v5.3.0

NOTES:

• resource/aws_instance: The metadata_options.http_endpoint argument now correctly defaults to enabled. (#24774)
• resource/aws_lambda_function: The replace_security_groups_on_destroy and replacement_security_group_ids attributes are being deprecated as AWS no longer supports this operation. These attributes now have no effect, and will be removed in a future major version. (#31904)

FEATURES:

• New Data Source: aws_quicksight_theme (#31900)
• New Resource: aws_opensearchserverless_access_policy (#28518)
• New Resource: aws_opensearchserverless_security_policy (#28470)
• New Resource: aws_quicksight_theme (#31900)

ENHANCEMENTS:

• data-source/aws_redshift_cluster: Add cluster_namespace_arn attribute (#31884)
• resource/aws_redshift_cluster: Add cluster_namespace_arn attribute (#31884)
• resource/aws_vpc_endpoint: Add private_dns_only_for_inbound_resolver_endpoint attribute to the dns_options configuration block (#31873)

BUG FIXES:

• resource/aws_ecs_task_definition: Fix to prevent persistent diff when efs_volume_configuration has both root_volume and authorization_config set. (#26880)
• resource/aws_instance: Fix default for metadata_options.http_endpoint argument. (#24774)
• resource/aws_keyspaces_keyspace: Correct plan time validation for name (#31352)
• resource/aws_keyspaces_table: Correct plan time validation for keyspace_name, table_name and column names (#31352)
• resource/aws_quicksight_analysis: Fix assignment of KPI visual field well target values (#31901)
• resource/aws_redshift_cluster: Allow availability_zone_relocation_enabled to be true when publicly_accessible is true (#31886)
• resource/aws_vpc: Fix reading EC2 VPC (vpc-abcd1234) Attribute (enableDnsSupport): couldn't find resource errors when reading new resource (#31877)

v5.2.0

NOTES:

• resource/aws_mwaa_environment: Upgrading your environment to a new major version of Apache Airflow forces replacement of the resource (#31833)

FEATURES:

• New Data Source: aws_budgets_budget (#31691)
• New Data Source: aws_ecr_pull_through_cache_rule (#31696)
• New Data Source: aws_guardduty_finding_ids (#31711)
• New Data Source: aws_iam_principal_policy_simulation (#25569)
• New Resource: aws_chimesdkvoice_global_settings (#31365)
• New Resource: aws_finspace_kx_cluster (#31806)
• New Resource: aws_finspace_kx_database (#31803)
• New Resource: aws_finspace_kx_environment (#31802)
• New Resource: aws_finspace_kx_user (#31804)

ENHANCEMENTS:

• data/aws_ec2_transit_gateway_connect_peer: Add bgp_peer_address and bgp_transit_gateway_addresses attributes (#31752)
• provider: Adds retry_mode parameter (#31745)
• resource/aws_chime_voice_connector: Add tagging support (#31746)
• resource/aws_ec2_transit_gateway_connect_peer: Add bgp_peer_address and bgp_transit_gateway_addresses attributes (#31752)
• resource/aws_ec2_transit_gateway_route_table_association: Add replace_existing_association argument (#31452)
• resource/aws_fis_experiment_template: Add support for Volumes to actions.*.target (#31499)
• resource/aws_instance: Add instance_market_options configuration block and instance_lifecycle and spot_instance_request_id attributes (#31495)
• resource/aws_lambda_function: Add support for ruby3.2 runtime value (#31842)
• resource/aws_lambda_layer_version: Add support for ruby3.2 compatible_runtimes value (#31842)
• resource/aws_mwaa_environment: Consider CREATING_SNAPSHOT a valid pending state for resource update (#31833)
• resource/aws_networkfirewall_firewall_policy: Add stream_exception_policy option to firewall_policy.stateful_engine_options (#31541)
• resource/aws_redshiftserverless_workgroup: Additional supported values for config_parameter.parameter_key (#31747)
• resource/aws_sagemaker_model: Add container.model_package_name and primary_container.model_package_name arguments (#31755)

BUG FIXES:

• data-source/aws_redshift_cluster: Fix crash reading clusters in modifying state (#31772)
• provider/default_tags: Fix perpetual diff when identical tags are moved from default_tags to resource tags, and vice versa (#31826)
• resource/aws_autoscaling_group: Ignore any Failed scaling activities due to IAM eventual consistency (#31282)
• resource/aws_dx_connection: Convert vlan_id from TypeString to TypeInt in Terraform state for existing resources. This fixes a regression introduced in v5.1.0 causing a number is required errors (#31735)
• resource/aws_globalaccelerator_endpoint_group: Fix bug updating endpoint_configuration.weight to 0 (#31767)
• resource/aws_medialive_channel: Fix spelling in hls_cdn_settings expander. (#31844)
• resource/aws_redshiftserverless_namespace: Fix perpetual iam_roles diffs when the namespace contains a workgroup (#31749)
• resource/aws_redshiftserverless_workgroup: Change config_parameter from TypeList to TypeSet as order is not significant (#31747)
• resource/aws_redshiftserverless_workgroup: Fix ValidationException: Can't update multiple configurations at the same time errors (#31747)
• resource/aws_vpc_endpoint: Fix tagging error preventing use in ISO partitions (#31801)

v5.1.0

BREAKING CHANGES:

• resource/aws_iam_role: The role_last_used attribute has been removed. Use the aws_iam_role data source instead. (#31656)

NOTES:

• resource/aws_autoscaling_group: The load_balancers and target_group_arns attributes have been changed to Computed. This means that omitting this argument is interpreted as ignoring any existing load balancer or target group attachments. To remove all load balancer or target group attachments an empty list should be specified. (#31527)
• resource/aws_iam_role: The role_last_used attribute has been removed. Use the aws_iam_role data source instead. See the community feedback provided in the linked issue for additional justification on this change. As the attribute is read-only, unlikely to be used as an input to another resource, and available in the corresponding data source, a breaking change in a minor version was deemed preferable to a long deprecation/removal cycle in this circumstance. (#31656)
• resource/aws_redshift_cluster: Ignores the parameter aqua_configuration_status, since the AWS API ignores it. Now always returns auto. (#31612)

FEATURES:

• New Data Source: aws_vpclattice_resource_policy (#31372)
• New Resource: aws_autoscaling_traffic_source_attachment (#31527)
• New Resource: aws_emrcontainers_job_template (#31399)
• New Resource: aws_glue_data_quality_ruleset (#31604)
• New Resource: aws_quicksight_analysis (#31542)
• New Resource: aws_quicksight_dashboard (#31448)
• New Resource: aws_resourcegroups_resource (#31430)

ENHANCEMENTS:

• data-source/aws_autoscaling_group: Add traffic_source attribute (#31527)
• data-source/aws_opensearch_domain: Add off_peak_window_options attribute (#35970)
• provider: Increases size of HTTP request bodies in logs to 1 KB (#31718)
• resource/aws_appsync_graphql_api: Add visibility argument (#31369)
• resource/aws_appsync_graphql_api: Add plan time validation for log_config.cloudwatch_logs_role_arn (#31369)
• resource/aws_autoscaling_group: Add traffic_source configuration block (#31527)
• resource/aws_cloudformation_stack_set: Add managed_execution argument (#25210)
• resource/aws_fsx_ontap_volume: Add skip_final_backup argument (#31544)
• resource/aws_fsx_ontap_volume: Remove default value for security_style argument and mark as Computed (#31544)
• resource/aws_fsx_ontap_volume: Update ontap_volume_type attribute to be configurable (#31544)
• resource/aws_fsx_ontap_volume: junction_path is Optional (#31544)
• resource/aws_fsx_ontap_volume: storage_efficiency_enabled is Optional (#31544)
• resource/aws_grafana_workspace: Increase default Create and Update timeouts to 30 minutes (#31422)
• resource/aws_lambda_invocation: Add lifecycle_scope CRUD to invoke on each resource state transition (#29367)
• resource/aws_lambda_layer_version_permission: Add skip_destroy attribute (#29571)
• resource/aws_lambda_provisioned_concurrency_configuration: Add skip_destroy argument (#31646)
• resource/aws_opensearch_domain: Add off_peak_window_options configuration block (#35970)
• resource/aws_sagemaker_endpoint_configuration: Add and shadow_production_variants.serverless_config.provisioned_concurrency arguments (#31398)
• resource/aws_transfer_server: Add support for TransferSecurityPolicy-2023-05 security_policy_name value (#31536)

BUG FIXES:

• data-source/aws_dx_connection: Fix the vlan_id being returned as null (#31480)
• provider/tags: Fix crash when some tags are null and others are computed (#31687)
• provider: Limits size of HTTP response bodies in logs to 4 KB (#31718)
• resource/aws_autoscaling_group: Fix The AutoRollback parameter cannot be set to true when the DesiredConfiguration parameter is empty errors when refreshing instances (#31715)
• resource/aws_autoscaling_group: Now ignores previous failed scaling activities (#31551)
• resource/aws_cloudfront_distribution: Remove the upper limit on origin_keepalive_timeout (#31608)
• resource/aws_connect_instance: Fix crash when reading instances with CREATION_FAILED status (#31689)
• resource/aws_connect_security_profile: Set correct tags in state (#31716)
• resource/aws_dx_connection: Fix the vlan_id being returned as null (#31480)
• resource/aws_ecs_service: Fix crash when just alarms is updated (#31683)
• resource/aws_fsx_ontap_volume: Change storage_virtual_machine_id to ForceNew (#31544)
• resource/aws_fsx_ontap_volume: Change volume_type to ForceNew (#31544)
• resource/aws_kendra_index: Persist user_group_resolution_mode value to state after creation (#31669)
• resource/aws_medialive_channel: Fix attribute spelling in hls_cdn_settings expand (#31647)
• resource/aws_quicksight_data_set: Fix join_instruction not applied when creating dataset (#31424)
• resource/aws_quicksight_data_set: Ignore failure to read refresh properties for non-SPICE datasets (#31488)
• resource/aws_rbin_rule: Fix crash when multiple resource_tags blocks are configured (#31393)
• resource/aws_rds_cluster: Correctly update db_cluster_instance_class (#31709)
• resource/aws_redshift_cluster: No longer errors on deletion when status is Maintenance (#31612)
• resource/aws_route53_vpc_association_authorization: Fix ConcurrentModification error (#31588)
• resource/aws_s3_bucket_replication_configuration: Replication configs sometimes need more than a second or two. This resolves a race condition and adds retry logic when reading them. (#30995)

v5.0.1

BUG FIXES:

• provider/tags: Fix crash when tags are null (#31587)

v5.0.0

BREAKING CHANGES:

• data-source/aws_api_gateway_rest_api: minimum_compression_size is now a string type to allow values set via the body attribute to be properly computed. (#30969)
• data-source/aws_connect_hours_of_operation: The hours_of_operation_arn attribute has been removed (#31484)
• data-source/aws_db_instance: With the retirement of EC2-Classic the db_security_groups attribute has been removed (#30966)
• data-source/aws_elasticache_cluster: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
• data-source/aws_elasticache_replication_group: Remove number_cache_clusters, replication_group_description arguments -- use num_cache_clusters, and description, respectively, instead (#31008)
• data-source/aws_iam_policy_document: Don't add empty statement.sid values to json attribute value (#28539)
• data-source/aws_iam_policy_document: source_json and override_json have been removed -- use source_policy_documents and override_policy_documents, respectively, instead (#30829)
• data-source/aws_identitystore_group: The filter argument has been removed (#31312)
• data-source/aws_identitystore_user: The filter argument has been removed (#31312)
• data-source/aws_launch_configuration: With the retirement of EC2-Classic the vpc_classic_link_id and vpc_classic_link_security_groups attributes have been removed (#30966)
• data-source/aws_redshift_cluster: With the retirement of EC2-Classic the cluster_security_groups attribute has been removed (#30966)
• data-source/aws_secretsmanager_secret: The rotation_enabled, rotation_lambda_arn and rotation_rules attributes have been removed (#31487)
• data-source/aws_vpc_peering_connection: With the retirement of EC2-Classic the allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link attributes have been removed (#30966)
• provider: The assume_role.duration_seconds, assume_role_with_web_identity.duration_seconds, s3_force_path_style, shared_credentials_file and skip_get_ec2_platforms attributes have been removed (#31155)
• provider: The aws_subnet_ids data source has been removed (#31140)
• provider: With the retirement of EC2-Classic the aws_db_security_group resource has been removed (#30966)
• provider: With the retirement of EC2-Classic the aws_elasticache_security_group resource has been removed (#30966)
• provider: With the retirement of EC2-Classic the aws_redshift_security_group resource has been removed (#30966)
• provider: With the retirement of Macie Classic the aws_macie_member_account_association resource has been removed (#31058)
• provider: With the retirement of Macie Classic the aws_macie_s3_bucket_association resource has been removed (#31058)
• resource/aws_acmpca_certificate_authority: The status attribute has been removed (#31084)
• resource/aws_api_gateway_rest_api: minimum_compression_size is now a string type to allow values set via the body attribute to be properly computed. (#30969)
• resource/aws_autoscaling_attachment: alb_target_group_arn has been removed -- use lb_target_group_arn instead (#30828)
• resource/aws_autoscaling_group: Remove deprecated tags attribute (#30842)
• resource/aws_budgets_budget: The cost_filters attribute has been removed (#31395)
• resource/aws_ce_anomaly_subscription: The threshold attribute has been removed (#30374)
• resource/aws_cloudwatch_event_target: The ecs_target.propagate_tags attribute now has no default value (#25233)
• resource/aws_codebuild_project: The secondary_sources.auth and source.auth attributes have been removed (#31483)
• resource/aws_connect_hours_of_operation: The hours_of_operation_arn attribute has been removed (#31484)
• resource/aws_connect_queue: The quick_connect_ids_associated attribute has been removed (#31376)
• resource/aws_connect_routing_profile: The queue_configs_associated attribute has been removed (#31376)
• resource/aws_db_instance: Remove name - use db_name instead (#31232)
• resource/aws_db_instance: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
• resource/aws_db_instance: id is no longer the AWS database identifier - id is now the dbi-resource-id. Refer to identifier instead of id to use the database's identifier (#31232)
• resource/aws_default_vpc: With the retirement of EC2-Classic the enable_classiclink and enable_classiclink_dns_support attributes have been removed (#30966)
• resource/aws_dms_endpoint: s3_settings.ignore_headers_row has been removed (#30452)
• resource/aws_docdb_cluster: snapshot_identifier change now properly forces replacement (#29409)
• resource/aws_ec2_client_vpn_endpoint: The status attribute has been removed (#31223)
• resource/aws_ec2_client_vpn_network_association: The security_groups attribute has been removed (#31396)
• resource/aws_ec2_client_vpn_network_association: The status attribute has been removed (#31223)
• resource/aws_ecs_cluster: The capacity_providers and default_capacity_provider_strategy attributes have been removed (#31346)
• resource/aws_eip: With the retirement of EC2-Classic the standard domain is no longer supported (#30966)
• resource/aws_eip_association: With the retirement of EC2-Classic the standard domain is no longer supported (#30966)
• resource/aws_elasticache_cluster: With the retirement of EC2-Classic the security_group_names attribute has been removed (#30966)
• resource/aws_elasticache_replication_group: Remove availability_zones, number_cache_clusters, replication_group_description arguments -- use preferred_cache_cluster_azs, num_cache_clusters, and description, respectively, instead (#31008)
• resource/aws_elasticache_replication_group: Remove cluster_mode configuration block -- use top-level num_node_groups and replicas_per_node_group instead (#31008)
• resource/aws_kinesis_firehose_delivery_stream: Remove s3_configuration attribute from the root of the resource. s3_configuration is now a part of the following blocks: elasticsearch_configuration, opensearch_configuration, redshift_configuration, splunk_configuration, and http_endpoint_configuration (#31138)
• resource/aws_kinesis_firehose_delivery_stream: Remove s3 as an option for destination. Use extended_s3 instead (#31138)
• resource/aws_kinesis_firehose_delivery_stream: Rename extended_s3_configuration.0.s3_backup_configuration.0.buffer_size and extended_s3_configuration.0.s3_backup_configuration.0.buffer_interval to extended_s3_configuration.0.s3_backup_configuration.0.buffering_size and extended_s3_configuration.0.s3_backup_configuration.0.buffering_interval, resp...

v4.67.0

NOTES:

• resource/aws_lightsail_domain_entry: The id attribute is now comma-delimited (#30820)

FEATURES:

• New Data Source: aws_connect_user (#26156)
• New Data Source: aws_connect_vocabulary (#26158)
• New Data Source: aws_organizations_policy (#30920)
• New Data Source: aws_redshiftserverless_namespace (#31250)
• New Resource: aws_quicksight_template (#30453)
• New Resource: aws_quicksight_template_alias (#31310)
• New Resource: aws_quicksight_vpc_connection (#31309)

ENHANCEMENTS:

• aws_quicksight_data_set: Add support for configuring refresh properties (#30744)
• data-source/aws_acmpca_certificate_authority: Add key_storage_security_standard attribute (#31280)
• data-source/aws_elastic_beanstalk_hosted_zone: Add hosted zone ID for ap-southeast-3 AWS Region (#31248)
• data-source/aws_s3_bucket: Set hosted_zone_id for cn-north-1 AWS China Region (#31247)
• resource/aws_acmpca_certificate_authority: Add key_storage_security_standard argument (#31280)
• resource/aws_cloudwatch_metric_stream: Add metric_names to include_filter and exclude_filter configuration blocks (#31288)
• resource/aws_dms_endpoint: Add ability to use the db2-zos IBM DB2 for z/OS engine (#31291)
• resource/aws_fsx_ontap_file_system: Allow in-place update of route_table_ids (#31251)
• resource/aws_fsx_ontap_file_system: Support setting throughput_capacity to 4096 (#31251)
• resource/aws_rds_cluster: Add ability to specify Aurora IO Optimized storage_type (#31336)
• resource/aws_s3_bucket: Set hosted_zone_id for cn-north-1 AWS China Region (#31247)

BUG FIXES:

• resource/aws_appintegrations_data_integration: Correctly read tags into state (#31241)
• resource/aws_config_remediation_configuration: Change parameter attribute to TypeList for better diff calculation (#31315)
• resource/aws_iam_openid_connect_provider: Change client_id_list from TypeList to TypeSet as order is not significant (#31253)
• resource/aws_servicecatalog_provisioned_product: Fix to properly send stack_set_provisioned_preferences.0.accounts on create and update (#31293)
• resource/aws_servicecatalog_provisioned_product: Fix to properly set stack_set_provisioned_preferences integer types failure_tolerance_count, failure_tolerance_percentage, max_concurrency_count, max_concurrency_percentage (#31289)
• resource/aws_ssm_activation: Fix various ValidationException errors on resource Create (#31340)

v4.66.1

BUG FIXES:

• resource/aws_appautoscaling_target: Fix InvalidParameter: 1 validation error(s) found. minimum field size of 1, ListTagsForResourceInput.ResourceARN. related to Application Auto Scaling resource tagging introduced in v4.66.0 (#31214)

v4.66.0

NOTES:

• resource/aws_instance: The cpu_core_count argument is deprecated in favor of the cpu_options block. The cpu_options block can set core_count (#31035)
• resource/aws_instance: The cpu_threads_per_core argument is deprecated in favor of the cpu_options block. The cpu_options block can set threads_per_core (#31035)

FEATURES:

• New Data Source: aws_appintegrations_event_integration (#24965)
• New Data Source: aws_dms_replication_instance (#15406)
• New Data Source: aws_vpclattice_auth_policy (#30898)
• New Data Source: aws_vpclattice_service_network (#30904)
• New Resource: aws_account_primary_contact (#26123)
• New Resource: aws_appintegrations_data_integration (#24941)
• New Resource: aws_chimesdkvoice_voice_profile_domain (#30977)
• New Resource: aws_directory_service_trust (#31037)
• New Resource: aws_vpclattice_access_log_subscription (#30896)
• New Resource: aws_vpclattice_auth_policy (#30891)
• New Resource: aws_vpclattice_resource_policy (#30900)
• New Resource: aws_vpclattice_target_group_attachment (#31039)

ENHANCEMENTS:

• data-source/aws_autoscaling_group: Add max_instance_lifetime attribute (#31067)
• data-source/aws_autoscaling_group: Add mixed_instances_policy attribute (#31067)
• data-source/aws_autoscaling_group: Add predicted_capacity attribute (#31067)
• data-source/aws_autoscaling_group: Add suspended_processes attribute (#31067)
• data-source/aws_autoscaling_group: Add tag attribute (#31067)
• data-source/aws_autoscaling_group: Add warm_pool_size attribute (#31067)
• data-source/aws_autoscaling_group: Add warm_pool attribute (#31067)
• datasource/aws_launch_template: Add amd_sev_snp attribute (#31035)
• resource/aws_appautoscaling_policy: Add metrics to the target_tracking_scaling_policy_configuration.customized_metric_specification configuration block in support of metric math (#30172)
• resource/aws_appautoscaling_target: Add arn attribute (#30172)
• resource/aws_appautoscaling_target: Add tags argument and tags_all attribute to support resource tagging (#30172)
• resource/aws_autoscaling_group: Add predicted_capacity attribute (#31067)
• resource/aws_autoscaling_group: Add warm_pool_size attribute (#31067)
• resource/aws_directory_service_conditional_forwarder: Add plan time validation for remote_domain_name (#31037)
• resource/aws_directory_service_directory: Correct plan time validation for remote_domain_name (#31037)
• resource/aws_elasticache_user: Add support for defining custom timeouts (#31076)
• resource/aws_fsx_lustre_file_system: Add root_squash_configuration argument (#31073)
• resource/aws_glue_catalog_database: Add tagging support (#31071)
• resource/aws_grafana_workspace: Make grafana_version optional so that its value can be specified in configuration (#31083)
• resource/aws_instance: Add amd_sev_snp argument (#31035)
• resource/aws_instance: Add cpu_options argument (#31035)
• resource/aws_lambda_function: Add support for java17 runtime value (#31027)
• resource/aws_lambda_layer_version: Add support for java17 compatible_runtimes value (#31028)
• resource/aws_launch_template: Add amd_sev_snp argument (#31035)
• resource/aws_medialive_channel: Added H265 support. (#30908)
• resource/aws_rds_cluster_role_association: Add configurable Create and Delete timeouts (#31015)
• resource/aws_redshift_scheduled_action: Add plan time validation for name argument (#31020)
• resource/aws_redshiftserverless_workgroup: Add support for defining custom timeouts (#31054)
• resource/aws_sagemaker_domain: Add domain_settings.r_studio_server_pro_domain_settings, default_user_settings.canvas_app_settings.model_register_settings, and default_user_settings.r_studio_server_pro_app_settings arguments (#31031)
• resource/aws_sagemaker_endpoint_configuration: Add async_inference_config.output_config.notification_config.include_inference_response_in and async_inference_config.output_config.s3_failure_path arguments (#31070)
• resource/aws_sagemaker_user_profile: Add user_settings.canvas_app_settings.model_register_settings and user_settings.r_studio_server_pro_app_settings arguments (#31072)
• resource/aws_servicecatalog_provisioning_artifact: Add provisioning_artifact_id attribute (#31086)
• resource/aws_sfn_state_machine: Add configurable timeouts (#31097)
• resource/aws_spot_fleet_request: Add 'aws_spot_fleet_request.context' argument (#30918)
• resource/aws_vpn_connection: Add tunnel1_enable_tunnel_lifecycle_control and tunnel2_enable_tunnel_lifecycle_control arguments (#31064)

BUG FIXES:

• data-source/aws_nat_gateway: Guarantee that all attributes are set when the NAT Gateway is associated with a single address (#31118)
• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.override attribute, fixing setting firewall_policy: Invalid address to set error (#31089)
• resource/aws_connect_routing_profile: Remove the limit on the maximum number of queues that can be associated with a routing profile. Batch processing is now done when there are more than 10 queues associated or disassociated at a time. (#30895)
• resource/aws_db_instance: Consider delete-precheck a valid pending state for resource deletion (#31047)
• resource/aws_inspector2_enabler: Correctly supports LAMBDA resource scanning (#31038)
• resource/aws_inspector2_enabler: Correctly supports multiple accounts (#31038)
• resource/aws_inspector2_enabler: No longer calls Disable API for status checking (#31038)
• resource/aws_nat_gateway: Guarantee that all attributes are set when the NAT Gateway is associated with a single address (#31118)
• resource/aws_rds_cluster_instance: Consider delete-precheck a valid pending state for resource deletion (#31047)
• resource/aws_servicecatalog_provisioned_product: Changes in the provi...

v4.65.0

NOTES:

• data-source/aws_db_instance: With the retirement of EC2-Classic thedb_security_groups attribute has been deprecated and will be removed in a future version (#30919)
• data-source/aws_elasticache_cluster: With the retirement of EC2-Classic thesecurity_group_names attribute has been deprecated and will be removed in a future version (#30919)
• data-source/aws_launch_configuration: With the retirement of EC2-Classic thevpc_classic_link_id and vpc_classic_link_security_groups attributes have been deprecated and will be removed in a future version (#30919)
• data-source/aws_redshift_cluster: With the retirement of EC2-Classic the cluster_security_groups attribute has been deprecated and will be removed in a future version (#30919)
• resource/aws_config_organization_custom_policy_rule: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#21373)

FEATURES:

• New Data Source: aws_api_gateway_authorizer (#28148)
• New Data Source: aws_api_gateway_authorizers (#28148)
• New Data Source: aws_dms_replication_subnet_group (#30832)
• New Data Source: aws_dms_replication_task (#30967)
• New Data Source: aws_ssmcontacts_contact (#30667)
• New Data Source: aws_ssmcontacts_contact_channel (#30667)
• New Data Source: aws_ssmcontacts_plan (#30667)
• New Data Source: aws_ssmincidents_response_plan (#30665)
• New Resource: aws_config_organization_custom_policy_rule (#21373)
• New Resource: aws_quicksight_folder_membership (#30871)
• New Resource: aws_quicksight_refresh_schedule (#30788)
• New Resource: aws_ssmcontacts_contact (#30667)
• New Resource: aws_ssmcontacts_contact_channel (#30667)
• New Resource: aws_ssmcontacts_plan (#30667)
• New Resource: aws_ssmincidents_response_plan (#30665)
• New Resource: aws_synthetics_group (#30678)
• New Resource: aws_synthetics_group_association (#30678)

ENHANCEMENTS:

• data-source/aws_ami_ids: Add include_deprecated argument (#30294)
• data-source/aws_backup_report_plan: Add accounts, organization_units and regions attributes to the report_setting block (#28309)
• data-source/aws_imagebuilder_image: Add containers attribute to the output_resources block (#30899)
• resource/aws_appstream_stack: Add streaming_experience_settings attribute (#28512)
• resource/aws_backup_report_plan: Add accounts, organization_units and regions attributes to the report_setting block (#28309)
• resource/aws_chime_voice_connector_streaming: Add media_insights_configuration argument (#30713)
• resource/aws_db_subnet_group: Add vpc_id attribute (#30775)
• resource/aws_fis_experiment_template: Add support for Cluster Network Actions to actions.*.target (#27337)
• resource/aws_gamelift_game_session_queue: Add custom_event_data argument (#26206)
• resource/aws_imagebuilder_image: Add containers attribute to the output_resources block (#30899)
• resource/aws_networkfirewall_rule_group: Add limit for reference_sets (#30759)
• resource/aws_networkmanager_core_network: Wait for the network policy to be in the READY_TO_EXECUTE state before executing any changes (#30879)
• resource/aws_s3outposts_endpoint: Add access_type and customer_owned_ipv4_pool arguments (#23839)
• resource/aws_wafv2_web_acl: Add token_domains argument (#30340)
• various IAM resource types: more detailed error messages for invalid policy document JSON (#27502)

BUG FIXES:

• resource/aws_api_gateway_api_key: Fix value minimum length verification when specified. (#30894)
• resource/aws_apprunner_service: Allow additional instance_configuration.cpu and instance_configuration.memory values (#30889)
• resource/aws_dms_replication_task: Fix perpetual diff on dms replication_task settings (#30885)
• resource/aws_ds_shared_directory: Properly handle paged response objects on read (#30914)
• resource/aws_ecs_service: Fix removal of service_registries configuration block (#30852)
• resource/aws_redshiftdata_statement: Fix ValidationException errors reading expired statements (#26343)
• resource/aws_vpc_endpoint_route_table_association: Retry resource Create for EC2 eventual consistency (#30994)
• resource/aws_vpc_endpoint_service_allowed_principal: Fix too many results error (#30974)

v4.64.0

FEATURES:

• New Data Source: aws_dms_endpoint (#30717)
• New Data Source: aws_fsx_windows_file_system (#28622)
• New Data Source: aws_networkfirewall_resource_policy (#25474)
• New Data Source: aws_prometheus_workspaces (#28574)
• New Data Source: aws_redshiftserverless_workgroup (#29208)
• New Data Source: aws_route53_resolver_query_log_config (#29111)
• New Data Source: aws_sesv2_configuration_set (#30108)
• New Data Source: aws_vpclattice_listener (#30843)
• New Resource: aws_cloudwatch_event_endpoint (#25846)
• New Resource: aws_vpclattice_listener (#30711)
• New Resource: aws_vpclattice_listener_rule (#30784)

ENHANCEMENTS:

• data-source/aws_cloudfront_response_headers_policy: Add remove_headers_config attribute (#28940)
• data-source/aws_ecs_task_definition: Add execution_role_arn attribute (#28662)
• data-source/aws_eks_node_group: Add launch_template attribute (#30780)
• data-source/aws_iam_role: Add role_last_used attribute (#30750)
• data-source/aws_kms_key: Add cloud_hsm_cluster_id, custom_key_store_id, key_spec, pending_deletion_window_in_days, and xks_key_configuration attributes (#29250)
• data-source/aws_lakeformation_data_lake_settings: Add allow_external_data_filtering, external_data_filtering_allow_list and authorized_session_tag_value_list attributes (#30207)
• data-source/aws_outposts_outpost: Add lifecycle_status, site_arn, supported_hardware_type and tags attributes (#30754)
• data-source/aws_servicequotas_service_quota: Add usage_metric attribute (#29499)
• data-source/aws_subnet: Add enable_lni_at_device_index attribute (#30798)
• resource/aws_appsync_datasource: Add opensearchservice_config argument (#29578)
• resource/aws_cloudfront_response_headers_policy: Add remove_headers_config argument (#28940)
• resource/aws_cloudwatch_event_target: Add ecs_target.ordered_placement_strategy argument (#28384)
• resource/aws_cloudwatch_metric_stream: Add include_linked_accounts_metrics argument (#29281)
• resource/aws_dms_replication_instance: Increase default timeout for create (#29905)
• resource/aws_eks_node_group: Add plan time validation to node_group_name and node_group_name_prefix arguments (#29975)
• resource/aws_elastic_beanstalk_application: Add plan time validation to appversion_lifecycle.service_role and name arguments (#17727)
• resource/aws_emr_cluster: Add placement_group_config argument (#30121)
• resource/aws_fis_experiment_template: Add support for Subnets Network Actions to actions.*.target (#30211)
• resource/aws_iam_role: Add role_last_used attribute (#30750)
• resource/aws_iot_topic_rule: Add error_action.firehose.batch_mode, error_action.iot_analytics.batch_mode, error_action.iot_events.batch_mode, firehose.batch_mode, iot_analytics.batch_mode and iot_events.batch_mode arguments (#28568)
• resource/aws_kinesis_firehose_delivery_stream: Add opensearch_configuration block (#29112)
• resource/aws_kinesis_firehose_delivery_stream: Add opensearch as a valid destination value (#29112)
• resource/aws_lakeformation_data_lake_settings: Add allow_external_data_filtering, external_data_filtering_allow_list and authorized_session_tag_value_list arguments (#30207)
• resource/aws_lambda_event_source_mapping: Add document_db_event_source_config configuration block (#28586)
• resource/aws_lambda_function: Add support for python3.10 runtime value (#30781)
• resource/aws_lambda_layer_version: Add support for python3.10 compatible_runtimes value (#30781)
• resource/aws_main_route_table_association: Add configurable timeouts (#30755)
• resource/aws_route: Allow gateway_id value of local when updating a Route (#24507)
• resource/aws_route_table_association: Add configurable timeouts (#30755)
• resource/aws_s3_bucket: Correct S3 Object Lock error handling for third-party S3-compatible API implementations (#26317)
• resource/aws_s3_bucket_object_lock_configuration: Correct error handling for third-party S3-compatible API implementations (#26317)
• resource/aws_securityhub_account: Add control_finding_generator, auto_enable_controls and arn attributes (#30692)
• resource/aws_servicequotas_service_quota: Add usage_metric attribute (#29499)
• resource/aws_ssoadmin_account_assignment: Extend timeout delay and min timeout (#25849)
• resource/aws_ssoadmin_permission_set: Extend timeout delay and min timeout (#25849)
• resource/aws_subnet: Add enable_lni_at_device_index attribute (#30798)
• resource/aws_vpc_endpoint_service_allowed_principal: Changed id to use ServicePermissionId (#27640)
• resource/aws_wafv2_rule_group: Add rule.action.challenge argument (#29690)
• resource/aws_wafv2_rule_group: Add rule.captcha_config argument (#29608)
• resource/aws_wafv2_web_acl: Add captcha_config and rule.captcha_config arguments (#29608)

BUG FIXES:

• data-source/aws_lakeformation_permissions: Change lf_tag_policy.expression from TypeList to TypeSet as order is not significant (#26643)
• data-source/aws_lakeformation_permissions: Remove limit on number of lf_tag_policy.expression blocks (#26643)
• resource/aws_cloudwatch_event_rule: Add retry to read step, resolving couldn't find resource error (#25846)
• resource/aws_default_vpc: Fix adoption of default VPC with generated IPv6 (#29083)
• resource/aws_dx_gateway: Remove plan time validation from name argument (#30739)
• resource/aws_ecs_service: Fix error importing service with an IAM role with a path (#30170)
• resource/aws_fsx_windows_file_system: Increase throughput_capacity first to avoid BadRequest errors (#28622)
• resource/aws_lakeformation_permissions: Change lf_tag_policy.expression from TypeList to TypeSet as order is not significant (#26643)
• resource/aws_lakeformation_permissions: Change lf_tag, lf_tag.values, lf_tag_policy, lf_tag_policy.expression.key, lf_tag_policy.expression.values and `lf_tag_...