Merge tag 'v3.50.0'

.changelog/11522.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_s3_bucket_object: Add `source_hash` argument to compliment `etag`'s encryption limitations
+```

.changelog/12370.txt

@@ -0,0 +1,7 @@
+```release-note:new-resource
+aws_rds_cluster_role_association
+```
+
+```release-note:enhancement
+aws_rds_cluster: Set `iam_roles` as Computed to prevent drift when the `aws_rds_cluster_role_association` resource is used
+```

.changelog/12548.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_db_instance: Ignore allocated_storage for replica at creation time
+```

.changelog/14714.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_securityhub_standards_control
+```

.changelog/15241.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_guardduty_organization_configuration: Add `datasources` argument
+```

.changelog/17298.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_config_organization_conformance_pack
+```

.changelog/17539.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_transfer_server: Add `security_group_ids` argument to `endpoint_details` configuration block.
+```

.changelog/17959.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_eks_identity_provider_config
+```

.changelog/18562.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_sagemaker_domain: Add support for `retention_policy`
+```

.changelog/19108.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_securityhub_organization_configuration
+```

.changelog/19307.txt

@@ -0,0 +1,7 @@
+```release-note:new-resource
+aws_appconfig_application
+```
+
+```release-note:new-resource
+aws_appconfig_environment
+```

.changelog/19320.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_appconfig_configuration_profile
+```

.changelog/19323.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_s3_bucket: Add the delete_marker_replication_status argument for V2 replication configurations
+```

.changelog/19324.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_appconfig_hosted_configuration_version
+```

.changelog/19359.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_appconfig_deployment_strategy
+```

.changelog/19407.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_wafv2_web_acl: Support `scope_down_statement` on `managed_rule_group_statement`
+```

.changelog/19579.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_iam_access_key: Add encrypted SES SMTP password
+```

.changelog/19718.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_ram_resource_share_accepter: Allow destroy even where AWS API provides no way to disassociate
+```

.changelog/19741.txt

@@ -0,0 +1,3 @@
+```release-note:note
+resource/aws_dx_gateway_association_proposal: If an accepted Proposal reaches end-of-life and is removed by AWS do not recreate the resource, instead refreshing Terraform state from the resource's Direct Connect Gateway ID and Associated Gateway ID.
+```

.changelog/19859.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_datasync_location_s3: Correctly parse S3 on Outposts location URI
+```

.changelog/19954.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_guardduty_detector: Add `datasources` argument
+```

.changelog/19967.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_kms_key: Add plan time validation to `description`.
+```

.changelog/19975.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cloudwatch_event_target: Add `enable_ecs_managed_tags`, `enable_execute_command`, `placement_constraints`, `propagate_tags`, and `tags` arguments to `ecs_target` block.
+```

.changelog/19986.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_eks_cluster: Don't associate an `encryption_config` if there's already one
+```

.changelog/20031.txt

@@ -0,0 +1,11 @@
+```release-note:bug
+resource/aws_cognito_user_pool_client: Retry on `ConcurrentModificationException`
+```
+
+```release-note:bug
+resource/aws_cognito_user_pool_client: Allow the `default_redirect_uri` argument value to be an empty string
+```
+
+```release-note:enhancement
+resource/aws_cognito_user_pool_client: Add the `enable_token_revocation` argument to support targeted sign out
+```

.changelog/20054.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_fsx_windows_file_system: Add `aliases` argument
+```

.changelog/20108.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_lakeformation_permissions: Fix various problems with permissions including select-only
+```
+
+```release-note:bug
+data-source/aws_lakeformation_permissions: Fix various problems with permissions including select-only
+```

.changelog/20111.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_elasticache_replication_group: Cannot set `cluster_mode.replicas_per_node_group` when member of Global Replication Group
+```

.github/labeler-issue-triage.yml

@@ -14,6 +14,8 @@ bug:
   - "(doesn't support update|failed to satisfy constraint: Member must not be null|Invalid address to set|panic:|produced an (invalid|unexpected) new value|Provider produced inconsistent (final plan|result after apply))"
 crash:
   - 'panic:'
+sweeper:
+  - 'sweeper'
 #
 # AWS Per-Service Labeling
 #

.github/workflows.disabled/project.yml

@@ -7,9 +7,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Move team PRs to Review column
-      uses: alex-page/[email protected].0
+      uses: alex-page/[email protected].1
       if: contains(fromJSON('["anGie44", "bill-rich", "breathingdust", "ewbankkit", "gdavison", "maryelizbeth", "YakDriver"]'), github.actor) && github.event.pull_request.draft == false
       with:
         project: AWS Provider Working Board
         column: Open Maintainer PR
-        repo-token: ${{ secrets.GITHUB_ACTIONS_TOKEN}}
+        repo-token: ${{ secrets.ORGSCOPED_GITHUB_TOKEN}}

.github/workflows.disabled/stale.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v4
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         days-before-stale: 720

.github/workflows.disabled/team_slack_bot.yml

@@ -13,7 +13,7 @@ jobs:
     - name: open-pr-stats
       uses: breathingdust/github-team-slackbot@v17
       with:
-        github_token: ${{ secrets.GITHUB_ACTIONS_TOKEN}}
+        github_token: ${{ secrets.ORGSCOPED_GITHUB_TOKEN}}
         org: hashicorp
         repo: terraform-provider-aws
         team_slug: terraform-aws

.semgrep.yml

@@ -22,6 +22,7 @@ rules:
         - aws/validators.go
         - aws/*wafregional*.go
         - aws/resource_aws_serverlessapplicationrepository_cloudformation_stack.go
+        - aws/resource_aws_transfer_server.go
         - aws/*_test.go
         - aws/internal/keyvaluetags/
         - aws/internal/service/wafregional/
@@ -326,10 +327,16 @@ rules:
         - aws/resource_aws_athena_*.go
         - aws/resource_aws_autoscaling_*.go
         - aws/resource_aws_autoscalingplans_scaling_plan.go
-        - aws/resource_aws_[b-g]*.go
+        - aws/resource_aws_[b-ce-g]*.go
+        - aws/resource_aws_d[a-df-z]*.go
+        - aws/resource_aws_devicefarm*.go
         - aws/resource_aws_i*.go
-        - aws/resource_aws_[k-t]*.go
-        - aws/resource_aws_[v-x]*.go
+        - aws/resource_aws_[k-r]*.go
+        - aws/resource_aws_s[a-df-z3]*.go
+        - aws/resource_aws_se[d-z]*.go
+        - aws/resource_aws_sec[a-t]*.go
+        - aws/resource_aws_securityhub*.go
+        - aws/resource_aws_[t-x]*.go
       include:
         - aws/resource*.go
     patterns:
@@ -347,7 +354,7 @@ rules:
             return nil
           }
       - pattern-not-inside: |
-          if <... d.IsNewResource() ...> { ... }
+          if <... !d.IsNewResource() ...> { ... }
     severity: WARNING
 
   - id: helper-schema-resource-Retry-without-TimeoutError-check

CHANGELOG.md

@@ -1,3 +1,61 @@
+## 3.50.0 (July 15, 2021)
+
+NOTES:
+
+* resource/aws_dx_gateway_association_proposal: If an accepted Proposal reaches end-of-life and is removed by AWS do not recreate the resource, instead refreshing Terraform state from the resource's Direct Connect Gateway ID and Associated Gateway ID. ([#19741](https://github.com/hashicorp/terraform-provider-aws/issues/19741))
+
+FEATURES:
+
+* **New Resource:** `aws_appconfig_application` ([#19307](https://github.com/hashicorp/terraform-provider-aws/issues/19307))
+* **New Resource:** `aws_appconfig_configuration_profile` ([#19320](https://github.com/hashicorp/terraform-provider-aws/issues/19320))
+* **New Resource:** `aws_appconfig_deployment_strategy` ([#19359](https://github.com/hashicorp/terraform-provider-aws/issues/19359))
+* **New Resource:** `aws_appconfig_environment` ([#19307](https://github.com/hashicorp/terraform-provider-aws/issues/19307))
+* **New Resource:** `aws_appconfig_hosted_configuration_version` ([#19324](https://github.com/hashicorp/terraform-provider-aws/issues/19324))
+* **New Resource:** `aws_config_organization_conformance_pack` ([#17298](https://github.com/hashicorp/terraform-provider-aws/issues/17298))
+* **New Resource:** `aws_securityhub_organization_configuration` ([#19108](https://github.com/hashicorp/terraform-provider-aws/issues/19108))
+* **New Resource:** `aws_securityhub_standards_control` ([#14714](https://github.com/hashicorp/terraform-provider-aws/issues/14714))
+
+ENHANCEMENTS:
+
+* resource/aws_cloudwatch_event_target: Add `enable_ecs_managed_tags`, `enable_execute_command`, `placement_constraints`, `propagate_tags`, and `tags` arguments to `ecs_target` block. ([#19975](https://github.com/hashicorp/terraform-provider-aws/issues/19975))
+* resource/aws_cognito_user_pool_client: Add the `enable_token_revocation` argument to support targeted sign out ([#20031](https://github.com/hashicorp/terraform-provider-aws/issues/20031))
+* resource/aws_fsx_windows_file_system: Add `aliases` argument ([#20054](https://github.com/hashicorp/terraform-provider-aws/issues/20054))
+* resource/aws_guardduty_detector: Add `datasources` argument ([#19954](https://github.com/hashicorp/terraform-provider-aws/issues/19954))
+* resource/aws_guardduty_organization_configuration: Add `datasources` argument ([#15241](https://github.com/hashicorp/terraform-provider-aws/issues/15241))
+* resource/aws_iam_access_key: Add encrypted SES SMTP password ([#19579](https://github.com/hashicorp/terraform-provider-aws/issues/19579))
+* resource/aws_kms_key: Add plan time validation to `description`. ([#19967](https://github.com/hashicorp/terraform-provider-aws/issues/19967))
+* resource/aws_s3_bucket: Add the delete_marker_replication_status argument for V2 replication configurations ([#19323](https://github.com/hashicorp/terraform-provider-aws/issues/19323))
+* resource/aws_s3_bucket_object: Add `source_hash` argument to compliment `etag`'s encryption limitations ([#11522](https://github.com/hashicorp/terraform-provider-aws/issues/11522))
+* resource/aws_sagemaker_domain: Add support for `retention_policy` ([#18562](https://github.com/hashicorp/terraform-provider-aws/issues/18562))
+* resource/aws_wafv2_web_acl: Support `scope_down_statement` on `managed_rule_group_statement` ([#19407](https://github.com/hashicorp/terraform-provider-aws/issues/19407))
+
+BUG FIXES:
+
+* resource/aws_cognito_user_pool_client: Allow the `default_redirect_uri` argument value to be an empty string ([#20031](https://github.com/hashicorp/terraform-provider-aws/issues/20031))
+* resource/aws_cognito_user_pool_client: Retry on `ConcurrentModificationException` ([#20031](https://github.com/hashicorp/terraform-provider-aws/issues/20031))
+* resource/aws_datasync_location_s3: Correctly parse S3 on Outposts location URI ([#19859](https://github.com/hashicorp/terraform-provider-aws/issues/19859))
+* resource/aws_db_instance: Ignore allocated_storage for replica at creation time ([#12548](https://github.com/hashicorp/terraform-provider-aws/issues/12548))
+* resource/aws_elasticache_replication_group: Cannot set `cluster_mode.replicas_per_node_group` when member of Global Replication Group ([#20111](https://github.com/hashicorp/terraform-provider-aws/issues/20111))
+
+## 3.49.0 (July 08, 2021)
+
+FEATURES:
+
+* **New Resource:** `aws_eks_identity_provider_config` ([#17959](https://github.com/hashicorp/terraform-provider-aws/issues/17959))
+* **New Resource:** `aws_rds_cluster_role_association` ([#12370](https://github.com/hashicorp/terraform-provider-aws/issues/12370))
+
+ENHANCEMENTS:
+
+* aws_rds_cluster: Set `iam_roles` as Computed to prevent drift when the `aws_rds_cluster_role_association` resource is used ([#12370](https://github.com/hashicorp/terraform-provider-aws/issues/12370))
+* resource/aws_transfer_server: Add `security_group_ids` argument to `endpoint_details` configuration block. ([#17539](https://github.com/hashicorp/terraform-provider-aws/issues/17539))
+
+BUG FIXES:
+
+* data-source/aws_lakeformation_permissions: Fix various problems with permissions including select-only ([#20108](https://github.com/hashicorp/terraform-provider-aws/issues/20108))
+* resource/aws_eks_cluster: Don't associate an `encryption_config` if there's already one ([#19986](https://github.com/hashicorp/terraform-provider-aws/issues/19986))
+* resource/aws_lakeformation_permissions: Fix various problems with permissions including select-only ([#20108](https://github.com/hashicorp/terraform-provider-aws/issues/20108))
+* resource/aws_ram_resource_share_accepter: Allow destroy even where AWS API provides no way to disassociate ([#19718](https://github.com/hashicorp/terraform-provider-aws/issues/19718))
+
 ## 3.48.0 (July 02, 2021)
 
 FEATURES:
@@ -34,7 +92,7 @@ ENHANCEMENTS:
 * resource/aws_eks_cluster: Allow updates to `encryption_config` ([#19144](https://github.com/hashicorp/terraform-provider-aws/issues/19144))
 * resource/aws_lb_target_group: Add support for `app_cookie` stickiness type and `cookie_name` argument ([#18102](https://github.com/hashicorp/terraform-provider-aws/issues/18102))
 * resource/aws_main_route_table_association: Wait for association to reach the required state ([#19426](https://github.com/hashicorp/terraform-provider-aws/issues/19426))
-* resource/aws_neptune_cluster: Add `copy_snapshot_to_tags` argument ([#19899](https://github.com/hashicorp/terraform-provider-aws/issues/19899))
+* resource/aws_neptune_cluster: Add `copy_tags_to_snapshot` argument ([#19899](https://github.com/hashicorp/terraform-provider-aws/issues/19899))
 * resource/aws_route: Add retries when creating, deleting and replacing routes ([#19426](https://github.com/hashicorp/terraform-provider-aws/issues/19426))
 * resource/aws_route_table: Add retries when creating, deleting and replacing routes ([#19426](https://github.com/hashicorp/terraform-provider-aws/issues/19426))
 * resource/aws_route_table_association: Wait for association to reach the required state ([#19426](https://github.com/hashicorp/terraform-provider-aws/issues/19426))

aws/config.go

@@ -720,6 +720,23 @@ func (c *Config) Client() (interface{}, error) {
 				return
 			}
 
+			// We only want to retry briefly as the default max retry count would
+			// excessively retry when the error could be legitimate.
+			// We currently depend on the DefaultRetryer exponential backoff here.
+			// ~10 retries gives a fair backoff of a few seconds.
+			if r.RetryCount < 9 {
+				r.Retryable = aws.Bool(true)
+			} else {
+				r.Retryable = aws.Bool(false)
+			}
+		case "DeleteOrganizationConformancePack", "DescribeOrganizationConformancePacks", "DescribeOrganizationConformancePackStatuses", "PutOrganizationConformancePack":
+			if !tfawserr.ErrCodeEquals(r.Error, configservice.ErrCodeOrganizationAccessDeniedException) {
+				if r.Operation.Name == "DeleteOrganizationConformancePack" && tfawserr.ErrCodeEquals(err, configservice.ErrCodeResourceInUseException) {
+					r.Retryable = aws.Bool(true)
+				}
+				return
+			}
+
 			// We only want to retry briefly as the default max retry count would
 			// excessively retry when the error could be legitimate.
 			// We currently depend on the DefaultRetryer exponential backoff here.