chore(deps): update terraform by renovate[bot] · Pull Request #514 · overmindtech/terraform-example

renovate · 2026-03-27T00:52:51Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
archive (source)	required_provider	minor	`2.7.1` → `2.8.0`
aws (source)	required_provider	minor	`< 6.38` → `< 6.46`
aws (source)	required_provider	minor	`6.37.0` → `6.45.0`
google (source)	required_provider	minor	`7.25.0` → `7.32.0`
null (source)	required_provider	minor	`3.2.4` → `3.3.0`
random (source)	required_provider	minor	`3.8.1` → `3.9.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

hashicorp/terraform-provider-archive (archive)

`v2.8.0`

Compare Source

ENHANCEMENTS:

Added linux/s390x build target for IBM Z platform support (#504)

hashicorp/terraform-provider-aws (aws)

`v6.45.0`

Compare Source

FEATURES:

New List Resource: aws_observabilityadmin_telemetry_rule (#47857)
New List Resource: aws_securityhub_connector_v2 (#47678)
New Resource: aws_observabilityadmin_telemetry_evaluation (#47799)
New Resource: aws_observabilityadmin_telemetry_evaluation_for_organization (#47808)
New Resource: aws_observabilityadmin_telemetry_rule (#47857)
New Resource: aws_securityhub_aggregator_v2 (#47651)
New Resource: aws_securityhub_connector_v2 (#47678)

ENHANCEMENTS:

resource/aws_lambda_function: Add support for ruby4.0 as a runtime value (#47841)
resource/aws_lambda_function: Support mounting Amazon S3 buckets as file systems with S3 Files (#47838)
resource/aws_lambda_layer_version: Add support for ruby4.0 as a compatible_runtimes value (#47841)
resource/aws_secretsmanager_secret_version: Allow switching from secret_string to secret_string_wo without re-creating the resource. (#47815)
resource/aws_timestreaminfluxdb_db_instance: Add maintenance_schedule configuration block (#47853)

BUG FIXES:

resource/aws_elasticache_cluster: Fixed by removing valkey as an engine option to keep an alignment with aws sdk CreateCacheCluster (#45017)
resource/aws_elasticache_replication_group: Fix engine_version returning full patch version instead of minor version for Valkey engine (#46109)
resource/aws_elasticache_replication_group: Fix engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#46109)
resource/aws_grafana_workspace: Fix network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#47646)

`v6.44.0`

Compare Source

NOTES:

resource/aws_dynamodb_global_secondary_index: This resource type is no longer experimental. The schema and behavior are now subject to the backwards compatibility guarantee of the provider. (#47747)
resource/aws_outposts_capacity_task: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#47681)

FEATURES:

New Data Source: aws_glue_catalog (#43583)
New List Resource: aws_alb_target_group_attachment (#47724)
New List Resource: aws_appautoscaling_policy (#47718)
New List Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New List Resource: aws_dynamodb_global_secondary_index (#47785)
New List Resource: aws_dynamodb_table (#47518)
New List Resource: aws_ecr_repository_policy (#47763)
New List Resource: aws_glue_catalog (#43583)
New List Resource: aws_lb_target_group_attachment (#47724)
New List Resource: aws_s3_bucket_logging (#47766)
New List Resource: aws_securityhub_standards_control (#47702)
New List Resource: aws_vpc_endpoint_route_table_association (#47751)
New Resource: aws_arczonalshift_zonal_autoshift_configuration (#46114)
New Resource: aws_glue_catalog (#43583)
New Resource: aws_outposts_capacity_task (#47681)
New Resource: aws_redshift_namespace_registration (#43583)

ENHANCEMENTS:

data-source/aws_glue_connection: Add authentication_configuration attribute (#43583)
resource/aws_appautoscaling_policy: Add resource identity support (#47718)
resource/aws_ec2_client_vpn_endpoint: Add transit_gateway_configuration block (#47635)
resource/aws_fsx_lustre_file_system: Support in-place modification of file_system_type_version (#47703)
resource/aws_fsx_windows_file_system: Add self_managed_active_directory.password_wo and self_managed_active_directory.password_wo_version arguments (#47752)
resource/aws_glue_connection: Add authentication_configuration argument (#43583)
resource/aws_timestreaminfluxdb_db_cluster: Add Resource Identity support (#47052)
resource/aws_timestreaminfluxdb_db_cluster: Add maintenance_schedule configuration block (#47354)
resource/aws_timestreaminfluxdb_db_instance: Add Resource Identity support (#47052)
resource/aws_vpc_endpoint_route_table_association: Add resource identity support (#47751)

BUG FIXES:

resource/aws_odb_cloud_vm_cluster: Attempt to read GI Version from resource tags to avoid failures due to new API response values (#46589)
resource/aws_s3files_synchronization_configuration: Fix Delete to use the file system prefix when resetting the synchronization configuration (#47760)
resource/aws_securityhub_configuration_policy_association: Fix waiting for Security Hub Configuration Policy Association (...) success: timeout while waiting for state to become 'SUCCESS' (last state: 'PENDING', timeout: 5m0s) errors on Create. This fixes a regression introduced in v6.34.0 (#47783)
resource/aws_timestreaminfluxdb_db_cluster: Correct plan-time validation of db_parameter_group_identifier (#47052)

`v6.43.0`

Compare Source

FEATURES:

New Data Source: aws_securityhub_enabled_standards (#43947)
New Data Source: aws_securityhub_security_controls (#43947)
New List Resource: aws_db_subnet_group (#47637)
New List Resource: aws_ec2_network_insights_access_scope (#47582)
New List Resource: aws_iam_group_policy_attachment (#47667)
New List Resource: aws_lambda_event_source_mapping (#47686)
New List Resource: aws_securityhub_insight (#47622)
New Resource: aws_arczonalshift_autoshift_observer_notification_status (#46343)
New Resource: aws_ec2_network_insights_access_scope (#47582)
New Resource: aws_securityhub_account_v2 (#47356)

ENHANCEMENTS:

resource/aws_arczonalshift_autoshift_observer_notification_status: Add resource identity support (#46343)
resource/aws_auditmanager_assessment: Add resource identity support (#47674)
resource/aws_auditmanager_control: Add resource identity support (#47674)
resource/aws_auditmanager_framework: Add resource identity support (#47674)
resource/aws_auditmanager_framework_share: Add resource identity support (#47674)
resource/aws_bedrockagentcore_memory_strategy: Support EPISODIC as a valid value for type (#47589)
resource/aws_ecs_express_gateway_service: Deprecates current_deployment. (#47694)
resource/aws_iam_group_policy_attachment: Add resource identity support (#47667)
resource/aws_lambda_event_source_mapping: Add resource identity support (#47686)
resource/aws_securityhub_action_target: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add Resource Identity support (#47543)
resource/aws_securityhub_configuration_policy_association: Add support for SELF_MANAGED_SECURITY_HUB as a policy_id value (#47078)
resource/aws_securityhub_finding_aggregator: Add Resource Identity support (#47543)
resource/aws_securityhub_finding_aggregator: Add arn attribute (#47543)
resource/aws_securityhub_insight: Add Resource Identity support (#47543)
resource/aws_securityhub_member: Add Resource Identity support (#47543)
resource/aws_securityhub_organization_admin_account: Add Resource Identity support (#47543)
resource/aws_securityhub_product_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_control_association: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add Resource Identity support (#47543)
resource/aws_securityhub_standards_subscription: Add arn attribute (#47543)
resource/aws_subnet: Automatically detect and dissociate GuardDuty-managed VPC endpoints during terraform destroy when they block subnet deletion (#46953)
resource/aws_vpc: Automatically detect and remove GuardDuty-managed VPC endpoints and security groups during terraform destroy when they block VPC deletion (#46953)

BUG FIXES:

resource/aws_cloudwatch_metric_alarm: Fix invalid One of 'metric_name', 'metric_query', or 'evaluation_criteria' must be set for a cloudwatch metric alarm plan-time errors. This fixes a regression introduced in v6.42.0 (#47666)
resource/aws_ecs_express_gateway_service: Handles more transient API errors during creation and deletion. (#47568)
resource/aws_ecs_express_gateway_service: Marks resource for re-creation if it fails while waiting for creation. (#47568)
resource/aws_ecs_express_gateway_service: Prevents errors when value of current_deployment changes. (#47694)
resource/aws_ecs_express_gateway_service: Waits until the service is INACTIVE instead of DRAINING. (#47568)
resource/aws_flow_log: Prevents error when updating from earlier versions of the provider or importing VPC Flow Logs (#47699)
resource/aws_globalaccelerator_cross_account_attachment: Fix runtime error: invalid memory address or nil pointer dereference panics when removing resource blocks (#47625)
resource/aws_pinpoint_app: Lower minimum of limits.messages_per_second from 50 to 1 to match the AWS API. (#47636)
resource/aws_s3_bucket: Fix bucket creation on third-party S3-compatible APIs (e.g. OVH, Ceph RGW) by handling MalformedXML errors during tag-on-create and CreateBucketConfiguration operations (#47530)

`v6.42.0`

Compare Source

BREAKING CHANGES:

resource/aws_mq_configuration: Destruction of this resource will now delete the configuration. Previously delete was a no-op due to missing API operations, leaving resources in an unmanaged state. For this reason a breaking change was deemed acceptable in a minor version. This functionality requires the mq:DeleteConfiguration IAM permission. To restore the previous no-op behavior, set skip_destroy to true. (#47273)

NOTES:

documentation: CDKTF documentation has been removed from the provider (#47484)
resource/aws_eip: Because we cannot easily test this behavior in isolated regions, it is best effort and we ask for community help in testing (#47091)

FEATURES:

New Data Source: aws_ec2_service_link_virtual_interface (#47478)
New Data Source: aws_ec2_service_link_virtual_interfaces (#47478)
New List Resource: aws_apigatewayv2_api (#47472)
New List Resource: aws_cloudwatch_log_metric_filter (#47495)
New List Resource: aws_config_remediation_configuration (#47514)
New List Resource: aws_ebs_volume (#47551)
New List Resource: aws_ebs_volume_attachment (#47561)
New List Resource: aws_eip (#47557)
New List Resource: aws_iam_user_policy_attachment (#47467)
New List Resource: aws_internet_gateway (#47529)
New List Resource: aws_lambda_layer_version (#47496)
New List Resource: aws_launch_template (#47540)
New List Resource: aws_route53_zone (#47494)
New List Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)
New List Resource: aws_sqs_queue_policy (#47489)
New Resource: aws_cloudwatch_otel_enrichment (#47275)
New Resource: aws_ebs_volume_copy (#47311)
New Resource: aws_sagemaker_hyper_parameter_tuning_job (#47138)

ENHANCEMENTS:

data-source/aws_identitystore_user: Add user_status attribute (#47323)
data-source/aws_identitystore_users: Add user_status attribute (#47323)
data-source/aws_network_interface: Add ena_srd_specification attribute (#46669)
data-source/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_cloudwatch_log_metric_filter: Add Resource Identity support (#47495)
resource/aws_cloudwatch_metric_alarm: Add evaluation_criteria and evaluation_interval arguments in support of PromQL queries. Change comparison_operator and evaluation_periods to Optional (#47449)
resource/aws_ebs_volume_attachment: Add resource identity support (#47561)
resource/aws_eip: Add resource identity support (#47557)
resource/aws_eks_access_entry: Add Resource Identity support (#47428)
resource/aws_eks_access_policy_association: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add Resource Identity support (#47428)
resource/aws_eks_addon: Add namespace_config argument (#44087)
resource/aws_eks_capability: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add Resource Identity support (#47428)
resource/aws_eks_identity_provider_config: Add identity_provider_config_name attribute (#47428)
resource/aws_eks_node_group: Add Resource Identity support (#47428)
resource/aws_eks_pod_identity_association: Add Resource Identity support (#47428)
resource/aws_fargate_profile: Add Resource Identity support (#47428)
resource/aws_identitystore_user: Add user_status attribute (#47323)
resource/aws_imagebuilder_lifecycle_policy: Support wildcard semantic version for resource_selection.recipe.semantic_version (#47443)
resource/aws_lambda_layer_version: Add resource identity support (#47496)
resource/aws_launch_template: Add resource identity support (#47540)
resource/aws_mq_configuration: Add skip_destroy argument (#47273)
resource/aws_mq_configuration: Implement resource deletion (#47273)
resource/aws_network_interface: Add ena_srd_specification argument to support ENA Express (#46669)
resource/aws_networkmanager_site_to_site_vpn_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#47541)
resource/aws_odb_network: Enhancements to support cross-region restore. (#46317)
resource/aws_rds_integration: Add integration_identifier attribute (#45632)
resource/aws_rds_integration: Support in-place update of data_filter and integration_name (#45632)
resource/aws_s3_bucket_inventory: Support S3 Inventory for directory buckets (#47555)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.expanded_prefixes_data_export and storage_lens_configuration.prefix_delimiter arguments (#47205)
resource/aws_s3files_file_system: Add accept_bucket_warning argument (#47510)
resource/network_peering_connection: Peer cidr management through peer_network_cidrs argument. (#46207)

BUG FIXES:

resource/aws_appintegrations_data_integration: Fix source_uri regular expression validation (#47498)
resource/aws_bedrock_guardrail: Update maximum length of topic_policy_config.topics_config.definition from 200 to 1000 to support standard tier. (#47574)
resource/aws_cloudwatch_alarm_mute_rule: Fix mute_targets.alarm_names ordering causing "Provider produced inconsistent result after apply" errors (#47507)
resource/aws_ecs_service: Excludes Express-Mode Services from listing. (#47533)
resource/aws_eip: Gracefully handle UnsupportedOperation errors in isolated regions (#47091)
resource/aws_msk_cluster: Fix a request parameter error when updating broker_node_group_info.vpc_connectivity configuration block. This fixes a regression introduced in v6.40.0 (#47515)
resource/aws_odb_network: Fix runtime error: invalid memory address or nil pointer dereference panic in statusManagedService() and statusNetwork() when FindOracleDBNetworkResourceByID returns a nil result during resource creation (#47159)
resource/aws_securityhub_member: Only set email if returned by AWS API and don't recompute invite from member_status. This prevents drift for organization members (#47106)

`v6.41.0`

Compare Source

FEATURES:

New List Resource: aws_api_gateway_integration (#47370)
New List Resource: aws_api_gateway_integration_response (#47388)
New List Resource: aws_api_gateway_method (#47365)
New List Resource: aws_api_gateway_method_response (#47387)
New List Resource: aws_api_gateway_resource (#47382)
New List Resource: aws_api_gateway_rest_api (#47404)
New List Resource: aws_apigatewayv2_route (#47452)
New List Resource: aws_cloudfront_distribution (#47459)
New List Resource: aws_cloudwatch_alarm_mute_rule (#46750)
New List Resource: aws_cloudwatch_log_subscription_filter (#47451)
New List Resource: aws_nat_gateway (#47349)
New List Resource: aws_sns_topic_policy (#47445)
New Resource: aws_cloudwatch_alarm_mute_rule (#46750)

ENHANCEMENTS:

data-source/aws_ecs_task_definition: Add volume.s3files_volume_configuration attribute (#47363)
data-source/aws_opensearch_domain: Add deployment_strategy_options block (#47401)
resource/aws_api_gateway_integration: Add resource identity support (#47357)
resource/aws_api_gateway_integration_response: Add resource identity support (#47366)
resource/aws_api_gateway_method: Add resource identity support (#47310)
resource/aws_api_gateway_method_response: Add resource identity support (#47360)
resource/aws_api_gateway_resource: Add resource identity support (#47358)
resource/aws_api_gateway_rest_api: Add resource identity support (#47384)
resource/aws_apigatewayv2_api: Add resource identity support (#47465)
resource/aws_apigatewayv2_route: Add resource identity support (#47441)
resource/aws_autoscaling_group: Add Resource Identity support (#47381)
resource/aws_autoscaling_lifecycle_hook: Add Resource Identity support (#47381)
resource/aws_autoscaling_notification: Add plan-time validation of topic_arn (#47381)
resource/aws_autoscaling_policy: Add Resource Identity support (#47381)
resource/aws_autoscaling_traffic_source_attachment: Add import support (#47381)
resource/aws_budgets_budget: Add metrics attribute (#47047)
resource/aws_cloudwatch_log_subscription_filter: Add Resource Identity support (#47451)
resource/aws_directory_service_directory: add enable_directory_data_access argument (#44736)
resource/aws_dynamodb_table: Add Resource Identity support (#47301)
resource/aws_ecs_task_definition: Add volume.s3files_volume_configuration argument (#47363)
resource/aws_elasticache_user: Add passwords_wo and passwords_wo_version write-only arguments (#45988)
resource/aws_launch_configuration: Add Resource Identity support (#47381)
resource/aws_opensearch_domain: Add deployment_strategy_options configuration block (#47401)

BUG FIXES:

data-source/aws_outposts_asset: Fix nil pointer dereference panic when asset has no ComputeAttributes or AssetLocation (#47450)
list-resource/aws_lb: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener: Fixes error when no results are returned (#47455)
list-resource/aws_lb_listener_rule: Fixes error when no results are returned (#47455)
list-resource/aws_lb_target_group: Fixes error when no results are returned (#47455)
resource/aws_autoscaling_traffic_source_attachment: Change traffic_source to Required (#47381)
resource/aws_budgets_budget: Add missing metrics attribute required for filter_expression (#47047)
resource/aws_cloudfront_multitenant_distribution: Allows disabling the enforcement of a response_completion_timeout for Origins, by removing its default value (#46329)
resource/aws_cloudfront_multitenant_distribution: Fix function_association and lambda_function_association block ordering producing inconsistent result after apply when multiple associations are configured (#46378)
resource/aws_cloudfront_multitenant_distribution: Fix origin block ordering producing inconsistent result after apply when multiple origins are configured (#47199)
resource/aws_dynamodb_global_secondary_index: Fixes error when key_type is unknown during plan-time. (#47456)
resource/aws_dynamodb_table: Prevents validation error when global secondary index range_key is set to empty string (#47427)
resource/aws_neptune_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)
resource/aws_rds_global_cluster: Fix a regression in the minor version upgrade workflow for MySQL engine types triggered by upstream changes to the API error response text (#47448)

`v6.40.0`

Compare Source

FEATURES:

New Data Source: aws_opensearchserverless_collection_group (#46308)
New Data Source: aws_opensearchserverless_collection_groups (#46308)
New Data Source: aws_s3files_access_point (#47352)
New Data Source: aws_s3files_file_system (#47344)
New Data Source: aws_s3files_file_systems (#47344)
New Data Source: aws_s3files_mount_target (#47347)
New List Resource: aws_config_config_rule (#47319)
New List Resource: aws_glue_job (#47266)
New List Resource: aws_opensearchserverless_collection_group (#46308)
New List Resource: aws_s3files_access_point (#47352)
New List Resource: aws_s3files_file_system (#47325)
New List Resource: aws_s3files_file_system_policy (#47355)
New List Resource: aws_s3files_mount_target (#47347)
New List Resource: aws_s3files_synchronization_configuration (#47353)
New List Resource: aws_ssm_association (#47321)
New List Resource: aws_ssm_patch_group (#47329)
New Resource: aws_opensearchserverless_collection_group (#46308)
New Resource: aws_s3files_access_point (#47352)
New Resource: aws_s3files_file_system (#47325)
New Resource: aws_s3files_file_system_policy (#47355)
New Resource: aws_s3files_mount_target (#47347)
New Resource: aws_s3files_synchronization_configuration (#47353)
New Resource: aws_servicequotas_auto_management (#45968)

ENHANCEMENTS:

data-source/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type attribute (#47279)
resource/aws_cloudformation_stack_set: Add depends_on_stack_sets to auto_deployment configuration block (#47269)
resource/aws_config_config_rule: Add Resource Identity support (#47286)
resource/aws_config_configuration_aggregator: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder: Add Resource Identity support (#47286)
resource/aws_config_configuration_recorder_status: Add Resource Identity support (#47286)
resource/aws_config_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_delivery_channel: Add Resource Identity support (#47286)
resource/aws_config_organization_conformance_pack: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_policy_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_custom_rule: Add Resource Identity support (#47286)
resource/aws_config_organization_managed_rule: Add Resource Identity support (#47286)
resource/aws_config_remediation_configuration: Add Resource Identity support (#47286)
resource/aws_config_retention_configuration: Add Resource Identity support (#47286)
resource/aws_controltower_landing_zone: Add remediation_types attribute (#46549)
resource/aws_glue_job: Add Resource Identity support (#47266)
resource/aws_iam_instance_profile: Add resource identity support (#47307)
resource/aws_kinesisanalyticsv2_application: Support FLINK-2_2 as a valid value for runtime_environment (#47207)
resource/aws_msk_cluster: Add broker_node_group_info.connectivity_info.network_type argument (#47279)
resource/aws_opensearchserverless_access_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_lifecycle_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_config: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_security_policy: Add Resource Identity support (#47262)
resource/aws_opensearchserverless_vpc_endpoint: Add Resource Identity support (#47262)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.data_export.storage_lens_table_destination argument (#47152)
resource/aws_ssm_patch_group: Add resource identity support (#47318)

BUG FIXES:

resource/aws_bcmdataexports_export: Allows empty values in export.data_query.table_configurations (#47261)
resource/aws_cloudwatch_log_metric_filter: Fix validation to count pattern length in UTF-8 characters (#47287)
resource/aws_config_configuration_recorder_status: Mark name as as ForceNew (#47286)
resource/aws_organizations_account: Fix AccountAlreadyClosedException error when deleting an account that has already been closed with close_on_deletion set to true (#46627)
resource/aws_s3_bucket_server_side_encryption_configuration: Change rule.apply_server_side_encryption_by_default.kms_master_key_id, rule.blocked_encryption_types, and rule.bucket_key_enabled to Optional and Computed, preventings diffs once SSE-C is disabled for all new general purpose buckets (#47359)
resource/aws_uxc_account_customizations: Fix inconsistent result error when visible_regions or visible_services is set to an explicit empty set ([]) (#47290)

`v6.39.0`

Compare Source

NOTES:

data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version (#47133)

FEATURES:

New Data Source: aws_iam_role_policies (#46936)
New Data Source: aws_iam_role_policy_attachments (#47119)
New Data Source: aws_networkmanager_core_network (#45798)
New Data Source: aws_uxc_services (#47115)
New List Resource: aws_eks_cluster (#47133)
New List Resource: aws_organizations_aws_service_access (#46993)
New List Resource: aws_sagemaker_training_job (#46892)
New List Resource: aws_workmail_group (#47131)
New List Resource: aws_workmail_user (#47131)
New Resource: aws_organizations_aws_service_access (#46993)
New Resource: aws_sagemaker_training_job (#46892)
New Resource: aws_uxc_account_customizations (#47115)
New Resource: aws_workmail_group (#47131)
New Resource: aws_workmail_user (#47131)

ENHANCEMENTS:

data-source/aws_outposts_asset: Add instance_families attribute (#47153)
resource/aws_eks_cluster: Add resource identity support (#47133)
resource/aws_eks_cluster: Support tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
resource/aws_network_acl_rule: Add Resource Identity support (#47090)
resource/aws_observabilityadmin_centralization_rule_for_organization: Add source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
resource/aws_prometheus_scraper: Add source.vpc argument. Change source.eks to Optional (#47155)
resource/aws_s3_bucket_metric: Support bucket metrics for directory buckets (#47184)
resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)

BUG FIXES:

data-source/aws_eks_access_entry: Fixed tags not being returned (#47133)
data-source/aws_service_principal: Fix service principal names for EC2 and S3 in the aws-cn partition (#47141)
resource/aws_config_organization_conformance_pack: Fix creation timeout when using a delegated administrator account (#47072)
resource/aws_dynamodb_table: Fix Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
resource/aws_eks_cluster: Set bootstrap_self_managed_addons to true when importing (#47133)
resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error when cache_usage_limits is removed (#46134)
resource/aws_glue_catalog_table: Detect and report failed view creation (#47101)

`v6.38.0`

Compare Source

FEATURES:

New Action: aws_dms_start_replication_task_assessment_run ([#47058](https://redirect.github.com/hashicorp/t

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Europe/London)

Branch creation
- "before 10am on friday"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-03-27T00:58:53Z

Caution

[High Risk] Replacing the public ALB target group can leave the API listener with no healthy backends

The public ALB api-207c90ee-alb currently forwards its only listener directly to target group api-207c90ee-tg, and that target group is being replaced. Because the listener depends on that target group ARN and there is no evidence in the plan that existing target registrations are preserved or that a fully healthy replacement is attached before the old target group is removed, Terraform can leave the listener temporarily pointing at a new group with no healthy backends.

This is an availability risk for the public API endpoint behind api-207c90ee-alb. The backend side is already thin — the visible current target is a single instance in one AZ — and several EC2 instances are changing in the same apply, so a target group replacement can produce 503 responses or complete endpoint unavailability while targets are re-registered and health checks pass. This violates the HA expectation in REL10-BP01 and is more than routine churn because the replaced resource sits directly on the production request path.
_{View reasoning tree here.}

Caution

[High Risk] EC2 instance replacement will break consumers that depend on the current private IP and internal DNS identity

This change replaces or rehomes EC2 application instances in eu-west-2 while their private IPs, primary ENIs, and DNS names become unknown after apply. Current state shows 540044833068.eu-west-2.ec2-instance.i-038912859bce496c7 is reached at private IP 10.0.101.183 via ENI eni-061806f973f19b2d1, and there is a corresponding internal DNS record ip-10-0-101-183.eu-west-2.compute.internal that resolves directly to that address.

At the same time, the plan creates a new standalone API instance and attaches it by IP to the api-health-terraform-example target group on port 9090, while several related EC2 instances are fully replaced and lose their existing private-IP identity. Any service discovery, health-monitoring, or direct connectivity that currently depends on the old instance-private-IP DNS names will fail when those instances are replaced, causing broken routing and service downtime until every dependency is updated to the new IP-backed targets.
_{View reasoning tree here.}

Caution

[High Risk] New production EC2 health endpoint will be broadly reachable inside the peered network and continues an unmanaged instance pattern

This change adds a new production EC2 instance, github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server, that starts a Python health server bound to 0.0.0.0:9090 and attaches it directly to the internal NLB target group api-health-terraform-example. The instance is launched with security groups sg-03cf38efd953aa056 and sg-089e5107637083db5; the latter already allows port 9090 from 10.0.0.0/8, and the monitoring VPC route table shows peered connectivity between 10.50.0.0/16 and 10.0.0.0/16. That creates a broadly reachable internal endpoint rather than a narrowly scoped health check path, which conflicts with the organization’s network-access guidance for production EC2 backends.

The same change pattern also lacks evidence of a least-privilege instance role. The new instance’s iam_instance_profile is unspecified, and the current related instance 540044833068.eu-west-2.ec2-instance.i-06bc09bcdf07eed7e already shows the consequences of this pattern: it is running with no IAM instance profile, a public IP, and a root EBS volume vol-0ce1dc487246816ce that is both DeleteOnTermination=true and unencrypted. Extending this unmanaged-instance design increases the chance of exposed health endpoints, lateral movement from broad internal networks, weak credential handling, and data loss or non-compliant storage on replacement or compromise.
_{View reasoning tree here.}

Signals

Routine → Multiple AWS API resources showing unusual infrequent update patterns, with many instance, subscription, and load-balancing resources changing only 1-2 events/week for the last 3 months. Several API server resources also show 2 events/week for the last 3 weeks, which is infrequent compared to typical patterns.
Policies → S3 storage resources are showing unusual policy violations that may need review, with the S3 bucket missing required tags and not having server-side encryption configured, while a security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

_{Additional Change Details:} Items 180 Edges 306 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

github-actions

⛔ Auto-Blocked

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

Routine 🔴 -5

Policies 🔴 -3

🔥 Risks Summary

High 1 · Medium 0 · Low 0

💥 Blast Radius

Items 77 · Edges 252

View full analysis in Overmind ↗

renovate Bot added dependencies Renovatebot and dependabot updates terraform labels Mar 27, 2026

renovate Bot enabled auto-merge (squash) March 27, 2026 00:52

github-actions Bot requested changes Mar 27, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from ba884cb to 12213ca Compare March 31, 2026 20:58

renovate Bot changed the title ~~chore(deps): update terraform aws to v6.38.0~~ chore(deps): update terraform Mar 31, 2026

renovate Bot force-pushed the renovate/terraform branch from 12213ca to 97c66a8 Compare April 1, 2026 23:30

github-actions Bot requested changes Apr 1, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 97c66a8 to 602c793 Compare April 7, 2026 21:51

github-actions Bot requested changes Apr 7, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 602c793 to 0f43049 Compare April 9, 2026 00:33

github-actions Bot requested changes Apr 9, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from 0f43049 to a110d8e Compare April 15, 2026 03:03

github-actions Bot requested changes Apr 15, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch from a110d8e to 23a5eca Compare April 16, 2026 03:02

github-actions Bot requested changes Apr 16, 2026

View reviewed changes

renovate Bot force-pushed the renovate/terraform branch 3 times, most recently from 68cb654 to 23ab534 Compare April 28, 2026 20:33

renovate Bot force-pushed the renovate/terraform branch 3 times, most recently from b2a3f42 to 9b4ae74 Compare May 6, 2026 22:45

renovate Bot force-pushed the renovate/terraform branch 2 times, most recently from f4b0b4f to 58d9ee6 Compare May 13, 2026 14:54

chore(deps): update terraform

7e23daa

renovate Bot force-pushed the renovate/terraform branch from 58d9ee6 to 7e23daa Compare May 13, 2026 22:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update terraform#514

chore(deps): update terraform#514
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/terraform

renovate Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

github-actions Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Configuration

Uh oh!

github-actions Bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Signals

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⛔ Auto-Blocked

🔴 Decision

📊 Signals Summary

🔥 Risks Summary

💥 Blast Radius

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Mar 27, 2026 •

edited

Loading

github-actions Bot commented Mar 27, 2026 •

edited

Loading