Skip to content

chore(infrastructure): bump hashicorp/aws from 6.36.0 to 6.53.0 #5129

Merged
arkid15r merged 9 commits into
OWASP:mainfrom
Nachiket-Roy:fix/bump-aws-provider-6.53.0
Jul 6, 2026
Merged

chore(infrastructure): bump hashicorp/aws from 6.36.0 to 6.53.0 #5129
arkid15r merged 9 commits into
OWASP:mainfrom
Nachiket-Roy:fix/bump-aws-provider-6.53.0

Conversation

@Nachiket-Roy

Copy link
Copy Markdown
Contributor

Proposed change

Resolves #5128

Bumps the hashicorp/aws Terraform provider constraint from ~> 6.36.0 to ~> 6.53.0 across all infrastructure modules and updates all .terraform.lock.hcl lockfiles to match.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran all required checks and tests locally; all warnings addressed and failures resolved
  • I used AI for code, documentation, tests, or communication related to this PR

…dd Dependabot tracking

- Bump AWS provider constraint from ~> 6.36.0 to ~> 6.53.0 across all
  infrastructure modules and regenerate .terraform.lock.hcl files with
  correct provider hashes

- Fixes MalformedXML errors on S3 operations against LocalStack and
  other S3-compatible backends (fixed upstream in v6.43.0,
  hashicorp/terraform-provider-aws#47530)

- Add terraform package-ecosystem to Dependabot covering all existing
  infrastructure module directories with 21-day cooldown and daily
  schedule, consistent with other ecosystems in the project

- Update auto-generated terraform-docs READMEs to reflect new
  constraint ~> 6.53.0

Signed-off-by: Nachiket Roy <nachiket.roy.2@gmail.com>
@github-actions github-actions Bot added docs Improvements or additions to documentation infrastructure labels Jul 3, 2026
@Nachiket-Roy Nachiket-Roy changed the title chore(infrastructure): bump hashicorp/aws from 6.36.0 to 6.53.0 and a… chore(infrastructure): bump hashicorp/aws from 6.36.0 to 6.53.0 Jul 3, 2026
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

The Terraform AWS provider is bumped from ~> 6.36.0 to ~> 6.53.0 across infrastructure modules. Lockfiles and documentation are updated, Dependabot adds Terraform coverage, and a pre-commit hook is added for Terraform provider lock regeneration. The KMS module also changes its CloudWatch Logs policy interpolation to use the AWS region name.

Changes

AWS Provider Version Bump

Layer / File(s) Summary
Update automation
.github/dependabot.yml, .pre-commit-config.yaml
Adds Terraform Dependabot tracking for infrastructure/**/* and a pre-commit hook for terraform_providers_lock on .terraform.lock.hcl files.
Root module provider updates
infrastructure/bootstrap/..., infrastructure/live/..., infrastructure/state/...
Updates AWS provider constraints, lock files, and README version references for the root infrastructure modules.
Core module provider updates
infrastructure/modules/alb/..., infrastructure/modules/cache/..., infrastructure/modules/database/..., infrastructure/modules/ecr-cache/..., infrastructure/modules/kms/main.tf
Updates AWS provider constraints, lock files, and README version references for the core modules.
KMS log policy interpolation
infrastructure/modules/kms/main.tf
Changes the KMS CloudWatch Logs condition and principal interpolation to use data.aws_region.current.region.
Networking, parameters, security, and service updates
infrastructure/modules/networking/..., infrastructure/modules/networking/modules/nacl/..., infrastructure/modules/networking/modules/vpc-endpoint/..., infrastructure/modules/parameters/..., infrastructure/modules/security/..., infrastructure/modules/service/...
Updates AWS provider constraints, lock files, and README version references for networking-related and adjacent modules.
Storage and tasks module updates
infrastructure/modules/storage/..., infrastructure/modules/storage/modules/s3-bucket/..., infrastructure/modules/storage/modules/shared-data-bucket/..., infrastructure/modules/tasks/..., infrastructure/modules/tasks/modules/task/...
Updates AWS provider constraints, lock files, and README version references for storage and tasks modules, including random-provider hash refreshes where present.

Estimated code review effort: 4 (Complex) | ~60 minutes

Suggested reviewers: arkid15r, kasya, rudransh-shrivastava

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The KMS module also changes CloudWatch Logs policy interpolation from region id to region name, which is unrelated to the provider bump. Remove the KMS policy change or split it into a separate PR unless it is required by the linked issue.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the AWS provider bump from 6.36.0 to 6.53.0, which matches the main change.
Description check ✅ Passed The description matches the PR by describing the provider bump and lockfile updates across infrastructure modules.
Linked Issues check ✅ Passed The provider bump, lockfile refresh, and Dependabot config satisfy the linked issue's acceptance criteria.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Nachiket-Roy Nachiket-Roy marked this pull request as draft July 3, 2026 11:35
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 3, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 58 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 124-128: The new terraform Dependabot group is missing the same
dependency-level grouping used by the pre-commit block, so update the
version-updates group definition to include group-by: dependency-name alongside
applies-to and patterns. Keep the change within the terraform grouping section
in dependabot.yml and use the existing group blocks as the reference point for
consistency.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: be030504-d1b5-4846-a057-0d28f726f47b

📥 Commits

Reviewing files that changed from the base of the PR and between 2de24d1 and 63cbaa6.

📒 Files selected for processing (58)
  • .github/dependabot.yml
  • infrastructure/bootstrap/.terraform.lock.hcl
  • infrastructure/bootstrap/README.md
  • infrastructure/bootstrap/main.tf
  • infrastructure/live/.terraform.lock.hcl
  • infrastructure/live/README.md
  • infrastructure/live/main.tf
  • infrastructure/modules/alb/.terraform.lock.hcl
  • infrastructure/modules/alb/README.md
  • infrastructure/modules/alb/main.tf
  • infrastructure/modules/cache/.terraform.lock.hcl
  • infrastructure/modules/cache/README.md
  • infrastructure/modules/cache/main.tf
  • infrastructure/modules/database/.terraform.lock.hcl
  • infrastructure/modules/database/README.md
  • infrastructure/modules/database/main.tf
  • infrastructure/modules/ecr-cache/.terraform.lock.hcl
  • infrastructure/modules/ecr-cache/README.md
  • infrastructure/modules/ecr-cache/main.tf
  • infrastructure/modules/kms/.terraform.lock.hcl
  • infrastructure/modules/kms/README.md
  • infrastructure/modules/kms/main.tf
  • infrastructure/modules/networking/.terraform.lock.hcl
  • infrastructure/modules/networking/README.md
  • infrastructure/modules/networking/main.tf
  • infrastructure/modules/networking/modules/nacl/.terraform.lock.hcl
  • infrastructure/modules/networking/modules/nacl/README.md
  • infrastructure/modules/networking/modules/nacl/main.tf
  • infrastructure/modules/networking/modules/vpc-endpoint/.terraform.lock.hcl
  • infrastructure/modules/networking/modules/vpc-endpoint/README.md
  • infrastructure/modules/networking/modules/vpc-endpoint/main.tf
  • infrastructure/modules/parameters/.terraform.lock.hcl
  • infrastructure/modules/parameters/README.md
  • infrastructure/modules/parameters/main.tf
  • infrastructure/modules/security/.terraform.lock.hcl
  • infrastructure/modules/security/README.md
  • infrastructure/modules/security/main.tf
  • infrastructure/modules/service/.terraform.lock.hcl
  • infrastructure/modules/service/README.md
  • infrastructure/modules/service/main.tf
  • infrastructure/modules/storage/.terraform.lock.hcl
  • infrastructure/modules/storage/README.md
  • infrastructure/modules/storage/main.tf
  • infrastructure/modules/storage/modules/s3-bucket/.terraform.lock.hcl
  • infrastructure/modules/storage/modules/s3-bucket/README.md
  • infrastructure/modules/storage/modules/s3-bucket/main.tf
  • infrastructure/modules/storage/modules/shared-data-bucket/.terraform.lock.hcl
  • infrastructure/modules/storage/modules/shared-data-bucket/README.md
  • infrastructure/modules/storage/modules/shared-data-bucket/main.tf
  • infrastructure/modules/tasks/.terraform.lock.hcl
  • infrastructure/modules/tasks/README.md
  • infrastructure/modules/tasks/main.tf
  • infrastructure/modules/tasks/modules/task/.terraform.lock.hcl
  • infrastructure/modules/tasks/modules/task/README.md
  • infrastructure/modules/tasks/modules/task/main.tf
  • infrastructure/state/.terraform.lock.hcl
  • infrastructure/state/README.md
  • infrastructure/state/main.tf

Comment thread .github/dependabot.yml
Consistent with npm and pip ecosystem groups in the same file.

Signed-off-by: Nachiket Roy <nachiket.roy.2@gmail.com>
@Nachiket-Roy Nachiket-Roy marked this pull request as ready for review July 3, 2026 11:46
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 3, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 3, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

@codecov

codecov Bot commented Jul 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.73%. Comparing base (88f5bf0) to head (10adf86).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #5129   +/-   ##
=======================================
  Coverage   98.73%   98.73%           
=======================================
  Files         536      536           
  Lines       16980    16980           
  Branches     2418     2418           
=======================================
  Hits        16765    16765           
  Misses        123      123           
  Partials       92       92           
Flag Coverage Δ
backend 99.44% <ø> (ø)
frontend 96.71% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 88f5bf0...10adf86. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Signed-off-by: Rudransh Shrivastava <rudransh.shrivastava@owasp.org>
add darwin_arm64 and linux_arm64 hashes to the lockfiles.

Signed-off-by: Rudransh Shrivastava <rudransh.shrivastava@owasp.org>
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 4, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 4, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 21 files (changes from recent commits).

Re-trigger cubic

@rudransh-shrivastava rudransh-shrivastava left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, there are some deprecation warnings:

Image

https://github.com/OWASP/Nest/actions/runs/28710387263/job/85143014122?pr=5129#step:6:771

I think you already fixed them in your original PR? Can you please add them here as well? Thank you!

Signed-off-by: Rudransh Shrivastava <rudransh.shrivastava@owasp.org>
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 4, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 4, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

@Nachiket-Roy

Copy link
Copy Markdown
Contributor Author

Hello @rudransh-shrivastava,
I've kept the scope limited to just the Terraform provider version bump. Fixing them would mean adding additional file to the PR. To avoid scope creep in this PR, I've left that out for now. Let me know if you want me to fix them in this PR.

@rudransh-shrivastava

rudransh-shrivastava commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator

@Nachiket-Roy Hello!

I think it's fine to add them here. We can update the PR title/description to reflect the changes.

The alternative is to keep those changes in the other PR -- which makes less sense.

…on id

Signed-off-by: Nachiket Roy <nachiket.roy.2@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@infrastructure/modules/kms/main.tf`:
- Around line 43-48: The KMS test for AllowCloudWatchLogs is too loose and can
miss regressions in the region-specific interpolation. Update the test that
covers the KMS policy rendering to explicitly assert the rendered
kms:EncryptionContext:aws:logs:arn value and the logs.<region>.amazonaws.com
service principal, using the same data sources or expected interpolation as in
the KMS policy module. Focus on the policy assertions around the
AllowCloudWatchLogs statement so the test verifies both the ARN and principal
values, not just the statement existence.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6507328a-534e-42f9-b859-870037552579

📥 Commits

Reviewing files that changed from the base of the PR and between bce29d2 and cb34c8d.

📒 Files selected for processing (1)
  • infrastructure/modules/kms/main.tf

Comment thread infrastructure/modules/kms/main.tf
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 4, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

…atch logs configuration

Signed-off-by: Nachiket Roy <nachiket.roy.2@gmail.com>
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 4, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Jul 4, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Contribution validation failed:

  • commit_sign_off: One or more commits are missing or have an invalid Signed-off-by trailer.

1 similar comment
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Contribution validation failed:

  • commit_sign_off: One or more commits are missing or have an invalid Signed-off-by trailer.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Contribution validation failed:

  • commit_sign_off: One or more commits are missing or have an invalid Signed-off-by trailer.

@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

@arkid15r arkid15r added this pull request to the merge queue Jul 6, 2026
Merged via the queue into OWASP:main with commit 46a69ff Jul 6, 2026
30 of 31 checks passed
@Nachiket-Roy Nachiket-Roy deleted the fix/bump-aws-provider-6.53.0 branch July 7, 2026 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs Improvements or additions to documentation infrastructure

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore(infrastructure): bump hashicorp/aws Terraform provider from 6.36.0 to 6.53.0

3 participants