Merge branch 'main' into HEAD

.changelog/20533.txt

@@ -0,0 +1,19 @@
+```release-note:enhancement
+resource/aws_kms_key: Add `multi_region` argument
+```
+
+```release-note:enhancement
+data-source/aws_kms_key: Add `multi_region` and `multi_region_configuration` attributes
+```
+
+```release-note:new-resource
+aws_kms_replica_key
+```
+
+```release-note:enhancement
+resource/aws_kms_external_key: Add `multi_region` argument
+```
+
+```release-note:new-resource
+aws_kms_replica_external_key
+```

.changelog/21176.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_s3_bucket: Add `metrics` and `replication_time` arguments to `replication_configuration.rules` configuration block to support Amazon S3 Replication Time Control
+```

.changelog/21315.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_backup_vault_lock_configuration
+```

.changelog/21452.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_glue_data_catalog_encryption_settings: Disable encryption on resource deletion
+```

.changelog/21459.txt

@@ -0,0 +1,3 @@
+```release-note:bug-fix
+resource/aws_eip: Set `allocation_id` attribute for value for VPC domain EIPs
+```

.changelog/21461.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_apigateway_usage_plan : Add `throttle` argument for `api_stages` block.
+```

.changelog/21465.txt

@@ -0,0 +1,3 @@
+```release-note:bug-fix
+resource/aws_appstream_fleet: Use `image_arn` when specified
+```

.changelog/21467.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_glue_crawler: Add `dlq_event_queue_arn` and `event_queue_arn` arguments to the `s3_target` configuration block
+```

.changelog/21470.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_prometheus_rule_group_namespace
+```

.changelog/21480.txt

@@ -0,0 +1,2 @@
+```release-note:enhancement
+resource/aws_sagemaker_code_repository: Add tagging support.

.changelog/21482.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_storage_gateway_nfs_file_share: Add `audit_destination_arn` argument.
+```

.changelog/21509.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+aws/resource_aws_lex_slot_type: Correctly determine `version` attribute
+```

.github/labeler-pr-triage.yml

@@ -434,13 +434,11 @@ service/mq:
 service/mwaa:
   - 'internal/service/mwaa/**/*'
   - 'website/**/mwaa_*'
-service/nas:
-  - 'internal/service/nas/**/*'
+service/meta:
+  - 'internal/service/meta/**/*'
   - 'website/**/arn*'
   - 'website/**/ip_ranges*'
   - 'website/**/billing_service_account*'
-  - 'website/**/caller_identity*'
-  - 'website/**/canonical_user_id*'
   - 'website/**/default_tags*'
   - 'website/**/partition*'
   - 'website/**/region*'
@@ -523,6 +521,7 @@ service/s3:
   - 'internal/service/s3/**/*'
   - 'website/**/s3_bucket*'
   - 'website/**/s3_object*'
+  - 'website/**/canonical_user_id*'
 service/s3control:
   - 'internal/service/s3control/**/*'
   - 'website/**/s3_account_*'
@@ -588,6 +587,7 @@ service/storagegateway:
   - 'website/**/storagegateway_*'
 service/sts:
   - 'internal/service/sts/**/*'
+  - 'website/**/caller_identity*'
 service/swf:
   - 'internal/service/swf/**/*'
   - 'website/**/swf_*'

.github/workflows/acctest-terraform-lint.yml

@@ -9,7 +9,7 @@ on:
       - .github/workflows/acctest-terraform-lint.yml
       - .go-version
       - .tflint.hcl
-      - aws/*_test.go
+      - 'internal/service/**/*_test.go'
       - scripts/validate-terraform.sh
       - tools/go.mod
 

.github/workflows/stale.yml

@@ -12,8 +12,8 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         days-before-stale: 720
         days-before-close: 30
-        exempt-issue-label: 'needs-triage'
-        exempt-pr-label: 'needs-triage'
+        exempt-issue-labels: 'needs-triage'
+        exempt-pr-labels: 'needs-triage'
         operations-per-run: 100
         stale-issue-label: 'stale'
         stale-issue-message: |

CHANGELOG.md

@@ -3,18 +3,31 @@
 FEATURES:
 
 * **New Data Source:** `aws_iam_user_ssh_key` ([#21335](https://github.com/hashicorp/terraform-provider-aws/issues/21335))
+* **New Resource:** `aws_backup_vault_lock_configuration` ([#21315](https://github.com/hashicorp/terraform-provider-aws/issues/21315))
+* **New Resource:** `aws_kms_replica_external_key` ([#20533](https://github.com/hashicorp/terraform-provider-aws/issues/20533))
+* **New Resource:** `aws_kms_replica_key` ([#20533](https://github.com/hashicorp/terraform-provider-aws/issues/20533))
 * **New Resource:** `aws_prometheus_alert_manager_definition` ([#21431](https://github.com/hashicorp/terraform-provider-aws/issues/21431))
+* **New Resource:** `aws_prometheus_rule_group_namespace` ([#21470](https://github.com/hashicorp/terraform-provider-aws/issues/21470))
 
 ENHANCEMENTS:
 
+* data-source/aws_kms_key: Add `multi_region` and `multi_region_configuration` attributes ([#20533](https://github.com/hashicorp/terraform-provider-aws/issues/20533))
 * data-source/aws_s3_bucket: Return `hosted_zone_id` attribute for `cn-northwest-1` (Ningxia) region ([#21337](https://github.com/hashicorp/terraform-provider-aws/issues/21337))
+* resource/aws_apigateway_usage_plan : Add `throttle` argument for `api_stages` block. ([#21461](https://github.com/hashicorp/terraform-provider-aws/issues/21461))
 * resource/aws_dms_endpoint: Add `include_transaction_details`, `include_partition_value`, `partition_include_schema_table`, `include_table_alter_operations`, `include_control_details` and `include_null_and_empty` arguments to `kinesis_settings` configuration block ([#20084](https://github.com/hashicorp/terraform-provider-aws/issues/20084))
+* resource/aws_glue_crawler: Add `dlq_event_queue_arn` and `event_queue_arn` arguments to the `s3_target` configuration block ([#21467](https://github.com/hashicorp/terraform-provider-aws/issues/21467))
+* resource/aws_glue_data_catalog_encryption_settings: Disable encryption on resource deletion ([#21452](https://github.com/hashicorp/terraform-provider-aws/issues/21452))
 * resource/aws_kinesisanalyticsv2_application: `runtime_environment` now supports `FLINK-1_13` ([#21341](https://github.com/hashicorp/terraform-provider-aws/issues/21341))
+* resource/aws_kms_external_key: Add `multi_region` argument ([#20533](https://github.com/hashicorp/terraform-provider-aws/issues/20533))
+* resource/aws_kms_key: Add `multi_region` argument ([#20533](https://github.com/hashicorp/terraform-provider-aws/issues/20533))
 * resource/aws_route53_key_signing_key: Deactivate key-signing key with `ACTION_NEEDED` status before deletion ([#21369](https://github.com/hashicorp/terraform-provider-aws/issues/21369))
+* resource/aws_s3_bucket: Add `metrics` and `replication_time` arguments to `replication_configuration.rules` configuration block to support Amazon S3 Replication Time Control ([#21176](https://github.com/hashicorp/terraform-provider-aws/issues/21176))
 * resource/aws_s3_bucket: Return `hosted_zone_id` attribute for `cn-northwest-1` (Ningxia) region ([#21337](https://github.com/hashicorp/terraform-provider-aws/issues/21337))
+* resource/aws_storage_gateway_nfs_file_share: Add `audit_destination_arn` argument. ([#21482](https://github.com/hashicorp/terraform-provider-aws/issues/21482))
 
 BUG FIXES:
 
+* aws/resource_aws_lex_slot_type: Correctly determine `version` attribute ([#21509](https://github.com/hashicorp/terraform-provider-aws/issues/21509))
 * resource/aws_cloudwatch_metric_alarm: Fix imported 'treat_missing_data' diff ([#21363](https://github.com/hashicorp/terraform-provider-aws/issues/21363))
 * resource/aws_codedeploy_deployment_group: Correctly update `deployment_group_name` argument ([#21362](https://github.com/hashicorp/terraform-provider-aws/issues/21362))
 * resource/aws_db_event_subscription: Fix adding new `event_categories` to existing resource ([#21338](https://github.com/hashicorp/terraform-provider-aws/issues/21338))

ROADMAP.md

@@ -14,7 +14,7 @@ In the period spanning May to July 2021 539 Pull Requests were opened in the pro
 - AWS AppConfig
 - AWS Amplify
 - AWS Service Catalog
-- AWS ElasticSearch Native SAML for Kibana
+- AWS Elasticsearch Native SAML for Kibana
 - Amazon Macie 2
 - Delegated Administrators for Organisations
 - Predictive Autoscaling

docs/contributing/contribution-checklists.md

@@ -355,7 +355,7 @@ More details about this code generation, including fixes for potential error mes
   }
   ```
 
-- Otherwise if the API does not support tagging on creation (the `Input` struct does not accept a `Tags` field), in the resource `Create` function, implement the logic to convert the configuration tags into the service API call to tag a resource, e.g., with ElasticSearch Domain:
+- Otherwise if the API does not support tagging on creation (the `Input` struct does not accept a `Tags` field), in the resource `Create` function, implement the logic to convert the configuration tags into the service API call to tag a resource, e.g., with Elasticsearch Domain:
 
   ```go
   // Typically declared near conn := /* ... */
@@ -547,7 +547,7 @@ More details about this code generation, including fixes for potential error mes
   }
   ```
 
-- Verify all acceptance testing passes for the resource (e.g., `make testacc TESTARGS='-run=TestAccEKSCluster_'`)
+- Verify all acceptance testing passes for the resource (e.g., `make testacc TESTARGS='-run=TestAccEKSCluster_' PKG_NAME=internal/service/eks`)
 
 ### Resource Tagging Documentation Implementation
 
@@ -571,7 +571,7 @@ See the [EC2 Listing and filtering your resources page](https://docs.aws.amazon.
 Implementing server-side filtering support for Terraform AWS Provider resources requires the following, each with its own section below:
 
 - [ ] _Generated Service Filtering Code_: In the internal code generators (e.g., `internal/generate/namevaluesfilters`), implementation and customization of how a service handles filtering, which is standardized for the resources.
-- [ ] _Resource Filtering Code Implementation_: In the resource's equivalent data source code (e.g., `aws/data_source_aws_service_thing.go`), implementation of `filter` schema attribute, along with handling in the `Read` function.
+- [ ] _Resource Filtering Code Implementation_: In the resource's equivalent data source code (e.g., `internal/service/{servicename}/thing_data_source.go`), implementation of `filter` schema attribute, along with handling in the `Read` function.
 - [ ] _Resource Filtering Documentation Implementation_: In the resource's equivalent data source documentation (e.g., `website/docs/d/service_thing.html.markdown`), addition of `filter` argument
 
 ### Adding Service to Filter Generating Code
@@ -586,7 +586,7 @@ More details about this code generation can be found in the [namevaluesfilters d
 
 ### Resource Filter Code Implementation
 
-- In the resource's equivalent data source Go file (e.g., `aws/data_source_aws_internet_gateway.go`), add the following Go import: `"github.com/hashicorp/terraform-provider-aws/internal/namevaluesfilters"`
+- In the resource's equivalent data source Go file (e.g., `internal/service/ec2/internet_gateway_data_source.go`), add the following Go import: `"github.com/hashicorp/terraform-provider-aws/internal/namevaluesfilters"`
 - In the resource schema, add `"filter": namevaluesfilters.Schema(),`
 - Implement the logic to build the list of filters:
 
@@ -647,8 +647,8 @@ guidelines.
    and to prevent future conflicts with new AWS services/resources.
    For reference:
 
-    - `service` is the AWS short service name that matches the entry in
-     `endpointServiceNames` (created via the [New Service](#new-service)
+    - `service` is the AWS short service name that matches the key in
+     the `serviceData` map in the `conns` package (created via the [New Service](#new-service)
      section)
     - `name` represents the conceptual infrastructure represented by the
      create, read, update, and delete methods of the service API. It should
@@ -672,9 +672,9 @@ guidelines.
 
 Adding a tag resource, similar to the `aws_ecs_tag` resource, has its own implementation procedure since the resource code and initial acceptance testing functions are automatically generated. The rest of the resource acceptance testing and resource documentation must still be manually created.
 
-- In `aws/internal/keyvaluetags`: Ensure the service is supported by all generators. Run `make gen` after any modifications.
-- In `aws/tag_resources.go`: Add the new `//go:generate` call with the correct service name. Run `make gen` after any modifications.
-- In `aws/provider.go`: Add the new resource.
+- In `internal/generate`: Ensure the service is supported by all generators. Run `make gen` after any modifications.
+- In `internal/service/{service}/generate.go`: Add the new `//go:generate` call with the correct generator directives. Run `make gen` after any modifications.
+- In `internal/provider/provider.go`: Add the new resource.
 - Run `make test` and ensure there are no failures.
 - Create `internal/service/{service}/tag_gen_test.go` with initial acceptance testing similar to the following (where the parent resource is simple to provision):
 
@@ -792,7 +792,7 @@ resource "aws_{service}_tag" "test" {
 }
 ```
 
-- Run `make testacc TEST=./aws TESTARGS='-run=TestAcc{Service}Tags_'` and ensure there are no failures.
+- Run `make testacc TESTARGS='-run=TestAcc{Service}Tags_' PKG_NAME=internal/service/{Service}` and ensure there are no failures.
 - Create `website/docs/r/{service}_tag.html.markdown` with initial documentation similar to the following:
 
 ``````markdown
@@ -860,16 +860,30 @@ into Terraform.
 
   To add the AWS Go SDK service client:
 
-    - In `aws/provider.go` Add a new service entry to `endpointServiceNames`.
-    This service name should match the AWS Go SDK or AWS CLI service name.
-    - In `aws/config.go`: Add a new import for the AWS Go SDK code. E.g.
+    - In `internal/conns/conns.go`: Add a string constant for the service. Follow these rules to name the constant.
+        - The constant name should be the same as the service name used in the AWS Go SDK except:
+            1. Drop "service" or "api" if the service name ends with either or both, and
+            2. Shorten the service name if it is excessively long. Avoid names longer than 17 characters if possible. When shortening a service name, look to the endpoints ID, common usage in documentation and marketing, and discuss the change with the community and maintainers to get buy in. The goals for this alternate name are to be instantly recognizable, not verbose, and more easily managed.
+        - The constant name should be capitalized following Go mixed-case rules. In other words:
+            1. Do not use underscores,
+            2. The first letter of each word is capitalized, and
+            3. Abbreviations and initialisms are all caps.
+        - Proper examples include `CognitoIdentity`, `DevOpsGuru`, `DynamoDB`, `ECS`, `Prometheus` ("Service" is dropped from end), and `ServerlessAppRepo` (shortened from "Serverless Application Repository").
+        - The constant value is the same as the name but all lowercase (_e.g._, `DynamoDB = "dynamodb"`).
+    - In `internal/conns/conns.go`: Add a new entry to the `serviceData` map:
+        1. The entry key is the string constant created above
+        2. The `AWSClientName` is the exact name of the return type of the `New()` method of the service. For example, see the `New()` method in the [Application Auto Scaling documentation](https://docs.aws.amazon.com/sdk-for-go/api/service/applicationautoscaling/#New).
+        3. For `AWSServiceName`, `AWSEndpointsID`, and `AWSServiceID`, directly reference the AWS Go SDK service package for the values. For example, `accessanalyzer.ServiceName`, `accessanalyzer.EndpointsID`, and `accessanalyzer.ServiceID` respectively.
+        4. `ProviderNameUpper` is the exact same as the constant _name_ (_not_ value) as described above.
+        5. In most cases, the `HCLKeys` slice will have one element, an all-lowercase string that matches the AWS SDK Go service name and provider constant value, described above. However, when these diverge, it may be helpful to add additional elements. Practitioners can use any of these names in the provider configuration when customizing service endpoints.
+    - In `internal/conns/conns.go`: Add a new import for the AWS Go SDK code. E.g.
     `github.com/aws/aws-sdk-go/service/quicksight`
-    - In `aws/config.go`: Add a new `{SERVICE}conn` field to the `AWSClient`
-    struct for the service client. The service name should match the name
-    in `endpointServiceNames`. E.g., `quicksightconn *quicksight.QuickSight`
-    - In `aws/config.go`: Create the new service client in the `{SERVICE}conn`
-    field in the `AWSClient` instantiation within `Client()`. E.g.
-    `quicksightconn: quicksight.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["quicksight"])})),`
+    - In `internal/conns/conns.go`: Add a new `{ServiceName}Conn` field to the `AWSClient`
+    struct for the service client. The service name should match the constant name, capitalized the same, as described above.
+    _E.g._, `DynamoDBConn *dynamodb.DynamoDB`.
+    - In `internal/conns/conns.go`: Create the new service client in the `{ServiceName}Conn`
+    field in the `AWSClient` instantiation within `Client()`, using the constant created above as a key to a value in the `Endpoints` map. _E.g._,
+    `DynamoDBConn: dynamodb.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints[DynamoDB])})),`.
     - In `website/allowed-subcategories.txt`: Add a name acceptable for the documentation navigation.
     - In `website/docs/guides/custom-service-endpoints.html.md`: Add the service
     name in the list of customizable endpoints.
@@ -888,7 +902,7 @@ into Terraform.
   ```yaml
   # ... other services ...
   service/quicksight:
-    - 'aws/internal/service/quicksight/**/*'
+    - 'internal/service/quicksight/**/*'
     - '**/*_quicksight_*'
     - '**/quicksight_*'
   # ... other services ...