chore(deps): update terraform by renovate[bot] · Pull Request #514 · overmindtech/terraform-example

renovate · 2026-03-27T00:52:51Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	minor	`< 6.38` → `< 6.45`
aws (source)	required_provider	minor	`6.37.0` → `6.44.0`
google (source)	required_provider	minor	`7.25.0` → `7.31.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

hashicorp/terraform-provider-aws (aws)

`v6.44.0`

Compare Source

NOTES:

resource/aws_dynamodb_global_secondary_index: This resource type is no longer experimental. The schema and behavior are now subject to the backwards compatibility guarantee of the provider. (#47747)
resource/aws_outposts_capacity_task: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#47681)

FEATURES:

New Data Source: aws_glue_catalog (#43583)
New List Resource: aws_alb_target_group_attachment (#47724)
New List Resource: aws_appautoscaling_policy (#47718)
New List Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New List Resource: aws_dynamodb_global_secondary_index (#47785)
New List Resource: aws_dynamodb_table (#47518)
New List Resource: aws_ecr_repository_policy (#47763)
New List Resource: aws_glue_catalog (#43583)
New List Resource: aws_lb_target_group_attachment (#47724)
New List Resource: aws_s3_bucket_logging (#47766)
New List Resource: aws_securityhub_standards_control (#47702)
New List Resource: aws_vpc_endpoint_route_table_association (#47751)
New Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New Resource: aws_glue_catalog (#43583)
New Resource: aws_outposts_capacity_task (#47681)
New Resource: aws_redshift_namespace_registration (#43583)

ENHANCEMENTS:

data-source/aws_glue_connection: Add authentication_configuration attribute (#43583)
resource/aws_appautoscaling_policy: Add resource identity support (#47718)
resource/aws_ec2_client_vpn_endpoint: Add transit_gateway_configuration block (#47635)
resource/aws_fsx_lustre_file_system: Support in-place modification of file_system_type_version (#47703)
resource/aws_fsx_windows_file_system: Add self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#47752)
resource/aws_glue_connection: Add authentication_configuration argument (#43583)
resource/aws_timestreaminfluxdb_db_cluster: Add Resource Identity support (#47052)
resource/aws_timestreaminfluxdb_db_cluster: Add maintenance_schedule configuration block (#47354)
resource/aws_timestreaminfluxdb_db_instance: Add Resource Identity support (#47052)
resource/aws_vpc_endpoint_route_table_association: Add resource identity support (#47751)

BUG FIXES:

resource/aws_odb_cloud_vm_cluster: Attempt to read GI Version from resource tags to avoid failures due to new API response values (#46589)
resource/aws_s3files_synchronization_configuration: Fix Delete to use the file system prefix when resetting the synchronization configuration (#47760)
resource/aws_securityhub_configuration_policy_association: Fix waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#47783)
resource/aws_timestreaminfluxdb_db_cluster: Correct plan-time validation of db_parameter_group_identifier (#47052)

`v6.43.0`

Compare Source

FEATURES:

New Data Source: aws_securityhub_enabled_standards (#43947)
New Data Source: aws_securityhub_security_controls (#43947)
New List Resource: aws_db_subnet_group (#47637)
New List Resource: aws_ec2_network_insights_access_scope (#47582)
New List Resource: aws_iam_group_policy_attachment (#47667)
New List Resource: aws_lambda_event_source_mapping (#47686)
New List Resource: aws_securityhub_insight (#47622)
New Resource: aws_arczonalshift_autoshift_observer_notification_status (#46343)
New Resource: aws_ec2_network_insights_access_scope (#47582)
New Resource: aws_securityhub_account_v2 (#47356)

ENHANCEMENTS:

resource/aws_arczonalshift_autoshift_observer_notification_status: Add resource identity support (#46343)
resource/aws_auditmanager_assessment: Add resource identity support (#47674)
resource/aws_auditmanager_control: Add resource identity support (#47674)
resource/aws_auditmanager_framework: Add resource identity support (#47674)
resource/aws_auditmanager_framework_share: Add resource identity support (#47674)
resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#47589)
resource/aws_ecs_express_gateway_service: Deprecates current_deployment. (#47694)
resource/aws_iam_group_policy_attachment: Add resource identity support (#47667)
resource/aws_lambda_event_source_mapping: Add resource identity support (#47686)
resource/aws_securityhub_action_target: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#47078)
resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#47543)
resource/aws_securityhub_finding_aggregator: Add arn attribute (#47543)
resource/aws_securityhub_insight: Add Resource Identity support (#47543)
resource/aws_securityhub_member: Add Resource Identity support (#47543)
resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#47543)
resource/aws_securityhub_product_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control_association: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add arn attribute (#47543)
resource/aws_subnet: Automatically detect and dissociate GuardDuty-managed VPC endpoints during terraform destroy when they block subnet deletion (#46953)
resource/aws_vpc: Automatically detect and remove GuardDuty-managed VPC endpoints and security groups during terraform destroy when they block VPC deletion (#46953)

BUG FIXES:

resource/aws_cloudwatch_metric_alarm: Fix invalid One of 'metric_name', 'metric_query', or 'evaluation_criteria' must be set for a cloudwatch metric alarm plan-time errors. This fixes a regression introduced in v6.42.0 (#47666)
resource/aws_ecs_express_gateway_service: Handles more transient API errors during creation and deletion. (#47568)
resource/aws_ecs_express_gateway_service: Marks resource for re-creation if it fails while waiting for creation. (#47568)
resource/aws_ecs_express_gateway_service: Prevents errors when value of current_deployment changes. (#47694)
resource/aws_ecs_express_gateway_service: Waits until the service is INACTIVE instead of DRAINING. (#47568)
resource/aws_flow_log: Prevents error when updating from earlier versions of the provider or importing VPC Flow Logs (#47699)
resource/aws_globalaccelerator_cross_account_attachment: Fix runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#47625)
resource/aws_pinpoint_app: Lower minimum of limits.messages_per_second from 50 to 1 to match the AWS API. (#47636)
resource/aws_s3_bucket: Fix bucket creation on third-party S3-compatible APIs (e.g. OVH, Ceph RGW) by handling MalformedXML errors during tag-on-create and CreateBucketConfiguration operations (#47530)

`v6.42.0`

Compare Source

BREAKING CHANGES:

resource/aws_mq_configuration: Destruction of this resource will now delete the configuration. Previously delete was a no-op due to missing API operations, leaving resources in an unmanaged state. For this reason a breaking change was deemed acceptable in a minor version. This functionality requires the mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#47273)

NOTES:

documentation: CDKTF documentation has been removed from the provider (#47484)
resource/aws_eip: Because we cannot easily test this behavior in isolated regions, it is best effort and we ask for community help in testing (#47091)

FEATURES:

New Data Source: aws_ec2_service_link_virtual_interface (#47478)
New Data Source: aws_ec2_service_link_virtual_interfaces (#47478)
New List Resource: aws_apigatewayv2_api (#47472)
New List Resource: aws_cloudwatch_log_metric_filter (#47495)
New List Resource: aws_config_remediation_configuration (#47514)
New List Resource: aws_ebs_volume (#47551)
New List Resource: aws_ebs_volume_attachment (#47561)
New List Resource: aws_eip (#47557)
New List Resource: aws_iam_user_policy_attachment (#47467)
New List Resource: aws_internet_gateway (#47529)
New List Resource: aws_lambda_layer_version (#47496)
New List Resource: aws_launch_template (#47540)
New List Resource: aws_route53_zone (#47494)
New List Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)
New List Resource: aws_sqs_queue_policy (#47489)
New Resource: aws_cloudwatch_otel_enrichment (#47275)
New Resource: aws_ebs_volume_copy (#47311)
New Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)

ENHANCEMENTS:

data-source/aws_identitystore_user: Add user_status attribute (#47323)
data-source/aws_identitystore_users: Add user_status attribute (#47323)
data-source/aws_network_interface: Add ena_srd_specification attribute (#46669)
data-source/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_cloudwatch_log_metric_filter: Add Resource Identity support (#47495)
resource/aws_cloudwatch_metric_alarm: Add evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#47449)
resource/aws_ebs_volume_attachment: Add resource identity support (#47561)
resource/aws_eip: Add resource identity support (#47557)
resource/aws_eks_access_entry: Add Resource Identity support (#47428)
resource/aws_eks_access_policy_association: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add namespace_config argument (#44087)
resource/aws_eks_capability: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add identity_provider_config_name attribute (#47428)
resource/aws_eks_node_group: Add Resource Identity support (#47428)
resource/aws_eks_pod_identity_association: Add Resource Identity support (#47428)
resource/aws_fargate_profile: Add Resource Identity support (#47428)
resource/aws_identitystore_user: Add user_status attribute (#47323)
resource/aws_imagebuilder_lifecycle_policy: Support wildcard semantic version for resource_selection.recipe.semantic_version (#47443)
resource/aws_lambda_layer_version: Add resource identity support (#47496)
resource/aws_launch_template: Add resource identity support (#47540)
resource/aws_mq_configuration: Add skip_destroy argument (#47273)
resource/aws_mq_configuration: Implement resource deletion (#47273)
resource/aws_network_interface: Add ena_srd_specification argument to support ENA Express (#46669)
resource/aws_networkmanager_site_to_site_vpn_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#47541)
resource/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_rds_integration: Add integration_identifier attribute (#45632)
resource/aws_rds_integration: Support in-place update of data_filter and integration_name (#45632)
resource/aws_s3_bucket_inventory: Support S3 Inventory for directory buckets (#47555)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.expanded_prefixes_data_export and storage_lens_configuration.prefix_delimiter arguments (#47205)
resource/aws_s3files_file_system: Add accept_bucket_warning argument (#47510)
resource/network_peering_connection: Peer cidr management through peer_network_cidrs argument. (#46207)

BUG FIXES:

resource/aws_appintegrations_data_integration: Fix source_uri regular expression validation (#47498)
resource/aws_bedrock_guardrail: Update maximum length of topic_policy_config.topics_config.definition from 200 to 1000 to support standard tier. (#47574)
resource/aws_cloudwatch_alarm_mute_rule: Fix mute_targets.alarm_names ordering causing "Provider produced inconsistent result after apply" errors (#47507)
resource/aws_ecs_service: Excludes Express-Mode Services from listing. (#47533)
resource/aws_eip: Gracefully handle UnsupportedOperation errors in isolated regions (#47091)
resource/aws_msk_cluster: Fix a request parameter error when updating broker_node_group_info.vpc_connectivity configuration block. This fixes a regression introduced in v6.40.0 (#47515)
resource/aws_odb_network: Fix runtime error: invalid memory address or nil pointer dereference panic in statusManagedService() and statusNetwork() when FindOracleDBNetworkResourceByID returns a nil result during resource creation (#47159)
resource/aws_securityhub_member: Only set email if returned by AWS API and don't recompute invite from member_status. This prevents drift for organization members (#47106)

`v6.41.0`

Compare Source

FEATURES:

New List Resource: aws_api_gateway_integration (#47370)
New List Resource: aws_api_gateway_integration_response (#47388)
New List Resource: aws_api_gateway_method (#47365)
New List Resource: aws_api_gateway_method_response (#47387)
New List Resource: aws_api_gateway_resource (#47382)
New List Resource: aws_api_gateway_rest_api (#47404)
New List Resource: aws_apigatewayv2_route (#47452)
New List Resource: aws_cloudfront_distribution (#47459)
New List Resource: aws_cloudwatch_alarm_mute_rule (#46750)
New List Resource: aws_cloudwatch_log_subscription_filter (#47451)
New List Resource: aws_nat_gateway (#47349)
New List Resource: aws_sns_topic_policy (#47445)
New Resource: aws_cloudwatch_alarm_mute_rule (#46750)

ENHANCEMENTS:

data-source/aws_ecs_task_definition: Add volume.s3files_volume_configuration attribute (#47363)
data-source/aws_opensearch_domain: Add deployment_strategy_options block (#47401)
resource/aws_api_gateway_integration: Add resource identity support (#47357)
resource/aws_api_gateway_integration_response: Add resource identity support (#47366)
resource/aws_api_gateway_method: Add resource identity support (#47310)
resource/aws_api_gateway_method_response: Add resource identity support (#47360)
resource/aws_api_gateway_resource: Add resource identity support (#47358)
resource/aws_api_gateway_rest_api: Add resource identity support (#47384)
resource/aws_apigatewayv2_api: Add resource identity support (#47465)
resource/aws_apigatewayv2_route: Add resource identity support (#47441)
resource/aws_autoscaling_group: Add Resource Identity support (#47381)
resource/aws_autoscaling_lifecycle_hook: Add Resource Identity support (#47381)
resource/aws_autoscaling_notification: Add plan-time validation of topic_arn (#47381)
resource/aws_autoscaling_policy: Add Resource Identity support (#47381)
resource/aws_autoscaling_traffic_source_attachment: Add import support (#47381)
resource/aws_budgets_budget: Add metrics attribute (#47047)
resource/aws_cloudwatch_log_subscription_filter: Add Resource Identity support (#47451)
resource/aws_directory_service_directory: add enable_directory_data_access argument (#44736)
resource/aws_dynamodb_table: Add Resource Identity support (#47301)
resource/aws_ecs_task_definition: Add volume.s3files_volume_configuration argument (#47363)
resource/aws_elasticache_user: Add passwords_wo and passwords_wo_version write-only arguments (#45988)
resource/aws_launch_configuration: Add Resource Identity support (#47381)
resource/aws_opensearch_domain: Add deployment_strategy_options configuration block (#47401)

BUG FIXES:

data-source/aws_outposts_asset: Fix nil pointer dereference panic when asset has no ComputeAttributes or AssetLocation (#47450)
list-resource/aws_lb: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener_rule: Fixes error when no results are returned (#47455)
list-resource/aws_lb_target_group: Fixes error when no results are returned (#47455)
resource/aws_autoscaling_traffic_source_attachment: Change traffic_source to Required (#47381)
resource/aws_budgets_budget: Add missing metrics attribute required for filter_expression (#47047)
resource/aws_cloudfront_multitenant_distribution: Allows disabling the enforcement of a response_completion_timeout for Origins, by removing its default value (#46329)
resource/aws_cloudfront_multitenant_distribution: Fix function_association and lambda_function_association block ordering producing inconsistent result after apply when multiple associations are configured (#46378)
resource/aws_cloudfront_multitenant_distribution: Fix origin block ordering producing inconsistent result after apply when multiple origins are configured (#47199)
resource/aws_dynamodb_global_secondary_index: Fixes error when key_type is unknown during plan-time. (#47456)
resource/aws_dynamodb_table: Prevents validation error when global secondary index range_key is set to empty string (#47427)
resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)
resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)

`v6.40.0`

Compare Source

FEATURES:

New Data Source: aws_opensearchserverless_collection_group (#46308)
New Data Source: aws_opensearchserverless_collection_groups (#46308)
New Data Source: aws_s3files_access_point (#47352)
New Data Source: aws_s3files_file_system (#47344)
New Data Source: aws_s3files_file_systems (#47344)
New Data Source: aws_s3files_mount_target (#47347)
New List Resource: aws_config_config_rule (#47319)
New List Resource: aws_glue_job (#47266)
New List Resource: aws_opensearchserverless_collection_group (#46308)
New List Resource: aws_s3files_access_point (#47352)
New List Resource: aws_s3files_file_system (#47325)
New List Resource: aws_s3files_file_system_policy (#47355)
New List Resource: aws_s3files_mount_target (#47347)
New List Resource: aws_s3files_synchronization_configuration (#47353)
New List Resource: aws_ssm_association (#47321)
New List Resource: aws_ssm_patch_group (#47329)
New Resource: aws_opensearchserverless_collection_group (#46308)
New Resource: aws_s3files_access_point (#47352)
New Resource: aws_s3files_file_system (#47325)
New Resource: aws_s3files_file_system_policy (#47355)
New Resource: aws_s3files_mount_target (#47347)
New Resource: aws_s3files_synchronization_configuration (#47353)
New Resource: aws_servicequotas_auto_management (#45968)

ENHANCEMENTS:

data-source/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type attribute (#47279)
resource/aws_cloudformation_stack_set: Add depends_on_stack_sets to auto_deployment configuration block (#47269)
resource/aws_config_config_rule: Add Resource Identity support (#47286)
resource/aws_config_configuration_aggregator: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder_status: Add Resource Identity support (#47286)
resource/aws_config_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_delivery_channel: Add Resource Identity support (#47286)
resource/aws_config_organization_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_policy_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_managed_rule: Add Resource Identity support (#47286)
resource/aws_config_remediation_configuration: Add Resource Identity support (#47286)
resource/aws_config_retention_configuration: Add Resource Identity support (#47286)
resource/aws_controltower_landing_zone: Add remediation_types attribute (#46549)
resource/aws_glue_job: Add Resource Identity support (#47266)
resource/aws_iam_instance_profile: Add resource identity support (#47307)
resource/aws_kinesisanalyticsv2_application: Support FLINK-2_2 as a valid value for runtime_environment (#47207)
resource/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type argument (#47279)
resource/aws_opensearchserverless_access_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_lifecycle_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_config: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_vpc_endpoint: Add Resource Identity support (#47262)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.data_export.storage_lens_table_destination argument (#47152)
resource/aws_ssm_patch_group: Add resource identity support (#47318)

BUG FIXES:

resource/aws_bcmdataexports_export: Allows empty values in export.data_query.table_configurations (#47261)
resource/aws_cloudwatch_log_metric_filter: Fix validation to count pattern length in UTF-8 characters (#47287)
resource/aws_config_configuration_recorder_status: Mark name as as ForceNew (#47286)
resource/aws_organizations_account: Fix AccountAlreadyClosedException error when deleting an account that has already been closed with close_on_deletion set to true (#46627)
resource/aws_s3_bucket_server_side_encryption_configuration: Change rule.apply_server_side_encryption_by_default.kms_master_key_id, rule.blocked_encryption_types, and rule.bucket_key_enabled to Optional and Computed, preventings diffs once SSE-C is disabled for all new general purpose buckets (#47359)
resource/aws_uxc_account_customizations: Fix inconsistent result error when visible_regions or visible_services is set to an explicit empty set ([]) (#47290)

`v6.39.0`

Compare Source

NOTES:

data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version (#47133)

FEATURES:

New Data Source: aws_iam_role_policies (#46936)
New Data Source: aws_iam_role_policy_attachments (#47119)
New Data Source: aws_networkmanager_core_network (#45798)
New Data Source: aws_uxc_services (#47115)
New List Resource: aws_eks_cluster (#47133)
New List Resource: aws_organizations_aws_service_access (#46993)
New List Resource: aws_sagemaker_training_job (#46892)
New List Resource: aws_workmail_group (#47131)
New List Resource: aws_workmail_user (#47131)
New Resource: aws_organizations_aws_service_access (#46993)
New Resource: aws_sagemaker_training_job (#46892)
New Resource: aws_uxc_account_customizations (#47115)
New Resource: aws_workmail_group (#47131)
New Resource: aws_workmail_user (#47131)

ENHANCEMENTS:

data-source/aws_outposts_asset: Add instance_families attribute (#47153)
resource/aws_eks_cluster: Add resource identity support (#47133)
resource/aws_eks_cluster: Support tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
resource/aws_network_acl_rule: Add Resource Identity support (#47090)
resource/aws_observabilityadmin_centralization_rule_for_organization: Add source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
resource/aws_prometheus_scraper: Add source.vpc argument. Change source.eks to Optional (#47155)
resource/aws_s3_bucket_metric: Support bucket metrics for directory buckets (#47184)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)

BUG FIXES:

data-source/aws_eks_access_entry: Fixed tags not being returned (#47133)
data-source/aws_service_principal: Fix service principal names for EC2 and S3 in the aws-cn partition (#47141)
resource/aws_config_organization_conformance_pack: Fix creation timeout when using a delegated administrator account (#47072)
resource/aws_dynamodb_table: Fix Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
resource/aws_eks_cluster: Set bootstrap_self_managed_addons to true when importing (#47133)
resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error when cache_usage_limits is removed (#46134)
resource/aws_glue_catalog_table: Detect and report failed view creation (#47101)

`v6.38.0`

Compare Source

FEATURES:

New Action: aws_dms_start_replication_task_assessment_run (#47058)
New Data Source: aws_dynamodb_backups (#47036)
New Data Source: aws_msk_topic (#46490)
New Data Source: aws_savingsplans_offerings (#47081)
New List Resource: aws_msk_cluster (#46490)
New List Resource: aws_msk_serverless_cluster (#46490)
New List Resource: aws_msk_topic (#46490)
New List Resource: aws_route53_resolver_rule (#47063)
New List Resource: aws_sagemaker_algorithm (#47051)
New List Resource: aws_ssm_document (#46974)
New List Resource: aws_ssoadmin_account_assignment (#47067)
New List Resource: aws_vpc_endpoint (#46977)
New List Resource: aws_workmail_domain (#46931)
New Resource: aws_msk_topic (#46490)
New Resource: aws_observabilityadmin_telemetry_enrichment (#47089)
New Resource: aws_sagemaker_algorithm (#47051)
New Resource: aws_workmail_default_domain (#46931)
New Resource: aws_workmail_domain (#46931)

ENHANCEMENTS:

data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding attribute (#47065)
resource/aws_bedrockagentcore_agent_runtime: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
resource/aws_bedrockagentcore_gateway: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.api_gateway configuration block (#46916)
resource/aws_dynamodb_table: Add restore_backup_arn argument (#47068)
resource/aws_fis_experiment_template: Support KinesisStreams as a value for action.target.key (#47010)
resource/aws_fis_experiment_template: Support VPCEndpoints as a value for action.target.key (#47045)
resource/aws_mq_broker: Change user block to Optional (#46883)
resource/aws_msk_cluster: Add resource identity support (#46490)
resource/aws_msk_serverless_cluster: Add resource identity support (#46490)
resource/aws_networkfirewall_firewall_policy: Add `firewall_

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Europe/London)

Branch creation
- "before 10am on friday"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-03-27T00:58:53Z

Caution

[High Risk] Replacement API server will remain directly internet-reachable in a public subnet

The change replaces the existing api_server instance in subnet-07b5b1fb2ba02f964 with a new EC2 instance that runs an HTTP server bound to 0.0.0.0:9090 and attaches shared security groups sg-03cf38efd953aa056 and sg-089e5107637083db5. That subnet is a public subnet with 0.0.0.0/0 routed to igw-0beefc4b4a0653a6e, and the separate EIP resource 13.134.236.98 is being moved from the old instance to the replacement, so the new host will remain directly addressable from the internet rather than staying behind a load balancer-only entry path.

Because AWS applies the union of all attached security-group rules, the replacement instance will simultaneously inherit customer-facing 443 exposure from sg-03cf38efd953aa056 and broad internal 443/8080/9090 access from sg-089e5107637083db5. This creates a production EC2 host with a public endpoint and extra shared-trust network reachability, violating the org requirement that EC2 instances must not be directly internet reachable and increasing the attack surface of the API server. If this instance is compromised or misconfigured, the impact is a high-severity security exposure rather than a mere best-practice deviation.
_{View reasoning tree here.}

Signals

Routine → Multiple AWS compute and access resources showing unusual and infrequent changes at 1-2 events/week for the last 3 months, with related load balancer attachment updates at 1 event/week for the last 5 weeks, which is infrequent compared to typical patterns.
Policies → Multiple infrastructure resources showing unusual policy violations that may need review: an S3 bucket does not have server-side encryption configured and is missing required tags, while a security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

_{Additional Change Details:} Items 165 Edges 277 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

github-actions

⛔ Auto-Blocked

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

Routine 🔴 -5

Policies 🔴 -3

🔥 Risks Summary

High 1 · Medium 0 · Low 0

💥 Blast Radius

Items 77 · Edges 252

View full analysis in Overmind ↗

renovate Bot added dependencies Renovatebot and dependabot updates terraform labels Mar 27, 2026

renovate Bot enabled auto-merge (squash) March 27, 2026 00:52

github-actions Bot requested changes Mar 27, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from ba884cb to 12213ca Compare March 31, 2026 20:58

renovate Bot changed the title ~~chore(deps): update terraform aws to v6.38.0~~ chore(deps): update terraform Mar 31, 2026

renovate Bot force-pushed the renovate/terraform branch from 12213ca to 97c66a8 Compare April 1, 2026 23:30

github-actions Bot requested changes Apr 1, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 97c66a8 to 602c793 Compare April 7, 2026 21:51

github-actions Bot requested changes Apr 7, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 602c793 to 0f43049 Compare April 9, 2026 00:33

github-actions Bot requested changes Apr 9, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 0f43049 to a110d8e Compare April 15, 2026 03:03

github-actions Bot requested changes Apr 15, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from a110d8e to 23a5eca Compare April 16, 2026 03:02

github-actions Bot requested changes Apr 16, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch 3 times, most recently from 68cb654 to 23ab534 Compare April 28, 2026 20:33

renovate Bot force-pushed the renovate/terraform branch 2 times, most recently from 3241f7e to b2a3f42 Compare May 5, 2026 19:46

chore(deps): update terraform

9b4ae74

renovate Bot force-pushed the renovate/terraform branch from b2a3f42 to 9b4ae74 Compare May 6, 2026 22:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update terraform#514

chore(deps): update terraform#514
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/terraform

renovate Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v6.44.0

v6.43.0

v6.42.0

v6.41.0

v6.40.0

v6.39.0

v6.38.0

Configuration

Uh oh!

github-actions Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Signals

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Mar 27, 2026 •

edited

Loading

`v6.44.0`

`v6.43.0`

`v6.42.0`

`v6.41.0`

`v6.40.0`

`v6.39.0`

`v6.38.0`

github-actions Bot commented Mar 27, 2026 •

edited

Loading