ADR-007: AWS Provider Upgrade to >= 6.22
Status: Accepted
Date: 2026-03-18
Deciders: AI Engineering NAMER
Context
ADR-005 decided to use ALB native JWT validation (the jwt-validation action type) instead of API Gateway. This feature requires AWS Terraform provider >= v6.22.0 (released November 21, 2025).
Our current versions.tf specifies ~> 5.0, which excludes every 6.x release. This must be upgraded.
Decision
Upgrade the AWS provider constraint from ~> 5.0 to ~> 6.22 in infrastructure/versions.tf.
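Why ~> 5.0 cannot satisfy the requirement while ~> 6.22 does follows from the pessimistic constraint operator: ~> X.Y allows >= X.Y.0 and < (X+1).0.0, while ~> X.Y.Z allows >= X.Y.Z and < X.(Y+1).0. The following added Python (not part of the infrastructure repo) implements those semantics and checks a versions.tf snippet against the 6.22.0 minimum; the file contents and the check_versions_tf helper are constructed for this example.

```python
"""Evaluate Terraform '~>' (pessimistic) provider constraints against a minimum version.

Added example for ADR-007, not code from the infrastructure repo. Assumptions:
the versions.tf text is a constructed sample, and the required_providers block
for aws is matched with a simple regex rather than a full HCL parser.
"""
import re

# Minimum provider version that ships the jwt-validation action (from the ADR).
REQUIRED_VERSION = (6, 22, 0)


def parse_version(text):
    """Turn '6.22' or 'v6.22.1' into a 3-tuple, padding missing components with 0."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def pessimistic_range(constraint):
    """Return (low_inclusive, high_exclusive) for a '~> ...' constraint."""
    m = re.fullmatch(r"\s*~>\s*(\d+(?:\.\d+){0,2})\s*", constraint)
    if not m:
        raise ValueError(f"not a pessimistic constraint: {constraint!r}")
    given = [int(p) for p in m.group(1).split(".")]
    low = parse_version(m.group(1))
    if len(given) <= 2:
        # '~> 6' and '~> 6.22' both allow the minor/patch to grow, but not the major.
        high = (given[0] + 1, 0, 0)
    else:
        # '~> 6.22.1' allows only the patch component to grow.
        high = (given[0], given[1] + 1, 0)
    return low, high


def allows(constraint, version):
    """True if the constraint admits the given version string."""
    low, high = pessimistic_range(constraint)
    return low <= parse_version(version) < high


def check_versions_tf(hcl_text, required=REQUIRED_VERSION):
    """Extract the aws provider constraint from versions.tf text and test it.

    Returns (constraint, satisfied). Constructed helper; a regex is enough for the
    conventional required_providers layout shown below.
    """
    m = re.search(r'aws\s*=\s*\{[^}]*?version\s*=\s*"([^"]+)"', hcl_text, re.S)
    if not m:
        raise ValueError("no aws provider constraint found")
    constraint = m.group(1)
    return constraint, allows(constraint, ".".join(map(str, required)))


# Constructed sample of the current and the proposed versions.tf content.
CURRENT_VERSIONS_TF = '''
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
'''
PROPOSED_VERSIONS_TF = CURRENT_VERSIONS_TF.replace('"~> 5.0"', '"~> 6.22"')

if __name__ == "__main__":
    for label, text in (("current", CURRENT_VERSIONS_TF), ("proposed", PROPOSED_VERSIONS_TF)):
        constraint, ok = check_versions_tf(text)
        print(f"{label}: {constraint} admits 6.22.0 -> {ok}")
```

Running the script shows that the current constraint admits 5.x only, so terraform init could never select a provider with the jwt-validation action, while the proposed constraint admits 6.22.0 through the last 6.x release and stops short of 7.0.0.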
Breaking Changes in the 5.x -> 6.x Jump
The AWS provider v6.0.0 was a major release. Key breaking changes that may affect our config:
- Resource and data source renames/removals
- Default tag propagation behavior changes
- Some attribute type changes
Since our Terraform was just written (no state yet), the upgrade carries no state-migration risk — we’re starting fresh on v6.
JWT Validation Configuration
```hcl
default_action {
  type = "jwt-validation"

  jwt_validation {
    issuer        = "https://cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.gateway.id}"
    jwks_endpoint = "https://cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.gateway.id}/.well-known/jwks.json"

    additional_claim {
      format = "string-array"
      name   = "scope"
      values = ["https://gateway.internal/invoke"]
    }
  }
}
```

Key constraints:
- HTTPS listener only
- RS256 algorithm only
- JWKS endpoint must be publicly accessible (Cognito’s is)
- Max 10 additional claims, max 10 values per claim
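The constraints above are easy to violate silently in review, so a pre-flight lint is useful before terraform apply. The added Python below (not part of the ADR's Terraform or any AWS tooling) encodes those limits as a lint over a plain-dict rendering of the listener block, and checks a constructed Cognito-style access token's header and claims against the same configuration the way the listener would evaluate them. Assumptions: the dict keys mirror the HCL block names; the region, user pool id and token contents are constructed placeholders; the "string-array" format is modelled as accepting either a JSON array or a space-separated string (the exact ALB matching rules are not specified on this page); and the token carries a fake signature, so no signature or JWKS verification happens here.

```python
"""Pre-flight checks for an ALB jwt-validation default_action.

Added example for ADR-007, not code from the infrastructure repo or from AWS.
Constructed inputs throughout; no network access and no signature verification.
"""
import base64
import json

# Placeholder issuer (constructed; not a real region/pool combination).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

# Dict rendering of the listener block from this ADR.
LISTENER = {
    "protocol": "HTTPS",
    "default_action": {
        "type": "jwt-validation",
        "jwt_validation": {
            "issuer": ISSUER,
            "jwks_endpoint": ISSUER + "/.well-known/jwks.json",
            "additional_claim": [
                {"format": "string-array", "name": "scope",
                 "values": ["https://gateway.internal/invoke"]},
            ],
        },
    },
}

MAX_CLAIMS = 10   # limit stated in the ADR
MAX_VALUES = 10   # limit stated in the ADR


def lint_listener(listener):
    """Return the constraint violations in a listener config (empty list = clean)."""
    problems = []
    if listener.get("protocol") != "HTTPS":
        problems.append("jwt-validation requires an HTTPS listener")
    action = listener["default_action"]
    if action.get("type") != "jwt-validation":
        problems.append("default_action.type must be jwt-validation")
    jv = action.get("jwt_validation", {})
    if not jv.get("issuer"):
        problems.append("issuer is required")
    if not jv.get("jwks_endpoint", "").startswith("https://"):
        problems.append("jwks_endpoint must be a public https:// URL")
    claims = jv.get("additional_claim", [])
    if len(claims) > MAX_CLAIMS:
        problems.append(f"{len(claims)} additional claims exceeds the limit of {MAX_CLAIMS}")
    for claim in claims:
        if len(claim.get("values", [])) > MAX_VALUES:
            problems.append(f"claim {claim['name']!r} has {len(claim['values'])} values; "
                            f"limit is {MAX_VALUES}")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(header, payload):
    """Build a JWT-shaped string with a fake signature, for offline claim checks only."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"fake-signature")])


def check_token(token, jwt_validation):
    """Reasons this config would reject the token, signature aside (empty = passes)."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    reasons = []
    if header.get("alg") != "RS256":          # ALB accepts RS256 only
        reasons.append(f"alg {header.get('alg')!r} is not RS256")
    if payload.get("iss") != jwt_validation["issuer"]:
        reasons.append("iss does not match the configured issuer")
    for claim in jwt_validation.get("additional_claim", []):
        raw = payload.get(claim["name"])
        if claim["format"] == "string-array":
            # Assumption: accept a JSON array or a space-separated string
            # (Cognito access tokens carry 'scope' in the latter form).
            present = raw if isinstance(raw, list) else str(raw or "").split()
        else:
            present = [raw] if isinstance(raw, str) else []
        if not any(v in present for v in claim["values"]):
            reasons.append(f"claim {claim['name']!r} lacks any of {claim['values']}")
    return reasons


# Constructed token: RS256 header, matching issuer, required scope present.
GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {"iss": ISSUER, "scope": "https://gateway.internal/invoke openid",
     "client_id": "constructed-client"},
)

if __name__ == "__main__":
    print("lint:", lint_listener(LISTENER) or "clean")
    jv = LISTENER["default_action"]["jwt_validation"]
    print("good token:", check_token(GOOD_TOKEN, jv) or "accepted")
    bad = make_unsigned_token({"alg": "HS256"}, {"iss": ISSUER, "scope": "openid"})
    print("bad token:", check_token(bad, jv))
```

Because the listener rejects any token whose alg is not RS256, the same lint is a cheap place to catch a Cognito app client or a downstream test fixture that issues tokens with a different algorithm before the mismatch shows up as 401s at the load balancer.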
Consequences
Positive: Unlocks free JWT validation at ALB. No API Gateway needed.
Negative: Major provider version jump. Must validate all existing resources still plan clean on v6.
Sources
- Terraform AWS Provider #45067 — jwt-validation feature, closed in v6.22.0
- Terraform Registry: aws_lb_listener — jwt_validation block spec