Announcing v3.0 of the Terraform AWS Provider
The Terraform AWS Provider has grown significantly over the last five years, and now includes 583 resources and 191 data sources. While we have been hard at work extending the provider's coverage, we have needed to make space for significant changes and prepare for another major release.
Version 3.0 of the Terraform AWS Provider brings four major enhancements: updating the Amazon Certificate Manager (ACM) resources, the removal of hashing from state storage, improved authentication ordering, and the deprecation of Terraform 0.11. These changes, along with a host of other minor updates, aim to simplify your configurations and improve the overall experience of using the Terraform AWS Provider.
Starting with v3.0, we will be automatically redirecting AWS provider documentation links from https://www.terraform.io/ to https://registry.terraform.io. The content of the documentation is unchanged, but the documentation will now be versioned. You can review the docs for a specific version using the Terraform Registry navigation. Provider documentation is now also searchable.
» Updates to the Amazon Certificate Manager Resources
As we were evaluating open bug reports and enhancement requests for ACM, we determined that the resource needed to be refactored. As part of the refactor, a few breaking changes were made. We no longer store certificate_body, certificate_chain, and private_key attributes in the Terraform state with hash values. Additionally, we have changed the domain_validation_options attribute from a list to a set.
» Removing Hashing From State Storage
Hashing schema attribute values in Terraform state storage was implemented as a workaround for attribute-level encryption of some sensitive values. Terraform is designed to work with wholly known values during resource operations and when performing diffs. For example, if a resource only saves a hashed value in the state, during update operations the resource will incorrectly send the hashed value in API calls.
This change is expected to be transparent to users, and expanded reasoning for the change can be found within the Terraform best practices. For a complete list of resources that will be affected by this change, consult the Terraform AWS provider changelog.
» Improved Authentication Ordering
Unlike the AWS CLI, the AWS Go SDK does not enable support for the shared AWS configuration file (e.g. ~/.aws/config) by default. In version 2.0 of the provider and earlier, this required setting the AWS_SDK_LOAD_CONFIG environment variable to enable the use of shared configuration files. Version 2 of the provider and earlier required disabling the EC2 Instance Metadata handling via the skip_metadata_api_check provider configuration or AWS_EC2_METADATA_DISABLED environment variable. This workflow can be confusing for Terraform practitioners, as it highlights a difference in behavior between the AWS CLI and Terraform AWS Provider.
Version 3.0.0 ensures the shared configuration file, if used, is referenced before using EC2 Instance Metadata credentials. The authentication behavior of the provider is more aligned with the AWS CLI behaviors and ensures that shared configuration settings are honored as expected without extra workarounds. These authentication changes were separately applied to the Terraform S3 Backend as part of the Terraform CLI 0.13.0-beta2 release.
» Deprecating Terraform 0.11
In order for the provider to keep in step with Terraform Core development and to take advantage of Terraform 0.12 and later native features (such as the ability to surface warning messages in resources), we need to deprecate support for earlier versions of Terraform.
As of this release, practitioners who wish to remain on 0.11 will be limited to v2.* releases of the provider. This move will also consolidate all example code to use Terraform 0.12 syntax. Examples using the older syntax style can still be viewed by browsing older versions of the provider in the Terraform Registry.
For additional information regarding the decision to deprecate Terraform 0.11 please refer to this blog post.
» Additional Resources
When upgrading to v3.0, please consult the upgrade guide on the Terraform docs site, as it contains not only a list of changes but also examples.
As this release introduces breaking changes, we recommend pinning your provider version to protect against unexpected circumstances.
For a complete list of the changes in v3.0, please reference the AWS provider changelog.
The Terraform AWS provider team has worked hard on these changes and is thrilled to bring you these improvements. Please share any bugs or enhancement requests with us via GitHub Issues.
We look forward to your feedback and want to thank you for being such a great community!