[Major Version]: Terraform AWS Provider v6.0.0

[breathingdust]

Description

The next major version of the Terraform AWS Provider is planned to release in beta in April 2025. There will be a 6 week beta period in which we will ask the community for feedback, to better understand the impact of the upgrade experience, to assess the implementation of multi-region and other enhancements and to resolve any issues found. Please submit any feedback by creating an issue in the provider using the beta-feedback form.

After the release of the beta, we will endeavor to maintain and keep both v5 and v6 branches up to date with new service/resource coverage and bugfixes during the beta period. After v6.0.0 exits beta with a stable release, v5 will only receive critical security updates.

Opting into the v6.0.0 beta

The builds will be versioned as "beta" pre-releases and uploaded to the Terraform Registry as usual. Users with permissive version constraints, such as > 5.8, will not automatically use the new beta version. Instead, they will need to opt-in by specifying the pre-release version in their provider requirements:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "= 6.0.0-beta"
    }
  }
}

Terraform 0.12

Terraform 0.12 does not support pre-releases in provider version constraints. For this reason, 0.12 users will receive a runtime error when attempting to use the v6.0.0 beta either by specifying the version or via a non-specific version constraint. This will be removed after the stable release so that 0.12 users can use v6.0.0. We advise that users of v0.12 should upgrade to a more recent version of Terraform at the earliest opportunity.

• [Enhancement]: Add region argument/parameter where appropriate #27758 (comment)

Upgrade Instructions

As always comprehensive upgrade instructions will be found in the Registry. We would welcome in particular contributions to documentation if these instructions are unclear in any way to ensure that the upgrade process is as easy as possible for practitioners.

Note: The upgrade guide is under development and will be added to as we work though the scope of the major version.

• Terraform AWS Provider v6.0.0 Upgrade Guide (WIP)

Summary of Changes

Enhanced Multi-Region Support

• region meta-argument #25308
• [Enhancement]: Add region argument/parameter where appropriate #27758
• [WIP] Proposal to modify provider meta to enable specifying the region at each resource #31517

We will introduce a new approach to managing AWS resources across multiple Regions in Terraform by allowing a single provider configuration to handle multiple Regions. Currently, each provider configuration in Terraform targets a single AWS Region, leading to increased memory consumption and complexity when managing multi-Region deployments. The new approach leverages an injected region attribute at the resource level, reducing memory overhead and simplifying configuration.

Key Highlights:

• Single Provider Configuration: Reduces the need to load multiple instances of the AWS provider, lowering memory usage.
• Region Attribute Injection: The region argument will be automatically added to all resources without requiring explicit schema changes.
• Global Resources: The region argument will still exist on global resources, however in this case changing the region in reconfiguration will not result in resource recreation.
• Terraform Plugin Framework Updates: Adjustments to the AWS API client mechanism will support per-Region API client mappings.
• Resource Import Enhancements: A new @ suffix allows importing resources from different Regions.
• Documentation & Testing: Changes will be documented at the provider level, and testing will ensure backward compatibility.
• Certain resources that already have a top level region attribute will need special handling and a deprecation cycle leading to a breaking change in a future major version.
• The initial refresh after an upgrade to v6.0 will show diffs for each resource where the meta region attribute is added. We are looking into way to suppress this.

Thanks to @brittandeyoung for inspiration and prototyping in #31517

EC2 Instance User Data Improvements

• aws_instance user_data as cleartext, not hash #7625
• Show user_data diff on change #13805

We will modify the aws_instance resource to display cleartext diffs for user_data changes instead of hashed values. Currently, user_data is stored as a hash in the Terraform state, making it difficult for users to evaluate unexpected modifications. The proposal outlines a strategy to safely transition to storing and displaying the raw user_data content while addressing backward compatibility concerns, including state migration and legacy base64 encoding behavior. The goal is to improve visibility and usability for practitioners managing EC2 instances with Terraform.

Deprecations

Service Deprecations

These AWS services have an announced EOL date so should now be deprecated in the provider.

• Amazon Chime end of life #41506: AWS has announced the end of life for this service on February 20, 2026, giving AWS Wickr as a potential replacement. announcement
• Amazon CloudWatch Evidently end of life #39915: AWS is discontinuing this service on October 17, 2025; users should explore other feature flagging and experimentation tools. announcement
• Amazon Elastic Transcoder end of life #40318: AWS has announced the end of life for this service will be November 13, 2025, recommending AWS MediaConvert as a replacement. announcement
• Deprecate: AWS Elemental MediaStore prior to end of life #40317: Service is being phased out and ends on November 13, 2025. Users should transition to S3, AWS MediaPackage, or other storage solutions. announcement

Resource and Data Source Deprecations

There will be a set of deprecations to signal to users that certain resources or attributes should not be used and will be removed in the next major version (v7.0.0). Generally, this will correspond to upstream AWS service EOL events, or when attributes are not working as expected and cannot be fixed in their current form. In some specific cases (typically when features are widely used) we may use deprecations to signal to users that a resource/attribute should not be used but have no intentions to actually remove it.

• [Data Source Deprecation] d/aws_cloudtrail_service_account #35130
• [Resource Deprecation] r/aws_kinesis_analytics_application #36582

Attribute Deprecations

• [Attribute Deprecation] aws_batch_compute_environment: add name and name_prefix parameters and deprecate compute_environment_name and compute_environment_name_prefix #37943
• [Attribute Deprecation] r/aws_service_discovery_service: Deprecate `health_check_custom_config.failure_threshold #37955
• [Attribute Deprecation]: deprecate block_duration_minutes from aws_spot_instance_request resource #37613
• [Attribute Deprecation] r/aws_guardduty_detector.datasources #33730

Behaviour Deprecations

• [Enhancement]: Deprecate uppercase versions of engine attribute in elasticache resource types #40813
• provider: Deprecate support for S3 global endpoint #33305

Removals

Service Removals

• [Service EOL]: Amazon Elastic Inference reached end of life on April, 2024 #40992 Amazon Elastic Inference is no longer available. Please see Amazon SageMaker for similar capabilities. Several properties in EC2/ECS will need to be removed. announcement

• [Service EOL]: Amazon Elastic Graphics reached end of life on January 8, 2024 #40991 Elastic Graphics has been end of lifed on January, 2024. Related properties from EC2 resources will need to be removed. announcement

• [Service EOL] AWS OpsWorks Stacks end of life #35701 AWS has end-of-lifed AWS OpsWorks Stacks as of May 26, 2024, advising users to consider AWS Systems Manager or other infrastructure management solutions. We will remove resources, data sources, the service client, and the package belonging to the service. announcement

• r/aws_simpledb_domain: Remove deprecated resource #39537 The provider has now migrated to use AWS SDK for Go v2 apart from the aws_simpledb_domain resource. SimpleDB is not supported by version 2 of the SDK at all so cannot be migrated. We will remove support for this resource in v6.0.0, practitioners who still need to use it will need to stay on v5.x of the provider.

Resource and Data Source Removals

• [Data Source Removal] d/aws_redshift_service_account #31045

Attribute Removals

• aws_api_gateway_deployment - Remove stage_name, stage_description, canary_settings attributes #39958
• aws_dms_endpoint - Remove s3_settings attribute #29726
• aws_dx_gateway_association - Remove vpn_gateway_id attribute #31383
• aws_eip - Remove vpc attribute #26715
• aws_eks_addon - Remove resolve_conflicts attribute #31292
• aws_flog_log - Remove log_group_name attribute #31381
• aws_identitystore_group - Remove filter attribute #33312
• aws_identitystore_user - Remove filter attribute #33312
• aws_instance - Remove cpu_threads_per_core, cpu_core_count attributes #31165
• aws_networkmanager_core_network - Remove base_policy_region attribute #29780
• aws_opensearch_domain - Remove kibana_endpoint attribute #31491
• aws_quicksight_data_set - Remove tags_all attribute #31164
• aws_service_discovery_service - Remove tags_all attribute #31163
• aws_ssm_association - Remove instance_id attribute #31379
• aws_batch_job_queue - Remove compute_environments attribute #40751

Behavior Changes

• aws_redshift_cluster - We will update the aws_redshift_cluster resource to align with AWS's changes to default public accessibility settings. As of January 10, 2025, AWS disabled public accessibility by default for newly provisioned Redshift clusters. Currently, the provider sets a default value of true rather than leaving the attribute unset to inherit AWS's default, which is both inconsistent with best practices and unsafe. We will remove this default so that new clusters follow AWS's intended behavior. Additionally, we will correct the attribute types for cluster_public_key, cluster_revision_number, and endpoint, which are currently marked as Optional, Computed but should be Computed only, as they are set by AWS and cannot be configured by the user.#41041, #41044
• aws_apigateway_account - We will update the behavior of the so that deleting it will always reset account settings. As part of this change, we will also remove the reset_on_delete attribute, which was introduced as a temporary workaround to avoid breaking changes. #40043
• aws_cloudfront_response_headers_policy - We will update the behavior of the resource to make the etag attribute computed and read-only. We will also document the attribute to clarify its purpose. #38244
• aws_ami - We will update the behavior of the data source to improve security and prevent unintended AMI selections. Currently, if a user queries for an AMI without specifying an owner, they may receive results from an unexpected source, posing a security risk as highlighted in CVE-2018-15869. Previously, we added a warning to inform users of this risk, but we will now enforce stricter behavior by returning an error if narrowing criteria, such as an owner, are not provided. To maintain flexibility, we will introduce an optional allow_unsafe_filter attribute, allowing users to explicitly accept the risk of searching without constraints. #40198
• aws_db_instance - We will update the behavior of the aws_db_instance resource to enforce correct usage of the character_set_name attribute. Currently, this attribute is only valid when creating a new database instance, but users have been able to specify it for replicated or restored databases without effect. Previously, we added a warning to inform users that their character set selection was not being applied in these cases. To prevent confusion and ensure expected behavior, we will now return an error when character_set_name is set for a database that is not newly created. #36519
• aws_elasticache_replication_group - We will update the resource by removing the default value for the auth_token_update_strategy argument. This argument was originally introduced with a default value of ROTATE to maintain backward compatibility with earlier provider versions where this behavior was hardcoded. However, to ensure users explicitly define their preferred token update strategy when setting an auth_token, we will now make auth_token_update_strategy a required argument. This change improves clarity and control over credential rotation. #34496
• aws_lb_listener - We will update the resource to improve validation and handling of the mutual_authentication attributes. Currently, the provider schema incorrectly defaults ignore_client_certificate_expiry to false in all cases and allows both ignore_client_certificate_expiry and trust_store_arn to be set regardless of the mode value.
  We will modify the schema to enforce the correct behavior: ignore_client_certificate_expiry will default to false only when mode is validate and will be null otherwise. Additionally, we will introduce validation rules to ensure ignore_client_certificate_expiry can only be set when mode is validate, and trust_store_arn can only be set when mode is validate or passthrough. Finally, we will remove the incorrect requirement that trust_store_arn must be set when mode is passthrough, aligning the provider with the AWS API behavior. #35452
• aws_globalaccelerator_accelerator - We will update the data source so that the id attribute is no longer settable. Currently, users can provide a value for id, but it is ignored and does not influence the data source’s behavior. This change aligns with common patterns in Terraform, where id is typically a read-only attribute reflecting a resource’s actual identifier. #39236
• aws_cloudfront_key_value_store - We will update the resource so that the id attribute correctly reflects the actual ID returned by the AWS API. Currently, the provider sets id to the name, which is inconsistent with typical Terraform behavior and may cause confusion when managing resources. This change ensures that id aligns with AWS's expected identifier for the key-value store. #40839
• aws_cognito_user_in_group - We will update the resource to use a composite key instead of the unique id currently implemented. This will allow import for the resource to work correctly. #34082
• aws_wafv2_web_acl - Changes the default value for the enable_machine_learning attribute. The current default value of true is significantly more expensive than leaving it disabled and has been reported by the community as a source of significant unintended cost. #39858

Disallow use of SingleNestedBlock in resource schemas

• Disallow use of SingleNestedBlock in resource schemas #35813

This change should not generally be practitioner facing and will not require resource config updates. However there may be reliance on the previous state structure in scripts or outputs. In such cases, they will need to update references accordingly (e.g., changing attribute.thing to attribute[0].thing).

This will include changes to the following resources and attributes

Resource	Attribute
aws_bedrock_model_invocation_logging_configuration	logging_config, cloudwatch_config, large_data_delivery_s3_config, s3_config
aws_lb_listener_rule	authenticate_cognito, authenticate_oidc, fixed_response, forward, stickiness, redirect, host_header, http_header, http_request_method, path_pattern, query_string, source_ip
aws_opensearchserverless_security_config	saml_options
aws_paymentcryptography_key	key_attributes, key_modes_of_use
aws_rekognition_stream_processor	bounding_box
aws_resiliencehub_resiliency_policy	policy az, hardware, software, and region
aws_verifiedpermissions_schema	definition

Nullable Boolean Values Behavior Change

• Restrict parsing of nullable Bool values to "", false, and true #29379

We will update the TypeNullableBool schema type, for the 14 plugin SDK resources that use it, to remove support for the values “0” and “1,” which were previously deprecated. Currently, users can set these attributes to an empty string, “false,” “true,” “0,” or “1.” We will restrict the allowed values to only "", “false,” and “true” to align with modern Terraform practices and ensure clearer, more consistent behavior. This change will enforce the use of false or true for boolean values, improving the integrity of the configuration. Any configurations currently using “0” or “1” for boolean attributes will result in an error when applied. Users will need to update their configurations to use either an empty string, false, or true to avoid errors. While this change enforces stricter validation, it will improve consistency and reduce ambiguity in handling boolean values.

Type	Name	Attribute
Resource	aws_ec2_launch_template	delete_on_termination, encrypted, ebs_optimized, associate_carrier_ip_address, associate_public_ip_address, primary_ipv6
Resource	aws_accessanalyzer_archive_rule	exists
Resource	aws_cloudtrail_event_data_store	suspend
Resource	aws_spot_fleet_request	terminate_instances_on_delete
Resource	aws_elasticache_cluster	auto_minor_version_upgrade
Resource	aws_elasticache_replication_group	at_rest_encryption_enabled, auto_minor_version_upgrade
Resource	aws_lb_target_group	preserve_client_ip
Resource	aws_evidently_feature	bool_value
Resource	aws_imagebuilder_container_recipe	delete_on_termination, encrypted
Resource	aws_imagebuilder_image_recipe	delete_on_termination, encrypted
Data Source	aws_imagebuilder_image_recipe	delete_on_termination, encrypted
Resource	aws_mq_broker	audit
Data Source	aws_mq_broker	audit

Resource Structure Changes

• aws_securitylake_aws_log_source - We will move all the sub-attributes of the source attribute to top-level attributes to simplify configurations. #37160

Non-User Facing Changes

Removal of aws-sdk-go (V1)

We have completed the migration of the provider codebase to use v2 of the AWS SDK. The only remaining holdout is the single SimpleDB resource which is due to be removed in this version as this service is not supported in v2 of the SDK. Users of SimpleDB will need to continue to use v5 of the provider.

Upgrade to Go 1.24

Go 1.24 introduces several performance optimizations, security enhancements, and standard library improvements that benefit large-scale applications like the Terraform AWS Provider. By staying current with Go releases, we ensure compatibility with modern tooling and libraries while leveraging the latest language and runtime improvements. Additionally, Go 1.24 may offer optimizations that improve provider execution efficiency, reducing memory usage, and improving runtime performance.

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ddouglas]

Will the removal of all of the legacy attributes on the aws_s3_bucket resource be removed in this version? I work in a strict environment and got questioned today on why so many of the s3:Get permissions were required when we setup the policy for a new workspace even though we don't use those features. It was because of the numerous legacy calls that are made for the deprecated attributes on this resource. Without the Get permissions, 403s are thrown during the state refresh phase. I can open a dedicated issue for this if needed, but I'm sure everybody has moved to the new resources by now. It's been almost 3 years i think, and if they haven't then they've been getting flooded with all the warnings that the provider generated.