v2.35.0

NOTES:

• provider: New ignore_tag_prefixes and ignore_tags arguments are being tested as a public preview for ignoring tags across all resources under a provider. Support for the functionality must be added to individual resources in the codebase and is only implemented for the aws_subnet and aws_vpc resources at this time. Until a general availability announcement, no compatibility promises are made with these provider arguments and their functionality. (#10418)

FEATURES:

• New Data Source: aws_qldb_ledger (#10394)
• New Resource: aws_qldb_ledger (#10394)

ENHANCEMENTS:

• data-source/aws_db_cluster_snapshot: Add tags attribute (#10488)
• data-source/aws_db_instance: Add tags attribute (#10550)
• data-source/aws_vpc_endpoint: Add filter and tags arguments (#10503)
• provider: Add ignore_tag_prefixes and ignore_tags arguments (in public preview, see note above) (#10418)
• resource/aws_acmpca_certificate_authority: Support tagging on creation (#10736)
• resource/aws_api_gateway_api_key: Add tags argument and arn attribute (#10568)
• resource/aws_api_gateway_client_certificate: Add tags argument and arn attribute (#10569)
• resource/aws_api_gateway_domain_name: Add tags argument and arn attribute (#10567)
• resource/aws_api_gateway_vpc_link: Add tags argument and arn attribute (#10561)
• resource/aws_cloudwatch_log_group: Support tagging on creation (#10753)
• resource/aws_db_cluster_snapshot: Add tags argument (#10488)
• resource/aws_ec2_fleet: Support in-place tags updates (#10761)
• resource/aws_launch_template: Support tagging on creation (#10759)
• resource/aws_mq_broker: Support in-place security_groups updates (#10442)
• resource/aws_storagegateway_cached_iscsi_volume: Add tags argument (#10613)
• resource/aws_storagegateway_gateway: Add tags argument (#10588)
• resource/aws_storagegateway_nfs_file_share: Add tags argument (#10722)
• resource/aws_subnet: Support provider-wide ignore tags (in public preview, see note above) (#10418)
• resource/aws_swf_domain: Add tags argument and arn attribute (#10763)
• resource/aws_vpc: Support provider-wide ignore tags (in public preview, see note above) (#10418)
• resource/aws_waf_rate_based_rule: Add tags argument and arn attribute (#10479)

BUG FIXES:

• data-source/aws_route53_resolver_rule: Do not retrieve tags for rules shared with the AWS account that owns the data source (#10348)
• resource/aws_api_gateway_authorizer: Set authorizer_result_ttl_in_seconds argument default to 300 to match API default which properly allows setting to 0 for disabling caching (#9605)
• resource/aws_autoscaling_group: Batch ELB attachments and detachments by 10 to prevent API and rate limiting errors (#10445)
• resource/aws_s3_bucket_public_access_block: Remove from Terraform state when S3 Bucket is already destroyed (#10534)
• resource/aws_ssm_maintenance_window_task: Prevent crashes with empty configuration blocks (#10713)

v2.34.0

ENHANCEMENTS:

• resource/aws_ecr_repository: Add image_scanning_configuration configuration block (support image scanning on push) (#10671)
• resource/aws_elasticache_replication_group: Add kms_key_id argument (support KMS encryption) (#10380)
• resource/aws_flow_log: Add log_format argument (#10374)
• resource/aws_glue_job: Add glue_version argument (#10237)
• resource/aws_storagegateway_smb_file_share: Add tags argument (#10620)

BUG FIXES:

• resource/aws_backup_plan: Correctly handle changes to recovery_point_tags arguments (#10641)
• resource/aws_backup_plan: Prevent diffs didn't match errors with rule configuration blocks (#10641)
• resource/aws_cloudhsm_v2_cluster: Ensure multiple tag configurations are applied correctly (#10309)
• resource/aws_cloudhsm_v2_cluster: Perform drift detection with tags (#10309)
• resource/aws_dx_gateway_association: Fix backwards compatibility issue with missing dx_gateway_association_id attribute (#8776)
• resource/aws_s3_bucket: Bypass MethodNotAllowed errors for Object Lock Configuration on read (support AWS C2S) (#10657)

v2.33.0

FEATURES:

• New Data Source: aws_waf_rate_based_rule (#10124)
• New Data Source: aws_wafregional_rate_based_rule (#10125)
• New Resource: aws_quicksight_user (#10401)

ENHANCEMENTS:

• resource/aws_glue_classifier: Add csv_classifier configuration block (support CSV classifiers) (#9824)
• resource/aws_waf_byte_match_set: Support resource import (#10477)
• resource/aws_waf_rate_based_rule: Support resource import (#10475)
• resource/aws_waf_rule: Add tags argument (#10408)
• resource/aws_waf_rule_group: Add tags argument (#10408)
• resource/aws_waf_web_acl: Add tags argument (#10408)

BUG FIXES:

• resource/aws_gamelift_fleet: Increase default deletion timeout to 20 minutes to match service timing (#10443)

v2.32.0

NOTES:

• provider: The underlying Terraform codebase dependency for the provider SDK and acceptance testing framework has been migrated from github.com/hashicorp/terraform to github.com/hashicorp/terraform-plugin-sdk. They are functionality equivalent and this should only impact codebase development to switch imports. For more information see the Terraform Plugin SDK page in the Extending Terraform documentation. (#10367)

ENHANCEMENTS:

• resource/aws_emr_instance_group: Add configurations_json argument (#10426)

BUG FIXES:

• provider: Fix session handling to correctly validate and use assume_role credentials (#10379)
• resource/aws_autoscaling_group: Batch ALB/NLB attachments and detachments by 10 to prevent API and rate limiting errors (#10435)
• resource/aws_emr_instance_group: Remove terminated instance groups from the Terraform state (#10425)
• resource/aws_s3_bucket: Prevent infinite deletion recursion with force_destroy argument and object keys with empty "directory" prefixes present since version 2.29.0 (#10388)
• resource/aws_vpc_endpoint_route_table_association: Fix resource import support (#10454)

v2.31.0

NOTES:

• resource/aws_lambda_function: Environments using Lambda functions with VPC configurations should upgrade their Terraform AWS Provider to this version or later to appropriately handle the networking changes introduced by the improved VPC networking for AWS Lambda functions deployment. These changes prevent proper deletion of EC2 Subnets and Security Groups for accounts and regions updated to the new Lambda networking infrastructure in older versions of the Terraform AWS Provider. Additional information and configuration workarounds for prior versions can be found in this GitHub issue.

ENHANCEMENTS:

• data-source/aws_eks_cluster: Add tags attribute (#10307)
• resource/aws_efs_filesystem: Support tag-on-create (#10254)
• resource/aws_eks_cluster: Add tags argument (#10307)
• resource/aws_mq_broker: Add encryption_options configuration block (support AWS and customer managed KMS CMKs) (#10276)

BUG FIXES:

• resource/aws_lb_listener_certificate: Retry CertificateNotFound errors on creation for eventual consistency (#10294)
• resource/aws_s3_bucket_object: Fix object deletion for non-versioned objects (#10352)
• resource/aws_security_group: Handle updated ENI description and longer deletion timeframe for new Lambda Hyperplane ENIs (#10114] / [#10347)
• resource/aws_subnet: Handle updated ENI description and longer deletion timeframe for new Lambda Hyperplane ENIs (#10114] / [#10347)
• resource/aws_vpc_peering_connection: Ensure allow_remote_vpc_dns_resolution usage works with inter-region peering (#7627)
• resource/aws_vpc_peering_connection_accepter: Ensure allow_remote_vpc_dns_resolution usage works with inter-region peering (#7627)
• resource/aws_vpc_peering_connection_options: Ensure allow_remote_vpc_dns_resolution usage works with inter-region peering (#7627)
• resource/aws_wafregional_web_acl_association: Ensure missing resource triggers state removal (#10216)
• service/waf: Prevent incorrect Error getting WAF change token errors for API calls that should be retried or specially handled (#10242)
• service/wafregional: Prevent incorrect Error getting WAF regional change token errors for API calls that should be retried or specially handled (#10242)

v2.30.0

NOTES:

• provider: The default development, testing, and building of the Terraform AWS Provider binary is now done with Go 1.13. This version of Go now requires macOS 10.11 El Capitan or later and FreeBSD 11.2 or later. Support for previous versions of those operating systems has been discontinued. (#10206)
• provider: The actual Terraform version running the provider will now be included the AWS Go SDK User-Agent headers for Terraform 0.12 and later. Terraform 0.11 and earlier will use Terraform/0.11+compatible as this information was not accessible in those versions. Previously, the Terraform version in the User-Agent header was based on the github.com/hashicorp/terraform dependency in the provider codebase. (#9570)

ENHANCEMENTS:

• data-source/aws_cloudtrail_service_account: Support cn-north-1 region (#10134)
• data-source/aws_elastic_beanstalk_hosted_zone: Support ap-east-1, ap-northeast-3, us-gov-east-1 and us-gov-west-1 regions (#10134)
• data-source/aws_elb_hosted_zone_id: Support cn-northwest-1 region (#10134)
• data-source/aws_redshift_service_account: Support ap-northeast-3, cn-north-1, eu-north-1 and me-south-1 regions (#10134)
• provider: Use real Terraform version in User-Agent header (#9570)
• resource/aws_appsync_graphql_api: Add additional_authentication_providers configuration blocks (#8587)
• resource/aws_elastic_beanstalk_environment: Add endpoint_url attribute (#10015)
• resource/aws_lightsail_static_ip_attachment: Add ip_address attribute (#10109)
• resource/aws_opsworks_stack: Switch legacy Opsworks client User-Agent to real Terraform version (#10246)
• resource/aws_sns_topic_policy: Support resource import (#10163)
• resource/aws_sqs_queue: Support tag-on-create in AWS Commercial regions (#10156)

BUG FIXES:

• data-source/aws_elb_hosted_zone_id: Correct value for cn-north-1 region (#10134)
• resource/aws_ec2_client_vpn_endpoint: Ensure missing resource triggers state removal (#10187)
• resource/aws_instance: Prevent panic when updating credit_specification to empty configuration block (#10212)
• resource/aws_security_group: Ensure deletion errors are properly raised (#10165)
• resource/aws_spot_fleet_request: Ensure launch_specification configuration block placement_group argument is passed through to the API when it is specified (#10103)

v2.29.0

ENHANCEMENTS:

• data-source/aws_s3_bucket_object: Add object_lock_legal_hold_status, object_lock_mode and object_lock_retain_until_date attributes (#9942)
• resource/aws_glue_job: Add ability to specify python version for pythonshell in glue jobs (#9409)
• resource/aws_s3_bucket_object: Add force_destroy, object_lock_legal_hold_status, object_lock_mode and object_lock_retain_until_date attributes (#9942)
• resource/aws_ssm_association: Add import support (#10055)
• resource/aws_waf_rate_based_rule: Update rate based rule limit for WAF (#9946)
• resource/aws_wafregional_rate_based_rule: Update rate based rule limit for WAF (#9946)

BUG FIXES:

• ecs_task_definition_equivalency: Fix a crash if environment name is missing (#10074)

v2.28.1

BUG FIXES:

• Revert "resource/aws_cloudfront_distribution: Fix active_trusted_signers attribute for Terraform 0.12" (#10093)

v2.28.0

NOTES:

• resource/aws_cloudfront_distribution: This attribute implemented a legacy Terraform library (flatmap), which does not work with Terraform 0.12's data types and whose only usage was on this single attribute across all Terraform Providers. The attribute now implements (in the closest approximation to the previous implementation) the nested object data into the Terraform state in all Terraform versions. Any references to nested attributes such as active_trusted_signers.enabled will need to be updated to active_trusted_signers.0.enabled. (#10013)

FEATURES:

• New Data Source: aws_route53_resolver_rule (#9805)
• New Data Source: aws_route53_resolver_rules (#9805)

ENHANCEMENTS:

• data-source/aws_eks_cluster: Add identity attribute (support getting OIDC issuer URL) (#10006)
• resource/aws_eks_cluster: Add identity attribute (support getting OIDC issuer URL) (#10006)
• resource/aws_elasticache_cluster: Support cluster_id validation up to 50 characters (#9941)
• resource/aws_elasticache_replication_group: Support replication_group_id validation up to 40 characters (#9941)

BUG FIXES:

• resource/aws_instance: Final retries after timeouts creating and updating instance and getting instance password data
• resource/aws_cloudfront_distribution: Support accessing active_trusted_signers attribute items in Terraform 0.12 (#10013)
• resource/aws_cognito_user_pool: Fix perpetual diffs on sms_verification_message (#9758)
• resource/aws_elasticsearch_domain: Final retries after timeouts creating, updating, and deleting domains (#9892)
• resource/aws_elasticsearch_domain_policy: Final retries after timeouts upserting and deleting domain policies (#9892)
• resource/aws_iam_policy_attachment: Revert a change causing errors with policies not being found during attachment (#10063)
• resource/aws_lightsail_instance: Fixes an issue where 2-character lightsail instance names didn't get validated properly (#10046)

v2.27.0

ENHANCEMENTS:

• data-source/aws_ecs_cluster: Add setting attribute (#9720)
• provider: Support AWS C2S and SC2S endpoints (#9998)
• resource/aws_ecs_cluster: Add setting configuration blocks (support enabling Container Insights) (#9720)
• resource/aws_kinesis_firehose_delivery_stream: Add server_side_encryption configuration block (support Server Side Encryption) (#6523)

BUG FIXES:

• resource/aws_s3_bucket: Include any system tags that Terraform ignores when setting S3 bucket tags (#7342)