Update Terraform aws to v5.19.0 #271

Closed
wants to merge 1 commit into from


@staff-infrastructure-moj staff-infrastructure-moj commented Sep 29, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| aws (source) | required_provider | minor | 5.14.0 -> 5.19.0 |

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.


Release Notes

hashicorp/terraform-provider-aws (aws)

v5.19.0

BREAKING CHANGES:

NOTES:

  • data-source/aws_s3_bucket_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#​33660)
  • data-source/aws_s3_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#​33660)
  • resource/aws_iam_*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. (#​33570)

FEATURES:

  • New Resource: aws_cleanrooms_configured_table (#​33602)
  • New Resource: aws_dms_replication_config (#​32908)
  • New Resource: aws_lexv2models_bot (#​33475)
  • New Resource: aws_rds_custom_db_engine_version (#​33285)
  • New Resource: aws_vpclattice_service_network (#​30482)

ENHANCEMENTS:

  • data-source/aws_opensearch_domain: Add off_peak_window_options attribute (#​30965)
  • resource/aws_cloud9_environment_ec2: Add ubuntu-22.04-x86_64 and resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64 as valid values for image_id (#​33662)
  • resource/aws_fsx_ontap_volume: Add bypass_snaplock_enterprise_retention argument and snaplock_configuration configuration block to support SnapLock (#​32530)
  • resource/aws_fsx_ontap_volume: Add copy_tags_to_backups and snapshot_policy arguments (#​32530)
  • resource/aws_fsx_openzfs_volume: Add delete_volume_options argument (#​32530)
  • resource/aws_lightsail_bucket: Add force_delete argument (#​33586)
  • resource/aws_opensearch_domain: Add off_peak_window_options configuration block (#​30965)
  • resource/aws_opensearch_outbound_connection: Add connection_properties, connection_mode and accept_connection arguments (#​32990)
  • resource/aws_schemas_schema: Add JSONSchemaDraft4 schema type support (#​33442)
  • resource/aws_wafv2_rule_group: Add rate_based_statement.custom_key configuration block (#​33594)
  • resource/aws_wafv2_web_acl: Add rate_based_statement.custom_key configuration block (#​33594)

BUG FIXES:

  • resource/aws_batch_job_queue: Correctly validates elements of compute_environments as ARNs (#​33577)
  • resource/aws_cloudfront_continuous_deployment_policy: Fix IllegalUpdate errors when updating a staging aws_cloudfront_distribution that is part of continuous deployment (#​33578)
  • resource/aws_cloudfront_distribution: Fix IllegalUpdate errors when updating a staging distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_cloudfront_distribution: Fix PreconditionFailed errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_cloudfront_distribution: Fix StagingDistributionInUse errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_datasync_location_fsx_ontap_file_system: Correct handling of protocol.smb.domain, protocol.smb.user and protocol.smb.password (#​33641)
  • resource/aws_glacier_vault_lock: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_group_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_role: Fail validation if duplicated keys are found in assume_role_policy (#​33570)
  • resource/aws_iam_role_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_user_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_mediastore_container_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_s3_bucket_policy: Fix intermittent couldn't find resource errors on resource Create (#​33537)
  • resource/aws_ssoadmin_permission_set_inline_policy: Fail validation if duplicated keys are found in inline_policy (#​33570)
  • resource/aws_transfer_access: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_transfer_user: Fail validation if duplicated keys are found in policy (#​33570)

v5.18.1

NOTES:

  • documentation: Duplicate CDKTF guides with differing file extensions have been removed to resolve failures in the provider release workflow. (#​33630)

v5.18.0

FEATURES:

  • New Data Source: aws_fsx_ontap_file_system (#​32503)
  • New Data Source: aws_fsx_ontap_storage_virtual_machine (#​32621)
  • New Data Source: aws_fsx_ontap_storage_virtual_machines (#​32624)
  • New Data Source: aws_organizations_organizational_unit (#​33408)
  • New Resource: aws_opensearch_package (#​33227)
  • New Resource: aws_opensearch_package_association (#​33227)

ENHANCEMENTS:

  • resource/aws_fsx_ontap_storage_virtual_machine: Remove ForceNew from active_directory_configuration.self_managed_active_directory_configuration.domain_name, active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group and active_directory_configuration.self_managed_active_directory_configuration.organizational_unit_distinguished_name allowing an SVM to join AD after creation (#​33466)

BUG FIXES:

  • data-source/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#​33477)
  • resource/aws_db_instance: Fix so that storage_throughput can be changed when iops and allocated_storage are not changed (#​33529)
  • resource/aws_db_option_group: Avoid erroneous differences being reported when an option port and/or version is not set (#​33511)
  • resource/aws_fsx_ontap_storage_virtual_machine: Avoid recreating resource when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is configured (#​33466)
  • resource/aws_fsx_ontap_storage_virtual_machine: Change file_system_id to ForceNew (#​32621)
  • resource/aws_s3_bucket_accelerate_configuration: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_s3_bucket_policy: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_s3_bucket_versioning: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#​33477)

v5.17.0

NOTES:

  • data-source/aws_s3_object: Migration to AWS SDK for Go v2 means that the edge case of specifying a single / as the value for key is no longer supported (#​33358)

FEATURES:

  • New Resource: aws_shield_application_layer_automatic_response (#​33432)
  • New Resource: aws_verifiedaccess_instance (#​33459)

ENHANCEMENTS:

  • data-source/aws_s3_object: Add checksum_mode argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • data-source/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id attribute (#​33416)
  • resource/aws_s3_object: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • resource/aws_s3_object_copy: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • resource/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id argument to support cross-account Multi-Region Access Points (#​33416)
  • resource/aws_s3control_multi_region_access_point: Add details.region.region attribute (#​33416)
  • resource/aws_schemas_schema: Add JSONSchemaDraft4 schema type support (#​33442)
  • resource/aws_transfer_connector: Add sftp_config argument and make as2_config optional (#​32741)
  • resource/aws_wafv2_web_acl: Retry resource Update on WAFOptimisticLockException errors (#​33432)

BUG FIXES:

  • resource/aws_dms_replication_task: Fix error when replication_task_settings is nil (#​33456)
  • resource/aws_elasticache_cluster: Fix regression for redis engine types caused by the new transit_encryption_enabled argument (#​33451)
  • resource/aws_neptune_cluster: Fix ignored kms_key_arn on restore from DB cluster snapshot (#​33413)
  • resource/aws_servicecatalog_product: Allow import on provisioning_artifact_parameters attribute (#​33448)
  • resource/aws_subnet: Fix destroy error when there is a lingering ENI for DMS (#​33375)

v5.16.2

FEATURES:

  • New Data Source: aws_cognito_identity_pool (#​33053)
  • New Resource: aws_verifiedaccess_trust_provider (#​33195)

ENHANCEMENTS:

  • resource/aws_autoscaling_group: Change the default values of instance_refresh.preferences.scale_in_protected_instances and instance_refresh.preferences.standby_instances from Wait to the Amazon EC2 Auto Scaling console recommended value of Ignore (#​33382)
  • resource/aws_s3control_object_lambda_access_point: Add alias attribute (#​33388)

BUG FIXES:

  • resource/aws_autoscaling_group: Fix ValidationError errors when starting Auto Scaling group instance refresh (#​33382)
  • resource/aws_iot_topic_rule: Fix InvalidParameter errors on Update with Kafka destinations (#​33360)
  • resource/aws_lightsail_certificate: Fix validation of name (#​33405)
  • resource/aws_lightsail_database: Fix validation of name (#​33405)
  • resource/aws_lightsail_disk: Fix validation of name (#​33405)
  • resource/aws_lightsail_instance: Fix validation of name (#​33405)
  • resource/aws_lightsail_lb: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_attachment: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_certificate: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_certificate_attachment: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_https_redirection_policy: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_stickiness_policy: Fix validation of lb_name (#​33405)

v5.16.1

BUG FIXES:

  • data-source/aws_efs_file_system: Fix Search returned 0 results errors when there are more than 101 file systems in the configured Region (#​33336)
  • resource/aws_db_instance_automated_backups_replication: Fix unexpected state errors on resource Create (#​33369)
  • resource/aws_glue_catalog_table: Fix removal of metadata_location and table_type parameters when updating Iceberg tables (#​33374)
  • resource/aws_service_discovery_instance: Fix validation error "expected to match regular expression" (#​33371)

v5.16.0

NOTES:

  • provider: Performance regression introduced in v5.14.0 should be largely mitigated (#​33317)

FEATURES:

  • New Resource: aws_shield_drt_access_log_bucket_association (#​33328)
  • New Resource: aws_shield_drt_access_role_arn_association (#​33328)

ENHANCEMENTS:

  • data-source/aws_api_gateway_api_key: Add customer_id attribute (#​33281)
  • data-source/aws_fsx_windows_file_system: Add disk_iops_configuration attribute (#​33303)
  • data-source/aws_opensearch_domain: Add software_update_options attribute (#​32234)
  • data-source/aws_s3_objects: Add request_payer argument and request_charged attribute (#​33304)
  • data-source/aws_s3_objects: Add plan-time validation of encoding_type (#​33304)
  • resource/aws_api_gateway_account: Add api_key_version and features attributes (#​33279)
  • resource/aws_api_gateway_api_key: Add customer_id argument (#​33281)
  • resource/aws_api_gateway_api_key: Allow updating name (#​33281)
  • resource/aws_autoscaling_group: Add scale_in_protected_instances and standby_instances attributes to instance_refresh.preferences configuration block (#​33310)
  • resource/aws_dms_endpoint: Add redshift-serverless as valid value for engine_name (#​33316)
  • resource/aws_elasticache_cluster: Add transit_encryption_enabled argument, enabling in-transit encryption for Memcached clusters inside a VPC (#​26987)
  • resource/aws_fsx_windows_file_system: Add disk_iops_configuration configuration block (#​33303)
  • resource/aws_glue_catalog_table: Add open_table_format_input configuration block to support open table formats such as Apache Iceberg (#​33274)
  • resource/aws_medialive_channel: Implement expand/flatten functions for automatic_input_failover_settings in input_attachments (#​33129)
  • resource/aws_opensearch_domain: Add software_update_options attribute (#​32234)
  • resource/aws_ssm_association: Add sync_compliance attribute (#​23515)

BUG FIXES:

  • data-source/aws_identitystore_group: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#​33311)
  • data-source/aws_identitystore_user: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#​33311)
  • data-source/aws_s3_objects: Respect configured max_keys value if it's greater than 1000 (#​33304)
  • resource/aws_api_gateway_account: Allow setting cloudwatch_role_arn to an empty value and set it correctly on Read, allowing its value to be determined on import (#​33279)
  • resource/aws_fsx_ontap_file_system: Increase maximum value of disk_iops_configuration.iops to 160000 (#​33263)
  • resource/aws_servicecatalog_principal_portfolio_association: Fix ResourceNotFoundException errors on resource Delete when configured principal_type is IAM_PATTERN (#​32243)

v5.15.0

ENHANCEMENTS:

  • data-source/aws_efs_file_system: Add name attribute (#​33243)
  • data-source/aws_lakeformation_data_lake_settings: Add read_only_admins attribute (#​33189)
  • data-source/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled attribute (#​33031)
  • resource/aws_cloudformation_stack_set: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,CallAs syntax for import block or terraform import command (#​19092)
  • resource/aws_cloudformation_stack_set_instance: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,AccountID,Region,CallAs syntax for import block or terraform import command (#​19092)
  • resource/aws_datasync_location_fsx_openzfs_file_system: Fix setting protocol: Invalid address to set errors (#​33225)
  • resource/aws_efs_file_system: Add name attribute (#​33243)
  • resource/aws_fsx_openzfs_file_system: Add endpoint_ip_address_range, preferred_subnet_id and route_table_ids arguments to support the Multi-AZ deployment type (#​33245)
  • resource/aws_lakeformation_data_lake_settings: Add read_only_admins argument (#​33189)
  • resource/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled argument (#​33031)
  • resource/aws_wafv2_rule_group: Add name_prefix argument (#​33206)
  • resource/aws_wafv2_web_acl: Add statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_atp_rule_set.enable_regex_in_path argument (#​33217)

BUG FIXES:

  • provider: Correctly use old and new tag values when updating tags that are computed (#​33226)
  • resource/aws_appflow_connector_profile: Fix validation on oauth2 in custom_connector_profile (#​33192)
  • resource/aws_cloudformation_stack_set: Fix Can only set RetainStacksOnAccountRemoval if AutoDeployment is enabled errors (#​19092)
  • resource/aws_cloudwatch_event_bus_policy: Fix error during plan when the associated aws_cloudwatch_event_bus resource is manually deleted (#​33203)
  • resource/aws_codeartifact_domain: Change the type of asset_size_bytes to TypeString instead of TypeInt to prevent value out of range panic (#​33220)
  • resource/aws_efs_file_system_policy: Retry IAM eventual consistency errors (#​21734)
  • resource/aws_fsx_openzfs_file_system: Wait for administrative action completion when updating root volume (#​33245)
  • resource/aws_iot_thing_type: Fix error during plan when resource is manually deleted (#​33203)
  • resource/aws_kms_key: Fix tag propagation: timeout while waiting for state to become 'TRUE' errors when any tag value is empty ("") (#​33226)
  • resource/aws_wafv2_web_acl: Prevent deletion of the AWS-managed ShieldMitigationRuleGroup rule on resource Update (#​33216)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
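
The duplicate-key validation described in the v5.19.0 notes (#33570) can be anticipated before upgrading. The following is an added example, not part of this PR or the provider's code: a Python check that reports keys repeated within one JSON object of a policy document. The sample policy, bucket name and function names are constructed for illustration; Python's `json` module keeps the last duplicate, which is an assumption about this parser only and not a statement of which value the provider kept.

```python
import json

# Constructed sample policy: the statement has two "Condition" keys.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}
"""


class _Obj(dict):
    """Parsed JSON object that also keeps every (key, value) pair as written."""

    def __init__(self, pairs):
        super().__init__(pairs)  # plain dict semantics: the last value wins
        self.pairs = pairs       # full list, including overwritten values


def _walk(node, path, found):
    """Collect paths of repeated keys, descending into overwritten values too."""
    if isinstance(node, _Obj):
        seen = set()
        for key, value in node.pairs:
            child = f"{path}.{key}"
            if key in seen and child not in found:
                found.append(child)
            seen.add(key)
            _walk(value, child, found)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", found)


def find_duplicate_keys(policy_json):
    """Return the paths of keys that occur more than once within one object."""
    found = []
    _walk(json.loads(policy_json, object_pairs_hook=_Obj), "$", found)
    return found


if __name__ == "__main__":
    # Python's json module keeps the last duplicate, so the IpAddress
    # restriction disappears from the parsed policy without any error.
    print(json.loads(SAMPLE_POLICY)["Statement"][0]["Condition"])
    print(find_duplicate_keys(SAMPLE_POLICY))
```

Run it over the rendered JSON of each `policy`, `assume_role_policy` or `inline_policy` argument; an empty list means the document has no repeated keys.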

smjmoj commented Nov 21, 2023

aws provider - should be safe but requires some caution and testing. Look at release notes for provider.

@smjmoj smjmoj closed this Dec 1, 2023
@smjmoj smjmoj deleted the renovate/aws-5.x branch December 1, 2023 17:32