Bump hashicorp/aws from 5.94.1 to 6.2.0

[dependabot]

Bumps hashicorp/aws from 5.94.1 to 6.2.0.

Release notes

Sourced from hashicorp/aws's releases.

v6.2.0

ENHANCEMENTS:

• data-source/aws_kinesis_stream_consumer: Add tags attribute. This functionality requires the kinesis:ListTagsForResource IAM permission (#43173)
• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection attribute (#43137)
• resource/aws_accessanalyzer_analyzer: Add configuration.internal_access argument (#43138)
• resource/aws_amplify_app: Add job_config argument (#43136)
• resource/aws_amplify_branch: Add enable_skew_protection argument (#43218)
• resource/aws_cloudtrail: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
• resource/aws_cloudtrail_event_data_store: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
• resource/aws_cloudwatch_event_archive: Add kms_key_identifier argument (#43139)
• resource/aws_cloudwatch_log_group: Support DELIVERY as a valid value for log_group_class (#42658)
• resource/aws_codebuild_project: Add environment.docker_server configuration block (#42982)
• resource/aws_eks_pod_identity_association: Add disable_session_tags and target_role_arn arguments and external_id attribute (#42979)
• resource/aws_emr_cluster: Add os_release_label argument (#43018)
• resource/aws_fms_policy: Add resource_tag_logical_operator argument (#43031)
• resource/aws_glue_job: Support job_mode argument (#42607)
• resource/aws_kinesis_stream_consumer: Add tags argument and tags_all attribute. This functionality requires the kinesis:ListTagsForResource, kinesis:TagResource, and kinesis:UntagResource IAM permissions (#43173)
• resource/aws_kms_key: Support HMAC_224, HMAC_384, HMAC_512, ML_DSA_44, ML_DSA_65, and ML_DSA_87 as valid values for customer_master_key_spec (#43128)
• resource/aws_lightsail_instance_public_ports: -1 is now a valid value for port_info.from_port and port_info.to_port (#37703)
• resource/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection argument (#43137)
• resource/aws_rbin_rule: Add exclude_resource_tags argument (#43189)
• resource/aws_s3_directory_bucket: Add tags argument and tags_all attribute. This functionality requires the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions (#43256)
• resource/aws_s3tables_table: Add metadata argument (#43112)
• resource/aws_wafv2_web_acl: Add aws_managed_rules_anti_ddos_rule_set to managed_rule_group_configs configuration block in support of L7 DDoS protection (#43149)

BUG FIXES:

• provider: Fix Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#43221)
• resource/aws_appflow_connector_profile: Fixes error refreshing resource state (#43221)
• resource/aws_bcmdataexports_export: Fixes error when refreshing state with resources created before v6.0.0 (#43090)
• resource/aws_bedrockagent_agent: Retry Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#43179)
• resource/aws_bedrockagent_agent: Retry Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#43179)
• resource/aws_bedrockagent_agent: Retry Update operation can't be performed on Agent when it is in Preparing state. errors during update (#43179)
• resource/aws_bedrockagent_agent_collaborator: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#43179)
• resource/aws_cloudwatch_query_definition: Support ARNs as valid values for log_group_names (#43183)
• resource/aws_cur_report_definition: Allow an empty ("") value for s3_prefix. This fixes a regression introduced in v6.0.0 (#43159)
• resource/aws_elasticsearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
• resource/aws_elasticsearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
• resource/aws_lambda_function: Fix perpetual logging_config diffs when log_format is set to JSON and publish = true (#42660)
• resource/aws_lexv2models_intent: Add semantic equality check for confirmation_setting.prompt_specification.prompt_attempts_specification defaults (#43147)
• resource/aws_opensearch_domain: Disable publishing for log_publishing_options removed on Update. This prevents a perpetual diff (#43033)
• resource/aws_opensearch_domain: Fix ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group ... does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream IAM eventual consistency errors on Create (#43033)
• resource/aws_quicksight_analysis: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
• resource/aws_quicksight_dashboard: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
• resource/aws_quicksight_template: WHOLE is now a valid value for definition.sheets.visuals.pie_chart_visual.chart_configuration.donut_options.arc_options.arc_thickness (#37116)
• resource/aws_quicksight_user: Remove ForceNew from email (#43014)
• resource/aws_verifiedpermissions_schema: Fix Value Conversion Error errors when upgrading existing resources to Terraform AWS Provider v6.0.0 (#43116)

v6.0.0

... (truncated)

Changelog

Sourced from hashicorp/aws's changelog.

6.2.0 (July 2, 2025)

ENHANCEMENTS:

• data-source/aws_kinesis_stream_consumer: Add tags attribute. This functionality requires the kinesis:ListTagsForResource IAM permission (#43173)
• resource/aws_amplify_branch: Add enable_skew_protection argument (#43218)
• resource/aws_kinesis_stream_consumer: Add tags argument and tags_all attribute. This functionality requires the kinesis:ListTagsForResource, kinesis:TagResource, and kinesis:UntagResource IAM permissions (#43173)
• resource/aws_rbin_rule: Add exclude_resource_tags argument (#43189)
• resource/aws_s3_directory_bucket: Add tags argument and tags_all attribute. This functionality requires the s3express:ListTagsForResource, s3express:TagResource, and s3express:UntagResource IAM permissions (#43256)

BUG FIXES:

• provider: Fix Unexpected Identity Change errors for numerous resource types when refreshing resources created or refreshed by Terraform AWS Provider v6.0.0 (#43221)
• resource/aws_appflow_connector_profile: Fixes error refreshing resource state. (#43221)
• resource/aws_cloudwatch_query_definition: Support ARNs as valid values for log_group_names (#43183)

6.1.0 (June 26, 2025)

[!IMPORTANT] Terraform AWS Provider version v6.1.0 was removed from the Terraform Registry shortly after release due to a significant bug that could not be remediated quickly.

All changes originally included in the removed release will be included in version v6.2.0.

ENHANCEMENTS:

• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection attribute (#43137)
• resource/aws_accessanalyzer_analyzer: Add configuration.internal_access argument (#43138)
• resource/aws_amplify_app: Add job_config argument (#43136)
• resource/aws_cloudtrail: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
• resource/aws_cloudtrail_event_data_store: Support errorCode, eventType, sessionCredentialFromConsole, and vpcEndpointId as valid values for advanced_event_selector.field_selector.field (#43091)
• resource/aws_cloudwatch_event_archive: Add kms_key_identifier argument (#43139)
• resource/aws_cloudwatch_log_group: Support DELIVERY as a valid value for log_group_class (#42658)
• resource/aws_codebuild_project: Add environment.docker_server configuration block (#42982)
• resource/aws_eks_pod_identity_association: Add disable_session_tags and target_role_arn arguments and external_id attribute (#42979)
• resource/aws_emr_cluster: Add os_release_label argument (#43018)
• resource/aws_fms_policy: Add resource_tag_logical_operator argument (#43031)
• resource/aws_glue_job: Support job_mode argument (#42607)
• resource/aws_kms_key: Support HMAC_224, HMAC_384, HMAC_512, ML_DSA_44, ML_DSA_65, and ML_DSA_87 as valid values for customer_master_key_spec (#43128)
• resource/aws_lightsail_instance_public_ports: -1 is now a valid value for port_info.from_port and port_info.to_port (#37703)
• resource/aws_networkfirewall_firewall_policy: Add firewall_policy.stateful_rule_group_reference.deep_threat_inspection argument (#43137)
• resource/aws_s3tables_table: Add metadata argument (#43112)
• resource/aws_wafv2_web_acl: Add aws_managed_rules_anti_ddos_rule_set to managed_rule_group_configs configuration block in support of L7 DDoS protection (#43149)

BUG FIXES:

• resource/aws_bcmdataexports_export: Fixes error when refreshing state with resources created before v6.0. (#43090)
• resource/aws_bedrockagent_agent: Retry Exceeded the number of retries on OptLock failure. Too many concurrent requests. errors during update (#43179)
• resource/aws_bedrockagent_agent: Retry Prepare operation can't be performed on Agent when it is in Preparing state. errors during prepare (#43179)
• resource/aws_bedrockagent_agent: Retry Update operation can't be performed on Agent when it is in Preparing state. errors during update (#43179)
• resource/aws_bedrockagent_agent_collaborator: Retry operation can't be performed on Agent when it is in Preparing state. errors during agent collaborator update and disassociation (#43179)

... (truncated)

Commits

• 3e78043 Update CHANGELOG.md for #43221
• 9028847 Merge pull request #43221 from hashicorp/b-v6-0-identity
• 6b37750 Update CHANGELOG.md for #43256
• 636cfef Merge pull request #43256 from hashicorp/f-aws_s3_directory_bucket-tags
• 47930e7 Update CHANGELOG entry
• a80cef5 Merge branch 'main' into f-aws_s3_directory_bucket-tags
• ebfbd8a Correct CHANGELOG entry file name.
• 12e3536 Add '@​Testing(importIgnore="force_destroy")'.
• b9a993c r/aws_s3_directory_bucket: Use S3Control APIs for tagging.
• ad0bac8 r/aws_s3_directory_bucket: Some acceptance test niceties.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #13.