
ADR-007: AWS Provider Upgrade to >= 6.22

Status: Accepted
Date: 2026-03-18
Deciders: AI Engineering NAMER

ADR-005 decided to use ALB native JWT validation (jwt-validation action type) instead of API Gateway. This feature requires AWS Terraform provider >= v6.22.0 (released November 21, 2025).

Our current versions.tf specifies ~> 5.0. This must be upgraded.

Upgrade the AWS provider constraint from ~> 5.0 to ~> 6.22 in infrastructure/versions.tf.
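To make the effect of that constraint change concrete, here is an added example (not part of the ADR's Terraform or of any HashiCorp tooling) that implements Terraform's provider version constraint operators, including the pessimistic `~>`, and checks which provider releases a given versions.tf would admit. The versions.tf text inside it is constructed for the example; `parse_version`, `satisfies`, `provider_constraint` and `admits` are names chosen here.

```python
"""Terraform provider version constraint checker (added example).

Implements the constraint operators Terraform accepts in required_providers
(=, !=, >, >=, <, <= and the pessimistic ~>) so the move from "~> 5.0" to
"~> 6.22" can be checked offline against candidate provider releases.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# ~> semantics per the Terraform docs: "~> 1.2" means >= 1.2, < 2.0;
# "~> 1.2.3" means >= 1.2.3, < 1.3.0 (only the rightmost component may grow).
_TERM = re.compile(r"^(~>|>=|<=|!=|=|>|<)?\s*(\d+(?:\.\d+){0,2})$")

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "=": lambda v, c: v == c,
    "!=": lambda v, c: v != c,
    ">": lambda v, c: v > c,
    ">=": lambda v, c: v >= c,
    "<": lambda v, c: v < c,
    "<=": lambda v, c: v <= c,
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR[.MINOR[.PATCH]]' (optional leading 'v') into a 3-tuple."""
    parts = text.strip().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def expand_term(term: str) -> List[Tuple[str, Version]]:
    """Expand one constraint term into plain (operator, version) comparisons."""
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"bad constraint term: {term!r}")
    op, ver = m.group(1) or "=", m.group(2)
    if op != "~>":
        return [(op, parse_version(ver))]
    parts = [int(p) for p in ver.split(".")]
    if len(parts) < 2:
        raise ValueError("~> needs at least MAJOR.MINOR")
    # Exclusive upper bound: bump the component left of the rightmost one given.
    upper = (parts[0] + 1, 0, 0) if len(parts) == 2 else (parts[0], parts[1] + 1, 0)
    return [(">=", parse_version(ver)), ("<", upper)]


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets every comma-separated term of `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound)
               for term in constraint.split(",")
               for op, bound in expand_term(term))


def provider_constraint(hcl_text: str, provider: str = "aws") -> str:
    """Pull the version constraint for `provider` out of a required_providers block.
    A narrow regex covers the shape used in versions.tf; this is not an HCL parser."""
    m = re.search(provider + r'\s*=\s*\{[^}]*?version\s*=\s*"([^"]+)"', hcl_text)
    if not m:
        raise ValueError(f"no version constraint for provider {provider!r}")
    return m.group(1)


def admits(hcl_text: str, version: str, provider: str = "aws") -> bool:
    """Does the required_providers constraint in `hcl_text` admit `version`?"""
    return satisfies(version, provider_constraint(hcl_text, provider))


# Constructed versions.tf in the shape the ADR describes (old constraint).
OLD_VERSIONS_TF = '''
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
'''
NEW_VERSIONS_TF = OLD_VERSIONS_TF.replace('"~> 5.0"', '"~> 6.22"')

if __name__ == "__main__":
    for label, text in (("old", OLD_VERSIONS_TF), ("new", NEW_VERSIONS_TF)):
        c = provider_constraint(text)
        print(f"{label}: {c!r} admits 6.22.0? {admits(text, '6.22.0')}  7.0.0? {admits(text, '7.0.0')}")
```

The distinction worth remembering: `~> 6.22` admits every 6.x release from 6.22.0 up (but not 7.0.0), whereas `~> 6.22.0` would pin to the 6.22 patch series and silently refuse later 6.x releases.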

The AWS provider v6.0.0 was a major release. Key breaking changes that may affect our config:

  • Resource and data source renames/removals
  • Default tag propagation behavior changes
  • Some attribute type changes

Since our Terraform was just written (no state yet), the upgrade is zero-risk — we’re starting fresh on v6.

The listener default_action from ADR-005 that requires the new provider:

default_action {
  type = "jwt-validation"
  jwt_validation {
    issuer        = "https://cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.gateway.id}"
    jwks_endpoint = "https://cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.gateway.id}/.well-known/jwks.json"
    additional_claim {
      format = "string-array"
      name   = "scope"
      values = ["https://gateway.internal/invoke"]
    }
  }
}

Key constraints:

  • HTTPS listener only
  • RS256 algorithm only
  • JWKS endpoint must be publicly accessible (Cognito’s is)
  • Max 10 additional claims, max 10 values per claim
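The constraints above are easy to get wrong in review, so here is an added example (not code from the ADR, AWS or the Terraform provider) that encodes them as a linter over a plain-dict copy of the jwt_validation block and reports which policy checks a decoded token would fail. The issuer, user pool id and tokens are constructed; the claim-matching rule used ("string" means the claim equals one configured value, "string-array" means the claim is an array containing at least one) is an assumption made for this example, and the signature is deliberately not verified here, since that is the ALB's job against the JWKS endpoint.

```python
"""Pre-flight checks for an ALB jwt-validation action (added example).

Encodes the key constraints quoted in the ADR: HTTPS listener, RS256 only,
https:// JWKS endpoint, at most 10 additional claims with at most 10 values
each. Claim-match semantics are an assumption; signatures are NOT checked.
"""
import base64
import json
from typing import Any, Dict, List

MAX_CLAIMS = 10           # ALB limits quoted in the ADR
MAX_VALUES = 10
ALLOWED_FORMATS = {"string", "string-array"}
ALLOWED_ALGS = {"RS256"}  # the ALB accepts RS256 only

# Constructed issuer for a hypothetical pool; real values come from Terraform.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_CFG: Dict[str, Any] = {
    "issuer": ISSUER,
    "jwks_endpoint": ISSUER + "/.well-known/jwks.json",
    "additional_claim": [
        {"format": "string-array", "name": "scope",
         "values": ["https://gateway.internal/invoke"]},
    ],
}


def lint_jwt_validation(listener_protocol: str, cfg: Dict[str, Any]) -> List[str]:
    """Return constraint violations; an empty list means the config is admissible."""
    findings: List[str] = []
    if listener_protocol.upper() != "HTTPS":
        findings.append(f"listener protocol {listener_protocol!r}: jwt-validation needs HTTPS")
    for key in ("issuer", "jwks_endpoint"):
        if not str(cfg.get(key, "")).startswith("https://"):
            findings.append(f"{key} must be an https:// URL")
    claims = cfg.get("additional_claim", [])
    if len(claims) > MAX_CLAIMS:
        findings.append(f"{len(claims)} additional claims, max is {MAX_CLAIMS}")
    for i, claim in enumerate(claims):
        if not claim.get("name"):
            findings.append(f"additional_claim[{i}] has no name")
        if claim.get("format") not in ALLOWED_FORMATS:
            findings.append(f"additional_claim[{i}] format {claim.get('format')!r} not allowed")
        values = claim.get("values", [])
        if not values:
            findings.append(f"additional_claim[{i}] has no values")
        elif len(values) > MAX_VALUES:
            findings.append(f"additional_claim[{i}] has {len(values)} values, max is {MAX_VALUES}")
    return findings


def _b64url_json(segment: str) -> Dict[str, Any]:
    """Decode one base64url JWT segment into a dict (padding restored)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def encode_sample_token(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Constructed, unsigned sample token (header.payload.dummy) so the claim
    checks below can run offline. It carries no real signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.unsigned"


def token_policy_fit(token: str, cfg: Dict[str, Any]) -> List[str]:
    """Which policy checks would this token fail at the ALB? Signature NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token: expected 3 segments"]
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    failures: List[str] = []
    if header.get("alg") not in ALLOWED_ALGS:
        failures.append(f"alg {header.get('alg')!r} rejected; only {sorted(ALLOWED_ALGS)} allowed")
    if payload.get("iss") != cfg["issuer"]:
        failures.append("iss does not match configured issuer")
    for claim in cfg.get("additional_claim", []):
        actual = payload.get(claim["name"])
        if claim["format"] == "string":
            ok = isinstance(actual, str) and actual in claim["values"]
        else:  # string-array: assumed to mean "array containing at least one value"
            ok = isinstance(actual, list) and any(v in actual for v in claim["values"])
        if not ok:
            failures.append(f"claim {claim['name']!r} = {actual!r} fails {claim['format']} match")
    return failures


if __name__ == "__main__":
    print("config findings:", lint_jwt_validation("HTTPS", SAMPLE_CFG))
    good = encode_sample_token({"alg": "RS256", "kid": "k1"},
                               {"iss": ISSUER, "scope": ["https://gateway.internal/invoke"]})
    bad = encode_sample_token({"alg": "HS256"},
                              {"iss": ISSUER, "scope": "https://gateway.internal/invoke"})
    print("good token:", token_policy_fit(good, SAMPLE_CFG))
    print("bad token:", token_policy_fit(bad, SAMPLE_CFG))
```

The "bad" token shows the failure mode worth checking before go-live: a `scope` claim carried as a plain string will not satisfy a `string-array` match, so decode a real access token from the user pool and run it through `token_policy_fit` to confirm the configured `format` agrees with what Cognito actually emits.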

  • Positive: Unlocks free JWT validation at ALB. No API Gateway needed.
  • Negative: Major provider version jump. Must validate all existing resources still plan clean on v6.