hashicorp/terraform-provider-aws v6.38.0

on GitHub

6.38.0 (March 25, 2026)

FEATURES:

• New Action: aws_dms_start_replication_task_assessment_run (#47058)
• New Data Source: aws_dynamodb_backups (#47036)
• New Data Source: aws_msk_topic (#46490)
• New Data Source: aws_savingsplans_offerings (#47081)
• New List Resource: aws_msk_cluster (#46490)
• New List Resource: aws_msk_serverless_cluster (#46490)
• New List Resource: aws_msk_topic (#46490)
• New List Resource: aws_route53_resolver_rule (#47063)
• New List Resource: aws_sagemaker_algorithm (#47051)
• New List Resource: aws_ssm_document (#46974)
• New List Resource: aws_ssoadmin_account_assignment (#47067)
• New List Resource: aws_vpc_endpoint (#46977)
• New List Resource: aws_workmail_domain (#46931)
• New Resource: aws_msk_topic (#46490)
• New Resource: aws_observabilityadmin_telemetry_enrichment (#47089)
• New Resource: aws_sagemaker_algorithm (#47051)
• New Resource: aws_workmail_default_domain (#46931)
• New Resource: aws_workmail_domain (#46931)

ENHANCEMENTS:

• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding attribute (#47065)
• resource/aws_bedrockagentcore_agent_runtime: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
• resource/aws_bedrockagentcore_gateway: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#47049)
• resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.api_gateway configuration block (#46916)
• resource/aws_dynamodb_table: Add restore_backup_arn argument (#47068)
• resource/aws_fis_experiment_template: Support KinesisStreams as a value for action.target.key (#47010)
• resource/aws_fis_experiment_template: Support VPCEndpoints as a value for action.target.key (#47045)
• resource/aws_mq_broker: Change user block to Optional (#46883)
• resource/aws_msk_cluster: Add resource identity support (#46490)
• resource/aws_msk_serverless_cluster: Add resource identity support (#46490)
• resource/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding argument (#47065)
• resource/aws_securityhub_insight: Add filters.aws_account_name configuration block (#47027)
• resource/aws_securityhub_insight: Add filters.compliance_associated_standards_id configuration block (#47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_id configuration block (#47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_name configuration block (#47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_value configuration block (#47027)
• resource/aws_ssoadmin_account_assignment: Add Resource Identity support (#47067)

BUG FIXES:

• resource/aws_api_gateway_method: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_apigatewayv2_integration: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_apigatewayv2_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_apigatewayv2_stage: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_gateway_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_route: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_virtual_gateway: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_virtual_node: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_virtual_router: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_appmesh_virtual_service: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_cloudfront_distribution_tenant: Fix panic when managed certificate is not found during creation (#46982)
• resource/aws_controltower_control: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_default_route_table: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_gateway_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_private_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_public_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_hosted_transit_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_dx_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_ecs_express_gateway_service: Fix Provider produced inconsistent result after apply error when environment variables are defined in non-alphabetical order (#46771)
• resource/aws_elasticache_reserved_cache_node: Fix Provider returned invalid result object after apply errors where computed attributes remained unknown after create (#47012)
• resource/aws_kinesis_stream: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_mq_broker: Fix non-idempotent behavior for RabbitMQ brokers with user block (#46883)
• resource/aws_network_acl: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_network_interface_sg_attachment: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_opensearch_domain: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_route53recoverycontrolconfig_routing_control: Fix panic on concurrent creates when API returns ConflictException (#47038)
• resource/aws_route_table_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_serverlessapplicationrepository_cloudformation_stack: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_servicecatalog_product: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_ses_active_receipt_rule_set: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_ssm_default_patch_baseline: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_vpc_dhcp_options_association: Fix import to honor @region suffix when using resource-level region attribute (#47043)
• resource/aws_wafv2_web_acl_rule: Fix Unable to unmarshal DynamicValue error when statement.managed_rule_group_statement.rule_action_override block is specified (#46998)
• resource/aws_wafv2_web_acl_rule_group_association: Fix WAFOptimisticLockException errors when multiple associations target the same Web ACL (#47037)