v2.66.0

FEATURES:

• New Data Source: aws_wafv2_rule_group (#12790)
• New Resource: aws_wafv2_rule_group (#12677)

BUG FIXES:

• resource/aws_autoscaling_group: Allow on_demand_base_capacity to be set to 0 [#13623]
• resource/aws_autoscaling_group: Add Computed field to instances_distribution and it's sub-fields on_demand_allocation_strategy, on_demand_base_capacity, on_demand_percentage_above_base_capacity, and spot_allocation_strategy (#13623)
• resource/aws_autoscaling_group: Remove Default field from instances_distribution sub-fields on_demand_allocation_strategy, on_demand_percentage_above_base_capacity, and spot_allocation_strategy (#13623)
• resource/aws_batch_job_definition: Prevent differences when no command is specified in container properties (#13634)
• resource/aws_instance: Continue supporting empty string ("") private_ip argument (#13640)

v2.65.0

ENHANCEMENTS:

• resource/aws_acm_certificate: Add status attribute (#13513)
• resource/aws_directory_servicedirectory: Add availability_zones attribute to vpc_settings block (#12654)
• resource/aws_directory_servicedirectory: Add availability_zones attribute to connect_settings block (#12654)
• resource/aws_directory_servicedirectory: Add plan time validation to customer_dns_ips in connect_settings block (#12654)
• resource/aws_ec2_client_vpn_endpoint: Add arn attribute and plan time validation to root_certificate_chain_arn (in authentication_options block), client_cidr_block, and server_certificate_arn [#13601]
• resource/aws_instance: Add plan time validation to volume_type(in ebs_block_device and root_block_device blocks), private_ip, ipv6_addresses, and tenancy (#13033)
• resource/aws_lb_listener_rule: Add support for multiple, weighted target groups in forward rules (#12574)
• resource/aws_lb_listener: Add support for multiple, weighted target groups in default actions (#12574)
• resource/aws_workspaces_ip_group: Add plan-time validation for rules.source (#13178)

BUG FIXES:

• resource/aws_acm_certificate: Detect AMAZON_ISSUED type validation_method value directly from API response instead of custom logic (#13513)
• resource/aws_acm_certificate: Increase deletion retries from 10 minutes to 20 minutes (better support API Gateway Custom Domain deletion) (#13513)
• resource/aws_apigatewayv2_stage: Prevent perpetual plan differences with default_route_settings.logging_level argument for HTTP APIs (#12904)
• resource/aws_appmesh_route: Allow configuration of spec http_route action weighted_target weight argument to be 0 (#13539)
• resource/aws_autoscaling_group: Prevent crash with tags argument containing boolean values in Terraform 0.11 and earlier (#13604)
• resource/aws_dynamodb_table: Prevent multiple replica creation/deletion errors (#13523)
• resource/aws_instance: Prevent perpetual plan differences, forcing replacement, with ebs_block_device configuration blocks [#13589]
• resource/aws_kinesis_firehose_delivery_stream: Correctly set kinesis_source_configuration during import to prevent resource recreation (#13536)
• resource/aws_ses_configuration_set: Prevent Provider produced inconsistent result after apply errors during creation or import [#12024]
• resource/aws_workspaces_ip_group: Remove resource from state if deleted outside of Terraform (#13178)

v2.64.0

ENHANCEMENTS:

• data-source/aws_directory_service_directory: connect_settings connect_ips attribute now set (#13395)
• resource/aws_directory_service_directory: connect_settings connect_ips attribute now set (#13395)
• resource/aws_iot_topic_rule: Add step_functions configuration block (#13520)
• resource/aws_ses_event_destination: Support resource import (#13464)

BUG FIXES:

• data-source/aws_elasticsearch_domain: processing is now correctly set (#13397)
• resource/aws_acm_certificate: Update pending DNS validation record creation time from 1 minute to 5 minutes (better support for certificates with high amount of Subject Alternative Names) (#12371)
• resource/aws_api_gateway_method_settings: settings now properly set (#13403)
• resource/aws_autoscaling_group: Ignore ordering differences for tags argument (prevent unexpected differences from version 2.63.0) (#13515)
• resource/aws_codebuild_project: Enable drift detection for environment_variable argument (#6427)
• resource/aws_codebuild_project: Prevent inconsistent final plan errors with source configuration block (#10615)
• resource/aws_ecs_task_definition: Ensure efs_volume_configuration changes are properly detected (#12571] / [#12751)
• resource/aws_lb_cookie_stickiness_policy: cookie_expiration_policy now properly set (#13418)
• resource/aws_lightsail_instance: ram_size now properly set (#13430)
• resource/aws_load_balancer_backend_server_policy: instance_port now properly set (#13418)
• resource/aws_load_balancer_listener_policy: load_balancer_port now properly set (#13418)
• resource/aws_opsworks_application: environment secure now properly set (#13435)
• resource/aws_security_group_rule: Correctly set description after state refresh when source_security_group_id refers to a security group across accounts (#13364)
• resource/aws_ses_active_receipt_rule_set: Recreate resource when destroyed outside of Terraform (#9086)
• resource/aws_ses_event_destination: Correctly refresh entire resource state (prevent unexpected differences from version 2.63.0 and properly perform drift detection) (#13464)
• resource/aws_ses_receipt_rule: Recreate resource when destroyed outside of Terraform (#9086)
• resource/aws_sns_topic: Attributes of type schema.TypeInt are now correctly set (#13437)

v2.63.0

FEATURES:

• New Data Source: aws_efs_access_point (#11965)
• New Data Source: aws_wafv2_ip_set (#12788)
• New Data Source: aws_wafv2_regex_pattern_set (#12789)
• New Resource: aws_efs_access_point (#11965)
• New Resource: aws_efs_file_system_policy (#11960)
• New Resource: aws_wafv2_ip_set (#12119)
• New Resource: aws_wafv2_regex_pattern_set (#12284)

ENHANCEMENTS:

• resource/aws_ssm_document: Add document_version attribute (#13438)
• data-source/aws_ram_resource_share: Add owning_account_id attribute (#13402)
• data-source/aws_lb: Add ip_address_type attribute (#13400)
• data-source/aws_lb_target_group: Add load_balancing_algorithm_type attribute (#13400)
• data-source/aws_rds_cluster: backtrack_window attribute now available (#13362)
• resource/aws_codebuild_webhook: Support COMMIT_MESSAGE value in filter types (#13436)
• resource/aws_cognito_identity_pool_roles_attachment: Add import support (#13440)
• resource/aws_ecs_service: Add force_new_deployment argument (#13376)
• resource/aws_ecs_service: Support in-place updates for ordered_placement_strategy and placement_constraints (#13376)
• resource/aws_eks_node_group: Add force_update_version argument (#13414)
• resource/aws_glue_connection: Add arn argument (#13404)
• resource/aws_iot_topic_rule: Add tags argument (#13293)

BUG FIXES:

• resource/aws_ssm_activation: expired now properly set (#13438)
• resource/aws_redshift_security_group: The resource is now importable (#13431)
• resource/cloudwatch_log_metric_filter: metric_transformation default_value now properly set (#13411)
• data-source/aws_db_instance: auto_minor_version_upgrade attribute now properly set (#13362)
• resource/aws_autoscaling_group: tags propagate_at_launch attribute now properly set (#13360)
• resource/aws_eks_node_group: Only pass release_version value during UpdateNodegroupVersion if changed (#13407)
• resource/aws_network_acl: Fix issue with updating subnet associations returning InvalidAssociationID.NotFound (#13382)

v2.62.0

FEATURES:

• New Resource: aws_workspaces_workspace (#11608)

ENHANCEMENTS:

• resource/aws_appsync_resolver: Add cache_config configuration block (#12747)
• resource/aws_codebuild_project: Support git_submodules_config with GITHUB and GITHUB_ENTERPRISE source types (#13285)
• resource/aws_codebuild_project: Support SECRETS_MANAGER environment variable type (#12572)
• resource/aws_datasync_task: Support ONLY_FILES_TRANSFERRED value in verify_mode argument (#12897)
• resource/aws_iot_topic_rule: Add dynamodbv2 configuration block (#7469)
• resource/aws_iot_topic_rule: Add iot_analytics configuration block (#9859)
• resource/aws_iot_topic_rule: Add iot_events configuration block (#9890)
• resource/aws_iot_topic_rule: Add operation argument to dynamodb configuration block (#12714)
• resource/aws_iot_topic_rule: Add qos argument republish configuration block (#12869)

BUG FIXES:

• resource/aws_codebuild_project: Allow empty value ("") environment variables (#11572)
• resource/aws_security_group_rule: Prevent recreation when source_security_group_id refers to a security group across accounts (#11809)

v2.61.0

FEATURES:

• New Data Source: aws_ec2_coip_pool (#12852)
• New Data Source: aws_ec2_coip_pools (#12852)
• New Data Source: aws_ec2_local_gateway (#12764)
• New Data Source: aws_ec2_local_gateways (#12764)
• New Data Source: aws_ec2_local_gateway_route_table (#13002)
• New Data Source: aws_ec2_local_gateway_route_tables (#13002)
• New Resource: aws_ec2_transit_gateway_peering_attachment_accepter (#11185)

ENHANCEMENTS:

• data-source/aws_ebs_volume: Add multi_attach_enabled attribute (#13108)
• data-source/aws_efs_file_system: Add size_in_bytes attribute (#13125)
• data-source/aws_eip: Add customer_owned_ip and customer_owned_ipv4_pool attributes (#12862)
• data-source/aws_launch_template: add partition_number attribute (#11655)
• resource/aws_api_gateway_deployment: Add triggers argument (#13054)
• resource/aws_apigatewayv2_deployment: Add triggers argument (#13055)
• resource/aws_ebs_volume: Add multi_attach_enabled attribute (#13108)
• resource/aws_eip: Add customer_owned_ip attribute and customer_owned_ipv4_pool argument (#12862)
• resource/aws_glue_connection: Support KAFKA for connection_type argument (#13141)
• resource/aws_launch_template: add partition_number attribute (#11655)
• resource/aws_launch_template: add plan time validation to volume_type, spot_instance_type, ipv6_addresses, ipv4_addresses, private_ip_address` (#11655)
• resource/aws_workspaces_directory: Add output attributes for workspace_security_group_id, iam_role_id, registration_code, directory_name, directory_type, customer_user_name, alias, ip_group_ids and dns_ip_addresses (#13089)

BUG FIXES:

• resource/aws_workspaces_directory: Fixes error when removing tags (#13089)

v2.60.0

NOTES:

• provider: Region validation now automatically supports the new eu-south-1 (Europe (Milan)) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the AWS Documentation. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g. error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid) or AWS operations will throw their own errors (e.g. data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials). (#12970)
• provider: Ignore tags functionality across all data sources and resources (except aws_autoscaling_group) via the provider-level ignore_tags configuration block has been enabled and this functionality is no longer considered in preview. (#13039)

FEATURES:

• New Data Source: aws_backup_plan (#13035)
• New Data Source: aws_backup_selection (#13035)
• New Data Source: aws_backup_vault (#13035)
• New Data Source: aws_ec2_transit_gateway_peering_attachment (#11162)
• New Resource: aws_ec2_transit_gateway_peering_attachment (#11162)
• New Resource: aws_guardduty_organization_admin_account (#13034)
• New Resource: aws_guardduty_organization_configuration (#13034)

ENHANCEMENTS:

• data-source/aws_cloudtrail_service_account: Support eu-south-1 region (#13061)
• data-source/aws_ebs_volume: Add outpost_arn attribute (#12439)
• data-source/aws_elastic_beanstalk_hosted_zone: Support eu-south-1 region (#13061)
• data-source/aws_elb_hosted_zone_id: Add us-gov-east-1 and us-gov-west-1 region values (#12976)
• data-source/aws_elb_hosted_zone_id: Support eu-south-1 region (#13061)
• data-source/aws_elb_service_account: Support eu-south-1 region (#13061)
• data-source/aws_instance: Add outpost_arn attribute (#12330)
• data-source/aws_network_interface: Add outpost_arn attribute (#12440)
• data-source/aws_s3_bucket: Support eu-south-1 region for hosted_zone_id attribute (#13061)
• data-source/aws_subnet: Add outposts_arn attribute (#12097)
• provider: Support automatic region validation for eu-south-1 (#12970)
• provider: Implement ignore tags functionality across all data sources and resources (except aws_autoscaling_group) (#13039)
• resource/aws_api_gateway_stage: Ignore NotFoundException error on destroy (#12826)
• resource/aws_db_snapshot: Support import (#12978)
• resource/aws_default_route_table: Add plan-time validation to cidr_block and ipv6_cidr_block arguments (#12858)
• resource/aws_default_route_table: Support import (#13030)
• resource/aws_dms_endpoint: Add kafka_settings configuration block and kafka to engine_name argument validation (#12835)
• resource/aws_ebs_volume: Add outpost_arn argument (#12439)
• resource/aws_elasticsearch_domain: Support customizable update timeout (#12916)
• resource/aws_glue_connection: Support MONGODB for connection_type argument (#13011)
• resource/aws_key_pair: Support tag-on-create (#12962)
• resource/aws_instance: Add outpost_arn attribute (#12330)
• resource/aws_mq_broker: Support import (#11841)
• resource/aws_network_interface: Add outpost_arn attribute (#12440)
• resource/aws_placement_group: Support tag-on-create (#12963)
• resource/aws_route_table: Add plan-time validation to cidr_block and ipv6_cidr_block arguments (#12858)
• resource/aws_route53_health_check: Support plan-time validation for reference_name argument (#12873)
• resource/aws_s3_bucket: Support eu-south-1 region for hosted_zone_id attribute (#13061)
• resource/aws_spot_fleet_request: Add launch_template_config configuration block (Support EC2 Launch Templates) (#12732)
• resource/aws_spot_fleet_request: Support import (#12767)
• resource/aws_storagegateway_gateway: Add gateway_vpc_endpoint argument (#9966)
• resource/aws_storagegateway_smb_file_share: Add path attribute (#12623)
• resource/aws_subnet: Add outposts_arn argument (#12097)
• resource/aws_wafregional_xss_match_set: Add plan-time validation for xss_match_tuple configuration block arguments (#13024)

BUG FIXES:

• data-source/aws_api_gateway_rest_api: Prevent error with VPC Endpoint configured APIs (#12825)
• resource/aws_appautoscaling_scheduled_action: Prevent error on refresh with multiple resources using the same scheduled action name (#12699)
• resource/aws_batch_job_queue: Prevent panic when ComputeEnvironmentOrder is updated outside Terraform (#12632)
• resource/aws_default_route_table: Proper tag on resource creation (#12858)
• resource/aws_efs_file_system: Prevent panic with empty lifecycle_policy configuration block (#12640)
• resource/aws_fsx_windows_file_system: Prevent panic when update includes self_managed_active_directory settings (#12630)
• resource/aws_glue_catalog_table: Prevent various panics with empty configuration blocks (#12611)
• resource/aws_kinesis_firehose_delivery_stream: Prevent panic with empty processing_configuration configuration block (#12613)
• resource/aws_kms_external_key: Prevent MalformedPolicyDocumentException errors on creation by retrying for up to 2 minutes to wait for IAM change propagation (#12863)
• resource/aws_kms_key: Prevent MalformedPolicyDocumentException errors on creation by retrying for up to 2 minutes to wait for IAM change propagation (#12863)
• resource/aws_lb_listener: Prevent panics on creation and refresh when API throttled (#12617)
• resource/aws_route53_zone: Prevent panic with A...

v2.59.0

NOTES:

• provider: Region validation now automatically supports the new af-south-1 (Africa (Cape Town)) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the AWS Documentation. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g. error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid) or AWS operations will throw their own errors (e.g. data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials). (#12715)
• resource/aws_iam_user: The additional force_destroy behavior for handling signing certificates requires two additional IAM permissions (iam:ListSigningCertificates and iam:DeleteSigningCertificate). Restrictive IAM permissions for Terraform runs may require updates. (#10542)
• resource/aws_rds_cluster: Due to recent API support for Aurora MySQL 5.7 and PostgreSQL Global Clusters which implemented the engine mode as provisioned instead of the previous global for Aurora MySQL 5.6, the resource now requires the DescribeGlobalClusters API call. Restrictive IAM permissions may require updates. (#12867)

FEATURES:

• New Resource: aws_apigatewayv2_api_mapping (#9461)
• New Resource: aws_apigatewayv2_vpc_link (#12577)

ENHANCEMENTS:

• data_source/aws_acm_certificate: Add tags output (#11659)
• data-source/aws_cloudtrail_service_account: Support af-south-1 region (#12967)
• data-source/aws_elastic_beanstalk_hosted_zone: Support af-south-1 region (#12967)
• data-source/aws_elb_hosted_zone_id: Support af-south-1 region (#12967)
• data-source/aws_elb_service_account: Support af-south-1 region (#12967)
• data-source/aws_s3_bucket: Support af-south-1 region for hosted_zone_id attribute (#12967)
• provider: Support automatic region validation for af-south-1 (#12715)
• resource/aws_apigatewayv2_api: Add cors_configuration, credentials_arn, route_key and target attributes (#12452)
• resource/aws_appsync_graphql_api: Add log_config configuration block exclude_verbose_content argument (#12884)
• resource/aws_config_configuration_recorder: Prevent error during deletion operation when resource is missing (#12734)
• resource/aws_default_network_acl: Support import (#12924)
• resource/aws_lambda_alias: Suppress differences for equivalent function_name argument values of name versus ARN (#12902)
• resource/aws_network_acl_rule: Support import (#12921)
• resource/aws_route: Add plan-time validation for destination_cidr_block and destination_ipv6_cidr_block arguments (#12890)
• resource/aws_s3_bucket: Support af-south-1 region for hosted_zone_id attribute (#12967)
• resource/aws_service_discovery_private_dns_namespace: Support import (#12929)
• resource/aws_ssm_activation: Support import (#12933)
• resource/aws_ssm_maintenance_window_target: Add plan-time validation to resource_type argument (#11783)
• resource/aws_ssm_maintenance_window_target: Support import (#12935)
• resource/aws_volume_attachment: Support import (#12948)
• resource/aws_waf_ipset: Add plan-time validation for ip_set_descriptors configuration block arguments (#12775)
• resource/aws_waf_sql_injection_match_set: Support import (#11657)
• resource/aws_waf_xss_match_set: Add plan-time validation for xss_match_tuples configuration block arguments (#12777)
• resource/aws_wafregional_web_acl: Add plan-time validation to various arguments (#12793)

BUG FIXES:

• data-source/aws_launch_template: Prevent type error with network_interfaces associate_public_ip_address attribute (#12936)
• resource/aws_glue_security_configuration: Prevent empty string KMS Key ARN in S3 Encryption settings (#12898)
• resource/aws_iam_user: Ensure force_destroy argument removes signing certificates when enabled (#10542)
• resource/aws_rds_cluster: Prevent unexpected global_cluster_identifier differences and deletion error with aurora-mysql and aurora-postgresql Global Cluster members (#12867)
• resource/aws_route: Prevent not found after creation error with destination_ipv6_cidr_block set to ::0/0 (#12890)

v2.58.0

FEATURES:

• New Data Source: aws_regions (#12269)
• New Resource: aws_apigatewayv2_deployment (#9245)
• New Resource: aws_apigatewayv2_domain_name (#9391)
• New Resource: aws_apigatewayv2_integration_response (#9365)
• New Resource: aws_apigatewayv2_route (#8881)
• New Resource: aws_apigatewayv2_route_response (#9373)
• New Resource: aws_apigatewayv2_stage (#9232)
• New Resource: aws_dms_event_subscription (#7170)

ENHANCEMENTS:

• data-source/aws_dynamodb_table: Add replica attribute (initial support for Global Tables V2 (version 2019.11.21)) (#12342)
• data-source/aws_instance: Exports volume_name for root_block_device (#12620)
• resource/aws_backup_plan: Add rule configuration block copy_action configuration block (support cross region copy) (#11923)
• resource/aws_cognito_identity_provider: Support plan-time validation for idp_identifiers, provider_name, and provider_type arguments (#10705)
• resource/aws_dms_endpoint: Add elasticsearch_settings configuration block and elasticsearch to engine_name validation (support Elasticsearch endpoints) (#11792)
• resource/aws_dms_endpoint: Add kinesis_settings configuration block and kinesis to engine_name validation (support Kinesis endpoints) (#8633)
• resource/aws_dynamodb_table: Add replica configuration block (initial support for Global Tables V2 (version 2019.11.21)) (#12342)
• resource/aws_ec2_client_vpn_endpoint: Allow two authentication_options configuration blocks (#12819)
• resource/aws_instance: Allow changing root volume size without re-creating resource (#12620)
• resource/aws_instance: Exports volume_name for root_block_device (#12620)

BUG FIXES:

• resource/aws_dlm_lifecycle_policy: Ensure plan-time validation for times argument only allows 24 hour format (#12800)

v2.57.0

BREAKING CHANGES:

• provider: The configuration for the preview ignore tags functionality has been updated to include a wrapping configuration block. For example:

provider "aws" {
  ignore_tags {
    keys = ["TagKey1"]
  }
}

FEATURES:

• New Data Source: aws_cloudfront_distribution (#6468)
• New Resource: aws_apigatewayv2_authorizer (#9228)
• New Resource: aws_apigatewayv2_integration (#8949)
• New Resource: aws_apigatewayv2_model (#8912)

ENHANCEMENTS:

• data-source/aws_lambda_layer_version: Support plan-time validation for compatible_runtime argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
• resource/aws_cloudhsm_v2_cluster: Support tag-on-create (#11683)
• resource/aws_docdb_cluster: Add deletion_protection argument (#12650)
• resource/aws_egress_only_internet_gateway: Add tags argument (#11568)
• resource/aws_lambda_function: Support plan-time validation for runtime argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
• resource/aws_lambda_layer_version: Support plan-time validation for compatible_runtimes argument dotnetcore3.1 value (support .NET Core 3.1) (#12712)
• resource/aws_rds_global_cluster: Add aurora-postgresql to engine argument plan-time validation (#12401)
• resource/aws_redshift_snapshot_copy_grant: Support resource import (#10350)
• resource/aws_spot_fleet_request: Add tags argument (support tagging of Spot Fleet Request itself) (#12295)
• resource/aws_spot_fleet_request: Support plan-time validation for launch_specification configuration block ebs_block_device volume_type, iam_instance_profile_arn, placement_tenancy, and root_block_device volume_type arguments (#12295)
• resource/aws_spot_fleet_request: Support plan-time validation for allocation_strategy, instance_interruption_behaviour, and target_group_arns arguments (#12295)
• service/ec2: Prevent eventual consistency errors tagging resources on creation (#12735)

BUG FIXES:

• resource/aws_appautoscaling_policy: Fix error when importing DynamoDB Table Index policy (#11232)
• resource/aws_db_instance: Allow creating read replica into RAM shared Subnet with VPC Security Group (#12700)
• resource/aws_kms_key: Prevent eventual consistency related errors on creation (#12738)
• resource/aws_lb_target_group: Automatically propose resource recreation for TCP protocol Target Groups when health_check configuration block interval, protocol, or timeout argument values are updated (#4568)