TL;DR
* Introduced six new resources to the provider, including aws_ec2_secondary_network, aws_ec2_secondary_subnet, and aws_s3_bucket_lifecycle_configuration.
* Enabled in-place updates for aws_instance CPU options, specifically core_count, nested_virtualization, and threads_per_core.
* Resolved multiple crash and consistency errors across aws_iam_policy_document, aws_billing_view, and aws_autoscaling_group.
* Added tagging and metadata configuration support for several aws_bedrockagentcore resources.
* Expanded aws_memorydb_cluster configurations by adding network_type and ip_discovery attributes.
Editor's Note: We see this release as a solid routine update that expands core EC2 and S3 resource coverage while resolving several frustrating state consistency bugs. The introduction of in-place CPU option updates for EC2 instances aligns with AWS's broader push toward minimizing instance replacement overhead. If you manage EC2 instances, check your modules to ensure you leverage these new in-place update capabilities rather than forcing unnecessary recreations.
What Changed
#### Feature
* New Resources: Added aws_ec2_secondary_network, aws_ec2_secondary_subnet, aws_ecr_task_definition, aws_elb, aws_s3_bucket_lifecycle_configuration, and aws_networkmanager_prefix_list_association.
* aws_instance: Allowed cpu_options.core_count, cpu_options.nested_virtualization, and cpu_options.threads_per_core to be updated in-place.
* aws_grafana_workspace: Added the kms_key_id argument and attribute.
* aws_memorydb_cluster: Added network_type and ip_discovery arguments.
* aws_athena_workgroup: Added the configuration.query_results_s3_access_grants_configuration argument.
* aws_bedrockagentcore_api_key_credential_provider: Added tagging support.
* aws_bedrockagentcore_oauth2_credential_provider: Added tagging support.
* aws_bedrockagentcore_gateway_target: Added the metadata_configuration block to support HTTP header and query parameter propagation.
* aws_cloudwatch_event_connection: Added the auth_parameters.connectivity_parameters argument.
* aws_ecs_service: Added the service_connect_configuration.access_log_configuration argument and resource identity support.
* aws_eip_domain_name: Added import support.
* aws_lb_target_group_attachment: Added import support and resource identity.
* aws_opensearch_domain: Added the jwt_options attribute.
* aws_wafv2_web_acl_rule_group_association: Added support for managed_rule_group_configs within managed_rule_group and a root-level visibility_config block for CloudWatch metrics configuration.
#### Behavior
* aws_dms_endpoint: Added the missing mongodb_settings.use_update_lookup attribute to fix an "invalid address to set" error.
* aws_iam_policy_document: Fixed a crash that occurred when statement.principals.identifiers contained a non-string value.
* aws_autoscaling_group: Fixed "couldn't find resource (21 retries)" errors when updating load_balancers, target_group_arns, and traffic_source.
* aws_bedrockagentcore_gateway_target: Added credential_provider_configuration.oauth.default_return_url and credential_provider_configuration.oauth.grant_type arguments; added retries for IAM eventual consistency errors on Create.
* aws_billing_view: Fixed "inconsistent result after apply" errors caused by the ordering of data_filter_expression.dimensions.values.
* aws_s3tables_table_bucket: Changed encryption_configuration to Optional and Computed, fixing unexpected new value errors related to kms_key_arn and sse_algorithm.
* aws_subnet: Fixed IPv6 CIDR block validation and assignment to IPAM-provisioned subnets.
* aws_vpc_endpoint: Fixed InvalidParameter errors regarding PrivateDnsOnlyForInboundResolverEndpoint when creating S3Tables VPC endpoints.
* aws_s3_object: Updated list-resource behavior to include the parent bucket in the display name.
Who's Impacted
* If you manage EC2 instances, you can now update CPU options without triggering a resource recreation.
* If you provision S3Tables VPC endpoints, you will no longer encounter InvalidParameter errors related to PrivateDnsOnlyForInboundResolverEndpoint.
* If you use aws_iam_policy_document with non-string values in principal identifiers, you will no longer experience provider crashes during plan or apply phases.
Action Checklist
* aws_ec2_secondary_network resource.
* aws_ec2_secondary_subnet resource for your VPC configurations.
* aws_elb resource if applicable.
* aws_s3_bucket_lifecycle_configuration resource.
* aws_instance modules to take advantage of in-place updates for cpu_options.
* kms_key_id to existing aws_grafana_workspace resources to enforce encryption.
* network_type and ip_discovery on aws_memorydb_cluster resources where needed.
* query_results_s3_access_grants_configuration for aws_athena_workgroup if using S3 access grants.
* aws_bedrockagentcore_api_key_credential_provider and oauth2_credential_provider resources.
* metadata_configuration on aws_bedrockagentcore_gateway_target for HTTP header propagation.
* service_connect_configuration.access_log_configuration on aws_ecs_service resources.
* aws_eip_domain_name resources into your Terraform state.
* aws_lb_target_group_attachment resources into your Terraform state.
* aws_opensearch_domain configurations to include jwt_options if using JWT authentication.
* visibility_config to aws_wafv2_web_acl_rule_group_association to enable CloudWatch metrics.
* aws_dms_endpoint deployments no longer throw "invalid address to set" errors.
* aws_autoscaling_group updates to load balancers succeed without retry timeouts.
* aws_billing_view resources for resolved "inconsistent result after apply" errors.
* aws_subnet IPv6 CIDR block assignments for IPAM-provisioned subnets.
Verification
Sources:
* [Release v6.34.0](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.34.0)
* [Release v6.33.0](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.33.0)
Verified At: 2026-02-26T00:38:55.947185+00:00