Terraform AWS Provider v6.52.0 Enhances S3, Bedrock, DynamoDB, and Fixes Bugs
HashiCorp has released version 6.52.0 of the Terraform AWS Provider, introducing new resources and data sources for S3, Bedrock, and DynamoDB, alongside numerous enhancements and bug fixes. Key updates include improved handling of LakeFormation permissions for views, a cryptographically strong random generator for provider-generated names, and fixes for ElastiCache and CloudWatch Log Delivery issues. These changes primarily affect engineers and architects managing AWS infrastructure via Terraform, and some Serverless Application Repository deployments require a one-time manual state reconciliation.
- New Data Source: aws_s3_bucket_notification
- New List Resource: aws_appautoscaling_target
- New List Resource: aws_bedrockagentcore_registry
- New List Resource: aws_dynamodb_table_item
- New Resource: aws_bedrockagentcore_registry
Features (5)
- aws_s3_bucket_notification New Data Source: aws_s3_bucket_notification
- aws_appautoscaling_target New List Resource: aws_appautoscaling_target
- aws_bedrockagentcore_registry New List Resource: aws_bedrockagentcore_registry
- aws_dynamodb_table_item New List Resource: aws_dynamodb_table_item
- aws_bedrockagentcore_registry New Resource: aws_bedrockagentcore_registry
Enhancements (23)
- aws_eks_cluster Add control_plane_egress_mode attribute to vpc_config block
- provider
Generated names are now created using a cryptographically strong random generator instead of a timestamp and counter, so values are more uniformly distributed over the lowercase hexadecimal digit characters
- aws_appautoscaling_target Add resource identity support
- aws_cloudwatch_log_account_policy Add Resource Identity support
- aws_cloudwatch_log_anomaly_detector Add Resource Identity support
- aws_cloudwatch_log_data_protection_policy Add Resource Identity support
- aws_cloudwatch_log_delivery Add Resource Identity support
- aws_cloudwatch_log_delivery_destination Add Resource Identity support
- aws_cloudwatch_log_delivery_destination_policy Add Resource Identity support
- aws_cloudwatch_log_delivery_source Add Resource Identity support
- aws_cloudwatch_log_destination Add Resource Identity support
- aws_cloudwatch_log_destination_policy Add Resource Identity support
- aws_cloudwatch_log_index_policy Add Resource Identity support
- aws_cloudwatch_log_resource_policy Add Resource Identity support
- aws_cloudwatch_log_stream Add Resource Identity support
- aws_cloudwatch_query_definition Add Resource Identity support
- aws_cloudwatch_query_definition Add arn attribute
- aws_default_network_acl Prevents error on creation when tag-based authorization in use
- aws_dynamodb_table_item Add Resource Identity support
- aws_dynamodb_table_item Add import support
- aws_eks_cluster Add control_plane_egress_mode argument to vpc_config block
- aws_mq_broker
Known endpoints in instances.0.endpoints are now returned in a deterministic order based on protocol prefix and port, including the new https://...:16001 Prometheus metrics endpoint introduced in RabbitMQ 4.2 and later; any unrecognized endpoint types are appended afterward in API order
- aws_serverlessapplicationrepository_cloudformation_stack
Change capabilities from Required to Optional/Computed. Applications without required capabilities can now omit the argument and the value applied by AWS will be tracked in state
Fixes (12)
- provider
Fix AWS API errors such as EC2's IdempotentParameterMismatch by generating client-supplied idempotency tokens using a cryptographically strong random generator and extended alphabet
- provider
Restore HTTP request and response body content in TF_LOG=DEBUG output for resources, data sources, and list resources. Redaction continues to apply to ephemeral resources and actions
- aws_cloudwatch_log_delivery Add mutex lock around create, update, and delete operations to prevent ConflictException errors
- aws_cloudwatch_log_delivery Fix "Provided delivery configuration is invalid for the destination type" errors when s3_delivery_configuration is unchanged
- aws_elasticache_global_replication_group Fix persistent automatic_failover_enabled diff by reading the value from the primary member
- aws_elasticache_replication_group Fix persistent automatic_failover_enabled diff on member replication groups of an aws_elasticache_global_replication_group
- aws_elasticache_reserved_cache_node
Fix "Provider returned invalid result object after apply" and subsequent "too many results" warning that silently removed the resource from state when id was not set in configuration
- aws_elasticache_serverless_cache
Fix "InvalidParameterCombination: Serverless Cache modifications only support modifying one field per request" error when changing multiple attributes in a single apply
- aws_elasticache_user Fix user_id producing inconsistent final plan when using mixed-case values
- aws_elasticache_user_group Fix user_group_id producing inconsistent final plan when using mixed-case values
- aws_glue_catalog_table Allow in-place update of a VIRTUAL_VIEW table's view_definition by passing ViewUpdateAction to the Glue UpdateTable API
- aws_serverlessapplicationrepository_cloudformation_stack
Fix "change set: unexpected state 'FAILED', wanted target 'CREATE_COMPLETE'. last error: No updates are to be performed" errors on subsequent applies. Previously, parameters whose value matched the application's default were pruned from state, and NoEcho parameter values were stored as , both of which produced false drift
Notes (3)
- aws_lakeformation_permissions
Grants on aws_glue_catalog_table views (table_type = "VIRTUAL_VIEW") are now preserved when the view's view_definition is updated, as the underlying table is updated in place rather than recreated
- aws_serverlessapplicationrepository_cloudformation_stack
Existing affected resources whose state still contains for NoEcho parameters or is missing default-matching parameters keys require a one-time manual reconciliation after upgrading. To recover: (1) add lifecycle { ignore_changes = [parameters] } temporarily, (2) pull state with terraform state pull, (3) correct the affected parameters values and increment serial, (4) push state back with terraform state push, (5) remove the ignore_changes block, and (6) confirm with terraform plan. For non-sensitive parameters you can instead temporarily set the parameter to a non-default value, apply, revert,
- aws_serverlessapplicationrepository_cloudformation_stack
NoEcho parameter values are now persisted in Terraform state in plaintext rather than as . This is consistent with how Terraform stores other sensitive inputs (for example, aws_db_instance.password). Ensure your state backend is appropriately secured
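Step (3) of the reconciliation above, as an added example that is not part of the release notes or the provider's code: it rewrites the parameters map of the affected stacks in a pulled state file and increments serial, reporting only key names because the values are now plaintext secrets. It assumes the version 4 state file layout; the resource name, parameter names, and the PLACEHOLDER-MASK value are constructed.

```python
import copy
import json
import sys

SAR_TYPE = "aws_serverlessapplicationrepository_cloudformation_stack"

def address(res):
    # Resources inside modules carry a "module" prefix in the state file.
    return ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)

def reconcile_state(state, corrections):
    """Fix parameters values and bump serial (step 3 of the procedure).

    corrections: {resource address: {parameter key: correct value}}.
    Returns (new_state, changed); changed holds "address.key" names only,
    never values, so it is safe to log. The input state is not mutated.
    """
    new_state = copy.deepcopy(state)
    changed = []
    for res in new_state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != SAR_TYPE:
            continue
        wanted = corrections.get(address(res))
        if not wanted:
            continue
        for inst in res.get("instances", []):  # every count/for_each instance
            attrs = inst["attributes"]
            params = attrs.get("parameters") or {}
            for key, value in wanted.items():
                if params.get(key) != value:
                    params[key] = value
                    changed.append(f"{address(res)}.{key}")
            attrs["parameters"] = params
    if changed:
        new_state["serial"] = state["serial"] + 1
    return new_state, changed

# Constructed sample, trimmed to the fields used here. "PLACEHOLDER-MASK"
# stands in for the masked value that older provider versions wrote.
SAMPLE_STATE = {"version": 4, "serial": 7, "lineage": "constructed", "resources": [
    {"mode": "managed", "type": SAR_TYPE, "name": "rotator", "instances": [
        {"attributes": {"parameters": {"endpoint": "https://example.invalid",
                                       "masterSecret": "PLACEHOLDER-MASK"}}}]},
    {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
     "instances": [{"attributes": {"bucket": "example"}}]}]}

if __name__ == "__main__":
    # usage: python reconcile.py pulled.tfstate corrections.json > fixed.tfstate
    with open(sys.argv[1]) as s, open(sys.argv[2]) as c:
        fixed, names = reconcile_state(json.load(s), json.load(c))
    print("\n".join(names), file=sys.stderr)
    json.dump(fixed, sys.stdout, indent=2)
```

The pulled, corrections, and fixed files all hold NoEcho values in plaintext; keep them on a restricted path and delete them once terraform state push has succeeded.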
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.52.0