
Releases: cloudposse/terraform-aws-vpc

v3.0.0

12 Sep 17:10
c71b308


🤖 Automatic Updates

chore(deps): update terraform aws to v6 (main) @[renovate[bot]](https://github.com/apps/renovate) (#159)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| aws (source) | required_provider | major | >= 4.9.0, < 6.0 -> < 6.13 |

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.12.0


NOTES:

  • resource/aws_s3_bucket_acl: The access_control_policy.grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#​44090)
  • resource/aws_s3_bucket_acl: The access_control_policy.owner.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#​44090)
  • resource/aws_s3_bucket_logging: The target_grant.grantee.display_name attribute is deprecated. AWS has ended support for this attribute. API responses began inconsistently returning it on July 15, 2025, and will stop returning it entirely on November 21, 2025. This attribute will be removed in a future major version. (#​44090)

FEATURES:

  • New Resource: aws_cognito_managed_login_branding (#​43817)

ENHANCEMENTS:

  • data-source/aws_efs_mount_target: Add ip_address_type and ipv6_address attributes (#​44079)
  • data-source/aws_instance: Add placement_group_id attribute (#​38527)
  • data-source/aws_lambda_function: Add source_kms_key_arn attribute (#​44080)
  • data-source/aws_launch_template: Add placement.group_id attribute (#​44097)
  • provider: Support ap-southeast-6 as a valid AWS Region (#​44127)
  • resource/aws_ecs_service: Remove Terraform default for availability_zone_rebalancing and change the attribute to Optional and Computed. This allows ECS to default to ENABLED for new resources compatible with AvailabilityZoneRebalancing and maintain an existing service's availability_zone_rebalancing value during update when not configured. If an existing service never had an availability_zone_rebalancing value configured and is updated, ECS will treat this as DISABLED (#43241)
  • resource/aws_efs_mount_target: Add ip_address_type and ipv6_address arguments to support IPv6 connectivity (#​44079)
  • resource/aws_fsx_openzfs_file_system: Remove maximum items limit on the user_and_group_quotas argument (#​44120)
  • resource/aws_fsx_openzfs_volume: Remove maximum items limit on the user_and_group_quotas argument (#​44118)
  • resource/aws_instance: Add placement_group_id argument (#​38527)
  • resource/aws_instance: Add resource identity support (#​44068)
  • resource/aws_lambda_function: Add source_kms_key_arn argument (#​44080)
  • resource/aws_launch_template: Add placement.group_id argument (#​44097)
  • resource/aws_ssm_association: Add resource identity support (#​44075)
  • resource/aws_ssm_document: Add resource identity support (#​44075)
  • resource/aws_ssm_maintenance_window: Add resource identity support (#​44075)
  • resource/aws_ssm_maintenance_window_target: Add resource identity support (#​44075)
  • resource/aws_ssm_maintenance_window_task: Add resource identity support (#​44075)
  • resource/aws_ssm_patch_baseline: Add resource identity support (#​44075)
  • resource/aws_synthetics_canary: Add run_config.ephemeral_storage argument. (#​44105)

BUG FIXES:

  • resource/aws_s3tables_table_policy: Remove plan-time validation of name and namespace (#​44072)
  • resource/aws_servicecatalog_provisioned_product: Set provisioning_parameters and provisioning_artifact_id to the values from the last successful deployment when update fails (#​43956)
  • resource/aws_wafv2_web_acl: Fix performance of update when the WebACL has a large number of rules (#​42740)

v6.11.0


FEATURES:

  • New Resource: aws_timestreaminfluxdb_db_cluster (#​42382)
  • New Resource: aws_workspacesweb_browser_settings_association (#​43735)
  • New Resource: aws_workspacesweb_data_protection_settings_association (#​43773)
  • New Resource: aws_workspacesweb_identity_provider (#​43729)
  • New Resource: aws_workspacesweb_ip_access_settings_association (#​43774)
  • New Resource: aws_workspacesweb_network_settings_association (#​43775)
  • New Resource: aws_workspacesweb_portal (#​43444)
  • New Resource: aws_workspacesweb_session_logger (#​43863)
  • New Resource: aws_workspacesweb_session_logger_association (#​43866)
  • New Resource: aws_workspacesweb_trust_store (#​43408)
  • New Resource: aws_workspacesweb_trust_store_association (#​43778)
  • New Resource: aws_workspacesweb_user_access_logging_settings_association (#​43776)
  • New Resource: aws_workspacesweb_user_settings_association (#​43777)

ENHANCEMENTS:

  • data-source/aws_ec2_client_vpn_endpoint: Add endpoint_ip_address_type and traffic_ip_address_type attributes (#​44059)
  • data-source/aws_network_interface: Add attachment.network_card_index attribute (#​42188)
  • data-source/aws_sesv2_email_identity: Add verification_status attribute (#​44045)
  • data-source/aws_signer_signing_profile: Add signing_material and signing_parameters attributes (#​43921)
  • data-source/aws_vpc_ipam: Add `me...

v2.3.0

16 Aug 18:47
c75f8d4


Fixes "Error: no association of default Security Group (sg-XXX) with VPC Endpoint (vpce-YYY)" @j4zzcat (#158)

This PR updates the `vpc-endpoints` module to prevent recurring "no association of default Security Group (...) with VPC Endpoint (...)" errors when managing Interface VPC Endpoints. See also https://github.com/cloudposse-terraform-components/aws-vpc/issues/49.

The issue occurred because AWS automatically attaches the default VPC security group to an Interface endpoint when no SGs are specified at creation. The module previously relied on replace_default_association to swap it out for the desired SG. This worked only on the first run - subsequent runs failed because the default SG was no longer attached.

Changes

  1. Attach first SG at creation time
    • Added security_group_ids to aws_vpc_endpoint.interface_endpoint with the first SG from var.interface_vpc_endpoints.
    • Prevents AWS from attaching the default SG and removes the need for replace_default_association.
  2. Limit SG associations to index > 0
    • Updated security_group_associations_list and security_group_associations_map locals to only include SGs beyond the first one.
    • Ensures Terraform doesn’t try to re-attach the already-attached first SG.
  3. Remove replace_default_association
    • Association resources now only attach additional SGs.
    • Eliminates fragile “replace default” logic that failed on repeated applies.

Benefits

  • Idempotent applies — no more failing after the first run.
  • Simpler logic — no special-case handling for the default SG.
  • Clean AWS state — the default SG is never attached in the first place.

Testing

  • Applied changes in a test environment with multiple endpoints and SGs.
  • Verified that:
    • First SG is attached at endpoint creation.
    • Additional SGs are attached via association resources.
    • No errors occur on repeated terraform apply runs.
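
A check for the end state this fix aims at, added here as an example (it is not code from the module or from the PR): it reads `aws ec2 describe-vpc-endpoints` JSON and reports Interface endpoints that still have the VPC's default security group attached. The sample input and every ID in it are constructed; the default SG is recognised by its reserved group name `default`.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints --output json`.
# Every ID below is a made-up placeholder, not a value from the release notes.
SAMPLE_JSON = """
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Interface", "VpcId": "vpc-0001",
   "ServiceName": "com.amazonaws.us-east-1.ssm",
   "Groups": [{"GroupId": "sg-0def", "GroupName": "default"}]},
  {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface", "VpcId": "vpc-0001",
   "ServiceName": "com.amazonaws.us-east-1.ec2",
   "Groups": [{"GroupId": "sg-0app", "GroupName": "endpoints-app"},
              {"GroupId": "sg-0def", "GroupName": "default"}]},
  {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Interface", "VpcId": "vpc-0001",
   "ServiceName": "com.amazonaws.us-east-1.sts",
   "Groups": [{"GroupId": "sg-0app", "GroupName": "endpoints-app"}]},
  {"VpcEndpointId": "vpce-0ddd", "VpcEndpointType": "Gateway", "VpcId": "vpc-0001",
   "ServiceName": "com.amazonaws.us-east-1.s3", "Groups": []}
]}
"""


def find_default_sg_endpoints(describe_output):
    """Return one finding per Interface endpoint with the default SG attached."""
    findings = []
    for ep in describe_output.get("VpcEndpoints", []):
        # Only Interface endpoints carry security groups; skip Gateway etc.
        if ep.get("VpcEndpointType") != "Interface":
            continue
        groups = ep.get("Groups") or []
        # "default" is a reserved name, so it identifies the VPC's default SG.
        default_ids = [g["GroupId"] for g in groups if g.get("GroupName") == "default"]
        if not default_ids:
            continue
        findings.append({
            "endpoint": ep["VpcEndpointId"],
            "vpc": ep.get("VpcId"),
            "default_sg": default_ids[0],
            # True when the default SG is the only thing filtering the endpoint:
            # the state AWS creates when no SG is passed at creation time.
            "default_only": len(default_ids) == len(groups),
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit.py endpoints.json   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = json.loads(SAMPLE_JSON)
    for f in find_default_sg_endpoints(data):
        kind = "default SG only" if f["default_only"] else "default SG plus others"
        print(f'{f["endpoint"]} in {f["vpc"]}: {kind} ({f["default_sg"]})')
```

Run against real output after upgrading, an empty result means no Interface endpoint is relying on the default security group's rules.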

v2.2.0

13 Aug 13:10


🚀 Enhancements

feat(internet-gateways): add better tagging for naming visibility @oycyc (#157)

what

  1. Add an additional label to set the attribute which sets the final "Name" tag for IGW and EIGW.
    • @gberenice made a good comment below. This does not replace the resource. Only updates in place by updating the tags. See screenshot in comments. No actual AWS physical infra updated. Only tag/naming.
  2. This also fixes TF test errors - VPC endpoint security group association "OperationInProgress" errors
    • Problem: VPC endpoint tests were failing with "api error OperationInProgress: VpcEndpoint modify operation in progress" because multiple security group associations were attempting to modify the same VPC endpoint simultaneously.
    • Root Cause: The module was using separate aws_vpc_endpoint_security_group_association resources with for_each, causing concurrent API calls that AWS doesn't allow.
    • Solution: Replaced separate security group association resources with the built-in security_group_ids parameter on aws_vpc_endpoint. This approach eliminates concurrent modification conflicts and follows AWS Provider best practices.

why

  1. Screenshot redacted. For IGW and EIGW, there's no name attribute. So on the AWS console UI, the name is determined by the "Name" tag. Without "igw", when looking at the resource map of the VPC, it looks very off when the subnets -> route tables -> network connection is all the same name.

I should easily be able to tell what network connection it is, igw, eigw, or NAT (which does have this): https://github.com/cloudposse/terraform-aws-dynamic-subnets/blob/main/nat-gateway.tf#L1

  2. Tests were failing.

🤖 Automatic Updates

Fix go version in tests @osterman (#155)

what

  • Update go `1.24`

why

  • Error loading shared library libresolv.so.2 in Go 1.20


Replace Makefile with atmos.yaml @osterman (#154)

what

  • Remove `Makefile`
  • Add `atmos.yaml`

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

Migrate new test account @osterman (#150)

what

  • Update `.github/settings.yml`
  • Update `.github/chatops.yml` files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#149)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#148)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update release workflow to allow pull-requests: write @osterman (#147)

what

  • Update workflow (`.github/workflows/release.yaml`) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#146)

what

  • Update workflows (`.github/workflows`) to use shared workflows from `.github` repo

why

  • Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#145)

what

  • Update workflows (`.github/workflows`) to add `issue: write` permission needed by ReviewDog `tflint` action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#144)

what

  • Update workflows (`.github/workflows/settings.yaml`)

why

  • Support new readme generation workflow.
  • Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#141)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration

Bump golang.org/x/crypto from 0.0.0-20220926161630-eccd6366d1be to 0.17.0 in /test/src @[dependabot[bot]](https://github.com/apps/dependabot) (#132)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20220926161630-eccd6366d1be to 0.17.0.


Add GitHub Settings @osterman (#137)

what

  • Install a repository config (`.github/settings.yaml`)

why

  • Programmatically manage GitHub repo settings

Add GitHub Settings @osterman (#136)

what

  • Install a `.github/settings.yaml`

why

  • Programmatically manage GitHub repo settings

Add GitHub Settings @osterman (#130)

what

  • Install a `.github/settings.yaml`

why

  • Programmatically manage GitHub repo settings

Update Scaffolding @osterman (#129)

what

  • Reran `make readme` to rebuild `README.md` from `README.yaml`
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

Update README.md and docs @cloudpossebot (#128)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update Scaffolding @osterman (#127)

what

  • Reran `make readme` to rebuild `README.md` from `README.yaml`
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

Update README.md and docs @cloudpossebot (#126)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v2.2.0-alpha1 documentation only

03 Mar 14:06
4e7d868


Pre-release

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#126)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v2.1.1

10 Nov 03:03
cd9070d


Add support for network address usage metrics @lanzrein (#124)

what

This PR adds support for Network Address Usage Metrics on the VPC.
AWS documentation : https://docs.aws.amazon.com/vpc/latest/userguide/network-address-usage.html
Terraform documentation : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_network_address_usage_metrics

why

Network Address Usage metrics can help monitor the growth of a VPC and would be useful for any user.
Enabling this after creating a VPC does not trigger recreation of the VPC.

references

closes #115

Sync github @max-lobur (#120)

Rebuild github dir from the template

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#125)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v2.1.0

17 May 09:04
3e61cf9


  • No changes

v2.0.0 Breaking changes, better VPC Endpoint support

28 Oct 06:26
3e61cf9


🚀 Enhancements

Breaking changes: See migration notes for details.

Drop support for deprecated features, revamp VPC Endpoint support @Nuru (#112)

Note

This will be released as version 2.0.0-rc1 and possibly as 2.0.0 without changes.
See migration notes for details.

what

  • Drop support for deprecated features
  • Revamp VPC Endpoint support (modules/vpc-endpoints)
  • Clean up documentation
  • Update tests to current framework and current modules

why

  • AWS is retiring ClassicLink. Closes #111
  • AWS provider version 4 deprecates (and version 5 is set to remove) inline resource creation for VPC Endpoint Route Tables, Subnet associations, and Security Group associations. Convert to new architecture in preparation for v5.
  • Add route table association for VPC Gateway Endpoints as a convenience, since they are always needed
  • More clarity, more standardization
  • Keep examples current, pull in bugfixes and security updates


Fix output description @ngoyal16 (#113)

what

  • IPv6 related description typo fix

why

  • In IPv6 related outputs vars description contains IPv4 instead of IPv6

v2.0.0-rc1 Enhanced VPC Endpoint support, drop deprecated features

05 Oct 17:42
53fd687


Breaking changes: See migration notes for details.

Drop support for deprecated features, revamp VPC Endpoint support @Nuru (#112)

Note

This will be released as version 2.0.0-rc1 and possibly as 2.0.0 without changes.
See migration notes for details.

what

  • Drop support for deprecated features
  • Revamp VPC Endpoint support (modules/vpc-endpoints)
  • Clean up documentation
  • Update tests to current framework and current modules

why

  • AWS is retiring ClassicLink. Closes #111
  • AWS provider version 4 deprecates (and version 5 is set to remove) inline resource creation for VPC Endpoint Route Tables, Subnet associations, and Security Group associations. Convert to new architecture in preparation for v5.
  • Add route table association for VPC Gateway Endpoints as a convenience, since they are always needed
  • More clarity, more standardization
  • Keep examples current, pull in bugfixes and security updates


v1.2.0

04 Oct 02:45
0f495dd


add/default-route-table @cdobbyn (#110)

what

  • Manages the default route table created alongside aws_vpc resource automatically.

why

  • If not managed there are no identifying features about this resource which is confusing.
  • In our case we establish ownership via tags passed into this module, if no tags are present it is difficult to report on ownership


v1.1.1

03 Aug 04:46
cd5c6b0


git.io->cloudposse.tools update @dylanbannon (#106)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

Fix broken & disabled tests @Nuru (#105)

what

  • Fix broken & disabled tests

why

  • Better test coverage

🚀 Enhancements

Fix syntax error in example @vanastassiou (#107)

Fixes a syntax error in the "Full example with terraform-aws-dynamic-subnets" code that results in a terraform plan failure.

what

  • The example presented with dynamic-subnets generates a syntax error during terraform plan

why

  • Improves documentation reliability