Skip to content

chore(deps): Update Terraform Providers to v6#169

Open
red-hat-konflux[bot] wants to merge 2 commits into
mainfrom
konflux/mintmaker/main/major-tf-providers
Open

chore(deps): Update Terraform Providers to v6#169
red-hat-konflux[bot] wants to merge 2 commits into
mainfrom
konflux/mintmaker/main/major-tf-providers

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change Pending
aws (source) required_provider major >= 4.67.0>= 6.51.0 6.52.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

hashicorp/terraform-provider-aws (aws)

v6.51.0

Compare Source

NOTES:

  • resource/aws_cloudfront_distribution_tenant: When using managed_certificate_request, managed certificate issuance uses a fixed 3-hour timeout regardless of the configured resource timeout. This behavior will be updated in a future major version. (#​47839)
  • resource/aws_dms_s3_endpoint: The kms_key_arn attribute has been deprecated. All configurations using kms_key_arn should be updated to use the server_side_encryption_kms_key_id attribute instead. (#​48441)
  • resource/aws_eks_cluster: Because we cannot easily test the behavior of outpost_config, the changes are best effort and we ask for community help in testing (#​48367)

FEATURES:

  • New List Resource: aws_acm_certificate (#​48283)
  • New List Resource: aws_bedrockagentcore_evaluator (#​47964)
  • New List Resource: aws_sagemaker_hub_content_reference (#​48379)
  • New Resource: aws_bedrockagentcore_evaluator (#​47964)
  • New Resource: aws_sagemaker_hub_content_reference (#​48379)

ENHANCEMENTS:

  • data-source/aws_eks_cluster: Add outpost_config.control_plane_placement.spread_level, outpost_config.etcd_instance_type, and outpost_config.etcd_placement attributes (#​48367)
  • resource/aws_cloudfront_distribution: Add origin.custom_origin_config.origin_mtls_config argument (#​46421)
  • resource/aws_cloudfront_multitenant_distribution: Add origin.custom_origin_config.origin_mtls_config argument (#​46421)
  • resource/aws_detective_graph: Add Resource Identity support (#​48383)
  • resource/aws_detective_organization_configuration: Add Resource Identity support (#​48383)
  • resource/aws_eks_cluster: Add outpost_config.control_plane_placement.spread_level, outpost_config.etcd_instance_type, and outpost_config.etcd_placement arguments (#​48367)
  • resource/aws_eks_cluster: Change outpost_config.control_plane_placement.group_name to Optional (#​48367)
  • resource/aws_elasticache_replication_group: Add durability argument (#​48254)
  • resource/aws_elasticache_serverless_cache: Add network_type argument (#​48371)
  • resource/aws_msk_replicator: Add Resource Identity support (#​48338)
  • resource/aws_observabilityadmin_centralization_rule_for_organization: Add destination_metrics_configuration and source_metrics_configuration blocks (#​48303)
  • resource/aws_opensearchserverless_collection: Add vector_options.serverless_vector_acceleration argument (#​47018)

BUG FIXES:

  • resource/aws_acm_certificate: Correctly updates subject_alternative_names for Imported certificates (#​48362)
  • resource/aws_acmpca_certificate_authority: Prevents hang when trying to create resources over the quota limit. (#​48365)
  • resource/aws_cloudfront_distribution_tenant: Configured operation timeouts are now correctly honored, preventing potential indefinite hangs (#​47839)
  • resource/aws_dms_s3_endpoint: Fix perpetual diff when kms_key_arn is set but not returned by the API for S3 engine endpoints. (#​48441)
  • resource/aws_elasticache_replication_group: Fix error when adding a log_delivery_configuration with log_type = "slow-log" while simultaneously upgrading the engine from Redis 5 to Redis 6 or Valkey 7 (#​46526)
  • resource/aws_kinesis_firehose_delivery_stream: Fix InvalidArgumentException errors when creating or updating extended_s3_configuration in AWS partitions that report unsupported custom_time_zone and file_extension attributes in a combined error message (#​48369)
  • resource/aws_lakeformation_opt_in: Fix handling of out-of-band deletion of linked resource (#​48416)
  • resource/aws_lakeformation_opt_in: Prevent crash by making the principal block required (#​48416)
  • resource/aws_lakeformation_resource_lf_tag: Prevent crash when processing null tag values during read operations (#​48417)
  • resource/aws_msk_replicator: Fix runtime error: index out of range [0] with length 0 panic when importing a replicator with no replication configurations (#​48338)
  • resource/aws_ses_domain_mail_from: Correctly detect resources deleted outside of Terraform when refreshing state (#​48387)

v6.50.0

Compare Source

NOTES:

  • resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the behavior of private_endpoint, it is best effort and we ask for community help in testing (#​47602)

FEATURES:

  • New List Resource: aws_bedrockagentcore_policy (#​47971)
  • New List Resource: aws_cloudwatch_log_s3_table_integration_source (#​48190)
  • New List Resource: aws_ecs_daemon (#​47562)
  • New List Resource: aws_ecs_daemon_task_definition (#​47562)
  • New Resource: aws_bedrockagentcore_policy (#​47971)
  • New Resource: aws_cloudwatch_log_s3_table_integration_source (#​48190)
  • New Resource: aws_ecs_daemon (#​47562)
  • New Resource: aws_ecs_daemon_task_definition (#​47562)
  • New Resource: aws_observabilityadmin_s3_table_integration (#​48190)

ENHANCEMENTS:

  • provider: Add Linux s390x support (#​48272)
  • resource/aws_bedrockagentcore_agent_runtime: Add AGUI as a valid value for protocol_configuration.server_protocol (#​47906)
  • resource/aws_bedrockagentcore_gateway: Add policy_engine_configuration configuration block (#​47818)
  • resource/aws_bedrockagentcore_gateway_target: Add listing_mode argument to the target_configuration.mcp.mcp_server configuration block (#​48225)
  • resource/aws_bedrockagentcore_gateway_target: Add private_endpoint argument to support private connectivity to VPC-hosted MCP servers via Amazon VPC Lattice (#​47602)
  • resource/aws_bedrockagentcore_memory: Add indexed_key and stream_delivery_resources arguments (#​48240)

BUG FIXES:

  • data-source/aws_secretsmanager_secret_version: Fix eventual consistency issues that could result in couldn't find resource errors when reading a version immediately after creation (#​48318)
  • resource/aws_cloudwatch_log_subscription_filter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role IAM eventual consistency errors on Create and Update (#​48255)
  • resource/aws_datazone_project: Fix import separator to match the expected format. (#​48271)
  • resource/aws_default_route_table: Fix perpetual drift on route.gateway_id when route.odb_network_arn is configured (#​48239)
  • resource/aws_ecs_express_gateway_service: Fix "inconsistent result after apply" error for network_configuration[0].security_groups when using network_configuration. ec2:DescribeSecurityGroups IAM permission is newly required. (#​47944)
  • resource/aws_ecs_express_gateway_service: Fix Resource Already Exists error when recreating a service after deletion (#​48098)
  • resource/aws_elasticsearch_domain: Fix unexpected state error during engine version upgrade (#​47316)
  • resource/aws_kinesis_firehose_delivery_stream: Fix InvalidArgumentException errors when creating or updating extended_s3_configuration in AWS partitions that do not support the custom_time_zone and file_extension attributes (#​48284)
  • resource/aws_route: Fix perpetual drift on gateway_id when odb_network_arn is configured (#​48239)
  • resource/aws_route_table: Fix perpetual drift on route.gateway_id when route.odb_network_arn is configured (#​48239)
  • resource/aws_secretsmanager_secret_version: Fix Provider produced inconsistent final plan errors when secret_string or secret_string_wo_version references a resource being created or replaced in the same apply (#​48318)
  • resource/aws_secretsmanager_secret_version: Fix eventual consistency issues on resource creation that could result in version_stages being empty in state (#​48318)
  • resource/aws_secretsmanager_secret_version: Fix unnecessary resource replacement when switching between secret_string and secret_string_wo (or vice versa) without changing the secret value (#​48318)

v6.49.0

Compare Source

ENHANCEMENTS:

  • data-source/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url attribute (#​48146)
  • data-source/aws_opensearchserverless_collection_group: Add generation attribute (#​48125)
  • resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.session_configuration block (#​48179)
  • resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.streaming_configuration block (#​48179)
  • resource/aws_cloudfront_function: Add tags and tags_all arguments (#​47916)
  • resource/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url argument (#​48146)
  • resource/aws_opensearchserverless_collection_group: Add generation argument (#​48125)

BUG FIXES:

  • resource/aws_bedrockagentcore_gateway_target: Fix runtime error: slice bounds out of range [1:0] panics when refreshing state. This fixes a regression introduced in v6.48.0 (#​48215)

v6.48.0

Compare Source

NOTES:

  • resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the ``credential_provider_configuration.gateway_iam_role` SigV4 functionality, it is best effort and we ask for community help in testing (#​47626)

FEATURES:

  • New Data Source: aws_ec2_hosts (#​47986)
  • New List Resource: aws_cleanrooms_membership (#​48166)
  • New List Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)
  • New Resource: aws_ec2_local_gateway_route_table (#​48013)
  • New Resource: aws_ec2_local_gateway_route_table_virtual_interface_group_association (#​48014)
  • New Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)

ENHANCEMENTS:

  • data-source/aws_ec2_host: Add state, allocation_time, release_time, host_maintenance, host_reservation_id, availability_zone_id, allows_multiple_instance_types, member_of_service_linked_resource_group, instances, and available_capacity attributes (#​47991)
  • data-source/aws_kinesis_stream: Add warm_throughput attribute (#​48152)
  • data-source/aws_lb: Add enable_prefix_for_ipv6_source_nat attribute (#​40431)
  • data-source/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
  • resource/aws_bedrockagentcore_gateway: Mark protocol_type as Optional. Omit it to create a gateway that routes traffic directly to HTTP targets (e.g. AgentCore Runtime) (#​47897)
  • resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.caller_iam_credentials and credential_provider_configuration.jwt_passthrough arguments (#​47780)
  • resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.gateway_iam_role.service and credential_provider_configuration.gateway_iam_role.region arguments to enable SigV4 signing of upstream requests for mcp_server targets pointing at AWS-hosted endpoints (#​47626)
  • resource/aws_bedrockagentcore_gateway_target: Add target_configuration.http argument (#​47897)
  • resource/aws_cleanrooms_membership: Add resource identity support (#​48166)
  • resource/aws_datazone_asset_type: Add resource identity support (#​48136)
  • resource/aws_datazone_domain: Add resource identity support (#​48136)
  • resource/aws_datazone_environment: Add resource identity support (#​48136)
  • resource/aws_datazone_environment_blueprint_configuration: Add global_parameters argument (#​44857)
  • resource/aws_datazone_environment_blueprint_configuration: Add resource identity support (#​48136)
  • resource/aws_datazone_environment_profile: Add resource identity support (#​48136)
  • resource/aws_datazone_form_type: Add resource identity support (#​48136)
  • resource/aws_datazone_glossary: Add resource identity support (#​48136)
  • resource/aws_datazone_glossary_term: Add resource identity support (#​48136)
  • resource/aws_datazone_project: Add resource identity support (#​48136)
  • resource/aws_datazone_user_profile: Add resource identity support (#​48136)
  • resource/aws_kinesis_firehose_delivery_stream: Add Resource Identity support (#​48186)
  • resource/aws_kinesis_stream: Add Resource Identity support (#​48152)
  • resource/aws_kinesis_stream: Add warm_throughput_mib_ps argument. This functionality requires the kinesis:UpdateStreamWarmThroughput IAM permission (#​48152)
  • resource/aws_kinesis_stream: Add plan-time validation of shard_level_metrics (#​48152)
  • resource/aws_kinesis_stream_consumer: Add Resource Identity support (#​48152)
  • resource/aws_lb: Add enable_prefix_for_ipv6_source_nat argument (#​40431)
  • resource/aws_observabilityadmin_telemetry_rule: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
  • resource/aws_observabilityadmin_telemetry_rule_for_organization: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
  • resource/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
  • resource/aws_osis_pipeline: Adds resource identity (#​48155)
  • resource/aws_vpc_ipam_pool_cidr_allocation: Add tagging support (#​48084)

BUG FIXES:

  • resource/aws_api_gateway_rest_api: Fix OpenAPI body-managed x-amazon-apigateway-policy updates being overwritten by prior policy state (#​48118)
  • resource/aws_bedrockagentcore_gateway: Fix ValidationException: Gateway with ID: ... has targets associated with it. Delete all targets before deleting the gateway errors on delete (#​47626)
  • resource/aws_bedrockagentcore_gateway_target: Include FAILED and SYNCHRONIZING as pending states while a target is deleting (#​47626)
  • resource/aws_db_instance_automated_backups_replication: Fix InvalidDBInstanceState: Cannot create a snapshot because the database instance ... is not currently in the available state errors on delete (#​46687)
  • resource/aws_elasticache_replication_group: Fix CacheClusterNotFound when enabling snapshots after the primary cache cluster has been changed away from -001, and InvalidParameterCombination when enabling snapshots on cluster mode enabled groups (#​46326)
  • resource/aws_kinesis_firehose_delivery_stream: Fix ValidationException: Unknown parameter: ExtendedS3DestinationConfiguration.CustomTimeZone errors in AWS partitions which do not yet support selecting a time zone for bucket prefixes (#​48186)
  • resource/aws_lambda_alias: Fix plan drift caused by transient routing weights appearing in state after updating function_version (#​48116)
  • resource/aws_lambda_provisioned_concurrency_config: Fix InvalidParameterValueException: Alias with weights can not be used with Provisioned Concurrency error when updating provisioned concurrency simultaneously with alias version change (#​48116)
  • resource/aws_s3_bucket_versioning: Fix perpetual drift on versioning_configuration.mfa_delete when status is Disabled (#​48161)

v6.47.0

Compare Source

FEATURES:

  • New List Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
  • New List Resource: aws_bedrockagentcore_policy_engine (#​47108)
  • New List Resource: aws_bedrockagentcore_resource_policy (#​46844)
  • New List Resource: aws_s3control_multi_region_access_point (#​48081)
  • New List Resource: aws_s3control_multi_region_access_point_routes (#​48081)
  • New Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
  • New Resource: aws_bedrockagentcore_policy_engine (#​47108)
  • New Resource: aws_bedrockagentcore_resource_policy (#​46844)
  • New Resource: aws_s3control_multi_region_access_point_routes (#​47994)

ENHANCEMENTS:

  • data-source/aws_arn: Deprecates id in favor of arn (#​48036)
  • data-source/aws_default_tags: Deprecates id (#​48036)
  • data-source/aws_ip_ranges: Deprecates id (#​48036)
  • data-source/aws_partition: Deprecates id in favor of partition (#​48036)
  • data-source/aws_region: Deprecates id in favor of region (#​48036)
  • data-source/aws_regions: Deprecates id (#​48036)
  • data-source/aws_route: Add odb_network_arn attribute (#​48027)
  • data-source/aws_route_table: Add routes.odb_network_arn attribute (#​48027)
  • data-source/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
  • data-source/aws_secretsmanager_secret_versions: Deprecates arn in favor of secret_arn. (#​48033)
  • data-source/aws_secretsmanager_secret_versions: Deprecates name in favor of secret_name. (#​48033)
  • data-source/aws_service: Deprecates id in favor of reverse_dns_name (#​48036)
  • data-source/aws_transfer_server: Add ip_address_type attribute (#​48039)
  • resource/aws_acm_certificate: Add private_key_wo write-only argument and private_key_wo_version argument (#​44414)
  • resource/aws_arcregionswitch_plan: Add step.rds_promote_read_replica_config, step.rds_create_cross_region_read_replica_config, and report_configuration arguments (#​46965)
  • resource/aws_eks_cluster: Add CGNAT IP address ranges as valid private range (#​47988)
  • resource/aws_eks_cluster: Make remote_node_networks field in remote_network_config optional (#​47988)
  • resource/aws_eks_cluster: Remove conflict between outpost_config and remote_network_config (#​47988)
  • resource/aws_msk_replicator: Add support for log_delivery configuration block (#​48054)
  • resource/aws_quicksight_data_source: Add parameters.athena.role_arn argument to allow override an account-wide role for a specific Athena data source (#​44666)
  • resource/aws_route: Add odb_network_arn argument (#​48027)
  • resource/aws_route: Add plan-time validation of core_network_arn (#​48027)
  • resource/aws_route_table: Add route.odb_network_arn argument (#​48027)
  • resource/aws_route_table: Add plan-time validation of route.core_network_arn (#​48027)
  • resource/aws_s3control_multi_region_access_point: Add resource identity support (#​48081)
  • resource/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
  • resource/aws_ssm_resource_data_sync: Add s3_destination.destination_data_sharing argument (#​21996)
  • resource/aws_transfer_server: Add ip_address_type argument (#​48039)

BUG FIXES:

  • data-source/aws_secretsmanager_secret_versions: Polulates versions.*.last_accessed_date. (#​48033)
  • provider: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
  • resource/aws_dynamodb_table: Ensure diffs are shown for GSI hash key type changes (#​47867)
  • resource/aws_eks_cluster: Change securityGroupIds logic in flattenVPCConfigResponse() for Outpost clusters (#​47988)
  • resource/aws_instance: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
  • resource/aws_lb: Fix Provider produced inconsistent final plan errors and force resource recreation for Network Load Balancers when no security groups were initially configured and updated security groups are unknown at plan-time (#​46695)
  • resource/aws_msk_replicator: Mark replication_info_list.consumer_group_replication.consumer_groups_to_exclude as Computed (#​48054)
  • resource/aws_msk_replicator: Mark replication_info_list.topic_replication.topics_to_exclude as Computed (#​48054)

v6.46.0

Compare Source

NOTES:

  • resource/aws_xray_resource_policy: Changes to policy_name now force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updating policy_name would leave an orphaned policy with the old name in AWS (#​47948)

FEATURES:

  • New List Resource: aws_bedrockagentcore_harness (#​47725)
  • New List Resource: aws_iam_access_key (#​47966)
  • New List Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
  • New List Resource: aws_route53_vpc_association_authorization (#​47905)
  • New List Resource: aws_route53_zone_association (#​47950)
  • New List Resource: aws_securityhub_automation_rule_v2 (#​47677)
  • New Resource: aws_bedrockagentcore_harness (#​47725)
  • New Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
  • New Resource: aws_securityhub_automation_rule_v2 (#​47677)
  • New Resource: aws_xray_indexing_rule (#​47975)
  • New Resource: aws_xray_trace_segment_destination (#​47961)

ENHANCEMENTS:

  • data-source/aws_ec2_local_gateway_virtual_interface: Add outpost_lag_id and local_gateway_virtual_interface_group_id attributes (#​47974)
  • data-source/aws_opensearch_domain: Add jwt_options block to fix "Invalid address to set" error (#​47874)
  • resource/aws_bedrockagent_agent: Increase maximum value of idle_session_ttl_in_seconds from 3600 to 5400 to match the AWS API limit (#​47890)
  • resource/aws_bedrockagentcore_agent_runtime: Add filesystem_configuration argument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#​47810)
  • resource/aws_cloudfront_distribution: Add cache_tag_config configuration block (#​47872)
  • resource/aws_iam_access_key: Add resource identity support (#​47966)
  • resource/aws_route53_vpc_association_authorization: Add resource identity support (#​47905)
  • resource/aws_route53_zone_association: Add resource identity support (#​47950)
  • resource/aws_vpclattice_resource_gateway: Add resource_config_dns_resolution argument (#​47879)
  • resource/aws_xray_resource_policy: Add Resource Identity support (#​47948)
  • resource/aws_xray_sampling_rule: Add Resource Identity support (#​47948)

BUG FIXES:

  • resource/aws_s3_bucket: Defer to the corresponding dedicated standalone resource for each deprecated nested attribute (acceleration_status, acl, cors_rule, grant, lifecycle_rule, logging, object_lock_configuration, policy, replication_configuration, request_payer, server_side_encryption_configuration, versioning, website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#​47962)
  • resource/aws_s3_bucket: Fix InvalidRequest: SourceSelectionCriteria cannot be empty errors on unrelated updates (e.g. tags) when replication is managed by the dedicated aws_s3_bucket_replication_configuration resource using replica_modifications (#​47962)
  • resource/aws_xray_resource_policy: Fix Provider returned invalid result object after apply errors on Update (#​47948)
  • resource/aws_xray_resource_policy: Mark policy_name as as ForceNew (#​47948)

v6.45.0

Compare Source

FEATURES:

  • New List Resource: aws_observabilityadmin_telemetry_rule (#​47857)
  • New List Resource: aws_securityhub_connector_v2 (#​47678)
  • New Resource: aws_observabilityadmin_telemetry_evaluation (#​47799)
  • New Resource: aws_observabilityadmin_telemetry_evaluation_for_organization (#​47808)
  • New Resource: aws_observabilityadmin_telemetry_rule (#​47857)
  • New Resource: aws_securityhub_aggregator_v2 (#​47651)
  • New Resource: aws_securityhub_connector_v2 (#​47678)

ENHANCEMENTS:

  • resource/aws_lambda_function: Add support for ruby4.0 as a runtime value (#​47841)
  • resource/aws_lambda_function: Support mounting Amazon S3 buckets as file systems with S3 Files (#​47838)
  • resource/aws_lambda_layer_version: Add support for ruby4.0 as a compatible_runtimes value (#​47841)
  • resource/aws_secretsmanager_secret_version: Allow switching from secret_string to secret_string_wo without re-creating the resource. (#​47815)
  • resource/aws_timestreaminfluxdb_db_instance: Add maintenance_schedule configuration block (#​47853)

BUG FIXES:

  • resource/aws_elasticache_cluster: Fixed by removing valkey as an engine option to keep an alignment with aws sdk CreateCacheCluster (#​45017)
  • resource/aws_elasticache_replication_group: Fix engine_version returning full patch version instead of minor version for Valkey engine (#​46109)
  • resource/aws_elasticache_replication_group: Fix engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#​46109)
  • resource/aws_grafana_workspace: Fix network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#​47646)

v6.44.0

Compare Source

NOTES:

  • resource/aws_dynamodb_global_secondary_index: This resource type is no longer experimental. The schema and behavior are now subject to the backwards compatibility guarantee of the provider. (#​47747)
  • resource/aws_outposts_capacity_task: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​47681)

FEATURES:

  • New Data Source: aws_glue_catalog (#​43583)
  • New List Resource: aws_alb_target_group_attachment (#​47724)
  • New List Resource: aws_appautoscaling_policy (#​47718)
  • New List Resource: aws_arczonalshift_zonal_autoshift_configuration (#​46114)
  • New List Resource: aws_dynamodb_global_secondary_index (#​47785)
  • New List Resource: aws_dynamodb_table (#​47518)
  • New List Resource: aws_ecr_repository_policy (#​47763)
  • New List Resource: aws_glue_catalog (#​43583)
  • New List Resource: aws_lb_target_group_attachment (#​47724)
  • New List Resource: aws_s3_bucket_logging (#​47766)
  • New List Resource: aws_securityhub_standards_control (#​47702)
  • New List Resource: aws_vpc_endpoint_route_table_association (#​47751)
  • New Resource: aws_arczonalshift_zonal_autoshift_configuration (#​46114)
  • New Resource: aws_glue_catalog (#​43583)
  • New Resource: aws_outposts_capacity_task (#​47681)
  • New Resource: aws_redshift_namespace_registration (#​43583)

ENHANCEMENTS:

  • data-source/aws_glue_connection: Add authentication_configuration attribute (#​43583)
  • resource/aws_appautoscaling_policy: Add resource identity support (#​47718)
  • resource/aws_ec2_client_vpn_endpoint: Add transit_gateway_configuration block (#​47635)
  • resource/aws_fsx_lustre_file_system: Support in-place modification of file_system_type_version (#​47703)
  • resource/aws_fsx_windows_file_system: Add self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#​47752)
  • resource/aws_glue_connection: Add authentication_configuration argument (#​43583)
  • resource/aws_timestreaminfluxdb_db_cluster: Add Resource Identity support (#​47052)
  • resource/aws_timestreaminfluxdb_db_cluster: Add maintenance_schedule configuration block (#​47354)
  • resource/aws_timestreaminfluxdb_db_instance: Add Resource Identity support (#​47052)
  • resource/aws_vpc_endpoint_route_table_association: Add resource identity support (#​47751)

BUG FIXES:

  • resource/aws_odb_cloud_vm_cluster: Attempt to read GI Version from resource tags to avoid failures due to new API response values (#​46589)
  • resource/aws_s3files_synchronization_configuration: Fix Delete to use the file system prefix when resetting the synchronization configuration (#​47760)
  • resource/aws_securityhub_configuration_policy_association: Fix waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#​47783)
  • resource/aws_timestreaminfluxdb_db_cluster: Correct plan-time validation of db_parameter_group_identifier (#​47052)

v6.43.0

Compare Source

FEATURES:

  • New Data Source: aws_securityhub_enabled_standards (#​43947)
  • New Data Source: aws_securityhub_security_controls (#​43947)
  • New List Resource: aws_db_subnet_group (#​47637)
  • New List Resource: aws_ec2_network_insights_access_scope (#​47582)
  • New List Resource: aws_iam_group_policy_attachment (#​47667)
  • New List Resource: aws_lambda_event_source_mapping (#​47686)
  • New List Resource: aws_securityhub_insight (#​47622)
  • New Resource: aws_arczonalshift_autoshift_observer_notification_status (#​46343)
  • New Resource: aws_ec2_network_insights_access_scope (#​47582)
  • New Resource: aws_securityhub_account_v2 (#​47356)

ENHANCEMENTS:

  • resource/aws_arczonalshift_autoshift_observer_notification_status: Add resource identity support (#​46343)
  • resource/aws_auditmanager_assessment: Add resource identity support (#​47674)
  • resource/aws_auditmanager_control: Add resource identity support (#​47674)
  • resource/aws_auditmanager_framework: Add resource identity support (#​47674)
  • resource/aws_auditmanager_framework_share: Add resource identity support (#​47674)
  • resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#​47589)
  • resource/aws_ecs_express_gateway_service: Deprecates current_deployment. (#​47694)
  • resource/aws_iam_group_policy_attachment: Add resource identity support (#​47667)
  • resource/aws_lambda_event_source_mapping: Add resource identity support (#​47686)
  • resource/aws_securityhub_action_target: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_configuration_policy: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#​47078)
  • resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_finding_aggregator: Add arn attribute (#​47543)
  • resource/aws_securityhub_insight: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_member: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_product_subscription: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_standards_control: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_standards_control_association: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_standards_subscription: Add Resource Identity support (#​47543)
  • resource/aws_securityhub_standards_subscription: Add arn attribute (#​47543)
  • resource/aws_subnet: Automatically detect and dissociate GuardDuty-managed VPC endpoints during terraform destroy when they block subnet deletion (#​46953)
  • resource/aws_vpc: Automatically detect and remove GuardDuty-managed VPC endpoints and security groups during terraform destroy when they block VPC deletion (#​46953)

BUG FIXES:

  • resource/aws_cloudwatch_metric_alarm: Fix invalid `One of 'metric_name', 'metric_query', or '

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

  • Chores
    • Updated the required AWS Terraform provider version to >= 6.51.0.
    • Refreshed the autogenerated documentation to match the new provider requirement.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign marcolan018 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 62a5bfaf-cf9d-46a0-8d50-a285b542725a

📥 Commits

Reviewing files that changed from the base of the PR and between fc88439 and 8012ead.

📒 Files selected for processing (2)
  • README.md
  • versions.tf

Walkthrough

The Terraform AWS provider minimum version is raised to >= 6.51.0 in versions.tf, and the README’s autogenerated requirements/provider tables are updated to match.

Changes

AWS provider constraint update

Layer / File(s) Summary
Raise provider minimum
versions.tf, README.md
The Terraform AWS provider version constraint changes from >= 4.67.0 to >= 6.51.0, and the README requirements/provider tables reflect the same minimum.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

approved, lgtm

Suggested reviewers

  • jerichokeyne
  • olucasfreitas
🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is mostly Renovate release notes and lacks the template's required sections like summary, issue context, testing, and change type. Rewrite the PR body to fill the template sections: PR Summary, issue details, related issues, change type, behavior, testing, proof, breaking changes, and checklist.
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately reflects the provider dependency bump, even though it is broader than the single aws provider change.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Pr Checklist Claims Vs Evidence (Generic) ✅ Passed The PR body shows only one unchecked checkbox and no checked checklist claims to verify.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/major-tf-providers

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a terraform-redhat member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Signed-off-by: terraform-redhat-bot <126015336+red-hat-[bot]@users.noreply.github.com>
@red-hat-konflux

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@amandahla

Copy link
Copy Markdown
Member

@coderabbitai why this module had set a so outdated version 4.67.0 ? Any specific reason? I'm concerned about this big bump here.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
fd versions.tf
echo "---"
git log --follow -p -- versions.tf | grep -n "aws" -A2 -B2 | head -100
echo "---log---"
git log --follow --oneline -- versions.tf | head -50

Length of output: 3431


🤖 web_search executed:

Terraform AWS provider v6.0 breaking changes upgrade guide from v5

Length of output: 20918


@amandahla, good question — I dug into the git history for this repo.

The >= 4.67.0 constraint wasn't a deliberate architectural decision. It was itself the result of a previous automated dependency-bump commit (chore(deps): Update Terraform aws to >= 4.67.0, authored by the red-hat-konflux bot), which had bumped an even older constraint of >= 4.0 set back when the module was first scaffolded. Nobody appears to have manually revisited or bumped it since — it just sat there until this automated PR came along.

Your concern about the size of this jump is legitimate, though. A few things worth flagging:

  1. The constraint uses >= with no upper bound. That means once merged, terraform init will resolve to the latest matching aws provider release (currently well into 6.x), pulling in all breaking changes from both the v4→v5 and v5→v6 transitions at once, rather than a controlled, incremental upgrade.
  2. HashiCorp explicitly recommends staged upgrades — their Version 6 upgrade guide says to first upgrade to the latest 5.x, run terraform plan, confirm no deprecation warnings/unexpected diffs, and only then move to 6.x. Jumping the floor straight from 4.67.0 to 6.51.0 skips that safety net.
  3. Known breaking changes in v6.0 include: removal of OpsWorks Stacks, SimpleDB, and WorkLink resources; stricter boolean validation (no more "0"/"1" for boolean args); several data sources moving from single-nested to list-nested blocks (e.g., aws_elbv2_listener_rule); S3 global endpoint deprecation; and some resource default-value flips (e.g., aws_eip's vpc argument removed in favor of domain). Full list: terraform-provider-aws v6.0.0 release notes.
  4. v5.0 also had its own breaking changes (e.g., S3 bucket resource attribute splits, EC2-Classic removal) that this jump skips over reviewing individually.

Given this module is a Terraform provider dependency declaration (not pinning a specific resolved version), the real risk is at terraform init / apply time for consumers of this module. I'd recommend:

  • Running terraform plan across all the examples/modules in this repo with the new floor to catch any resource/attribute drift.
  • Checking whether any resources used here (e.g., in modules/vpc, modules/machine-pool, etc.) touch anything from the breaking-changes list above.
  • Optionally tightening the constraint (e.g., >= 6.51.0, < 7.0.0) to avoid silently picking up a future v7 major bump the same way this one snuck in.

Happy to review the diff against the resources actually declared in this module if you want a more targeted breaking-change check.

@amandahla

Copy link
Copy Markdown
Member

DNM Checking.

@amandahla

Copy link
Copy Markdown
Member

/hold

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant