(TF): Bump hashicorp/aws from 5.47.0 to 6.23.0 in /modules/aws/users

[dependabot]

Bumps hashicorp/aws from 5.47.0 to 6.23.0.

Release notes

Sourced from hashicorp/aws's releases.

v6.22.1

6.22.1 (November 21, 2025)

ENHANCEMENTS:

• resource/aws_fsx_openzfs_file_system: Support INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#45159)
• resource/aws_msk_cluster: Add rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#45073)

BUG FIXES:

• provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in v6.22.0. (#45201)
• provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in v6.22.0. (#45201)
• resource/aws_accessanalyzer_analyzer: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#45202)
• resource/aws_odb_cloud_vm_cluster: Fix incorrect validation error when arguments are configured using variables. This addresses a regression introduced in v6.22.0 (#45205)

v6.22.0

6.22.0 (November 20, 2025)

NOTES:

• resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#45105)

FEATURES:

• New Ephemeral Resource: aws_ecr_authorization_token (#44949)
• New Guide: Tag Policy Compliance (#45143)
• New Resource: aws_billing_view (#45097)
• New Resource: aws_vpclattice_domain_verification (#45085)

ENHANCEMENTS:

• data-source/aws_lb_listener: Add default_action.jwt_validation attribute (#45089)
• data-source/aws_lb_listener_rule: Add action.jwt_validation attribute (#45089)
• data-source/aws_route53_zone: Support filtering by tags only or by vpc_id only (#39671)
• provider: Add support for enforcing tag policy compliance. This opt-in feature can be enabled via the new tag_policy_compliance provider argument, or the TF_AWS_TAG_POLICY_COMPLIANCE environment variable. When enabled, the principal executing Terraform must have the tags:ListRequiredTags IAM permission. (#45143)
• resource/aws_backup_logically_air_gapped_vault: Add encryption_key_arn argument (#45020)
• resource/aws_bedrock_guardrail: Add input_action, input_enabled, input_modalities, output_action, output_enabled, and output_modalities arguments to the content_policy_config.filters_config block (#45104)
• resource/aws_bedrockagent_knowledge_base: Add storage_configuration.rds_configuration.field_mapping.custom_metadata_field argument (#45075)
• resource/aws_bedrockagentcore_agent_runtime: Add agent_runtime_artifact.code_configuration block (#45091)
• resource/aws_bedrockagentcore_agent_runtime: Make agent_runtime_artifact.container_configuration block optional (#45091)
• resource/aws_dynamodb_table: Add global_table_witness argument (#43908)
• resource/aws_emr_managed_scaling_policy: Add scaling_strategy and utilization_performance_index arguments (#45132)
• resource/aws_fis_experiment_template: Add plan-time validation of log_configuration.cloudwatch_logs_configuration.log_group_arn (#35941)
• resource/aws_fis_experiment_template: Add support for Functions to action.*.target (#41209)
• resource/aws_lambda_invocation: Add import support (#41240)
• resource/aws_lb_listener: Support jwt-validation as a valid default_action.type and add default_action.jwt_validation configuration block (#45089)
• resource/aws_lb_listener_rule: Support jwt-validation as a valid action.type and add action.jwt_validation configuration block (#45089)
• resource/aws_odb_cloud_vm_cluster: vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. (#45003)
• resource/aws_organizations_organization: Add SECURITYHUB_POLICY as a valid value for enabled_policy_types argument (#45135)
• resource/aws_prometheus_query_logging_configuration: Add plan-time validation of destination.cloudwatch_logs.log_group_arn (#35941)

... (truncated)

Changelog

Sourced from hashicorp/aws's changelog.

6.23.0 (November 26, 2025)

NOTES:

• resource/aws_s3_bucket: To support ABAC (Attribute Based Access Control) in general purpose buckets, this resource will now attempt to send tags in the create request and use the S3 Control tagging APIs TagResource, UntagResource, and ListTagsForResource for read and update operations. The calling principal must have the corresponding s3:TagResource, s3:UntagResource, and s3:ListTagsForResource IAM permissions. If the principal lacks the appropriate permissions, the provider will fall back to tagging after creation and using the S3 tagging APIs PutBucketTagging, DeleteBucketTagging, and GetBucketTagging instead. With ABAC enabled, tag modifications may fail with the fall back behavior. See the AWS documentation for additional details on enabling ABAC in general purpose buckets. (#45251)

FEATURES:

• New Resource: aws_ecs_express_gateway_service (#45235)
• New Resource: aws_s3_bucket_abac (#45251)
• New Resource: aws_vpc_encryption_control (#45263)
• New Resource: aws_vpn_concentrator (#45175)

ENHANCEMENTS:

• action/aws_lambda_invoke: Add tenant_id argument (#45170)
• data-source/aws_eks_cluster: Add control_plane_scaling_config attribute (#45258)
• data-source/aws_lambda_function: Add tenancy_config attribute (#45170)
• data-source/aws_lambda_invocation: Add tenant_id argument (#45170)
• data-source/aws_vpn_connection: Add vpn_concentrator_id attribute (#45175)
• resoource/aws_ecs_capacity_provider: Add managed_instances_provider.infrastructure_optimization argument (#45142)
• resource/aws_docdb_cluster: Add network_type argument (#45140)
• resource/aws_docdb_subnet_group: Add supported_network_types attribute (#45140)
• resource/aws_eks_cluster: Add control_plane_scaling_config configuration block to support EKS Provisioned Control Plane (#45258)
• resource/aws_lambda_function: Add tenancy_config argument (#45170)
• resource/aws_lambda_invocation: Add tenant_id argument (#45170)
• resource/aws_s3_bucket: Tag on creation when the s3:TagResource permission is present (#45251)
• resource/aws_s3_bucket: Use the S3 Control tagging APIs when the s3:TagResource, s3:UntagResource, and s3:ListTagsForResource permissions are present (#45251)
• resource/aws_vpn_connection: Add vpn_concentrator_id argument to support Site-to-Site VPN Concentrator (#45175)

6.22.1 (November 21, 2025)

ENHANCEMENTS:

• resource/aws_fsx_openzfs_file_system: Support INTELLIGENT_TIERING storage type and add read_cache_configuration argument (#45159)
• resource/aws_msk_cluster: Add rebalancing configuration block to support intelligent rebalancing for Express broker clusters (#45073)

BUG FIXES:

• provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in v6.22.0. (#45201)
• provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in v6.22.0. (#45201)
• resource/aws_accessanalyzer_analyzer: Fix interface conversion: interface {} is nil, not map[string]interface {} panics when configuration.unused_access.analysis_rule.exclusion.resource_tags contains null values (#45202)
• resource/aws_odb_cloud_vm_cluster: Fix incorrect validation error when arguments are configured using variables. This addresses a regression introduced in v6.22.0 (#45205)

6.22.0 (November 20, 2025)

NOTES:

• resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the blocked_encryption_types argument to manage this behavior for specific buckets. (#45105)

... (truncated)

Commits

• c3023de Update CHANGELOG.md for #45277
• 6815f5d Merge pull request #45277 from hashicorp/prepare6.23.0
• bd79ef7 Merge pull request #45263 from hashicorp/f-vpc-encryption-controls
• d9e50d1 Document 'region' argument.
• cb1fdb1 Prepare for v6.23.0 release.
• c7c4b55 Merge pull request #45276 from sasidhar-aws/d_networkflowmonitor
• 286279a Update website/docs/r/networkflowmonitor_monitor.html.markdown
• eb8611c Merge pull request #45274 from tabito-hara/td-aws_organizations-add_new_policies
• bb55278 Adds CHANGELOG entry
• 3f21e1a Updates documentation from stub
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)