red-hat-konflux bot commented Nov 18, 2025

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| aws (source) | required_provider | minor | 6.20.0 -> 6.22.0 | 6.22.1 |

Release Notes

hashicorp/terraform-provider-aws (aws)

v6.22.0

NOTES:

  • resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#​45105)

FEATURES:

  • New Ephemeral Resource: aws_ecr_authorization_token (#​44949)
  • New Guide: Tag Policy Compliance (#​45143)
  • New Resource: aws_billing_view (#​45097)
  • New Resource: aws_vpclattice_domain_verification (#​45085)

ENHANCEMENTS:

  • data-source/aws_lb_listener: Add default_action.jwt_validation attribute (#​45089)
  • data-source/aws_lb_listener_rule: Add action.jwt_validation attribute (#​45089)
  • data-source/aws_route53_zone: Support filtering by tags only or by vpc_id only (#​39671)
  • provider: Add support for enforcing tag policy compliance. This opt-in feature can be enabled via the new tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#​45143)
  • resource/aws_backup_logically_air_gapped_vault: Add encryption_key_arn argument (#​45020)
  • resource/aws_bedrock_guardrail: Add input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#​45104)
  • resource/aws_bedrockagent_knowledge_base: Add storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#​45075)
  • resource/aws_bedrockagentcore_agent_runtime: Add agent_runtime_artifact.code_configuration block (#​45091)
  • resource/aws_bedrockagentcore_agent_runtime: Make agent_runtime_artifact.container_configuration block optional (#​45091)
  • resource/aws_dynamodb_table: Add global_table_witness argument (#​43908)
  • resource/aws_emr_managed_scaling_policy: Add scaling_strategy and utilization_performance_index arguments (#​45132)
  • resource/aws_fis_experiment_template: Add plan-time validation of log_configuration.cloudwatch_logs_configuration.log_group_arn (#​35941)
  • resource/aws_fis_experiment_template: Add support for Functions to action.*.target (#​41209)
  • resource/aws_lambda_invocation: Add import support (#​41240)
  • resource/aws_lb_listener: Support jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#​45089)
  • resource/aws_lb_listener_rule: Support jwt-validation as a valid action.type and add action.jwt_validation configuration block (#​45089)
  • resource/aws_odb_cloud_vm_cluster: vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#​45003)
  • resource/aws_organizations_organization: Add SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#​45135)
  • resource/aws_prometheus_query_logging_configuration: Add plan-time validation of destination.cloudwatch_logs.log_group_arn (#​35941)
  • resource/aws_prometheus_workspace: Add plan-time validation of logging_configuration.log_group_arn (#​35941)
  • resource/aws_s3_bucket_server_side_encryption_configuration: Add rule.blocked_encryption_types argument (#​45105)
  • resource/aws_sagemaker_model: Add container.additional_model_data_source and primary_container.additional_model_data_source arguments (#​44407)
  • resource/aws_sfn_state_machine: Add plan-time validation of logging_configuration.log_destination (#​35941)
  • resource/aws_timestreaminfluxdb_db_cluster: Add engine_type attribute (#​44899)
  • resource/aws_timestreaminfluxdb_db_cluster: Add validation to ensure InfluxDB V2 clusters have required fields and InfluxDB V3 clusters (when using V3 parameter groups) do not have forbidden V2 fields. This functionality requires the timestream-influxdb:GetDbParameterGroup IAM permission (#​44899)
  • resource/aws_vpclattice_resource_configuration: Add custom_domain_name and domain_verification_id arguments and domain_verification_arn and domain_verification_status attributes to support custom domain names for resource configurations (#​45085)
  • resource/aws_vpn_connection: Add tunnel_bandwidth argument to support higher bandwidth tunnels (#​45070)

BUG FIXES:

  • resource/aws_db_instance: Fix blue/green deployments failing with "not in available state" by improving stability and handling storage-config-upgrade and storage-initialization statuses (#​41275)
  • resource/aws_elastic_beanstalk_configuration_template: Fix updates not applying by including ResourceName for option settings and preventing duplicate add/remove operations (#​45077)
  • resource/aws_odb_cloud_vm_cluster: support for hyphen in odb cloud vm cluster hostname prefix. (#​45003)
  • resource/aws_quicksight_account_settings: Add region argument (#​45083)
  • resource/aws_s3_directory_bucket: Fix plan-time AWS resource not found during refresh warnings causing resource replacement when ReadOnly s3express:SessionMode is enforced (#​45086)
  • resource/aws_ssoadmin_account_assignment: Correct target_type argument to required (#​45092)
  • resource/aws_timestreaminfluxdb_db_cluster: Make allocated_storage, bucket, organization, username, and password optional to support InfluxDB V3 clusters (#​44899)

v6.21.0

BREAKING CHANGES:

  • resource/aws_bedrockagentcore_browser: Rename network_configuration.network_mode_config to network_configuration.vpc_config (#​44828)

FEATURES:

  • New Action: aws_dynamodb_create_backup (#​45001)
  • New Resource: aws_networkflowmonitor_monitor (#​44782)
  • New Resource: aws_networkflowmonitor_scope (#​44782)
  • New Resource: aws_observabilityadmin_centralization_rule_for_organization (#​44806)

ENHANCEMENTS:

  • data-source/aws_ecs_service: Add capacity_provider_strategy, created_at, created_by, deployment_configuration, deployment_controller, deployments, enable_ecs_managed_tags, enable_execute_command, events, health_check_grace_period_seconds, iam_role, network_configuration, ordered_placement_strategy, pending_count, placement_constraints, platform_family, platform_version, propagate_tags, running_count, service_connect_configuration, service_registries, status, and task_sets attributes (#​44842)
  • resource/aws_bedrockagentcore_gateway_target: Add target_configuration.mcp.mcp_server block (#​44991)
  • resource/aws_bedrockagentcore_gateway_target: Make credential_provider_configuration block optional (#​44991)
  • resource/aws_cloudwatch_log_delivery_destination: Make delivery_destination_type and delivery_destination_configuration optional to support AWS X-Ray as a destination (#​44995)
  • resource/aws_ecs_service: Add support for LINEAR and CANARY deployment strategies with deployment_configuration.linear_configuration and deployment_configuration.canary_configuration blocks (#​44842)
  • resource/aws_lambda_function: Add support for java25 runtime value (#​45024)
  • resource/aws_lambda_function: Add support for nodejs24.x runtime value (#​45024)
  • resource/aws_lambda_function: Add support for python3.14 runtime value (#​45024)
  • resource/aws_lambda_layer_version: Add support for java25 compatible_runtimes value (#​45024)
  • resource/aws_lambda_layer_version: Add support for nodejs24.x compatible_runtimes value (#​45024)
  • resource/aws_lambda_layer_version: Add support for python3.14 compatible_runtimes value (#​45024)
  • resource/aws_s3tables_table: Add tagging support (#​44996)
  • resource/aws_s3tables_table_bucket: Add tagging support (#​44996)
  • resource/aws_sagemaker_endpoint_configuration: Add execution_role_arn argument and make model_name optional in production_variants and shadow_production_variants blocks to support Inference Components (#​44977)
  • resource/aws_sns_topic: Fix AuthorizationError ... is not authorized to perform: iam:PassRole on resource ... IAM eventual consistency errors on Create and Update (#​45018)

BUG FIXES:

  • provider: Fix situation where refreshes of removed infrastructure appear as errors rather than warnings (#​45022)
  • resource/aws_acmpca_certificate_authority: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45050)
  • resource/aws_apprunner_service: Prevents error when upgrading from provider pre-v6.0 without refreshing (#​45051)
  • resource/aws_ec2_image_block_public_access: Add region argument (#​45023)
  • resource/aws_ec2_serial_console_access: Add region argument (#​45064)
  • resource/aws_emrcontainers_job_template: Fix ValidationException: Value null at 'jobTemplateData.configurationOverrides.monitoringConfiguration.cloudWatchMonitoringConfiguration.logGroupName' failed to satisfy constraint: Member must not be null error (#​45029)
  • resource/aws_emrcontainers_job_template: Fix setting job_template_data: job_template_data.0.configuration_overrides.0.application_configuration.0: '' expected a map, got 'slice' error (#​45029)
  • resource/aws_emrcontainers_job_template: Mark job_template_data.job_driver.configuration_overrides.monitoring_configuration.persistent_app_ui argument as computed (#​45029)
  • resource/aws_invoicing_invoice_unit: Fix Provider returned invalid result object after apply error occurred when updating the resource (#​45030)
  • resource/aws_opensearch_authorize_vpc_endpoint_access: Fix reading the resource when more than one principal is authorized. The import ID has changed from domain_name to domain_name and account separated by a comma (#​44982)
  • resource/aws_redshift_cluster: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_cluster_snapshot: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_event_subscription: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_client_certificate: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_hsm_configuration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_integration: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_parameter_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_copy_grant: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_snapshot_schedule: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_subnet_group: Prevents errors with empty tag values. (#​44952)
  • resource/aws_redshift_usage_limit: Prevents errors with empty tag values. (#​44952)
  • resource/aws_sagemaker_endpoint: Fix bug where endpoint_config_name was not correctly updated, causing the endpoint to retain the old configuration (#​42843)
  • resource/aws_wafv2_web_acl_logging_configuration: Fix the validation for redacted_fields.single_header.name (#​44987)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux bot force-pushed the konflux/mintmaker/main/all-minor-patch-terraform branch from ec10081 to 91fd1c2 on November 22, 2025 08:13
red-hat-konflux bot changed the title from "chore(deps): update terraform aws to v6.21.0" to "chore(deps): update terraform aws to v6.22.0" on Nov 22, 2025