Update Terraform aws to v6

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	major	4.64.0 → 6.36.0

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.36.0

Compare Source

NOTES:

• provider: Update Go version to v1.25.8. Addresses GO-2026-4602, FileInfo can escape from a Root in os, GO-2026-4603, URLs in meta content attribute actions are not escaped in html/template, and GO-2026-4601, Incorrect parsing of IPv6 host literals in net/url (#​46820)

FEATURES:

• New Data Source: aws_iam_outbound_web_identity_federation (#​46503)
• New Ephemeral Resource: aws_sts_web_identity_token (#​46173)
• New List Resource: aws_s3_bucket_versioning (#​46802)

ENHANCEMENTS:

• listresource/aws_s3_bucket: No longer returns values for deprecated parameters (#​46852)
• resource/aws_bedrockagentcore_agent_runtime: Add authorizer_config.custom_jwt_authorizer.allowed_scopes argument (#​46828)
• resource/aws_cloudwatch_log_resource_policy: Add resource_arn argument and policy_scope and revision_id attributes. policy_name is now optional (#​46813)
• resource/aws_glue_catalog_table: Add open_table_format_input.iceberg_input.iceberg_table_input argument (#​46843)
• resource/aws_glue_catalog_table: Add view_definition argument (#​46843)
• resource/aws_glue_catalog_table: Change open_table_format_input.iceberg_input.metadata_operation and open_table_format_input.iceberg_input.version to ForceNew (#​46843)
• resource/aws_glue_catalog_table: Change parameters, storage_descriptor, and table_type to Optional and Computed (#​46843)
• resource/aws_guardduty_ipset: Add ip_set_id attribute (#​46703)
• resource/aws_guardduty_publishing_destination: Add arn and destination_id attributes (#​46703)
• resource/aws_guardduty_publishing_destination: Add tagging support (#​46703)
• resource/aws_guardduty_threatintelset: Add threat_intel_set_id attribute (#​46703)
• resource/aws_observabilityadmin_centralization_rule_for_organization: Add rule.destination.destination_logs_configuration.log_group_name_configuration block (#​46811)

BUG FIXES:

• data-source/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
• list-resource/aws_iam_role_policy_attachment: Prevent infinite loop when IAM Role deleted during list (#​46763)
• listresource/aws_s3_bucket: No longer appears to hang when buckets are deleted concurrently with listing (#​46852)
• resource/aws_appconfig_deployment_strategy: Fix panic due to "interface conversion: interface {} is float64, not float32" when updating growth_factor (#​46810)
• resource/aws_glue_catalog_table: Use the table's catalog ID when reading partition indexes, fixing EntityNotFoundException errors (#​46843)
• resource/aws_vpc_endpoint: Allow in-place update of private_dns_enabled when vpc_endpoint_type is Interface (#​46800)
• resource/aws_vpc_endpoint: Set new computed value for network_interface_ids attribute when changing subnet_configuration or subnet_ids (#​46800)
• resource/aws_vpn_concentrator: Retry VpnConcentratorLimitExceeded: The maximum number of mutating objects has been reached errors on Create (#​46823)

v6.35.1

Compare Source

BUG FIXES:

• provider: Fix regression causing "Incompatible Types" errors during flattening (#​46778)
• resource/aws_bedrockagentcore_gateway_target: Fix "Incompatible Types" errors during schema definition flattening (#​46778)
• resource/aws_s3_bucket_lifecycle_configuration: Fix "Incompatible Types" errors for LifecycleRuleAndOperator while flattening configuration (#​46778)

v6.35.0

Compare Source

FEATURES:

• New List Resource: aws_ecs_service (#​46678)
• New List Resource: aws_lb (#​46660)
• New List Resource: aws_lb_listener (#​46679)
• New List Resource: aws_lb_listener_rule (#​46731)
• New List Resource: aws_lb_target_group (#​46662)
• New List Resource: aws_sns_topic (#​46744)
• New List Resource: aws_sns_topic_subscription (#​46738)
• New Resource: aws_observabilityadmin_telemetry_pipeline (#​46698)
• New Resource: aws_sagemaker_mlflow_app (#​45565)

ENHANCEMENTS:

• data-source/aws_lambda_layer_version: Add layer_version_arn argument to support cross-account Lambda layer access (#​46673)
• resource/aws_emrserverless_application: Add job_level_cost_allocation_configuration block (#​46107)
• resource/aws_ram_resource_share: Add resource_share_configuration block (#​46715)

BUG FIXES:

• resource/aws_ce_cost_category: Change split_charge_rule targets from TypeSet to TypeList to retain order (#​42856)
• resource/aws_dms_endpoint: Fix InvalidParameterCombinationException errors when oracle_settings is configured (#​46689)
• resource/aws_elasticache_replication_group: Remove hard-coded upper limit of 5 for replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#​46670)
• resource/aws_networkmanager_attachment_routing_policy_label: Fix attachment state waiter to handle all Cloud WAN attachment lifecycle states (#​46672)

v6.34.0

Compare Source

FEATURES:

• New List Resource: aws_ec2_secondary_network (#​46552)
• New List Resource: aws_ec2_secondary_subnet (#​46552)
• New List Resource: aws_ecr_task_definition (#​46628)
• New List Resource: aws_elb (#​46639)
• New List Resource: aws_s3_bucket_lifecycle_configuration (#​46531)
• New Resource: aws_networkmanager_prefix_list_association (#​46566)

ENHANCEMENTS:

• data-source/aws_grafana_workspace: Add kms_key_id attribute (#​46584)
• data-source/aws_memorydb_cluster: Add network_type and ip_discovery attributes (#​46636)
• resource/aws_athena_workgroup: Add configuration.query_results_s3_access_grants_configuration argument (#​46376)
• resource/aws_bedrockagentcore_api_key_credential_provider: Add tagging support (#​46591)
• resource/aws_bedrockagentcore_gateway_target: Add metadata_configuration block for HTTP header and query parameter propagation (#​45808)
• resource/aws_bedrockagentcore_oauth2_credential_provider: Add tagging support (#​46590)
• resource/aws_cloudwatch_event_connection: Add auth_parameters.connectivity_parameters argument (#​41561)
• resource/aws_ecs_service: Add service_connect_configuration.access_log_configuration argument (#​45820)
• resource/aws_ecs_service: Add resource identity support (#​46644)
• resource/aws_eip_domain_name: Add import support (#​46582)
• resource/aws_grafana_workspace: Add kms_key_id argument (#​46584)
• resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#​46568)
• resource/aws_lb_target_group_attachment: Add import support (#​46646)
• resource/aws_lb_target_group_attachment: Add resource identity (#​46646)
• resource/aws_memorydb_cluster: Add network_type and ip_discovery arguments (#​46636)
• resource/aws_opensearch_domain: Add jwt_options attribute (#​46439)
• resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#​44426)

BUG FIXES:

• data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#​46616)
• data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#​46226)
• list-resource/aws_s3_object: Includes parent bucket in display name. (#​46596)
• resource/aws_autoscaling_group: Fix couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#​46622)
• resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#​46127)
• resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#​46127)
• resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#​46462)
• resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#​46150)
• resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#​46556)
• resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#​46102)

v6.33.0

Compare Source

FEATURES:

• New Resource: aws_networkmanager_attachment_routing_policy_label (#​46489)

ENHANCEMENTS:

• data-source/aws_launch_template: Add cpu_options.nested_virtualization and network_performance_options attributes (#​46540)
• data/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
• resource/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
• resource/aws_budgets_budget: Add filter_expression attribute (#​46501)
• resource/aws_dms_endpoint: Add access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefixarguments to theoracle_settings` configuration block (#​46516)
• resource/aws_dms_endpoint: Add use_update_lookup argument to mongodb_settings configuration block (#​46253)
• resource/aws_ecs_task_definition: Add resource identity support (#​46411)
• resource/aws_instance: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
• resource/aws_launch_template: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
• resource/aws_launch_template: Add secondary_interfaces configuration block (#​46540)
• resource/aws_lexv2models_intent: Add qna_intent_configuration attribute (#​46419)
• resource/aws_sagemaker_domain: Add domain_settings.trusted_identity_propagation_settings argument (#​44965)

BUG FIXES:

• data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#​46478)
• resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#​46475)
• resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#​45049)
• resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#​46496)
• resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#​44960)
• resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#​46453)
• resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#​46515)

v6.32.1

Compare Source

BUG FIXES:

• resource/aws_autoscaling_group: Fix couldn't find resource error during creation when waiting for capacity to be satisfied (#​46452)
• resource/aws_cloudwatch_log_delivery: Fix s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#​46455)
• resource/aws_dynamodb_table: Fix perpetual diff when using key_schema with a single range key on a global secondary index (#​46442)
• resource/aws_elasticache_replication_group: Fix false validation error when auth_token references another resource (#​46454)

v6.32.0

Compare Source

FEATURES:

• New List Resource: aws_ecr_repository (#​46344)
• New List Resource: aws_lambda_permission (#​46341)
• New List Resource: aws_route (#​46370)
• New List Resource: aws_route53_resolver_rule_association (#​46349)
• New List Resource: aws_route_table (#​46337)
• New List Resource: aws_s3_directory_bucket (#​46373)
• New List Resource: aws_secretsmanager_secret (#​46318)
• New List Resource: aws_secretsmanager_secret_version (#​46342)
• New List Resource: aws_vpc_security_group_egress_rule (#​46368)
• New List Resource: aws_vpc_security_group_ingress_rule (#​46367)
• New Resource: aws_ec2_secondary_network (#​46408)
• New Resource: aws_ec2_secondary_subnet (#​46408)

ENHANCEMENTS:

• resource/aws_instance: Add secondary_network_interface argument (#​46408)
• resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#​42687)

BUG FIXES:

• data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#​46384)
• list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#​46401)
• resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#​46427)
• resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#​46375)
• resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#​45637)

v6.31.0

Compare Source

NOTES:

• resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
• resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
• resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)

FEATURES:

• New Data Source: aws_account_regions (#​41746)
• New Ephemeral Resource: aws_ecrpublic_authorization_token (#​45841)
• New List Resource: aws_cloudwatch_event_rule (#​46304)
• New List Resource: aws_cloudwatch_event_target (#​46297)
• New List Resource: aws_cloudwatch_metric_alarm (#​46268)
• New List Resource: aws_iam_role_policy (#​46293)
• New List Resource: aws_lambda_function (#​46295)
• New List Resource: aws_s3_bucket_acl (#​46305)
• New List Resource: aws_s3_bucket_policy (#​46312)
• New List Resource: aws_s3_bucket_public_access_block (#​46309)
• New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#​46191)

ENHANCEMENTS:

• resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45583)
• resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#​45882)

BUG FIXES:

• list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#​46305)
• resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#​45518)
• resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#​45893)
• resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#​45571)
• resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#​45087)
• resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#​46211)

v6.30.0

Compare Source

FEATURES:

• New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#​46176)

BUG FIXES:

• resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#​46195)

v6.29.0

Compare Source

NOTES:

• data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
• resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​43331)
• resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#​46185)
• resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
• resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​45834)

FEATURES:

• New Data Source: aws_arcregionswitch_plan (#​43781)
• New Data Source: aws_arcregionswitch_route53_health_checks (#​43781)
• New Data Source: aws_organizations_entity_path (#​45890)
• New Data Source: aws_resourcegroupstaggingapi_required_tags (#​45994)
• New Data Source: aws_s3_bucket_object_lock_configuration (#​45990)
• New Data Source: aws_s3_bucket_replication_configuration (#​42662)
• New Data Source: aws_s3control_access_points (#​45949)
• New Data Source: aws_s3control_multi_region_access_points (#​45974)
• New Data Source: aws_savingsplans_savings_plan (#​45834)
• New Data Source: aws_wafv2_managed_rule_group (#​45899)
• New List Resource: aws_appflow_connector_profile (#​45983)
• New List Resource: aws_appflow_flow (#​45980)
• New List Resource: aws_cleanrooms_collaboration (#​45953)
• New List Resource: aws_cleanrooms_configured_table (#​45956)
• New List Resource: aws_cloudfront_key_value_store (#​45957)
• New List Resource: aws_opensearchserverless_collection (#​46001)
• New List Resource: aws_route53_record (#​46059)
• New List Resource: aws_s3_bucket (#​46004)
• New List Resource: aws_s3_object (#​46002)
• New List Resource: aws_security_group (#​46062)
• New Resource: aws_apigatewayv2_routing_rule (#​42961)
• New Resource: aws_arcregionswitch_plan (#​43781)
• New Resource: aws_cloudfront_anycast_ip_list (#​43331)
• New Resource: aws_notifications_managed_notification_account_contact_association (#​45185)
• New Resource: aws_notifications_managed_notification_additional_channel_association (#​45186)
• New Resource: aws_notifications_organizational_unit_association (#​45197)
• New Resource: aws_notifications_organizations_access (#​45273)
• New Resource: aws_opensearch_application (#​43822)
• New Resource: aws_ram_permission (#​44114)
• New Resource: aws_ram_resource_associations_exclusive (#​45883)
• New Resource: aws_sagemaker_labeling_job (#​46041)
• New Resource: aws_sagemaker_model_card (#​45993)
• New Resource: aws_sagemaker_model_card_export_job (#​46009)
• New Resource: aws_savingsplans_savings_plan (#​45834)
• New Resource: aws_sesv2_tenant_resource_association (#​45904)
• New Resource: aws_vpc_security_group_rules_exclusive (#​45876)

ENHANCEMENTS:

• aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
• aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
• data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
• data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#​46157)
• data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#​45928)
• data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#​46163)
• data-source/aws_vpc_ipam_pool: Add source_resource attribute (#​44705)
• resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
• resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#​45966)
• resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#​46056)
• resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#​45984)
• resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#​45357)
• resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#​45934)
• resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#​46092)
• resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#​45852)
• resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#​45852)
• resource/aws_invoicing_invoice_unit: Adds resource identity support. (#​46185)
• resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#​46185)
• resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#​46065)
• resource/aws_launch_template: Add network_performance_options argument (#​46071)
• resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#​45636)
• resource/aws_opensearchserverless_collection: Add resource identity support (#​45981)
• resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#​44881)
• resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#​45951)
• resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#​45951)
• resource/aws_sagemaker_monitoring_schedule: Make monitoring_schedule_config.monitoring_job_definition_name argument optional (#​45951)
• resource/aws_vpc_ipam_pool: Add source_resource argument in support of provisioning of VPC Resource Planning Pools (#​44705)
• resource/aws_vpc_ipam_resource_discovery: Add organizational_unit_exclusion argument (#​45890)
• resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#​44705)
• resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#​44705)

BUG FIXES:

• data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#​45909)
• data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
• data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#​46160)
• provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#​46000)
• provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#​46159)
• resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#​45972)
• resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#​45713)
• resource/aws_billing_view: Fix handling of data_filter_expression (#​45293)
• resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#​45992)
• resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#​45873)
• resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#​45873)
• resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#​45977)
• resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#​45921)
• resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#​46110)
• resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#​46094)
• resource/aws_dynamodb_table: Fixes error when name is known after apply (#​45917)
• resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#​45997)
• resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
• resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#​45967)
• resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_lb_target_group: Fix update error when switching health_check.protocol from HTTP to TCP when protocol is TCP (#​46036)
• resource/aws_multitenant_cloudfront_distribution: Prevent mistakenly importing a standard distribution (#​45873)
• resource/aws_networkfirewall_firewall_policy: Support partner-managed rule groups via firewall_policy.stateful_rule_group_reference.resource_arn (#​46124)
• resource/aws_odb_network: Fix delete_associated_resources being set when value is unknown (#​45636)
• resource/aws_pipes_pipe: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
• resource/aws_placement_group: Correct validation of partition_count ([#​45042](https://redirect.github.com/hashicorp/terraform-pr

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.