s3_bucket_inventory: Support S3 Inventory for directory buckets (#47555)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.expanded_prefixes_data_export and storage_lens_configuration.prefix_delimiter arguments (#47205)
resource/aws_s3files_file_system: Add accept_bucket_warning argument (#47510)
resource/network_peering_connection: Peer cidr management through peer_network_cidrs argument. (#46207)

BUG FIXES:

resource/aws_appintegrations_data_integration: Fix source_uri regular expression validation (#47498)
resource/aws_bedrock_guardrail: Update maximum length of topic_policy_config.topics_config.definition from 200 to 1000 to support standard tier. (#47574)
resource/aws_cloudwatch_alarm_mute_rule: Fix mute_targets.alarm_names ordering causing "Provider produced inconsistent result after apply" errors (#47507)
resource/aws_ecs_service: Excludes Express-Mode Services from listing. (#47533)
resource/aws_eip: Gracefully handle UnsupportedOperation errors in isolated regions (#47091)
resource/aws_msk_cluster: Fix a request parameter error when updating broker_node_group_info.vpc_connectivity configuration block. This fixes a regression introduced in v6.40.0 (#47515)
resource/aws_odb_network: Fix runtime error: invalid memory address or nil pointer dereference panic in statusManagedService() and statusNetwork() when FindOracleDBNetworkResourceByID returns a nil result during resource creation (#47159)
resource/aws_securityhub_member: Only set email if returned by AWS API and don't recompute invite from member_status. This prevents drift for organization members (#47106)

`v6.41.0`

Compare Source

FEATURES:

New List Resource: aws_api_gateway_integration (#47370)
New List Resource: aws_api_gateway_integration_response (#47388)
New List Resource: aws_api_gateway_method (#47365)
New List Resource: aws_api_gateway_method_response (#47387)
New List Resource: aws_api_gateway_resource (#47382)
New List Resource: aws_api_gateway_rest_api (#47404)
New List Resource: aws_apigatewayv2_route (#47452)
New List Resource: aws_cloudfront_distribution (#47459)
New List Resource: aws_cloudwatch_alarm_mute_rule (#46750)
New List Resource: aws_cloudwatch_log_subscription_filter (#47451)
New List Resource: aws_nat_gateway (#47349)
New List Resource: aws_sns_topic_policy (#47445)
New Resource: aws_cloudwatch_alarm_mute_rule (#46750)

ENHANCEMENTS:

data-source/aws_ecs_task_definition: Add volume.s3files_volume_configuration attribute (#47363)
data-source/aws_opensearch_domain: Add deployment_strategy_options block (#47401)
resource/aws_api_gateway_integration: Add resource identity support (#47357)
resource/aws_api_gateway_integration_response: Add resource identity support (#47366)
resource/aws_api_gateway_method: Add resource identity support (#47310)
resource/aws_api_gateway_method_response: Add resource identity support (#47360)
resource/aws_api_gateway_resource: Add resource identity support (#47358)
resource/aws_api_gateway_rest_api: Add resource identity support (#47384)
resource/aws_apigatewayv2_api: Add resource identity support (#47465)
resource/aws_apigatewayv2_route: Add resource identity support (#47441)
resource/aws_autoscaling_group: Add Resource Identity support (#47381)
resource/aws_autoscaling_lifecycle_hook: Add Resource Identity support (#47381)
resource/aws_autoscaling_notification: Add plan-time validation of topic_arn (#47381)
resource/aws_autoscaling_policy: Add Resource Identity support (#47381)
resource/aws_autoscaling_traffic_source_attachment: Add import support (#47381)
resource/aws_budgets_budget: Add metrics attribute (#47047)
resource/aws_cloudwatch_log_subscription_filter: Add Resource Identity support (#47451)
resource/aws_directory_service_directory: add enable_directory_data_access argument (#44736)
resource/aws_dynamodb_table: Add Resource Identity support (#47301)
resource/aws_ecs_task_definition: Add volume.s3files_volume_configuration argument (#47363)
resource/aws_elasticache_user: Add passwords_wo and passwords_wo_version write-only arguments (#45988)
resource/aws_launch_configuration: Add Resource Identity support (#47381)
resource/aws_opensearch_domain: Add deployment_strategy_options configuration block (#47401)

BUG FIXES:

data-source/aws_outposts_asset: Fix nil pointer dereference panic when asset has no ComputeAttributes or AssetLocation (#47450)
list-resource/aws_lb: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener_rule: Fixes error when no results are returned (#47455)
list-resource/aws_lb_target_group: Fixes error when no results are returned (#47455)
resource/aws_autoscaling_traffic_source_attachment: Change traffic_source to Required (#47381)
resource/aws_budgets_budget: Add missing metrics attribute required for filter_expression (#47047)
resource/aws_cloudfront_multitenant_distribution: Allows disabling the enforcement of a response_completion_timeout for Origins, by removing its default value (#46329)
resource/aws_cloudfront_multitenant_distribution: Fix function_association and lambda_function_association block ordering producing inconsistent result after apply when multiple associations are configured (#46378)
resource/aws_cloudfront_multitenant_distribution: Fix origin block ordering producing inconsistent result after apply when multiple origins are configured (#47199)
resource/aws_dynamodb_global_secondary_index: Fixes error when key_type is unknown during plan-time. (#47456)
resource/aws_dynamodb_table: Prevents validation error when global secondary index range_key is set to empty string (#47427)
resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)
resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)

`v6.40.0`

Compare Source

FEATURES:

New Data Source: aws_opensearchserverless_collection_group (#46308)
New Data Source: aws_opensearchserverless_collection_groups (#46308)
New Data Source: aws_s3files_access_point (#47352)
New Data Source: aws_s3files_file_system (#47344)
New Data Source: aws_s3files_file_systems (#47344)
New Data Source: aws_s3files_mount_target (#47347)
New List Resource: aws_config_config_rule (#47319)
New List Resource: aws_glue_job (#47266)
New List Resource: aws_opensearchserverless_collection_group (#46308)
New List Resource: aws_s3files_access_point (#47352)
New List Resource: aws_s3files_file_system (#47325)
New List Resource: aws_s3files_file_system_policy (#47355)
New List Resource: aws_s3files_mount_target (#47347)
New List Resource: aws_s3files_synchronization_configuration (#47353)
New List Resource: aws_ssm_association (#47321)
New List Resource: aws_ssm_patch_group (#47329)
New Resource: aws_opensearchserverless_collection_group (#46308)
New Resource: aws_s3files_access_point (#47352)
New Resource: aws_s3files_file_system (#47325)
New Resource: aws_s3files_file_system_policy (#47355)
New Resource: aws_s3files_mount_target (#47347)
New Resource: aws_s3files_synchronization_configuration (#47353)
New Resource: aws_servicequotas_auto_management (#45968)

ENHANCEMENTS:

data-source/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type attribute (#47279)
resource/aws_cloudformation_stack_set: Add depends_on_stack_sets to auto_deployment configuration block (#47269)
resource/aws_config_config_rule: Add Resource Identity support (#47286)
resource/aws_config_configuration_aggregator: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder_status: Add Resource Identity support (#47286)
resource/aws_config_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_delivery_channel: Add Resource Identity support (#47286)
resource/aws_config_organization_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_policy_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_managed_rule: Add Resource Identity support (#47286)
resource/aws_config_remediation_configuration: Add Resource Identity support (#47286)
resource/aws_config_retention_configuration: Add Resource Identity support (#47286)
resource/aws_controltower_landing_zone: Add remediation_types attribute (#46549)
resource/aws_glue_job: Add Resource Identity support (#47266)
resource/aws_iam_instance_profile: Add resource identity support (#47307)
resource/aws_kinesisanalyticsv2_application: Support FLINK-2_2 as a valid value for runtime_environment (#47207)
resource/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type argument (#47279)
resource/aws_opensearchserverless_access_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_lifecycle_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_config: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_vpc_endpoint: Add Resource Identity support (#47262)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.data_export.storage_lens_table_destination argument (#47152)
resource/aws_ssm_patch_group: Add resource identity support (#47318)

BUG FIXES:

resource/aws_bcmdataexports_export: Allows empty values in export.data_query.table_configurations (#47261)
resource/aws_cloudwatch_log_metric_filter: Fix validation to count pattern length in UTF-8 characters (#47287)
resource/aws_config_configuration_recorder_status: Mark name as as ForceNew (#47286)
resource/aws_organizations_account: Fix AccountAlreadyClosedException error when deleting an account that has already been closed with close_on_deletion set to true (#46627)
resource/aws_s3_bucket_server_side_encryption_configuration: Change rule.apply_server_side_encryption_by_default.kms_master_key_id, rule.blocked_encryption_types, and rule.bucket_key_enabled to Optional and Computed, preventings diffs once SSE-C is disabled for all new general purpose buckets (#47359)
resource/aws_uxc_account_customizations: Fix inconsistent result error when visible_regions or visible_services is set to an explicit empty set ([]) (#47290)

`v6.39.0`

Compare Source

NOTES:

data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version ([#47

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Europe/London)

Branch creation
- "before 10am on friday"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-03-27T00:58:53Z

Warning

[Medium Risk] New API access instance exposes an unauthenticated port 9090 service to the entire internal network

The change creates a new EC2 instance github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server in subnet-07b5b1fb2ba02f964 and starts a custom Python health server bound to 0.0.0.0:9090. It is attached to sg-03cf38efd953aa056 and sg-089e5107637083db5, and the plan also registers it with the api-health-terraform-example target group on port 9090. Current security-group state shows sg-089e5107637083db5 allows inbound 9090 from all of 10.0.0.0/8, so the new listener will be reachable across a very large internal address space instead of only from the monitoring load balancer or a tightly scoped source.

This weakens segmentation and expands attack surface in production. Any instance or peered network path that can source traffic from 10.0.0.0/8 will be able to probe the unauthenticated HTTP service, and the instance is being placed in a subnet already used for public-facing ALB infrastructure rather than an isolated private application tier. That is a real security and network-boundary risk under SEC05-BP01 and SEC05-BP02, even though the stronger claims about IP exhaustion, ENI reassignment, or EBS data loss were not substantiated by this plan.
_{View reasoning tree here.}

Signals

Routine → Multiple AWS infrastructure resources showing unusual, infrequent change patterns at 1-2 events/week for the last 3 months, with some related resources at 1 event/week for the last 5 weeks, which is rare compared to typical patterns.
Policies → S3 storage resources are missing required tags and do not have server-side encryption configured, while a security group allows SSH (port 22) access from anywhere (0.0.0.0/0), showing unusual policy violations that may need review.

_{Additional Change Details:} Items 223 Edges 325 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

github-actions

⛔ Auto-Blocked

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

Routine 🔴 -5

Policies 🔴 -3

🔥 Risks Summary

High 1 · Medium 0 · Low 0

💥 Blast Radius

Items 77 · Edges 252

View full analysis in Overmind ↗

renovate Bot added dependencies Renovatebot and dependabot updates terraform labels Mar 27, 2026

renovate Bot enabled auto-merge (squash) March 27, 2026 00:52

github-actions Bot requested changes Mar 27, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from ba884cb to 12213ca Compare March 31, 2026 20:58

renovate Bot changed the title ~~chore(deps): update terraform aws to v6.38.0~~ chore(deps): update terraform Mar 31, 2026

renovate Bot force-pushed the renovate/terraform branch from 12213ca to 97c66a8 Compare April 1, 2026 23:30

github-actions Bot requested changes Apr 1, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 97c66a8 to 602c793 Compare April 7, 2026 21:51

github-actions Bot requested changes Apr 7, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 602c793 to 0f43049 Compare April 9, 2026 00:33

github-actions Bot requested changes Apr 9, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 0f43049 to a110d8e Compare April 15, 2026 03:03

github-actions Bot requested changes Apr 15, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from a110d8e to 23a5eca Compare April 16, 2026 03:02

github-actions Bot requested changes Apr 16, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch 3 times, most recently from 68cb654 to 23ab534 Compare April 28, 2026 20:33

renovate Bot force-pushed the renovate/terraform branch 3 times, most recently from b2a3f42 to 9b4ae74 Compare May 6, 2026 22:45

renovate Bot force-pushed the renovate/terraform branch 4 times, most recently from 7e23daa to eee63e9 Compare May 19, 2026 21:52

chore(deps): update terraform

198048f

renovate Bot force-pushed the renovate/terraform branch from eee63e9 to 198048f Compare May 21, 2026 01:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update terraform#514

chore(deps): update terraform#514
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/terraform

renovate Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Configuration

Uh oh!

github-actions Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Signals

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Mar 27, 2026 •

edited

Loading

github-actions Bot commented Mar 27, 2026 •

edited

Loading