chore(deps): update terraform aws to v6.28.0 #66

Merged
renovate-bot merged 1 commit from renovate/aws-6.x into main 2026-01-08 15:07:56 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| aws (source) | required_provider | minor | 6.27.0 → 6.28.0 |

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.28.0

Compare Source

NOTES:

  • resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#​44999)

FEATURES:

  • New Data Source: aws_cloudfront_connection_group (#​44885)
  • New Data Source: aws_cloudfront_distribution_tenant (#​45088)
  • New List Resource: aws_kms_alias (#​45700)
  • New List Resource: aws_sqs_queue (#​45691)
  • New Resource: aws_cloudfront_connection_function (#​45664)
  • New Resource: aws_cloudfront_connection_group (#​44885)
  • New Resource: aws_cloudfront_distribution_tenant (#​45088)
  • New Resource: aws_cloudfront_multitenant_distribution (#​45535)
  • New Resource: aws_dynamodb_global_secondary_index (#​44999)
  • New Resource: aws_ecr_pull_time_update_exclusion (#​45765)
  • New Resource: aws_organizations_tag (#​45730)
  • New Resource: aws_redshift_idc_application (#​37345)
  • New Resource: aws_secretsmanager_tag (#​45825)
  • New Resource: aws_sesv2_tenant (#​45706)

ENHANCEMENTS:

  • data-source/aws_apigateway_domain_name: Add endpoint_access_mode attribute (#45741)
  • data-source/aws_db_proxy: Add endpoint_network_type and target_connection_network_type attributes (#​45634)
  • data-source/aws_dx_gateway: Add tags attribute (#​45766)
  • data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class arguments, and new valid values for rule.action.type and rule.selection.count_type arguments (#​45752)
  • data-source/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
  • data-source/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
  • data-source/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
  • data-source/aws_route53_resolver_firewall_rules: Add dns_threat_protection, confidence_threshold, firewall_threat_protection_id, firewall_domain_redirection_action, and q_type attributes (#​45711)
  • data-source/aws_route53_resolver_rule: Add target_ips attribute (#​45492)
  • data-source/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains attributes (#​45679)
  • data-source/aws_vpc_endpoint: Promote service_region and vpc_endpoint_type from attributes to arguments for filtering (#​45679)
  • resource/aws_alb: Enforce tag policy compliance for the elasticloadbalancing:loadbalancer tag type (#​45671)
  • resource/aws_alb_listener: Enforce tag policy compliance for the elasticloadbalancing:listener tag type (#​45671)
  • resource/aws_alb_listener_rule: Enforce tag policy compliance for the elasticloadbalancing:listener-rule tag type (#​45671)
  • resource/aws_alb_target_group: Enforce tag policy compliance for the elasticloadbalancing:targetgroup tag type (#​45671)
  • resource/aws_apigateway_domain_name: Add endpoint_access_mode argument and configurable timeout for create and update (#​45741)
  • resource/aws_athena_workgroup: Add customer_content_encryption_configuration argument (#​45744)
  • resource/aws_athena_workgroup: Add enable_minimum_encryption_configuration argument (#​45744)
  • resource/aws_athena_workgroup: Add monitoring_configuration argument (#​45744)
  • resource/aws_cleanrooms_collaboration: Add resource identity support (#​45548)
  • resource/aws_cloudfront_distribution: Add connection_function_association and viewer_mtls_config arguments (#​45847)
  • resource/aws_cloudfront_distribution: Add owner_account_id argument to vpc_origin_config for cross-account VPC origin support (#​45011)
  • resource/aws_cloudwatch_log_subscription_filter: Add apply_on_transformed_logs argument (#​45826)
  • resource/aws_cloudwatch_log_subscription_filter: Add emit_system_fields argument (#​45760)
  • resource/aws_db_proxy: Add endpoint_network_type and target_connection_network_type arguments (#​45634)
  • resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
  • resource/aws_docdb_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
  • resource/aws_dx_gateway: Add tags argument and tags_all attribute. This functionality requires the directconnect:TagResource and directconnect:UntagResource IAM permissions (#​45766)
  • resource/aws_ecr_repository_creation_template: Support CREATE_ON_PUSH as a valid value for applied_for (#​45720)
  • resource/aws_ecs_capacity_provider: Add managed_instances_provider.instance_launch_template.capacity_option_type argument (#​45667)
  • resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
  • resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
  • resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
  • resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the fsx:snapshot tag type (#​45671)
  • resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the fsx:volume tag type (#​45671)
  • resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the fsx:file-system tag type (#​45671)
  • resource/aws_guardduty_filter: Add finding_criteria.criterion.matches and finding_criteria.criterion.not_matches arguments (#​45758)
  • resource/aws_iam_policy: Add delay_after_policy_creation_in_ms argument. This functionality requires the iam:SetDefaultPolicyVersion IAM permission (#​42054)
  • resource/aws_iam_saml_provider: Add saml_provider_uuid attribute (#​45707)
  • resource/aws_iam_virtual_mfa_device: Add serial_number attribute (#​45751)
  • resource/aws_imagebuilder_image: Add logging_configuration argument (#​45749)
  • resource/aws_imagebuilder_image_pipeline: Add logging_configuration argument (#​45749)
  • resource/aws_inspector_assessment_target: Add plan-time validation of resource_group_arn (#​45688)
  • resource/aws_inspector_assessment_template: Add plan-time validation of rules_package_arns and target_arn (#​45688)
  • resource/aws_lambda_event_source_mapping: Add provisioned_poller_config.poller_group_name argument (#​45313)
  • resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (kafka://topic-name) for destination_config.on_failure.destination_arn argument (#​45802)
  • resource/aws_lambda_function: Add response_streaming_invoke_arn attribute (#​45652)
  • resource/aws_lambda_function: Support code_signing_config_arn in AWS GovCloud (US) Regions (#​45652)
  • resource/aws_lambda_function_url: Automatically add the lambda:InvokeFunction permission, with the InvokedViaFunctionUrl flag set to true, to the function on creation when authorization_type is NONE (#​44858)
  • resource/aws_lambda_permission: Add invoked_via_function_url argument (#​44858)
  • resource/aws_lb_target_group_attachment: Add quic_server_id argument (#​45666)
  • resource/aws_lb_target_group_attachment: Add plan-time validation of target_group_arn (#​45666)
  • resource/aws_neptune_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
  • resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the rds:db tag type (#​45671)
  • resource/aws_neptune_global_cluster: Enforce tag policy compliance for the rds:global-cluster tag type (#​45671)
  • resource/aws_networkmanager_vpc_attachment: Enable in-place updates of routing_policy_label argument. This functionality requires the networkmanager: PutAttachmentRoutingPolicyLabel and networkmanager: RemoveAttachmentRoutingPolicyLabel IAM permissions (#​45728)
  • resource/aws_osis_pipeline: Add pipeline_role_arn argument to support specifying an IAM role at the pipeline level (#45806)
  • resource/aws_rds_cluster: Enforce tag policy compliance for the rds:cluster tag type (#​45671)
  • resource/aws_redshift_data_share_consumer_association: Add plan-time validation of consumer_region (#​45688)
  • resource/aws_route53_resolver_firewall_rule: Add dns_threat_protection, confidence_threshold, and firewall_threat_protection_id arguments to support DNS Firewall Advanced rules (#​45711)
  • resource/aws_transfer_web_app: Add endpoint_details.vpc configuration block to support VPC hosted Transfer Family web app (#​45745)
  • resource/aws_vpc_endpoint: Add dns_options.private_dns_preference and dns_options.private_dns_specified_domains arguments (#​45679)
  • resource/aws_vpclattice_service_network_resource_association: Add private_dns_enabled argument (#​45673)
  • resource/aws_vpn_connection: Support in-place updates for tunnel*_inside_cidr and tunnel*_inside_ipv6_cidr arguments (#​45781)

BUG FIXES:

  • data-source/aws_ecr_authorization_token: Fix value of proxy_endpoint when registry_id is specified (#​45754)
  • data-source/aws_networkmanager_core_network_policy_document: Support account-id, not account, as a valid value for attachment_policies.conditions.type. This fixes a regression introduced in v6.27.0 (#​45788)
  • data-source/aws_vpc_endpoint: Add missing implementation for service_region attribute (#​45679)
  • provider: Fix handling of user_agent values where the product name contains a forward slash (#​45715)
  • resource/aws_batch_job_definition: Fix crash during update when node_properties has NodeRangeProperties.ecsProperties set (#​45676)
  • resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#​45694)
  • resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: PutSubscriptionFilter: Retry ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role (#​43762)
  • resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#​45778)
  • resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#​45842)
  • resource/aws_vpc: Fix reading EC2 VPC (...) default Security Group: empty result and reading EC2 VPC (...) main Route Table: empty result errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#​45780)
  • resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#​45849)
  • resource/aws_vpc_endpoint: private_dns_enabled argument is now marked as ForceNew (#​45679)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-01-08 15:07:56 +00:00
Reference
infrastructure/tofu-template!66