chore(deps): update terraform (major)#484

Open
renovate[bot] wants to merge 1 commit into main from renovate/major-terraform

renovate bot commented Feb 26, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Type | Update | Change
aws (source) | required_provider | major | < 6.0 -> < 6.37
aws (source) | required_provider | major | ~> 5.0 -> ~> 6.0
google (source) | required_provider | major | ~> 5.0 -> ~> 7.0
terraform-aws-modules/cloudfront/aws (source) | module | major | ~> 3.0 -> ~> 6.0
terraform-aws-modules/ecs/aws (source) | module | major | 5.12.1 -> 7.4.0
terraform-aws-modules/s3-bucket/aws (source) | module | major | ~> 4.0 -> ~> 5.0
terraform-aws-modules/vpc/aws (source) | module | major | < 6.0 -> < 6.7

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.36.0

NOTES:

  • provider: Update Go version to v1.25.8. Addresses GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#​46820)

FEATURES:

  • New Data Source: aws_iam_outbound_web_identity_federation (#​46503)
  • New Ephemeral Resource: aws_sts_web_identity_token (#​46173)
  • New List Resource: aws_s3_bucket_versioning (#​46802)

ENHANCEMENTS:

  • listresource/aws_s3_bucket: No longer returns values for deprecated parameters (#​46852)
  • resource/aws_bedrockagentcore_agent_runtime: Add authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#​46828)
  • resource/aws_cloudwatch_log_resource_policy: Add resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#​46813)
  • resource/aws_glue_catalog_table: Add open_table_format_input.iceberg_input.iceberg_table_input argument (#​46843)
  • resource/aws_glue_catalog_table: Add view_definition argument (#​46843)
  • resource/aws_glue_catalog_table: Change open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#​46843)
  • resource/aws_glue_catalog_table: Change parameters, storage_descriptor, and table_type to Optional and Computed (#​46843)
  • resource/aws_guardduty_ipset: Add ip_set_id attribute (#​46703)
  • resource/aws_guardduty_publishing_destination: Add arn and destination_id attributes (#​46703)
  • resource/aws_guardduty_publishing_destination: Add tagging support (#​46703)
  • resource/aws_guardduty_threatintelset: Add threat_intel_set_id attribute (#​46703)
  • resource/aws_observabilityadmin_centralization_rule_for_organization: Add rule.destination.destination_logs_configuration.log_group_name_configuration block (#​46811)

BUG FIXES:

  • data-source/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
  • list-resource/aws_iam_role_policy_attachment: Prevent infinite loop when IAM Role deleted during list (#​46763)
  • listresource/aws_s3_bucket: No longer appears to hang when buckets are deleted concurrently with listing (#​46852)
  • resource/aws_appconfig_deployment_strategy: Fix panic due to "interface conversion: interface {} is float64, not float32" when updating growth_factor (#​46810)
  • resource/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
  • resource/aws_vpc_endpoint: Allow in-place update of private_dns_enabled when vpc_endpoint_type is Interface (#​46800)
  • resource/aws_vpc_endpoint: Set new computed value for network_interface_ids attribute when changing subnet_configuration or subnet_ids (#​46800)
  • resource/aws_vpn_concentrator: Retry VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#​46823)

v6.35.1

BUG FIXES:

  • provider: Fix regression causing "Incompatible Types" errors during flattening (#​46778)
  • resource/aws_bedrockagentcore_gateway_target: Fix "Incompatible Types" errors during schema definition flattening (#​46778)
  • resource/aws_s3_bucket_lifecycle_configuration: Fix "Incompatible Types" errors for LifecycleRuleAndOperator while flattening configuration (#​46778)

v6.35.0

FEATURES:

  • New List Resource: aws_ecs_service (#​46678)
  • New List Resource: aws_lb (#​46660)
  • New List Resource: aws_lb_listener (#​46679)
  • New List Resource: aws_lb_listener_rule (#​46731)
  • New List Resource: aws_lb_target_group (#​46662)
  • New List Resource: aws_sns_topic (#​46744)
  • New List Resource: aws_sns_topic_subscription (#​46738)
  • New Resource: aws_observabilityadmin_telemetry_pipeline (#​46698)
  • New Resource: aws_sagemaker_mlflow_app (#​45565)

ENHANCEMENTS:

  • data-source/aws_lambda_layer_version: Add layer_version_arn argument to support cross-account Lambda layer access (#​46673)
  • resource/aws_emrserverless_application: Add job_level_cost_allocation_configuration block (#​46107)
  • resource/aws_ram_resource_share: Add resource_share_configuration block (#​46715)

BUG FIXES:

  • resource/aws_ce_cost_category: Change split_charge_rule targets from TypeSet to TypeList to retain order (#​42856)
  • resource/aws_dms_endpoint: Fix InvalidParameterCombinationException errors when oracle_settings is configured (#​46689)
  • resource/aws_elasticache_replication_group: Remove hard-coded upper limit of 5 for replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#​46670)
  • resource/aws_networkmanager_attachment_routing_policy_label: Fix attachment state waiter to handle all Cloud WAN attachment lifecycle states (#​46672)

v6.34.0

FEATURES:

  • New List Resource: aws_ec2_secondary_network (#​46552)
  • New List Resource: aws_ec2_secondary_subnet (#​46552)
  • New List Resource: aws_ecr_task_definition (#​46628)
  • New List Resource: aws_elb (#​46639)
  • New List Resource: aws_s3_bucket_lifecycle_configuration (#​46531)
  • New Resource: aws_networkmanager_prefix_list_association (#​46566)

ENHANCEMENTS:

  • data-source/aws_grafana_workspace: Add kms_key_id attribute (#​46584)
  • data-source/aws_memorydb_cluster: Add network_type and ip_discovery attributes (#​46636)
  • resource/aws_athena_workgroup: Add configuration.query_results_s3_access_grants_configuration argument (#​46376)
  • resource/aws_bedrockagentcore_api_key_credential_provider: Add tagging support (#​46591)
  • resource/aws_bedrockagentcore_gateway_target: Add metadata_configuration block for HTTP header and query parameter propagation (#​45808)
  • resource/aws_bedrockagentcore_oauth2_credential_provider: Add tagging support (#​46590)
  • resource/aws_cloudwatch_event_connection: Add auth_parameters.connectivity_parameters argument (#​41561)
  • resource/aws_ecs_service: Add service_connect_configuration.access_log_configuration argument (#​45820)
  • resource/aws_ecs_service: Add resource identity support (#​46644)
  • resource/aws_eip_domain_name: Add import support (#​46582)
  • resource/aws_grafana_workspace: Add kms_key_id argument (#​46584)
  • resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#​46568)
  • resource/aws_lb_target_group_attachment: Add import support (#​46646)
  • resource/aws_lb_target_group_attachment: Add resource identity (#​46646)
  • resource/aws_memorydb_cluster: Add network_type and ip_discovery arguments (#​46636)
  • resource/aws_opensearch_domain: Add jwt_options attribute (#​46439)
  • resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#​44426)

BUG FIXES:

  • data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#​46616)
  • data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#​46226)
  • list-resource/aws_s3_object: Includes parent bucket in display name. (#​46596)
  • resource/aws_autoscaling_group: Fix couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#​46622)
  • resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#​46127)
  • resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#​46127)
  • resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#​46462)
  • resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#​46150)
  • resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#​46556)
  • resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#​46102)

v6.33.0

FEATURES:

  • New Resource: aws_networkmanager_attachment_routing_policy_label (#​46489)

ENHANCEMENTS:

  • data-source/aws_launch_template: Add cpu_options.nested_virtualization and network_performance_options attributes (#​46540)
  • data/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_budgets_budget: Add filter_expression attribute (#​46501)
  • resource/aws_dms_endpoint: Add access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefix arguments to the oracle_settings configuration block (#​46516)
  • resource/aws_dms_endpoint: Add use_update_lookup argument to mongodb_settings configuration block (#​46253)
  • resource/aws_ecs_task_definition: Add resource identity support (#​46411)
  • resource/aws_instance: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add secondary_interfaces configuration block (#​46540)
  • resource/aws_lexv2models_intent: Add qna_intent_configuration attribute (#​46419)
  • resource/aws_sagemaker_domain: Add domain_settings.trusted_identity_propagation_settings argument (#​44965)

BUG FIXES:

  • data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#​46478)
  • resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#​46475)
  • resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#​45049)
  • resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#​46496)
  • resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#​44960)
  • resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#​46453)
  • resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#​46515)

v6.32.1

BUG FIXES:

  • resource/aws_autoscaling_group: Fix couldn't find resource error during creation when waiting for capacity to be satisfied (#​46452)
  • resource/aws_cloudwatch_log_delivery: Fix s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#​46455)
  • resource/aws_dynamodb_table: Fix perpetual diff when using key_schema with a single range key on a global secondary index (#​46442)
  • resource/aws_elasticache_replication_group: Fix false validation error when auth_token references another resource (#​46454)

v6.32.0

FEATURES:

  • New List Resource: aws_ecr_repository (#​46344)
  • New List Resource: aws_lambda_permission (#​46341)
  • New List Resource: aws_route (#​46370)
  • New List Resource: aws_route53_resolver_rule_association (#​46349)
  • New List Resource: aws_route_table (#​46337)
  • New List Resource: aws_s3_directory_bucket (#​46373)
  • New List Resource: aws_secretsmanager_secret (#​46318)
  • New List Resource: aws_secretsmanager_secret_version (#​46342)
  • New List Resource: aws_vpc_security_group_egress_rule (#​46368)
  • New List Resource: aws_vpc_security_group_ingress_rule (#​46367)
  • New Resource: aws_ec2_secondary_network (#​46408)
  • New Resource: aws_ec2_secondary_subnet (#​46408)

ENHANCEMENTS:

  • resource/aws_instance: Add secondary_network_interface argument (#​46408)
  • resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#​42687)

BUG FIXES:

  • data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#​46384)
  • list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#​46401)
  • resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#​46427)
  • resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#​46375)
  • resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#​45637)

v6.31.0

NOTES:

  • resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)

FEATURES:

  • New Data Source: aws_account_regions (#​41746)
  • New Ephemeral Resource: aws_ecrpublic_authorization_token (#​45841)
  • New List Resource: aws_cloudwatch_event_rule (#​46304)
  • New List Resource: aws_cloudwatch_event_target (#​46297)
  • New List Resource: aws_cloudwatch_metric_alarm (#​46268)
  • New List Resource: aws_iam_role_policy (#​46293)
  • New List Resource: aws_lambda_function (#​46295)
  • New List Resource: aws_s3_bucket_acl (#​46305)
  • New List Resource: aws_s3_bucket_policy (#​46312)
  • New List Resource: aws_s3_bucket_public_access_block (#​46309)
  • New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#​46191)

ENHANCEMENTS:

  • resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45583)
  • resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#​45882)

BUG FIXES:

  • list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#​46305)
  • resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#​45518)
  • resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#​45893)
  • resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#​45571)
  • resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#​45087)
  • resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#​46211)

v6.30.0

FEATURES:

  • New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#​46176)

BUG FIXES:

  • resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#​46195)

v6.29.0

NOTES:

  • data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​43331)
  • resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#​46185)
  • resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​45834)

FEATURES:

  • New Data Source: aws_arcregionswitch_plan (#​43781)
  • New Data Source: aws_arcregionswitch_route53_health_checks (#​43781)
  • New Data Source: aws_organizations_entity_path (#​45890)
  • New Data Source: aws_resourcegroupstaggingapi_required_tags (#​45994)
  • New Data Source: aws_s3_bucket_object_lock_configuration (#​45990)
  • New Data Source: aws_s3_bucket_replication_configuration (#​42662)
  • New Data Source: aws_s3control_access_points (#​45949)
  • New Data Source: aws_s3control_multi_region_access_points (#​45974)
  • New Data Source: aws_savingsplans_savings_plan (#​45834)
  • New Data Source: aws_wafv2_managed_rule_group (#​45899)
  • New List Resource: aws_appflow_connector_profile (#​45983)
  • New List Resource: aws_appflow_flow (#​45980)
  • New List Resource: aws_cleanrooms_collaboration (#​45953)
  • New List Resource: aws_cleanrooms_configured_table (#​45956)
  • New List Resource: aws_cloudfront_key_value_store (#​45957)
  • New List Resource: aws_opensearchserverless_collection (#​46001)
  • New List Resource: aws_route53_record (#​46059)
  • New List Resource: aws_s3_bucket (#​46004)
  • New List Resource: aws_s3_object (#​46002)
  • New List Resource: aws_security_group (#​46062)
  • New Resource: aws_apigatewayv2_routing_rule (#​42961)
  • New Resource: aws_arcregionswitch_plan (#​43781)
  • New Resource: aws_cloudfront_anycast_ip_list (#​43331)
  • New Resource: aws_notifications_managed_notification_account_contact_association (#​45185)
  • New Resource: aws_notifications_managed_notification_additional_channel_association (#​45186)
  • New Resource: aws_notifications_organizational_unit_association (#​45197)
  • New Resource: aws_notifications_organizations_access (#​45273)
  • New Resource: aws_opensearch_application (#​43822)
  • New Resource: aws_ram_permission (#​44114)
  • New Resource: aws_ram_resource_associations_exclusive (#​45883)
  • New Resource: aws_sagemaker_labeling_job (#​46041)
  • New Resource: aws_sagemaker_model_card (#​45993)
  • New Resource: aws_sagemaker_model_card_export_job (#​46009)
  • New Resource: aws_savingsplans_savings_plan (#​45834)
  • New Resource: aws_sesv2_tenant_resource_association (#​45904)
  • New Resource: aws_vpc_security_group_rules_exclusive (#​45876)

ENHANCEMENTS:

  • aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#​46157)
  • data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#​45928)
  • data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#​46163)
  • data-source/aws_vpc_ipam_pool: Add source_resource attribute (#​44705)
  • resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#​45966)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#​46056)
  • resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#​45984)
  • resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#​45357)
  • resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#​45934)
  • resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#​46092)
  • resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#​45852)
  • resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#​45852)
  • resource/aws_invoicing_invoice_unit: Adds resource identity support. (#​46185)
  • resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#​46185)
  • resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#​46065)
  • resource/aws_launch_template: Add network_performance_options argument (#​46071)
  • resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#​45636)
  • resource/aws_opensearchserverless_collection: Add resource identity support (#​45981)
  • resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#​44881)
  • resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#​45951)
  • resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#​45951)
  • resource/aws_sagemaker_monitoring_schedule: Make monitoring_schedule_config.monitoring_job_definition_name argument optional (#​45951)
  • resource/aws_vpc_ipam_pool: Add source_resource argument in support of provisioning of VPC Resource Planning Pools (#​44705)
  • resource/aws_vpc_ipam_resource_discovery: Add organizational_unit_exclusion argument (#​45890)
  • resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#​44705)
  • resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#​44705)

BUG FIXES:

  • data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#​45909)
  • data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
  • data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#​46160)
  • provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#​46000)
  • provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#​46159)
  • resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#​45972)
  • resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#​45713)
  • resource/aws_billing_view: Fix handling of data_filter_expression (#​45293)
  • resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#​45992)
  • resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#​45873)
  • resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#​45873)
  • resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#​45977)
  • resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#​45921)
  • resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#​46110)
  • resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#​46094)
  • resource/aws_dynamodb_table: Fixes error when name is known after apply (#​45917)
  • resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#​45997)
  • resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
  • resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#​45967)
  • resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud region

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Renovatebot and dependabot updates terraform labels Feb 26, 2026
@renovate renovate bot force-pushed the renovate/major-terraform branch from b561ecc to 151783f Compare February 27, 2026 10:52

github-actions bot commented Feb 27, 2026

✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ Notification subscription showing 2 events/week for the last 2 months, which is infrequent compared to typical patterns.
Policies 🔴 ▃▂▁ Multiple storage resources lacking server-side encryption (6 occurrences) and multiple network access resources allowing SSH (port 22) from 0.0.0.0/0 (6 occurrences), which is unusual compared to typical patterns.


🔥 Risks

Unconfirmed/invalid SNS email subscription will prevent production alerts from reaching on‑call staff ‼️High
This change creates an SNS email subscription to the production-api-alerts topic using alerts@example.com with endpoint_auto_confirms=false and a 1‑minute confirmation window. The topic currently has zero confirmed subscribers, while a critical production alarm (production-api-health-check-failed) already publishes to this topic.

Because email subscriptions require manual confirmation and alerts@example.com is not a monitored on‑call inbox, the subscription will remain unconfirmed or undeliverable. As a result, CloudWatch alarms will publish to the SNS topic but no notifications will reach on‑call responders, degrading incident detection and response for production (REL06-BP03, OPS04-BP02).


🧠 Reasoning · ✖ 2 · ✔ 1

SNS email subscription confirmation and monitoring risk for production alerts

Observations 1

Hypothesis

Creating an SNS email subscription (oncall_email) for the production-api-alerts topic introduces risk to the alerting pipeline if the subscription is not confirmed, monitored, or integrated correctly with CloudWatch alarms and incident workflows. If the email endpoint is unmonitored or the confirmation step is missed, alarms will publish to SNS but not reach on-call staff, degrading detection and response for production incidents.

Mitigations:

  • Ensure the SNS subscription is confirmed and Active
  • Verify the subscription endpoint is a monitored on-call email and part of the incident response process
  • Confirm CloudWatch alarms and other producers reference this SNS topic and that test alerts are received end-to-end (REL06-BP03, OPS04-BP02).

Investigation

Evidence Gathered

  • Loaded organizational guidance: aws-monitoring-detection (REL06-BP03, OPS04-BP02) which requires effective alerting with SNS targets that actually notify operators.
  • Planned change diff shows creation of an SNS email subscription with endpoint alerts@example.com, protocol email, endpoint_auto_confirms=false, and confirmation_timeout_in_minutes=1 on topic arn:aws:sns:eu-west-2:540044833068:production-api-alerts (resource: github.com/overmindtech/terraform-example.aws_sns_topic_subscription.module.api_access[0].aws_sns_topic_subscription.oncall_email).
  • Current SNS topic state (blast radius): SubscriptionsConfirmed=0, SubscriptionsPending=0 for 540044833068.eu-west-2.sns-topic.arn:aws:sns:eu-west-2:540044833068:production-api-alerts — there are no working subscribers today.
  • Live CloudWatch data: At least one critical alarm publishes to this topic — 540044833068.eu-west-2.cloudwatch-alarm.production-api-health-check-failed has AlarmActions/OKActions set to arn:aws:sns:eu-west-2:540044833068:production-api-alerts. The alarm is enabled and intended to page on failures.
  • Note: The chosen endpoint alerts@example.com is a documentation placeholder address and not a monitored on-call inbox; combined with manual confirmation required for email protocol and a 1-minute confirmation window, the subscription is very likely to remain unconfirmed or undeliverable, leaving the topic without an effective recipient.

Impact Assessment

  • Directly affected: 1 SNS topic (production-api-alerts) and at least 1 critical production alarm (production-api-health-check-failed) that relies on it. Current confirmed subscribers on the topic: 0.
  • Downstream effect: When the alarm fires, CloudWatch will publish to the SNS topic, but with the subscription unconfirmed/invalid, no notification will reach on-call. This eliminates paging for these incidents and significantly increases MTTD/MTTR in the production environment.
  • Operational consequence: Missed or delayed response to production API outages or health check failures; this violates organizational best practices for monitoring and incident response (REL06-BP03, OPS04-BP02).

Conclusion

Risk is real. The plan adds an email subscription to a critical alert topic using a placeholder address and requires manual confirmation within 1 minute with no auto-confirm. Current topic has zero confirmed subscribers. Without a valid, confirmed, and monitored endpoint, alarms will publish but will not notify on-call staff.

✔ Hypothesis proven


NAT Gateway updates risking private subnet egress connectivity and segmentation

Observations 10

Hypothesis

Multiple updates to the NAT Gateway resource (nat-019b2865124bca19d) in VPC vpc-02901bcbb89561298 present a risk to outbound internet connectivity and network segmentation for private subnets, specifically subnet subnet-0c5bac530d4e52739. Even when the Terraform diff appears empty, state drift, ownership changes, or implicit updates can alter associated network interfaces (e.g., eni-0437deef1a093b6fd), Elastic IP associations (e.g., 18.132.111.118), routing behavior, availability zone placement, or attachment/state. Misconfiguration or replacement/removal of the NAT gateway can:

  • Break egress connectivity for EC2 instances and outbound-dependent services in private subnets (e.g., i-077b8eff98b7b44be)
  • Affect availability of ALB/ELB resources whose ENIs or subnets depend on this NAT gateway, reducing HA if subnet-level networking is impacted and degrading DNS/IP reachability for fronted services
  • Change route table behavior or associations, causing packets to bypass the NAT or lose internet access, indirectly impacting DNS-based name resolution when external endpoints become unreachable
  • Potentially expose private instances if routing or EIP/ENI associations change in a way that affects segmentation

Mitigations:

  • Verify the NAT gateway remains in an Available state and that its ENI, subnet, and Elastic IP are unchanged as intended
  • Confirm route tables for private subnets still target this NAT gateway for 0.0.0.0/0 (or equivalent) routes and that AZ coverage matches HA requirements
  • Validate outbound connectivity from representative private instances and ALB-related ENIs, and ensure no unintended public exposure
  • Ensure configuration aligns with network security, segmentation, and high-availability best practices (REL02-BP01, REL02-BP03, SEC05-B01).

Investigation

Evidence Gathered

  • Consulted organizational knowledge: aws-network-security and aws-high-availability for best practices around NAT, subnet design, routing, and HA.
  • Reviewed planned changes via diffs:
    • Both NAT Gateways 540044833068.eu-west-2.ec2-nat-gateway.nat-019b2865124bca19d and 540044833068.eu-west-2.ec2-nat-gateway.nat-0bcff9aa2633b680e show ITEM_DIFF_STATUS_UPDATED with empty diffs — no attribute changes, no replacements, and no EIP/ENI/subnet modifications.
    • Only other changes are trivial instance attribute normalization (force_destroy null → false) and creation of an SNS email subscription; no routing or networking resources changed.
  • Queried current state (blast radius) of networking components:
    • NAT nat-019b2865124bca19d: State available; Subnet subnet-0c5bac530d4e52739; ENI eni-030542fb12761bd4f; EIP 52.56.230.253; Private IP 10.0.102.25; VPC vpc-02901bcbb89561298.
    • NAT nat-0bcff9aa2633b680e: State available; Subnet subnet-07b5b1fb2ba02f964; ENI eni-0c502e5a8c20f4df7; EIP 13.42.93.249; Private IP 10.0.101.182.
    • Route tables:
      • rtb-0fa8d71472f3214bd (private-eu-west-2b) has 0.0.0.0/0 → nat-019b2865124bca19d and is associated with subnet-025746ecaa54aec58.
      • rtb-0fd627aea94dee6ea (private-eu-west-2a) has 0.0.0.0/0 → nat-0bcff9aa2633b680e and is associated with subnet-09605cfe202ef69e7.
      • rtb-0279ca2304acbbb97 (public) is associated with subnets subnet-0c5bac530d4e52739 and subnet-07b5b1fb2ba02f964 and routes 0.0.0.0/0 → igw-0beefc4b4a0653a6e.
    • Subnet tags confirm: subnet-0c5bac530d4e52739 and subnet-07b5b1fb2ba02f964 are public subnets; private subnets are subnet-025746ecaa54aec58 and subnet-09605cfe202ef69e7.
    • ALB ENI eni-0437deef1a093b6fd with EIP 18.132.111.118 sits in public subnet subnet-0c5bac530d4e52739; this is expected and independent of the NAT gateways.
    • Instances:
      • i-060c5af731ee54cc9 resides in private subnet subnet-09605cfe202ef69e7 that routes to nat-0bcff9aa2633b680e.
      • i-077b8eff98b7b44be, i-0464c4413cb0c54aa, i-09d6479fb9b97d123 are in public subnet subnet-07b5b1fb2ba02f964 with public IPs; they do not depend on NAT for outbound.

Impact Assessment

  • Directly affected NAT resources: 2 (one per AZ), both currently healthy and unchanged by the plan.
  • Private subnets depending on NAT: 2 (subnet-025746ecaa54aec58 via nat-019b…, subnet-09605cfe202ef69e7 via nat-0bcf…). Observed one EC2 instance (i-060c5af731ee54cc9) in the private subnet; others are in public subnets behind the ALB or with public IPs.
  • Routing and segmentation remain correct:
    • Private route tables continue to send 0.0.0.0/0 to the corresponding NAT in the same AZ (aligns with REL02-BP03 for HA and zonal NAT design).
    • Public subnets are correctly associated to the IGW route table; the NATs themselves live in these public subnets as required.
    • No planned changes touch route tables, NAT EIPs/ENIs, or subnet associations; therefore, egress, DNS reachability, and segmentation are preserved.
  • The hypothesis’ key premise is incorrect: it labels subnet subnet-0c5bac530d4e52739 as private and at risk. Current state shows it is a public subnet associated with the IGW route table and tagged “public,” so it is not a private-subnet egress path.

Conclusion

Risk not real. There are no substantive NAT Gateway changes in the plan, both NATs are healthy with stable EIPs/ENIs, private route tables still point to the same NAT IDs, and the cited subnet is public rather than private. With no routing or attachment changes, the proposed Terraform upgrade will not disrupt private subnet egress or network segmentation.

✖ Hypothesis disproven


EC2 Terraform force_destroy=false changing instance, volume, ENI, ALB, and DNS cleanup behavior

Observations 12

Hypothesis

Terraform configuration changes setting the EC2 instance resource’s force_destroy attribute explicitly to false (from null) alter how Terraform handles termination, replacement, and cleanup of dependent resources. Across attached EBS volumes (including specific volume vol-090e750179b5fa681 with DeleteOnTermination semantics), ENIs, load balancer registrations, and DNS health checks, this can:

  • Prevent automatic force deletion of instances/volumes, leading to leftover or orphaned EBS volumes that incur costs and increase attack surface
  • Cause destroy or replacement operations to fail or require manual intervention, increasing operational overhead and risk of drift
  • Leave instances lingering and still associated with ALB/ELB target groups (e.g., api-207c90ee-alb), impacting target health checks and automated replacement workflows, and causing availability or routing issues when instances are not deregistered or replaced cleanly
  • Orphan or mismanage ENIs whose IPs are used by services, affecting network routing and discovery for instance- or ALB-backed endpoints
  • Keep Route53 health checks (e.g., HTTPS /health for IP 44.207.52.17) in failing states (HEALTH_ERROR) if unhealthy or stale instances remain registered behind the ALB, undermining DNS-based failover

Mitigations:

  • Review expected lifecycle for EC2 instances, EBS volumes, ENIs, ALB/ELB target registrations, and Route53 health checks to ensure force_destroy=false matches governance
  • Implement explicit cleanup or lifecycle policies for volumes/ENIs where persistence is or is not desired, and monitor for idle/orphaned resources
  • Validate that load balancer target groups, Route53 health checks, and DNS records are updated consistently during instance replacement, avoiding stale or unhealthy targets, and ensure deregistration/draining hooks are correctly configured (PERF02-BP04, COST6, COST04-BP02, aws-compute-configuration, aws-network-security REL02/SEC05).

Investigation

Evidence Gathered

  • Loaded organizational guidance: aws-compute-configuration, aws-network-security, and security-compliance-requirements to check for any standards that would make this change risky.
  • Reviewed diffs for the two EC2 instances being updated: 540044833068.eu-west-2.ec2-instance.i-0464c4413cb0c54aa and 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123. The only change is force_destroy: null -> false on each instance; no other lifecycle, volume, ENI, ALB, or DNS/Route53 attributes are changing.
  • Queried current state (blast radius):
    • Instances i-0464c4413cb0c54aa and i-09d6479fb9b97d123 are running. Their primary ENI attachments have DeleteOnTermination: true. Their root EBS volumes vol-0a61278f4602fc12b and vol-090e750179b5fa681 both have DeleteOnTermination: true (root device /dev/xvda).
    • ALB api-207c90ee-alb is active; target group api-207c90ee-tg has instance i-09d6479fb9b97d123 registered and currently healthy on port 80.
    • Route53 health check 0771e285-11bf-4b60-9e00-7b4d71df1a0b is failing against IP 44.207.52.17, but this health check is not part of the proposed changes and appears unrelated to these instances/ALB in eu-west-2. (All evidence from blast-radius-query.)

Impact Assessment

  • Directly affected resources: 2 EC2 instances (i-0464c4413cb0c54aa, i-09d6479fb9b97d123). No attached resources (volumes, ENIs, ALB/TG, Route53) are changing in this plan.
  • Behavior on termination/replacement: Since both the root volumes and primary ENIs are configured with DeleteOnTermination: true, instance termination will continue to delete those resources regardless of the Terraform attribute being explicitly set to false. No secondary ENIs or non-root volumes are present that would be left behind.
  • Load balancer and DNS: Target group membership is healthy and unchanged; there is no planned modification to deregistration/draining or to Route53. Therefore, no availability or routing issues are introduced by this plan.
  • Net effect: Setting force_destroy from null to the explicit default false does not alter lifecycle semantics for these instances or their dependent resources. There is no indication of apply-time failures or increased manual intervention.

Conclusion

Risk not real. The only change is making the default force_destroy=false explicit on two EC2 instances. Current configuration shows DeleteOnTermination=true for both the root EBS volumes and primary ENIs, ALB target health is good, and no related lifecycle or registration changes are planned. There is no evidence this update will cause orphaned resources, apply failures, or availability issues.

✖ Hypothesis disproven


💥 Blast Radius

Items 54

Edges 175

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 34 · Edges 128


@renovate renovate bot force-pushed the renovate/major-terraform branch from 151783f to 94f0e85 Compare February 27, 2026 15:02
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 74 · Edges 219


@renovate renovate bot force-pushed the renovate/major-terraform branch from 94f0e85 to 637e190 Compare March 3, 2026 21:32
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 67 · Edges 205


@renovate renovate bot force-pushed the renovate/major-terraform branch from 637e190 to ac1faaf Compare March 4, 2026 21:54
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 40 · Edges 146


@renovate renovate bot force-pushed the renovate/major-terraform branch from ac1faaf to d60cbfe Compare March 5, 2026 23:37
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 31 · Edges 161


@renovate renovate bot force-pushed the renovate/major-terraform branch from d60cbfe to 86db8b5 Compare March 10, 2026 22:06
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 135 · Edges 218


@renovate renovate bot force-pushed the renovate/major-terraform branch from 86db8b5 to fcde9d3 Compare March 11, 2026 21:19
@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 54 · Edges 175

