The Terraform AWS Provider has grown significantly over the last five years, and now includes 583 resources and 191 data sources. While we have been hard at work extending the provider's coverage, we have needed to make space for significant changes and prepare for another major release.
Version 3.0 of the Terraform AWS Provider brings four major enhancements: updating the Amazon Certificate Manager (ACM) resources, the removal of hashing from state storage, improved authentication ordering, and the deprecation of Terraform 0.11. These changes along with a host of other minor updates aim to simplify your configurations and improve the overall experience of using the Terraform AWS Provider.
Starting with v3.0, we will be automatically redirecting AWS provider documentation links from https://www.terraform.io/ to https://registry.terraform.io. The content of the documentation is unchanged, but the documentation will now be versioned. You can review the docs for a specific version using the Terraform Registry navigation. Provider documentation is now also searchable.
As we were evaluating open bug reports and enhancement requests for ACM, we determined that the resource needed to be refactored. As part of the refactor, a few breaking changes were made. We no longer store private_key attributes in the Terraform state with hash values. Additionally, we have changed the domain_validation_options attribute from a list to a set.
Hashing schema attribute values in Terraform state storage was implemented as a workaround for attribute-level encryption of some sensitive values. Terraform is designed to work with wholly known values during resource operations and when performing diffs. For example, if a resource only saves a hashed value in the state, during update operations the resource will incorrectly send the hashed value in API calls.
This change is expected to be transparent to users, and the reasoning behind it is expanded on in the Terraform best practices. For a complete list of resources that will be affected by this change, consult the Terraform AWS provider changelog.
Unlike the AWS CLI, the AWS Go SDK does not enable support for the shared AWS configuration file (e.g. ~/.aws/config) by default. In version 2.0 of the provider and earlier, this required setting the AWS_SDK_LOAD_CONFIG environment variable to enable the use of shared configuration files. Version 2 of the provider and earlier required disabling the EC2 Instance Metadata handling via the skip_metadata_api_check provider configuration or AWS_EC2_METADATA_DISABLED environment variable. This workflow can be confusing for Terraform practitioners, as it highlights a difference in behavior between the AWS CLI and Terraform AWS Provider.
Version 3.0.0 ensures the shared configuration file, if used, is referenced before using EC2 Instance Metadata credentials. The authentication behavior of the provider is more aligned with the AWS CLI behaviors and ensures that shared configuration settings are honored as expected without extra workarounds. These authentication changes were separately applied to the Terraform S3 Backend as part of the Terraform CLI 0.13.0-beta2 release.
In order for the provider to keep in step with Terraform Core development and to take advantage of Terraform 0.12 and later native features (such as the ability to surface warning messages in resources), we need to deprecate support for earlier versions of Terraform.
As of this release, practitioners who wish to remain on 0.11 will be limited to v2.* releases of the provider. This move will also consolidate all example code to use Terraform 0.12 syntax. Examples using the older syntax style can still be viewed by browsing older versions of the provider in the Terraform Registry.
For additional information regarding the decision to deprecate Terraform 0.11 please refer to this blog post.
When upgrading to v3.0, please consult the upgrade guide on the Terraform docs site, as it contains not only a list of changes but also examples.
As this release introduces breaking changes, we recommend pinning your provider version to protect against unexpected circumstances.
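A provider configuration that combines the version pin recommended here with the authentication ordering described earlier, as an added example that is not taken from this post. It assumes Terraform 0.13 required_providers syntax; the region and the profile name "deploy" are placeholders for a profile defined in ~/.aws/config.

```hcl
# Added example; region and profile name are placeholders.
terraform {
  required_version = ">= 0.13"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Accept 3.x releases only, so the next major version and its
      # breaking changes are never picked up implicitly.
      # Configurations that must stay on Terraform 0.11 would instead
      # constrain the provider to 2.x, for example "~> 2.0".
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"

  # Named profile from the shared configuration file (~/.aws/config).
  # With 3.0 the shared configuration file is consulted before EC2
  # Instance Metadata credentials, so the 2.x workarounds named in the
  # text (AWS_SDK_LOAD_CONFIG in the environment, and
  # skip_metadata_api_check or AWS_EC2_METADATA_DISABLED) are left out.
  profile = "deploy"
}
```

When this runs on an EC2 instance, check after upgrading that the credentials in use come from the intended profile and not from the instance role.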
For a complete list of the changes in v3.0, please reference the AWS provider changelog.
The Terraform AWS provider team has worked hard on these changes and is thrilled to bring you these improvements. Please share any bugs or enhancement requests with us via GitHub Issues.
We look forward to your feedback and want to thank you for being such a great community!