NOTES:
- provider: Terraform AWS Provider version 2.45.0 included AWS Go SDK version 1.28.0, which contained a regression in error handling behavior across many services that either prevented or incorrectly modified error messages from being surfaced by the API. Other than confusing errors in certain cases, this also affected automatic retry logic in a few resources. This release contains an AWS Go SDK update which should resolve these issues.
ENHANCEMENTS:
- data-source/aws_api_gateway_api_key: Add
created_date
,description
,enabled
,last_updated_date
, andtags
attributes (#10821) - data-source/aws_cloudwatch_log_group: Add
kms_key_id
,retention_in_days
, andtags
attributes (#10755) - data-source/aws_db_instance: Add
multi_az
attribute (#10795) - data-source/aws_sqs_queue: Add
tags
attribute (#10820) - resource/aws_acm_certificate: Support tag-on-create (#11073)
- resource/aws_api_gateway_rest_api: Add
endpoint_configuration
configuration blockvpc_endpoint_ids
argument (#10627) - resource/aws_cloudfront_distribution: Validate
origin_group
configuration blockmember
argument contains max 2 items (#10357) - resource/aws_cognito_user_pool_client: Support plan-time validation values of
ALLOW_*
variations forexplicit_auth_flows
argument (#10976) - resource/aws_ecs_task_definition: Add
volume
configuration blockefs_volume_configuration
configuration block (support preview EFS volume configuration) (#11707) - resource/aws_ecs_task_definition: Add plan-time validation for
execution_role_arn
argument,placement_constraints
configuration blocktype
argument, andtask_role_arn
argument (#11707) - resource/aws_egress_only_internet_gateway: Support resource import (#11071)
- resource/aws_key_pair: Add
tags
argument andkey_pair_id
attribute (#11481) - resource/aws_network_interface: Add
mac_address
attribute (#10633) - resource/aws_organization_organization: Support plan-time validation value of
TAG_POLICY
inenabled_policy_types
argument (#11535) - resource/aws_placement_group: Add
tags
argument andplacement_group_id
attribute (#11482) - resource/aws_rds_cluster_endpoint: Add
tags
argument (#11074)
BUG FIXES:
- data-source/aws_acmpca_certificate_authority: Properly set
not_after
andnot_before
values into the Terraform state (#11491) - provider: Upgrade AWS Go SDK dependency to fix missing/incorrect API error messages and missing retries regression introduced in Terraform AWS Provider version 2.45.0 (#11727)
- resource/aws_acmpca_certificate_authority: Properly set
not_after
andnot_before
values into the Terraform state (#11491) - resource/aws_api_gateway_account: Update retryable error message handling for recent API update (#11735)
- resource_aws_cognito_resource_server: Increase
scope
max limit to match API (#10505) - resource_aws_cognito_user_pool_client: Increase
allowed_oauth_scopes
max limit to match API (#10505) - resource/aws_dms_certificate: Properly set
certificate_wallet
value into Terraform state (#11496) - resource/aws_ec2_client_vpn_endpoint: Properly set
status
value into Terraform state (#11497) - resource/aws_ecs_task_definition: Properly refresh
ipc_mode
andpid_mode
attributes in Terraform state for drift detection (#11707) - resource/aws_emr_security_configuration: Properly set
creation_date
value into the Terraform state (#11491) - resource/aws_iam_service_linked_role: Properly set
create_date
value into the Terraform state (#11491) - resource/aws_iot_topic_rule: Trigger resource recreation on
name
argument updates (#10366) - resource/aws_lambda_event_source_mapping: Properly set
last_modified
value into the Terraform state (#11491) - resource/aws_organizations_account: Properly set
joined_timestamp
value into the Terraform state (#11491) - resource/aws_redshift_cluster: Handle
available, prep-for-resize
pending status during creation and update (#10530) - resource/aws_ssm_activation: Properly set
expiration_date
value into the Terraform state and perform drift detection when configured (#11491) - resource/aws_ssm_document: Properly set
created_date
value into the Terraform state (#11491) - resource/aws_waf_sql_injection_match_set: Properly set
sql_injection_match_tuples
value into Terraform state (#11498)
ENHANCEMENTS:
- resource/aws_codepipeline_webhook: Support in-place
tags
updates (#11387) - resource/aws_db_parameter_group: Support resetting parameter group values (#11540)
- resource/aws_docdb_cluster: Support
profiler
CloudWatch export type (#11051) - resource/aws_gamelift_alias: Add
tags
argument (#11486) - resource/aws_gamelift_build: Add
tags
argument andarn
attribute (#11486) - resource/aws_gamelift_fleet - Add support for instance_role_arn (#11553)
- resource/aws_gamelift_game_session_queue: Add
tags
argument (#11486) - resource/aws_neptune_parameter_group: Support tag-on-create (#11245)
- resource/aws_pinpoint_app: Add plan-time validation for
limit
configuration blockdaily
,maximum_duration
,messages_per_second
andtotal
arguments (#11368) - resource/aws_rds_cluster: Allow enabling Aurora Serverless HTTP endpoint (Data API) with
enable_http_endpoint
(#11048) - resource/aws_rds_cluster_parameter_group: Support resetting parameter group values (#11540)
- resource/aws_ssm_document: Add support for "Package" document type (#11492)
- resource/aws_vpc_peering_connection_accepter: Support resource import (#4486)
BUG FIXES:
- resource/aws_autoscaling_group: Prevent indefinite wait for desired capacity to be available when instance_weight specified and >=1 (#11357)
- resource/aws_cloudwatch_event_rule: Retry deletion on CloudWatch Events Target deletion eventual consistency (#11475)
- resource/aws_cloudwatch_event_target: Return failed entry error code and message if provided in
RemoveTargets
response (#11475) - resource/aws_codepipeline_webhook: Properly trigger resource recreation when
authentication_configuration
configuration blockallowed_ip_range
andsecret_token
arguments change (#11387) - resource/aws_emr_cluster: Prevent perpetual difference with
ec2_attributes
configuration blockemr_managed_master_security_group
,emr_managed_slave_security_group
, andservice_access_security_groups
arguments when omitted (support EMR Managed Security Groups) (#5493) - resource/aws_opsworks_permission: Prevent
Unable to change own permission level
error during self updates (#11379)
FEATURES:
- New Data Source:
aws_directory_service_directory
(#11282) - New Resource:
aws_workspaces_directory
(#11023)
ENHANCEMENTS:
- data-source/aws_launch_configuration: Add
arn
attribute (#11416) - data-source/aws_eks_cluster: Add
vpc_config
listpublic_access_cidrs
attribute (#11442) - resource/aws_ami_launch_permission: Support resource import (#11437)
- resource/aws_api_gateway_authorizer: Support resource import (#11436)
- resource/aws_api_gateway_authorizer: Add plan time validation for
provider_arns
argument (#11436) - resource/aws_api_gateway_usage_plan_key: Support resource import (#11439)
- resource/aws_batch_compute_environment: Add
compute_environment_name_prefix
argument and makecompute_enviroment_name
argument optional (support full name generation) (#10682) - resource/aws_batch_compute_environment: Add
compute_resources
configuration blockallocation_strategy
argument (#10894) - resource/aws_batch_job_queue: Support resource import (#11406)
- resource/aws_cloudformation_stack: Prevent difference with
Transform
templates showing processed template (support SAM templates) (#9006) - resource/aws_cloudwatch_event_rule: Support tag-on-create (#11346)
- resource/aws_db_instance: Remove
identifier_prefix
16 character truncation forsqlserver
engine (#9040) - resource/aws_ecs_service: Add plan time validation for
launch_type
,load_balancer
configuration blocktarget_group_arn
andcontainer_port
, andplacement_constraints
configuration blocktype
arguments (#11423) - resource/aws_eks_cluster: Add
vpc_config
configuration blockpublic_access_cidrs
argument (#11442) - resource/aws_elasticache_cluster: Add
arn
attribute (#11243) - resource/aws_launch_configuration: Add
arn
attribute (#11416) - resource/aws_lb: Add plan-time validation for
ip_address_type
andload_balancer_type
arguments (#11419) - resource/aws_rds_cluster_instance: Allow updating
ca_cert_identifier
foraws_rds_cluster_instance
(#10954) - resource/aws_wafregional_xss_match_set: Support resource import (#11432)
BUG FIXES:
- provider: Allow
aws
account ID in ARN validation (support ARNs such as AWS Managed IAM Policies) (#11450) - provider: Support AWS C2S/SC2S Regional ARNs in ARN validation (#11471)
- resource/aws_api_gateway_usage_plan_key: Ensure Terraform performs drift detection of
key_type
argument (#11439) - resource/aws_appautoscaling_policy: Prevent potential state removal of resource immediately after creation due to eventual consistency (#11222)
- resource/aws_cloudwatch_dashboard: Trigger resource recreation on
dashboard_name
updates (prevent dangling resource) (#9784) - resource/aws_cloudwatch_event_rule: Improved handling of
is_enabled
argument (#11346) - resource/aws_ecs_service: Automatically retry IAM Service Linked Role assume role error on creation due to asynchronous creation of role on first usage and IAM eventual consistency (#11423)
- resource/aws_iam_instance: Allows for instance profiles to be changed when instances are in stopped state (#11104)
- resource/aws_opsworks_stack: Ensure
tags
are refreshed in Terraform state during read for drift detection (#11373) - resource/aws_rds_cluster_instance: Prevent
is already being deleted
error on deletion and wait for deletion completion (#11468)
NOTES:
- This will be the last planned release until early January. Enjoy the rest of your year!
FEATURES:
- New Data Source:
aws_organizations_organizational_units
(#10395) - New Resource:
aws_accessanalyzer_analyzer
(#11169) - New Resource:
aws_lambda_function_event_invoke_config
(#11165)
ENHANCEMENTS:
- data-source/aws_elb: Add
arn
attribute (#11345) - resource/aws_batch_compute_environment: Support resource import (#11299)
- resource/aws_codebuild_project: Add
queued_timeout
argument (#11261) - resource/aws_fsx_windows_file_system: Support
storage_capacity
minimum value of32
in validation to match recent updates to the API (#11272) - resource/aws_opsworks_custom_layer: Add
encrypted
ebs_volume
configuration (#7110)
BUG FIXES:
- resource/aws_datasync_agent: Trigger resource recreation on updated
InvalidRequestException
error for agents deleted outside Terraform (#11005) - resource/aws_ecs_cluster: Fixes intermittent failures on update when cluster dependencies are updating (#11310)
- resource/aws_ecs_cluster: Fixes bug where ECS cluster capacity providers are updated but default provider strategy is not changed (#11316)
- resource/aws_globalaccelerator_endpoint_group: Allow
traffic_dial_percentage
to be set to0
(#11253) - resource/aws_lb_listener_rule: Fixes regression from version 2.42.0 when updating a rule without modifying condition (#11364)
- resource/aws_ssm_activation: Ensure
tags
are refreshed into Terraform state during read for drift detection (#11290)
FEATURES:
- New Resource:
aws_ecs_capacity_provider
(#11151) - New Resource:
aws_media_convert_queue
(#10041) - New Resource:
aws_workspaces_ip_group
(#10904)
ENHANCEMENTS:
- resource/aws_apigateway_usage_plan: Add
tags
argument andarn
attribute (#10566) - resource/aws_codebuild_project: Add
ARM_CONTAINER
as validenvironment
configuration blockcompute_type
argument value (#11206) - resource/aws_ecs_cluster: Add
capacity_providers
argument anddefault_capacity_provider_strategy
configuration block (support ECS Capacity Providers) (#11151) - resource/aws_ecs_service: Add
capacity_provider_strategy
configuration block (support ECS Capacity Providers) (#11151) - resource/aws_emr_cluster: Add
step_concurrency_level
argument (#11196) - resource/aws_lb_listener_rule: Support ALB advanced routing rules (#8268)
BUG FIXES:
- provider: Prevent crash in planning IAM Policy equivalency checking with invalid
Resource
declarations (e.g. a list of list of strings) (#11107) - resource/aws_eks_cluster: Handle additional
InvalidParameterException: Error in role params
error during creation for IAM eventual consistency (#11127) - resource/aws_iam_role: Ignore additional
NoSuchEntity
errors on deletion (#11125) - resource/aws_network_interface: Prevent extraneous
ModifyNetworkInterfaceAttribute
API call during update (#11277) - resource/aws_security_group: Support ampersand (
&
) iningress
andegress
configuration blockdescription
argument value validation (#9528) - resource/aws_security_group_rule: Support ampersand (
&
) indescription
argument value validation (#9528)
FEATURES:
- New Resource:
aws_eks_fargate_profile
(#11111) - New Resource:
aws_lambda_provisioned_concurrency_config
(#11129)
ENHANCEMENTS:
- data-source/aws_route_table: adds attributes
gateway_id
andassociations.gateway_id
(#11122) - resource/aws_autoscaling_group: Add
max_instance_lifetime
argument (#10951) - resource/aws_autoscaling_group: Add
mixed_instances_policy
launch_template
override
configuration blockweighted_capacity
argument (#11004) - resource/aws_codebuild_project: Add Linux GPU worker (#11035)
- resource/aws_docdb_cluster_instance: Add support for
ca_cert_identifier
parameter (#11041) - resource/aws_emr_cluster: Outputs EMR cluster ARN (#11078)
- resource/aws_iam_access_key: Remove deprecation from
secret
and marksecret
andses_smtp_password
to sensitive (#10908) - resource/aws_iam_user: Delete a user's virtual MFA devices when
force_destroy
is enabled (#11040) - resource/aws_route_table_association: adds attribute
gateway_id
(#11122)
BUG FIXES:
- resource/aws_batch_compute_environment: Forces new resource when
launch_template
contents are changed (#11057) - resource/aws_datasync_location_s3: Automatically retry creation for IAM errors due to eventual consistency (#10984)
- resource/aws_launch_template: Only set associate_public_ip_address on network interfaces if it's explicitly set to avoid problems with multiple network interfaces (#10157)
NOTES:
- resource/aws_datasync_task: The DataSync API and SDK have removed
BEST_EFFORT
as a valid value for theoptions
configuration blockposix_permissions
argument. The value has been removed from the validation in this resource to match those changes. (#10985)
FEATURES:
- New Resource:
aws_dx_hosted_transit_virtual_interface
(#8523) - New Resource:
aws_dx_hosted_transit_virtual_interface_accepter
(#8523)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
vpc_config
nested blockcluster_security_group_id
attribute (#11002) - resource/aws_cloudwatch_metric_alarm: Add
threshold_metric_id
argument (support Anomaly Detection metrics) (#9828) - resource/aws_codebuild_project: Add support for BUILD_GENERAL1_2XLARGE CodeBuild compute type [GH11015]
- resource/aws_dx_private_virtual_interface: Support tagging-on-create (#9572)
- resource/aws_dx_private_virtual_interface: Validate Virtual Interface type on import (#9572)
- resource/aws_dx_public_virtual_interface: Validate Virtual Interface type on import (#9572)
- resource/aws_ebs_snapshot: Support tagging-on-create and in-place
tags
updates (#10935) - resource/aws_ebs_snapshot_copy: Support tagging-on-create and in-place
tags
updates (#10936) - resource/aws_eks_cluster: Add
vpc_config
configuration blockcluster_security_group_id
attribute (#11002) - resource/aws_lambda_function: Support waiting for function creation and configuration updates (#11016)
BUG FIXES:
- data-source/aws_iam_group: Ensure
users
attribute populates fully when group contains more than 100 users (#10993) - resource/aws_default_route_table: Return helpful not found error on resource creation instead of generic
Provider produced inconsistent result after apply
error when given invaliddefault_route_table_id
argument value (#10981) - resource/aws_default_route_table: Propose resource recreation for missing Default Route Table on refresh instead of returning an error (#10981)
FEATURES:
ENHANCEMENTS:
- provider: Support for EC2 Metadata secure tokens (#10940)
- resource/aws_glue_job: Add
number_of_workers
andworker_type
arguments (#9115) - resource/aws_glue_job: Add
tags
argument andarn
attribute (#10968) - resource/aws_glue_trigger: Add
workflow_name
argument (#9762) - resource/aws_glue_trigger: Add
actions
configuration blockcrawler_name
argument (#10190) - resource/aws_glue_trigger: Add
predicate
conditions
configuration blockcrawler_name
andcrawl_state
arguments (#10190) - resource/aws_glue_trigger: Add
tags
argument andarn
attribute (#10967) - resource/aws_iam_group_policy: Add IAM Policy JSON difference suppression and validation to
policy
argument (#9660) - resource/aws_lambda_event_source_mapping: Add
maximum_batching_window_in_seconds
argument (#10051) - resource/aws_lambda_function: Support
java11
,nodejs12.x
, andpython3.8
as validruntime
argument values in validation (#10938) - resource/aws_lambda_layer_version: Support
java11
,nodejs12.x
, andpython3.8
as validcompatible_runtimes
argument values in validation (#10938) - resource/aws_resourcegroups_group: Add
tags
argument (#10640)
BUG FIXES:
- data_source/aws_instance: Fixes a bug where multiple EBS volumes would get collapsed and only one would return (#10045)
- resource/aws_appmesh_virtual_node: Allow FQDN values in
service_discovery
aws_cloud_map
configuration blocknamespace_name
andservice_name
argument validations (#9788) - resource/aws_batch_compute_environment: Propose resource recreation when updating
compute_resources
configuration blocktags
argument (#10937) - resource/aws_iam_instance_profile: Remove requirement to specify a role, as it is not required by the API (#10525)
- resource/aws_opsworks_application: Fixes issue where
terraform apply
continuously suggests applying changes tossh_key
orpassword
inapp_source
property (#10175) - resource/aws_opsworks_stack: Fixes issue where
terraform apply
continuously suggests applying changes tossh_key
orpassword
incustom_cookbooks_source
property (#10175)
FEATURES:
- New Resource:
aws_eks_node_group
(#10916)
ENHANCEMENTS:
- resource/aws_api_gateway_rest_api: Add
tags
argument andarn
attribute (#10581) - resource/aws_db_instance: Add
ca_cert_identifier
argument (#10490) - resource/aws_dlm_lifecycle_policy: Add
tags
argument andarn
attribute (#10864) - resource/aws_efs_file_system: Add
AFTER_7_DAYS
as a validlifecycle_policy
configuratio blocktransition_to_ia
argument value (#10825) - resource/aws_glue_crawler: Add
tags
argument (#10805) - resource/aws_s3_bucket_inventory: Add
IntelligentTieringAccessTier
as valid value foroptional_fields
argument (#10746) - resource/aws_waf_geo_match_set: Support resource import and add
arn
attribute (#10480) - resource/aws_waf_regex_match_set: Support resource import and add
arn
attribute (#10481) - resource/aws_waf_regex_pattern_set: Support resource import and add
arn
attribute (#10482) - resource/aws_waf_size_constraint_set: Support resource import and add
arn
attribute (#10484) - resource/aws_waf_xss_match_set: Support resource import and add
arn
attribute (#10485) - resource/aws_wafregional_rate_based_rule: Add
tags
argument andarn
attribute (#10897) - resource/aws_wafregional_rule_group: Add
tags
argument andarn
attribute (#10896) - resource/aws_wafregional_rule: Add
tags
argument andarn
attribute (#10895) - resource/aws_wafregional_web_acl: Add
tags
argument (#10889) - resource/aws_wafregional_web_acl_association: Support resource import (#10538)
- resource/aws_cloudtrail: support Tag on create (#10818)
BUG FIXES:
- data-source/aws_iam_policy_document: Prevent panic when combining single principal identifier with multiple principal identifiers (#10780)
- data-source/aws_iam_policy_document: Prevent losing identifier elements when combining single and multiple principals identifiers (#10844)
- resource/aws_servicequotas_service_quota: Remove resource from Terraform state on
NoSuchResourceException
error (#10735)
ENHANCEMENTS:
- data-source/aws_iam_group: Add
users
attribute (#7132) - resource/aws_apigateway_stage: Add
arn
attribute (#10570) - resource/aws_s3_bucket: Retry reading tags on
NoSuchBucket
errors due to eventual inconsistency (#10863) - resource/aws_waf_rule: Add
arn
attribute (#10798) - resource/aws_waf_rule_group: Add
arn
attribute (#10799)
NOTES:
- provider: New
ignore_tag_prefixes
andignore_tags
arguments are being tested as a public preview for ignoring tags across all resources under a provider. Support for the functionality must be added to individual resources in the codebase and is only implemented for theaws_subnet
andaws_vpc
resources at this time. Until a general availability announcement, no compatibility promises are made with these provider arguments and their functionality. (#10418)
FEATURES:
ENHANCEMENTS:
- data-source/aws_db_cluster_snapshot: Add
tags
attribute (#10488) - data-source/aws_db_instance: Add
tags
attribute (#10550) - data-source/aws_vpc_endpoint: Add
filter
andtags
arguments (#10503) - provider: Add
ignore_tag_prefixes
andignore_tags
arguments (in public preview, see note above) (#10418) - resource/aws_acmpca_certificate_authority: Support tagging on creation (#10736)
- resource/aws_api_gateway_api_key: Add
tags
argument andarn
attribute (#10568) - resource/aws_api_gateway_client_certificate: Add
tags
argument andarn
attribute (#10569) - resource/aws_api_gateway_domain_name: Add
tags
argument andarn
attribute (#10567) - resource/aws_api_gateway_vpc_link: Add
tags
argument andarn
attribute (#10561) - resource/aws_cloudwatch_log_group: Support tagging on creation (#10753)
- resource/aws_db_cluster_snapshot: Add
tags
argument (#10488) - resource/aws_ec2_fleet: Support in-place
tags
updates (#10761) - resource/aws_launch_template: Support tagging on creation (#10759)
- resource/aws_mq_broker: Support in-place
security_groups
updates (#10442) - resource/aws_storagegateway_cached_iscsi_volume: Add
tags
argument (#10613) - resource/aws_storagegateway_gateway: Add
tags
argument (#10588) - resource/aws_storagegateway_nfs_file_share: Add
tags
argument (#10722) - resource/aws_subnet: Support provider-wide ignore tags (in public preview, see note above) (#10418)
- resource/aws_swf_domain: Add
tags
argument andarn
attribute (#10763) - resource/aws_vpc: Support provider-wide ignore tags (in public preview, see note above) (#10418)
- resource/aws_waf_rate_based_rule: Add
tags
argument andarn
attribute (#10479)
BUG FIXES:
- data-source/aws_route53_resolver_rule: Do not retrieve tags for rules shared with the AWS account that owns the data source (#10348)
- resource/aws_api_gateway_authorizer: Set
authorizer_result_ttl_in_seconds
argument default to 300 to match API default which properly allows setting to 0 for disabling caching (#9605) - resource/aws_autoscaling_group: Batch ELB attachments and detachments by 10 to prevent API and rate limiting errors (#10445)
- resource/aws_s3_bucket_public_access_block: Remove from Terraform state when S3 Bucket is already destroyed (#10534)
- resource/aws_ssm_maintenance_window_task: Prevent crashes with empty configuration blocks (#10713)
ENHANCEMENTS:
- resource/aws_ecr_repository: Add
image_scanning_configuration
configuration block (support image scanning on push) (#10671) - resource/aws_elasticache_replication_group: Add
kms_key_id
argument (support KMS encryption) (#10380) - resource/aws_flow_log: Add
log_format
argument (#10374) - resource/aws_glue_job: Add
glue_version
argument (#10237) - resource/aws_storagegateway_smb_file_share: Add
tags
argument (#10620)
BUG FIXES:
- resource/aws_backup_plan: Correctly handle changes to
recovery_point_tags
arguments (#10641) - resource/aws_backup_plan: Prevent
diffs didn't match
errors withrule
configuration blocks (#10641) - resource/aws_cloudhsm_v2_cluster: Ensure multiple tag configurations are applied correctly (#10309)
- resource/aws_cloudhsm_v2_cluster: Perform drift detection with tags (#10309)
- resource/aws_dx_gateway_association: Fix backwards compatibility issue with missing
dx_gateway_association_id
attribute (#8776) - resource/aws_s3_bucket: Bypass
MethodNotAllowed
errors for Object Lock Configuration on read (support AWS C2S) (#10657)
FEATURES:
- New Data Source:
aws_waf_rate_based_rule
(#10124) - New Data Source:
aws_wafregional_rate_based_rule
(#10125) - New Resource:
aws_quicksight_user
(#10401)
ENHANCEMENTS:
- resource/aws_glue_classifier: Add
csv_classifier
configuration block (support CSV classifiers) (#9824) - resource/aws_waf_byte_match_set: Support resource import (#10477)
- resource/aws_waf_rate_based_rule: Support resource import (#10475)
- resource/aws_waf_rule: Add
tags
argument (#10408) - resource/aws_waf_rule_group: Add
tags
argument (#10408) - resource/aws_waf_web_acl: Add
tags
argument (#10408)
BUG FIXES:
- resource/aws_gamelift_fleet: Increase default deletion timeout to 20 minutes to match service timing (#10443)
NOTES:
- provider: The underlying Terraform codebase dependency for the provider SDK and acceptance testing framework has been migrated from
github.com/hashicorp/terraform
togithub.com/hashicorp/terraform-plugin-sdk
. They are functionality equivalent and this should only impact codebase development to switch imports. For more information see the Terraform Plugin SDK page in the Extending Terraform documentation. (#10367)
ENHANCEMENTS:
- resource/aws_emr_instance_group: Add
configurations_json
argument (#10426)
BUG FIXES:
- provider: Fix session handling to correctly validate and use assume_role credentials (#10379)
- resource/aws_autoscaling_group: Batch ALB/NLB attachments and detachments by 10 to prevent API and rate limiting errors (#10435)
- resource/aws_emr_instance_group: Remove terminated instance groups from the Terraform state (#10425)
- resource/aws_s3_bucket: Prevent infinite deletion recursion with
force_destroy
argument and object keys with empty "directory" prefixes present since version 2.29.0 (#10388) - resource/aws_vpc_endpoint_route_table_association: Fix resource import support (#10454)
NOTES:
- resource/aws_lambda_function: Environments using Lambda functions with VPC configurations should upgrade their Terraform AWS Provider to this version or later to appropriately handle the networking changes introduced by the improved VPC networking for AWS Lambda functions deployment. These changes prevent proper deletion of EC2 Subnets and Security Groups for accounts and regions updated to the new Lambda networking infrastructure in older versions of the Terraform AWS Provider. Additional information and configuration workarounds for prior versions can be found in this GitHub issue.
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
tags
attribute (#10307) - resource/aws_efs_filesystem: Support tag-on-create (#10254)
- resource/aws_eks_cluster: Add
tags
argument (#10307) - resource/aws_mq_broker: Add
encryption_options
configuration block (support AWS and customer managed KMS CMKs) (#10276)
BUG FIXES:
- provider: Upstream AWS Go SDK fix for parsing AWS shared credentials files missing right-hand values (#10310)
- resource/aws_lb_listener_certificate: Retry
CertificateNotFound
errors on creation for eventual consistency (#10294) - resource/aws_s3_bucket_object: Fix object deletion for non-versioned objects (#10352)
- resource/aws_security_group: Handle updated ENI description and longer deletion timeframe for new Lambda Hyperplane ENIs (#10114] / [#10347)
- resource/aws_subnet: Handle updated ENI description and longer deletion timeframe for new Lambda Hyperplane ENIs (#10114] / [#10347)
- resource/aws_vpc_peering_connection: Ensure
allow_remote_vpc_dns_resolution
usage works with inter-region peering (#7627) - resource/aws_vpc_peering_connection_accepter: Ensure
allow_remote_vpc_dns_resolution
usage works with inter-region peering (#7627) - resource/aws_vpc_peering_connection_options: Ensure
allow_remote_vpc_dns_resolution
usage works with inter-region peering (#7627) - resource/aws_waf_rate_based_rule: Upstream AWS Go SDK fix to allow
rate_limit
arguments between 100 and 1999 (#10310) - resource/aws_wafregional_rate_based_rule: Upstream AWS Go SDK fix to allow
rate_limit
arguments between 100 and 1999 (#10310) - resource/aws_wafregional_web_acl_association: Ensure missing resource triggers state removal (#10216)
- service/waf: Prevent incorrect
Error getting WAF change token
errors for API calls that should be retried or specially handled (#10242) - service/wafregional: Prevent incorrect
Error getting WAF regional change token
errors for API calls that should be retried or specially handled (#10242)
NOTES:
- provider: The default development, testing, and building of the Terraform AWS Provider binary is now done with Go 1.13. This version of Go now requires macOS 10.11 El Capitan or later and FreeBSD 11.2 or later. Support for previous versions of those operating systems has been discontinued. (#10206)
- provider: The actual Terraform version running the provider will now be included the AWS Go SDK
User-Agent
headers for Terraform 0.12 and later. Terraform 0.11 and earlier will useTerraform/0.11+compatible
as this information was not accessible in those versions. Previously, the Terraform version in theUser-Agent
header was based on the github.com/hashicorp/terraform dependency in the provider codebase. (#9570)
ENHANCEMENTS:
- data-source/aws_cloudtrail_service_account: Support
cn-north-1
region (#10134) - data-source/aws_elastic_beanstalk_hosted_zone: Support
ap-east-1
,ap-northeast-3
,us-gov-east-1
andus-gov-west-1
regions (#10134) - data-source/aws_elb_hosted_zone_id: Support
cn-northwest-1
region (#10134) - data-source/aws_redshift_service_account: Support
ap-northeast-3
,cn-north-1
,eu-north-1
andme-south-1
regions (#10134) - provider: Use real Terraform version in User-Agent header (#9570)
- resource/aws_appsync_graphql_api: Add
additional_authentication_providers
configuration blocks (#8587) - resource/aws_elastic_beanstalk_environment: Add
endpoint_url
attribute (#10015) - resource/aws_lightsail_static_ip_attachment: Add
ip_address
attribute (#10109) - resource/aws_opsworks_stack: Switch legacy Opsworks client User-Agent to real Terraform version (#10246)
- resource/aws_sns_topic_policy: Support resource import (#10163)
- resource/aws_sqs_queue: Support tag-on-create in AWS Commercial regions (#10156)
BUG FIXES:
- data-source/aws_elb_hosted_zone_id: Correct value for
cn-north-1
region (#10134) - resource/aws_ec2_client_vpn_endpoint: Ensure missing resource triggers state removal (#10187)
- resource/aws_instance: Prevent panic when updating
credit_specification
to empty configuration block (#10212) - resource/aws_security_group: Ensure deletion errors are properly raised (#10165)
- resource/aws_spot_fleet_request: Ensure
launch_specification
configuration blockplacement_group
argument is passed through to the API when it is specified (#10103)
ENHANCEMENTS:
- data-source/aws_s3_bucket_object: Add
object_lock_legal_hold_status
,object_lock_mode
andobject_lock_retain_until_date
attributes (#9942) - resource/aws_glue_job: Add ability to specify python version for pythonshell in glue jobs (#9409)
- resource/aws_s3_bucket_object: Add
force_destroy
,object_lock_legal_hold_status
,object_lock_mode
andobject_lock_retain_until_date
attributes (#9942) - resource/aws_ssm_association: Add import support (#10055)
- resource/aws_waf_rate_based_rule: Update rate based rule limit for WAF (#9946)
- resource/aws_wafregional_rate_based_rule: Update rate based rule limit for WAF (#9946)
BUG FIXES:
- resource/aws_ecs_task_definition: Fix a crash if
containers_definition
argument JSON definesenvironment
withoutname
value (#10074)
BUG FIXES:
- Revert "resource/aws_cloudfront_distribution: Fix
active_trusted_signers
attribute for Terraform 0.12" (#10093)
NOTES:
- resource/aws_cloudfront_distribution: This attribute implemented a legacy Terraform library (flatmap), which does not work with Terraform 0.12's data types and whose only usage was on this single attribute across all Terraform Providers. The attribute now implements (in the closest approximation to the previous implementation) the nested object data into the Terraform state in all Terraform versions. Any references to nested attributes such as
active_trusted_signers.enabled
will need to be updated toactive_trusted_signers.0.enabled
. (#10013)
FEATURES:
- New Data Source:
aws_route53_resolver_rule
(#9805) - New Data Source:
aws_route53_resolver_rules
(#9805)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
identity
attribute (support getting OIDC issuer URL) (#10006) - resource/aws_eks_cluster: Add
identity
attribute (support getting OIDC issuer URL) (#10006) - resource/aws_elasticache_cluster: Support
cluster_id
validation up to 50 characters (#9941) - resource/aws_elasticache_replication_group: Support
replication_group_id
validation up to 40 characters (#9941)
BUG FIXES:
- resource/aws_instance: Final retries after timeouts creating and updating instance and getting instance password data
- resource/aws_cloudfront_distribution: Support accessing
active_trusted_signers
attributeitems
in Terraform 0.12 (#10013) - resource/aws_cognito_user_pool: Fix perpetual diffs on
sms_verification_message
(#9758) - resource/aws_elasticsearch_domain: Final retries after timeouts creating, updating, and deleting domains (#9892)
- resource/aws_elasticsearch_domain_policy: Final retries after timeouts upserting and deleting domain policies (#9892)
- resource/aws_iam_policy_attachment: Revert a change causing errors with policies not being found during attachment (#10063)
- resource/aws_lightsail_instance: Fixes an issue where 2-character lightsail instance names didn't get validated properly (#10046)
ENHANCEMENTS:
- data-source/aws_ecs_cluster: Add
setting
attribute (#9720) - provider: Support AWS C2S and SC2S endpoints (#9998)
- resource/aws_ecs_cluster: Add
setting
configuration blocks (support enabling Container Insights) (#9720) - resource/aws_kinesis_firehose_delivery_stream: Add
server_side_encryption
configuration block (support Server Side Encryption) (#6523)
BUG FIXES:
- resource/aws_s3_bucket: Include any system tags that Terraform ignores when setting S3 bucket tags (#7342)
FEATURES:
- New Data Source:
aws_elasticsearch_domain
(#1867)
BUG FIXES:
- resource/aws_ec2_capacity_reservation: Fixes error handling when an EC2 Capacity Reservation is deleted manually but is still in state (#9862)
- resource/aws_s3_bucket: Final retries after timeouts creating, updating and updating replication configuration for s3 buckets (#9861)
- resource/aws_s3_bucket_inventory: Final retries after timeout reading and putting bucket inventories (#9861)
- resource/aws_s3_bucket_metric: Final retry after timeout putting bucket metric (#9861)
- resource/aws_s3_bucket_notification: Final retry after timeout putting notification (#9861)
- resource/aws_s3_bucket_policy: Final retry after timeout putting policy (#9861)
- resource/aws_s3_bucket_public_access_block: Final retries after timeouts creating and reading blocks (#9861)
ENHANCEMENTS:
- resource/aws_rds_cluster: Support
postgresql
in plan time validation forenabled_cloudwatch_logs_exports
argument (#9740)
BUG FIXES:
- resource/aws_cloudwatch_event_target: Add default setting for ecs_target task_count (#9773)
- resource/aws_cloudwatch_log_subscription_filter: Prevent difference when omitting default
distribution
argument value ofByLogStream
(#9265) - resource/aws_db_instance: Fix enabling Enhanced Monitoring on update to handle IAM eventual consistency (#9747)
- resource/aws_elb: Final retries after timeouts creating and updating ELBs (#9765)
- resource/aws_elb_attachment: Final retry after timout creating ELB attachment (#9765)
- resource/aws_iam_instance_profile: Final retry after timeout adding role to profile (#9766)
- resource/aws_iam_policy: Final retry after timeout reading policy (#9766)
- resource/aws_iam_role: Final retries after timeouts creating and deleting IAM roles (#9766)
- resource/aws_iam_user: Final retry after timeout deleting user login profile (#9766)
- resource/aws_inspector_assessment_target: Final retry after timeout deleting target (#9767)
- resource/aws_internet_gateway: Final retries after timeouts creating, attaching, and deleting gateways (#9779)
- resource/aws_iot_thing_type: Final retry after timeout deleting IOT thing type (#9780)
- resource/aws_kinesis_firehose_delivery_stream: Prevent differences with disabled
data_format_conversion_configuration
andprocessing_configuration
after changes outside Terraform (#9103) - resource/aws_launch_configuration: Final retry after timeout creating launch configuration (#9781)
- resource/aws_lb: Final retry after timeout waiting for network interfaces to detach (#9787)
- resource/aws_lb_listener_certificate: Final retry after timeout reading listener certificate (#9787)
- resource/aws_lb_listener_rule: Final retries after timeout reading and creating listener rules (#9787)
- resource/aws_msk_cluster: Final retries after timeouts creating and deleting clusters (#9793)
- resource/aws_network_acl: Final retry after timeout deleting ACLs (#9830)
- resource/aws_network_acl_rule: Final retry after timeout creating ACL rules (#9830)
- resource/aws_network_acl_rule: Remove resource from Terraform state on
InvalidNetworkAclID.NotFound
errors (#9710) - resource/aws_opsworks_stack: Final retry after timeout creating stack (#9818)
- resource/aws_rds_cluster_instance: Ensure
monitoring_interval
andmonitoring_role_arn
attributes are always written to the Terraform state (#9748) - resource/aws_redshift_cluster: Final retry after timeout deleting cluster (#9796)
- resource/aws_redshift_snapshot_copy_grant: Final retries after timeouts finding and deleting grants (#9796)
- resource/aws_route: Final retry after timeout creating route (#9797)
- resource/aws_route_table: Final retry after timeout updating route table (#9797)
- resource/aws_route_table_association: Final retry after timeout creating route table association (#9797)
- resource/aws_s3_bucket_object: Allow using SSE-S3 encryption with
etag
argument (#9442) - resource/aws_sagemaker_model: Final retry after timeout deleting model (#9799)
- resource/aws_sagemaker_notebook_instance: Final retry after timeout updating instance (#9799)
- resource/aws_security_group: Final retry after timeout deleting security group (#9812)
- resource/aws_security_group_rule: Final retry after timeout creating security group rule (#9812)
- resource/aws_sqs_queue: Final retry after timeout creating queue (#9813)
- resource/aws_sqs_queue_policy: Final retru after timeout updating queue policy (#9813)
- resource/aws_transfer_server: Final retry after timeout waiting for transfer server deletion (#9815)
- resource/aws_wafregional_web_acl_association: Final retry after timeout creating association (#9820)
- service/dynamodb: Final retries after timeouts setting dynamodb tags (#9821)
- service/sagemaker: Final retries after timeouts setting sagemaker tags (#9821)
- service/waf: Final retry after timeout getting change token (#9826)
- service/wafregional: Final retry after timeout getting change token (#9826)
FEATURES:
- New Resource:
aws_config_organization_custom_rule
(#9716) - New Resource:
aws_config_organization_managed_rule
(#9716) - New Resource:
aws_fsx_lustre_file_system
(#7074] / [#9761) - New Resource:
aws_fsx_windows_file_system
(#7074] / [#9761) - New Resource:
aws_ram_resource_share_accepter
(#8259)
ENHANCEMENTS:
- resource/aws_codebuild_project: Add
artifacts
configuration blockartifact_identifier
argument (#9652) - resource/aws_codebuild_project: Add plan time validation for
artifacts
andsecondary_artifacts
configuration blockspackaging
argument (#9652) - resource/aws_rds_cluster: Add
multimaster
toengine_mode
argument validation (support Aurora Multi-Master Clusters) (#9691) - resource/aws_rds_cluster_instance: Allow
aurora-mysql
(MySQL 5.7) engine to enable Performance Insights (#9635) - resource/aws_wafregional_regex_match_set: Support resource import (#9699)
- resource/aws_wafregional_regex_pattern_set: Support resource import (#9712)
- resource/aws_wafregional_size_constraint_set: Support resource import (#9713)
- resource/aws_wafregional_sql_injection_match_set: Support resource import (#9717)
BUG FIXES:
- resource/aws_acm_certificate_validation: Final retries after timeouts creating and checking validation for ACM certificates (#9661)
- resource/aws_ami: Final retry after timeout reading AMI (#9674)
- resource/aws_cloudhsm2_cluster: Final retries after timeouts creating, updating, and deleting CloudHSM clusters (#9675)
- resource/aws_cloudhsm2_hsm: Final retries after timeouts creating and deleting CloudHSM modules (#9675)
- resource/aws_cloudtrail: Final retries after timeouts creating and updating cloudtrails (#9678)
- resource/aws_codebuild_project: Final retries after timeouts creating and updating codebuild projects (#9682)
- resource/aws_codebuild_project: Properly perform drift detection and updates for
secondary_artifacts
configuration block arguments (exceptname
which will require a separate fix) (#9652) - resource/aws_codedeploy_deployment_group: Final retries after timeouts creating and updating deployment groups (#9682)
- resource/aws_codepipeline: Final retry after timeout creating codepipeline (#9682)
- resource/aws_cognito_user_pool: Final retries after timeouts creating and updating Cognito user pools (#9684)
- resource/aws_db_instance: Fix enabling Performance Insights on update without Performance Insights KMS Key ID (#9745)
- resource/aws_dms_endpoint: Final retry after timeout creating DMS endpoint (#9695)
- resource/aws_docdb_cluster_instance: Final retries after timeouts creating and updating DocDB cluster instances (#9696)
- resource/aws_docdb_cluster_parameter_group: Final retry after timeout deleting DocDB cluster parameter groups (#9696)
- resource/aws_docdb_subnet_group: Final retry after timeout deleting DocDB subnet groups (#9696)
- resource/aws_dynamodb_table: Final retries after timeouts creating, updating, and deleting DynamoDB tables (#9697)
- resource/aws_ebs_snapshot: Final retries after timeouts creating, deleting or waiting for available EBS snapshots (#9698)
- resource/aws_ebs_snapshot_copy: Final retry after timeout deleting EBS snapshot copies (#9698)
- resource/aws_ecs_cluster: Final retries after timeouts reading and deleting ECS cluster (#9704)
- resource/aws_ecs_service: Final retries after timeouts creating, updating, and deleting ECS service (#9704)
- resource/aws_eip: Final retries after timeouts reading, updating, and deleting EIPs (#9728)
- resource/aws_eip_association: Final retry after timeout creating EIP association (#9728)
- resource/aws_eks_cluster: Final retry after timeout creating EKS cluster (#9729)
- resource/aws_elastic_beanstalk_application: Final retries after timeouts reading and deleting beanstalk applications (#9731)
- resource/aws_gamelift_build: Final retry after timeout creating gamelift build (#9752)
- resource/aws_gamelift fleet: Final retry after timeout deleting gamelift fleet (#9752)
- resource/aws_glue_crawler: Final retry after timeout creating glue crawler (#9753)
- resource/aws_guardduty_member: Final retry after timeout waiting for email invitation (#9757)
- resource/aws_lb_target_group_attachment: Perform drift detection on attachments using target health description (trigger resource recreation for manually deregistered attachments) (#9610)
- resource/aws_vpn_gateway: Retry after timeouts attaching and deleting VPN gateways, and retrying attachment after pending VPN errors (#9641)
FEATURES:
- New Data Source:
aws_s3_bucket_objects
(#6968) - New Resource:
aws_dx_transit_virtual_interface
(#8522) - New Resource:
aws_redshift_snapshot_schedule
(#8064) - New Resource:
aws_redshift_snapshot_schedule_association
(#8064)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
status
attribute (#9582) - data-source/aws_instance: Add
ebs_block_device
androot_block_device
configuration blockencryption
andkms_key_id
attributes (#4861] / [#7757) - data-source/aws_partition: Add
dns_suffix
attribute (e.g.amazonaws.com
in AWS Commercial,amazonaws.com.cn
in AWS China) (#5602) - resource/aws_acm_certificate: Support
options
configuration blockcertificate_transparency_logging_preference
argument (#9413) - resource/aws_acm_certificate: Add
certificate_authority_arn
argument (support issuance of ACM private certificates) (#6666) - resource/aws_cognito_identity_pool: Add
tags
argument (#9639) - resource/aws_ecr_repository: Add
image_tag_mutability
argument (support immutable image tags) (#9557) - resource/aws_efs_file_system: Add
lifecycle_policy
configuration block (support transition to IA storage after 14, 30, 60, or 90 days) (#9636) - resource/aws_eks_cluster: Add
status
attribute (#9582) - resource/aws_glue_crawler: Add
catalog_target
configuration block (#9430) - resource/aws_instance: Add
ebs_block_device
androot_block_device
configuration blockencryption
andkms_key_id
arguments (support encryption on launch) (#4861] / [#7757) - resource/aws_iot_certificate: Mark
csr
argument as optional and addcertificate_pem
,public_key
, andprivate_key
attributes (support creating key and certificate) (#9283) - resource/aws_lambda_permission: Support resource import (#9369)
- resource/aws_launch_configuration: Add
root_block_device
configuration blockencrypted
argument (support encryption on launch) (#7759) - resource/aws_s3_bucket_object: Added plan time validation for
bucket
andkey
arguments (#9591) - resource/aws_spot_fleet_request: Add
ebs_block_device
androot_block_device
configuration blockkms_key_id
argument (support encryption on launch) (#9599) - resource/aws_wafregional_geo_match_set: Support resource import (#9620)
- resource/aws_wafregional_rate_based_rule: Support resource import (#9621)
BUG FIXES:
- provider: Environment credentials have precedence over shared config credentials even if the
AWS_PROFILE
environment credentials are present. Explicitly configure the providerprofile
to override this behavior. The AWS Go SDK change that was released in version 2.21.0 of the Terraform AWS Provider has been mostly reverted. (#9555) - resource/aws_acm_certificate: Wait for presence of
DomainValidationOptions
when requesting ACM certificates (previously the API would always immediately return this information during creation) (#9598) - resource/aws_autoscaling_group: Final retries after timeouts creating, draining, and deleting ASGs and autoscaling helpers (#9649)
- resource/aws_cloud9_environment_ec2: Final retries after timeouts creating and deleting Cloud9 environments (#9629)
- resource/aws_cloudfront_distribution: Ensure deployment timeout matches documentation at 90 minutes (#9642)
- resource/aws_datasync_agent: Final retries after timeouts creating datasync agent (#9608)
- resource/aws_datasync_task: Final retry after timeout error creating datasync task (#9608)
- resource/aws_dax_cluster: Final retries after timeouts when creating and deleting Dax clusters (#9630)
- resource/aws_egress_only_internet_gateway: Final retry after timeout when reading gateway (#9638)
- resource/aws_lambda_event_source_mapping: Final retries after timeout when creating, updating, and deleting event source mappings (#9553)
- resource/aws_lambda_function: Final retry when creating lambda function (#9553)
- resource/aws_lambda_permission: Final retries when creating, reading, and deleting lambda permissions (#9553)
- resource/aws_media_package_channel: Final retries after timeouts deleting media package channels (#9633)
- resource/aws_media_store_container: Final retries after timeouts deleting media store containers (#9633)
- resource/aws_organizations_organizational_unit: Final retry after timeout when creating organizational unit (#9631)
- resource/aws_organizations_policy: Final retry after timeout creating policy (#9631)
- resource/aws_organizations_policy_attachment: Final retry after timeout creating policy attachment (#9631)
- resource/aws_secretsmanager_secret: Fianl retries after timeouts creating and updating secrets (#9632)
- resource/aws_sns_platform_application: Final retry after timeout error updating SNS platform application (#9607)
- resource/aws_vpc: Final retry after timeout deleting VPC (#9644)
NOTES:
- provider: Region validation now automatically supports the new
me-south-1
Middle East (Bahrain) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the previous new region announcement blog post. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g.error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
) or AWS operations will throw their own errors (e.g.data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials
). (#9538)
FEATURES:
ENHANCEMENTS:
- data-source/aws_cloudtrail_service_account: Support
me-south-1
region (#9547) - data-source/aws_elastic_beanstalk_hosted_zone: Support
me-south-1
region (#9547) - data-source/aws_elb_hosted_zone_id: Support
me-south-1
region (#9547) - data-source/aws_elb_service_account: Support
me-south-1
region (#9547) - data-source/aws_s3_bucket: Support
me-south-1
region forhosted_zone_id
attribute (#9547) - provider: Support automatic region validation for
me-south-1
(#9538) - resource/aws_codebuild_project: Add
override_artifact_name
argument toartifacts
andsecondary_artifacts
configuration blocks (#7824) - resource/aws_config_aggregate_authorization: Add
tags
argument (#9561) - resource/aws_config_config_rule: Add
tags
argument (#9561) - resource/aws_config_configuration_aggregator: Add
tags
argument (#9561) - resource/aws_ec2_client_vpn_endpoint: Add
split_tunnel
argument (#9566) - resource/aws_ecs_service: Allow multiple
load_balancer
configuration blocks (support for multiple target groups) (#9411) - resource/aws_pinpoint_app: Add
tags
argument (#9460) - resource/aws_route_table_association: Support resource import (#6999)
- resource/aws_route_table_association: Allow in-place updates of
subnet_id
argument (#6999) - resource/aws_s3_bucket: Support
me-south-1
region forhosted_zone_id
attribute (#9547)
BUG FIXES:
- resource/aws_codebuild_project: Properly perform drift detection and updates for
artifacts
configuration block arguments (#9559) - resource/aws_ec2_client_vpn_endpoint: Remove hardcoded one minute timeout during resource creation (#9558)
- resource/aws_route53_record: Prevent error when removing
weighted_routing_policy
(#9565) - resource/aws_storagegateway_cached_iscsi_volume: Retry after timeout deleting volume (#9536)
- resource/aws_storagegateway_cached_iscsi_volume: Fix errors deleting volumes when volumes don't exist (#9543)
- resource/aws_storagegateway_gateway: Retry after timeouts creating gateway (#9536)
BUG FIXES:
- resource/aws_autoscaling_group: Revert change from version 2.21.0 to
load_balancers
andtarget_group_arns
arguments that removes attachments when using theaws_autoscaling_attachment
resource (#9513) (#9518)
NOTES:
- provider: After this update, the AWS Go SDK will prefer credentials found via the
AWS_PROFILE
environment variable when both theAWS_PROFILE
environment variable and theAWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
environment variables are statically defined. Previously the SDK would ignore theAWS_PROFILE
environment variable, if static environment credentials were also specified. This is listed as a bug fix in the AWS Go SDK release notes. (#9428)
FEATURES:
- New Data Source:
aws_organizations_organization
(#9419) - New Data Source:
aws_waf_ipset
(#9481) - New Data Source:
aws_wafregional_ipset
(#9484)
ENHANCEMENTS:
- provider: Add support for assuming role via web identity token via the
AWS_WEB_IDENTITY_TOKEN_FILE
andAWS_ROLE_ARN
environment variables (#9428) - resource/aws_cloudwatch_event_target: Support resource import (#9431)
- resource/aws_s3_bucket_object: Add
metadata
argument (#1945) - resource/aws_wafregional_ipset: Support resource import (#9424)
BUG FIXES:
- provider: Load credentials via the
AWS_PROFILE
environment variable (if available) whenAWS_PROFILE
is defined along withAWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
(#9428) - resource/aws_autoscaling_group: Always perform drift detection with
load_balancers
andtarget_group_arns
arguments (#9478) - resource/aws_cloudfront_distribution: Prevent
DistributionAlreadyExists
errors during concurrent distribution creation (#9470) - resource/aws_cognito_user_pool_client: Properly update name value (#9437)
- resource/aws_config_config_rule: Retries after timeouts when creating and deleting config rules (#9438)
- resource/aws_config_delivery_channel: Retries after timeouts when creating and deleting config delivery channels (#9438)
- resource/aws_customer_gateway: Final retry after timeout deleting customer gateway (#9421)
- resource/aws_db_instance: Redact
MasterUserPassword
from user interface when displayingInvalidParameterValue
error during resource creation (#9446) - resource/aws_db_instance: Retries after timeouts creating DB instances (#9477)
- resource/aws_db_option_group: Retry after timeout deleting DB option group (#9477)
- resource/aws_db_parameter_group: Retry after timeout deleting DB parameter group (#9477)
- resource/aws_kms_grant: Final retries after timeouts when creating, finding, and revoking grants (#9415)
- resource/aws_kms_key: Final retries after timeouts when creating keys and updating key rotation status (#9415)
- resource/aws_rds_cluster: Properly update
master_password
during snapshot restore (#9505) - resource/aws_s3_bucket: Ensure
website_endpoint
andwebsite_domain
attributes have correct DNS suffix in AWS China (#9444) - resource/aws_ses_domain_identity_verification: Retry after timeout when creating SES domain identity verification (#9417)
- resource/aws_sfn_activity: Retry after timeout deleting SFN activity (#9498)
- resource/aws_sfn_state_machine: Retry after timeouts deleting and creating SFN state machines (#9498)
NOTES:
- resource/aws_ssm_maintenance_window_task: The
logging_info
andtask_parameters
configuration blocks have been deprecated in favor of a newtask_invocation_parameters
configuration block to match the API (#7823)
FEATURES:
- New Data Source
aws_waf_rule
(#9318) - New Data Source:
aws_waf_web_acl
(#9320) - New Data Source
aws_wafregional_rule
(#9319) - New Data Source:
aws_wafregional_web_acl
(#9321) - New Resource:
aws_quicksight_group
(#8233) - New Resource:
aws_servicequotas_service_quota
(#9192)
ENHANCEMENTS:
- data-source/aws_route53_zone: Add
linked_service_principal
andlinked_service_description
attributes (#9390) - provider: Support for assuming role using credential process from the shared AWS configuration file (#9305)
- resource/aws_api_gateway_domain_name: Add
security_policy
argument (#9128) - resource/aws_athena_named_query: Add
workgroup
argument (#9383) - resource/aws_autoscaling_lifecycle_hook: Support resource import (#9336)
- resource/aws_elasticsearch_domain: Add
cluster_config
configuration blockzone_awareness_config
configuration block (support three Availability Zone awareness) (#9398) - resource/aws_emr_cluster: Add
master_instance_group
configuration blockinstance_count
argument (support multiple master nodes) (#9235) - resource/aws_media_store_container: Add
tags
argument (#9379) - resource/aws_rds_cluster: Support
scaling_configuration
configuration blocktimeout_action
argument (#9374) - resource/aws_s3_bucket_object: Allow empty object (#7544)
- resource/aws_ssm_maintenance_window_task: Support resource import and in-place updates (#7823)
- resource/aws_ssm_maintenance_window_task: Add
task_invocation_parameters
configuration block and deprecatelogging_info
andtask_parameters
configuration blockss to match API (#7823)
BUG FIXES:
- resource/aws_appautoscaling_policy: Properly support importing of dynamodb policies (#8397)
- resource/aws_cloudwatch_event_permissions: Clean up error handling when reading event permissions (#9065)
- resource/aws_cloudwatch_event_rule: Retry error handling when creating and updating event rules (#9065)
- resource/aws_cloudwatch_log_destination: Clean up error handling when putting log destination (#9065)
- resource/aws_cloudwatch_log_subscription_filter: Clean up error handling when creating log subscription filter (#9065)
- resource/aws_cognito_identity_provider: Properly pass all attributes during update (#9396)
- resource/aws_db_event_subscription: Handle
SubscriptionNotFound
errors during refresh and deletion (#9371) - resource/aws_s3_account_public_access_block: Retry after timeout when reading s3 account public access block (#9387)
- resource/aws_ssm_maintenance_window_task: Bypass
DoesNotExistException
error on deletion (#7823) - resource/aws_ssm_maintenance_window_task: Prevent
task_parameters
ordering differences (#9364)
FEATURES:
- New Data Source:
aws_msk_configuration
(#9088) - New Resource:
aws_athena_workgroup
(#9290) - New Resource:
aws_datapipeline_pipeline
(#9267) - New Resource:
aws_directory_service_log_subscription
(#9261)
ENHANCEMENTS:
- resource/aws_acmpca_certificate_authority: Support validation for
ROOT
certificate authority type (#9292) - resource/aws_appmesh_virtual_node: Add
aws_cloud_map
configuration block underspec
andservice_discovery
(#9271) - resource/aws_appmesh_virtual_router: Add
tags
argument (#9249) - resource/aws_appmesh_virtual_service: Add
tags
argument (#9252) - resource/aws_codebuild_project: Add
environment
configuration blockregistry_credential
configuration block (support Secrets Manager registry credentials) (#9168) - resource/aws_codebuild_project: Add
logs_config
configuration block (support CloudWatch and S3 logging configuration) (#7534) - resource/aws_ebs_snapshot: Support customizable create/delete timeouts and increase defaults to 10 minutes (#9157)
- resource/aws_lightsail_instance: Add validation for
name
argument (#8667) - resource/aws_lightsail_instance: Add
tags
argument (#9273) - resource/aws_organizations_account: Add
tags
argument (#9202) - resource/aws_service_discovery_service: Add
namespace_id
argument (Support HTTP namespaces) (#7341) - resource/aws_ssm_document: Support resource import (#9313)
- resource/aws_waf_rule_group: Support resource import (#9254)
- resource/aws_wafregional_byte_match_set: Support resource import (#9258)
- resource/aws_wafregional_rule: Support resource import (#9239)
- resource/aws_wafregional_rule_group: Support resource import (#9240)
- resource/aws_wafregional_web_acl: Support resource import (#9248)
BUG FIXES:
- resource/aws_backup_selection: Retry creation for IAM eventual consistency error (#9298)
- resource/aws_db_event_subscription: Prevent
Unable to find RDS Event Subscription
error during deletion and refresh (#9274) - resource/aws_iam_policy_attachment: Bypass
NoSuchEntity
error when detaching groups, roles, and users (support group, role (whenforce_detach_policies
is enabled), and user renames (whenforce_destroy
is enabled)) (#9278) - resource/aws_s3_bucket: Properly handle the creation of tags defined in
lifecycle_rule
when no prefix argument is specified (#7162) - resource/aws_ssm_document: Ensure
content
attribute is always refreshed (#9313) - resource/aws_transfer_user: Final retry after timeout waiting for deletion of transfer user (#9241)
- service/organizations: Automatically retry API calls on
ConcurrentModificationException
error (#9195)
FEATURES:
- New Data Source:
aws_servicequotas_service
(#9177) - New Data Source:
aws_servicequotas_service_quota
(#9177)
ENHANCEMENTS:
- resource/aws_appmesh_route: Add
tags
argument (#9206) - resource/aws_appmesh_virtual_node: Add
tags
argument (#9207) - resource/aws_codecommit_repository: Add
tags
argument (#9215) - resource/aws_ec2_transit_gateway_route: Add
blackhole
argument (#9224) - resource/aws_iam_group_policy: Support resource import (#9217)
BUG FIXES:
- resource/aws_db_instance: Properly include
allow_major_version_upgrade
value when creating an RDS instance from a replica or snapshot to allow RDS to perform a major version upgrade if necessary (#9178) - resource/aws_db_instance: Prevent
InvalidParameterCombination: No modifications were requested
error when updating onlyallow_major_version_upgrade
argument (#9193) - resource/aws_emr_cluster: Skip refreshing the
kerberos_attributes
configuration blockad_domain_join_user
argument from the API as it does not contain the real configuration value (#8559)
FEATURES:
- New Data Source:
aws_ebs_default_kms_key
(#8884) - New Data Source:
aws_ebs_encryption_by_default
(#8884) - New Resource:
aws_appsync_function
(#8502)
ENHANCEMENTS:
- data-source/aws_acm_certificate: Add
key_types
argument (support searching for non-default key algorithm certificates such as RSA 4096 bit) (#8553) - data-source/aws_ssm_parameter: Add
version
attribute (#9127) - resource/aws_appmesh_mesh: Add
tags
argument (#8111) - resource/aws_appsync_resolver: Add
kind
argument andpipeline_config
configuration block (#8502) - resource/aws_db_instance: Add
max_allocated_storage
argument (support Storage Autoscaling) (#9087) - resource/aws_directory_service_directory: Tag on create (support tag limiting IAM policies) (#7937)
- resource/aws_dms_endpoint: Support
db2
inengine_name
validation (#9097) - resource/aws_kinesis_firehose_delivery_stream: Tag on create (support tag limiting IAM policies) (#7981)
- resource/aws_lb_listener: Support
TCP_UDP
andUDP
inprotocol
validation (#9111) - resource/aws_lb_target_group: Support
TCP_UDP
andUDP
inprotocol
validation (#9111) - resource/aws_route53_healthcheck: Add validation for
request_interval
argument (#9158) - resource/aws_ssm_parameter: Add
version
attribute (#9127)
BUG FIXES:
- resource/aws_api_gateway_account: Fix error handling during update (#9068)
- resource/aws_api_gateway_base_path_mapping: Fix error handling during create (#9068)
- resource/aws_api_gateway_domain_name: Remove unnecessary retry during delete (#9068)
- resource/aws_api_gateway_gateway_response: Remove unnecessary retry during delete (#9068)
- resource/aws_api_gateway_model: Remove unnecessary retry during delete (#9068)
- resource/aws_api_gateway_usage_plan: Remove unnecessary retry during delete (#9068)
- resource/aws_api_gateway_usage_plan_key: Remove unnecessary retry during delete (#9068)
- resource/aws_db_snapshot: Prevent not found error when deleted outside Terraform (#9099)
- resource/aws_ebs_snapshot_copy: Prevent error when resource is deleted outside Terraform (#9106)
- resource/aws_ecr_repository: Final retries when reading and deleting ECR repositories (#9079)
- resource/aws_ecr_repository_policy: Final retries when creating and updating ECR repository policies (#9079)
- resource/aws_lb_target_group: Properly validate up to
120
seconds forhealth_check
configuration blocktimeout
argument (#9152) - resource/aws_spot_fleet_request: Add final retry when creating spot fleet request (#9078)
- resource/aws_spot_instance_request: Add final retry when creating spot instance request (#9078)
- resource/aws_ssm_maintenance_window_target: Prevent
InvalidParameter
error on resource creation when optionalname
ordescription
were missing (#9165)
FEATURES:
- New Resource:
aws_globalaccelerator_endpoint_group
(#8328) - New Resource:
aws_ebs_default_kms_key
(#8771) - New Resource:
aws_ebs_encryption_by_default
(#8771) - New Resource:
aws_ses_identity_policy
(#5128)
ENHANCEMENTS:
- data-source/aws_vpc_endpoint: Add
owner_id
andtags
attributes (#8674) - data-source/aws_vpc_endpoint: Add
requester_managed
attribute (#8396) - data-source/aws_vpc_endpoint_service: Add
manages_vpc_endpoints
attribute (#8396) - data-source/aws_vpc_endpoint_service: Add
service_id
andtags
attributes (#8674) - provider: Support for chaining assume IAM role from AWS shared configuration files (#8987)
- resource/aws_backup_vault: Support resource import (#9041)
- resource/aws_codepipeline: Add
tags
argument (#8993) - resource/aws_codepipeline_webhook: Add
tags
argument (#8993) - resource/aws_ecs_task_definition: Add
proxy_configuration
configuration block (support AppMesh proxying) (#8780) - resource/aws_instance: Prevent panic when
credit_specification
configuration block is missing arguments (#9003) - resource/aws_organizations_organization: Add
non_master_accounts
attribute (#8926) - resource/aws_secretsmanager_secret: Tag on create (support tag limiting IAM policies) (#9023)
- resource/aws_vpc_endpoint: Add
owner_id
attribute (#8674) - resource/aws_vpc_endpoint: Add
requester_managed
attribute (#8396) - resource/aws_vpc_endpoint: Add
tags
argument (#8674) - resource/aws_vpc_endpoint_service: Add
manages_vpc_endpoints
attribute (#8396) - resource/aws_vpc_endpoint_service: Add
tags
argument (#8674)
BUG FIXES:
- provider: Fix AWS shared configuration file credential source not assuming a role with environment and ECS credentials (#8987)
- provider: Properly configure Route 53 service client in AWS GovCloud (US) (#9010)
- provider: Properly configure Route 53 service client in AWS China (#9060)
- resource/aws_api_gateway_resource: Removes an extraneous retry when deleting API gateway resource (#9054)
- resource/aws_appautoscaling_policy: Retries after timeouts in creating and reading policies (#9039)
- resource/aws_appautoscaling_scheduled_action: Retry after timeout putting scheduled actions (#9039)
- resource/aws_cloudwatch_event_permission: Prevent not found error when deleted outside Terraform (#9044)
- resource/aws_dx_gateway: Fix resource import with associations (#8970)
- resource/aws_elasticache_parameter_group: Final retry deleting parameter group (#9013)
- resource/aws_elasticache_replication_group: Final retry deleting replication group (#9013)
- resource/aws_elasticache_subnet_group: Final retry deleting subnet group (#9013)
- resource/aws_emr_cluster: Final retry after timeout error when deleting EMR cluster (#9053)
- resource/aws_kinesis_firehose_delivery_stream: Add final retries when creating and updating firehose delivery streams (#9017)
- resource/aws_neptune_cluster: Final retries when creating, updating, and deleting Neptune clusters (#9036)
- resource/aws_neptune_cluster_instance: Final retries creating and updating cluster instances (#9036)
- resource/aws_neptune_parameter_group: Final retries updating and deleting parameter groups (#9036)
- resource/aws_opsworks_permission: Improves error handing when setting opsworks permissions (#9055)
- resource/aws_rds_cluster: Final retries after timeout creating and updating cluster (#8994)
- resource/aws_rds_cluster_instance: Final retry after timeout creating cluster instance (#8994)
- resource/aws_rds_global_cluster: Final retry after timeout deleting global cluster (#8994)
- resource/aws_ses_receipt_rule_set: Prevent missing Terraform state for newly created resources (#9045)
- resource/aws_ssm_document: Final retries when creating and deleting SSM documents (#8992)
- resource/aws_ssm_resource_data_sync: Final retry when creating SSM resource data sync (#8992)
FEATURES:
- New Data Source:
aws_customer_gateway
(#8977)
ENHANCEMENTS:
- resource/aws_cognito_user_pool: Add
email_sending_account
attribute to the email configuration block (#8626) - resource/aws_redshift_cluster: Add
arn
attribute (#8894) - resource/aws_redshift_event_subscription: Add
arn
attribute and supporttags
updates (#8894) - resource/aws_redshift_parameter_group: Add
arn
attribute andtags
argument (#8894) - resource/aws_redshift_snapshot_copy_grant: Add
arn
attribute and supporttags
updates (#8894) - resource/aws_redshift_subnet_group: Add
arn
attribute (#8894) - resource/aws_ses_identity_notification_topic: Add
include_original_headers
argument (#7293)
BUG FIXES:
- resource/aws_api_gateway_resource: Final retry for deleting api gateway resource (#8893)
- resource/aws_appautoscaling_target: Final retry for registering autoscaling target (#8893)
- resource/aws_default_vpc_dhcp_options: Add pagination to get the default DHCP options correctly (#8907)
- resource/aws_docdb_cluster: Retries after timeout errors for docdb cluster operations (#8986)
- resource/aws_dx_connection_association: Final retry for deleting dx connection association (#8893)
- resource/aws_dynamodb_table_item: add a nil check when building the table item ID (#8900)
- resource/aws_eks_cluster: Increase default creation timeout to 30 minutes (#8909)
- resource/aws_elasticache_cluster: Final retry when deleting elasticache cluster (#8893)
- resource/aws_elasticache_replication_group: Implement passthrough state migration for upstream
missing MigrateState function
error in Terraform 0.12 (#8887) - resource/aws_elasticache_security_group: Final retry for deleting elasticache security group (#8981)
- resource/aws_iam_server_certificate: Final retry for deleting IAM server cert (#8893)
- resource/aws_iam_service_linked_role: Automatically suppress Application Autoscaling
custom_suffix
differences (#8931) - resource/aws_kinesis_analytics_application: Final retries for kinesis applications (#8984)
- resource/aws_sns_topic_subscription: Final retry for SNS topic subscription (#8893)
- resource/aws_ssm_activation: Final retry for creating SSM activation (#8893)
- resource/aws_vpc_dhcp_options: Add final retry to deleting DHCP options (#8907)
FEATURES:
- New Data Source:
aws_ec2_transit_gateway_dx_gateway_attachment
(#8678)
ENHANCEMENTS:
- data-source/aws_msk_cluster: Add
bootstrap_brokers_tls
attribute (#8850) - resource/aws_codebuild_webhook: Add
filter_groups
configuration blocks (#8110) - resource/aws_msk_cluster: Add
client_authentication
,configuration_info
, andencryption_in_transit
configuration blocks (#8850) - resource/aws_msk_cluster: Add
bootstrap_brokers_tls
andcurrent_version
attributes (#8850) - resource/aws_msk_cluster: Support
broker_node_group_into
configuration blockebs_volume_size
argument updates (#8850) - resource/aws_msk_cluster: Support tagging on creation (#8850)
- resource/aws_subnet: Use customizable timeouts for pending creation and waiting for
DependencyViolation
errors on deletion (#6322)
BUG FIXES:
- resource/aws_acmpca_certificate_authority: Add retry after timeout when creating CA (#8856)
- resource/aws_launch_template: Add a nil check for
spot_options
to avoiding panicking if options are empty (#8844) - resource/aws_s3_bucket_metric: Add a nil check for
filter
to avoid panicking if empty (#8852) - resource/aws_subnet: Bump default timeout for deletion from 10 to 20 minutes to better handle ELBv2 ENI deletions (#6322)
FEATURES:
- New Resource:
aws_ec2_transit_gateway_vpc_attachment_accepter
(#8679)
ENHANCEMENTS:
- resource/aws_iot_role_alias: Add
arn
attribute (#8812)
BUG FIXES:
- data-source/aws_rds_cluster: Add missing
hosted_zone_id
attribute (#8799) - resource/aws_dms_endpoint: Fix casing for
mongodb_settings
configuration blockauth_type
,auth_mechanism
, andnesting_level
argument defaults (#8008] / [#8795)
NOTES:
- resource/aws_dx_gateway_association: The
vpn_gateway_id
attribute is being deprecated in favor of the newassociated_gateway_id
attribute to support transit gateway associations (#8528) - resource/aws_dx_gateway_association_proposal: The
vpn_gateway_id
attribute is being deprecated in favor of the newassociated_gateway_id
attribute to support transit gateway associations (#8528)
FEATURES:
- New Data Source:
aws_msk_cluster
(#8743) - New Resource:
aws_msk_cluster
(#8635) - New Resource:
aws_msk_configuration
(#8740)
ENHANCEMENTS:
- resource/aws_codebuild_project: Add
cache
configuration blockmodes
argument and addtype
argument validation oflocal
(support local cache) (#8215) - resource/aws_db_instance: Add
performance_insights_enabled
,performance_insights_kms_key_id
, andperformance_insights_retention_period
arguments (#6453) - resource/aws_dx_gateway_association: New attributes
associated_gateway_owner_account_id
andproposal_id
added to support the acceptance of a Direct Connect gateway association proposal and create a cross-account Direct Connect gateway association. New exported attributesassociated_gateway_type
anddx_gateway_owner_account_id
(#8528) - resource/aws_dx_gateway_association_proposal: New attribute
associated_gateway_id
replaces deprecatedvpn_gateway_id
attribute to support transit gateway associations. New exported attributesassociated_gateway_owner_account_id
andassociated_gateway_type
(#8528) - resource/aws_ec2_transit_gateway: Handle deletion of transit gateways with DirectConnect Attachments (#8752)
- resource/aws_ec2_transit_gateway_route: Add retry to read method after timeout (#8726)
- resource/aws_kinesis_stream: Add
enforce_consumer_deletion
argument (#8682) - resource/aws_ssm_maintenance_window_target: Add support for name and description for maintenance window targets (#8671)
BUG FIXES:
- resource/aws_iam_group: Prevent state removal during name attribute update (#8707)
NOTES:
- resource/aws_emr_cluster: The
instance_group
configuration block,master_instance_type
argument,core_instance_count
argument, andcore_instance_type
argument have been deprecated in favor of newmaster_instance_group
andcore_instance_group
configuration blocks. The older, conflicting configurations were problematic in update scenarios. Task instance groups can be managed with theaws_emr_instance_group
resource. Upgrade instructions can be found in the new Version 3 Upgrade Guide. (#8459) - resrouce/aws_emr_instance_group: The addition of
autoscaling_policy
andbid_price
arguments allow for the migration of task instance groups from the deprecatedinstance_group
configuration block in theaws_emr_cluster
resource. Import instructions foraws_emr_instance_group
can be found in the resource documentation. (#8078)
FEATURES:
- New Data Source:
aws_ecr_image
(#8403) - New Data Source:
aws_ram_resource_share
(#8491) - New Guide: Version 3 Upgrade Guide (#8459)
- New Resource:
aws_ses_email_identity
(#6575) - New Resource:
aws_shield_protection
(#7721)
ENHANCEMENTS:
- resource/aws_autoscaling_schedule: Support resource import (#8300)
- resource/aws_backup_selection: Support resource import (#8546)
- resource/aws_dynamodb_table: Support tagging on creation (where available) (#8469)
- resource/aws_elastic_beanstalk_application: Add
tags
argument andarn
attribute (#8614) - resource/aws_elastic_beanstalk_application_version: Add
tags
argument andarn
attribute (#8614) - resource/aws_emr_cluster: Add
master_instance_group
andcore_instance_group
configuration blocks (deprecates other instance group configuration methods) (#8459) - resource/aws_emr_instance_group: Add support for
autoscaling_policy
,bid_price
, and resource import (#8078) - resource/aws_kinesis_analytics_application: Add
tags
argument (#8643) - resource/aws_lambda_function: Support
nodejs10.x
inruntime
validation (#8622) - resource/aws_organizations_account: Add parent_id argument (support moving accounts) (#8583)
- resource/aws_sfn_activity: Support tagging on creation (#8395)
- resource/aws_sfn_state_machine: Support tagging on creation (#8395)
- resource/aws_sns_topic: Add
tags
argument (#8468)
BUG FIXES:
- resource/aws_backup_selection: Properly trigger resource recreation with
selection_tag
updates (#8546) - resource/aws_cloudwatch_event_rule: Ignore
UnknownOperationException
error on reading tags (fixes ap-east-1 support) (#8659) - resource/aws_ssm_parameter: Remove
Tier
fromPutParameter
if unsupported (fixes AWS China support) (#8664) - resource/aws_vpn_gateway: Handle
attaching
anddetaching
attachment status (#8576) - resource/aws_vpn_gateway_attachment: Handle
attaching
anddetaching
attachment status (#8576)
FEATURES:
- New Data Source:
aws_lambda_layer_version
(#8577) - New Resource:
aws_organizations_organizational_unit
(#4207) - New Resource:
aws_xray_sampling_rule
(#8535)
ENHANCEMENTS:
- data-source/aws_rds_cluster: Add
resource_id
attribute (#8317) - resource/aws_appsync_graphql_api: Add
tags
argument (#8567) - resource/aws_cloudfront_distribution: Validate
*_cache_behavior
forwarded_values
cookies
configuration blockforward
argument (#8563) - resource/aws_glue_job: Add
pythonshell
job support by adding themax_capacity
argument and deprecating theallocated_capacity
argument (#7340) - resource/aws_lambda_alias: Support resource import (#8513)
- resource/aws_organizations_organization: Add
roots
attribute (#8399) - resource/aws_organizations_organization: Add
accounts
attribute (#8581) - resource/aws_organizations_organization: Add
enabled_policy_types
argument (#8588) - resource/aws_rds_cluster: Add
copy_tags_to_snapshot
argument (#8544) - resource/aws_ssm_parameter: Add
tier
argument (supportAdvanced
parameters) (#8525)
FEATURES:
- New Resource: aws_db_instance_role_association (#8466)
ENHANCEMENTS:
- data-source/aws_availability_zones: Add blacklisted_names and blacklisted_zone_ids arguments (#8463)
- resource/aws_elb_attachment: Retry ELB attachment on
InvalidTarget
error (#8483) - resource/aws_sfn_state_machine: Bypass
UnknownOperationException
error forListTagsForResource
API call (additional LocalStack support) (#8467) - resource/aws_ssm_activation: Add
tags
argument (#8426) - resource/aws_ssm_document: Add
tags
argument (#8426) - resource/aws_ssm_maintenance_window: Add
tags
argument (#8426) - resource/aws_ssm_patch_baseline: Add
tags
argument (#8426)
NOTES:
- provider: Region validation now automatically supports the new
ap-east-1
Asia Pacific (Hong Kong) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the announcement blog post. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g.provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
) or AWS operations will throw their own errors (e.g.data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials
).
FEATURES:
- New Resource:
aws_dx_gateway_association_proposal
(#8320)
ENHANCEMENTS:
- data-source/aws_cloudtrail_service_account: Support new
ap-east-1
region (#8437) - data-source/aws_dx_gateway: Add
owner_account_id
attribute (#8320) - data-source/aws_eks_cluster: Add
enabled_cluster_log_types
attribute (#8402) - data-source/aws_elb_hosted_zone_id: Support new
ap-east-1
region (#8437) - data-source/aws_elb_service_account: Support new
ap-east-1
region (#8437) - data-source/aws_redshift_service_account: Support new
ap-east-1
region (#8437) - data-source/aws_s3_bucket: Support new
ap-east-1
region inhosted_zone_id
attribute (#8437) - provider: Support automatic region validation for
ap-east-1
(#8440) - resource/aws_dx_gateway: Add
owner_account_id
attribute (#8320) - resource/aws_dx_gateway_association: Support resource import (#8222)
- resource/aws_dx_gateway_association: Add
allowed_prefixes
argument (#8222) - resource/aws_lb: Support Network Load Balancer (NLB) access logs (#8282)
- resource/aws_s3_bucket: Support new
ap-east-1
region inhosted_zone_id
attribute (#8437) - resource/aws_transfer_user: Support
user_name
containing uppercase letters, hyphens, and underscores (#8304)
BUG FIXES:
- resource/aws_eks_cluster: Ignore ordering and properly handle removals with
enabled_cluster_log_types
argument (#8402) - resource/aws_emr_cluster: Increase deletion timeout from 10 to 20 minutes to match AWS documentation (#8428)
- resource/aws_lb: Prevent difference when
subnet_mapping
configuration blockallocation_id
argument was omitted (#8282) - resource/aws_lb: Properly disable access logs with
access_logs
configuration blockenabled
argument set tofalse
(#8282) - resource/aws_network_interface: Refresh private_ips_count into Terraform state and allow for updates from 0 to greater than 0 (#8353)
- resource/aws_vpc: Set ipv6_association_id and ipv6_cidr_block attributes as updated for assign_generated_ipv6_cidr_block updates (#6721)
NOTES:
- provider: This release includes only a Terraform SDK upgrade with compatibility for Terraform v0.12. The provider remains backwards compatible with Terraform v0.11 and this update should have no significant changes in behavior for the provider. Please report any unexpected behavior in new GitHub issues (Terraform core: https://github.com/hashicorp/terraform/issues or Terraform AWS Provider: https://github.com/terraform-providers/terraform-provider-aws/issues) (#8366)
NOTES:
- resource/aws_route53_record: Remove deprecation from
allow_overwrite
argument as there are some use cases where it is helpful. We discourage its usage in most environments (in preference of usingterraform import
) as it can easily cause conflicting management of the same Route53 Record. (#8274)
FEATURES:
- New Resource:
aws_worklink_website_certificate_authority_association
(#7459)
ENHANCEMENTS:
- resource/aws_appmesh_mesh: Add
spec
configuration block (support egress filter rules) (#8119) - resource/aws_appmesh_route: Add
spec
configuration blocktcp_route
configuration block (support TCP routing) (#8119) - resource/aws_appmesh_virtual_node: Add
spec
configuration blocklogging
configuration block (support access logging) (#8119) - resource/aws_eks_cluster: Add
enabled_cluster_log_types
argument (support EKS control plane logging) (#8216) - resource/aws_iam_user_group_membership: Support resource import (#6976)
- resource/aws_launch_template: Add
elastic_inference_accelerator
configuration block (#8247) - resource/aws_redshift_cluster: Add configurable timeouts (#8241)
- resource/aws_transfer_server: Add
endpoint_details
configuration block andendpoint_type
argument (support Private Link) (#8121) - resource/aws_wafregional_web_acl_association: Support additional
resource_arn
types (e.g. API Gateway) (#7205)
BUG FIXES:
- data-source/aws_lb_target_group: Add missing schema attributes (#8213)
- resource/aws_appautoscaling_policy: Retry creation on
ObjectNotFound
errors for eventual consistency (#8273) - resource/aws_backup_plan: Prevent the sending of empty lifecycle attributes (#8236)
- resource/aws_glue_catalog_table: Properly trigger resource recreation when deleted outside Terraform (#8174)
- resource/aws_secretsmanager_secret: Handle additional scheduled for deletion error message on immediate secret recreation (#8219)
- provider: Prevent panic when setting
endpoints
configuration (#8226)
FEATURES:
- New Guide:
Custom Service Endpoints
(#8092) - New Resource:
aws_backup_selection
(#7382) - New Resource:
aws_sagemaker_endpoint
(#2479) - New Resource:
aws_sagemaker_notebook_instance_lifecycle_configuration
(#7585)
ENHANCEMENTS:
- provider: Support customization of all service endpoints (#8096)
- resource/aws_acmpca_certificate_authority: Add
permanent_deletion_time_in_days
argument (#7366) - resource/aws_budgets_budget: Add
notification
configuration block (support notifications) (#4523) - resource/aws_cloudfront_distribution: Add
wait_for_deployment
argument (#8116) - resource/aws_cloudwatch_log_subscription_filter: Support resource import (#8147)
- resource/aws_cloudwatch_metric_alarm: Add
tags
argument (#8168) - resource/aws_ecr_repository: Tag on creation (support tag limiting IAM policies) (#8198)
- resource/aws_lb_target_group: Add
enabled
argument to target group health checks (#7570) - resource/aws_sagemaker_notebook_instance: Add
lifecycle_config_name
argument (#7586) - service/ec2: Automatically retry
CreateVpnConnection
andCreateVpnGateway
requests for concurrency errors (#8161)
BUG FIXES:
- resource/aws_cloudfront_distribution: Ignore attribute ordering of cache behavior forwarded values
headers
and cookieswhitelisted_names
arguments (#8150)
NOTES:
- service/ec2: Due to an upcoming update to the EC2 service, both the
aws_instance
data source and resource will no longer make the EC2 API callDescribeInstanceCreditSpecifications
unless they are in the T2 or T3 instance families. Previously, the EC2 service would allow this API call for instance families that did not support credit specifications, however the upcoming update will return an error and prevent Terraform runs from completing.
FEATURES:
- New Data Source:
aws_ec2_transit_gateway_vpn_attachment
(#8071) - New Resource:
aws_appsync_resolver
(#6451) - New Resource:
aws_kms_ciphertext
(#6993) - New Resource:
aws_kms_external_key
(#8066) - New Resource:
aws_sagemaker_endpoint_configuration
(#2477)
ENHANCEMENTS:
- data-source/aws_instance: Only call
DescribeInstanceCreditSpecifications
for T2 and T3 Instance Families (#8107) - data-source/aws_kms_ciphertext: Hide
plaintext
in logs and user interface (#6100) - resource/aws_appsync_graphql_api: Add
schema
argument (#4840) - resource/aws_batch_compute_environment: Add
compute_resources
configuration blocklaunch_template
configuration block (support EC2 Launch Templates) (#8026) - resource/aws_cloudwatch_event_rule: Add
tags
argument (#8076) - resource/aws_instance: Only call
DescribeInstanceCreditSpecifications
for T2 and T3 Instance Families (#8107) - resource/aws_ram_principal_association: Validate
principal
as AWS Account ID or ARN (#8048) - resource/aws_s3_bucket: Support
DEEP_ARCHIVE
in storage class validations (#8109) - resource/aws_s3_bucket_object: Support
DEEP_ARCHIVE
instorage_class
validation (#8109) - resource/aws_vpn_connection: Add
transit_gateway_attachment_id
attribute (#8070)
BUG FIXES:
- resource/aws_cloudwatch_metric_alarm: Prevent
ValidationError
when updatingmetric_query
alarms (#8085)
BREAKING CHANGES:
- service/appmesh: Changes to support AppMesh General Availability (GA) release. The AppMesh resources were added while the API was under Public Preview and the GA release earlier this month introduced breaking changes which prevented further AWS Go SDK updates. This is a very atypical situation for the Terraform AWS Provider as most AWS API and SDK changes are additive. To prevent this situation in the future we may introduce separate Terraform AWS Provider(s) specifically for Public Preview or Beta APIs. If or when this occurs, it will be separately announced. The maintainers will continue following Terraform Provider compatibility promises outlined on the HashiCorp Blog and Extending Terraform documentation as best as possible except other existing Public Preview resources. (#7659)
- resource/aws_appmesh_virtual_node: Replace
backends
configuration block(s) withbackend
configuration blocks (#7858) - resource/aws_appmesh_virtual_node: Replace
service_discovery
configuration blockservice_name
argument withservice_discovery
configuration blockdns
configuration block (#7858) - resource/aws_appmesh_virtual_router: Remove
spec
configuration blockservice_names
argument (#7858)
FEATURES:
- New Data Source:
aws_transfer_server
(#7977) - New Resource:
aws_appmesh_virtual_service
(#7858) - New Resource:
aws_backup_plan
(#7350) - New Resource:
aws_cloudformation_stack_set
(#8020) - New Resource:
aws_cloudformation_stack_set_instance
(#8020)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
vpc_config
configuration blockendpoint_private_access
andendpoint_public_access
attributes (#8024) - data-source/aws_instance: Add
get_user_data
argument anduser_data_base64
attribute (#8001) - provider: Support custom endpoint for
ses
(#7986) - provider: Support custom endpoints for
firehose
andredshift
(#8007) - resource/aws_api_gateway_deployment: Allow
stage_name
argument to be optional (#6459) - resource/aws_appautoscaling_policy: Support resource import (#8032)
- resource/aws_appautoscaling_target: Support resource import (#8032)
- resource/aws_appmesh_route: Support resource import (#7858)
- resource/aws_appmesh_virtual_node: Support resource import (#7858)
- resource/aws_appmesh_virtual_router: Support resource import (#7858)
- resource/aws_appmesh_virtual_router: Add
spec
configuration blocklistener
configuration block (#7858) - resource/aws_cloudfront_distribution: Add
origin_group
configuration block (support Origin Groups and failover) (#7202) - resource/aws_codebuild_project: Add
project_environment
configuration blockimage_pull_credentials_type
argument (support cross-account images) (#7458) - resource/aws_ecr_repository_policy: Support resource import (#7974)
- resource/aws_eks_cluster: Add
vpc_config
configuration blockendpoint_private_access
andendpoint_public_access
arguments (support disabling public access) (#8024) - resource/aws_iam_access_key: Support
status
updates (support disabling/enabling access keys) (#7961) - resource/aws_kinesis_analytics_application: Support resource import (#8027)
- resource/aws_media_package_channel: Add
tags
argument (#7984) - resource/aws_route53_zone_association: Support resource import (#7966)
- resource/aws_s3_bucket_inventory: Support plan-time validation of
optional_fields
valuesObjectLockRetainUntilDate
,ObjectLockMode
andObjectLockLegalHoldStatus
(#7952) - resource/aws_ssm_association: Add
compliance_severity
argument (#7852) - resource/aws_ssm_association: Add
max_concurrency
andmax_errors
arguments (#7970)
BUG FIXES:
- resource/aws_appautoscaling_policy: Recreate resource for
resource_id
updates (#7982) - resource/aws_appautoscaling_policy: Ignore
ObjectNotFoundException
on deletion (#7982) - resource/aws_route53_zone_association: Properly trigger resource recreation on all updates (#7966)
FEATURES:
- New Resource:
aws_globalaccelerator_listener
(#7003) - New Resource:
aws_guardduty_invite_accepter
(#4610) - New Resource:
aws_route53_resolver_rule
(#7799) - New Resource:
aws_route53_resolver_rule_association
(#7799)
ENHANCEMENTS:
- data-source/aws_eip: Add
private_dns
andpublic_dns
attributes (#7349) - resource/aws_backup_vault: Support
tags
updates (#7933) - resource/aws_dx_bgp_peer: Add
aws_device
andbgp_peer_id
attributes (#7131) - resource/aws_dx_connection: Add
aws_device
andhas_logical_redundancy
attributes (#7131) - resource/aws_dx_hosted_private_virtual_interface: Add
aws_device
attribute (#7131) - resource/aws_dx_hosted_public_virtual_interface: Add
aws_device
attribute (#7131) - resource/aws_dx_lag: Add
has_logical_redundancy
attribute (#7131) - resource/aws_dx_private_virtual_interface: Add
aws_device
attribute (#7131) - resource/aws_dx_public_virtual_interface: Add
aws_device
attribute (#7131) - resource/aws_eip: Add
private_dns
andpublic_dns
attributes (#7349) - resource/aws_glue_crawler: Add
arn
attribute (#7948) - resource/aws_ssm_patch_baseline: Support resource import (#7838)
BUG FIXES:
- resource/aws_cloudfront_distribution: Ensure retain_on_delete disables the CloudFront Distribution before exiting (#7875)
- resource/aws_cloudwatch_log_metric_filter: Serialize create, update, and delete operations on the same CloudWatch Log Group to prevent
OperationAbortedException
errors (#7880) - resource/aws_codebuild_webhook: Only pass BranchFilter configuration if non-empty (#7841)
- resource/aws_ec2_transit_gateway_vpc_attachment: Prevent errors with Resource Access Manager shared EC2 Transit Gateways (#7513)
- resource/aws_ecr_repository_policy: Properly read
policy
into the Terraform state (#7853) - resource/aws_iam_role_policy_attachment: Prevent
NoSuchEntity
errors from race conditions (#7855) - resource/aws_kms_alias: Prevent state removal of resource immediately after creation due to eventual consistency (#7891)
- resource/aws_s3_bucket: Prevent empty
replication_configuration
rules
filter
crash (#7887) - resource/aws_s3_bucket: Continue supporting empty string (
""
)bucket
argument (#7881) - resource/aws_s3_bucket: Prevent
NoSuchBucket
errors when putting lifecycle configuration on resource creation (#7930) - resource/aws_ses_domain_mail_from: Prevent crash with deleted SES Domain Identity (#7883)
FEATURES:
- New Resource:
aws_route53_resolver_endpoint
(#6563)
ENHANCEMENTS:
- data-source/aws_elastic_beanstalk_hosted_zone: Add eu-north-1 region support (#7829)
- data-source/aws_redshift_service_account: Add us-gov-east-1 and us-gov-west-1 region mappings (#7635)
- data-source/aws_s3_bucket: Add
bucket_regional_domain_name
attribute (#7765) - resource/aws_autoscaling_group: Support new
mixed_instances_policy
instance_distribution
spot_max_price
ability to unset with empty string (#7821) - resource/aws_dlm_lifecycle_policy: Add validation support for 2, 3, 4, 6, and 8 in
policy_details
schedule
create_rule
interval
argument (support shorter intervals) (#7751) - resource/aws_ec2_client_vpn_endpoint: Add
tags
argument (#7619) - resource/aws_ecs_service: Support plan time validation of new
health_check_grace_period_seconds
max of2147483647
(#7806) - resource/aws_lb_target_group: Add
lambda_multi_value_headers_enabled
argument (#7648) - resource/aws_ram_resource_share: Add
arn
attribute (#7634) - resource/aws_s3_bucket: Add plan time length validation for
bucket
andbucket_prefix
arguments (#7778)
BUG FIXES:
- resource/aws_autoscaling_group: Allow configuration of
mixed_instances_policy
instance_distribution
on_demand_base_capacity
argument to 0 (#7821) - resource/aws_cloudfront_distribution: Remove problematic
viewer_certificate
configuration block argumentConflictsWith
usage from version 2.0.0 (#7794) - resource/aws_cloudfront_distribution: Skip disabling distributions on deletion for previously disabled distributions (#7794)
- resource/aws_cloudfront_distribution: Retry on
PreconditionFailed
error messages after disabling distribution on deletion (#7794) - resource/aws_cloudfront_distribution: Wait for creation and update deployments to complete (#7794)
- resource/aws_cloudfront_distribution: Prevent one minute timeout error for creation and update errors due to throttling (#7809)
- resource/aws_db_instance: Properly set
engine_version
withsnapshot_identifier
(#7738) - resource/aws_dynamodb_table: Prevent perpetual plan differences with
ttl
configuration blockenabled
argument set tofalse
(#3960) - resource/aws_ecs_service: Ensure
placement_strategy
removal in version 2.0.0 does not force recreation (#7790) - resource/aws_guardduty_detector: Prevent GuardDuty member accounts with unconfigured
finding_publishing_frequency
from triggering update errors (#7804) - resource/aws_launch_configuration: Prevent
ResourceInUse
errors caused by eventual consistency during deletion (#7819) - resource/aws_s3_bucket_notification: Prevent crash with empty filters configuration (#7791)
NOTES:
- Full documentation about this update, including Terraform provider version pinning and configuration examples, can be found in the Terraform AWS Provider Version 2 Upgrade Guide
BREAKING CHANGES:
- provider: Return error on AWS Account ID lookup failure during initialization (unlesss
skip_requesting_account_id = true
) (#7737) - data-source/aws_ami: Require
owners
argument (#5576) - data-source/aws_ami_ids: Require
owners
argument (#5576) - data-source/aws_iam_role: Remove deprecated attributes (#7696)
- data-source/aws_kms_secret: Remove data source (replaced with
aws_kms_secrets
data source) (#7657) - data-source/aws_lambda_function: Returns unqualified (no
:QUALIFIER
or:VERSION
suffix) value inarn
attribute by default and qualified (includes:QUALIFIER
or:VERSION
suffix) value inqualified_arn
attribute. Previously thearn
attribute included:$LATEST
suffix by default which was not compatible with many other resources. To restore the previous default behavior, set thequalifier
argument to$LATEST
and reference thequalified_arn
attribute. (#7663) - data-source/aws_region: Remove deprecated
current
argument (#7697) - resource/aws_api_gateway_api_key: Remove deprecated
stage_key
configuration block (#7698) - resource/aws_api_gateway_integration: Remove deprecated
request_parameters_in_json
argument (replaced withrequest_parameters
argument) (#7699) - resource/aws_api-gateway_integration_response: Remove deprecated
response_parameters_in_json
argument (replaced withresponse_parameters
argument) (#7700) - resource/aws_api_gateway_method: Remove deprecated
request_parameters_in_json
argument (replaced withrequest_parameters
argument) (#7701) - resource/aws_api_gateway_method_response: Remove deprecated
response_parameters_in_json
argument (replaced withresponse_parameters
argument) (#7704) - resource/aws_appautoscaling_policy: Remove deprecated arguments (replaced with
step_scaling_policy_configuration
configuration block) (#7706) - resource/aws_autoscaling_policy: Remove deprecated
min_adjustment_step
argument (replaced withmin_adjustment_magnitude
argument) (#7707) - resource/aws_batch_compute_environment: Remove deprecated
ecc_cluster_arn
attribute (replaced withecs_cluster_arn
attribute) (#7708) - resource/aws_cloudfront_distribution: Remove deprecated
cache_behaviors
configuration block (replaced withordered_cache_behaviors
configuration block) (#7710) - resource/aws_cognito_user_pool: Ensure only
email_verification_message
argument orverification_message_template
configuration blockemail_message
argument is configured (#2425) - resource/aws_cognito_user_pool: Ensure only
email_verification_subject
argument orverification_message_template
configuration blockemail_subject
argument is configured (#2425) - resource/aws_cognito_user_pool: Ensure only
sms_verification_message
argument orverification_message_template
configuration blocksms_message
argument is defined (#2425) - resource/aws_dx_lag: Remove deprecated
number_of_connections
argument and delete unmanaged connection during resource creation (#7711) - resource/aws_ecs_service: Remove deprecated
placement_strategy
configuration block (replaced withordered_placement_strategy
configuration block) (#7712) - resource/aws_efs_file_system: Remove deprecated
reference_name
argument (replaced withcreation_token
argument) (#7713) - resource/aws_elasticache_cluster: Remove deprecated
availability_zones
argument (replaced withpreferred_availability_zones
argument) (#7714) - resource/aws_instance: Remove deprecated top-level
network_interface_id
attribute (#1193] / [#7715) - resource/aws_instance: Remove hardcoded AWS China prevention of tagging on creation (#7654)
- resource/aws_lambda_function: Setting
reserved_concurrent_executions
to0
will now disable Lambda Function invocations, causing downtime for the Lambda Function. Previouslyreserved_concurrent_executions
accepted0
and below for unreserved concurrency, which means it was not previously possible to disable invocations. The argument now differentiates between a new value for unreserved concurrency (-1
) and disabling Lambda invocations (0
). If previously configuring this value to0
for unreserved concurrency, update the configured value to-1
or the resource will disable Lambda Function invocations on update. If previously unconfigured, the argument does not require any changes. See the Lambda User Guide for more information about concurrency. - resource/aws_lambda_layer_version: Swap
arn
andlayer_arn
attribute values (#7664) - resource/aws_network_acl: Remove deprecated
subnet_id
argument (replaced withsubnet_ids
argument) (#7716) - resource/aws_redshift_cluster: Remove deprecated
bucket_name
,enable_logging
, ands3_key_prefix
arguments (replaced withlogging
configuration block) (#7717) - resource/aws_route_table: Resource import no longer imports
aws_route
,aws_route_table_association
, andaws_main_route_table_association
resources into the Terraform state (#5657) - resource/aws_route53_record: Require import for existing records (use deprecated
allow_overwrite
argument to temporarily reinstate the old behavior) (#7734) - resource/aws_route53_zone: Remove deprecated
vpc_id
andvpc_region
arguments (replaced withvpc
configuration block) (#7695) - resource/aws_s3_bucket_object: Remove hardcoded AWS China prevention of tagging (#7654)
- resource/aws_wafregional_byte_match_set: Remove deprecated
byte_match_tuple
configuration block (replaced withbyte_match_tuples
configuration block) (#7718)
ENHANCEMENTS:
- data-source/aws_lambda_function: Add
tags
attribute (#7663) - resource/aws_dx_lag: Delete unmanaged connection during resource creation (#7711)
- resource/aws_lambda_function: Disable Lambda Function invocations by setting
reserved_concurrent_executions
to0
(#3806)
BUG FIXES:
- data-source/aws_lambda_function: Properly return error for missing function (#7663)
- resource/aws_appautoscaling_policy: Properly read
step_scaling_policy_configuration
into Terraform state (#7706) - resource/aws_cloudfront_distribution: Adjust TypeSet and TypeList attributes for better difference handling (#7732)
- resource/aws_redshift_cluster: Properly read logging into Terraform state (#7717)
- resource/aws_route53_record: Existing Route 53 Records are no longer silently overwritten during resource creation by default (use
terraform import
or deprecatedallow_overwrite
argument) (#7734) - resource/aws_vpn_connection: Remove configurability of read-only
customer_gateway_configuration
,routes
, andvgw_telemetry
attributes (#7636)
ENHANCEMENTS:
- resource/aws_route53_record: Add validation for alias
name
andzone_id
arguments (#7606)
BUG FIXES:
- resource/aws_db_instance: Prevent snapshot restore error with
allocated_storage
and io1storage_type
(#5800] / [#7426) - resource/aws_flow_log: Prevent crash on unsuccessful flow log creation (#7528)
- resource/aws_kinesis_analytics_application: Retry input Kinesis Firehose Delivery Stream
InvalidArgumentException
permission errors for IAM eventual consistency during creation (#7578) - resource/aws_launch_template: Properly read and write
description
(#7569) - resource/aws_rds_cluster: Remove requirement for
master_password
andmaster_username
when creating viaglobal_cluster_identifier
(#7213) - resource/aws_vpc_endpoint: Suppress equivalent
policy
differences (#7645)
FEATURES:
- New Data Source:
aws_cur_report_definition
(#7432) - New Resource:
aws_cur_report_definition
(#7432) - New Resource:
aws_docdb_cluster_instance
(#7143) - New Resource:
aws_ram_principal_association
(#7219] / [#7563) - New Resource:
aws_ram_resource_association
(#7449)
ENHANCEMENTS:
- data-source/aws_dynamodb_table: Add
billing_mode
andpoint_in_time_recovery
attributes (#7497) - resource/aws_appmesh_virtual_node: Add support for listener health checks (#7446)
- resource/aws_cloudwatch_metric_alarm: Add
metric_query
argument (support math expressions) (#6833) - resource/aws_cognito_user_pool: Add
user_pool_add_ons
argument (support advanced security mode) (#7361) - resource/aws_directory_service_directory: Set
security_group_id
attribute when type isADConnector
(#7487) - resource/aws_dynamodb_table: Use
update
customizable timeout for individual Global Secondary Index updates and increase defaultupdate
timeout from 10 minutes to 60 minutes (#7453) - resource/aws_dms_endpoint: Add
docdb
forengine_name
validation (#7491) - resource/aws_ses_identity_notification_topic: Support resource import (#7343)
- resource/aws_waf_web_acl: Add
arn
attribute andlogging_configuration
argument (#6059) - resource/aws_wafregional_web_acl: Add
arn
attribute andlogging_configuration
argument (#7480)
BUG FIXES:
- resource/aws_api_gateway_rest_api: Prevent timeout errors with large amounts of concurrent resource deletions (#7554)
- resource/aws_dynamodb_table: Prevent error when updating
billing_mode
fromPAY_PER_REQUEST
toPROVISIONED
for Tables with Global Secondary Indexes (#7453) - resource/aws_ec2_transit_gateway_vpc_attachment: Allow
pendingAcceptance
as available state during resource creation (support shared Transit Gateways with manual acceptance) (#7489) - resource/aws_iam_user_login_profile: Properly return all errors during resource creation (#7519)
- resource/aws_iot_topic_rule: Allow optional
range_key_field
andrange_key_value
arguments (#7471) - resource/aws_kinesis_analytics_application: Correctly manage multiple outputs (#7535)
- resource/aws_ssm_maintenance_window_task: Prevent erroneous
name
anddescription
validation errors on resource creation (#7186) - resource/aws_ssm_resource_data_sync: Properly trigger resource recreation for argument updates under the
s3_destination
configuration block (#7490)
FEATURES:
- New Data Source:
aws_eks_cluster_auth
(#7438) - New Resource:
aws_backup_vault
(#7207) - New Resource:
aws_docdb_cluster
(#7122) - New Resource:
aws_docdb_cluster_snapshot
(#7123) - New Resource:
aws_ec2_client_vpn_endpoint
(#7009) - New Resource:
aws_ec2_client_vpn_network_association
(#7030) - New Resource:
aws_sagemaker_model
(#2478)
ENHANCEMENTS:
- resource/aws_s3_bucket: Limit no of
expiration
&noncurrent_version_expiration
blocks to 1 (#7462)
BUG FIXES:
- resource/aws_dynamodb_table: Prevent error when updating
billing_mode
fromPAY_PER_REQUEST
toPROVISIONED
(#7363)
NOTES:
- provider: Fairly light release this week due to Terraform 0.12 upgrade and Terraform AWS Provider 2.0 related activities happening behind the scenes, which will continue through at least next week. For additional tracking information about those efforts, see the v2.0.0 milestone in GitHub.
ENHANCEMENTS
- data-source/aws_mq_broker: Add
tags
attribute (#7193) - provider: Switch codebase dependency management from
govendor
to Go modules (#7165) - resource/aws_autoscaling_policy: Support resource import (#7195)
- resource/aws_lb_listener: Add
TLS
toprotocol
argument validation (#7338) - resource/aws_lb_target_group: Add
TLS
toprotocol
argument validation (#7338) - resource/aws_mq_broker: Add
tags
argument (#7193) - resource/aws_mq_configuration: Add
tags
argument (#7193)
BUG FIXES
- resource/aws_autoscaling_policy: Properly read
step_adjustment
into Terraform state (#7336) - resource/aws_emr_cluster: Fix regression with
instance_group
differences when usingname
(#7324) - resource/aws_iot_topic_rule: Prevent panic with missing SQS UseBase64 attribute in API response (#7337)
- resource/aws_lambda_permission: Retry for Lambda function eventual consistency on creation (#7327)
- resource/aws_rds_cluster_parameter_group: Prevent missing DBClusterParameterGroupName error on creation with generated names and
name_prefix
(#7326) - resource/aws_s3_bucket_object: Delete S3 objects with leading '/' in the key name (#7268)
NOTES
- resource/aws_db_option_group: The Terraform resource is now able to perform drift detection on and import the state of the
option
attribute. The caveat is that while RDS returns only modified options, it will return all option settings whether modified or not from their default values. To workaround this option settings issue, we pass in the options from the Terraform configuration and ignore default values that are not present in the configuration. Some Terraform configurations may require minor updates to match the expected values.
FEATURES
- New Data Source:
aws_elastic_beanstalk_application
(#7144) - New Resource:
aws_docdb_subnet_group
(#7106) - New Resource:
aws_globalaccelerator_accelerator
(#7002) - New Resource:
aws_lambda_layer_version
(#6782) - New Resource:
aws_ram_resource_share
(#6528) - New Resource:
aws_sagemaker_notebook_instance
(#7139)
ENHANCEMENTS
- data-source/aws_lambda_function: Add
layers
attribute (#7126) - resource/aws_emr_cluster: Support resource import (#4488] / [#6498)
- resource/aws_emr_cluster: Support
instance_group
autoscaling_policy
updates (#6498) - resource/aws_inspector_assessment_target: Allow omitting resource_group_arn argument (support matching all EC2 instances) (#7112)
- resource/aws_inspector_assessment_target: Support resource import (#7112)
- resource/aws_lambda_function: Add
layers
argument (#7126) - resource/aws_s3_bucket: Add
object_lock_configuration
argument (support S3 Object Lock) (#6964)
BUG FIXES
- resource/aws_acm_certificate: Prevent crash with empty
SubjectAlternativeNames
(e.g.IMPORTED
type certificates with IP addressCommonName
) (#7127) - resource/aws_api_gateway_method_settings: Prevent crash when using
cache_data_encrypted
(#7133) - resource/aws_db_option_group: Read
option
attribute into Terraform state for drift detection (#7125) - resource/aws_db_option_group: Skip erroneous
ModifyOptionGroup
error when no option updates are being performed (#7125) - resource/aws_ec2_transit_gateway_route: Prevent crash with externally removed attachment (#7117)
- resource/aws_emr_cluster: Properly read
core_instance_count
,master_instance_type
, andtermination_policies
into Terraform state (#4488] / [#6498) - resource/aws_inspector_assessment_target: Properly read resource_group_arn attribute into Terraform state (#7112)
- resource/aws_launch_template: Prevent crashes with empty configuration blocks for top-level attributes (#7134)
- resource/aws_s3_bucket_object: Prevent creating new S3 object version when updating ACL or tags (#7138)
- resource/aws_s3_bucket_object: Prevent
NoSuchKey
errors reading tags on resource creation (#7138) - service/applicationautoscaling: Use proper endpoint information in AWS GovCloud (US) (#7142)
- service/servicediscovery: Return full error messaging for failed operations (#7118)
FEATURES
- New Resource:
aws_docdb_cluster_parameter_group
(#7090) - New Resource:
aws_media_package_channel
(#6957) - New Resource:
aws_resourcegroups_group
(#6217)
ENHANCEMENTS
- resource/aws_app_cookie_stickiness_policy: Support resource import (#7080)
- resource/aws_elasticsearch_domain: Support in-place updates of
elasticsearch_version
(#6243) - resource/aws_kinesis_firehose_delivery_stream: Add
extended_s3_configuration
error_output_prefix
argument (#7026) - resource/aws_sfn_activity: Add
tags
argument (#7024) - resource/aws_sfn_state_machine: Add
tags
argument (#7024) - resource/aws_ssm_maintenance_window: Add
end_date
,schedule_timezone
, andstart_date
arguments (#7040)
BUG FIXES
- resource/aws_batch_job_queue: Properly read
compute_environments
into Terraform state (#7079) - resource/aws_dynamodb_table: Prevent
BillingMode
ValidationError
on table creation (#7064) - resource/aws_iam_group_policy: Skip
NoSuchEntity
errors on resource deletion without refresh (#7071) - resource/aws_iam_role_policy: Skip
NoSuchEntity
errors on resource deletion without refresh (#7070) - resource/aws_iam_policy: Present more human readable error message during resource deletion (#7072)
- resource/aws_iam_user_policy: Skip
NoSuchEntity
errors on resource deletion without refresh (#7069) - resource/aws_instance: Skip
InvalidInstanceID.NotFound
error on resource deletion (#6978) - resource/aws_kinesis_analytics_application: Retry Lambda permission
InvalidArgumentException
errors for IAM eventual consistency (#7039)
NOTES
- This will be the last release until early January. Enjoy the rest of your year!
FEATURES
- New Data Source:
aws_autoscaling_group
(#6849) - New Resource:
aws_licensemanager_association
(#6926) - New Resource:
aws_s3_bucket_public_access_block
(#6607) - New Resource:
aws_securityhub_product_subscription
(#6921)
ENHANCEMENTS
- resource/aws_acm_certificate: Add
certificate_body
,certificate_chain
, andprivate_key
arguments (Support importing/uploading certificate into ACM) (#5453) - resource/aws_launch_template: Add
license_specification
argument (#6926) - resource/aws_redshift_cluster: Support in-place updates for adding or removing KMS encryption (#6865)
- resource/aws_transfer_server: Add
force_destroy
argument (#6935)
BUG FIXES
- resource/aws_acm_certificate: Prevent error using Terraform resource import with certificates missing domain validation options (#5472)
FEATURES
- New Resource:
aws_licensemanager_license_configuration
(#6835) - New Resource:
aws_rds_global_cluster
(#6861) - New Resource:
aws_s3_account_public_access_block
(#6851) - New Resource:
aws_securityhub_standards_subscription
(#6862) - New Resource:
aws_service_discovery_http_namespace
(#6864) - New Resource:
aws_transfer_ssh_key
(#6932) - New Resource:
aws_transfer_user
(#6850)
ENHANCEMENTS
- data-source/aws_cloudtrail_service_account: Support
us-gov-east-1
andus-gov-west-1
regions (#6893) - data-source/aws_ecr_repository: Add
tags
attribute (#6911) - resource/aws_codebuild_project: Support
source
report_build_status
for GitHub Enterprise (#6929) - resource/aws_db_snapshot: Add
tags
argument (#6881) - resource/aws_ecr_repository: Add
tags
argument (#6911) - resource/aws_ecs_service: Add
platform_version
argument (ECS Fargate Platform Version Support) (#6510) - resource/aws_guardduty_detector: Add
finding_publishing_frequency
argument (#6922) - resource/aws_lb_target_group: Add
lambda
as supportedtarget_type
with omittingport
,protocol
, andvpc_id
arguments (support Lambda target groups) (#6719) - resource/aws_rds_cluster: Allow
global
inengine_mode
validation and addglobal_cluster_identifier
argument (#6861)
BUG FIXES
- resource/aws_cloudwatch_log_stream: Trigger resource recreation on
ResourceNotFoundException
error (#6776) - resource/aws_s3_bucket: Skip
MethodNotAllowed
error during read for missing S3 Bucket Acceleration functionality (eu-north-1
region support) (#6873) - resource/aws_transfer_server: Prevent error when no
tags
are assigned on resource creation (#6883)
FEATURES
- New Data Source:
aws_api_gateway_vpc_link
(#6763) - New Resource:
aws_appmesh_route
(#6766) - New Resource:
aws_appmesh_virtual_node
(#6764) - New Resource:
aws_rds_cluster_endpoint
(#6576) - New Resource:
aws_securityhub_account
(#6839) - New Resource:
aws_transfer_server
(#6639)
ENHANCEMENTS
- data-source/aws_cloudtrail_service_account: Support
ap-northeast-3
andeu-north-1
regions (#6836) - data-source/aws_elb_hosted_zone_id: Support
ap-northeast-3
andeu-north-1
regions (#6836) - data-source/aws_elb_service_account: Support
ap-northeast-3
,eu-north-1
, andus-gov-east-1
regions (#6836) - data-source/aws_instance: Add
host_id
attribute (#6767) - data-source/aws_ip_ranges: Add
url
argument (#6756) - data-source/aws_s3_bucket: Support
ap-northeast-3
andeu-north-1
regions forhosted_zone_id
(#6836) - provider: Support automatic region validation for
eu-north-1
(#6815) - resource/aws_acm_certificate: Automatically trim trailing period from
domain_name
andsubject_alternative_names
arguments (#6844) - resource/aws_db_instance: Allow
postgresql
andupgrade
values forenabled_cloudwatch_logs_exports
(e.g. Postgres specific log exports) (#6829) - resource/aws_dynamodb_table: Allow
global_secondary_index
configuration blockread_capacity
andwrite_capacity
to be omitted withbilling_mode
set toPAY_PER_REQUEST
(support on-demand billing with GSIs) (#6737) - resource/aws_eks_cluster: Support
version
update (#6843) - resource/aws_glue_crawler: Add
security_configuration
argument (#6797) - resource/aws_iam_user_ssh_key: Support resource import (#6727)
- resource/aws_instance: Add
host_id
argument (#6767) - resource/aws_s3_bucket: Support
ap-northeast-3
andeu-north-1
regions forhosted_zone_id
(#6836) - resource/aws_ssm_maintenance_window: Support resource import (#6747)
BUG FIXES
- data-source/aws_lb_listener: Add missing
default_action
attributes from resource (#6830) - resource/aws_cloudwatch_log_subscription_filter: Ignore
ResourceNotFound
error on deletion (#6760) - resource/aws_ec2_transit_gateway_route: Trigger resource recreation with deleted/deleting route state (#6817)
- resource/aws_elasticache_parameter_group: Handle API reset issues with
reserved-memory
parameter updates (#6752) - resource/aws_lambda_permission: Ignore
ResourceNotFoundException
error on deletion (#6770) - resource/aws_lb_listener: Properly return an error when there are issues setting
default_action
attributes in Terraform state (#6830) - resource/aws_route53_record: Prevent scanning entire zone for missing record (#6753)
- resource/aws_ssm_document: Properly batch large
permissions
updates for API limits (#6735)
FEATURES
ENHANCEMENTS
- data-source/aws_availability_zone: Add
zone_id
attribute (#6686) - data-source/aws_availability_zones: Add
zone_ids
attribute (#6686) - data-source/aws_iam_policy_document: Provide error if duplicate
sid
are configured across statements (#6675) - data-source/aws_iam_policy_document: Add
version
argument (#6699) - data-source/aws_internet_gateway: Add
owner_id
attribute (#6642) - data-source/aws_route_table: Add
owner_id
attribute (#6642) - data-source/aws_subnet: Add
availability_zone_id
argument andowner_id
attribute (#6642) - data-source/aws_subnet: Use API provided
arn
attribute (#6642) - data-source/aws_vpc: Add
owner_id
attribute (#6642) - data-source/aws_vpc_dhcp_options: Add
owner_id
attribute (#6642) - resource/aws_cloudtrail: Add
is_organization_trail
argument (#6580) - resource/aws_codedeploy_config: Add
compute_platform
andtraffic_routing_config
arguments (support Lambda) (#6644) - resource/aws_default_network_acl: Add
owner_id
attribute (#6642) - resource/aws_default_route_table: Add
owner_id
attribute (#6642) - resource/aws_default_subnet: Add
owner_id
attribute (#6642) - resource/aws_default_vpc: Add
owner_id
attribute (#6642) - resource/aws_default_vpc_dhcp_options: Add
owner_id
attribute (#6642) - resource/aws_dynamodb_table: Add
billing_mode
argument (support on-demand capacity) (#6648) - resource/aws_ecs_service: Add
propagate_tags
argument (#6603) - resource/aws_ecs_task_definition: Support resource import (#6723)
- resource/aws_iam_group_policy_attachment: Support resource import (#6625)
- resource/aws_iam_user_policy_attachment: Support resource import (#6487)
- resource/aws_internet_gateway: Add
owner_id
attribute (#6642) - resource/aws_lambda_alias: Add
invoke_arn
attribute (#6329) - resource/aws_lambda_function: Support
provided
inruntime
validation (#6676) - resource/aws_lambda_function: Support
python3.7
inruntime
validation (#6583) - resource/aws_lambda_function: Support
ruby2.5
inruntime
validation (#6657) - resource/aws_network_acl: Add
owner_id
attribute (#6642) - resource/aws_rds_cluster_instance: Add
copy_tags_to_snapshot
argument (#6582) - resource/aws_route_table: Add
owner_id
attribute (#6642) - resource/aws_s3_bucket: Support
INTELLIGENT_TIERING
in storage class validations (#6589) - resource/aws_s3_bucket: Support replication rule destination storage class
GLACIER
(#6613) - resource/aws_s3_bucket_inventory: Support destination bucket
Parquet
informat
validation (#6729) - resource/aws_s3_bucket_object: Support
GLACIER
instorage_class
validation (#6610) - resource/aws_s3_bucket_object: Support
INTELLIGENT_TIERING
instorage_class
validation (#6589) - resource/aws_ses_event_destination: Support multiple
cloudwatch_destination
configuration blocks (#6690) - resource/aws_subnet: Add
availability_zone_id
argument andowner_id
attribute (#6642) - resource/aws_subnet: Use API provided
arn
attribute (#6642) - resource/aws_vpc: Add
owner_id
attribute (#6642) - resource/aws_vpc_dhcp_options: Add
owner_id
attribute (#6642)
BUG FIXES:
- resource/aws_db_instance: Allow
configuring-iam-database-auth
as pending state (#6597) - resource/aws_ec2_transit_gateway_vpc_attachment: Prevent error when Transit Gateway does not have default route table (#6665)
- resource/aws_iam_user_ssh_key: Properly trigger resource recreation with
encoding
andpublic_key
updates (#6718) - resource/aws_iot_topic_rule: Omit sending empty string
cloudwatch_metric
configuration blockmetric_timestamp
argument to AWS (#6618)
ENHANCEMENTS
- resource/aws_codedeploy_app: Support
ECS
compute_platform
(#6647) - resource/aws_codedeploy_deployment_group: Add
ecs_service
argument andload_balancer_info
configuration blocktarget_group_pair_info
argument (Support ECS Blue/Green Deployment) (#6647) - resource/aws_ecs_service: Add
deployment_controller
argument (#6647)
FEATURES
- New Data Source:
aws_ec2_transit_gateway
(#6605) - New Data Source:
aws_ec2_transit_gateway_route_table
(#6605) - New Data Source:
aws_ec2_transit_gateway_vpc_attachment
(#6605) - New Resource:
aws_ec2_transit_gateway
(#6605) - New Resource:
aws_ec2_transit_gateway_route
(#6605) - New Resource:
aws_ec2_transit_gateway_route_table
(#6605) - New Resource:
aws_ec2_transit_gateway_route_table_association
(#6605) - New Resource:
aws_ec2_transit_gateway_route_table_propagation
(#6605) - New Resource:
aws_ec2_transit_gateway_vpc_attachment
(#6605)
ENHANCEMENTS
- data-source/aws_route: Add
transit_gateway_id
attribute (#6605) - data-source/aws_route_table: Add
route
attribute blocktransit_gateway_id
attribute (#6605) - resource/aws_default_route_table: Add
route
configuration blocktransit_gateway_id
argument (#6605) - resource/aws_route: Add
transit_gateway_id
argument (#6605) - resource/aws_route_table: Add
route
configuration blocktransit_gateway_id
argument (#6605) - resource/aws_vpn_connection: Add
transit_gateway_id
argument, markvpn_gateway_id
as optional (#6605)
FEATURES
- New Resource:
aws_datasync_agent
(#6591) - New Resource:
aws_datasync_location_efs
(#6591) - New Resource:
aws_datasync_location_nfs
(#6591) - New Resource:
aws_datasync_location_s3
(#6591) - New Resource:
aws_datasync_task
(#6591)
FEATURES:
ENHANCEMENTS:
- resource/aws_ecs_service: Add
enable_ecs_managed_tags
argument (#6544) - resource/aws_kinesis_firehose_delivery_stream: Add
tags
argument (#6548) - resource/aws_organizations_organization: Add
aws_service_access_principals
argument (#6581) - resource/aws_s3_bucket_policy: Support resource import (#6543)
- resource/aws_vpc: Support plan-time validation for
cidr_block
block size (#6577)
BUG FIXES:
- resource/aws_elastic_transcoder_preset: Properly read
video_codec_options
into Terraform state (#6545) - resource/aws_subnet: Always set
ipv6_cidr_block_association_id
andipv6_cidr_block
attributes in Terraform state (#6533)
FEATURES:
- New Data Source:
aws_api_gateway_api_key
(#6449)
ENHANCEMENTS:
- data-source/aws_eip: Add
association_id
,domain
,instance_id
,network_interface_id
,network_interface_owner_id
,private_ip
, andpublic_ipv4_pool
attributes (#6463] / [#6518) - resource/aws_ecs_cluster: Add
tags
argument (#6486) - resource/aws_ecs_service: Add
tags
argument (#6486) - resource/aws_ecs_task_definition: Add
tags
argument (#6486) - resource/aws_ecs_task_definition: Add
ipc_mode
andpid_mode
arguments (#6515) - resource/aws_eip: Add
public_ipv4_pool
argument (#6518) - resource/aws_iam_role: Add
tags
argument (#6499) - resource/aws_iam_user: Add
tags
argument (#6497) - resource/aws_sns_topic: Add
kms_master_key_id
argument (support server-side encryption) (#6502)
BUG FIXES:
- resource/aws_kinesis_analytics_application: Properly handle
processing_configuration
argument (#6495)
ENHANCEMENTS:
- resource/aws_autoscaling_group: Mixed Instances Policy support (#6465)
FEATURES:
ENHANCEMENTS:
- data-source/aws_eip: Add
filter
argument (#3525) - data-source/aws_eip: Add
tags
argument (#3505) - data-source/aws_eip: Support EC2-Classic Elastic IPs (#3522)
- resource/aws_codebuild_project: Support
source
report_build_status
for Bitbucket (#6426) - resource/aws_dlm_lifecycle_policy: Add
copy_tags
argument (#6445) - resource/aws_ebs_snapshot: Allow retries for
SnapshotCreationPerVolumeRateExceeded
errors on creation (#6414) - resource/aws_ebs_volume: Switch to tagging on creation (#6396)
- resource/aws_elastic_transcoder_pipeline: Support resource import (#6388)
- resource/aws_elastic_transcoder_preset: Support resource import (#6388)
- resource/aws_lambda_event_source_mapping: Add
starting_position_timestamp
argument (#6437) - resource/aws_route53_health_check: Provide plan-time validation for
type
(#6460) - resource/aws_ses_receipt_rule: Support resource import (#6237)
- resource/aws_ssm_maintenance_window_task: Add
description
andname
arguments (#5762)
BUG FIXES:
- data-source/aws_ebs_snapshot: Fix
most_recent
ordering (#6414) - resource/aws_cloudwatch_log_metric_filter: Properly leave
default_value
empty when unset (#5933) - resource/aws_route53_health_check: Properly read
child_healthchecks
into Terraform state (#6460) - resource/aws_security_group_rule: Support all non-zero
from_port
andto_port
configurations withprotocol
ALL/-1 (#6423) - resource/aws_sns_platform_application: Properly trigger resource recreation when deleted outside Terraform (#6436)
- service/ec2: Allow
tags
andvolume_tags
updates to retry based on SDK retries instead of time bounds for EC2 throttling (#3586)
BUG FIXES:
- resource/aws_security_group_rule: Prevent crash when reading rules from groups containing an
ALL
/-1
protocol
rule (#6419)
BUG FIXES:
- resource/aws_cloudwatch_metric_alarm: Accept EC2 automate reboot ARN (#6405)
- resource/aws_lambda_function: Handle slower code uploads on creation with configurable timeout (#6409)
- resource/aws_rds_cluster: Prevent
InvalidParameterCombination
error withengine_version
andsnapshot_identifier
on creation (#6391) - resource/aws_security_group_rule: Properly handle updating description when
protocol
is -1/ALL (#6407) - resource/aws_vpc: Always set
assign_generated_ipv6_cidr_block
,ipv6_association_id
, andipv6_cidr_block
attributes in Terraform state (#2103) - resource/aws_vpc: Always wait for IPv6 CIDR block association on resource creation if
assign_generated_ipv6_cidr_block
is set (#6394) - service/ec2: Properly ignore sending existing tags during updates (#5108] / [#6370)
NOTES:
- resource/aws_lb_listener: This resource will now sort the API response based on action ordering. If necessary, sorting your configuration based on
order
should resolve any plan difference. - resource/aws_lb_listener_rule: This resource will now sort the API response based on action ordering. If necessary, sorting your configuration based on
order
should resolve any plan difference.
FEATURES:
- New Resource:
aws_dlm_lifecycle_policy
(#5558) - New Resource:
aws_kinesis_analytics_application
(#5456)
ENHANCEMENTS:
- data-source/aws_efs_file_system: Add
arn
attribute (#6371) - data-source/aws_efs_mount_target: Add
file_system_arn
attribute (#6371) - data-source/aws_mq_broker: Add
logs
attribute (#6122) - resource/aws_efs_file_system: Add
arn
attribute (#6371) - resource/aws_efs_mount_target: Add
file_system_arn
attribute (#6371) - resource/aws_launch_configuration: Add
capacity_reservation_specification
argument (#6325) - resource/aws_mq_broker: Add
logs
argument (#6122)
BUG FIXES:
- resource/aws_ecs_service: Continue supporting replica
deployment_minimum_healthy_percent = 0
anddeployment_maximum_percent = 100
(#6316) - resource/aws_flow_log: Automatically trim
:*
suffix fromlog_destination
argument (#6377) - resource/aws_iam_user: Delete SSH keys with
force_delete
(#6337) - resource/aws_lb_listener: Prevent panics with actions deleted outside Terraform (#6319)
- resource/aws_lb_listener_rule: Prevent panics with actions deleted outside Terraform (#6319)
- resource/aws_opsworks_application: Properly recreate resource on
short_name
updates (#6359) - resource/aws_s3_bucket: Prevent
MalformedXML
error when using cross-region replication V1 with an emptyprefix
(#6344)
NOTES:
- resource/aws_route53_zone: The
vpc_id
andvpc_region
arguments have been deprecated in favor ofvpc
configuration block(s). To upgrade, wrap existingvpc_id
andvpc_region
arguments withvpc { ... }
. Sincevpc
is an exclusive set of VPC associations, you may need to define othervpc
configuration blocks to match the infrastructure, or use lifecycle configurationignore_changes
to suppress the plan difference. - resource/aws_route53_zone_association: Due to the multiple VPC association support now available in the
aws_route53_zone
resource, we recommend removing usage of this resource unless necessary for ordering. To remove this resource from management (without disassociating VPCs), you can useterraform state rm
. If necessary to keep this resource for ordering, you can use the lifecycleignore_changes
in theaws_route53_zone
resource to suppress plan differences.
FEATURES:
- New Resource:
aws_ec2_capacity_reservation
(#6291) - New Resource:
aws_glue_security_configuration
(#6288) - New Resource:
aws_iot_policy_attachment
(#5864) - New Resource:
aws_iot_thing_principal_attachment
(#5868) - New Resource:
aws_pinpoint_apns_sandbox_channel
(#6233) - New Resource:
aws_pinpoint_apns_voip_channel
(#6234) - New Resource:
aws_pinpoint_apns_voip_sandbox_channel
(#6235)
ENHANCEMENTS:
- data-source/aws_iot_endpoint: Add
endpoint_type
argument (#6215) - data-source/aws_nat_gateway: Support
tags
as argument and attribute (#6231) - resource/aws_budgets_budget: Support resource import (#6226)
- resource/aws_cloudwatch_event_permission: Add
condition
argument (support Organizations access) (#6261) - resource/aws_codepipeline_webhook: Support resource import (#6202)
- resource/aws_cognito_user_pool_domain: Add
certificate_arn
argument (support custom domains) (#6185) - resource/aws_dx_hosted_private_virtual_interface: Add
mtu
argument andjumbo_frame_capable
attribute (#6142) - resource/aws_dx_private_virtual_interface: Add
mtu
argument andjumbo_frame_capable
attribute (#6141) - resource/aws_ecs_service: Support
deployment_minimum_healthy_percent
forDAEMON
strategy (#6150) - resource/aws_flow_log: Add
log_destination
andlog_destination_type
arguments (support sending to S3) (#5509) - resource/aws_glue_job: Add
security_configuration
argument (#6232) - resource/aws_lb_target_group: Improve
name
andname_prefix
argument plan-time validation (#6168) - resource/aws_s3_bucket: Support S3 Cross-Region Replication filtering based on S3 object tags (#6095)
- resource/aws_secretsmanager_secret: Add
name_prefix
argument (#6277) - resource/aws_secretsmanager_secret: Add plan-time validation for
name
argument (#6277) - resource/aws_route53_zone: Add
vpc
argument, deprecatevpc_id
andvpc_region
arguments (support multiple VPC associations) (#6299) - resource/aws_waf_rule: Support resource import (#6247)
BUG FIXES:
- data-source/aws_network_interface: Properly handle reading
private_ip
into Terraform state (#6284) - resource/aws_ami_launch_permission: Prevent panic reading public permissions (#6224)
- resource/aws_budgets_budget: Properly read
time_period_start
andtime_period_end
into Terraform state (#6226) - resource/aws_cloudwatch_metric_alarm: Allow EC2 Automate ARNs with
alarm_actions
(#6206) - resource/aws_dx_gateway: Allow legacy
amazon_side_asn
in plan-time validation (#6253) - resource/aws_egress_only_internet_gateway: Improve eventual consistency logic during creation (#6190)
- resource/aws_glue_crawler: Suppress
role
difference when using ARN (#6293) - resource/aws_iam_role_policy: Properly handle reading attributes into Terraform state after creation and update (#6304)
- resource/aws_kinesis_firehose_delivery_stream: Properly recreate resource when updating
elasticsearch_configuration
s3_backup_mode
(#6305) - resource/aws_nat_gateway: Remove
network_interface_id
,private_ip
, andpublic_ip
as configurable (they continue to be available as read-only attributes) (#6225) - resource/aws_network_acl: Properly handle ICMP code and type with IPv6 ICMP (protocol 58) (#6264)
- resource/aws_network_acl_rule: Suppress
protocol
differences between name and number (#2454) - resource/aws_network_acl_rule: Properly handle ICMP code and type with IPv6 ICMP (protocol 58) (#6263)
- resource/aws_rds_cluster_parameter_group: Properly read
parameter
apply_method
into Terraform state (#6295)
FEATURES:
- New Data Source:
aws_cloudhsm_v2_cluster
(#4125) - New Resource:
aws_cloudhsm_v2_cluster
(#4125) - New Resource:
aws_cloudhsm_v2_hsm
(#4125) - New Resource:
aws_codepipeline_webhook
(#5875) - New Resource:
aws_pinpoint_apns_channel
(#6194) - New Resource:
aws_redshift_event_subscription
(#6146)
ENHANCEMENTS:
- resource/aws_appsync_datasource: Support resource import (#6139)
- resource/aws_appsync_datasource: Support
HTTP
type
and addhttp_config
argument (#6139) - resource/aws_appsync_datasource: Make
dynamodb_config
andelasticsearch_config
region
configuration optional based on resource current region (#6139) - resource/aws_appsync_graphql_api: Add
log_config
argument (#6138) - resource/aws_appsync_graphql_api: Add
openid_connect_config
argument (#6138) - resource/aws_appsync_graphql_api: Add
uris
attribute (#6138) - resource/aws_appsync_graphql_api: Make
user_pool_config
aws_region
configuration optional based on resource current region (#6138) - resource/aws_athena_database: Add
encryption_configuration
argument (#6117) - resource/aws_cloudwatch_metric_alarm: Validate
alarm_actions
(#6151) - resource/aws_codebuild_project: Support
NO_SOURCE
insource
type
(#6140) - resource/aws_db_instance: Directly restore snapshot with
parameter_group_name
set (#6200) - resource/aws_dx_connection: Add
jumbo_frame_capable
attribute (#6143) - resource/aws_dynamodb_table: Prevent error
UnknownOperationException: Tagging is not currently supported in DynamoDB Local
(#6149) - resource/aws_lb_listener: Allow
default_action
order
to be based on Terraform configuration ordering (#6124) - resource/aws_lb_listener_rule: Allow
action
order
to be based on Terraform configuration ordering (#6124) - resource/aws_rds_cluster: Directly restore snapshot with
db_cluster_parameter_group_name
set (#6200)
BUG FIXES:
- resource/aws_appsync_graphql_api: Properly handle updates by passing all parameters (#6138)
- resource/aws_ecs_service: Properly handle
random
placement strategy (#6176) - resource/aws_lb_listener: Prevent unconfigured
default_action
order
from showing difference (#6119) - resource/aws_lb_listener_rule: Prevent unconfigured
action
order
from showing difference (#6119) - resource/aws_lb_listener_rule: Retry read for eventual consistency after resource creation (#6154)
FEATURES:
- New Data Source:
aws_launch_template
(#6064) - New Data Source:
aws_workspaces_bundle
(#3243) - New Guide:
AWS IAM Policy Documents
(#6016) - New Resource:
aws_ebs_snapshot_copy
(#3086) - New Resource:
aws_pinpoint_adm_channel
(#6038) - New Resource:
aws_pinpoint_baidu_channel
(#6111) - New Resource:
aws_pinpoint_email_channel
(#6110) - New Resource:
aws_pinpoint_event_stream
(#6069) - New Resource:
aws_pinpoint_gcm_channel
(#6089) - New Resource:
aws_pinpoint_sms_channel
(#6088) - New Resource:
aws_redshift_snapshot_copy_grant
(#5134)
ENHANCEMENTS:
- data-source/aws_iam_policy_document: Make
statement
argument optional (#6052) - data-source/aws_secretsmanager_secret: Add
policy
attribute (#6091) - data-source/aws_secretsmanager_secret_version: Add
secret_binary
attribute (#6070) - resource/aws_codebuild_project: Add
environment
certificate
argument (#6087) - resource/aws_ecr_repository: Add configurable
delete
timeout (#3910) - resource/aws_elastic_beanstalk_environment: Add
platform_arn
argument (support custom platforms) (#6093) - resource/aws_lb_listener: Support Cognito and OIDC authentication (#6094)
- resource/aws_lb_listener_rule: Support Cognito and OIDC authentication (#6094)
- resource/aws_mq_broker: Add
instances
ip_address
attribute (#6103) - resource/aws_rds_cluster: Support
engine_version
updates (#5010) - resource/aws_s3_bucket: Add replication
access_control_translation
andaccount_id
arguments (support cross-account replication ownership) (#3577) - resource/aws_secretsmanager_secret_version: Add
secret_binary
argument (#6070) - resource/aws_security_group_rule: Support resource import (#6027)
BUG FIXES:
- resource/aws_appautoscaling_policy: Properly handle negative values in step scaling metric intervals (#3480)
- resource/aws_appsync_datasource: Properly pass all attributes during update (#5814)
- resource/aws_batch_job_queue: Prevent error during read of non-existent Job Queue (#6085)
- resource/aws_ecr_repository: Retry read for eventual consistency after resource creation (#3910)
- resource/aws_ecs_service: Properly remove non-existent services from Terraform state (#6039)
- resource/aws_iam_instance_profile: Retry for eventual consistency when adding a role (#6079)
- resource/aws_lb_listener: Retry read for eventual consistency after resource creation (#5167)
FEATURES:
ENHANCEMENTS:
- resource/aws_cloudwatch_event_target: Support additional ECS target arguments (#5982)
- resource/aws_codedeploy_app: Support resource import (#6025)
- resource/aws_codedeploy_deployment_config: Support resource import (#6025)
- resource/aws_codedeploy_deployment_group: Support resource import (#6025)
- resource/aws_db_instance: Add
deletion_protection
argument (#6011) - resource/aws_dx_connection: Support 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps as valid
bandwidth
values (#6057) - resource/aws_dx_lag: Support 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps as valid
connections_bandwidth
values (#6057) - resource/aws_elasticsearch_domain: Add
node_to_node_encryption
argument (#5997) - resource/aws_rds_cluster: Add
deletion_protection
argument (#6010) - resource/aws_sns_topic_subscription: Add
delivery_policy
argument (#3289) - resource/aws_spot_fleet_request: Add
instance_pools_to_use_count
argument (#5955)
BUG FIXES:
- resource/aws_api_gateway_deployment: Do not delete stage if it is in use by another deployment (#3896)
- resource/aws_codedeploy_deployment_group: Include autoscaling groups when updating blue green config (#5827)
- resource/aws_codedeploy_deployment_group: Properly read
autoscaling_groups
into Terraform state (#6025) - resource/aws_ecs_task_definition: Properly handle task scoped docker volume configurations (#5907)
- resource/aws_network_interface_sg_attachment: Properly handle
InvalidNetworkInterfaceID.NotFound
errors (#6048) - resource/aws_rds_cluster: Properly handle
kms_key_id
when restoring from snapshot (#6012) - resource/aws_s3_bucket_object: Mark
version_id
as recomputed onetag
updates (#3861) - resource/aws_security_group: Prevent
InvalidNetworkInterfaceID.NotFound
errors when deleting lingering network interfaces (#6037) - resource/aws_sns_topic_subscription: Properly read all attributes into Terraform state on reads (#6023)
- resource/aws_sns_topic_subscription: Properly handle
filter_policy
removal (#6023) - resource/aws_subnet: Prevent
InvalidNetworkInterfaceID.NotFound
errors when deleting lingering network interfaces (#6037)
FEATURES:
- New Data Source:
aws_db_event_categories
(#5514)
ENHANCEMENTS:
- data-source/aws_autoscaling_groups: Add
arns
attribute (#5766) - resource/aws_ami: Support resource import (#5990)
- resource/aws_codebuild_project: Add
secondary_artifacts
andsecondary_sources
arguments (#5939) - resource/aws_codebuild_project: Add
arn
attribute (#5973) - resource/aws_launch_template: Support
credit_specification
configuration of T3 instance types (#5922) - resource/aws_launch_template: Allow
network_interface
ipv6_address_count
configuration (#5771) - resource/aws_rds_cluster: Support
parallelquery
engine_mode
argument (#5980)
BUG FIXES:
- data-source/aws_ami: Prevent panics with AMIs in failed image state (#5968)
- resource/aws_db_instance: Properly set
backup_retention_period = 0
withsnapshot_identifier
(#5970) - resource/aws_dms_replication_instance: Properly handle
engine_version
updates (#5948) - resource/aws_launch_template: Prevent
Auto Scaling only supports the 'one-time' Spot instance type with no duration.
error when usinginstance_market_options
and AutoScaling Groups (#5957) - resource/aws_launch_template: Properly recreate existing resource when deleted (#5967)
- resource/aws_launch_template: Continue accepting string
"true"
and"false"
values forebs_optimized
argument (#5995) - resource/aws_load_balancer_policy: Properly handle resource when ELB is deleted (#5972)
- resource/aws_rds_cluster_instance: Properly handle
publicly_accessible
updates (#5991) - resource/aws_security_group: Properly handle lingering ENIs from Lambda and similar services (#4884)
- resource/aws_subnet: Properly handle lingering ENIs from Lambda and similar services (#4884)
FEATURES:
- New Resource:
aws_dx_bgp_peer
(#5886)
ENHANCEMENTS:
- data-source/aws_ami_ids: Add
sort_ascending
argument (#5912) - resource/aws_iam_role_policy_attachment: Support resource import (#5910)
- resource/aws_s3_bucket_inventory: Allow SSE-S3 encryption (#5870)
- resource/aws_security_group: Add
prefix_list_ids
argument foringress
rules (#5916)
BUG FIXES:
- resource/aws_config_config_rule: Prevent panic when specifying empty
scope
(#5852) - resource/aws_iam_policy: Ensure
description
is properly read into Terraform state during resource creation (#5884) - resource/aws_instance: Properly handle
credit_specifications
with T3 instance types (#5805) - resource/aws_launch_template: Fix handling of
network_interface
ipv6_addresses
(#5883) - resource/aws_redshift_cluster: Properly disable logging when using
logging
nested argument (#5895) - resource/aws_s3_bucket: Prevent panics with various API read failures (#5842)
- resource/aws_s3_bucket: Prevent
NoSuchBucket
error on deletion (#5842) - resource/aws_wafregional_byte_match_set: Properly read
byte_match_tuple
into Terraform state (#5902)
FEATURES:
- New Resource:
aws_cloudfront_public_key
(#5737)
ENHANCEMENTS:
- data-source/aws_db_instance: Add
enabled_cloudwatch_logs_exports
attribute (#5801) - resource/aws_api_gateway_stage: Add
xray_tracing_enabled
argument (#5817) - resource/aws_cloudfront_distribution: Add
lambda_function_association
include_body
argument (#5681) - resource/aws_db_instance: Add
domain
anddomain_iam_role_name
arguments (support for domain joining RDS instances) (#5378) - resource/aws_ecs_task_definition: Suppress
container_definition
differences for equivalent port and host mappings (#5833) - resource/aws_ecs_task_definition: Add docker volume configuration (#5727)
- resource/aws_iam_user: Allow empty string (
""
) value forpermissions_boundary
argument (#5859) - resource/aws_iot_topic_rule: Add
firehose
seperator
argument (#5734) - resource/aws_launch_template: Allow
network_interface
ipv4_address_count
configuration (#5830) - resource/aws_ssm_document: Add support for
Session
document_type
(#5850)
BUG FIXES:
- resource/aws_iam_policy: Ensure
description
is available as an attribute when empty (#5815) - resource/aws_iam_user: Remove extraneous
DeleteUserPermissionsBoundary
API call during deletion (#5857) - resource/aws_lambda_function: Retry on
InvalidParameterValueException
errors relating to KMS-backed environment variables (#5849) - resource/aws_launch_template: Ensure
ebs_optimized
argument accepts "unspecified" value (#5627)
ENHANCEMENTS:
- data-source/aws_eks_cluster: Add
platform_version
attribute (#5797) - resource/aws_eks_cluster: Add
platform_version
attribute (#5797) - resource/aws_lambda_function: Allow empty lists for
vpc_config
security_group_ids
andsubnet_ids
arguments to unconfigure VPC (#1341) - resource/aws_iam_role: Allow empty string (
""
) value forpermissions_boundary
argument (#5740)
BUG FIXES:
- resource/aws_ecr_repository: Use
RepositoryUri
instead of our building our own URI for therepository_url
attribute (AWS China fix) (#5748) - resource/aws_lambda_function: Properly handle
vpc_config
removal (#5798) - resource/aws_redshift_cluster: Properly force new resource when updating
availability_zone
argument (#5758)
NOTES:
- provider: This is the first release tested against and built with Go 1.11, which required
go fmt
changes to the code. If you are building a custom version of this provider or running tests using the repository Make targets (e.g.make build
) when using a previous version of Go, you will receive errors. You can use the underlyinggo
commands (e.g.go build
) to workaround thego fmt
check in the Make targets until you are able to upgrade Go.
ENHANCEMENTS:
- provider:
NO_PROXY
environment variable can accept CIDR notation and port - data-source/aws_ip_ranges: Add
ipv6_cidr_blocks
attribute (#5675) - resource/aws_codebuild_project: Add
artifacts
encryption_disabled
argument (#5678) - resource/aws_route: Support route import (#5687)
BUG FIXES:
- data-source/aws_rds_cluster: Prevent error setting
engine_mode
andscaling_configuration
(#5660) - resource/aws_autoscaling_group: Retry creation for eventual consistency with launch template IAM instance profile (#5633)
- resource/aws_dax_cluster: Properly recreate cluster when updating
server_side_encryption
(#5664) - resource/aws_db_instance: Prevent double apply when using
replicate_source_db
parameters that requireModifyDBInstance
during resource creation (#5672) - resource/aws_db_instance: Prevent
pending-reboot
parameter group status on creation withparameter_group_name
(#5672) - resource/aws_lambda_event_source_mapping: Prevent perpetual difference when using function name with
function_name
(argument accepts both name and ARN) (#5454) - resource/aws_launch_template: Prevent encrypted flag cannot be specified error with
block_device_mappings
ebs
argument (#5632) - resource/aws_key_pair: Ensure
fingerprint
attribute is saved in Terraform state during creation (#5732) - resource/aws_ssm_association: Properly handle updates when multiple arguments are used (#5537)
- resource/aws_ssm_document: Properly handle deletion of privately shared documents (#5668)
- resource/aws_ssm_document: Properly update
permissions.account_ids
(#5685)
FEATURES:
- New Data Source:
aws_api_gateway_resource
(#5629)
ENHANCEMENTS:
- data-source/aws_storagegateway_local_disk: Add
disk_node
argument (#5595) - resource/aws_api_gateway_base_path_mapping: Support resource import (#5566)
- resource/aws_api_gateway_gateway_response: Support resource import (#5567)
- resource/aws_api_gateway_integration: Support resource import (#5568)
- resource/aws_api_gateway_integration_response: Support resource import (#5569)
- resource/aws_api_gateway_method: Support resource import (#5571)
- resource/aws_api_gateway_method_response: Support resource import (#5570)
- resource/aws_api_gateway_model: Support resource import (#5572)
- resource/aws_api_gateway_request_validator: Support resource import (#5573)
- resource/aws_api_gateway_resource: Support resource import (#5574)
- resource/aws_api_gateway_rest_api: Support resource import (#5564)
- resource/aws_api_gateway_stage: Support resource import (#5575)
- resource/aws_dax_cluster: Add
server_side_encryption
argument (support encryption at rest) (#5508) - resource/aws_ecs_service: Add retries for target group attachment (#3535)
- resource/aws_lb_listener: Add support for 'redirect' and 'fixed-response' actions (#5430)
- resource/aws_lb_listener_rule: Add support for 'redirect' and 'fixed-response' actions (#5430)
- resource/aws_rds_cluster: Add
scaling_configuration
argument (#5531) - resource/aws_secretsmanager_secret: Support
ForceDeleteWithoutRecovery
(viarecovery_window_in_days = 0
) and secret recreation after immediate deletion (#5583)
BUG FIXES:
- provider: Disable AWS SDK retries faster by default for
connection refused
errors (#5614) - resource/aws_api_gateway_integration: Properly read
integration_http_method
into Terraform state (#5568) - resource/aws_api_gateway_integration_response: Properly read
content_handling
into Terraform state (#5569) - resource/aws_api_gateway_integration_response: Properly read
response_templates
into Terraform state (#5569) - resource/aws_cloudfront_distribution: Import into
ordered_cache_behavior
instead of deprecatedcache_behavior
(#5586) - resource/aws_db_instance: Prevent error when using
snapshot_identifier
withmulti_az
enabled and sqlserverengine
(#5613) - resource/aws_db_instance: Prevent double apply when using
snapshot_identifier
parameters that requireModifyDBInstance
during resource creation (#5613] / [#5621) - resource/aws_db_instance: Prevent
is already being deleted
error on deletion and wait for deletion completion (#5624) - resource/aws_ecs_task_definition: Treat
INACTIVE
task definitions as removed (#5565) - resource/aws_elasticache_cluster: Allow
availability_zone
to be specified withreplication_group_id
(#5585) - resource/aws_instance: Ignore change of
user_data
from omission to empty string (#5467) - resource/aws_service_discovery_public_dns_namespace: Prevent creation error with names longer than 34 characters (#5610)
- resource/aws_waf_ipset: Properly handle updates and deletions over 1000 IP set descriptors (#5588)
- resource/aws_wafregional_ipset: Properly handle updates and deletions over 1000 IP set descriptors (#5588)
FEATURES:
- New Resource:
aws_neptune_cluster_snapshot
(#5492) - New Resource:
aws_storagegateway_cached_iscsi_volume
(#5476)
ENHANCEMENTS:
- data-source/aws_secretsmanager_secret_version: Add
arn
attribute (#5488) - data-source/aws_subnet: Add
arn
attribute (#5486) - resource/aws_cloudwatch_metric_alarm: Add
arn
attribute (#5487) - resource/aws_db_instance: Allow
alert
,listener
, andtrace
forenabled_cloudwatch_logs_exports
(e.g. Oracle specific log exports) (#5494) - resource/aws_emr_cluster: Support
st1
type EBS volumes (#5534) - resource/aws_neptune_event_subscription: Support resource import (#5491)
- resource/aws_rds_cluster: Add
engine_mode
argument (support RDS Aurora Serverless) (#5507) - resource/aws_rds_cluster: Allow
aurora
(MySQL 5.6)engine_type
to enable Performance Insights (#5468) - resource/aws_secretsmanager_secret_version: Add
arn
attribute (#5488) - resource/aws_subnet: Add
arn
attribute (#5486)
BUG FIXES:
- storagegateway: Retry API calls on busy gateway proxy connection errors (#5476)
- resource/aws_cloudtrail: Increase IAM retry threshold from 15 seconds to 1 minute (#5499)
- resource/aws_cognito_user_pool: Properly pass all attributes during update (prevent perpetual flip-flop apply) (#3458)
- resource/aws_cognito_user_pool_client: Properly pass all attributes during update (prevent perpetual flip-flop apply) (#5478)
- resource/aws_db_instance: During S3 restore, lower retry threshold for IAM eventual consistency from 5 minutes to 2 minutes and retry on additional error (#5536)
- resource/aws_dynamodb_table: Allow simultaneous region deletion retry of 5 minutes to better handle global table deletions (#5518)
- resource/aws_glue_crawler: Additional IAM eventual consistency retry logic for create and update (#5502)
- resource/aws_iam_role: Remove extraneous
DeleteRolePermissionsBoundary
API call when deleting IAM role (#5544) - resource/aws_kinesis_firehose_delivery_stream: Retry on additional IAM eventual consistency error with ElasticSearch destinations (#5541)
- resource/aws_storagegateway_cache: Prevent resource recreation due to disk identifier changes after creation (#5476)
FEATURES:
- New Data Source:
aws_db_cluster_snapshot
(#4526) - New Resource:
aws_db_cluster_snapshot
(#4526) - New Resource:
aws_neptune_event_subscription
(#5480) - New Resource:
aws_storagegateway_cache
(#5282) - New Resource:
aws_storagegateway_smb_file_share
(#5276)
ENHANCEMENTS:
- provider: Allow provider configuration AssumeRoleARN and sts:GetCallerIdentity credential validation call to shortcut account ID and partition lookup (#5177)
- provider: Improved output for multiple error handler (#5442)
- data-source/aws_instance: Add
arn
attribute (#5432) - resource/aws_elasticsearch_domain: Support
ES_APPLICATION_LOGS
log_type
in plan-time validation (#5474) - resource/aws_instance: Add
arn
attribute (#5432) - resource/aws_storagegateway_gateway: Add
smb_active_directory_settings
andsmb_guest_password
arguments (#5269)
BUG FIXES:
- provider: Prefer
USERPROFILE
overHOMEPATH
for home directory expansion on Windows (#5443) - resource/aws_ami_copy: Prevent
ena_support
attribute incorrectly reporting force new resource (#5433) - resource/aws_ami_from_instance: Prevent
ena_support
attribute incorrectly reporting force new resource (#5433) - resource/aws_elasticsearch_domain: Prevent crash when missing
AutomatedSnapshotStartHour
in API response (#5451) - resource/aws_elasticsearch_domain: Suppress plan differences for
dedicated_master_count
anddedicated_master_type
whendedicated_master_enabled
is disabled (#5423) - resource/aws_rds_cluster: Prevent error when restoring cluster from snapshot with tagging enabled (#5479)
- resource/aws_ssm_maintenance_window: Properly recreate resource when deleted outside Terraform (#5416)
- resource/aws_ssm_patch_baseline: Properly recreate resource when deleted outside Terraform (#5438)
- resource/aws_vpn_gateway: Allow legacy
amazon_side_asn
in plan-time validation (ASNs 10124 and 17493) (#5441)
FEATURES:
- New Data Source:
aws_storagegateway_local_disk
(#5279) - New Resource:
aws_macie_member_account_association
(#5283) - New Resource:
aws_neptune_cluster_instance
(#5376) - New Resource:
aws_storagegateway_nfs_file_share
(#5255) - New Resource:
aws_storagegateway_upload_buffer
(#5284) - New Resource:
aws_storagegateway_working_storage
(#5285)
ENHANCEMENTS:
- data-source/aws_rds_cluster: Add
arn
attribute (#5221) - resource/aws_ami: Add
ena_support
argument (#5395) - resource/aws_api_gateway_domain_name: Support resource import (#5368)
- resource/aws_efs_file_system: Add
provisioned_throughput_in_mibps
andthroughput_mode
arguments (#5210) - resource/aws_elasticsearch_domain: Add
cognito_options
arguments (support Cognito authentication) (#5346) - resource/aws_glue_crawler: Add
dynamodb_target
argument (#5152) - resource/aws_iam_role: Add
permissions_boundary
argument (#5184) - resource/aws_iam_user: Add
permissions_boundary
argument (#5183) - resource/aws_neptune_cluster: Support resource import (#5227)
- resource/aws_rds_cluster: Add
arn
attribute (#5221) - resource/aws_ssm_patch_baseline: Add
AMAZON_LINUX_2
andSUSE
tooperating_system
plan time validation (#5371)
BUG FIXES:
- resource/aws_codebuild_project: Handle additional IAM retry condition during update (#5238)
- resource/aws_codebuild_project: Remove extraneous UpdateProject API call after CreateProject API call (#5238)
- resource/aws_db_instance: Prevent error when restoring database from snapshot with tagging enabled (#5370)
- resource/aws_db_option_group: Prevent error when creating options with new IAM role (#5389)
- resource/aws_eip: Properly handle if multiple EIPs are returned during API read (#5331)
- resource/aws_emr_cluster: Add
configurations_json
argument (handles drift detection as compared toconfigurations
argument) (#5191) - resource/aws_emr_cluster: Ensure
keep_job_flow_alive_when_no_step = false
automatically terminates cluster (#5415) - resource/aws_lambda_event_source_mapping: Properly read
enabled
into Terraform state (#5292) - resource/aws_launch_template: Exclude
network_interfaces
associate_public_ip_address
when conflictingnetwork_interface_id
is set (#5314) - resource/aws_launch_template: Set
latest_version
as re-computed on updates (prevent need for double apply) (#5250) - resource/aws_lb_listener: Prevent crash from new
fixed-response
andredirect
actions (#5367) - resource/aws_lb_listener_rule: Prevent crash from new
fixed-response
andredirect
actions (#5367) - resource/aws_vpn_gateway: Allow legacy
amazon_side_asn
in plan-time validation (ASNs 7224 and 9059) (#5291) - resource/aws_waf_web_acl: Properly read
rules
into Terraform state (#5342) - resource/aws_waf_web_acl: Properly update
rules
(#5380) - resource/aws_wafregional_rate_based_rule: Fix
rate_limit
updates (#5356) - resource/aws_wafregional_web_acl: Properly read
rules
into Terraform state (#5342)
NOTES:
- data-source/aws_kms_secret: This data source has been deprecated and will be removed in the next major version. This is required to support the upcoming Terraform 0.12. A new
aws_kms_secrets
data source is available that allows for the same multiple KMS secret decryption functionality, but requires different attribute references. Full migration information is available in the AWS Provider Version 2 Upgrade Guide.
FEATURES:
- New Data Source:
aws_kms_secrets
(#5195) - New Data Source:
aws_network_interfaces
(#5324) - New Guide:
AWS Provider Version 2 Upgrade
(#5195)
ENHANCEMENTS:
- data-source/aws_iam_role: Add
permissions_boundary
attribute (#5186) - data-source/aws_vpc: Add
arn
attribute (#5300) - resource/aws_default_vpc: Add
arn
attribute (#5300) - resource/aws_instance: Add
cpu_core_count
andcpu_threads_per_core
arguments (#5159) - resource/aws_lambda_permission: Add
event_source_token
argument (support Alexa Skills) (#5264) - resource/aws_launch_template: Add
arn
attribute (#5306) - resource/aws_secretsmanager_secret: Add
policy
argument (#5290) - resource/aws_vpc: Add
arn
attribute (#5300) - resource/aws_waf_web_acl: Support resource import (#5337)
BUG FIXES:
- data-source/aws_vpc_endpoint_service: Perform client side filtering to workaround server side filtering issues in AWS China and AWS GovCloud (US) (#4592)
- resource/aws_kinesis_firehose_delivery_stream: Force new resource for
kinesis_source_configuration
argument changes (#5332) - resource/aws_route53_record: Prevent DomainLabelEmpty errors when expanding record names with trailing period (#5312)
- resource/aws_ses_identity_notification_topic: Prevent panic when API returns no attributes (#5327)
- resource/aws_ssm_parameter: Reduce DescribeParameters API calls by switching filtering logic (#5325)
FEATURES:
- New Resource:
aws_macie_s3_bucket_association
(#5201) - New Resource:
aws_neptune_cluster
(#5050) - New Resource:
aws_storagegateway_gateway
(#5208)
ENHANCEMENTS:
- data-source/aws_iam_user: Add
permissions_boundary
attribute (#5187) - resource/aws_api_gateway_integration: Add
timeout_milliseconds
argument (#5199) - resource/aws_cloudwatch_log_group: Allow
tags
handling in AWS GovCloud (US) and AWS China (#5175) - resource/aws_codebuild_project: Add
report_build_status
argument undersource
(support report build status for GitHub source type) (#5156) - resource/aws_launch_template: Ignore
credit_specification
when not using T2instance_type
(#5190) - resource/aws_rds_cluster_instance: Add
arn
attribute (#5220) - resource/aws_route: Print more useful error message when missing valid target type (#5198)
- resource/aws_vpc_endpoint: Add configurable timeouts (#3418)
- resource/aws_vpc_endpoint_subnet_association: Add configurable timeouts (#3418)
BUG FIXES:
- resource/aws_glue_crawler: Prevent error when deleted outside Terraform (#5158)
- resource/aws_vpc_endpoint_subnet_association: Add mutex to prevent errors with concurrent
ModifyVpcEndpoint
calls (#3418)
NOTES:
- resource/aws_codebuild_project: The
service_role
argument is now required to match the API behavior and provide plan time validation. Additional details from AWS Support can be found in: #4826 - resource/aws_wafregional_byte_match_set: The
byte_match_tuple
argument name has been deprecated in preference of a newbyte_match_tuples
argument name, for consistency with theaws_waf_byte_match_set
resource to reduce any confusion working between the two resources and to denote its multiple value support. Its behavior is exactly the same as the old argument. Simply changing the argument name (adding thes
) to configurations should upgrade without other changes.
FEATURES:
ENHANCEMENTS:
- data-source/aws_region: Add
description
attribute (#5077) - data-source/aws_vpc: Add
cidr_block_associations
attribute (#5098) - resource/aws_cloudwatch_metric_alarm: Add
datapoints_to_alarm
andevaluation_period
plan time validation (#5095) - resource/aws_db_parameter_group: Clarify naming validation error messages (#5090)
- resource/aws_glue_connection: Add
physical_connection_requirements
argumentavailability_zone
(currently required by the API) (#5039) - resource/aws_instance: Ignore
credit_specifications
when not using T2instance_type
(#5114) - resource/aws_instance: Allow AWS GovCloud (US) to perform tagging on creation (#5106)
- resource/aws_lambda_function: Support
dotnetcore2.1
inruntime
validation (#5150) - resource/aws_route_table: Ignore propagated routes during resource import (#5100)
- resource/aws_security_group: Authorize and revoke only changed individual
ingress
/egress
rules despite their configuration grouping (e.g. replacing an individual element in a multiple elementcidr_blocks
list) (#4726) - resource/aws_ses_receipt_rule: Add plan time validation for
s3_action
argumentposition
(#5092) - resource/aws_vpc_ipv4_cidr_block_association: Support resource import (#5069)
- resource/aws_waf_web_acl: Add
rules
override_action
argument and supportGROUP
type (#5053) - resource/aws_wafregional_web_acl: Add
rules
override_action
argument and supportGROUP
type (#5053)
BUG FIXES:
- resource/aws_codebuild_project: Prevent panic when empty
vpc_config
block is configured (#5070) - resource/aws_codebuild_project: Mark
service_role
as required (#4826) - resource/aws_glue_catalog_database: Properly return error when missing colon during import (#5123)
- resource/aws_glue_catalog_database: Prevent error when deleted outside Terraform (#5141)
- resource/aws_instance: Allow AWS China to perform volume tagging post-creation on first apply (#5106)
- resource/aws_kms_grant: Properly return error when listing KMS grants (#5063)
- resource/aws_rds_cluster_instance: Support
configuring-log-exports
status (#5124) - resource/aws_s3_bucket: Prevent extraneous ACL update during resource creation (#5107)
- resource/aws_wafregional_byte_match_set: Deprecate
byte_match_tuple
argument forbyte_match_tuples
(#5043)
FEATURES:
- New Data Source:
aws_launch_configuration
(#3624) - New Data Source:
aws_pricing_product
(#5057) - New Resource:
aws_s3_bucket_inventory
(#5019) - New Resource:
aws_vpc_ipv4_cidr_block_association
(#3723)
ENHANCEMENTS:
- data-source/aws_elasticache_replication_group: Add
member_clusters
attribute (#5056) - data-source/aws_instances: Add
instance_state_names
argument (support non-running
instances) (#4950) - data-source/aws_route_tables: Add
filter
argument (#5035) - data-source/aws_subnet_ids: Add
filter
argument (#5038) - resource/aws_eip_association: Support resource import (#5006)
- resource/aws_elasticache_replication_group: Add
member_clusters
attribute (#5056) - resource/aws_lambda_alias: Add
routing_config
argument (support traffic shifting) (#3316) - resource/aws_lambda_event_source_mapping: Make
starting_position
optional and allowbatch_size
to support default of 10 for SQS (#5024) - resource/aws_network_acl_rule: Add plan time conflict validation with
cidr_block
andipv6_cidr_block
(#3951) - resource/aws_spot_fleet_request: Add
fleet_type
argument (#5032) - resource/aws_ssm_document: Add
tags
argument (support tagging) (#5020)
BUG FIXES:
- resource/aws_codebuild_project: Prevent panic with missing environment variable type (#5052)
- resource/aws_kms_alias: Fix perpetual plan when
target_key_id
is ARN (#4010)
NOTES:
- resource/aws_instance: Starting around June 21, 2018, the EC2 API began responding with an empty string value for user data for some instances instead of a completely empty response. In Terraform, it would show as a difference of
user_data: "da39a3ee5e6b4b0d3255bfef95601890afd80709" => "" (forces new resource)
if theuser_data
argument was not defined in the Terraform configuration for the resource. This release ignores that difference as equivalent.
FEATURES:
- New Data Source:
aws_codecommit_repository
(#4934) - New Data Source:
aws_dx_gateway
(#4988) - New Data Source:
aws_network_acls
(#4966) - New Data Source:
aws_route_tables
(#4841) - New Data Source:
aws_security_groups
(#2947) - New Resource:
aws_dx_hosted_private_virtual_interface
(#3255) - New Resource:
aws_dx_hosted_private_virtual_interface_accepter
(#3255) - New Resource:
aws_dx_hosted_public_virtual_interface
(#3254) - New Resource:
aws_dx_hosted_public_virtual_interface_accepter
(#3254) - New Resource:
aws_dx_private_virtual_interface
(#3253) - New Resource:
aws_dx_public_virtual_interface
(#3252) - New Resource:
aws_media_store_container_policy
(#3507)
ENHANCEMENTS:
- provider: Support custom endpoint for
autoscaling
(#4970) - resource/aws_codebuild_project: Support
WINDOWS_CONTAINER
as valid environment type (#4960) - resource/aws_codebuild_project: Support resource import (#4976)
- resource/aws_ecs_service: Add
scheduling_strategy
argument (supportDAEMON
scheduling strategy) (#4825) - resource/aws_iam_instance_profile: Add
create_date
attribute (#4932) - resource/aws_media_store_container: Support resource import (#3501)
- resource/aws_network_acl: Add full mapping of protocol names to protocol numbers (#4956)
- resource/aws_network_acl_rule: Add full mapping of protocol names to protocol numbers (#4956)
- resource/aws_sqs_queue: Add .fifo suffix for FIFO queues using
name_prefix
(#4929) - resource/aws_vpc: Support update of
instance_tenancy
fromdedicated
todefault
(#2514) - resource/aws_waf_ipset: Support resource import (#4979)
- resource/aws_wafregional_web_acl: Add rule
type
argument (support rate limited rules) (#4307] / [#4978)
BUG FIXES:
- data-source/aws_rds_cluster: Prevent panic with new CloudWatch logs support (
enabled_cloudwatch_logs_exports
) introduced in 1.23.0 (#4927) - resource/aws_codebuild_webhook: Prevent panic when webhook is missing during read (#4917)
- resource/aws_db_instance: Properly raise any
ListTagsForResource
error instead of presenting a perpetual difference withtags
(#4943) - resource/aws_instance: Prevent extraneous ModifyInstanceAttribute call for
disable_api_termination
on resource creation (#4941) - resource/aws_instance: Ignore empty string SHA (
da39a3ee5e6b4b0d3255bfef95601890afd80709
)user_data
difference due to EC2 API response changes (#4991) - resource/aws_launch_template: Prevent error when using
valid_until
(#4952) - resource/aws_route: Properly force resource recreation when updating
route_table_id
(#4946) - resource/aws_route53_zone: Further prevent HostedZoneAlreadyExists with specified caller reference errors (#4903)
- resource/aws_ses_receipt_rule: Prevent error with
s3_action
whenkms_key_arn
is not specified (#4965)
FEATURES:
- New Data Source:
aws_cloudformation_export
(#2180) - New Data Source:
aws_vpc_dhcp_options
(#4878) - New Resource:
aws_dx_gateway
(#4896) - New Resource:
aws_dx_gateway_association
(#4896) - New Resource:
aws_glue_crawler
(#4484) - New Resource:
aws_neptune_cluster_parameter_group
(#4860) - New Resource:
aws_neptune_subnet_group
(#4782)
ENHANCEMENTS:
- resource/aws_api_gateway_rest_api: Support
PRIVATE
endpoint type (#4888) - resource/aws_codedeploy_app: Add
compute_platform
argument (#4811) - resource/aws_kinesis_firehose_delivery_stream: Support extended S3 destination
data_format_conversion_configuration
(#4842) - resource/aws_kms_grant: Support ARN for
key_id
argument (external CMKs) (#4886) - resource/aws_neptune_parameter_group: Add
tags
argument andarn
attribute (#4873) - resource/aws_rds_cluster: Add
enabled_cloudwatch_logs_exports
argument (#4875)
BUG FIXES:
- resource/aws_batch_job_definition: Force resource recreation on retry_strategy attempts updates (#4854)
- resource/aws_cognito_user_pool_client: Prevent panic with updating
refresh_token_validity
(#4868) - resource/aws_instance: Prevent extraneous ModifyInstanceCreditSpecification call on resource creation (#4898)
- resource/aws_s3_bucket: Properly detect
cors_rule
drift when it is deleted outside Terraform (#4887) - resource/aws_vpn_gateway_attachment: Fix error handling for missing VPN gateway (#4895)
NOTES:
- resource/aws_elasticache_cluster: The
availability_zones
argument has been deprecated in favor of a newpreferred_availability_zones
argument to allow specifying the same Availability Zone more than once in larger Memcached clusters that also need to specifically set Availability Zones. The argument is still optional and the API will continue to automatically choose Availability Zones for nodes if not specified. The new argument will also continue to match the APIs required behavior that the length of the list must be the same asnum_cache_nodes
. Migration will require recreating the resource or using the resource lifecycle configuration ofignore_changes = ["availability_zones"]
to prevent recreation. See the resource documentation for additional details.
FEATURES:
ENHANCEMENTS:
- resource/aws_db_instance: Display input arguments when receiving InvalidParameterValue error on resource creation (#4803)
- resource/aws_elasticache_cluster: Migrate from
availability_zones
TypeSet attribute topreferred_availability_zones
TypeList attribute (allow duplicate Availability Zone elements) (#4741) - resource/aws_launch_template: Add
tags
argument (support tagging the resource itself) (#4763) - resource/aws_launch_template: Add plan time validation for tag_specifications
resource_type
(#4765) - resource/aws_waf_ipset: Add
arn
attribute (#4784) - resource/aws_wafregional_ipset: Add
arn
attribute (#4816)
BUG FIXES:
- resource/aws_codebuild_webhook: Properly export
secret
(the CodeBuild API only provides its value during resource creation) (#4775) - resource/aws_codecommit_repository: Prevent error and trigger recreation when not found during read (#4761)
- resource/aws_eks_cluster: Properly export
arn
attribute (#4766] / [#4767) - resource/aws_elasticsearch_domain: Skip EBS options update/refresh if EBS is not enabled (#4802)
FEATURES:
- New Data Source:
aws_ecs_service
(#3617) - New Data Source:
aws_eks_cluster
(#4749) - New Guide: EKS Getting Started
- New Resource:
aws_config_aggregate_authorization
(#4263) - New Resource:
aws_config_configuration_aggregator
(#4262) - New Resource:
aws_eks_cluster
(#4749)
ENHANCEMENTS:
- provider: Support custom endpoint for EFS (#4716)
- resource/aws_api_gateway_method: Add
authorization_scopes
argument (#4533) - resource/aws_api_gateway_rest_api: Add
api_key_source
argument (#4717) - resource/aws_cloudfront_distribution: Allow create and update retries on InvalidViewerCertificate for eventual consistency with ACM/IAM services (#4698)
- resource/aws_cognito_identity_pool: Add
arn
attribute (#4719) - resource/aws_cognito_user_pool: Add
endpoint
attribute (#4718)
BUG FIXES:
- resource/aws_service_discovery_private_dns_namespace: Prevent creation error with names longer than 34 characters (#4702)
- resource/aws_vpn_connection: Allow period in
tunnel[1-2]_preshared_key
validation (#4731)
FEATURES:
- New Data Source:
aws_route
(#4529) - New Resource:
aws_codebuild_webhook
(#4473) - New Resource:
aws_cognito_identity_provider
(#3601) - New Resource:
aws_cognito_resource_server
(#4530) - New Resource:
aws_glue_classifier
(#4472)
ENHANCEMENTS:
- provider: Support custom endpoint for SSM (#4670)
- resource/aws_codebuild_project: Add
badge_enabled
argument andbadge_url
attribute (#3504) - resource/aws_codebuild_project: Add
environment_variable
argumenttype
(support parameter store environment variables) (#2811] / [#4021) - resource/aws_codebuild_project: Add
source
argumentgit_clone_depth
andinsecure_ssl
(#3929) - resource/aws_elasticache_replication_group: Support
number_cache_nodes
updates (#4504) - resource/aws_lb_target_group: Add
slow_start
argument (#4661) - resource/aws_redshift_cluster: Add
dns_name
attribute (#4582) - resource/aws_s3_bucket: Add
bucket_regional_domain_name
attribute (#4556)
BUG FIXES:
- data-source/aws_lambda_function: Qualifiers explicitly set are now honoured (#4654)
- resource/aws_batch_job_definition: Properly force new resource when updating timeout
attempt_duration_seconds
argument (#4697) - resource/aws_budgets_budget: Force new resource when updating
name
(#4656) - resource/aws_dms_endpoint: Additionally specify MongoDB connection info in the top-level API namespace to prevent issues connecting (#4636)
- resource/aws_rds_cluster: Prevent additional retry error during S3 import for IAM/S3 eventual consistency (#4683)
- resource/aws_sns_sms_preferences: Properly add SNS preferences to website docs (#4694)
NOTES:
- resource/aws_guardduty_member: Terraform will now try to properly detect if a member account has been invited based on its relationship status (
Disabled
/Enabled
/Invited
) and appropriately flag the newinvite
argument for update. You will want to setinvite = true
in your Terraform configuration if you previously handled the invitation process for a member, otherwise the resource will attempt to disassociate the member upon updating the provider to this version.
FEATURES:
ENHANCEMENTS:
- resource/aws_api_gateway_domain_name: Add
endpoint_configuration
argument,regional_certificate_arn
argument,regional_certificate_name
argument,regional_domain_name
attribute, andregional_zone_id
attribute (support regional domain names) (#2866) - resource/aws_api_gateway_rest_api: Add
endpoint_configuration
argument (support regional endpoint type) (#2866) - resource/aws_appautoscaling_policy: Add retry logic for rate exceeded errors during read, update and delete (#4594)
- resource/aws_ecs_service: Add
container_name
andcontainer_port
arguments forservice_registry
(support bridge and host network mode for service registry) (#4623) - resource/aws_emr_cluster: Add
additional_info
argument (#4590) - resource/aws_guardduty_member: Support member account invitation on creation (#4357)
- resource/aws_guardduty_member: Support
invite
argument updates (invite or disassociate on update) (#4604) - resource/aws_ssm_patch_baseline: Add
approval_rule
enable_non_security
argument (#4546)
BUG FIXES:
- resource/aws_api_gateway_rest_api: Prevent error with
policy
containing special characters (e.g. forward slashes in CIDRs) (#4606) - resource/aws_cloudwatch_event_rule: Prevent multiple names on creation (#4579)
- resource/aws_dynamodb_table: Prevent error with APIs that do not support point in time recovery (e.g. AWS China) (#4573)
- resource/aws_glue_catalog_table: Prevent multiple potential panic scenarios (#4621)
- resource/aws_kinesis_stream: Handle tag additions/removals of more than 10 tags (#4574)
- resource/aws_kinesis_stream: Prevent perpetual
encryption_type
difference with APIs that do not support encryption (e.g. AWS China) (#4575) - resource/aws_s3_bucket: Prevent panic from CORS reading errors (#4603)
- resource/aws_spot_fleet_request: Prevent empty
iam_instance_profile_arn
from overwritingiam_instance_profile
(#4591)
NOTES:
- data-source/aws_iam_policy_document: Please note there is a behavior change in the rendering of
principal
/not_principal
in the case oftype = "AWS"
andidentifiers = ["*"]
. This will now render asPrincipal": {"AWS": "*"}
instead of"Principal": "*"
. This change is required for IAM role trust policy support as well as differentiating between anonymous access versus AWS access in policies. To keep the old behavior of anonymous access, usetype = "*"
andidentifiers = ["*"]
, which will continue to render as"Principal": "*"
. For additional information, see theaws_iam_policy_document
documentation.
FEATURES:
- New Data Source:
aws_arn
(#3996) - New Data Source:
aws_lambda_invocation
(#4222) - New Resource:
aws_sns_sms_preferences
(#3858)
ENHANCEMENTS:
- data-source/aws_iam_policy_document: Allow rendering of
"Principal": {"AWS": "*"}
(required for IAM role trust policies) (#4248) - resource/aws_api_gateway_rest_api: Add
execution_arn
attribute (#3968) - resource/aws_db_event_subscription: Add
name_prefix
argument (#2754) - resource/aws_dms_endpoint: Add
azuredb
forengine_name
validation (#4506) - resource/aws_rds_cluster: Add
backtrack_window
argument and wait for updates to complete (#4524) - resource/aws_spot_fleet_request: Add
launch_specification
iam_instance_profile_arn
argument (#4511)
BUG FIXES:
- data-source/aws_autoscaling_groups: Use pagination function for DescribeTags filtering (#4535)
- resource/aws_elb: Ensure
bucket_prefix
for access logging can be updated to""
(#4383) - resource/aws_kinesis_firehose_delivery_stream: Retry on Elasticsearch destination IAM role errors and update IAM errors (#4518)
- resource/aws_launch_template: Allow
network_interfaces
device_index
to be set to 0 (#4367) - resource/aws_lb: Ensure
bucket_prefix
for access logging can be updated to""
(#4383) - resource/aws_lb: Ensure
access_logs
is properly set into Terraform state (#4517) - resource/aws_security_group: Fix rule description handling when gathering multiple rules with same permissions (#4416)
FEATURES:
- New Data Source:
aws_acmpca_certificate_authority
(#4458) - New Resource:
aws_acmpca_certificate_authority
(#4458) - New Resource:
aws_glue_catalog_table
(#4368)
ENHANCEMENTS:
- provider: Lower retry threshold for DNS resolution failures (#4459)
- resource/aws_dms_endpoint: Support
s3
engine_name
and adds3_settings
argument (#1685] and [#4447) - resource/aws_glue_job: Add
timeout
argument (#4460) - resource/aws_lb_target_group: Add
proxy_protocol_v2
argument (#4365) - resource/aws_spot_fleet_request: Mark
spot_price
optional (defaults to on-demand price) (#4424) - resource/aws_spot_fleet_request: Add plan time validation for
valid_from
andvalid_until
arguments (#4463) - resource/aws_spot_instance_request: Mark
spot_price
optional (defaults to on-demand price) (#4424)
BUG FIXES:
- data-source/aws_autoscaling_groups: Correctly paginate through over 50 results (#4433)
- resource/aws_elastic_beanstalk_environment: Correctly handle
cname_prefix
attribute in China partition (#4485) - resource/aws_glue_job: Remove
allocated_capacity
andmax_concurrent_runs
upper plan time validation limits (#4461) - resource/aws_instance: Fix
root_device_mapping
matching of expected root device name with multiple block devices. (#4489) - resource/aws_launch_template: Prevent
parameter iops is not supported for gp2 volumes
error (#4344) - resource/aws_launch_template: Prevent
'iamInstanceProfile.name' may not be used in combination with 'iamInstanceProfile.arn'
error (#4344) - resource/aws_launch_template: Prevent
parameter groupName cannot be used with the parameter subnet
error (#4344) - resource/aws_launch_template: Separate usage of
ipv4_address_count
/ipv6_address_count
fromipv4_addresses
/ipv6_addresses
(#4344) - resource/aws_redshift_cluster: Properly send all required parameters when resizing (#3127)
- resource/aws_s3_bucket: Prevent crash from empty string CORS arguments (#4465)
- resource/aws_ssm_document: Add missing account ID to
arn
attribute (#4436)
NOTES:
- resource/aws_ecs_service: Please note the
placement_strategy
argument (an unordered list) has been marked deprecated in favor of theordered_placement_strategy
argument (an ordered list based on the Terraform configuration ordering).
FEATURES:
- New Data Source:
aws_mq_broker
(#3163) - New Resource:
aws_budgets_budget
(#1879) - New Resource:
aws_iam_user_group_membership
(#3365) - New Resource:
aws_vpc_peering_connection_options
(#3909)
ENHANCEMENTS:
- data-source/aws_route53_zone: Add
name_servers
attribute (#4336) - resource/aws_api_gateway_stage: Add
access_log_settings
argument (Support access logging) (#4369) - resource/aws_autoscaling_group: Add
launch_template
argument (#4305) - resource/aws_batch_job_definition: Add
timeout
argument (#4386) - resource/aws_cloudwatch_event_rule: Add
name_prefix
argument (#2752) - resource/aws_cloudwatch_event_rule: Make
name
optional (Terraform can generate unique ID) (#2752) - resource/aws_codedeploy_deployment_group: Add
ec2_tag_set
argument (tag group support) (#4324) - resource/aws_default_subnet: Allow
map_public_ip_on_launch
updates (#4396) - resource/aws_dms_endpoint: Support
mongodb
engine_name andmongodb_settings
argument (#4406) - resource/aws_dynamodb_table: Add
point_in_time_recovery
argument (#4063) - resource/aws_ecs_service: Add
ordered_placement_strategy
argument, deprecateplacement_strategy
argument (#4390) - resource/aws_ecs_service: Allow
health_check_grace_period_seconds
up to 7200 seconds (#4420) - resource/aws_lambda_permission: Add
statement_id_prefix
argument (#2743) - resource/aws_lambda_permission: Make
statement_id
optional (Terraform can generate unique ID) (#2743) - resource/aws_rds_cluster: Add
s3_import
argument (Support MySQL Backup Restore from S3) (#4366) - resource/aws_vpc_peering_connection: Support configurable timeouts (#3909)
BUG FIXES:
- data-source/aws_instance: Bypass
UnsupportedOperation
errors withDescribeInstanceCreditSpecifications
call (#4362) - resource/aws_iam_group_policy: Properly handle generated policy name updates (#4379)
- resource/aws_instance: Bypass
UnsupportedOperation
errors withDescribeInstanceCreditSpecifications
call (#4362) - resource/aws_launch_template: Appropriately set
security_groups
in network interfaces (#4364) - resource/aws_rds_cluster: Add retries for IAM eventual consistency (#4371)
- resource/aws_rds_cluster_instance: Add retries for IAM eventual consistency (#4370)
- resource/aws_route53_zone: Add domain name to CallerReference to prevent creation issues with count greater than one (#4341)
FEATURES:
- New Data Source:
aws_batch_compute_environment
(#4270) - New Data Source:
aws_batch_job_queue
(#4288) - New Data Source:
aws_iot_endpoint
(#4303) - New Data Source:
aws_lambda_function
(#2984) - New Data Source:
aws_redshift_cluster
(#2603) - New Data Source:
aws_secretsmanager_secret
(#4272) - New Data Source:
aws_secretsmanager_secret_version
(#4272) - New Resource:
aws_dax_parameter_group
(#4299) - New Resource:
aws_dax_subnet_group
(#4302) - New Resource:
aws_organizations_policy
(#4249) - New Resource:
aws_organizations_policy_attachment
(#4253) - New Resource:
aws_secretsmanager_secret
(#4272) - New Resource:
aws_secretsmanager_secret_version
(#4272)
ENHANCEMENTS:
- data-source/aws_cognito_user_pools: Add
arns
attribute (#4256) - data-source/aws_ecs_cluster Return error on multiple clusters (#4286)
- data-source/aws_iam_instance_profile: Add
role_arn
androle_name
attributes (#4300) - data-source/aws_instance: Add
disable_api_termination
attribute (#4314) - resource/aws_api_gateway_rest_api: Add
policy
argument (#4211) - resource/aws_api_gateway_stage: Add
tags
argument (#2858) - resource/aws_api_gateway_stage: Add
execution_arn
andinvoke_url
attributes (#3469) - resource/aws_api_gateway_vpc_link: Support import (#4306)
- resource/aws_cloudwatch_event_target: Add
batch_target
argument (#4312) - resource/aws_cloudwatch_event_target: Add
kinesis_target
andsqs_target
arguments (#4323) - resource/aws_cognito_user_pool: Support
user_migration
inlambda_config
(#4301) - resource/aws_db_instance: Add
s3_import
argument (#2728) - resource/aws_elastic_beanstalk_application: Add
appversion_lifecycle
argument (#1907) - resource/aws_instance: Add
credit_specification
argument (e.g. t2.unlimited support) (#2619) - resource/aws_kinesis_firehose_delivery_stream: Support Redshift
processing_configuration
(#4251) - resource/aws_launch_configuration: Add
user_data_base64
argument (#4257) - resource/aws_s3_bucket: Add support for
ONEZONE_IA
storage class (#4287) - resource/aws_s3_bucket_object: Add support for
ONEZONE_IA
storage class (#4287) - resource/aws_spot_instance_request: Add
valid_from
andvalid_until
arguments (#4018) - resource/aws_ssm_patch_baseline: Support
CENTOS
operating_system
argument (#4268)
BUG FIXES:
- data-source/aws_iam_policy_document: Prevent crash with multiple value principal identifiers (#4277)
- data-source/aws_lb_listener: Ensure attributes are properly set when not used as arguments (#4317)
- resource/aws_codebuild_project: Mark auth resource attribute as sensitive (#4284)
- resource/aws_cognito_user_pool_client: Fix import to include user pool ID (#3762)
- resource/aws_elasticache_cluster: Remove extraneous plan-time validation for
node_type
andsubnet_group_name
(#4333) - resource/aws_launch_template: Allow dashes in
name
andname_prefix
arguments (#4321) - resource/aws_launch_template: Properly set
block_device_mappings
EBS information into Terraform state (#4321) - resource/aws_launch_template: Properly pass
block_device_mappings
information to EC2 API (#4321) - resource/aws_s3_bucket: Prevent panic on lifecycle rule reading errors (#4282)
NOTES:
- resource/aws_cloudfront_distribution: Please note the
cache_behavior
argument (an unordered list) has been marked deprecated in favor of theordered_cache_behavior
argument (an ordered list based on the Terraform configuration ordering). This is to support proper cache behavior precedence within a CloudFront distribution.
FEATURES:
- New Data Source:
aws_api_gateway_rest_api
(#4172) - New Data Source:
aws_cloudwatch_log_group
(#4167) - New Data Source:
aws_cognito_user_pools
(#4212) - New Data Source:
aws_sqs_queue
(#2311) - New Resource:
aws_directory_service_conditional_forwarder
(#4071) - New Resource:
aws_glue_connection
(#4016) - New Resource:
aws_glue_job
(#4028) - New Resource:
aws_iam_service_linked_role
(#2985) - New Resource:
aws_launch_template
(#2927) - New Resource:
aws_ses_domain_identity_verification
(#4108)
ENHANCEMENTS:
- data-source/aws_iam_server_certificate: Filter by
path_prefix
(#3801) - resource/aws_api_gateway_integration: Support VPC connection (#3428)
- resource/aws_cloudfront_distribution: Added
ordered_cache_behavior
argument, deprecatecache_behavior
(#4117) - resource/aws_db_instance: Support
enabled_cloudwatch_logs_exports
argument (#4111) - resource/aws_db_option_group: Support option version argument (#2590)
- resource/aws_ecs_service: Support ServiceRegistries (#3906)
- resource/aws_iam_service_linked_role: Support
custom_suffix
anddescription
arguments (#4188) - resource/aws_service_discovery_service: Support
health_check_custom_config
argument (#4083) - resource/aws_spot_fleet_request: Support configurable delete timeout (#3940)
- resource/aws_spot_instance_request: Support optionally fetching password data (#4189)
- resource/aws_waf_rate_based_rule: Support
RegexMatch
predicate type (#4069) - resource/aws_waf_rule: Support
RegexMatch
predicate type (#4069) - resource/aws_wafregional_rate_based_rule: Support
RegexMatch
predicate type (#4069)
BUG FIXES:
- resource/aws_athena_database: Handle database names with uppercase and underscores (#4133)
- resource/aws_codebuild_project: Retry UpdateProject for IAM eventual consistency (#4238)
- resource/aws_codedeploy_deployment_config: Force new resource for
minimum_healthy_hosts
updates (#4194) - resource/aws_cognito_user_group: Fix
role_arn
updates (#4237) - resource/aws_elasticache_replication_group: Increase default create timeout to 60 minutes (#4093)
- resource/aws_emr_cluster: Force new resource if any of the
ec2_attributes
change (#4218) - resource/aws_iam_role: Suppress
NoSuchEntity
errors while detaching policies from role during deletion (#4209) - resource/aws_lb: Force new resource if any of the
subnet_mapping
attributes change (#4086) - resource/aws_rds_cluster: Properly handle
engine_version
withsnapshot_identifier
(#4215) - resource/aws_route53_record: Improved handling of non-alphanumeric record names (#4183)
- resource/aws_spot_instance_request: Fix
instance_interuption_behaviour
hibernate and stop handling with placement (#1986) - resource/aws_vpc_dhcp_options: Handle plural and non-plural
InvalidDhcpOptionsID.NotFound
errors (#4136)
ENHANCEMENTS:
- resource/aws_db_event_subscription: Add
arn
attribute (#4151) - resource/aws_db_event_subscription: Support configurable timeouts (#4151)
BUG FIXES:
- resource/aws_codebuild_project: Properly handle setting cache type
NO_CACHE
(#4134) - resource/aws_db_event_subscription: Fix
tag
ARN handling (#4151) - resource/aws_dynamodb_table_item: Trigger destructive update if range_key has changed (#3821)
- resource/aws_elb: Return any errors when updating listeners (#4159)
- resource/aws_emr_cluster: Prevent crash with missing StateChangeReason (#4165)
- resource/aws_iam_user: Retry user login profile deletion on
EntityTemporarilyUnmodifiable
(#4143) - resource/aws_kinesis_firehose_delivery_stream: Prevent crash with missing CloudWatch logging options (#4148)
- resource/aws_lambda_alias: Force new resource on
name
change (#4106) - resource/aws_lambda_function: Prevent perpetual difference when removing
dead_letter_config
(#2684) - resource/aws_launch_configuration: Properly read
security_groups
,user_data
, andvpc_classic_link_security_groups
attributes into Terraform state (#2800) - resource/aws_network_acl: Prevent error on deletion with already deleted subnets (#4119)
- resource/aws_network_acl: Prevent error on update with removing associations for already deleted subnets (#4119)
- resource/aws_rds_cluster: Properly handle
engine_version
during regular creation (#4139) - resource/aws_rds_cluster: Set
port
updates to force new resource (#4144) - resource/aws_route53_zone: Suppress
name
difference with trailing period (#3982) - resource/aws_vpc_peering_connection: Allow active pending state during deletion for eventual consistency (#4140)
NOTES:
- resource/aws_organizations_account: As noted in the resource documentation, resource deletion from Terraform will not automatically close AWS accounts due to the behavior of the AWS Organizations service. There are also various manual steps required by AWS before the account can be removed from an organization and made into a standalone account, then manually closed if desired.
FEATURES:
- New Resource:
aws_organizations_account
(#3524) - New Resource:
aws_ses_identity_notification_topic
(#2640)
ENHANCEMENTS:
- provider: Fallback to SDK default credential chain if credentials not found using provider credential chain (#2883)
- data-source/aws_iam_role: Add
max_session_duration
attribute (#4092) - resource/aws_cloudfront_distribution: Add cache_behavior
field_level_encryption_id
attribute (#4102) - resource/aws_codebuild_project: Support
cache
configuration (#2860) - resource/aws_elasticache_replication_group: Support Cluster Mode Enabled online shard reconfiguration (#3932)
- resource/aws_elasticache_replication_group: Configurable create, update, and delete timeouts (#3932)
- resource/aws_iam_role: Add
max_session_duration
argument (#3977) - resource/aws_kinesis_firehose_delivery_stream: Add Elasticsearch destination processing configuration support (#3621)
- resource/aws_kinesis_firehose_delivery_stream: Add Extended S3 destination backup mode support (#2987)
- resource/aws_kinesis_firehose_delivery_stream: Add Splunk destination processing configuration support (#3944)
- resource/aws_lambda_function: Support
nodejs8.10
runtime (#4020) - resource/aws_launch_configuration: Add support for
ebs_block_device.*.no_device
(#4070) - resource/aws_ssm_maintenance_window_target: Make resource updatable (#4074)
- resource/aws_wafregional_rule: Validate all predicate types (#4046)
BUG FIXES:
- resource/aws_cognito_user_pool: Trim
custom:
prefix ofdeveloper_only_attribute = false
schema attributes (#4041) - resource/aws_cognito_user_pool: Fix
email_message_by_link
max length validation (#4051) - resource/aws_elasticache_replication_group: Properly set
cluster_mode
in state (#3932) - resource/aws_iam_user_login_profile: Changed password generation to use
crypto/rand
(#3989) - resource/aws_kinesis_firehose_delivery_stream: Prevent additional crash scenarios with optional configurations (#4047)
- resource/aws_lambda_function: IAM retry for "The role defined for the function cannot be assumed by Lambda" on update (#3988)
- resource/aws_lb: Suppress differences for non-applicable attributes (#4032)
- resource/aws_rds_cluster_instance: Prevent crash on importing non-cluster instances (#3961)
- resource/aws_route53_record: Fix ListResourceRecordSet pagination (#3900)
NOTES:
This release is happening outside the normal release schedule to accomodate a crash fix for the aws_lb_target_group
resource. It appears an ELBv2 service update rolling out currently is the root cause. The potential for this crash has been present since the initial resource in Terraform 0.7.7 and all versions of the AWS provider up to v1.13.0.
FEATURES:
- New Resource:
aws_appsync_datasource
(#2758) - New Resource:
aws_waf_regex_match_set
(#3947) - New Resource:
aws_waf_regex_pattern_set
(#3913) - New Resource:
aws_waf_rule_group
(#3898) - New Resource:
aws_wafregional_geo_match_set
(#3915) - New Resource:
aws_wafregional_rate_based_rule
(#3871) - New Resource:
aws_wafregional_regex_match_set
(#3950) - New Resource:
aws_wafregional_regex_pattern_set
(#3933) - New Resource:
aws_wafregional_rule_group
(#3948)
ENHANCEMENTS:
- provider: Support custom Elasticsearch endpoint (#3941)
- resource/aws_appsync_graphql_api: Support import (#3500)
- resource/aws_elasticache_cluster: Allow port to be optional (#3835)
- resource/aws_elasticache_cluster: Add
replication_group_id
argument (#3869) - resource/aws_elasticache_replication_group: Allow port to be optional (#3835)
BUG FIXES:
- resource/aws_autoscaling_group: Fix updating of
service_linked_role
(#3942) - resource/aws_autoscaling_group: Properly set empty
enabled_metrics
in the state during read (#3899) - resource/aws_autoscaling_policy: Fix conditional logic based on
policy_type
(#3739) - resource/aws_batch_compute_environment: Correctly set
compute_resources
in state (#3824) - resource/aws_cognito_user_pool: Correctly set
schema
in state (#3789) - resource/aws_iam_user_login_profile: Fix
password_length
validation function regression from 1.12.0 (#3919) - resource/aws_lb: Store correct state for http2 and ensure attributes are set on create (#3854)
- resource/aws_lb: Correctly set
subnet_mappings
in state (#3822) - resource/aws_lb_listener: Retry CertificateNotFound errors on update for IAM eventual consistency (#3901)
- resource/aws_lb_target_group: Prevent crash from missing matcher during read (#3954)
- resource/aws_security_group: Retry read on creation for EC2 eventual consistency (#3892)
NOTES:
- provider: For resources implementing the IAM policy equivalence library (https://github.com/jen20/awspolicyequivalence/) on an attribute via
suppressEquivalentAwsPolicyDiffs
, the dependency has been updated, which should mark additional IAM policies as equivalent. (#3832)
FEATURES:
- New Resource:
aws_kms_grant
(#3038) - New Resource:
aws_waf_geo_match_set
(#3275) - New Resource:
aws_wafregional_rule
(#3756) - New Resource:
aws_wafregional_size_constraint_set
(#3796) - New Resource:
aws_wafregional_sql_injection_match_set
(#1013) - New Resource:
aws_wafregional_web_acl
(#3754) - New Resource:
aws_wafregional_web_acl_association
(#3755) - New Resource:
aws_wafregional_xss_match_set
(#1014)
ENHANCEMENTS:
- provider: Treat IAM policies with account ID principals as equivalent to IAM account root ARN (#3832)
- provider: Treat additional IAM policy scenarios with empty principal trees as equivalent (#3832)
- resource/aws_acm_certificate: Retry on ResourceInUseException during deletion for eventual consistency (#3868)
- resource/aws_api_gateway_rest_api: Add support for content encoding (#3642)
- resource/aws_autoscaling_group: Add
service_linked_role_arn
argument (#3812) - resource/aws_cloudfront_distribution: Validate origin
domain_name
andorigin_id
at plan time (#3767) - resource/aws_eip: Support configurable timeouts (#3769)
- resource/aws_elasticache_cluster: Support plan time validation of az_mode (#3857)
- resource/aws_elasticache_cluster: Support plan time validation of node_type requiring VPC for cache.t2 instances (#3857)
- resource/aws_elasticache_cluster: Support plan time validation of num_cache_nodes > 1 for redis (#3857)
- resource/aws_elasticache_cluster: ForceNew on node_type changes for memcached engine (#3857)
- resource/aws_elasticache_cluster: ForceNew on engine_version downgrades (#3857)
- resource/aws_emr_cluster: Add step support (#3673)
- resource/aws_instance: Support optionally fetching encrypted Windows password data (#2219)
- resource/aws_launch_configuration: Validate
user_data
length during plan (#2973) - resource/aws_lb_target_group: Validate health check threshold for TCP protocol during plan (#3782)
- resource/aws_security_group: Add arn attribute (#3751)
- resource/aws_ses_domain_identity: Support trailing period in domain name (#3840)
- resource/aws_sqs_queue: Support lack of ListQueueTags for all non-standard AWS implementations (#3794)
- resource/aws_ssm_document: Add
document_format
argument to support YAML (#3814) - resource/aws_s3_bucket_object: New
content_base64
argument allows uploading raw binary data created in-memory, rather than reading from disk as withsource
. (#3788)
BUG FIXES:
- resource/aws_api_gateway_client_certificate: Export
*_date
fields correctly (#3805) - resource/aws_cognito_user_pool: Detect
auto_verified_attributes
changes (#3786) - resource/aws_cognito_user_pool_client: Fix
callback_urls
updates (#3404) - resource/aws_db_instance: Support
incompatible-parameters
andstorage-full
state (#3708) - resource/aws_dynamodb_table: Update and validate attributes correctly (#3194)
- resource/aws_ecs_task_definition: Correctly read
volume
attribute into Terraform state (#3823) - resource/aws_kinesis_firehose_delivery_stream: Prevent crash on malformed ID for import (#3834)
- resource/aws_lambda_function: Only retry IAM eventual consistency errors for one minute (#3765)
- resource/aws_ssm_association: Prevent AssociationDoesNotExist error (#3776)
- resource/aws_vpc_endpoint: Prevent perpertual diff in non-standard partitions (#3317)
FEATURES:
- New Data Source:
aws_kms_key
(#2224) - New Resource:
aws_organizations_organization
(#903) - New Resource:
aws_iot_thing
(#3521)
ENHANCEMENTS:
- resource/aws_api_gateway_authorizer: Support COGNITO_USER_POOLS type (#3156)
- resource/aws_cloud9_environment_ec2: Retry creation for IAM eventual consistency (#3651)
- resource/aws_cloudfront_distribution: Make
default_ttl
,max_ttl
, andmin_ttl
arguments optional (#3571) - resource/aws_dms_endpoint: Add aurora-postgresql as a target (#2615)
- resource/aws_dynamodb_table: Support Server Side Encryption (#3303)
- resource/aws_elastic_beanstalk_environment: Support modifying
tags
(#3513) - resource/aws_emr_cluster: Add Kerberos support (#3553)
- resource/aws_iam_account_alias: Improve error messages to include API errors (#3590)
- resource/aws_iam_user_policy: Add support for import (#3198)
- resource/aws_lb: Add
enable_cross_zone_load_balancing
argument for NLBs (#3537) - resource/aws_lb: Add
enable_http2
argument for ALBs (#3609) - resource/aws_route: Add configurable timeouts (#3639)
- resource/aws_security_group: Add configurable timeouts (#3599)
- resource/aws_spot_fleet_request: Add
load_balancers
andtarget_group_arns
arguments (#2564) - resource/aws_ssm_parameter: Add
allowed_pattern
,description
, andtags
arguments (#1520) - resource/aws_ssm_parameter: Allow
key_id
updates (#1520)
BUG FIXES:
- data-source/aws_db_instance: Prevent crash with EC2 Classic (#3619)
- data-source/aws_vpc_endpoint_service: Fix aws-us-gov partition handling (#3514)
- resource/aws_api_gateway_vpc_link: Ensure
target_arns
is properly read (#3569) - resource/aws_batch_compute_environment: Fix
state
updates (#3508) - resource/aws_ebs_snapshot: Prevent crash with outside snapshot deletion (#3462)
- resource/aws_ecs_service: Prevent crash when importing non-existent service (#3672)
- resource/aws_eip_association: Prevent deletion error InvalidAssociationID.NotFound (#3653)
- resource/aws_instance: Ensure at least one security group is being attached when modifying vpc_security_group_ids (#2850)
- resource/aws_lambda_function: Allow PutFunctionConcurrency retries on creation (#3570)
- resource/aws_spot_instance_request: Retry for 1 minute instead of 15 seconds for IAM eventual consistency (#3561)
- resource/aws_ssm_activation: Prevent crash with expiration_date (#3597)
NOTES:
- resource/aws_dx_lag:
number_of_connections
was deprecated and will be removed in future major version. Useaws_dx_connection
andaws_dx_connection_association
resources instead. Default connections will be removed as part of LAG creation automatically in future major version. (#3367)
FEATURES:
- New Data Source:
aws_inspector_rules_packages
(#3175) - New Resource:
aws_api_gateway_vpc_link
(#2512) - New Resource:
aws_appsync_graphql_api
(#2494) - New Resource:
aws_dax_cluster
(#2884) - New Resource:
aws_gamelift_alias
(#3353) - New Resource:
aws_gamelift_fleet
(#3327) - New Resource:
aws_lb_listener_certificate
(#2686) - New Resource:
aws_s3_bucket_metric
(#916) - New Resource:
aws_ses_domain_mail_from
(#2029) - New Resource:
aws_iot_thing_type
(#3302)
ENHANCEMENTS:
- data-source/aws_kms_alias: Always return
target_key_arn
(#3304) - resource/aws_autoscaling_policy: Add support for
target_tracking_configuration
(#2611) - resource/aws_codebuild_project: Support VPC configuration (#2547] [#3324)
- resource/aws_cloudtrail: Add
event_selector
argument (#2258) - resource/aws_codedeploy_deployment_group: Validate DeploymentReady and InstanceReady
trigger_events
(#3412) - resource/aws_db_parameter_group: Validate underscore
name
during plan (#3396) - resource/aws_directory_service_directory Add
edition
argument (#3421) - resource/aws_directory_service_directory Validate
size
argument (#3453) - resource/aws_dx_connection: Add support for tagging (#2990)
- resource/aws_dx_connection: Add support for import (#2992)
- resource/aws_dx_lag: Add support for tagging (#2990)
- resource/aws_dx_lag: Add support for import (#2992)
- resource/aws_emr_cluster: Add
autoscaling_policy
argument (#2877) - resource/aws_emr_cluster: Add
scale_down_behavior
argument (#3063) - resource/aws_instance: Expose reason of
shutting-down
state during creation (#3371) - resource/aws_instance: Include size of user_data in validation error message (#2971)
- resource/aws_instance: Remove extra API call on creation for SGs (#3426)
- resource/aws_lambda_function: Recompute
version
andqualified_arn
attributes on publish (#3032) - resource/aws_lb_target_group: Allow stickiness block set to false with TCP (#2954)
- resource/aws_lb_listener_rule: Validate
priority
over 50000 (#3379) - resource/aws_lb_listener_rule: Make
priority
argument optional (#3219) - resource/aws_rds_cluster: Add
hosted_zone_id
attribute (#3267) - resource/aws_rds_cluster: Add support for
source_region
(encrypted cross-region replicas) (#3415) - resource/aws_rds_cluster_instance: Support
availability_zone
(#2812) - resource/aws_rds_cluster_parameter_group: Validate underscore
name
during plan (#3396) - resource/aws_route53_record Add
allow_overwrite
argument (#2926) - resource/aws_s3_bucket Ssupport for SSE-KMS replication configuration (#2625)
- resource/aws_spot_fleet_request: Validate
iam_fleet_role
as ARN during plan (#3431) - resource/aws_sqs_queue: Validate
name
during plan (#2837) - resource/aws_ssm_association: Allow updating
targets
(#2807) - resource/aws_service_discovery_service: Support routing policy and update the type of DNS record (#3273)
BUG FIXES:
- data-source/aws_elb_service_account: Correct GovCloud region (#3315)
- resource/aws_acm_certificate_validation: Prevent crash on
validation_record_fqdns
(#3336) - resource/aws_acm_certificate_validation: Fix
validation_record_fqdns
handling with combined root and wildcard requests (#3366) - resource/aws_autoscaling_policy:
cooldown
with zero value not set correctly (#2809) - resource/aws_cloudtrail: Now respects initial
include_global_service_events = false
(#2817) - resource/aws_dynamodb_table: Retry deletion on ResourceInUseException (#3355)
- resource/aws_dx_lag:
number_of_connections
deprecated (made Optional). Omitting field may now prevent spurious diffs. (#3367) - resource/aws_ecs_service: Retry DescribeServices after creation (#3387)
- resource/aws_ecs_service: Fix reading
load_balancer
into state (#3502) - resource/aws_elasticsearch_domain: Retry creation on
ValidationException
(#3375) - resource/aws_iam_user_ssh_key: Correctly set status after creation (#3390)
- resource/aws_instance: Bump deletion timeout to 20mins (#3452)
- resource/aws_kinesis_firehose_delivery_stream: Retry on additional IAM eventual consistency errors (#3381)
- resource/aws_route53_record: Trim trailing dot during import (#3321)
- resource/aws_s3_bucket: Prevent crashes on location and replication read retry timeouts (#3338)
- resource/aws_s3_bucket: Always set replication_configuration in state (#3349)
- resource/aws_security_group: Allow empty rule description (#2846)
- resource/aws_sns_topic: Fix exit after updating first attribute (#3360)
- resource/aws_spot_instance_request: Bump delete timeout to 20mins (#3435)
- resource/aws_sqs_queue: Skip SQS ListQueueTags in aws-us-gov partition (#3376)
- resource/aws_vpc_endpoint: Treat pending as expected state during deletion (#3370)
- resource/aws_vpc_peering_connection: Treat
pending-acceptance
as expected during deletion (#3393) - resource/aws_cognito_user_pool_client: support
USER_PASSWORD_AUTH
for explicit_auth_flows (#3417)
NOTES:
- data-source/aws_region:
current
field is deprecated and the data source defaults to the provider region if no endpoint or name is specified (#3157) - data-source/aws_iam_policy_document: Statements are now de-duplicated per
Sid
s (#2890)
FEATURES:
- New Data Source:
aws_elastic_beanstalk_hosted_zone
(#3208) - New Data Source:
aws_iam_policy
(#1999) - New Resource:
aws_acm_certificate
(#2813) - New Resource:
aws_acm_certificate_validation
(#2813) - New Resource:
aws_api_gateway_documentation_version
(#3287) - New Resource:
aws_cloud9_environment_ec2
(#3291) - New Resource:
aws_cognito_user_group
(#3010) - New Resource:
aws_dynamodb_table_item
(#3238) - New Resource:
aws_guardduty_ipset
(#3161) - New Resource:
aws_guardduty_threatintelset
(#3200) - New Resource:
aws_iot_topic_rule
(#1858) - New Resource:
aws_sns_platform_application
(#1101] [#3283) - New Resource:
aws_vpc_endpoint_service_allowed_principal
(#2515) - New Resource:
aws_vpc_endpoint_service_connection_notification
(#2515) - New Resource:
aws_vpc_endpoint_service
(#2515) - New Resource:
aws_vpc_endpoint_subnet_association
(#2515)
ENHANCEMENTS:
- provider: Automatically determine AWS partition from configured region (#3173)
- provider: Automatically validate new regions from AWS SDK (#3159)
- data-source/aws_acm_certificate Add
most_recent
attribute for filtering (#1837) - data-source/aws_iam_policy_document: Support layering via source_json and override_json attributes (#2890)
- data-source/aws_lb_listener: Support load_balancer_arn and port arguments (#2886)
- data-source/aws_network_interface: Add filter attribute (#2851)
- data-source/aws_region: Remove EC2 API call and default to current if no endpoint or name specified (#3157)
- data-source/aws_vpc_endpoint: Support AWS PrivateLink (#2515)
- data-source/aws_vpc_endpoint_service: Support AWS PrivateLink (#2515)
- resource/aws_athena_named_query: Support import (#3231)
- resource/aws_dynamodb_table: Add custom creation timeout (#3195)
- resource/aws_dynamodb_table: Validate attribute types (#3188)
- resource/aws_ecr_lifecycle_policy: Support import (#3246)
- resource/aws_ecs_service: Support import (#2764)
- resource/aws_ecs_service: Add public_assign_ip argument for Fargate services (#2559)
- resource/aws_kinesis_firehose_delivery_stream: Add splunk configuration (#3117)
- resource/aws_mq_broker: Validate user password (#3164)
- resource/aws_service_discovery_public_dns_namespace: Support import (#3229)
- resource/aws_service_discovery_service: Support import (#3227)
- resource/aws_rds_cluster: Add support for Aurora MySQL 5.7 (#3278)
- resource/aws_sns_topic: Add support for delivery status (#2872)
- resource/aws_sns_topic: Add support for name prefixes and fully generated names (#2753)
- resource/aws_sns_topic_subscription: Support filter policy (#2806)
- resource/aws_ssm_resource_data_sync: Support import (#3232)
- resource/aws_vpc_endpoint: Support AWS PrivateLink (#2515)
- resource/aws_vpc_endpoint_service: Support AWS PrivateLink (#2515)
- resource/aws_vpn_gateway: Add support for Amazon side private ASN (#1888)
BUG FIXES:
- data-source/aws_kms_alias: Prevent crash on aliases without target key (#3203)
- data-source/aws_ssm_parameter: Fix wrong arn attribute for full path parameter names (#3211)
- resource/aws_instance: Fix perpertual diff on default VPC instances using vpc_security_group_ids (#2338)
- resource/aws_codebuild_project: Prevent crash when using source auth configuration (#3271)
- resource/aws_cognito_identity_pool_roles_attachment: Fix validation for Token types (#2894)
- resource/aws_db_parameter_group: fix permanent diff when specifying parameters with database-default values (#3182)
- resource/aws_ecs_service: Retry only on ECS and IAM related InvalidParameterException (#3240)
- resource/aws_kinesis_firehose_delivery_stream: Prevent crashes on empty CloudWatchLoggingOptions (#3301)
- resource/aws_kinesis_firehose_delivery_stream: Fix extended_s3_configuration kms_key_arn handling from AWS API (#3301)
- resource/aws_kinesis_stream: Retry deletion on
LimitExceededException
(#3108) - resource/aws_route53_record: Fix dualstack alias name regression trimming too many characters (#3187)
- resource/aws_ses_template: Send only specified attributes for update (#3214)
- resource/aws_dynamodb_table: Allow disabling stream with empty
stream_view_type
(#3197] [#3224) - resource/aws_dx_connection_association: Retry disassociation (#3212)
- resource/aws_volume_attachment: Allow updating
skip_destroy
andforce_detach
(#2810)
FEATURES:
ENHANCEMENTS:
- provider:
cn-northwest-1
region is now supported (#3142) - data-source/aws_kms_alias: Add target_key_arn attribute (#2551)
- resource/aws_api_gateway_integration: Allow update of content_handling attributes (#3123)
- resource/aws_appautoscaling_target: Support updating max_capacity, min_capacity, and role_arn attributes (#2950)
- resource/aws_cloudwatch_log_subscription_filter: Add support for distribution (#3046)
- resource/aws_cognito_user_pool: support pre_token_generation in lambda_config (#3093)
- resource/aws_elasticsearch_domain: Add support for encrypt_at_rest (#2632)
- resource/aws_emr_cluster: Support CustomAmiId (#2766)
- resource/aws_kms_alias: Add target_key_arn attribute (#3096)
- resource/aws_route: Allow adding IPv6 routes to instances and network interfaces (#2265)
- resource/aws_sqs_queue: Retry queue creation on QueueDeletedRecently error (#3113)
- resource/aws_vpn_connection: Add inside CIDR and pre-shared key attributes (#1862)
BUG FIXES:
- resource/aws_appautoscaling_policy: Support additional predefined metric types in validation [#3122]]
- resource/aws_dynamodb_table: Recognize changes in
non_key_attributes
(#3136) - resource/aws_ebs_snapshot: Fix
kms_key_id
attribute handling (#3085) - resource/aws_eip_assocation: Retry association for pending instances (#3072)
- resource/aws_elastic_beanstalk_application: Prevent crash on reading missing application (#3171)
- resource/aws_kinesis_firehose_delivery_stream: Prevent panic on missing S3 configuration prefix (#3073)
- resource/aws_lambda_function: Retry updates for IAM eventual consistency (#3116)
- resource/aws_route53_record: Suppress uppercase alias name diff (#3119)
- resource/aws_sqs_queue_policy: Prevent missing policy error on read (#2739)
- resource/aws_rds_cluster: Retry deletion on InvalidDBClusterStateFault (#3028)
BUG FIXES:
- data-source/aws_db_snapshot: Prevent crash on unfinished snapshots (#2960)
- resource/aws_cloudfront_distribution: Retry deletion on DistributionNotDisabled (#3034)
- resource/aws_codebuild_project: Prevent crash on empty source buildspec and location (#3011)
- resource/aws_codepipeline: Prevent crash on empty artifacts (#2998)
- resource/aws_appautoscaling_policy: Match correct policy when multiple policies with same name and service (#3012)
- resource/aws_eip: Do not disassociate EIP on tags-only update (#2975)
- resource/aws_elastic_beanstalk_application: Retry DescribeApplication after creation (#3064)
- resource/aws_emr_cluster: Retry creation on
ValidationException
(IAM) (#3027) - resource/aws_emr_cluster: Retry creation on
AccessDeniedException
(IAM) (#3050) - resource/aws_iam_instance_profile: Allow cleanup during destruction without refresh (#2983)
- resource/aws_iam_role: Prevent missing attached policy results (#2857)
- resource/aws_iam_user: Prevent state removal during name attribute update (#2979)
- resource/aws_iam_user: Allow path attribute update (#2940)
- resource/aws_iam_user_policy: Fix updates with generated policy names and validate JSON (#3031)
- resource/aws_instance: Retry IAM instance profile (re)association for eventual consistency on update (#3055)
- resource/aws_lambda_function: Make EC2 rate limit errors retryable on update (#2964)
- resource/aws_lambda_function: Retry creation on EC2 throttle error (#3062)
- resource/aws_lb_target_group: Allow a blank health check path, for TCP healthchecks (#2980)
- resource/aws_sns_topic_subscription: Prevent crash on subscription attribute update (#2967)
- resource/aws_kinesis_firehose_delivery_stream: Fix import for S3 destinations (#2970)
- resource/aws_kinesis_firehose_delivery_stream: Prevent crash on empty Redshift's S3 Backup Description (#2970)
- resource/aws_kinesis_firehose_delivery_stream: Detect drifts in
processing_configuration
(#2970) - resource/aws_kinesis_firehose_delivery_stream: Prevent crash on empty CloudWatch logging opts (#3052)
FEATURES:
- New Resource:
aws_api_gateway_documentation_part
(#2893) - New Resource:
aws_cloudwatch_event_permission
(#2888) - New Resource:
aws_cognito_user_pool_client
(#1803) - New Resource:
aws_cognito_user_pool_domain
(#2325) - New Resource:
aws_glue_catalog_database
(#2175) - New Resource:
aws_guardduty_detector
(#2524) - New Resource:
aws_guardduty_member
(#2911) - New Resource:
aws_route53_query_log
(#2770) - New Resource:
aws_service_discovery_service
(#2613)
ENHANCEMENTS:
- provider:
eu-west-3
is now supported (#2707) - provider: Endpoints can now be specified for ACM, ECR, ECS, STS and Route 53 (#2795)
- provider: Endpoints can now be specified for API Gateway and Lambda (#2641)
- data-source/aws_iam_server_certificate: Add support for retrieving public key (#2749)
- data-source/aws_vpc_peering_connection: Add support for cross-region VPC peering (#2508)
- data-source/aws_ssm_parameter: Support returning raw encrypted SecureString value (#2777)
- resource/aws_kinesis_firehose_delivery_stream: Import is now supported (#2082)
- resource/aws_cognito_user_pool: The ARN for the pool is now computed and exposed as an attribute (#2723)
- resource/aws_directory_service_directory: Add
security_group_id
field (#2688) - resource/aws_rds_cluster_instance: Support Performance Insights (#2331)
- resource/aws_rds_cluster_instance: Set
db_subnet_group_name
in state on read if available (#2606) - resource/aws_eip: Tagging is now supported (#2768)
- resource/aws_codepipeline: ARN is now exposed as an attribute (#2773)
- resource/aws_appautoscaling_scheduled_action:
min_capacity
argument is now honoured (#2794) - resource/aws_rds_cluster: Clusters in the
resetting-master-credentials
state no longer cause an error (#2791) - resource/aws_cloudwatch_metric_alarm: Support optional datapoints_to_alarm configuration (#2609)
- resource/aws_ses_event_destination: Add support for SNS destinations (#1737)
- resource/aws_iam_role: Delete inline policies when
force_detach_policies = true
(#2388) - resource/aws_lb_target_group: Improve
health_check
validation (#2580) - resource/aws_ecs_service: Add
health_check_grace_period_seconds
attribute (#2788) - resource/aws_vpc_peering_connection: Add support for cross-region VPC peering (#2508)
- resource/aws_vpc_peering_connection_accepter: Add support for cross-region VPC peering (#2508)
- resource/aws_elasticsearch_domain: export kibana endpoint (#2804)
- resource/aws_ssm_association: Allow for multiple targets (#2297)
- resource/aws_instance: Add computed field for volume_id of block device (#1489)
- resource/aws_api_gateway_integration: Allow update of URI attributes (#2834)
- resource/aws_ecs_cluster: Support resource import (#2762)
BUG FIXES:
- resource/aws_cognito_user_pool: Update Cognito email message length to 20,000 (#2692)
- resource/aws_volume_attachment: Changing device name without changing volume or instance ID now correctly produces a diff (#2720)
- resource/aws_s3_bucket_object: Object tagging is now supported in GovCloud (#2665)
- resource/aws_elasticsearch_domain: Fixed a crash when no Cloudwatch log group is configured (#2787)
- resource/aws_s3_bucket_policy: Set the resource ID after successful creation (#2820)
- resource/aws_db_event_subscription: Set the source type when updating categories (#2833)
- resource/aws_db_parameter_group: Remove group from state if it's gone (#2868)
- resource/aws_appautoscaling_target: Make
role_arn
optional & computed (#2889) - resource/aws_ssm_maintenance_window: Respect
enabled
during updates (#2818) - resource/aws_lb_target_group: Fix max prefix length check (#2790)
- resource/aws_config_delivery_channel: Retry deletion (#2910)
- resource/aws_lb+aws_elb: Fix regression with undefined
name
(#2939) - resource/aws_lb_target_group: Fix validation rules for LB's healthcheck (#2906)
- provider: Fix regression affecting empty Optional+Computed fields (#2348)
FEATURES:
- New Data Source:
aws_network_interface
(#2316) - New Data Source:
aws_elb
(#2004) - New Resource:
aws_dx_connection_association
(#2360) - New Resource:
aws_appautoscaling_scheduled_action
(#2231) - New Resource:
aws_cloudwatch_log_resource_policy
(#2243) - New Resource:
aws_media_store_container
(#2448) - New Resource:
aws_service_discovery_public_dns_namespace
(#2569) - New Resource:
aws_service_discovery_private_dns_namespace
(#2589)
IMPROVEMENTS:
- resource/aws_ssm_association: Add
association_name
(#2257) - resource/aws_ecs_service: Add
network_configuration
(#2299) - resource/aws_lambda_function: Add
reserved_concurrent_executions
(#2504) - resource/aws_ecs_service: Add
launch_type
(Fargate support) (#2483) - resource/aws_ecs_task_definition: Add
cpu
,memory
,execution_role_arn
&requires_compatibilities
(Fargate support) (#2483) - resource/aws_ecs_cluster: Add arn attribute (#2552)
- resource/aws_elasticache_security_group: Add import support (#2277)
- resource/aws_sqs_queue_policy: Support import by queue URL (#2544)
- resource/aws_elasticsearch_domain: Add
log_publishing_options
(#2285) - resource/aws_athena_database: Add
force_destroy
field (#2363) - resource/aws_elasticache_replication_group: Add support for Redis auth, in-transit and at-rest encryption (#2090)
- resource/aws_s3_bucket: Add
server_side_encryption_configuration
block (#2472)
BUG FIXES:
- data-source/aws_instance: Set
placement_group
if available (#2400) - resource/aws_elasticache_parameter_group: Add StateFunc to make name lowercase (#2426)
- resource/aws_elasticache_replication_group: Modify validation, make replication_group_id lowercase (#2432)
- resource/aws_db_instance: Treat
storage-optimization
as valid state (#2409) - resource/aws_dynamodb_table: Ensure
ttl
is properly read (#2452) - resource/aws_lb_target_group: fixes to behavior based on protocol type (#2380)
- resource/aws_mq_broker: Fix crash in hashing function (#2598)
- resource/aws_ebs_volume_attachment: Allow attachments to instances which are stopped (#1444)
- resource/aws_ssm_parameter: Path names with a leading '/' no longer generate incorrect ARNs (#2604)
FEATURES:
BUG FIXES:
- resource/aws_cognito_user_pool: Fix
email_subject_by_link
(#2395) - resource/aws_api_gateway_method_response: Fix conflict exception in API gateway method response (#2393)
- resource/aws_api_gateway_method: Fix typo
authorization_type
->authorization
(#2430)
IMPROVEMENTS:
- data-source/aws_nat_gateway: Add missing address attributes to the schema (#2209)
- resource/aws_ssm_maintenance_window_target: Change MaxItems of targets (#2361)
- resource/aws_sfn_state_machine: Support Update State machine call (#2349)
- resource/aws_instance: Set placement_group in state on read if available (#2398)
BUG FIXES:
- resource/aws_ecs_task_definition: Fix equivalency comparator (#2339)
- resource/aws_batch_job_queue: Return errors correctly if deletion fails (#2322)
- resource/aws_security_group_rule: Parse
description
correctly (#1959) - Fixed Cognito Lambda Config Validation for optional ARN configurations (#2370)
- resource/aws_cognito_identity_pool_roles_attachment: Fix typo "authenticated" -> "unauthenticated" (#2358)
NOTES:
- resource/aws_redshift_cluster: Field
enable_logging
,bucket_name
ands3_key_prefix
were deprecated in favour of a newlogging
block (#2230) - resource/aws_lb_target_group: We no longer provide defaults for
health_check
'spath
normatcher
in order to support network load balancers where these arguments aren't valid. Creating new ALB will therefore require you to specify these two arguments. Existing deployments are unaffected. (#2251)
FEATURES:
- New Data Source:
aws_rds_cluster
(#2070) - New Data Source:
aws_elasticache_replication_group
(#2124) - New Data Source:
aws_instances
(#2266) - New Resource:
aws_ses_template
(#2003) - New Resource:
aws_dx_lag
(#2154) - New Resource:
aws_dx_connection
(#2173) - New Resource:
aws_athena_database
(#1922) - New Resource:
aws_athena_named_query
(#1893) - New Resource:
aws_ssm_resource_data_sync
(#1895) - New Resource:
aws_cognito_user_pool
(#1419)
IMPROVEMENTS:
- provider: Add support for assuming roles via profiles defined in
~/.aws/config
(#1608) - data-source/efs_file_system: Added dns_name (#2105)
- data-source/aws_ssm_parameter: Add
arn
attribute (#2273) - data-source/aws_ebs_volume: Add
arn
attribute (#2271) - resource/aws_batch_job_queue: Add validation for
name
(#2159) - resource/aws_batch_compute_environment: Improve validation for
compute_environment_name
(#2159) - resource/aws_ssm_parameter: Add support for import (#2234)
- resource/aws_redshift_cluster: Add support for
snapshot_copy
(#2238) - resource/aws_ecs_task_definition: Print
container_definitions
as JSON instead of checksum (#1195) - resource/aws_ssm_parameter: Add
arn
attribute (#2273) - resource/aws_elb: Add listener
ssl_certificate_id
ARN validation (#2276) - resource/aws_cloudformation_stack: Support updating
tags
(#2262) - resource/aws_elb: Add
arn
attribute (#2272) - resource/aws_ebs_volume: Add
arn
attribute (#2271)
BUG FIXES:
- resource/aws_appautoscaling_policy: Retry putting policy on invalid token (#2135)
- resource/aws_batch_compute_environment:
compute_environment_name
allows hyphens (#2126) - resource/aws_batch_job_definition:
name
allows hyphens (#2126) - resource/aws_elasticache_parameter_group: Raise timeout for retry on pending changes (#2134)
- resource/aws_kms_key: Retry GetKeyRotationStatus on NotFoundException (#2133)
- resource/aws_lb_target_group: Fix issue that prevented using
aws_lb_target_group
with Network type load balancers (#2251) - resource/aws_lb: mark subnets as
ForceNew
for network load balancers (#2310) - resource/aws_redshift_cluster: Make master_username ForceNew (#2202)
- resource/aws_cloudwatch_log_metric_filter: Fix pattern length check (#2107)
- resource/aws_cloudwatch_log_group: Use ID as name (#2190)
- resource/aws_elasticsearch_domain: Added ForceNew to vpc_options (#2157)
- resource/aws_redshift_cluster: Make snapshot identifiers
ForceNew
(#2212) - resource/aws_elasticsearch_domain_policy: Fix typo in err code (#2249)
- resource/aws_appautoscaling_policy: Retry PutScalingPolicy on rate exceeded message (#2275)
- resource/aws_dynamodb_table: Retry creation on
LimitExceededException
w/ different error message (#2274)
INTERNAL:
- Remove
id
fields from schema definitions (#1626)
FEATURES:
- New Resource:
aws_servicecatalog_portfolio
(#1694) - New Resource:
aws_ses_domain_dkim
(#1786) - New Resource:
aws_cognito_identity_pool_roles_attachment
(#863) - New Resource:
aws_ecr_lifecycle_policy
(#2096) - New Data Source:
aws_nat_gateway
(#1294) - New Data Source:
aws_dynamodb_table
(#2062) - New Data Source:
aws_cloudtrail_service_account
(#1774)
IMPROVEMENTS:
- resource/aws_ami: Support configurable timeouts (#1811)
- resource/ami_copy: Support configurable timeouts (#1811)
- resource/ami_from_instance: Support configurable timeouts (#1811)
- data-source/aws_security_group: add description (#1943)
- resource/aws_cloudfront_distribution: Change the default minimum_protocol_version to TLSv1 (#1856)
- resource/aws_sns_topic: Support SMS in protocols (#1813)
- resource/aws_spot_fleet_request: Add support for
tags
(#2042) - resource/aws_kinesis_firehose_delivery_stream: Add
s3_backup_mode
option (#1830) - resource/aws_elasticsearch_domain: Support VPC configuration (#1958)
- resource/aws_alb_target_group: Add support for
target_type
(#1589) - resource/aws_sqs_queue: Add support for
tags
(#1987) - resource/aws_security_group: Add
revoke_rules_on_delete
option to force a security group to revoke rules before deleting the grou (#2074) - resource/aws_cloudwatch_log_metric_filter: Add support for DefaultValue (#1578)
- resource/aws_emr_cluster: Expose error on
TERMINATED_WITH_ERRORS
(#2081)
BUG FIXES:
- resource/aws_elasticache_parameter_group: Add missing return to retry logic (#1891)
- resource/aws_batch_job_queue: Wait for update completion when disabling (#1892)
- resource/aws_snapshot_create_volume_permission: Raise creation timeout to 10mins (#1894)
- resource/aws_snapshot_create_volume_permission: Raise creation timeout to 20mins (#2049)
- resource/aws_kms_alias: Retry creation on
NotFoundException
(#1896) - resource/aws_kms_key: Retry reading tags on
NotFoundException
(#1900) - resource/aws_db_snapshot: Raise creation timeout to 20mins (#1905)
- resource/aws_lb: Allow assigning EIP to network LB (#1956)
- resource/aws_s3_bucket: Retry tagging on OperationAborted (#2008)
- resource/aws_cognito_identity_pool: Fixed refresh of providers (#2015)
- resource/aws_elasticache_replication_group: Raise creation timeout to 50mins (#2048)
- resource/aws_api_gateway_usag_plan: Fixed setting of rate_limit (#2076)
- resource/aws_elastic_beanstalk_application: Expose error leading to failed deletion (#2080)
- resource/aws_s3_bucket: Accept query strings in redirect hosts (#2059)
NOTES:
- resource/aws_alb_* & data-source/aws_alb_*: In order to support network LBs, ALBs were renamed to
aws_lb_*
due to the way APIs "new" (non-Classic) load balancers are structured in AWS. All existing ALB functionality remains untouched and new resources work the same way.aws_alb_*
resources are still in place as "aliases", but documentation will only mentionaws_lb_*
.aws_alb_*
aliases will be removed in future major version. (#1806) - Deprecated:
- data-source/aws_alb
- data-source/aws_alb_listener
- data-source/aws_alb_target_group
- resource/aws_alb
- resource/aws_alb_listener
- resource/aws_alb_listener_rule
- resource/aws_alb_target_group
- resource/aws_alb_target_group_attachment
FEATURES:
- New Resource:
aws_batch_job_definition
(#1710) - New Resource:
aws_batch_job_queue
(#1710) - New Resource:
aws_lb
(#1806) - New Resource:
aws_lb_listener
(#1806) - New Resource:
aws_lb_listener_rule
(#1806) - New Resource:
aws_lb_target_group
(#1806) - New Resource:
aws_lb_target_group_attachment
(#1806) - New Data Source:
aws_lb
(#1806) - New Data Source:
aws_lb_listener
(#1806) - New Data Source:
aws_lb_target_group
(#1806) - New Data Source:
aws_iam_user
(#1805) - New Data Source:
aws_s3_bucket
(#1505)
IMPROVEMENTS:
- data-source/aws_redshift_service_account: Add
arn
attribute (#1775) - data-source/aws_vpc_endpoint: Expose
prefix_list_id
(#1733) - resource/aws_kinesis_stream: Add support for encryption (#1139)
- resource/aws_cloudwatch_log_group: Add support for encryption via
kms_key_id
(#1751) - resource/aws_spot_instance_request: Add support for
instance_interruption_behaviour
(#1735) - resource/aws_ses_event_destination: Add support for
open
&click
event types (#1773) - resource/aws_efs_file_system: Expose
dns_name
(#1825) - resource/aws_security_group+aws_security_group_rule: Add support for rule description (#1587)
- resource/aws_emr_cluster: enable configuration of ebs root volume size (#1375)
- resource/aws_ami: Add
root_snapshot_id
attribute (#1572) - resource/aws_vpn_connection: Mark preshared keys as sensitive (#1850)
- resource/aws_codedeploy_deployment_group: Support blue/green and in-place deployments with traffic control (#1162)
- resource/aws_elb: Update ELB idle timeout to 4000s (#1861)
- resource/aws_spot_fleet_request: Add support for instance_interruption_behaviour (#1847)
- resource/aws_kinesis_firehose_delivery_stream: Specify kinesis stream as the source of a aws_kinesis_firehose_delivery_stream (#1605)
- resource/aws_kinesis_firehose_delivery_stream: Output complete error when creation fails (#1881)
BUG FIXES:
- data-source/aws_db_instance: Make
db_instance_arn
expose ARN instead of identifier (usedb_cluster_identifier
for identifier) (#1766) - data-source/aws_db_snapshot: Expose
storage_type
(was not exposed) (#1833) - data-source/aws_ami: Update the
tags
structure for easier referencing (#1706) - data-source/aws_ebs_snapshot: Update the
tags
structure for easier referencing (#1706) - data-source/aws_ebs_volume: Update the
tags
structure for easier referencing (#1706) - data-source/aws_instance: Update the
tags
structure for easier referencing (#1706) - resource/aws_spot_instance_request: Handle
closed
request correctly (#1903) - resource/aws_cloudtrail: Raise update retry timeout (#1820)
- resource/aws_elasticache_parameter_group: Retry resetting group on pending changes (#1821)
- resource/aws_kms_key: Retry getting rotation status (#1818)
- resource/aws_kms_key: Retry getting key policy (#1854)
- resource/aws_vpn_connection: Raise timeout to 40mins (#1819)
- resource/aws_kinesis_firehose_delivery_stream: Fix crash caused by missing
processing_configuration
(#1738) - resource/aws_rds_cluster_instance: Treat
configuring-enhanced-monitoring
as pending state (#1744) - resource/aws_rds_cluster_instance: Treat more states as pending (#1790)
- resource/aws_route_table: Increase number of not-found checks/retries after creation (#1791)
- resource/aws_batch_compute_environment: Fix ARN attribute name/value (
ecc_cluster_arn
->ecs_cluster_arn
) (#1809) - resource/aws_kinesis_stream: Retry creation of the stream on
LimitExceededException
(handle throttling) (#1339) - resource/aws_vpn_connection_route: Treat route in state
deleted
as deleted (#1848) - resource/aws_eip: Avoid disassociating if there's no association (#1683)
- resource/aws_elasticache_cluster: Allow scaling up cluster by modifying
az_mode
(avoid recreation) (#1758) - resource/aws_lambda_function: Fix Lambda Function Updates When Published (#1797)
- resource/aws_appautoscaling_*: Use dimension to uniquely identify target/policy (#1808)
- resource/aws_vpn_connection_route: Wait until route is available/deleted (#1849)
- resource/aws_cloudfront_distribution: Ignore
minimum_protocol_version
if default certificate is used (#1785) - resource/aws_security_group: Using
self = false
withcidr_blocks
should be allowed (#1839) - resource/aws_instance: Check VPC array size to avoid crashes on Eucalyptus Cloud (#1882)
NOTES:
- resource/aws_appautoscaling_policy: Nest step scaling policy fields, deprecate 1st level fields (#1620)
FEATURES:
IMPROVEMENTS:
- provider: Expand shared_credentials_file (#1511)
- provider: Add support for Task Roles when running on ECS or CodeBuild (#1425)
- resource/aws_instance: New
user_data_base64
attribute that allows non-UTF8 data (such as gzip) to be assigned to user-data without corruption (#850) - data-source/aws_vpc: Expose enable_dns_* in aws_vpc data_source (#1373)
- resource/aws_appautoscaling_policy: Add support for DynamoDB (#1650)
- resource/aws_directory_service_directory: Add support for
tags
(#1398) - resource/aws_rds_cluster: Allow setting of rds cluster engine (#1415)
- resource/aws_ssm_association: now supports update for
parameters
,schedule_expression
,output_location
(#1421) - resource/aws_ssm_patch_baseline: now supports update for multiple attributes (#1421)
- resource/aws_cloudformation_stack: Add support for Import (#1432)
- resource/aws_rds_cluster_instance: Expose availability_zone attribute (#1439)
- resource/aws_efs_file_system: Add support for encryption (#1420)
- resource/aws_db_parameter_group: Allow underscores in names (#1460)
- resource/aws_elasticsearch_domain: Assign tags right after creation (#1399)
- resource/aws_route53_record: Allow CAA record type (#1467)
- resource/aws_codebuild_project: Allowed for BITBUCKET source type (#1468)
- resource/aws_emr_cluster: Add
instance_group
parameter for EMR clusters (#1071) - resource/aws_alb_listener_rule: Populate
listener_arn
field (#1303) - resource/aws_api_gateway_rest_api: Add a body property to API Gateway RestAPI for Swagger import support (#1197)
- resource/aws_opsworks_stack: Add support for tags (#1523)
- Add retries for AppScaling policies throttling exceptions (#1430)
- resource/aws_ssm_patch_baseline: Add compliance level to patch approval rules (#1531)
- resource/aws_ssm_activation: Export ssm activation activation_code (#1570)
- resource/aws_network_interface: Added private_dns_name to network_interface (#1599)
- data-source/aws_redshift_service_account: updated with latest redshift service account ID's (#1614)
- resource/aws_ssm_parameter: Refresh from state on 404 (#1436)
- resource/aws_api_gateway_rest_api: Allow binary media types to be updated (#1600)
- resource/aws_waf_rule: Make
predicates
'data_id
required (it always was on the API's side, it's just reflected in the schema) (#1606) - resource/aws_waf_web_acl: Introduce new
type
field inrules
to allow referencingRATE_BASED
type (#1606) - resource/aws_ssm_association: Migrate the schema to use association_id (#1579)
- resource/aws_ssm_document: Added name validation (#1638)
- resource/aws_nat_gateway: Add tags support (#1625)
- resource/aws_route53_record: Add support for Route53 multi-value answer routing policy (#1686)
- resource/aws_instance: Read iops only when volume type is io1 (#1573)
- resource/aws_rds_cluster(+_instance) Allow specifying the engine (#1591)
- resource/aws_cloudwatch_event_target: Add Input transformer for Cloudwatch Events (#1343)
- resource/aws_directory_service_directory: Support Import functionality (#1732)
BUG FIXES:
- resource/aws_instance: Fix
associate_public_ip_address
(#1340) - resource/aws_instance: Fix import in EC2 Classic (#1453)
- resource/aws_emr_cluster: Avoid spurious diff of
log_uri
(#1374) - resource/aws_cloudwatch_log_subscription_filter: Add support for ResourceNotFound (#1414)
- resource/aws_sns_topic_subscription: Prevent duplicate (un)subscribe during initial creation (#1480)
- resource/aws_alb: Cleanup ENIs after deleting ALB (#1427)
- resource/aws_s3_bucket: Wrap s3 calls in retry to avoid race during creation (#891)
- resource/aws_eip: Remove from state on deletion (#1551)
- resource/aws_security_group: Adding second scenario where IPv6 is not supported (#880)
FEATURES:
- New Resource:
aws_cloudwatch_dashboard
(#1172) - New Data Source:
aws_internet_gateway
(#1196) - New Data Source:
aws_efs_mount_target
(#1255)
IMPROVEMENTS:
- AWS SDK to log extra debug details on request errors (#1210)
- resource/aws_spot_fleet_request: Add support for
wait_for_fulfillment
(#1241) - resource/aws_autoscaling_schedule: Allow empty value (#1268)
- resource/aws_ssm_association: Add support for OutputLocation and Schedule Expression (#1253)
- resource/aws_ssm_patch_baseline: Update support for Operating System (#1260)
- resource/aws_db_instance: Expose db_instance ca_cert_identifier (#1256)
- resource/aws_rds_cluster: Add support for iam_roles to rds_cluster (#1258)
- resource/aws_rds_cluster_parameter_group: Support > 20 parameters (#1298)
- data-source/aws_iam_role: Normalize the IAM role data source (#1330)
- resource/aws_kinesis_stream: Increase Timeouts, add Timeout Support (#1345)
BUG FIXES:
- resource/aws_instance: Guard check for aws_instance UserData to prevent panic (#1288)
- resource/aws_config: Set AWS Config Configuration recorder & Delivery channel names as ForceNew (#1247)
- resource/aws_cloudtrail: Retry if IAM role isn't propagated yet (#1312)
- resource/aws_cloudtrail: Fix CloudWatch role ARN/group updates (#1357)
- resource/aws_eip_association: Avoid crash in EC2 Classic (#1344)
- resource/aws_elasticache_parameter_group: Allow removing parameters (#1309)
- resource/aws_kinesis: add retries for Kinesis throttling exceptions (#1085)
- resource/aws_kinesis_firehose: adding support for
ExtendedS3DestinationConfiguration
(#1015) - resource/aws_spot_fleet_request: Ignore empty
key_name
(#1203) - resource/aws_emr_instance_group: fix crash when changing
instance_group.count
(#1287) - resource/aws_elasticsearch_domain: Fix updating config when update doesn't involve EBS (#1131)
- resource/aws_s3_bucket: Avoid crashing when no lifecycle rule is defined (#1316)
- resource/elastic_transcoder_preset: Fix provider validation (#1338)
- resource/aws_s3_bucket: Avoid crashing when
filter
is not set (#1350)
FEATURES:
- New Data Source:
aws_iam_instance_profile
(#1024) - New Data Source:
aws_alb_target_group
(#1037) - New Data Source:
aws_iam_group
(#1140) - New Resource:
aws_api_gateway_request_validator
(#1064) - New Resource:
aws_api_gateway_gateway_response
(#1168) - New Resource:
aws_iot_policy
(#986) - New Resource:
aws_iot_certificate
(#1225)
IMPROVEMENTS:
- resource/aws_sqs_queue: Add support for Server-Side Encryption (#962)
- resource/aws_vpc: Add support for classiclink_dns_support (#1079)
- resource/aws_lambda_function: Add support for lambda_function vpc_config update (#1080)
- resource/aws_lambda_function: Add support for lambda_function dead_letter_config update (#1080)
- resource/aws_route53_health_check: add support for health_check regions (#1116)
- resource/aws_spot_instance_request: add support for request launch group (#1097)
- resource/aws_rds_cluster_instance: Export the RDI Resource ID for the instance (#1142)
- resource/aws_sns_topic_subscription: Support password-protected HTTPS endpoints (#861)
BUG FIXES:
- provider: Remove assumeRoleHash (#1227)
- resource/aws_ami: Retry on
InvalidAMIID.NotFound
(#1035) - resource/aws_iam_server_certificate: Fix restriction on length of
name_prefix
(#1217) - resource/aws_autoscaling_group: Fix handling of empty
vpc_zone_identifier
(EC2 classic & default VPC) (#1191) - resource/aws_ecr_repository_policy: Add retry logic to work around IAM eventual consistency (#1165)
- resource/aws_ecs_service: Fixes normalization issues in placement_strategy (#1025)
- resource/aws_eip: Retry reading EIPs on creation (#1053)
- resource/aws_elastic_beanstalk_environment: Avoid spurious diffs of JSON-based
setting
s (#901) - resource/aws_opsworks_permission: Fix 'set permissions' failing to set ssh access (#1038)
- resource/aws_s3_bucket_notification: Fix missing
bucket
field after import (#978) - resource/aws_sfn_state_machine: Handle another NotFound exception type (#1062)
- resource/aws_ssm_parameter: ForceNew on ssm_parameter rename (#1022)
- resource/aws_instance: Update SourceDestCheck modification on new resources (#1065)
- resource/aws_spot_instance_request: fixed and issue with network interfaces configuration (#1070)
- resource/aws_rds_cluster: Modify RDS Cluster after restoring from snapshot, if required (#926)
- resource/aws_kms_alias: Retry lookups after creation (#1040)
- resource/aws_internet_gateway: Retry deletion properly on
DependencyViolation
(#1021) - resource/aws_elb: Cleanup ENIs after deleting ELB (#1036)
- resource/aws_kms_key: Retry lookups after creation (#1039)
- resource/aws_dms_replication_instance: Add modifying as a pending creation state (#1114)
- resource/aws_redshift_cluster: Trigger ForceNew aws_redshift_cluster on encrypted change (#1120)
- resource/aws_default_network_acl: Add support for ipv6_cidr_block (#1113)
- resource/aws_autoscaling_group: Suppress diffs when an empty set is specified for
availability_zones
(#1190) - resource/aws_vpc: Ignore ClassicLink DNS support in unsupported regions (#1176)
- resource/elastic_beanstalk_configuration_template: Handle missing platform (#1222)
- r/elasticache_parameter_group: support more than 20 parameters (#1221)
- data-source/aws_db_instance: Fix the output of subnet_group_name (#1141)
- data-source/aws_iam_server_certificate: Fix restriction on length of
name_prefix
(#1217)
FEATURES:
IMPROVEMENTS:
- Added ability to change the deadline for the EC2 metadata API endpoint (#950)
- resource/aws_api_gateway_integration: Add support for specifying cache key parameters (#893)
- resource/aws_cloudwatch_event_target: Add ecs_target (#977)
- resource/aws_vpn_connection: Add BGP related information on aws_vpn_connection (#973)
- resource/aws_cloudformation_stack: Add timeout support (#994)
- resource/aws_ssm_parameter: Add support for ssm parameter overwrite (#1006)
- resource/aws_codebuild_project: Add support for environment privileged_mode [GH1009]
- resource/aws_dms_endpoint: Add support for dynamodb as an endpoint target (#1002)
- resource/aws_s3_bucket: Support lifecycle tags filter (#899)
- resource/aws_s3_bucket_object: Allow to set WebsiteRedirect on S3 object (#1020)
BUG FIXES:
- resource/aws_waf: Only set FieldToMatch.Data if not empty (#953)
- resource/aws_elastic_beanstalk_application_version: Scope labels to application (#956)
- resource/aws_s3_bucket: Allow use of
days = 0
with lifecycle transition (#957) - resource/aws_ssm_maintenance_window_task: Make task_parameters updateable on aws_ssm_maintenance_window_task resource (#965)
- resource/aws_kinesis_stream: don't force stream destroy on shard_count update (#894)
- resource/aws_cloudfront_distribution: Remove validation from custom_origin params (#987)
- resource_aws_route53_record: Allow import of Route 53 records with underscores in the name (#14717)
- d/aws_db_snapshot: Id was being set incorrectly (#992)
- resource/aws_spot_fleet_request: Raise the create timeout to be 10m (#993)
- d/aws_ecs_cluster: Add ARN as an exported param for aws_ecs_cluster (#991)
- resource/aws_ebs_volume: Not setting the state for ebs_volume correctly (#999)
- resource/aws_network_acl: Make action in ingress / egress case insensitive (#1000)
BUG FIXES:
- Fixing malformed ARN attribute for aws_security_group data source (#910)
BACKWARDS INCOMPATIBILITIES / NOTES:
FEATURES:
- New Resource:
aws_vpn_gateway_route_propagation
[#15137](hashicorp/terraform#15137)
IMPROVEMENTS:
- resource/ebs_snapshot: Add support for tags (#3)
- resource/aws_elasticsearch_domain: now retries on IAM role association failure (#12)
- resource/codebuild_project: Increase timeout for creation retry (IAM) (#904)
- resource/dynamodb_table: Expose stream_label attribute (#20)
- resource/opsworks: Add support for configurable timeouts in AWS OpsWorks Instances. (#857)
- Fix handling of AdRoll's hologram clients (#17)
- resource/sqs_queue: Add support for name_prefix to aws_sqs_queue (#855)
- resource/iam_role: Add support for iam_role tp force_detach_policies (#890)
BUG FIXES:
- fix aws cidr validation error [#15158](hashicorp/terraform#15158)
- resource/elasticache_parameter_group: Retry deletion on InvalidCacheParameterGroupState (#8)
- resource/security_group: Raise creation timeout (#9)
- resource/rds_cluster: Retry modification on InvalidDBClusterStateFault (#18)
- resource/lambda: Fix incorrect GovCloud regexes (#16)
- Allow ipv6_cidr_block to be assigned to peering_connection (#879)
- resource/rds_db_instance: Correctly create cross-region encrypted replica (#865)
- resource/eip: dissociate EIP on update (#878)
- resource/iam_server_certificate: Increase deletion timeout (#907)