Impact Assessment
Severity: Moderate
This update introduces several new resources—ranging from core infrastructure like load balancers to specialized SageMaker MLflow applications—while resolving state ordering issues in Cost Explorer configurations. It also removes hardcoded quota limits for ElastiCache and fixes deployment blockers for DMS Oracle endpoints, enabling more flexible scaling and reliable provisioning.
Detailed Breakdown
#### Core Infrastructure Resource Additions
* What changed: The provider introduces support for several foundational resources: aws_ecs_service, aws_lb, aws_lb_listener, aws_lb_listener_rule, aws_lb_target_group, aws_sns_topic, and aws_sns_topic_subscription.
* Why this matters: Native representation of these resources allows direct management of core compute, load balancing, and messaging primitives within this specific provider context.
* Migration steps: If these resources already exist in your AWS environment, use the terraform import command to bring them into your state file. Otherwise, define the new resource blocks in your HCL to provision them from scratch.
#### Specialized Resource Additions
* What changed: Added the aws_observabilityadmin_telemetry_pipeline and aws_sagemaker_mlflow_app resources.
* Why this matters: Infrastructure teams can now codify MLflow environments within SageMaker and manage centralized telemetry routing pipelines, reducing manual console configuration for data science and observability platforms.
* Migration steps: Review the AWS documentation for the required IAM permissions, then define these resources in your modules where ML tracking or telemetry routing is needed.
#### Cost Explorer Ordering Changes
* What changed: In the aws_ce_cost_category resource, the targets argument within the split_charge_rule block changed from a TypeSet to a TypeList.
* Why this matters: Sets do not preserve order, which previously caused unexpected state diffs or incorrect rule evaluation during subsequent applies. Lists maintain the exact order defined in the configuration, ensuring predictable cost allocation behavior.
* Migration steps: Run a plan against your Cost Explorer configurations. If Terraform detects an ordering diff, update your HCL array to match the intended evaluation order to reconcile the state.
#### ElastiCache Quota Unblocking
* What changed: Removed the hard-coded upper limit of 5 for the replicas_per_node_group and node_group_configuration.replica_count arguments in the aws_elasticache_replication_group resource.
* Why this matters: AWS occasionally increases service quotas upon request. Hardcoded provider limits artificially restrict scaling capabilities, preventing deployments even when the underlying AWS account has a higher quota approved.
* Migration steps: If you previously relied on multiple node groups to bypass this replica limit, you can now simplify your architecture by increasing the replica count directly in your existing node groups.
#### Lambda Cross-Account Support
* What changed: Added the layer_version_arn argument to the aws_lambda_layer_version resource.
* Why this matters: This addition simplifies the consumption of Lambda layers published in external AWS accounts by allowing direct ARN referencing, rather than relying on complex data sources or manual string construction.
* Migration steps: Update external layer references in your Lambda functions to utilize the new layer_version_arn argument.
#### EMR Serverless & RAM Configurations
* What changed: Added the job_level_cost_allocation_configuration block to aws_emrserverless_application and the resource_share_configuration block to aws_ram_resource_share.
* Why this matters: These blocks provide granular cost tracking for individual EMR Serverless jobs and deeper configuration options for Resource Access Manager shares, improving billing visibility and cross-account resource governance.
* Migration steps: Implement the new blocks in your existing resource definitions if your organization requires job-level billing attribution or advanced RAM sharing parameters.
#### DMS and Network Manager Fixes
* What changed: Fixed InvalidParameterCombinationException errors in aws_dms_endpoint when oracle_settings is configured, and updated the attachment state waiter in aws_networkmanager_attachment_routing_policy_label.
* Why this matters: These fixes resolve deployment failures for Oracle database migrations and prevent timeout errors during Cloud WAN attachment state transitions, smoothing out automated pipeline executions.
* Migration steps: Re-run any deployment pipelines that previously failed due to Oracle parameter exceptions or Network Manager attachment timeouts.
Before You Upgrade
1. Verify your current provider version to ensure you are upgrading from the expected baseline:

   ```bash
   terraform version
   ```

2. Check for potential state diffs in Cost Explorer categories caused by the TypeSet to TypeList change:

   ```bash
   terraform plan -target=aws_ce_cost_category.main
   ```

3. Search your codebase for ElastiCache configurations to identify where replica counts can now be increased:

   ```bash
   grep -r "replicas_per_node_group" .
   ```

4. Inspect existing DMS Oracle endpoints for configurations that previously required workarounds:

   ```bash
   terraform state list | grep aws_dms_endpoint
   ```

5. Identify Lambda layers using manual ARN construction that can be refactored:

   ```bash
   grep -r "aws_lambda_layer_version" .
   ```

6. Validate IAM permissions for the Terraform execution role before deploying new SageMaker MLflow apps:

   ```bash
   aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/TerraformRole --action-names sagemaker:CreateMlflowTrackingServer
   ```

7. Review Network Manager routing policies for any pending state issues that the new waiter will handle:

   ```bash
   aws networkmanager list-attachments --core-network-id core-network-example
   ```

8. Execute a comprehensive plan to ensure no unexpected resource replacements occur across your infrastructure:

   ```bash
   terraform plan -out=upgrade_plan.tfplan
   ```
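
The check in step 8 can be automated. The following is an added example, not part of the release notes or the provider's code: it reads the JSON form of the saved plan (`terraform show -json upgrade_plan.tfplan`) and separates destroy or replace actions from in-place updates on the resource types this release changed. The sample plan, its resource addresses, and the `REVIEW_TYPES` selection are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json` output;
# the resource addresses are hypothetical.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_ce_cost_category.main", "type": "aws_ce_cost_category",
     "change": {"actions": ["update"]}},
    {"address": "aws_elasticache_replication_group.cache",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_dms_endpoint.oracle", "type": "aws_dms_endpoint",
     "change": {"actions": ["no-op"]}},
    {"address": "aws_sns_topic.alerts", "type": "aws_sns_topic",
     "change": {"actions": ["create"]}}
  ]
}
""")

# Types whose behaviour changed in this release (assumed selection for the example);
# an in-place update on one of them deserves a manual look.
REVIEW_TYPES = {"aws_ce_cost_category", "aws_elasticache_replication_group",
                "aws_dms_endpoint"}

def classify(plan):
    """Sort planned changes into destructive, review and routine buckets."""
    report = {"destructive": [], "review": [], "routine": []}
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if not actions or actions in (["no-op"], ["read"]):
            continue
        if "delete" in actions:
            # ["delete"], ["delete", "create"] and ["create", "delete"]
            # all destroy the live object.
            report["destructive"].append(rc["address"])
        elif rc.get("type") in REVIEW_TYPES:
            report["review"].append(rc["address"])
        else:
            report["routine"].append(rc["address"])
    return report

def gate(plan):
    """Return 1 when the plan would destroy or replace anything, else 0."""
    return 1 if classify(plan)["destructive"] else 0

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for bucket, addresses in classify(plan).items():
        print(bucket, addresses)
    sys.exit(gate(plan))
```
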
Sources & Timeline
* [Release v6.35.0](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.35.0)
* [Release v6.34.0](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.34.0)
* Last Verified: 2026-03-04T22:07:06.384195+00:00