chore(deps): update terraform

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	minor	5.87.0 -> 5.90.0
hashicorp/terraform	required_version	minor	1.10.5 -> 1.11.1

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v5.90.0

Compare Source

BREAKING CHANGES:

• resource/aws_s3_bucket_lifecycle_configuration: rule.noncurrent_version_expiration.noncurrent_days and rule.noncurrent_version_transition.noncurrent_days are Required (#​40796)

NOTES:

• data-source/aws_launch_template: elastic_gpu_specifications and elastic_inference_accelerator are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. (#​41677)
• provider: In preparation for Go 1.24, we are re-enabling the experimental post-quantum key exchange mechanism, X25519Kyber768Draft00. Previously, in environments using AWS Network Firewall, the Provider would hang due to a handshake issue between Go 1.23 and Network Firewall, which supported Suricata 6.0.9. We had disabled the post-quantum key exchange to resolve the issue. Since November 2024, AWS Network Firewall has upgraded to Suricata 7.0, which no longer has this issue. However, if you use AWS Network Firewall, we’d appreciate your help in identifying any remaining issues related to this change. (#​41655)
• provider: On December 3, 2024, Amazon SageMaker was renamed to Amazon SageMaker AI. While resource and data source names remain the same in the provider, documentation and error messages have been updated to reflect the name change. (#​41673)
• resource/aws_ecs_task_execution: overrides.inference_accelerator_overrides is deprecated. AWS no longer provides the Elastic Inference service. (#​41676)
• resource/aws_launch_template: elastic_gpu_specifications and elastic_inference_accelerator are deprecated. AWS no longer supports Elastic Graphics or Elastic Inference. (#​41677)
• resource/aws_opsworks_application: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_custom_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_ecs_cluster_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_ganglia_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_haproxy_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_java_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_memcached_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_mysql_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_nodejs_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_permission: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_php_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_rails_app_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_rds_db_instance: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_stack: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_static_web_layer: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_opsworks_user_profile: OpsWorks is no longer supported by AWS. This resource is deprecated and will be removed in the next major version. (#​41674)
• resource/aws_sagemaker_notebook_instance: accelerator_types is deprecated and will be removed in a future version. Use instance_type instead. (#​41673)

FEATURES:

• New Resource: aws_dataexchange_event_action (#​40552)
• New Resource: aws_lakeformation_opt_in (#​41611)

ENHANCEMENTS:

• data-source/aws_cloudfront_cache_policy: Add arn attribute (#​41660)
• data-source/aws_cloudfront_origin_access_control: Add arn attribute (#​41660)
• data-source/aws_cloudfront_origin_access_identity: Add arn attribute (#​41660)
• data-source/aws_cloudfront_origin_request_policy: Add arn attribute (#​41660)
• data-source/aws_cloudfront_response_headers_policy: Add arn attribute (#​41660)
• data-source/aws_dx_connection: Add state attribute (#​41575)
• data-source/aws_opensearch_domain: Add cluster_config.node_options attribute (#​40181)
• resource/aws_account_region: Allow adoption of regions in an ENABLED or DISABLED state without an explicit import operation (#​41678)
• resource/aws_account_region: Prevent errors when the region is an ENABLING or DISABLING state during creation (#​41678)
• resource/aws_cloudfront_cache_policy: Add arn attribute (#​41660)
• resource/aws_cloudfront_continuous_deployment_policy: Add arn attribute (#​41660)
• resource/aws_cloudfront_field_level_encryption_config: Add arn attribute (#​41660)
• resource/aws_cloudfront_field_level_encryption_profile: Add arn attribute (#​41660)
• resource/aws_cloudfront_origin_access_control: Add arn attribute (#​41660)
• resource/aws_cloudfront_origin_access_identity: Add arn attribute (#​41660)
• resource/aws_cloudfront_origin_request_policy: Add arn attribute (#​41660)
• resource/aws_cloudfront_response_headers_policy: Add arn attribute (#​41660)
• resource/aws_ec2_client_vpn_endpoint: Add disconnect_on_session_timeout attribute (#​41621)
• resource/aws_mwaa_environment: Lower the minimum value of the max_webservers and min_webservers arguments from 2 to 1 in support of Amazon MWAA micro environments (#​40244)
• resource/aws_opensearch_domain: Add cluster_config.node_options configuration block in support of dedicated coordinator nodes (#​40181)
• resource/aws_osis_pipeline: Add vpc_options.vpc_endpoint_management argument (#​38001)
• resource/aws_prometheus_rule_group_namespace: Add arn attribute (#​41645)
• resource/aws_prometheus_rule_group_namespace: Add tags argument and tags_all attribute (#​41645)
• resource/aws_route53_traffic_policy: Add arn attribute (#​41660)
• resource/aws_route53_traffic_policy_instance: Add arn attribute (#​41660)
• resource/aws_s3_bucket_lifecycle_configuration: Adds warning validation to require exactly one of the elements of rule.filter (#​41662)
• resource/aws_s3_bucket_lifecycle_configuration: rule.noncurrent_version_expiration.noncurrent_days and rule.noncurrent_version_transition.noncurrent_days are Required. Technically this is a breaking change, but failure to configure this attribute would have led to InvalidArgument or MalformedXML errors (#​40796)
• resource/aws_waf_byte_match_set: Add arn attribute (#​41660)
• resource/aws_waf_sql_injection_match_set: Add arn attribute (#​41660)

BUG FIXES:

• ephemeral/aws_secrets_manager_random_password: Change exclude_characters from Bool to String (#​41546)
• resource/aws_ecs_service: Fix removal of all vpc_lattice_configurations blocks (#​41594)
• resource/aws_s3_bucket_lifecycle_configuration: Fix error when converting rule configuration from filter.prefix to filter.and.prefix (#​41662)
• resource/aws_s3_bucket_lifecycle_configuration: Fix error when converting rule configuration from prefix to filter.prefix or filter.and.prefix (#​41662)
• resource/aws_sagemaker_mlflow_tracking_server: Increased the timeout from 30 to 45 minutes (#​41463)
• resource/aws_vpclattice_target_group: Retry ConflictException errors on delete (#​41594)

v5.89.0

Compare Source

FEATURES:

• New Resource: aws_macie2_organization_configuration (#​41475)
• New Resource: aws_neptunegraph_graph (#​41216)
• New Resource: aws_quicksight_role_membership (#​41589)
• New Resource: aws_rds_shard_group (#​41254)
• New Resource: aws_xray_resource_policy (#​41517)

ENHANCEMENTS:

• data-source/aws_cloudwatch_log_data_protection_policy_document: Add configuration argument (#​41524)
• data-source/aws_rds_cluster: Add cluster_scalability_type attribute (#​41254)
• data-source/aws_rds_cluster: Add database_insights_mode attribute (#​41254)
• data-source/aws_s3_bucket_object: Add application/yaml to the list of Content-Types that return a body (#​41443)
• data-source/aws_s3_object: Add application/yaml to the list of Content-Types that return a body (#​41443)
• data-source/aws_s3_object: Add checksum_crc64nvme attribute (#​41015)
• resource/aws_autoscaling_policy: Add target_tracking_configuration.customized_metric_specification.period argument to support high-resolution metrics (#​41385)
• resource/aws_db_instance: Add RequiredWith validation password_wo and password_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_docdb_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_dx_connection: Add 25Gbps and 400Gbps as supported bandwidth values (#​41547)
• resource/aws_dx_hosted_connection: Add 25Gbps as a supported bandwidth value (#​41547)
• resource/aws_dx_lag: Add 400Gbps as a supported connections_bandwidth value (#​41547)
• resource/aws_launch_template: Add network_interfaces.ena_srd_specification configuration block (#​41367)
• resource/aws_lb: Add enable_zonal_shift support for Application Load Balancers (#​41335)
• resource/aws_macie2_classification_job: Allow tags to be updated in-place (#​41266)
• resource/aws_macie2_custom_data_identifier: Allow tags to be updated in-place (#​41266)
• resource/aws_macie2_findings_filter: Allow tags to be updated in-place (#​41266)
• resource/aws_macie2_member: Allow tags to be updated in-place (#​41266)
• resource/aws_nat_gateway: Make it possible to move from secondary_private_ip_address_count to secondary_private_ip_addresses for private NAT Gateways (#​41403)
• resource/aws_rds_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_rds_cluster: Add cluster_scalability_type argument (#​41254)
• resource/aws_rds_cluster: Add database_insights_mode argument (#​41254)
• resource/aws_rds_cluster: Support "" as a valid value for engine_mode (#​41254)
• resource/aws_rds_instance: Support iam-db-auth-error as a valid value for enabled_cloudwatch_logs_exports (#​41408)
• resource/aws_redshift_cluster: Add RequiredWith validation master_password_wo and master_password_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_redshiftseverless_namespace: Add RequiredWith validation admin_user_password_wo and admin_user_password_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_s3_directory_bucket: The default value for data_redundancy is SingleLocalZone if location.type is LocalZone (#​40944)
• resource/aws_s3_object: Add checksum_crc64nvme attribute (#​41015)
• resource/aws_s3_object_copy: Add checksum_crc64nvme attribute (#​41015)
• resource/aws_secretsmanager_secret_version: Add RequiredWith validation secret_string_wo and secret_string_wo_version. Remove PreferWriteOnlyAttribute validation (#​41562)
• resource/aws_ssm_parameter: Remove PreferWriteOnlyAttribute validation (#​41562)

BUG FIXES:

• resource/aws_cloudwatch_log_delivery: Fix Provider produced inconsistent result error on s3_delivery_configuration.suffix_path (#​41497)
• resource/aws_ec2_fleet: Add spot_options.max_total_price, spot_options.min_target_capacity, spot_options.single_instance_type, and spot_options.single_availability_zone arguments (#​41272)
• resource/aws_lb_listener: Ensure that routing_http_response_server_enabled, routing_http_response_strict_transport_security_header_value, routing_http_response_access_control_allow_origin_header_value, routing_http_response_access_control_allow_methods_header_value, routing_http_response_access_control_allow_headers_header_value, routing_http_response_access_control_allow_credentials_header_value, routing_http_response_access_control_expose_headers_header_value, routing_http_response_access_control_max_age_header_value, routing_http_response_content_security_policy_header_value, routing_http_response_x_content_type_options_header_value, routing_http_response_x_frame_options_header_value, routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name, routing_http_request_x_amzn_mtls_clientcert_issuer_header_name, routing_http_request_x_amzn_mtls_clientcert_subject_header_name, routing_http_request_x_amzn_mtls_clientcert_validity_header_name, routing_http_request_x_amzn_mtls_clientcert_leaf_header_name, routing_http_request_x_amzn_mtls_clientcert_header_name, routing_http_request_x_amzn_tls_version_header_name, and routing_http_request_x_amzn_tls_cipher_suite_header_name are updated if tcp_idle_timeout_seconds does not change (#​41299)
• resource/aws_macie2_classification_job: Ensure that only status and tags can be updated in-place (#​41266)
• resource/aws_nat_gateway: Allow secondary_allocation_ids to be updated in-place (#​41403)
• resource/aws_redshift_cluster: Fix master_username validation (#​41556)
• resource/aws_s3_bucket_lifecycle_configuration: Prevents InvalidRequest error when rule.and.object_size_less_than not set. (#​41542)
• resource/aws_servicequotas_service_quota: Does not leave stuck resource in state when service quota not supported in current region. (#​41509)

v5.88.0

Compare Source

NOTES:

• resource/aws_s3_bucket_lifecycle_configuration: A warning diagnostic has been added for configurations where rule.expiration.expired_object_delete_marker is set with either rule.expiration.date or rule.expiration.days. While historically the provider allowed this invalid configuration, the migration of this resource to the Terraform Plugin Framework in v5.86.0 resulted in this misconfiguration surfacing as a hard inconsistent result after apply error. This diagnostic aims to direct users how to resolve the issue at plan time. See this issue comment for additional context. (#​41462)

FEATURES:

• New Data Source: aws_cloudwatch_contributor_managed_insight_rules (#​41472)
• New Resource: aws_cloudwatch_contributor_managed_insight_rule (#​41449)
• New Resource: aws_qbusiness_application (#​35249)

ENHANCEMENTS:

• resource/aws_bedrock_model_invocation_logging_configuration: Add video_data_delivery_enabled argument (#​41317)
• resource/aws_db_instance: Add password_wo write-only attribute (#​41366)
• resource/aws_docdb_cluster: Add master_password_wo write-only attribute (#​41413)
• resource/aws_glue_partition: Add storage_descriptor.additional_locations argument (#​41434)
• resource/aws_redshift_cluster: Add master_password_wo write-only attribute (#​41411)
• resource/aws_redshiftserverless_namespace: Add admin_user_password_wo write-only attribute (#​41412)
• resource/aws_secretsmanager_secret_version: Add secret_string_wo write-only attribute (#​41371)

BUG FIXES:

• data-source/aws_codebuild_fleet: Prevents panic when scaling_configuration is not empty. (#​41377)
• resource/aws_amplify_domain_association: Prevents unexpected state error when creating with multiple sub_domain (#​36961)
• resource/aws_bedrock_model_invocation_logging_configuration: Set embedding_data_delivery_enabled, image_data_delivery_enabled, and text_data_delivery_enabled arguments as optional with default value of true (#​41317)
• resource/aws_cloudwatch_contributor_insight_rule: Fix enable/disable rule state (#​41449)
• resource/aws_dynamodb_table: Fixes long delay in creation of replicas (#​41451)

hashicorp/terraform (hashicorp/terraform)

v1.11.1

Compare Source

1.11.1 (March 5, 2025)

BUG FIXES:

• Temporarily revert updated Windows symlink handling until we can account for known existing configurations using non-symlink junctions. (#​36575)

• terraform test: Fix crash when a run block attempts to cleanup after a non-applyable plan. (#​36582)

• Updated dependency golang.org/x/oauth2 from v0.23.0 => v0.27.0 to integrate latest changes (fix for CVE-2025-22868) (#​36584)

• lang/funcs/transpose: Avoid crash due to map with null values (#​36611)

• Combining ephemeral and sensitive marks could fail when serializing planned changes (#​36619)

v1.11.0

Compare Source

1.11.0 (February 27, 2025)

NEW FEATURES:

• Add write-only attributes to resources. Providers can specify that certain attributes are write-only. They are not persisted in state. You can use ephemeral values in write-only attributes. (#​36031)

• terraform test: The -junit-xml option for the terraform test command is now generally available. This option allows the command to create a test report in JUnit XML format. Feedback during the experimental phase helped map terraform test concepts to the JUnit XML format, and new additons may happen in future releases. (#​36324)

• S3 native state locking is now generally available. The use_lockfile argument enables users to adopt the S3-native mechanism for state locking. As part of this change, we've deprecated the DynamoDB-related arguments in favor of this new locking mechanism. While you can still use DynamoDB alongside S3-native state locking for migration purposes, we encourage migrating to the new state locking mechanism. (#​36338)

ENHANCEMENTS:

• init: Provider installation will utilise credentials configured in a .netrc file for the download and shasum URLs returned by provider registries. (#​35843)

• terraform test: Test runs now support using mocked or overridden values during unit test runs (e.g., with command = "plan"). Set override_during = plan in the test configuration to use the overridden values during the plan phase. The default value is override_during = apply. (#​36227)

• terraform test: Add new state_key attribute for run blocks, allowing test authors control over which internal state file should be used for the current test run. (#​36185)

• Updates the azure backend authentication to match the terraform-provider-azurermprovider authentication, in several ways:

  • github.com/hashicorp/go-azure-helpers: v0.43.0 -> v0.71.0
  • github.com/hashicorp/go-azure-sdk/[resource-manager/sdk]: v0.20241212.1154051. This replaces the deprecated Azure SDK used before
  • github.com/jackofallops/giovanni: v0.15.1 -> v0.27.0. Meanwhile, updating the azure storage API version from 2018-11-09 to 2023-11-03
  • Following new properties are added for the azure backend configuration:
    • use_cli
    • use_aks_workload_identity
    • client_id_file_path
    • client_certificate
    • client_id_file_path
    • client_secret_file_path
      (#​36258)

• Include ca-certificates package in our official Docker image to help with certificate handling by downstream (#​36486)

BUG FIXES:

• ephemeral values: correct error message when ephemeral values are included in provisioner output (#​36427)

• Attempting to override a variable during apply via TF_VAR_ environment variable will now yield warning instead of misleading error. (#​36435)

• backends: Fix crash when interrupting during interactive prompt for values (#​36448)

• Fixes hanging behavior seen when applying a saved plan with -auto-approve using the cloud backend (#​36453)

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.10
• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

---

Configuration

📅 Schedule: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.69%. Comparing base (44d4407) to head (c9ed218).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #211   +/-   ##
=======================================
  Coverage   71.69%   71.69%           
=======================================
  Files           1        1           
  Lines          53       53           
  Branches        6        6           
=======================================
  Hits           38       38           
  Misses         15       15           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.