Version 5.0.0 of the AWS provider for Terraform is a major release and includes changes that you need to consider when upgrading. This guide will help with that process and focuses only on changes from version 4.x to version 5.0.0. See the Version 4 Upgrade Guide for information on upgrading from 3.x to version 4.0.0.
Use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init -upgrade to download the new version.
For example, given this previous configuration:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.65"
    }
  }
}
provider "aws" {
  # Configuration options
}
Update to the latest 5.X version:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
provider "aws" {
  # Configuration options
}
Version 5.0.0 removes these provider arguments:
- assume_role.duration_seconds - Use assume_role.duration instead
- assume_role_with_web_identity.duration_seconds - Use assume_role_with_web_identity.duration instead
- s3_force_path_style - Use s3_use_path_style instead
- shared_credentials_file - Use shared_credentials_files instead
- skip_get_ec2_platforms - Removed following the retirement of EC2-Classic

The following enhancements are included:
- default_tags can now be included and will be overwritten by resource tags.
- "", can now be included in both default_tags and resource tags.
- computed.

Following the retirement of EC2-Classic, we removed a number of resources, arguments, and attributes. This list summarizes what we _removed_:
- aws_db_security_group resource
- aws_elasticache_security_group resource
- aws_redshift_security_group resource
- aws_db_instance resource's security_group_names argument
- aws_elasticache_cluster resource's security_group_names argument
- aws_redshift_cluster resource's cluster_security_groups argument
- aws_launch_configuration resource's vpc_classic_link_id and vpc_classic_link_security_groups arguments
- aws_vpc resource's enable_classiclink and enable_classiclink_dns_support arguments
- aws_default_vpc resource's enable_classiclink and enable_classiclink_dns_support arguments
- aws_vpc_peering_connection resource's allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link arguments
- aws_vpc_peering_connection_accepter resource's allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link arguments
- aws_vpc_peering_connection_options resource's allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link arguments
- aws_db_instance data source's db_security_groups attribute
- aws_elasticache_cluster data source's security_group_names attribute
- aws_redshift_cluster data source's cluster_security_groups attribute
- aws_launch_configuration data source's vpc_classic_link_id and vpc_classic_link_security_groups attributes

Following the retirement of Amazon Macie Classic, we removed these resources:
- aws_macie_member_account_association
- aws_macie_s3_bucket_association
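
A pre-upgrade check for the removals listed above, as an added example (not part of the provider or of the original guide): it scans Terraform source text for the removed resource types and resource arguments. The brace-counting parser, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Removals copied from the EC2-Classic and Macie Classic lists above (data sources not checked).
REMOVED_RESOURCES = {
    "aws_db_security_group", "aws_elasticache_security_group",
    "aws_redshift_security_group", "aws_macie_member_account_association",
    "aws_macie_s3_bucket_association",
}
CLASSICLINK = {"enable_classiclink", "enable_classiclink_dns_support"}
PEERING = {"allow_classic_link_to_remote_vpc", "allow_vpc_to_remote_classic_link"}
LAUNCH = {"vpc_classic_link_id", "vpc_classic_link_security_groups"}
REMOVED_ARGS = {
    "aws_db_instance": {"security_group_names"},
    "aws_elasticache_cluster": {"security_group_names"},
    "aws_redshift_cluster": {"cluster_security_groups"},
    "aws_launch_configuration": LAUNCH,
    "aws_vpc": CLASSICLINK,
    "aws_default_vpc": CLASSICLINK,
    "aws_vpc_peering_connection": PEERING,
    "aws_vpc_peering_connection_accepter": PEERING,
    "aws_vpc_peering_connection_options": PEERING,
}
BLOCK = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)
ARG = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=', re.M)

def resource_blocks(text):
    """Yield (type, name, body); braces in strings or comments are not understood."""
    for m in BLOCK.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def scan(text):
    """Return (address, finding) pairs for items removed in 5.0.0."""
    findings = []
    for rtype, name, body in resource_blocks(text):
        addr = f"{rtype}.{name}"
        if rtype in REMOVED_RESOURCES:
            findings.append((addr, "resource removed"))
            continue
        # Arguments of nested blocks are included; commented-out lines are not.
        for arg in sorted(set(ARG.findall(body)) & REMOVED_ARGS.get(rtype, set())):
            findings.append((addr, f"argument {arg} removed"))
    return findings

# Constructed sample configuration, not taken from the guide.
SAMPLE = '''
resource "aws_db_security_group" "legacy" {
  name = "legacy"
}
resource "aws_vpc" "main" {
  cidr_block         = "10.0.0.0/16"
  enable_classiclink = false
  # enable_classiclink_dns_support = false
}
resource "aws_db_instance" "app" {
  security_group_names = ["legacy"]
}
'''
```

Calling scan(SAMPLE) returns one finding per removed resource or argument, in file order; an empty list means none of the listed removals were found.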
Remove status from configurations as it no longer exists.
The minimum_compression_size attribute is now a String type, allowing it to be computed when set via the body attribute. Valid values remain the same.
Change alb_target_group_arn, which no longer exists, to lb_target_group_arn in configurations.
Remove tags from configurations as it no longer exists. Use the tag attribute instead. For use cases requiring dynamic tags, see the Dynamic Tagging example.
Remove cost_filters from configurations as it no longer exists.
Remove threshold from configurations as it no longer exists.
The ecs_target.propagate_tags attribute now has no default value. If no value is specified, the tags are not propagated.
Remove secondary_sources.auth and source.auth from configurations as they no longer exist.
Remove hours_of_operation_arn from configurations as it no longer exists.
Remove quick_connect_ids_associated from configurations as it no longer exists.
Remove queue_configs_associated from configurations as it no longer exists.
Configurations that define source_ids using the id attribute of aws_db_instance must be updated to use identifier instead. For example, source_ids = [aws_db_instance.example.id] must be updated to source_ids = [aws_db_instance.example.identifier].
aws_db_instance has had a number of changes:
What id _is_ has changed and can have far-reaching consequences. Fortunately, fixing configurations is straightforward.
id is _now_ the DBI Resource ID (_i.e._, dbi-resource-id), an immutable "identifier" for an instance. id is now the same as the resource_id. (We recommend using resource_id rather than id when you need to refer to the DBI Resource ID.) _Previously_, id was the DB Identifier. Now when you need to refer to the _DB Identifier_, use identifier.
Fixing configurations involves changing any id references to identifier, where the reference expects the DB Identifier. For example, if you're replicating an aws_db_instance, you can no longer use id to define the replicate_source_db.
This configuration will now result in an error since replicate_source_db expects a _DB Identifier_:
resource "aws_db_instance" "test" {
  replicate_source_db = aws_db_instance.source.id
  # ...other configuration...
}
You can fix the configuration like this:
resource "aws_db_instance" "test" {
  replicate_source_db = aws_db_instance.source.identifier
  # ...other configuration...
}
db_name instead of name
Change name to db_name in configurations as name no longer exists.
db_security_groups
Remove db_security_groups from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead. For example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier.
Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead. For example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier.
We removed this resource as part of the EC2-Classic retirement.
Configurations that define db_instance_identifier using the id attribute of aws_db_instance must be updated to use identifier instead. For example, db_instance_identifier = aws_db_instance.example.id must be updated to db_instance_identifier = aws_db_instance.example.identifier.
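
The id to identifier change described above for source_ids, replicate_source_db and db_instance_identifier, as an added example that is not from the guide or the provider: it rewrites aws_db_instance .id references only in those three arguments and leaves every other .id use untouched, since those may now be meant as the DBI Resource ID. The function name, the regex approach and the sample configuration are assumptions.

```python
import re

# Arguments that, per the guide, expect the DB Identifier (not the DBI Resource ID).
DB_IDENTIFIER_ARGS = ("replicate_source_db", "db_instance_identifier", "source_ids")

ASSIGN = re.compile(
    r"^(?P<lhs>[ \t]*(?:%s)[ \t]*=)(?P<rhs>.*)$" % "|".join(DB_IDENTIFIER_ARGS),
    re.M,
)
# Matches aws_db_instance.NAME.id and aws_db_instance.NAME[...].id, not .identifier.
REF = re.compile(r"\b(aws_db_instance\.[A-Za-z_][\w-]*(?:\[[^\]]*\])?)\.id\b")

def fix_db_identifier_refs(text):
    """Rewrite .id to .identifier only where the DB Identifier is expected.

    Returns (new_text, changed_lines). Only single-line assignments are
    handled; multi-line lists need a manual review.
    """
    changed = []

    def repl(m):
        new_rhs, count = REF.subn(r"\1.identifier", m.group("rhs"))
        if count:
            changed.append(m.group(0).strip())  # record the original line
        return m.group("lhs") + new_rhs

    return ASSIGN.sub(repl, text), changed

# Constructed sample; aws_db_event_subscription is used here to carry source_ids.
SAMPLE = '''
resource "aws_db_instance" "replica" {
  replicate_source_db = aws_db_instance.source.id
  tags                = { SourceDbi = aws_db_instance.source.id }
}
resource "aws_db_event_subscription" "events" {
  source_ids = [aws_db_instance.source.id, aws_db_instance.replica.identifier]
}
'''

FIXED, CHANGED = fix_db_identifier_refs(SAMPLE)
```

CHANGED lists the original lines that were rewritten, which makes the result easy to review before committing.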
Remove enable_classiclink and enable_classiclink_dns_support from configurations as they no longer exist. They were part of the EC2-Classic retirement.
Remove s3_settings.ignore_headers_row from configurations as it no longer exists. Be careful to not confuse ignore_headers_row, which no longer exists, with ignore_header_rows, which still exists.
Changes to the snapshot_identifier attribute will now correctly force re-creation of the resource. Previously, changing this attribute would result in a successful apply, but without the cluster being restored (only the resource state was changed). This change brings behavior of the cluster snapshot_identifier attribute into alignment with other RDS resources, such as aws_db_instance.
Automated snapshots should not be used for this attribute, unless from a different cluster. Automated snapshots are deleted as part of cluster destruction when the resource is replaced.
The vpn_gateway_id attribute has been deprecated. All configurations using vpn_gateway_id should be updated to use the associated_gateway_id attribute instead.
Remove status from configurations as it no longer exists.
Remove security_groups and status from configurations as they no longer exist.
Remove capacity_providers and default_capacity_provider_strategy from configurations as they no longer exist.
- standard domain is no longer supported.
- vpc argument has been deprecated. Use domain argument instead.

With the retirement of EC2-Classic, the standard domain is no longer supported.
The resolve_conflicts argument has been deprecated. Use the resolve_conflicts_on_create and/or resolve_conflicts_on_update arguments instead.
Remove security_group_names from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
- cluster_mode configuration block. Use top-level num_node_groups and replicas_per_node_group instead.
- availability_zones, number_cache_clusters, replication_group_description arguments from configurations as they no longer exist. Use preferred_cache_cluster_azs, num_cache_clusters, and description, respectively, instead.

We removed this resource as part of the EC2-Classic retirement.
The log_group_name attribute has been deprecated. All configurations using log_group_name should be updated to use the log_destination attribute instead.
The auto_enable argument has been deprecated. Use the auto_enable_organization_members argument instead.
- s3_configuration attribute from the root of the resource. s3_configuration is now a part of the following blocks: elasticsearch_configuration, opensearch_configuration, redshift_configuration, splunk_configuration, and http_endpoint_configuration.
- s3 as an option for destination. Use extended_s3 instead
- extended_s3_configuration.0.s3_backup_configuration.0.buffer_size and extended_s3_configuration.0.s3_backup_configuration.0.buffer_interval to extended_s3_configuration.0.s3_backup_configuration.0.buffering_size and extended_s3_configuration.0.s3_backup_configuration.0.buffering_interval, respectively.
- redshift_configuration.0.s3_backup_configuration.0.buffer_size and redshift_configuration.0.s3_backup_configuration.0.buffer_interval to redshift_configuration.0.s3_backup_configuration.0.buffering_size and redshift_configuration.0.s3_backup_configuration.0.buffering_interval, respectively.
- s3_configuration.0.buffer_size and s3_configuration.0.buffer_interval to s3_configuration.0.buffering_size and s3_configuration.0.buffering_interval, respectively.

Remove vpc_classic_link_id and vpc_classic_link_security_groups from configurations as they no longer exist. We removed them as part of the EC2-Classic retirement.
We removed defaults from metadata_options. Launch template metadata options will now default to unset values, which is the AWS default behavior.
Remove ipv6_address from configurations as it no longer exists.
We removed this resource as part of the Macie Classic retirement.
We removed this resource as part of the Macie Classic retirement.
Change statemux_settings, which no longer exists, to statmux_settings in configurations.
Remove broker_node_group_info.ebs_volume_size from configurations as it no longer exists.
Changes to the snapshot_identifier attribute will now correctly force re-creation of the resource. Previously, changing this attribute would result in a successful apply, but without the cluster being restored (only the resource state was changed). This change brings behavior of the cluster snapshot_identifier attribute into alignment with other RDS resources, such as aws_db_instance.
Automated snapshots should not be used for this attribute, unless from a different cluster. Automated snapshots are deleted as part of cluster destruction when the resource is replaced.
Remove policy_document from configurations as it no longer exists. Use the aws_networkmanager_core_network_policy_attachment resource instead.
- kibana_endpoint attribute has been deprecated. All configurations using kibana_endpoint should be updated to use the dashboard_endpoint attribute instead.
- engine_version attribute no longer has a default value. Omitting this attribute will now create a domain with the latest OpenSearch version, consistent with the behavior of the AWS API.
- engine since it is now required and has no default. Previously, not including engine was equivalent to engine = "aurora" and created a MySQL-5.6-compatible cluster.
- snapshot_identifier attribute will now correctly force re-creation of the resource. Previously, changing this attribute would result in a successful apply, but without the cluster being restored (only the resource state was changed). This change brings behavior of the cluster snapshot_identifier attribute into alignment with other RDS resources, such as aws_db_instance. NOTE: Automated snapshots should not be used for this attribute, unless from a different cluster. Automated snapshots are deleted as part of cluster destruction when the resource is replaced.

Update configurations to always include engine since it is now required and has no default. Previously, not including engine was equivalent to engine = "aurora" and created a MySQL-5.6-compatible cluster.
Remove cluster_security_groups from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
We removed this resource as part of the EC2-Classic retirement.
Update configurations to use network_interface_id rather than instance_id, which no longer exists.
For example, this configuration is _no longer valid_:
resource "aws_route" "example" {
  instance_id = aws_instance.example.id
  # ...other configuration...
}
One possible way to fix this configuration involves referring to the primary_network_interface_id of an instance:
resource "aws_route" "example" {
  network_interface_id = aws_instance.example.primary_network_interface_id
  # ...other configuration...
}
Another fix is to use an ENI:
resource "aws_network_interface" "example" {
  # ...other configuration...
}
resource "aws_instance" "example" {
  network_interface {
    network_interface_id = aws_network_interface.example.id
    # ...other configuration...
  }
  # ...other configuration...
}
resource "aws_route" "example" {
  network_interface_id = aws_network_interface.example.id
  # ...other configuration...
  # Wait for the ENI attachment
  depends_on = [aws_instance.example]
}
Update configurations to use route.*.network_interface_id rather than route.*.instance_id, which no longer exists.
For example, this configuration is _no longer valid_:
resource "aws_route_table" "example" {
  route {
    instance_id = aws_instance.example.id
    # ...other configuration...
  }
  # ...other configuration...
}
One possible way to fix this configuration involves referring to the primary_network_interface_id of an instance:
resource "aws_route_table" "example" {
  route {
    network_interface_id = aws_instance.example.primary_network_interface_id
    # ...other configuration...
  }
  # ...other configuration...
}
Another fix is to use an ENI:
resource "aws_network_interface" "example" {
  # ...other configuration...
}
resource "aws_instance" "example" {
  network_interface {
    network_interface_id = aws_network_interface.example.id
    # ...other configuration...
  }
  # ...other configuration...
}
resource "aws_route_table" "example" {
  route {
    network_interface_id = aws_network_interface.example.id
    # ...other configuration...
  }
  # ...other configuration...
  # Wait for the ENI attachment
  depends_on = [aws_instance.example]
}
The acl attribute no longer has a default value. Previously this was set to private when omitted. Objects requiring a private ACL should now explicitly set this attribute.
The acl attribute no longer has a default value. Previously this was set to private when omitted. Object copies requiring a private ACL should now explicitly set this attribute.
Remove rotation_enabled, rotation_lambda_arn and rotation_rules from configurations as they no longer exist.
With the retirement of EC2-Classic, non-VPC security groups are no longer supported.
With the retirement of EC2-Classic, non-VPC security groups are no longer supported.
Changes to any provisioning_artifact_parameters arguments now properly trigger a replacement. This fixes incorrect behavior, but may technically be breaking for configurations expecting non-functional in-place updates.
The instance_id attribute has been deprecated. All configurations using instance_id should be updated to use the targets attribute instead.
The overwrite attribute has been deprecated. Existing parameters should be explicitly imported rather than relying on the "import on create" behavior previously enabled by setting overwrite = true. In a future major version the overwrite attribute will be removed and attempting to create a parameter that already exists will fail.
Remove enable_classiclink and enable_classiclink_dns_support from configurations as they no longer exist. They were part of the EC2-Classic retirement.
Remove allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link from configurations as they no longer exist. They were part of the EC2-Classic retirement.
Remove allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link from configurations as they no longer exist. They were part of the EC2-Classic retirement.
Remove allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link from configurations as they no longer exist. They were part of the EC2-Classic retirement.
- statement.managed_rule_group_statement.excluded_rule and statement.rule_group_reference_statement.excluded_rule from configurations as they no longer exist.
- statement.rule_group_reference_statement.rule_action_override attribute has been added.

Remove redacted_fields.all_query_arguments, redacted_fields.body and redacted_fields.single_query_argument from configurations as they no longer exist.
The minimum_compression_size attribute is now a String type, allowing it to be computed when set via the body attribute.
Remove hours_of_operation_arn from configurations as it no longer exists.
Remove db_security_groups from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
Remove security_group_names from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
Rename number_cache_clusters and replication_group_description, which no longer exist, to num_cache_clusters, and description, respectively.
- source_json and override_json from configurations. Use source_policy_documents and override_policy_documents, respectively, instead.
- statement.sid values to json attribute value.

Remove filter from configurations as it no longer exists.
Remove filter from configurations as it no longer exists.
Remove vpc_classic_link_id and vpc_classic_link_security_groups from configurations as they no longer exist. They were part of the EC2-Classic retirement.
The kibana_endpoint attribute has been deprecated. All configurations using kibana_endpoint should be updated to use the dashboard_endpoint attribute instead.
The tags_all attribute has been deprecated and will be removed in a future version.
Remove cluster_security_groups from configurations as it no longer exists. We removed it as part of the EC2-Classic retirement.
AWS documents that a service principal name should be used instead of an AWS account ID in any relevant IAM policy.
The aws_redshift_service_account data source should now be considered deprecated and will be removed in a future version.
The tags_all attribute has been deprecated and will be removed in a future version.
Remove rotation_enabled, rotation_lambda_arn and rotation_rules from configurations as they no longer exist.
We removed the aws_subnet_ids data source. Use the aws_subnets data source instead.
Remove allow_classic_link_to_remote_vpc and allow_vpc_to_remote_classic_link from configurations as they no longer exist. They were part of the EC2-Classic retirement.