From 61f2e9b9ad2337f663b22d6caa359162db9e9f7b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jun 2026 07:26:22 +0000 Subject: [PATCH 1/3] build(deps): bump the terraform-minor-patch group across 3 directories with 3 updates Bumps the terraform-minor-patch group with 1 update in the /infrastructure/modules/iam directory: [terraform-aws-modules/iam/aws](https://github.com/terraform-aws-modules/terraform-aws-iam). Bumps the terraform-minor-patch group with 1 update in the /infrastructure/modules/lambda directory: [terraform-aws-modules/lambda/aws](https://github.com/terraform-aws-modules/terraform-aws-lambda). Bumps the terraform-minor-patch group with 1 update in the /infrastructure/modules/s3-bucket directory: [terraform-aws-modules/s3-bucket/aws](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket). Updates `terraform-aws-modules/iam/aws` from 6.6.0 to 6.6.1 - [Release notes](https://github.com/terraform-aws-modules/terraform-aws-iam/releases) - [Changelog](https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/CHANGELOG.md) - [Commits](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v6.6.0...v6.6.1) Updates `terraform-aws-modules/lambda/aws` from 8.7.0 to 8.8.0 - [Release notes](https://github.com/terraform-aws-modules/terraform-aws-lambda/releases) - [Changelog](https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/master/CHANGELOG.md) - [Commits](https://github.com/terraform-aws-modules/terraform-aws-lambda/compare/v8.7.0...v8.8.0) Updates `terraform-aws-modules/s3-bucket/aws` from 5.13.0 to 5.14.0 - [Release notes](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/releases) - [Changelog](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/CHANGELOG.md) - [Commits](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v5.13.0...v5.14.0) --- updated-dependencies: - dependency-name: terraform-aws-modules/iam/aws dependency-version: 6.6.1 
dependency-type: direct:production update-type: version-update:semver-patch dependency-group: terraform-minor-patch - dependency-name: terraform-aws-modules/lambda/aws dependency-version: 8.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: terraform-minor-patch - dependency-name: terraform-aws-modules/s3-bucket/aws dependency-version: 5.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: terraform-minor-patch ... Signed-off-by: dependabot[bot]
---
 infrastructure/modules/iam/main.tf | 4 ++--
 infrastructure/modules/lambda/main.tf | 2 +-
 infrastructure/modules/s3-bucket/main.tf | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/infrastructure/modules/iam/main.tf b/infrastructure/modules/iam/main.tf
index 2c1e3b84..e31bb23a 100644
--- a/infrastructure/modules/iam/main.tf
+++ b/infrastructure/modules/iam/main.tf
@@ -39,7 +39,7 @@ module "role_label" {
 module "policies" {
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "6.6.0"
+ version = "6.6.1"
 for_each = module.this.enabled ? var.policies : {}
 name = module.policy_label[each.key].id
@@ -63,7 +63,7 @@ module "policies" {
 module "roles" {
 source = "terraform-aws-modules/iam/aws//modules/iam-role"
- version = "6.6.0"
+ version = "6.6.1"
 for_each = module.this.enabled ? var.roles : {}
 name = module.role_label[each.key].id
diff --git a/infrastructure/modules/lambda/main.tf b/infrastructure/modules/lambda/main.tf
index 869cf839..250131d4 100644
--- a/infrastructure/modules/lambda/main.tf
+++ b/infrastructure/modules/lambda/main.tf
@@ -5,7 +5,7 @@ module "lambda_function" {
 source = "terraform-aws-modules/lambda/aws"
 # downgrade version as workaround for bug https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/733
- version = "8.7.0"
+ version = "8.8.0"
 function_name = local.function_name
 description = var.function_description
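Review bot: The comment `# downgrade version as workaround for bug https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/733` is kept directly above the line that now raises the pin to `version = "8.8.0"`, so the new code documents a deliberate downgrade it no longer performs. If the referenced issue is resolved in 8.8.0 the comment should be dropped in the same commit; if it is not, the bump reintroduces the behaviour the pin was avoiding and `version = "8.7.0"` should be restored, with the module excluded from the automated terraform-minor-patch group so the bump is not re-proposed. Which case applies cannot be told from the hunk. The `module "lambda_function"` block continues outside the hunk.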
diff --git a/infrastructure/modules/s3-bucket/main.tf b/infrastructure/modules/s3-bucket/main.tf
index fe765e69..ee8ac56a 100644
--- a/infrastructure/modules/s3-bucket/main.tf
+++ b/infrastructure/modules/s3-bucket/main.tf
@@ -17,7 +17,7 @@ module "s3_bucket" {
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "5.13.0"
+ version = "5.14.0"
 create_bucket = module.this.enabled
From 9ec2194abbbc18973bfa5bba4b62d13a6728b86a Mon Sep 17 00:00:00 2001
From: Oliver Slater
Date: Tue, 23 Jun 2026 08:55:05 +0100
Subject: [PATCH 2/3] feat(gitleaks): enhance gitleaks configuration for IPv4 and IPv6 rules
---
 .gitleaksignore | 4 ++++
 scripts/config/gitleaks.toml | 27 +++++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/.gitleaksignore b/.gitleaksignore
index f97f5c8a..bf9d628a 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -5,3 +5,7 @@ e876843351a025eb754ec61982c8b7d95deeb709:.pre-commit-config.yaml:ipv4:119
 e364bc1869c67729653c7efb4d6169f2294e68de:.pre-commit-config.yaml:ipv4:110
 62088509f98ce02ce379adef2168b867eecfb5da:.pre-commit-config.yaml:ipv4:110
 a3fa25da4e8f9eaa2e28c29f6196f23bfe87a58d:.pre-commit-config.yaml:ipv4:119
+# Historical false positive: example ARN comment in tags/main.tf contained hex-like content
+# which triggered the ipv6 rule. Comment updated in later commit; old commits suppressed here.
+7b49758d98757e8f404cb2c540c1f146afd6e395:infrastructure/modules/tags/main.tf:ipv6:131
+091dcd76884ffd307aee6c6b306b015c065f4896:infrastructure/modules/tags/main.tf:ipv6:131
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
index af5f0bb7..8371dcbc 100644
--- a/scripts/config/gitleaks.toml
+++ b/scripts/config/gitleaks.toml
@@ -11,8 +11,31 @@ regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
 [rules.allowlist]
 regexTarget = "match"
 regexes = [
- # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
- '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+ # Exclude private/reserved IPv4 addresses and well-known DNS servers used in docs/examples.
+ # Includes RFC5737 TEST-NET ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
+ '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|192\.0\.2\.[0-9]{1,3}|198\.51\.100\.[0-9]{1,3}|203\.0\.113\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)''',
+]
+
+[[rules]]
+description = "IPv6"
+id = "ipv6"
+# Matches valid IPv6 forms requiring at least 2 groups on each side of :: to
+# avoid false positives from AWS ARNs (which use :: between region and account).
+# full: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+# compressed: 2001:db8::1, fe80:db8::1
+# trailing :: fe80:db8:: (2+ groups required before ::)
+# leading :: ::db8:1 (2+ groups required after ::)
+# Note: RE2 does not support lookahead/lookbehind so boundary enforcement is
+# achieved structurally via minimum repetition counts.
+regex = '''(?i)(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){2,7}:|(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,5}(?::[0-9a-f]{1,4}){1,2}|(?:[0-9a-f]{1,4}:){1,4}(?::[0-9a-f]{1,4}){1,3}|(?:[0-9a-f]{1,4}:){1,3}(?::[0-9a-f]{1,4}){1,4}|(?:[0-9a-f]{1,4}:){1,2}(?::[0-9a-f]{1,4}){1,5}|[0-9a-f]{1,4}:(?::[0-9a-f]{1,4}){1,6}|:(?::[0-9a-f]{1,4}){2,7}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+ # Exclude IPv6 documentation prefixes used in examples.
+ # RFC3849: 2001:db8::/32
+ # RFC9637: 3fff::/20 (3fff:0000:: to 3fff:0fff::)
+ '''(?i)(^|[^0-9a-f])(2001:db8:|3fff:0[0-9a-f]{0,3}:)''',
 ]
 [allowlist]
From 48d03cd46871d185cec910dfe355f52dfaa9fcbe Mon Sep 17 00:00:00 2001
From: Oliver Slater
Date: Tue, 23 Jun 2026 09:42:49 +0100
Subject: [PATCH 3/3] docs(README.md): update module terraform_docs blocks to reflect updated upstream modules
---
 infrastructure/modules/iam/README.md | 4 ++--
 infrastructure/modules/lambda/README.md | 2 +-
 infrastructure/modules/s3-bucket/README.md | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/infrastructure/modules/iam/README.md b/infrastructure/modules/iam/README.md
index d50dfb41..be3ae25d 100644
--- a/infrastructure/modules/iam/README.md
+++ b/infrastructure/modules/iam/README.md
@@ -173,10 +173,10 @@ No providers.
 | Name | Source | Version |
 | ---- | ------ | ------- |
-| [policies](#module\_policies) | terraform-aws-modules/iam/aws//modules/iam-policy | 6.6.0 |
+| [policies](#module\_policies) | terraform-aws-modules/iam/aws//modules/iam-policy | 6.6.1 |
 | [policy\_label](#module\_policy\_label) | ../tags | n/a |
 | [role\_label](#module\_role\_label) | ../tags | n/a |
-| [roles](#module\_roles) | terraform-aws-modules/iam/aws//modules/iam-role | 6.6.0 |
+| [roles](#module\_roles) | terraform-aws-modules/iam/aws//modules/iam-role | 6.6.1 |
 | [this](#module\_this) | ../tags | n/a |
 ## Resources
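Review bot: The rewritten IPv4 allowlist pattern is still unanchored while `regexTarget = "match"`, so any public address whose text contains an allowlisted one is suppressed — `10\.…` matches inside `210.0.0.1`, `8\.8\.8\.8` inside `18.8.8.8`, and the newly added `1\.0\.0\.1` inside `101.0.0.1`; wrapping the alternation as `'''^(127\.…|1\.0\.0\.1)$'''` restricts the exclusion to a whole match. The new IPv6 allowlist has the opposite gap: `2001:db8:` does not cover the zero-padded `2001:0db8:…` form that the rule's own `# full:` example uses, and `3fff:0[0-9a-f]{0,3}:` does not cover a compressed `3fff::…` address, so both documentation addresses would still be reported; `'''(?i)(^|[^0-9a-f])(2001:0?db8:|3fff:(0[0-9a-f]{0,3})?:)'''` covers them. The rule comment states that at least two groups are required on each side of `::`, but the middle alternatives such as `(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}` accept a single group on either side (`a::b` matches), so either the `{1,…}` lower bounds should become `{2,…}` or the comment should say the two-group minimum applies only to the leading-`::` and trailing-`::` forms. The `[[rules]]` header of the IPv4 rule that the first allowlist belongs to is above the hunk.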
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 88884d64..bb694a32 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -129,7 +129,7 @@ module "lambda_with_layers" {
 | Name | Source | Version |
 | ---- | ------ | ------- |
-| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | 8.7.0 |
+| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | 8.8.0 |
 | [this](#module\_this) | ../tags | n/a |
 ## Resources
diff --git a/infrastructure/modules/s3-bucket/README.md b/infrastructure/modules/s3-bucket/README.md
index eb41aabe..c3260d08 100644
--- a/infrastructure/modules/s3-bucket/README.md
+++ b/infrastructure/modules/s3-bucket/README.md
@@ -107,7 +107,7 @@ No providers.
 | Name | Source | Version |
 | ---- | ------ | ------- |
-| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.13.0 |
+| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.14.0 |
 | [this](#module\_this) | ../tags | n/a |
 ## Resources