Update Terraform aws to v6.39.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aws (source)	required_provider	minor	6.36.0 → 6.39.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.39.0

Compare Source

NOTES:

• data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version (#​47133)

FEATURES:

• New Data Source: aws_iam_role_policies (#​46936)
• New Data Source: aws_iam_role_policy_attachments (#​47119)
• New Data Source: aws_networkmanager_core_network (#​45798)
• New Data Source: aws_uxc_services (#​47115)
• New List Resource: aws_eks_cluster (#​47133)
• New List Resource: aws_organizations_aws_service_access (#​46993)
• New List Resource: aws_sagemaker_training_job (#​46892)
• New List Resource: aws_workmail_group (#​47131)
• New List Resource: aws_workmail_user (#​47131)
• New Resource: aws_organizations_aws_service_access (#​46993)
• New Resource: aws_sagemaker_training_job (#​46892)
• New Resource: aws_uxc_account_customizations (#​47115)
• New Resource: aws_workmail_group (#​47131)
• New Resource: aws_workmail_user (#​47131)

ENHANCEMENTS:

• data-source/aws_outposts_asset: Add instance_families attribute (#​47153)
• resource/aws_eks_cluster: Add resource identity support (#​47133)
• resource/aws_eks_cluster: Support tier-8xl as a valid value for control_plane_scaling_config.tier (#​46976)
• resource/aws_network_acl_rule: Add Resource Identity support (#​47090)
• resource/aws_observabilityadmin_centralization_rule_for_organization: Add source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#​47154)
• resource/aws_prometheus_scraper: Add source.vpc argument. Change source.eks to Optional (#​47155)
• resource/aws_s3_bucket_metric: Support bucket metrics for directory buckets (#​47184)
• resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#​46865)

BUG FIXES:

• data-source/aws_eks_access_entry: Fixed tags not being returned (#​47133)
• data-source/aws_service_principal: Fix service principal names for EC2 and S3 in the aws-cn partition (#​47141)
• resource/aws_config_organization_conformance_pack: Fix creation timeout when using a delegated administrator account (#​47072)
• resource/aws_dynamodb_table: Fix Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#​47143)
• resource/aws_eks_cluster: Set bootstrap_self_managed_addons to true when importing (#​47133)
• resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error when cache_usage_limits is removed (#​46134)
• resource/aws_glue_catalog_table: Detect and report failed view creation (#​47101)

v6.38.0

Compare Source

FEATURES:

• New Action: aws_dms_start_replication_task_assessment_run (#​47058)
• New Data Source: aws_dynamodb_backups (#​47036)
• New Data Source: aws_msk_topic (#​46490)
• New Data Source: aws_savingsplans_offerings (#​47081)
• New List Resource: aws_msk_cluster (#​46490)
• New List Resource: aws_msk_serverless_cluster (#​46490)
• New List Resource: aws_msk_topic (#​46490)
• New List Resource: aws_route53_resolver_rule (#​47063)
• New List Resource: aws_sagemaker_algorithm (#​47051)
• New List Resource: aws_ssm_document (#​46974)
• New List Resource: aws_ssoadmin_account_assignment (#​47067)
• New List Resource: aws_vpc_endpoint (#​46977)
• New List Resource: aws_workmail_domain (#​46931)
• New Resource: aws_msk_topic (#​46490)
• New Resource: aws_observabilityadmin_telemetry_enrichment (#​47089)
• New Resource: aws_sagemaker_algorithm (#​47051)
• New Resource: aws_workmail_default_domain (#​46931)
• New Resource: aws_workmail_domain (#​46931)

ENHANCEMENTS:

• data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding attribute (#​47065)
• resource/aws_bedrockagentcore_agent_runtime: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#​47049)
• resource/aws_bedrockagentcore_gateway: Add authorizer_configuration.custom_jwt_authorizer.custom_claim configuration block (#​47049)
• resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.api_gateway configuration block (#​46916)
• resource/aws_dynamodb_table: Add restore_backup_arn argument (#​47068)
• resource/aws_fis_experiment_template: Support KinesisStreams as a value for action.target.key (#​47010)
• resource/aws_fis_experiment_template: Support VPCEndpoints as a value for action.target.key (#​47045)
• resource/aws_mq_broker: Change user block to Optional (#​46883)
• resource/aws_msk_cluster: Add resource identity support (#​46490)
• resource/aws_msk_serverless_cluster: Add resource identity support (#​46490)
• resource/aws_networkfirewall_firewall_policy: Add firewall_policy.enable_tls_session_holding argument (#​47065)
• resource/aws_securityhub_insight: Add filters.aws_account_name configuration block (#​47027)
• resource/aws_securityhub_insight: Add filters.compliance_associated_standards_id configuration block (#​47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_id configuration block (#​47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_name configuration block (#​47027)
• resource/aws_securityhub_insight: Add filters.compliance_security_control_parameters_value configuration block (#​47027)
• resource/aws_ssoadmin_account_assignment: Add Resource Identity support (#​47067)

BUG FIXES:

• resource/aws_api_gateway_method: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_apigatewayv2_integration: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_apigatewayv2_route: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_apigatewayv2_stage: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_gateway_route: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_route: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_virtual_gateway: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_virtual_node: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_virtual_router: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_appmesh_virtual_service: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_cloudfront_distribution_tenant: Fix panic when managed certificate is not found during creation (#​46982)
• resource/aws_controltower_control: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_default_route_table: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_gateway_association: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_private_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_public_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_hosted_transit_virtual_interface_accepter: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_private_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_public_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_dx_transit_virtual_interface: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_ecs_express_gateway_service: Fix Provider produced inconsistent result after apply error when environment variables are defined in non-alphabetical order (#​46771)
• resource/aws_elasticache_reserved_cache_node: Fix Provider returned invalid result object after apply errors where computed attributes remained unknown after create (#​47012)
• resource/aws_kinesis_stream: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_mq_broker: Fix non-idempotent behavior for RabbitMQ brokers with user block (#​46883)
• resource/aws_network_acl: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_network_interface_sg_attachment: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_opensearch_domain: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_route53recoverycontrolconfig_routing_control: Fix panic on concurrent creates when API returns ConflictException (#​47038)
• resource/aws_route_table_association: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_serverlessapplicationrepository_cloudformation_stack: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_servicecatalog_product: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_ses_active_receipt_rule_set: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_ssm_default_patch_baseline: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_vpc_dhcp_options_association: Fix import to honor @region suffix when using resource-level region attribute (#​47043)
• resource/aws_wafv2_web_acl_rule: Fix Unable to unmarshal DynamicValue error when statement.managed_rule_group_statement.rule_action_override block is specified (#​46998)
• resource/aws_wafv2_web_acl_rule_group_association: Fix WAFOptimisticLockException errors when multiple associations target the same Web ACL (#​47037)

v6.37.0

Compare Source

BREAKING CHANGES:

• resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values (#​46788)

NOTES:

• data-source/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#​46959)
• resource/aws_savingsplan_savingsplan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​46959)
• resource/aws_savingsplan_savingsplan: The offering_id attribute is deprecated. Use savings_plan_offering_id instead. (#​46959)

FEATURES:

• New List Resource: aws_ec2_transit_gateway_metering_policy (#​46812)
• New List Resource: aws_iam_user (#​46869)
• New List Resource: aws_s3_bucket_ownership_controls (#​46832)
• New List Resource: aws_wafv2_web_acl_rule (#​46682)
• New List Resource: aws_workmail_organization (#​46692)
• New Resource: aws_ec2_transit_gateway_metering_policy (#​46812)
• New Resource: aws_ec2_transit_gateway_metering_policy_entry (#​46812)
• New Resource: aws_wafv2_web_acl_rule (#​46682)
• New Resource: aws_workmail_organization (#​46692)

ENHANCEMENTS:

• resource/aws_datasync_task: Add schedule.status argument (#​46037)
• resource/aws_docdbelastic_cluster: Add shard_instance_count argument (#​46938)
• resource/aws_iam_user: Add resource identity support (#​46869)
• resource/aws_s3_bucket: Add bucket_namespace argument in support of account regional namespaces for general purpose buckets (#​46917)

BUG FIXES:

• data-source/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read (#​46959)
• resource/aws_bedrockagentcore_gateway: Fix "Unable to Convert Configuration" error caused by schema/model mismatch in authorizer_configuration.custom_jwt_authorizer. This fixes a regression introduced in v6.36.0 (#​46908)
• resource/aws_cloudfrontkeyvaluestore_key: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#​46898)
• resource/aws_cloudfrontkeyvaluestore_keys_exclusive: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS (#​46899)
• resource/aws_datasync_agent: Support activation of advanced mode agents. Previously, attempting to activate advanced mode agents would result in EOF errors when retrieving the activation key (#​46958)
• resource/aws_dynamodb_table: Fix GSI removal with key_schema syntax deleting all GSIs (#​46602)
• resource/aws_instance: Fix MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore errors when updating cpu_options.core_count or cpu_options.threads_per_core (#​46879)
• resource/aws_lakeformation_opt_in: Rename resource_data.lf_tag.value to resource_data.lf_tag.values and change to a set of string values. Previously, attempting to use resource_data.lf_tag.value would result in missing required field errors (#​46788)
• resource/aws_msk_cluster: Properly handle removal of the client_authentication.sasl block (#​42163)
• resource/aws_msk_cluster: Properly handle removal of the client_authentication.tls block (#​42163)
• resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.sasl blocks (#​42163)
• resource/aws_msk_cluster: Suppress persistent differences in unset client_authentication.tls blocks (#​42163)
• resource/aws_s3_bucket_lifecycle_configuration: Fix "Missing Resource Identity After Read" error when resource created with provider version < 6.34.0 is deleted outside Terraform (#​46674)
• resource/aws_savingsplan_savingsplan: Properly set savings_plan_offering_id during read to prevent forced replacement following import (#​46959)
• resource/aws_wafv2_web_acl: Fix enable_machine_learning in aws_managed_rules_bot_control_rule_set incorrectly defaulting to false instead of reflecting the AWS default of true (#​46682)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Terraform plan in ./services/orchestrator/infrastructure in the prod workspace
With var files: ./services/orchestrator/infrastructure/prod.tfvars

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.orchestrator.aws_lambda_function.service will be updated in-place
!~  resource "aws_lambda_function" "service" {
        id                             = "coverage-orchestrator-prod"
!~      last_modified                  = "2026-03-29T02:30:34.000+0000" -> (known after apply)
!~      source_code_hash               = "VRoaB12NOscuDCNv/2sCRrNGKmu01eGwXE1Ve70WEA4=" -> "F/2dMYOTOWCTt/Ov9HhBzZExtdxeiIBm6HY17pXAMtI="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.event_store.aws_dynamodb_table.event_table,
  on event_store/main.tf line 1, in resource "aws_dynamodb_table" "event_table":
   1: resource "aws_dynamodb_table" "event_table" {

hash_key is deprecated. Use key_schema instead.

(and one more similar warning elsewhere)

📝 Plan generated in Orchestrator #2213

[github-actions]

Terraform plan in ./services/ingest/infrastructure in the prod workspace
With var files: ./services/ingest/infrastructure/prod.tfvars

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.ingest.aws_lambda_function.service will be updated in-place
!~  resource "aws_lambda_function" "service" {
        id                             = "coverage-ingest-prod"
!~      last_modified                  = "2026-03-29T02:47:04.000+0000" -> (known after apply)
!~      source_code_hash               = "axPT77ej/3FzmD9PpXgIAKd14BcKGgh0yMgVjXvoOlE=" -> "yYK/9VY7zr0H5m5UNrx5+rikMLYtnfTDjQ9lfi2ReEs="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

📝 Plan generated in Ingest #3141

[github-actions]

Terraform plan in ./services/api/infrastructure in the prod workspace
With var files: ./services/api/infrastructure/prod.tfvars

Plan: 0 to add, 3 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.api.aws_lambda_function.api will be updated in-place
!~  resource "aws_lambda_function" "api" {
        id                             = "coverage-api-prod"
!~      last_modified                  = "2026-03-29T02:31:38.000+0000" -> (known after apply)
!~      source_code_hash               = "gWnTSpdtHw6HHrKvY0zChJQF2IxtLJJFUztZWAzBe34=" -> "NYtCZLr+LE/y7+9d5/sR+O0B7u5hjkVIghOrKxuTq1o="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

  # module.event_listener.aws_lambda_function.events will be updated in-place
!~  resource "aws_lambda_function" "events" {
        id                             = "coverage-api-event-listener-prod"
!~      last_modified                  = "2026-03-29T02:31:29.000+0000" -> (known after apply)
!~      source_code_hash               = "gWnTSpdtHw6HHrKvY0zChJQF2IxtLJJFUztZWAzBe34=" -> "NYtCZLr+LE/y7+9d5/sR+O0B7u5hjkVIghOrKxuTq1o="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

  # module.webhook_handler.aws_lambda_function.webhooks will be updated in-place
!~  resource "aws_lambda_function" "webhooks" {
        id                             = "coverage-api-webhook-handler-prod"
!~      last_modified                  = "2026-03-29T02:31:46.000+0000" -> (known after apply)
!~      source_code_hash               = "gWnTSpdtHw6HHrKvY0zChJQF2IxtLJJFUztZWAzBe34=" -> "NYtCZLr+LE/y7+9d5/sR+O0B7u5hjkVIghOrKxuTq1o="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

📝 Plan generated in API #3195

[github-actions]

Terraform plan in ./services/analyse/infrastructure in the prod workspace
With var files: ./services/analyse/infrastructure/prod.tfvars

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.analyse.aws_lambda_function.analyse will be updated in-place
!~  resource "aws_lambda_function" "analyse" {
        id                             = "coverage-analyse-prod"
!~      last_modified                  = "2026-03-29T02:42:31.000+0000" -> (known after apply)
!~      source_code_hash               = "wbqTMcGdGyuBuApawsOY+aMEsvyjQs4aP4xr0S/WUx0=" -> "ydmqzfZrV1JcKfqBHafD0I575EkkxqEA0hQ6xj4yUKM="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

📝 Plan generated in Analyse #3454

[github-actions]

Terraform plan in ./services/publish/infrastructure in the prod workspace
With var files: ./services/publish/infrastructure/prod.tfvars

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.publish.aws_lambda_function.service will be updated in-place
!~  resource "aws_lambda_function" "service" {
        id                             = "coverage-publish-prod"
!~      last_modified                  = "2026-03-29T02:52:45.000+0000" -> (known after apply)
!~      source_code_hash               = "og+NCZoL3DOiEOpHxMxPt3urSYTK3elQ3Ex+RVt8zWE=" -> "Tm7kYL6fNp9pifRN5OOx/5JjxSa/wDx/wAM0CEwb078="
        tags                           = {}
#        (30 unchanged attributes hidden)

#        (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

📝 Plan generated in Publish #2419

[coverage-robot]

Coverage Report

Merging #2580 will not change the total coverage (compared to 16d91d9)

Total Coverage	Diff Coverage
78%	ø

Tags

Tag	Lines	Covered	Partial	Uncovered	Coverage
analyse-service	2430	2124	0	306	87.41%
api-service	1418	1013	0	405	71.44%
clients-package (Carried forward from 8d9a663)	95	88	0	7	92.63%
configuration-package (Carried forward from 8d9a663)	665	513	0	152	77.14%
event-package (Carried forward from 8d9a663)	166	107	0	59	64.46%
ingest-service	1040	852	0	188	81.92%
local-package (Carried forward from 8d9a663)	250	169	0	81	67.6%
message-package (Carried forward from 8d9a663)	92	56	0	36	60.87%
orchestrator-service	850	704	0	146	82.82%
publish-service	1116	718	0	398	64.34%
telemetry-package (Carried forward from 8d9a663)	108	75	0	33	69.44%

Impacted Files

No impacted files in #2580

Last update to a88814e at 23:59pm UTC