6.28.0 (January 7, 2026)
NOTES:
- resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#44999)
FEATURES:
- New Data Source: `aws_cloudfront_connection_group` (#44885)
- New Data Source: `aws_cloudfront_distribution_tenant` (#45088)
- New List Resource: `aws_kms_alias` (#45700)
- New List Resource: `aws_sqs_queue` (#45691)
- New Resource: `aws_cloudfront_connection_function` (#45664)
- New Resource: `aws_cloudfront_connection_group` (#44885)
- New Resource: `aws_cloudfront_distribution_tenant` (#45088)
- New Resource: `aws_cloudfront_multitenant_distribution` (#45535)
- New Resource: `aws_dynamodb_global_secondary_index` (#44999)
- New Resource: `aws_ecr_pull_time_update_exclusion` (#45765)
- New Resource: `aws_organizations_tag` (#45730)
- New Resource: `aws_redshift_idc_application` (#37345)
- New Resource: `aws_secretsmanager_tag` (#45825)
- New Resource: `aws_sesv2_tenant` (#45706)
ENHANCEMENTS:
- data-source/aws_apigateway_domain_name: Add `endpoint_access_mode` attribute (#45741)
- data-source/aws_db_proxy: Add `endpoint_network_type` and `target_connection_network_type` attributes (#45634)
- data-source/aws_dx_gateway: Add `tags` attribute (#45766)
- data-source/aws_ecr_lifecycle_policy_document: Add `rule.action.target_storage_class` and `rule.selection.storage_class` arguments, and new valid values for `rule.action.type` and `rule.selection.count_type` arguments (#45752)
- data-source/aws_iam_saml_provider: Add `saml_provider_uuid` attribute (#45707)
- data-source/aws_lambda_function: Add `response_streaming_invoke_arn` attribute (#45652)
- data-source/aws_lambda_function: Support `code_signing_config_arn` in AWS GovCloud (US) Regions (#45652)
- data-source/aws_route53_resolver_firewall_rules: Add `dns_threat_protection`, `confidence_threshold`, `firewall_threat_protection_id`, `firewall_domain_redirection_action`, and `q_type` attributes (#45711)
- data-source/aws_route53_resolver_rule: Add `target_ips` attribute (#45492)
- data-source/aws_vpc_endpoint: Add `dns_options.private_dns_preference` and `dns_options.private_dns_specified_domains` attributes (#45679)
- data-source/aws_vpc_endpoint: Promote `service_region` and `vpc_endpoint_type` from attributes to arguments for filtering (#45679)
- resource/aws_alb: Enforce tag policy compliance for the `elasticloadbalancing:loadbalancer` tag type (#45671)
- resource/aws_alb_listener: Enforce tag policy compliance for the `elasticloadbalancing:listener` tag type (#45671)
- resource/aws_alb_listener_rule: Enforce tag policy compliance for the `elasticloadbalancing:listener-rule` tag type (#45671)
- resource/aws_alb_target_group: Enforce tag policy compliance for the `elasticloadbalancing:targetgroup` tag type (#45671)
- resource/aws_apigateway_domain_name: Add `endpoint_access_mode` argument and configurable timeout for create and update (#45741)
- resource/aws_athena_workgroup: Add `customer_content_encryption_configuration` argument (#45744)
- resource/aws_athena_workgroup: Add `enable_minimum_encryption_configuration` argument (#45744)
- resource/aws_athena_workgroup: Add `monitoring_configuration` argument (#45744)
- resource/aws_cleanrooms_collaboration: Add resource identity support (#45548)
- resource/aws_cloudfront_distribution: Add `connection_function_association` and `viewer_mtls_config` arguments (#45847)
- resource/aws_cloudfront_distribution: Add `owner_account_id` argument to `vpc_origin_config` for cross-account VPC origin support (#45011)
- resource/aws_cloudwatch_log_subscription_filter: Add `apply_on_transformed_logs` argument (#45826)
- resource/aws_cloudwatch_log_subscription_filter: Add `emit_system_fields` argument (#45760)
- resource/aws_db_proxy: Add `endpoint_network_type` and `target_connection_network_type` arguments (#45634)
- resource/aws_docdb_cluster_instance: Enforce tag policy compliance for the `rds:db` tag type (#45671)
- resource/aws_docdb_global_cluster: Enforce tag policy compliance for the `rds:global-cluster` tag type (#45671)
- resource/aws_dx_gateway: Add `tags` argument and `tags_all` attribute. This functionality requires the `directconnect:TagResource` and `directconnect:UntagResource` IAM permissions (#45766)
- resource/aws_ecr_repository_creation_template: Support `CREATE_ON_PUSH` as a valid value for `applied_for` (#45720)
- resource/aws_ecs_capacity_provider: Add `managed_instances_provider.instance_launch_template.capacity_option_type` argument (#45667)
- resource/aws_fsx_lustre_file_system: Enforce tag policy compliance for the `fsx:file-system` tag type (#45671)
- resource/aws_fsx_ontap_file_system: Enforce tag policy compliance for the `fsx:file-system` tag type (#45671)
- resource/aws_fsx_openzfs_file_system: Enforce tag policy compliance for the `fsx:file-system` tag type (#45671)
- resource/aws_fsx_openzfs_snapshot: Enforce tag policy compliance for the `fsx:snapshot` tag type (#45671)
- resource/aws_fsx_openzfs_volume: Enforce tag policy compliance for the `fsx:volume` tag type (#45671)
- resource/aws_fsx_windows_file_system: Enforce tag policy compliance for the `fsx:file-system` tag type (#45671)
- resource/aws_guardduty_filter: Add `finding_criteria.criterion.matches` and `finding_criteria.criterion.not_matches` arguments (#45758)
- resource/aws_iam_policy: Add `delay_after_policy_creation_in_ms` argument. This functionality requires the `iam:SetDefaultPolicyVersion` IAM permission (#42054)
- resource/aws_iam_saml_provider: Add `saml_provider_uuid` attribute (#45707)
- resource/aws_iam_virtual_mfa_device: Add `serial_number` attribute (#45751)
- resource/aws_imagebuilder_image: Add `logging_configuration` argument (#45749)
- resource/aws_imagebuilder_image_pipeline: Add `logging_configuration` argument (#45749)
- resource/aws_inspector_assessment_target: Add plan-time validation of `resource_group_arn` (#45688)
- resource/aws_inspector_assessment_template: Add plan-time validation of `rules_package_arns` and `target_arn` (#45688)
- resource/aws_lambda_event_source_mapping: Add `provisioned_poller_config.poller_group_name` argument (#45313)
- resource/aws_lambda_event_source_mapping: Support Amazon MSK and self-managed Apache Kafka destinations (`kafka://topic-name`) for `destination_config.on_failure.destination_arn` argument (#45802)
- resource/aws_lambda_function: Add `response_streaming_invoke_arn` attribute (#45652)
- resource/aws_lambda_function: Support `code_signing_config_arn` in AWS GovCloud (US) Regions (#45652)
- resource/aws_lambda_function_url: Automatically add the `lambda:InvokeFunction` permission, with the `InvokedViaFunctionUrl` flag set to `true`, to the function on creation when `authorization_type` is `NONE` (#44858)
- resource/aws_lambda_permission: Add `invoked_via_function_url` argument (#44858)
- resource/aws_lb_target_group_attachment: Add `quic_server_id` argument (#45666)
- resource/aws_lb_target_group_attachment: Add plan-time validation of `target_group_arn` (#45666)
- resource/aws_neptune_cluster: Enforce tag policy compliance for the `rds:cluster` tag type (#45671)
- resource/aws_neptune_cluster_instance: Enforce tag policy compliance for the `rds:db` tag type (#45671)
- resource/aws_neptune_global_cluster: Enforce tag policy compliance for the `rds:global-cluster` tag type (#45671)
- resource/aws_networkmanager_vpc_attachment: Enable in-place updates of `routing_policy_label` argument. This functionality requires the `networkmanager:PutAttachmentRoutingPolicyLabel` and `networkmanager:RemoveAttachmentRoutingPolicyLabel` IAM permissions (#45728)
- resource/aws_osis_pipeline: Add `pipeline_role_arn` argument to support specifying an IAM role at the pipeline level (#45806)
- resource/aws_rds_cluster: Enforce tag policy compliance for the `rds:cluster` tag type (#45671)
- resource/aws_redshift_data_share_consumer_association: Add plan-time validation of `consumer_region` (#45688)
- resource/aws_route53_resolver_firewall_rule: Add `dns_threat_protection`, `confidence_threshold`, and `firewall_threat_protection_id` arguments to support DNS Firewall Advanced rules (#45711)
- resource/aws_transfer_web_app: Add `endpoint_details.vpc` configuration block to support VPC hosted Transfer Family web app (#45745)
- resource/aws_vpc_endpoint: Add `dns_options.private_dns_preference` and `dns_options.private_dns_specified_domains` arguments (#45679)
- resource/aws_vpclattice_service_network_resource_association: Add `private_dns_enabled` argument (#45673)
- resource/aws_vpn_connection: Support in-place updates for `tunnel*_inside_cidr` and `tunnel*_inside_ipv6_cidr` arguments (#45781)
BUG FIXES:
- data-source/aws_ecr_authorization_token: Fix value of `proxy_endpoint` when `registry_id` is specified (#45754)
- data-source/aws_networkmanager_core_network_policy_document: Support `account-id`, not `account`, as a valid value for `attachment_policies.conditions.type`. This fixes a regression introduced in v6.27.0 (#45788)
- data-source/aws_vpc_endpoint: Add missing implementation for `service_region` attribute (#45679)
- provider: Fix handling of `user_agent` values where the product name contains a forward slash (#45715)
- resource/aws_batch_job_definition: Fix crash during update when `node_properties` has `NodeRangeProperties.ecsProperties` set (#45676)
- resource/aws_batch_job_definition: Fix handling of logically deleted results in List (#45694)
- resource/aws_cloudwatch_log_subscription_filter: CloudWatch Logs: `PutSubscriptionFilter`: Retry `ValidationException: Make sure you have given CloudWatch Logs permission to assume the provided role` (#43762)
- resource/aws_ec2_subnet_cidr_reservation: Fix 255 subnet CIDR reservation limit (#45778)
- resource/aws_nat_gateway: Handle eventual consistency with attached appliances on delete (#45842)
- resource/aws_vpc: Fix `reading EC2 VPC (...) default Security Group: empty result` and `reading EC2 VPC (...) main Route Table: empty result` errors when importing RAM-shared VPCs. This fixes a regression introduced in v6.17.0 (#45780)
- resource/aws_vpc_endpoint: Fix "InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints" error when creating S3 gateway VPC endpoint with IPv6 enabled (#45849)
- resource/aws_vpc_endpoint: `private_dns_enabled` argument is now marked as `ForceNew` (#45679)