Renovate update Terraform

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	minor	5.77.0 -> 5.82.2
hashicorp/terraform	required_version	minor	1.9.8 -> 1.10.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v5.82.2

Compare Source

BUG FIXES:

• data-source/aws_lb_listener: Add mutual_authentication.advertise_trust_store_ca_names attribute. This fixes a regression introduced in v5.82.0 causing setting mutual_authentication: Invalid address to set: []string{"mutual_authentication", "0", "advertise_trust_store_ca_names"} errors (#​40658)

v5.82.1

Compare Source

ENHANCEMENTS:

• resource/aws_autoscaling_group: Add availability_zone_distribution argument (#​40634)

BUG FIXES:

• data-source/aws_iam_policy_document: Reverts plan-time validation for statement sid (#​40639)

v5.82.0

Compare Source

NOTES:

• resource/aws_resourcegroups_resource: The format of the read-only id attribute has changed to prevent inconsistent parsing which resulted in provider crashes under certain conditions. The new format is a comma-delimited string combining group_arn and resource_arn in their entirety. Configuarations relying on the previous format may need to be updated to continue functioning correctly. (#​40579)

FEATURES:

• New Data Source: aws_servicecatalogappregistry_attribute_group_associations (#​38306)
• New Resource: aws_api_gateway_domain_name_access_association (#​40566)
• New Resource: aws_cloudfront_vpc_origin (#​40239)
• New Resource: aws_memorydb_multi_region_cluster (#​40376)
• New Resource: aws_networkmanager_dx_gateway_attachment (#​40546)
• New Resource: aws_rds_cluster_snapshot_copy (#​40398)

ENHANCEMENTS:

• data-source/aws_dx_gateway: Add arn attribute (#​40546)
• data-source/aws_iam_policy_document: Add plan-time validation that the statement sid is valid, including on alphanumeric characters (#​40562)
• data-source/aws_vpc_endpoint: Add service_region attribute (#​40583)
• resource/aws_bedrockagent_agent: Add agent_collaboration attribute to configure agent collaboration role (#​40543)
• resource/aws_cloudfront_distribution: Add origin.vpc_origin_config argument (#​40239)
• resource/aws_db_parameter_group: Support import of name_prefix argument (#​40622)
• resource/aws_dx_gateway: Add arn attribute (#​40546)
• resource/aws_fsx_lustre_file_system: Add efa_enabled argument (#​40381)
• resource/aws_lb_listener: Add advertise_trust_store_ca_names attribute to the mutual_authentication configuration block (#​40550)
• resource/aws_memorydb_cluster: Add multi_region_cluster_name argument (#​40376)
• resource/aws_networkmanager_attachment_accepter: Add edge_locations attribute (#​40546)
• resource/aws_resourcegroups_resource: Add import support (#​40579)
• resource/aws_vpc_endpoint: Add service_region argument (#​40583)

BUG FIXES:

• data-source/aws_acmpca_certificate_authority: Ignore AccessDeniedException: ... is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: ... errors for RAM-shared CAs (#​39952)
• data-source/aws_licensemanager_received_license: Fix setting entitlements: Invalid address to set: []string{"entitlements", "0", "overage"} errors (#​40621)
• resource/aws_amplify_domain_association: No longer ignores changes to certificate_settings when updating. (#​40589)
• resource/aws_amplify_domain_association: Prevent "unexpected state" error when setting certificate_settings.type to CUSTOM. (#​40589)
• resource/aws_amplify_domain_association: Prevent ValidationException when setting certificate_settings.type to AMPLIFY_MANAGED. (#​40589)
• resource/aws_amplify_domain_association: Prevent permanent diff when certificate_settings not set. (#​40589)
• resource/aws_amplify_domain_association: Prevents panic in some circumstances when certificate_settings is not set during update. (#​40589)
• resource/aws_api_gateway_domain_name: Correct arn for private custom domain names (#​40566)
• resource/aws_codeconnections_host: Mark vpc_configuration.tls_certificate as Optional (#​40574)
• resource/aws_elasticache_replication_group: Prevent perpetual diff which triggers resource replacement on at_rest_encryption_enabled when engine is valkey. (#​40514)
• resource/aws_lakeformation_permissions: Add support for IAMPrincipals principal group (#​38600)
• resource/aws_lakeformation_permissions: Fix refreshing state so order is not considered in permissions and permissions_with_grant_option attributes (#​38047)
• resource/aws_lakeformation_resource_lf_tag: Fix panic when resource tries to destroy a LFTag reference that does not exist (#​40584)
• resource/aws_lambda_invocation: Set new computed value for result attribute when changing input attribute, for lifecycle scope "CRUD" (#​34263)
• resource/aws_medialive_channel: Added missing teletext_destination_settings. (#​33797)
• resource/aws_rds_cluster: Fix issue with waiter when modifying allocated_storage (#​40601)
• resource/aws_resourcegroups_resource: Fix crash when parsing certain ARN formats (#​40579)
• resource/aws_s3_bucket: Destroying a bucket with force_destroy = true can now delete objects with non-XML-safe keys (#​40537)
• resource/aws_s3_directory_bucket: Destroying a directory bucket with force_destroy = true can now delete objects with non-XML-safe keys (#​40537)
• resource/aws_secretsmanager_secret_rotation: Fix bug where automatically_after_days was not being set properly when schedule_expression had been set previously (#​34295)
• resource/aws_secretsmanager_secret_rotation: Retry rotation in case it has not yet propagated when previously an error would occur: InvalidRequestException: A previous rotation isn't complete. That rotation will be reattempted. (#​34295)
• resource/aws_sqs_queue_redrive_allow_policy: Fix perpetual redrive_allow_policy diffs (#​40604)

v5.81.0

Compare Source

FEATURES:

• New Data Source: aws_servicecatalogappregistry_attribute_group (#​38188)
• New Ephemeral Resource: aws_ssm_parameter (#​40313)
• New Resource: aws_bedrock_inference_profile (#​40294)
• New Resource: aws_cloudwatch_log_anomaly_detector (#​40437)
• New Resource: aws_ecr_account_setting (#​40219)
• New Resource: aws_msk_single_scram_secret_association (#​37056)
• New Resource: aws_servicecatalogappregistry_attribute_group (#​38183)
• New Resource: aws_servicecatalogappregistry_attribute_group_association (#​38290)

ENHANCEMENTS:

• data-source/aws_api_gateway_domain_name: Add policy and domain_name_id attributes (#​40364)
• data-source/aws_servicecatalogappregistry_application: Add tags attribute (#​38243)
• data-source/aws_sesv2_configuration_set: Add delivery_options.max_delivery_seconds and tracking_options.https_policy attributes (#​40194)
• resource/aws_api_gateway_base_path_mapping: Add domain_name_id argument (#​40447)
• resource/aws_api_gateway_domain_name: Add policy argument and domain_name_id attribute (#​40364)
• resource/aws_api_gateway_domain_name: Support PRIVATE as a valid value for endpoint_configuration.types argument, enabling custom domain name support for private REST API endpoints (#​40364)
• resource/aws_ebs_snapshot_copy: Add completion_duration_minutes argument (#​40336)
• resource/aws_glue_catalog_table_optimizer: Add configuration.retention_configuration and configuration.orphan_file_deletion_configuration attributes. (#​40199)
• resource/aws_instance: Add enable_primary_ipv6 argument to add support for enabling primary IPv6 addresses on EC2 instances (#​36425)
• resource/aws_kinesis_stream: Add plan-time validation that shard_count would not exceed the AWS account's shard quota when the data stream capacity mode is PROVISIONED, preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the kinesis:DescribeLimits IAM permission (#​40499)
• resource/aws_kinesis_stream: Add plan-time validation that creation of an on-demand stream would not exceed the AWS account's data stream quota, preventing the provider from retrying for 1 hour in the case that the quota is exceeded. This functionality requires the kinesis:DescribeLimits IAM permission (#​40499)
• resource/aws_msk_replicator: Add topic_replication.topic_name_configuration argument (#​40101)
• resource/aws_network_interface: Add enable_primary_ipv6 argument to add support for enabling primary IPv6 addresses for network interfaces (#​36425)
• resource/aws_networkfirewall_firewall_policy: Add stateful_engine_options.flow_timeouts argument (#​39996)
• resource/aws_rds_cluster: Add serverlessv2_scaling_configuration.seconds_until_auto_pause argument (#​40441)
• resource/aws_rds_global_cluster: Add tags argument and tags_all attribute (#​40470)
• resource/aws_sagemaker_notebook_instance: Support notebook-al2-v3 value for platform_identifier (#​40484)
• resource/aws_servicecatalogappregistry_application: Add tags argument and tags_all attribute (#​38243)
• resource/aws_sesv2_configuration_set: Add delivery_options.max_delivery_seconds and tracking_options.https_policy arguments (#​40194)

BUG FIXES:

• data-source/aws_kinesis_stream: Fix InvalidArgumentException: NextToken and StreamName cannot be provided together errors when the data stream has more than 1000 shards (#​40499)
• resource/aws_ce_cost_category: Change rule from TypeSet to TypeList as order is significant (#​40521)
• resource/aws_fsx_windows_file_system: Fix plan-time validation of throughput_capacity validation to allow values up to 12228 (#​40468)
• resource/aws_networkfirewall_logging_configuration: Correctly manage all configured logging_configuration.log_destination_configs (#​40092)
• resource/aws_rds_cluster: Fix InvalidDBClusterStateFault errors when deleting clusters that are members of a global cluster (#​40333)
• resource/aws_rds_cluster: Fix InvalidParameterValue: Serverless v2 maximum capacity 0.0 isn't valid. The maximum capacity must be at least 1.0. errors when removing serverlessv2_scaling_configuration in an update (#​40511)
• resource/aws_rds_cluster: Respect storage_type when restoring from S3 (#​40471)
• resource/aws_rds_cluster: Respect storage_type when restoring from snapshot (#​40471)
• resource/aws_rds_cluster: Respect storage_type when restoring to a point in time (#​40471)
• resource/aws_rds_global_cluster: Mark database_name as Computed. This prevents resource recreation when the source cluster specifies a database_name (#​40469)

v5.80.0

Compare Source

FEATURES:

• New Resource: aws_codeconnections_connection (#​40300)
• New Resource: aws_codeconnections_host (#​40300)
• New Resource: aws_s3tables_namespace (#​40420)
• New Resource: aws_s3tables_table (#​40420)
• New Resource: aws_s3tables_table_bucket (#​40420)
• New Resource: aws_s3tables_table_bucket_policy (#​40420)
• New Resource: aws_s3tables_table_policy (#​40420)

ENHANCEMENTS:

• resource/aws_bedrockagent_agent: Increase instruction max length for validation to 8000 (#​40279)
• resource/aws_dynamodb_table_replica: Add deletion_protection_enabled argument (#​35359)
• resource/aws_rds_cluster: Adjust serverlessv2_scaling_configuration.max_capacity and serverlessv2_scaling_configuration.min_capacity minimum values to 0 to support Amazon Aurora Serverless v2 scaling to 0 ACUs (#​40230)
• resource/aws_s3_directory_bucket: Support LocalZone as a valid value for location.type, enabling support for Amazon S3 Express One Zone in AWS Dedicated Local Zones (#​40339)

BUG FIXES:

• resource/aws_bedrock_provisioned_model_throughput: Properly manages tags_all when planning. (#​40305)
• resource/aws_connect_contact_flow: Fix deserialization failed, failed to decode response body with invalid JSON errors on Read (#​40419)
• resource/aws_rds_cluster_instance: Fix error when destroying from a read replica cluster (#​40409)

v5.79.0

Compare Source

FEATURES:

• New Resource: aws_vpc_block_public_access_exclusion (#​40235)
• New Resource: aws_vpc_block_public_access_options (#​40233)

ENHANCEMENTS:

• resource/aws_eks_cluster: Add compute_config, storage_config, and kubernetes_network_config.elastic_load_balancing arguments for EKS Auto Mode (#​40370)
• resource/aws_eks_cluster: Add remote_network_config argument for EKS Auto Mode (#​40371)
• resource/aws_lambda_event_source_mapping: Add metrics_config argument (#​40322)
• resource/aws_lambda_event_source_mapping: Add provisioned_poller_config argument (#​40303)
• resource/aws_rds_cluster: Add ability to promote read replica cluster to standalone (#​40337)
• resource/aws_vpc_endpoint_service: Add supported_regions argument (#​40346)

BUG FIXES:

• resource/aws_fsx_openzfs_file_system: Increase maximum value of disk_iops_configuration.iops from 350000 to 400000 for deployment_type = "SINGLE_AZ_2" (#​40359)

v5.78.0

Compare Source

NOTES:

• resource/aws_s3_bucket_lifecycle_configuration: Lifecycle configurations can now be applied to directory buckets (#​40268)

FEATURES:

• New Resource: aws_iam_organizations_features (#​40164)

ENHANCEMENTS:

• data-source/aws_memorydb_cluster: Add engine attribute (#​40224)
• data-source/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#​40224)
• resource/aws_memorydb_cluster: Add engine argument (#​40224)
• resource/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#​40224)

BUG FIXES:

• data-source/aws_rds_reserved_instance_offering: When product_description (e.g., "postgresql") is a substring of multiple products, fix Error: multiple RDS Reserved Instance Offerings matched; use additional constraints to reduce matches to a single RDS Reserved Instance Offering (#​40281)
• provider: Suppress Warning: AWS account ID not found for provider when skip_requesting_account_id is true (#​40264)
• resource/aws_batch_job_definition: Fix crash when specifying eksProperties or ecsProperties block (#​40172)
• resource/aws_bedrock_guardrail: Fix perpetual diff if multiple content_policy_config.filters_configs are specified. (#​40304)
• resource/aws_chatbot_slack_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#​40253)
• resource/aws_chatbot_teams_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#​40291)
• resource/aws_db_instance: When changing storage_type from io1 or io2 to gp3, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#​37257)
• resource/aws_db_instance: When changing a gp3 volume's allocated_storage to a value larger than the threshold value for engine, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#​28847)

hashicorp/terraform (hashicorp/terraform)

v1.10.3

Compare Source

1.10.3 (December 18, 2024)

BUG FIXES:

• Terraform could panic when encountering an error during plan encoding (#​36212)

v1.10.2

Compare Source

1.10.2 (December 11, 2024)

BUG FIXES:

• cli: variables in an auto-loaded tfvars file which were overridden during plan incorrectly show as changed during apply [GH-36180]

v1.10.1

Compare Source

1.10.1 (December 4, 2024)

BUG FIXES:

• cli: Complex variables values set via environment variables were parsed incorrectly during apply (#​36121)
• config: templatefile would panic if given and entirely unknown map of variables (#​36118)
• config: templatefile would panic if the variables map contains marked values (#​36127)
• config: Remove constraint that an expanded resource block must only be used in conjunction with imports using for_each (#​36119)
• backend/s3: Lock files could not be written to buckets with object locking enabled (#​36120)

v1.10.0

Compare Source

1.10.0 (November 27, 2024)

NEW FEATURES:

• Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
• Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
  • ephemeralasnull function: a function takes a value of any type and returns a similar value of the same type with any ephemeral values replaced with non-ephemeral null values and all non-ephemeral values preserved.

BUG FIXES:

• The secret_suffix in the kubernetes backend now includes validation to prevent errors when the secret_suffix ends with a number (#​35666).
• The error message for an invalid default value for an input variable now indicates when the problem is with a nested value in a complex data type. (#​35465)
• Sensitive marks could be incorrectly transferred to nested resource values, causing erroneous changes during a plan (#​35501)
• Allow unknown error_message values to pass the core validate step, so variable validation can be completed later during plan
  (#​35537)
• Unencoded slashes within GitHub module source refs were being truncated and incorrectly used as subdirectories in the request path (#​35552)
• Terraform refresh-only plans with output only changes are now applyable. (#​35812)
• Postconditions referencing self with many instances could encounter an error during evaluation (#​35895)
• The plantimestamp() function would return an invalid date during validation (#​35902)
• Updates to resources which were forced to use create_before_destroy could lose that flag in the state temporarily and cause cycles if immediately removed from the configuration (#​35966)
• backend/cloud: Prefer KV tags, even when tags are defined as set (#​35937)
• Simplify config generation (plan -generate-config-out) for string attributes that contain primitive types (e.g. numbers or booleans) (#​35984)
• config: issensitive could incorrectly assert that an unknown value was not sensitive during plan, but later became sensitive during apply, causing failures where changes did not match the planned result (#​36012)
• config: The evaluation of conditional expressions and for expression in HCL could lose marks with certain combinations of unknown values (#​36017)

ENHANCEMENTS:

• The element function now accepts negative indices (#​35501)
• Import block validation has been improved to provide more useful errors and catch more invalid cases during terraform validate (#​35543)
• Performance enhancements for resource evaluation, especially when large numbers of resource instances are involved (#​35558)
• The plan, apply, and refresh commands now produce a deprecated warning when using the -state flag. Instead use the path attribute within the local backend to modify the state file. (#​35660)
• backend/cos: Add new auth for Tencent Cloud backend (#​35888)

UPGRADE NOTES:

• backend/s3: Removes deprecated attributes for assuming IAM role. Must use the assume_role block (#​35721)
• backend/s3: The s3 backend now supports S3 native state locking. When used with DynamoDB-based locking, locks will be acquired from both sources. In a future minor release of Terraform the DynamoDB locking mechanism and associated arguments will be deprecated. (#​35661)
• moved: Moved blocks now respect reserved keywords when parsing resource addresses. Configurations that reference resources with type names that match top level blocks and keywords from moved blocks will need to prepend the resource. identifier to these references. (#​35850)
• config: In order to ensure consistency in results from HCL conditional expressions, marks must be combined from all values within the expression to avoid losing mark information. This typically improves accuracy when validating configuration, but users may see sensitive results where they were lost previously.

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.