
chore(deps): update terraform (major)#484

Open
renovate[bot] wants to merge 1 commit into main from renovate/major-terraform

Conversation

@renovate renovate bot commented Feb 26, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                                        Type               Update  Change
aws (source)                                   required_provider  major   < 6.0  -> < 6.36
aws (source)                                   required_provider  major   ~> 5.0 -> ~> 6.0
google (source)                                required_provider  major   ~> 5.0 -> ~> 7.0
terraform-aws-modules/cloudfront/aws (source)  module             major   ~> 3.0 -> ~> 6.0
terraform-aws-modules/ecs/aws (source)         module             major   5.12.1 -> 7.4.0
terraform-aws-modules/s3-bucket/aws (source)   module             major   ~> 4.0 -> ~> 5.0
terraform-aws-modules/vpc/aws (source)         module             major   < 6.0  -> < 6.7

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.35.1

BUG FIXES:

  • provider: Fix regression causing "Incompatible Types" errors during flattening (#​46778)
  • resource/aws_bedrockagentcore_gateway_target: Fix "Incompatible Types" errors during schema definition flattening (#​46778)
  • resource/aws_s3_bucket_lifecycle_configuration: Fix "Incompatible Types" errors for LifecycleRuleAndOperator while flattening configuration (#​46778)

v6.35.0

FEATURES:

  • New List Resource: aws_ecs_service (#​46678)
  • New List Resource: aws_lb (#​46660)
  • New List Resource: aws_lb_listener (#​46679)
  • New List Resource: aws_lb_listener_rule (#​46731)
  • New List Resource: aws_lb_target_group (#​46662)
  • New List Resource: aws_sns_topic (#​46744)
  • New List Resource: aws_sns_topic_subscription (#​46738)
  • New Resource: aws_observabilityadmin_telemetry_pipeline (#​46698)
  • New Resource: aws_sagemaker_mlflow_app (#​45565)

ENHANCEMENTS:

  • data-source/aws_lambda_layer_version: Add layer_version_arn argument to support cross-account Lambda layer access (#​46673)
  • resource/aws_emrserverless_application: Add job_level_cost_allocation_configuration block (#​46107)
  • resource/aws_ram_resource_share: Add resource_share_configuration block (#​46715)

BUG FIXES:

  • resource/aws_ce_cost_category: Change split_charge_rule targets from TypeSet to TypeList to retain order (#​42856)
  • resource/aws_dms_endpoint: Fix InvalidParameterCombinationException errors when oracle_settings is configured (#​46689)
  • resource/aws_elasticache_replication_group: Remove hard-coded upper limit of 5 for replicas_per_node_group and node_group_configuration.replica_count to support quota increases (#​46670)
  • resource/aws_networkmanager_attachment_routing_policy_label: Fix attachment state waiter to handle all Cloud WAN attachment lifecycle states (#​46672)

v6.34.0

FEATURES:

  • New List Resource: aws_ec2_secondary_network (#​46552)
  • New List Resource: aws_ec2_secondary_subnet (#​46552)
  • New List Resource: aws_ecr_task_definition (#​46628)
  • New List Resource: aws_elb (#​46639)
  • New List Resource: aws_s3_bucket_lifecycle_configuration (#​46531)
  • New Resource: aws_networkmanager_prefix_list_association (#​46566)

ENHANCEMENTS:

  • data-source/aws_grafana_workspace: Add kms_key_id attribute (#​46584)
  • data-source/aws_memorydb_cluster: Add network_type and ip_discovery attributes (#​46636)
  • resource/aws_athena_workgroup: Add configuration.query_results_s3_access_grants_configuration argument (#​46376)
  • resource/aws_bedrockagentcore_api_key_credential_provider: Add tagging support (#​46591)
  • resource/aws_bedrockagentcore_gateway_target: Add metadata_configuration block for HTTP header and query parameter propagation (#​45808)
  • resource/aws_bedrockagentcore_oauth2_credential_provider: Add tagging support (#​46590)
  • resource/aws_cloudwatch_event_connection: Add auth_parameters.connectivity_parameters argument (#​41561)
  • resource/aws_ecs_service: Add service_connect_configuration.access_log_configuration argument (#​45820)
  • resource/aws_ecs_service: Add resource identity support (#​46644)
  • resource/aws_eip_domain_name: Add import support (#​46582)
  • resource/aws_grafana_workspace: Add kms_key_id argument (#​46584)
  • resource/aws_instance: Allow cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place (#​46568)
  • resource/aws_lb_target_group_attachment: Add import support (#​46646)
  • resource/aws_lb_target_group_attachment: Add resource identity (#​46646)
  • resource/aws_memorydb_cluster: Add network_type and ip_discovery arguments (#​46636)
  • resource/aws_opensearch_domain: Add jwt_options attribute (#​46439)
  • resource/aws_wafv2_web_acl_rule_group_association: Add support for managed_rule_group_configs within managed_rule_group and root-level visibility_config block for CloudWatch metrics configuration (#​44426)

BUG FIXES:

  • data-source/aws_dms_endpoint: Add missing mongodb_settings.use_update_lookup attribute to fix "invalid address to set" error (#​46616)
  • data-source/aws_iam_policy_document: Fix crash when statement.principals.identifiers contains a non-string value (#​46226)
  • list-resource/aws_s3_object: Includes parent bucket in display name. (#​46596)
  • resource/aws_autoscaling_group: Fix couldn't find resource (21 retries) errors updating load_balancers, target_group_arns, and traffic_source (#​46622)
  • resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments (#​46127)
  • resource/aws_bedrockagentcore_gateway_target: Retry IAM eventual consistency errors on Create (#​46127)
  • resource/aws_billing_view: Fix "inconsistent result after apply" errors caused by ordering of data_filter_expression.dimensions.values (#​46462)
  • resource/aws_s3tables_table_bucket: Change encryption_configuration to Optional and Computed, fixing unexpected new value: .encryption_configuration: was null, but now cty.ObjectVal(map[string]cty.Value{"kms_key_arn":cty.NullVal(cty.String),"sse_algorithm":cty.StringVal("AES256")}) errors (#​46150)
  • resource/aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets. (#​46556)
  • resource/aws_vpc_endpoint: Fix InvalidParameter: DnsOptions PrivateDnsOnlyForInboundResolverEndpoint is applicable only to Interface VPC Endpoints errors when creating S3Tables VPC endpoints (#​46102)

v6.33.0

FEATURES:

  • New Resource: aws_networkmanager_attachment_routing_policy_label (#​46489)

ENHANCEMENTS:

  • data-source/aws_launch_template: Add cpu_options.nested_virtualization and network_performance_options attributes (#​46540)
  • data/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_acmpca_certificate_authority: Add custom_path argument to revocation_configuration.crl_configuration configuration block (#​46487)
  • resource/aws_budgets_budget: Add filter_expression attribute (#​46501)
  • resource/aws_dms_endpoint: Add access_alternate_directly, add_supplemental_logging, additional_archived_log_dest_id, allow_selected_nested_tables, archived_log_dest_id, archived_logs_only, asm_password, asm_server, asm_user, authentication_method, char_length_semantics, convert_timestamp_with_zone_to_utc, direct_path_no_log, direct_path_parallel_load, enable_homogenous_tablespace, extra_archived_log_dest_ids, fail_task_on_lob_truncation, number_datatype_scale, open_transaction_window, oracle_path_prefix, parallel_asm_read_threads, read_ahead_blocks, read_table_space_name, replace_path_prefix, retry_interval, secrets_manager_oracle_asm_access_role_arn, secrets_manager_oracle_asm_secret_id, security_db_encryption, security_db_encryption_name, spatial_data_option_to_geo_json_function_name, standby_delay_time, trim_space_in_char, use_alternate_folder_for_online, use_bfile, use_direct_path_full_load, use_logminer_reader, and use_path_prefix arguments to the oracle_settings configuration block (#​46516)
  • resource/aws_dms_endpoint: Add use_update_lookup argument to mongodb_settings configuration block (#​46253)
  • resource/aws_ecs_task_definition: Add resource identity support (#​46411)
  • resource/aws_instance: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add nested_virtualization attribute to cpu_options configuration block (#​46533)
  • resource/aws_launch_template: Add secondary_interfaces configuration block (#​46540)
  • resource/aws_lexv2models_intent: Add qna_intent_configuration attribute (#​46419)
  • resource/aws_sagemaker_domain: Add domain_settings.trusted_identity_propagation_settings argument (#​44965)

BUG FIXES:

  • data-source/aws_route53_records: Fix runtime error: invalid memory address or nil pointer dereference panics when name_regex is an invalid regular expression (#​46478)
  • resource/aws_cur_report_definition: Support ap-southeast-5 and eusc-de-east-1 as valid values for s3_region (#​46475)
  • resource/aws_docdb_cluster: Allow adding and modifying serverless_v2_scaling_configuration without forcing cluster replacement (#​45049)
  • resource/aws_lb: Fix ValidationError ... Member must have length less than or equal to 20 errors when more than 20 load balancer attributes are being modified (#​46496)
  • resource/aws_sagemaker_image_version: Fix race condition when creating multiple versions concurrently (#​44960)
  • resource/aws_subnet: Allows providing a cidr_block when allocating a subnet from an IPAM resource pool. (#​46453)
  • resource/aws_subnet: Fix expected ipv6_netmask_length to be one of [44 48 52 56 60], got 64 validation error (#​46515)

v6.32.1

BUG FIXES:

  • resource/aws_autoscaling_group: Fix couldn't find resource error during creation when waiting for capacity to be satisfied (#​46452)
  • resource/aws_cloudwatch_log_delivery: Fix s3_delivery_configuration.suffix_path losing AWS-added prefix on update (#​46455)
  • resource/aws_dynamodb_table: Fix perpetual diff when using key_schema with a single range key on a global secondary index (#​46442)
  • resource/aws_elasticache_replication_group: Fix false validation error when auth_token references another resource (#​46454)

v6.32.0

FEATURES:

  • New List Resource: aws_ecr_repository (#​46344)
  • New List Resource: aws_lambda_permission (#​46341)
  • New List Resource: aws_route (#​46370)
  • New List Resource: aws_route53_resolver_rule_association (#​46349)
  • New List Resource: aws_route_table (#​46337)
  • New List Resource: aws_s3_directory_bucket (#​46373)
  • New List Resource: aws_secretsmanager_secret (#​46318)
  • New List Resource: aws_secretsmanager_secret_version (#​46342)
  • New List Resource: aws_vpc_security_group_egress_rule (#​46368)
  • New List Resource: aws_vpc_security_group_ingress_rule (#​46367)
  • New Resource: aws_ec2_secondary_network (#​46408)
  • New Resource: aws_ec2_secondary_subnet (#​46408)

ENHANCEMENTS:

  • resource/aws_instance: Add secondary_network_interface argument (#​46408)
  • resource/aws_quicksight_data_set: Support use_as property to create special RLS rules dataset (#​42687)

BUG FIXES:

  • data-source/aws_odb_network_peering_connections: Fix plan phase failure of listing. (#​46384)
  • list-resource/aws_s3_bucket_policy: Now supports listing Bucket Policies for S3 Directory Buckets (#​46401)
  • resource/aws_athena_workgroup: Allows unsetting configuration.result_configuration or child attributes. (#​46427)
  • resource/aws_cloudfront_multitenant_distribution: Fix the "inconsistent result" error when custom_error_response is configured and custom_error_response.response_code and custom_error_response.response_page_path are omitted (#​46375)
  • resource/aws_grafana_workspace: Fix perpetual diff when network_access_control is configured with empty prefix_list_ids and vpce_ids (#​45637)

v6.31.0

NOTES:

  • resource/aws_s3_bucket_abac: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_abac: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_accelerate_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_accelerate_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_acl: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_acl: Removes expected_bucket_owner and acl attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_cors_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_cors_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_lifecycle_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_lifecycle_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_logging: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_logging: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_metadata_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_metadata_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_object_lock_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_object_lock_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_request_payment_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_request_payment_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_versioning: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_versioning: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)
  • resource/aws_s3_bucket_website_configuration: Deprecates expected_bucket_owner attribute. (#​46262)
  • resource/aws_s3_bucket_website_configuration: Removes expected_bucket_owner attribute from Resource Identity. (#​46272)

FEATURES:

  • New Data Source: aws_account_regions (#​41746)
  • New Ephemeral Resource: aws_ecrpublic_authorization_token (#​45841)
  • New List Resource: aws_cloudwatch_event_rule (#​46304)
  • New List Resource: aws_cloudwatch_event_target (#​46297)
  • New List Resource: aws_cloudwatch_metric_alarm (#​46268)
  • New List Resource: aws_iam_role_policy (#​46293)
  • New List Resource: aws_lambda_function (#​46295)
  • New List Resource: aws_s3_bucket_acl (#​46305)
  • New List Resource: aws_s3_bucket_policy (#​46312)
  • New List Resource: aws_s3_bucket_public_access_block (#​46309)
  • New Resource: aws_ssoadmin_customer_managed_policy_attachments_exclusive (#​46191)

ENHANCEMENTS:

  • resource/aws_odb_cloud_autonomous_vm_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45583)
  • resource/aws_opensearch_domain: Add serverless_vector_acceleration to aiml_options (#​45882)

BUG FIXES:

  • list-resource/aws_s3_bucket: Restricts listed buckets to expected region. (#​46305)
  • resource/aws_elasticache_replication_group: Fixed AUTH to RBAC migration. Previously, auth_token_update_strategy always required auth_token, which caused an error when migrating from AUTH to RBAC. Now, auth_token_update_strategy still requires auth_token except when auth_token_update_strategy is DELETE. (#​45518)
  • resource/aws_elasticache_replication_group: Fixed an issue with downscaling aws_elasticache_replication_group when cluster_mode="enabled" and num_node_groups is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes 0001, 0002, 0003, 0004, and 0005 exist, and a user manually removes 0003 and 0005, then sets num_node_groups = 2, terraform would attempt to delete 0003, 0004, and 0005. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. (#​45893)
  • resource/aws_elasticache_serverless_cache: Fix user_group_id removal during modification. (#​45571)
  • resource/aws_elasticache_serverless_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey (#​45087)
  • resource/aws_network_interface: Fix UnauthorizedOperation error when detaching resource that does not have an attachment (#​46211)

v6.30.0

FEATURES:

  • New Resource: aws_ssoadmin_managed_policy_attachments_exclusive (#​46176)

BUG FIXES:

  • resource/aws_dynamodb_table: Fix panic when global_secondary_index or global_secondary_index.key_schema are dynamic (#​46195)

v6.29.0

NOTES:

  • data-source/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_cloudfront_anycast_ip_list: Because we cannot easily test all this functionality, it is best effort and we ask for community help in testing (#​43331)
  • resource/aws_invoicing_invoice_unit: Deprecates region attribute, as the resource is global. (#​46185)
  • resource/aws_organizations_organization: Add return_organization_only argument to return only the results of the DescribeOrganization API and avoid API limits (#​40884)
  • resource/aws_savingsplans_savings_plan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing (#​45834)

FEATURES:

  • New Data Source: aws_arcregionswitch_plan (#​43781)
  • New Data Source: aws_arcregionswitch_route53_health_checks (#​43781)
  • New Data Source: aws_organizations_entity_path (#​45890)
  • New Data Source: aws_resourcegroupstaggingapi_required_tags (#​45994)
  • New Data Source: aws_s3_bucket_object_lock_configuration (#​45990)
  • New Data Source: aws_s3_bucket_replication_configuration (#​42662)
  • New Data Source: aws_s3control_access_points (#​45949)
  • New Data Source: aws_s3control_multi_region_access_points (#​45974)
  • New Data Source: aws_savingsplans_savings_plan (#​45834)
  • New Data Source: aws_wafv2_managed_rule_group (#​45899)
  • New List Resource: aws_appflow_connector_profile (#​45983)
  • New List Resource: aws_appflow_flow (#​45980)
  • New List Resource: aws_cleanrooms_collaboration (#​45953)
  • New List Resource: aws_cleanrooms_configured_table (#​45956)
  • New List Resource: aws_cloudfront_key_value_store (#​45957)
  • New List Resource: aws_opensearchserverless_collection (#​46001)
  • New List Resource: aws_route53_record (#​46059)
  • New List Resource: aws_s3_bucket (#​46004)
  • New List Resource: aws_s3_object (#​46002)
  • New List Resource: aws_security_group (#​46062)
  • New Resource: aws_apigatewayv2_routing_rule (#​42961)
  • New Resource: aws_arcregionswitch_plan (#​43781)
  • New Resource: aws_cloudfront_anycast_ip_list (#​43331)
  • New Resource: aws_notifications_managed_notification_account_contact_association (#​45185)
  • New Resource: aws_notifications_managed_notification_additional_channel_association (#​45186)
  • New Resource: aws_notifications_organizational_unit_association (#​45197)
  • New Resource: aws_notifications_organizations_access (#​45273)
  • New Resource: aws_opensearch_application (#​43822)
  • New Resource: aws_ram_permission (#​44114)
  • New Resource: aws_ram_resource_associations_exclusive (#​45883)
  • New Resource: aws_sagemaker_labeling_job (#​46041)
  • New Resource: aws_sagemaker_model_card (#​45993)
  • New Resource: aws_sagemaker_model_card_export_job (#​46009)
  • New Resource: aws_savingsplans_savings_plan (#​45834)
  • New Resource: aws_sesv2_tenant_resource_association (#​45904)
  • New Resource: aws_vpc_security_group_rules_exclusive (#​45876)

ENHANCEMENTS:

  • aws_api_gateway_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • aws_apigatewayv2_domain_name: Add routing_mode argument to support dynamic routing via routing rules (#​42961)
  • data-source/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • data-source/aws_dynamodb_table: Add global_secondary_index.key_schema attribute (#​46157)
  • data-source/aws_networkmanager_core_network_policy_document: Add segment_actions.routing_policy_names argument (#​45928)
  • data-source/aws_s3_object: Add body_base64 and download_body attributes. For improved performance, set download_body = false to ensure bodies are never downloaded (#​46163)
  • data-source/aws_vpc_ipam_pool: Add source_resource attribute (#​44705)
  • resource/aws_batch_job_definition: Add allow_privilege_escalation attribute to eks_properties.pod_properties.containers.security_context (#​45896)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_data_automation_configuration block (#​45966)
  • resource/aws_bedrockagent_data_source: Add vector_ingestion_configuration.parsing_configuration.bedrock_foundation_model_configuration.parsing_modality argument (#​46056)
  • resource/aws_docdb_cluster_instance: Add certificate_rotation_restart argument (#​45984)
  • resource/aws_dynamodb_table: Add support for multi-attribute keys in global secondary indexes. Introduces hash_keys and range_keys to the gsi block and makes hash_key optional for backwards compatibility. (#​45357)
  • resource/aws_dynamodb_table: Adds warning when stream_view_type is set and stream_enabled is either false or unset. (#​45934)
  • resource/aws_ecr_account_setting: Add support for BLOB_MOUNTING account setting name with ENABLED and DISABLED values (#​46092)
  • resource/aws_fsx_windows_file_system: Add domain_join_service_account_secret argument to self_managed_active_directory configuration block (#​45852)
  • resource/aws_fsx_windows_file_system: Change self_managed_active_directory.password to Optional and self_managed_active_directory.username to Optional and Computed (#​45852)
  • resource/aws_invoicing_invoice_unit: Adds resource identity support. (#​46185)
  • resource/aws_invoicing_invoice_unit: Adds validation to restrict rules to a single element. (#​46185)
  • resource/aws_lambda_function: Increase upper limit of memory_size from 10240 MB to 32768 MB (#​46065)
  • resource/aws_launch_template: Add network_performance_options argument (#​46071)
  • resource/aws_odb_network: Enhancements to support KMS and STS parameters in CreateOdbNetwork and UpdateOdbNetwork. (#​45636)
  • resource/aws_opensearchserverless_collection: Add resource identity support (#​45981)
  • resource/aws_osis_pipeline: Updates pipeline_configuration_body maximum length validation to 2,621,440 bytes to align with AWS API specification. (#​44881)
  • resource/aws_sagemaker_endpoint: Retry IAM eventual consistency errors on Create (#​45951)
  • resource/aws_sagemaker_monitoring_schedule: Add monitoring_schedule_config.monitoring_job_definition argument (#​45951)
  • resource/aws_sagemaker_monitoring_schedule: Make monitoring_schedule_config.monitoring_job_definition_name argument optional (#​45951)
  • resource/aws_vpc_ipam_pool: Add source_resource argument in support of provisioning of VPC Resource Planning Pools (#​44705)
  • resource/aws_vpc_ipam_resource_discovery: Add organizational_unit_exclusion argument (#​45890)
  • resource/aws_vpc_subnet: Add ipv4_ipam_pool_id, ipv4_netmask_length, ipv6_ipam_pool_id, and ipv6_netmask_length arguments in support of provisioning of subnets using IPAM (#​44705)
  • resource/aws_vpc_subnet: Change ipv6_cidr_block to Optional and Computed (#​44705)

BUG FIXES:

  • data-source/aws_ecr_lifecycle_policy_document: Add rule.action.target_storage_class and rule.selection.storage_class to JSON serialization (#​45909)
  • data-source/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
  • data-source/aws_networkmanager_core_network_policy_document: Fix panic when attachment_routing_policy_rules.action.associate_routing_policies is empty (#​46160)
  • provider: Fix crash when using custom S3 endpoints with non-standard region strings (e.g., S3-compatible storage like Ceph or MinIO) (#​46000)
  • provider: When importing resources with region defined, in AWS European Sovereign Cloud, prevent failing due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_athena_workgroup: Fix error when removing configuration.result_configuration.encryption_configuration argument (#​46159)
  • resource/aws_bcmdataexports_export: Fix Provider produced inconsistent result after apply error when querying CARBON_EMISSIONS table without table_configurations (#​45972)
  • resource/aws_bedrock_inference_profile: Fixed forced replacement following import when model_source is set (#​45713)
  • resource/aws_billing_view: Fix handling of data_filter_expression (#​45293)
  • resource/aws_cloudformation_stack_set: Fix perpetual diff when using auto_deployment with permission_model set to SERVICE_MANAGED (#​45992)
  • resource/aws_cloudfront_distribution: Fix runtime error: invalid memory address or nil pointer dereference panic when mistakenly importing a multi-tenant distribution (#​45873)
  • resource/aws_cloudfront_distribution: Prevent mistakenly importing a multi-tenant distribution (#​45873)
  • resource/aws_cloudfront_multitenant_distribution: Fix "specified origin server does not exist or is not valid" errors when attempting to use Origin Access Control (OAC) (#​45977)
  • resource/aws_cloudfront_multitenant_distribution: Fix origin_group to use correct id attribute name and fix field mapping to resolve missing required field errors (#​45921)
  • resource/aws_cloudwatch_event_rule: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_config_configuration_recorder: Fix InvalidRecordingGroupException: The recording group provided is not valid errors when the recording_group.exclusion_by_resource_type or recording_group.recording_strategy argument is removed during update (#​46110)
  • resource/aws_datazone_environment_profile: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_dynamodb_table: Fix perpetual diff for warm_throughput in global_secondary_index when not set in configuration. (#​46094)
  • resource/aws_dynamodb_table: Fixes error when name is known after apply (#​45917)
  • resource/aws_eks_cluster: Fix kubernetes_network_config argument name in EKS Auto Mode validation error message (#​45997)
  • resource/aws_emrserverless_application: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_lakeformation_permissions: Remove incorrect validation from catalog_id, data_location.catalog_id, database.catalog_id, lf_tag_policy.catalog_id, table.catalog_id, and table_with_columns.catalog_id arguments (#​43931)
  • resource/aws_lambda_event_source_mapping: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_lambda_invocation: Fix panic when deleting or replacing resource with empty input in CRUD lifecycle scope (#​45967)
  • resource/aws_lambda_permission: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_lb_target_group: Fix update error when switching health_check.protocol from HTTP to TCP when protocol is TCP (#​46036)
  • resource/aws_multitenant_cloudfront_distribution: Prevent mistakenly importing a standard distribution (#​45873)
  • resource/aws_networkfirewall_firewall_policy: Support partner-managed rule groups via firewall_policy.stateful_rule_group_reference.resource_arn (#​46124)
  • resource/aws_odb_network: Fix delete_associated_resources being set when value is unknown (#​45636)
  • resource/aws_pipes_pipe: Prevent failing on AWS European Sovereign Cloud regions due to region validation requiring region names to start with "[a-z]{2}-" (#​45895)
  • resource/aws_placement_group: Correct validation of partition_count (#​45042)
  • resource/aws_rds_cluster: Properly set iam_database_authentication_enabled when restored from snapshot (#​39461)
  • resource/aws_redshift_cluster: Changing port now works. (#​45870)
  • resource/aws_redshiftserverless_workgroup: Fix ValidationException: Base capacity cannot be updated when PerformanceTarget is Enabled error when updating price_performance_target and base_capacity (#​46137)
  • resource/aws_route53_health_check: Mark regions argument as Computed to fix an unexpected regions diff when it is not specified (#​45829)
  • resource/aws_route53_zone: Fix InvalidChangeBatch errors during ForceNew operations when zone name changes (#​45242)
  • resource/aws_route53_zone: Fixes error where Delete would fail if the remote resource had already been deleted. (#​45985)
  • resource/aws_route53profiles_resource_association: Fix Invalid JSON String Value error on initial apply and ConflictException on subsequent apply when associating Route53 Resolver Query Log Configs (#​45958)
  • resource/aws_route53recoverycontrolconfig_control_panel: Fix crash when create returns an error (#​45954)
  • resource/aws_s3_bucket: Fix bucket creation with tags in non-commercial AWS regions by handling UnsupportedArgument errors during tag-on-create operations (#​46122)
  • resource/aws_s3_bucket: Fix tag read and update operations in non-commercial AWS regions by handling MethodNotAllowed errors when S3 Control APIs are unavailable (#​46122)
  • resource/aws_servicecatalog_portfolio_share: Support organization and OU IDs in addition to ARNs for GovCloud compatibility (#​39863)
  • resource/aws_subnet: Mark ipv6_cidr_block as ForceNew when the existing IPv6 subnet was created with assign_ipv6_address_on_create = true (#​46043)
  • resource/aws_vpc_endpoint: Fix persistent diffs caused by case differences in ip_address_type (#​45947)

v6.28.0

NOTES:

  • resource/aws_dynamodb_global_secondary_index: This resource type is experimental. The schema or behavior may change without notice, and it is not subject to the backwards compatibility guarantee of the provider. (#​44999)

FEATURES:

  • New Data Source: aws_cloudfront_connection_group (#​44885)
  • New Data Source: aws_cloudfront_distribution_tenant (#​45088)
  • New List Resource: `aws

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Renovatebot and dependabot updates terraform labels Feb 26, 2026
@renovate renovate bot force-pushed the renovate/major-terraform branch from b561ecc to 151783f Compare February 27, 2026 10:52
@github-actions

github-actions bot commented Feb 27, 2026



✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ AWS instances and related resources are showing infrequent updates with only 1 event/week for the last 2 months, which is unusual compared to typical patterns.
Policies 🔴 ▃▂▁ Multiple S3 buckets are missing required tags and server-side encryption, while security groups allow SSH access from anywhere, which is a security risk.



🔥 Risks

Replacing the only target attachment will leave the 9090 NLB with zero backends, causing brief traffic loss and health flapping ❗Medium Open Risk ↗
The internal NLB listener on port 9090 forwards exclusively to target group api-health-terraform-example, which currently has a single registered target 10.0.101.177:9090. This change replaces the target group attachment resource for that IP.

When applied, the attachment will be detached and then re-attached, leaving the target group with no registered targets in the interim. During that window, connections through the NLB will fail and health will flap, driving UnHealthyHostCount and related CloudWatch/Route53 alerts.


🧠 Reasoning · ✖ 4 · ✔ 1

ALB/ELB target group attachment replacement affecting backend routing and health

Observations 17

Hypothesis

Changes to target group attachments for an internal or internet-facing load balancer can modify which IPs or instances are registered as targets, causing listener rules to forward traffic to different, unhealthy, or missing endpoints. In this environment, repeatedly replacing the aws_lb_target_group_attachment.api_server_ip for the api-health/API server target group changes registration of IP 10.0.101.177:9090, which can momentarily deregister or recreate the target. This leads to transient loss of load-balanced traffic to that IP, health flapping, increased UnHealthyHostCount, and potential Route53 health-check–driven failover or CloudWatch alarms. Resulting effects include temporary downtime, altered routing within the VPC, and noisy or misleading health metrics and alerts while registration churning occurs.

Investigation

Evidence Gathered

  • Reviewed planned changes: the resource github.com/overmindtech/terraform-example.aws_lb_target_group_attachment.module.api_access[0].aws_lb_target_group_attachment.api_server_ip is marked ITEM_DIFF_STATUS_REPLACED with an empty diff, indicating a forced replacement by the provider. Also noted unrelated EC2/NAT updates, but no changes to the NLB, listener, or target group themselves.
  • Queried current state (blast radius): Target group 540044833068.eu-west-2.elbv2-target-group.api-health-terraform-example is a TCP 9090 IP-type TG on VPC vpc-096b686376892bb49, fronted by the internal NLB mon-internal-terraform-example listener on port 9090. Its only listed registered target is IP 10.0.101.177:9090, and its health is currently healthy. Listener default action forwards exclusively to this TG. CloudWatch/Route53 health check resources and alarms are present in the blast radius, indicating monitoring will react to target health changes.
  • Verified no additional targets surfaced in the TG via relationships shown in blast radius; only one elbv2-target-health item is associated with the TG.

Impact Assessment

  • Directly affected service: the internal NLB mon-internal-terraform-example (network, scheme=internal) with a single backend target in TG api-health-terraform-example. Count of registered targets: 1 (10.0.101.177:9090).
  • During apply, replacing the aws_lb_target_group_attachment for the same target requires detaching before re-attaching because a duplicate attachment of the same target cannot be created concurrently. This will temporarily leave the TG with zero registered targets.
  • Operational consequence: while the target is detached, all connections routed via the NLB listener on port 9090 will have no healthy backend, causing connection failures for any clients using this internal endpoint. Health will flap from healthy to unhealthy and back, likely incrementing UnHealthyHostCount and triggering CloudWatch alarms; Route53 health checks that depend on this path could also flip, causing noisy or misleading failover signals.
  • Scope: limited to traffic that depends on the internal NLB listener on 9090 in eu-west-2; external ALB-backed traffic on the separate HTTP target group is unaffected.

Conclusion

Risk is real. The plan replaces the sole target group attachment for IP 10.0.101.177:9090. Because the TG currently has only that single target and the listener forwards exclusively to it, the detach/reattach sequence will create a brief zero-target window, interrupting load-balanced traffic and causing health/alert flapping.

✔ Hypothesis proven


NAT Gateway updates impacting private subnet egress and DNS/IP associations

Observations 11

Hypothesis

Changes to NAT Gateways nat-019b2865124bca19d and nat-0bcff9aa2633b680e may alter their ENI and Elastic IP associations and routing behavior, affecting outbound internet connectivity for private subnets and any DNS entries relying on their addresses. Private subnet 10.0.102.0/24 and subnet subnet-0c5bac530d4e52739, as well as subnet subnet-09605cfe202ef69e7, route via these NAT gateways through route tables rtb-0fa8d71472f3214bd and rtb-0fd627aea94dee6ea. Updates may change or disrupt use of ENIs eni-030542fb12761bd4f and eni-0c502e..., private IP 10.0.102.25, and public IP 13.42.93.249, breaking egress, invalidating DNS record global.dns.ip-10-0-102-25.eu-west-2.compute.internal and any records pointing at 13.42.93.249, and causing downtime for instances (e.g., i-060c5af731ee54cc9) depending on these NAT gateways for internet access. During update windows, changes to NAT state or attachment can temporarily or permanently cause egress failures for subnets using routes to nat-0bcff9aa2633b680e or nat-019b2865124bca19d, disrupting outbound traffic, software updates, external API calls, and DNS resolution that requires external connectivity. NAT updates in subnets such as subnet-0c5bac530d4e52739 can also indirectly affect ALB behavior if health checks or backends rely on stable egress paths.

Investigation

Evidence Gathered

  • Reviewed planned changes for both NAT Gateways and related resources using planned-changes-query:
    • 540044833068.eu-west-2.ec2-nat-gateway.nat-0bcff9aa2633b680e → status updated, no diffs shown.
    • 540044833068.eu-west-2.ec2-nat-gateway.nat-019b2865124bca19d → status updated, no diffs shown.
    • 540044833068.eu-west-2.ec2-address.13.134.236.98 (EIP on an instance, not a NAT) → status updated, no diffs.
    • No planned changes listed for NAT EIPs 13.42.93.249 or 52.56.230.253.
  • Queried current state via blast-radius-query for NATs, ENIs, EIPs, subnets, and route tables:
    • nat-0bcff9aa2633b680e is available in subnet-07b5b1fb2ba02f964 with ENI eni-0c502e5a8c20f4df7, private IP 10.0.101.182, EIP 13.42.93.249 associated and in-use.
    • nat-019b2865124bca19d is available in subnet-0c5bac530d4e52739 with ENI eni-030542fb12761bd4f, private IP 10.0.102.25, EIP 52.56.230.253 associated and in-use.
    • Route tables:
      • rtb-0fd627aea94dee6ea routes 0.0.0.0/0 to nat-0bcff9aa2633b680e and is associated to subnet-09605cfe202ef69e7.
      • rtb-0fa8d71472f3214bd routes 0.0.0.0/0 to nat-019b2865124bca19d and is associated to subnet-025746ecaa54aec58.
    • ENI/DNS:
      • eni-030542fb12761bd4f has private DNS global.dns.ip-10-0-102-25.eu-west-2.compute.internal (10.0.102.25) and public DNS for 52.56.230.253.
      • eni-0c502e5a8c20f4df7 has private DNS ip-10-0-101-182… and public DNS for 13.42.93.249.
  • No diffs indicate replacement, EIP re-association, subnet move, or route table changes. The only actual resource replacement in the plan is an EC2 instance (i-06cf927a3103fd613), unrelated to NAT egress.

Impact Assessment

  • NAT Gateways affected by the hypothesis: 2 (nat-0bcff9aa2633b680e, nat-019b2865124bca19d).
  • Current routing shows two private subnets using these NATs via rtb-0fd627aea94dee6ea (subnet-09605cfe202ef69e7) and rtb-0fa8d71472f3214bd (subnet-025746ecaa54aec58). No planned route changes are present, so egress paths remain stable.
  • Egress-identifying EIPs that external services might allowlist: 13.42.93.249 and 52.56.230.253. Neither appears in planned changes and both remain attached to their respective NAT ENIs.
  • The DNS record cited for 10.0.102.25 corresponds to the NAT’s ENI private DNS, which is auto-managed and not being altered by this plan. No downstream ALB health checks or services are configured to depend on NAT IP/DNS stability in the diffs.
  • Expected disruption: none. No resources lose their default route, no NAT is replaced, and no EIP is re-bound. Therefore, zero instances or services should experience outbound connectivity loss due to this change.

Conclusion

Risk not real. The plan contains no functional changes to the NAT Gateways, their ENIs/EIPs, or the route tables that direct private subnet egress. Both NATs remain available with the same ENIs and EIPs, and the default routes remain pointed at the same NAT IDs. The hypothesis is speculative in this context and not supported by the diffs.

✖ Hypothesis disproven


Elastic IP association changes affecting external connectivity and DNS

Observations 8

Hypothesis

Updates to Elastic IP 13.134.236.98 (540044833068.eu-west-2.ec2-address.13.134.236.98) and related allocations can change associations with ENIs eni-0312952a951e151ed, eni-09c9f293fedb9b074, eni-0437deef1a093b6fd, and eni-0c502e5a8c20f4df7, as well as public IPs such as 18.132.111.118 and 18.135.143.108. If these EIP associations or allocations are reassigned or removed, DNS entries and services depending on these public IPs may lose connectivity or resolve incorrectly. This impacts any external traffic (including ALB-managed endpoints and other public-facing services) that rely on stable public IP/DNS mappings backed by these EIPs and ENIs.

Investigation

Evidence Gathered

  • Reviewed planned changes for the resources involved:
    • 540044833068.eu-west-2.ec2-address.13.134.236.98 → change type: updated, but the diff is empty, indicating no attribute-level change is planned for the EIP itself.
    • 540044833068.eu-west-2.ec2-instance.i-06cf927a3103fd613 → change type: replaced; AMI changes from ami-0c2b0adc4f380c44c to ami-0143609a368a2265a. This implies the instance will be recreated.
    • NAT gateways nat-0bcff9aa2633b680e and nat-019b2865124bca19d → change type: updated, with empty diffs.
    • github.com/overmindtech/terraform-example.aws_lb_target_group_attachment.module.api_access[0].aws_lb_target_group_attachment.api_server_ip → change type: replaced, but diff is empty (likely driven by the instance replacement).
  • Queried current state (blast radius) for EIPs and ENIs:
    • 13.134.236.98 is currently associated to ENI eni-0312952a951e151ed on instance i-06cf927a3103fd613 (private IP 10.0.101.177). Tags: Name=production-api-eip, Environment=production. Domain=vpc.
    • 18.132.111.118 is ServiceManaged by ALB on ENI eni-0437deef1a093b6fd (private IP 10.0.102.167). No planned changes reference this EIP.
    • 18.135.143.108 is ServiceManaged by ALB on ENI eni-09c9f293fedb9b074 (private IP 10.0.101.75). No planned changes reference this EIP.
    • 13.42.93.249 is associated to the NAT gateway interface eni-0c502e5a8c20f4df7. NAT gateway shows an empty diff update.
    • 52.56.230.253 is associated to eni-030542fb12761bd4f; no planned change to this EIP.
    • The ALB api-207c90ee-alb is internet-facing and healthy; its public addressing is via the ServiceManaged ALB EIPs above, which are not in the plan's modified resources.
  • No Route53 or other customer-managed DNS records tied directly to these EIPs are shown in the plan; the DNS entries listed are AWS-provided hostnames that resolve to the same EIPs and would remain correct if the EIP itself does not change.

Impact Assessment

  • Directly touched public EIPs by this plan: 1 (13.134.236.98), and its diff is empty. Other public EIPs cited in the hypothesis (18.132.111.118, 18.135.143.108, 13.42.93.249, 52.56.230.253) are not being modified by the plan.
  • The only disruptive operation is the replacement of instance i-06cf927a3103fd613 to a new AMI. Terraform routinely re-associates the same EIP to the new instance/ENI; the EIP resource itself is not being destroyed or recreated. This preserves the public IP and its AWS-provided DNS name (ec2-13-134-236-98.eu-west-2.compute.amazonaws.com).
  • ALB-managed public connectivity (18.132.111.118, 18.135.143.108) is unaffected, as those EIPs are ServiceManaged by ALB and not changing in the plan. NAT gateway egress EIPs show no attribute changes, so internal egress stability is preserved.
  • At worst, there may be a brief interruption during instance replacement and target-group reattachment, but there is no evidence of EIP reassignment to a different service, removal of allocations, or DNS mis-pointing. Scope of any transient impact would be limited to the single instance behind 13.134.236.98 and would not affect ALB endpoints.

Conclusion

Risk not real. The hypothesis predicts loss of external connectivity or incorrect DNS resolution due to EIP association changes across multiple EIPs/ENIs, but the plan only replaces one instance and shows no concrete EIP allocation/association changes beyond an empty-diff update to 13.134.236.98. The ALB-managed and NAT gateway EIPs are not being modified. Therefore, there is no evidence of the long-lived DNS or connectivity breakage described.

✖ Hypothesis disproven


EC2 instance replacement and AMI/config changes impacting workloads and dependencies

Observations 9

Hypothesis

Replacement of EC2 instance i-06cf927a3103fd613 with a new AMI (ami-0143609a368a2265a) and changes to attributes such as force_destroy and hibernation can alter runtime behavior, OS/kernel, packages, architecture compatibility, and instance lifecycle handling. Instance termination and recreation may impact attached ENIs, EIPs, DNS records, security groups, EBS volumes (e.g., vol-0eb85477ca52c89a3), and CloudWatch metrics. Network attachment changes (ENI detachment/reattachment or reassignment) can change or remove private IPs such as 10.0.101.177 and 10.0.101.75, breaking ELB/ALB target registrations that point at those IPs and disrupting traffic to services (e.g., on port 9090). Replacement may also detach or reassign ENIs such as eni-09c9f293fedb9b074 and their EIPs (e.g., 18.135.143.108), causing DNS A records pointing to those public IPs to resolve to unreachable or changed backends and impacting traffic to ALB endpoints and other consumers.

Investigation

Evidence Gathered

  • Reviewed the planned diff for EC2 instance i-06cf927a3103fd613: it is being replaced and its AMI changes from ami-0c2b0adc4f380c44c to ami-0143609a368a2265a; force_destroy becomes false; hibernation becomes null; instance type remains t4g.nano. No security-group, subnet, or port changes are shown. (Planned change: 540044833068.eu-west-2.ec2-instance.i-06cf927a3103fd613.)
  • Checked live state of the instance prior to change: current AMI is ami-0c2b0adc4f380c44c, architecture arm64, root volume vol-0eb85477ca52c89a3 with DeleteOnTermination=true, primary ENI eni-0312952a951e151ed on private IP 10.0.101.177, and associated EIP 13.134.236.98. Security groups are sg-089e5107637083db5 and sg-03cf38efd953aa056. (Blast radius queries.)
  • Verified the new AMI ami-0143609a368a2265a exists and is Amazon Linux 2023 arm64, which is architecture-compatible with t4g.nano. (Live Query: ec2-image ami-0143609a368a2265a.)
  • Observed planned changes include an update to the EIP resource 13.134.236.98 and a replacement of aws_lb_target_group_attachment.api_server_ip, indicating Terraform will re-associate the EIP to the new primary ENI and update the IP-based target registration accordingly. (Planned changes list.)
  • Checked current load balancing: target group api-health-terraform-example (target type ip, TCP 9090) currently has healthy target 10.0.101.177:9090. (Blast radius elbv2-target-group and elbv2-target-health.)
  • Validated that ALB/NLB interface eni-09c9f293fedb9b074 with EIP 18.135.143.108 belongs to the load balancer, not to the EC2 instance being replaced. Its association is independent of the instance change. (Blast radius for the ENI and EIP.)

Impact Assessment

  • Directly affected by replacement: 1 EC2 instance (i-06cf927a3103fd613), 1 primary ENI (eni-0312952a951e151ed), 1 EIP (13.134.236.98), and 1 IP-based target group attachment (api-health-terraform-example -> 10.0.101.177:9090).
  • Downstream dependencies: the NLB mon-internal-terraform-example that targets the IP address; consumers of the EIP 13.134.236.98.
  • Expected behavior given the plan: Terraform will replace the instance, re-associate EIP 13.134.236.98 to the new primary ENI, and replace the target group attachment so the new private IP is registered on port 9090. The ALB/NLB’s own ENI and EIP (18.135.143.108) are unrelated to the instance and remain attached to the load balancer.
  • Potential transient effects: brief health-check blips are possible during replacement, but there is no concrete evidence in the diffs of a lasting breakage such as port mismatch, security group restriction, wrong architecture, or a dangling target registration. Architecture remains arm64, port 9090 stays consistent on the target group, and the plan explicitly updates both the EIP and the target group attachment to follow the new instance.

Conclusion

Not a real risk. The change replaces the instance but also updates the EIP association and replaces the IP-based target group attachment, preserving reachability and health checks. The new AMI is architecture-compatible with the existing t4g.nano, and no conflicting configuration changes (ports, SGs, VPC/subnet, or listener rules) are present.

✖ Hypothesis disproven


EC2 force_destroy behavior blocking automated teardown and leaving orphaned or stale resources

Observations 5

Hypothesis

Changing EC2 instance resource configuration to set force_destroy from null to false introduces stricter deletion behavior, preventing force deletion of associated resources such as EBS volumes and ENIs during instance destroy. This can cause automation or pipeline failures when destroying instances, leave orphaned volumes and ENIs that continue to incur cost, and require manual cleanup, impacting operational workflows that assume full teardown of dependent storage and networking. It may also delay or prevent instance termination and deregistration from ALB/ELB target groups, leading to stale targets, altered deregistration timing, and routing issues during decommission or replacement processes; this can distort target health metrics and alarms or cause them not to reflect actual service state.

Investigation

Evidence Gathered

  • Reviewed the planned diff for 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123: the only change is force_destroy: null -> false.
  • Queried current state of the instance i-09d6479fb9b97d123. Its root block device /dev/xvda is an EBS volume vol-090e750179b5fa681 with DeleteOnTermination: true.
  • Queried the primary ENI eni-0a8dc8648170059f4 attached at device index 0; the attachment shows DeleteOnTermination: true.
  • Checked ELB target group api-207c90ee-tg and target health for this instance; the instance is currently healthy on port 80 and there are no planned changes to the TG itself in the provided diff for this instance.
  • Attempted to query the EBS volume directly by GUN; not present in the precomputed blast snapshot, but the instance’s own BlockDeviceMappings confirm the volume id and DeleteOnTermination behavior.

Impact Assessment

  • Directly affected compute: 1 EC2 instance (api-207c90ee-api-server, i-09d6479fb9b97d123).
  • Attached resources: 1 root EBS volume (vol-090e750179b5fa681, DeleteOnTermination: true); 1 primary ENI (eni-0a8dc8648170059f4, attachment DeleteOnTermination: true). No additional data volumes are present in BlockDeviceMappings.
  • Load balancing: 1 ALB target group membership (api-207c90ee-tg on port 80) with current health = healthy. No evidence of configuration changes that would alter deregistration timing or cause stale targets.
  • Because both the root EBS volume and the primary ENI are set to be deleted on instance termination, standard termination will clean up these dependencies. Therefore, the hypothesized outcomes—blocked teardown, orphaned volumes/ENIs, or stale ALB targets—do not follow from the observed configuration or the provided diff.

Conclusion

Risk not real. The only planned change is setting force_destroy from null to false, while deletion of the instance’s dependent resources is already governed by DeleteOnTermination=true on both the root EBS volume and the ENI attachment. With these flags set, termination will remove the attached resources and not leave orphans, so the hypothesized automation failures or stale ALB targets are not supported by the evidence.

✖ Hypothesis disproven


💥 Blast Radius

Items 135

Edges 218


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 34 · Edges 128



@renovate renovate bot force-pushed the renovate/major-terraform branch from 151783f to 94f0e85 Compare February 27, 2026 15:02

@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 74 · Edges 219



@renovate renovate bot force-pushed the renovate/major-terraform branch from 94f0e85 to 637e190 Compare March 3, 2026 21:32

@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 67 · Edges 205



@renovate renovate bot force-pushed the renovate/major-terraform branch from 637e190 to ac1faaf Compare March 4, 2026 21:54

@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 40 · Edges 146



@renovate renovate bot force-pushed the renovate/major-terraform branch from ac1faaf to d60cbfe Compare March 5, 2026 23:37

@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 31 · Edges 161



@renovate renovate bot force-pushed the renovate/major-terraform branch from d60cbfe to 86db8b5 Compare March 10, 2026 22:06

@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 135 · Edges 218


