Improve / Fix S3 Bucket Usage

[rudransh-shrivastava]

Resolves #2759

Proposed change

Make improvements to the backend and storage module:

• Allow configurable bucket names to make them unique.
• Remove force_destroy_bucket flag completely.
• Accidental deletion protection.
• Enable S3 Object Lock for state bucket.

Checklist

• I've read and followed the contributing guidelines.
• I've run make check-test locally; all checks and tests passed.

[coderabbitai]

Summary by CodeRabbit

• Documentation

  • Updated infrastructure setup guides with clearer backend configuration instructions and deployment troubleshooting steps.

• Chores

  • Enhanced backend state management with improved security and lifecycle protection measures.
  • Standardized bucket naming conventions across infrastructure modules.
  • Simplified backend configuration workflow for easier setup and maintenance.
  • Added safeguards to prevent accidental resource destruction during infrastructure operations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Adds hashicorp/random and random_id suffixes for unique bucket names; hardens state buckets with object lock, versioning, and prevent_destroy; switches staging backend to use a local terraform.tfbackend workflow and updates README; renames fixture/zappa bucket variables and removes force_destroy flags. (50 words)

Changes

Cohort / File(s)	Change Summary
Docs & backend examples infrastructure/README.md, infrastructure/staging/terraform.tfbackend.example, infrastructure/staging/terraform.tfvars.example	Updated backend setup instructions to use a local terraform.tfbackend file and terraform init -backend-config=terraform.tfbackend; added example backend file; removed force_destroy_bucket example; wording/formatting tweaks and deployment guidance.
Backend core & lockfile infrastructure/backend/main.tf, infrastructure/backend/.terraform.lock.hcl	Added random provider and lockfile entry; created random_id.suffix; appended suffix to state/log bucket names; enabled object lock, versioning, and lifecycle { prevent_destroy = true }; added object lock configuration.
Staging backend config infrastructure/staging/backend.tf	Replaced explicit S3 backend fields (bucket, dynamodb_table, region) with a minimal backend config relying on external/local backend file while preserving encrypt and key.
Module variable renames & callsites infrastructure/modules/ecs/variables.tf, infrastructure/modules/storage/variables.tf, infrastructure/staging/main.tf, infrastructure/staging/variables.tf, infrastructure/modules/ecs/main.tf	Renamed fixtures_s3_bucket → fixtures_bucket_name and zappa_s3_bucket → zappa_bucket_name; removed force_destroy_bucket; updated module inputs, defaults, and S3 copy source to use new names.
Storage module & s3-bucket module infrastructure/modules/storage/main.tf, infrastructure/modules/storage/modules/s3-bucket/main.tf, infrastructure/modules/storage/modules/s3-bucket/variables.tf	Added random provider and random_id.suffix to append suffixes to fixtures/zappa bucket names and ARNs; removed force_destroy variable; added lifecycle { prevent_destroy = true } to S3 bucket resource; minor variable description edits.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Areas to focus review on:
  • Consistency of renamed variables and module input updates across all files and examples.
  • Terraform state change/migration implications from adding random suffixes (may cause resource replacements).
  • Backend workflow change: verify CI/deployment scripts and local terraform.tfbackend usage.
  • Object lock/versioning and prevent_destroy implications for destroy/cleanup operations.

Possibly related PRs

• Migrate OWASP Nest to Zappa for serverless deployment #2431 — Touches the same Terraform module renames and random suffix approach for bucket names.
• Add logging in Infrastructure #2743 — Alters storage S3 module and force_destroy handling; overlaps with s3-bucket changes here.
• Add Remote State Management #2699 — Modifies Terraform backend/state resources and backend configuration patterns related to this PR.

Suggested reviewers

• kasya
• arkid15r

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Improve / Fix S3 Bucket Usage' accurately summarizes the main changes which focus on S3 bucket configuration improvements, uniqueness, and protection mechanisms.
Description check	✅ Passed	The description clearly outlines proposed changes including configurable bucket names, removal of force_destroy_bucket, accidental deletion protection, and S3 Object Lock enablement, all directly related to the changeset.
Linked Issues check	✅ Passed	The PR successfully implements all four coding requirements from issue #2759: configurable bucket names via random suffix [main.tf, variables.tf], removed force_destroy_bucket flag [variables.tf, main.tf], accidental deletion protection via prevent_destroy lifecycle blocks, and S3 Object Lock enabled on state bucket.
Out of Scope Changes check	✅ Passed	All changes are in-scope and directly support the four main objectives. Documentation updates in README align with the new backend workflow. Variable renames (fixtures_s3_bucket to fixtures_bucket_name) ensure consistency with the unique naming approach.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a8383b and 01f04ef.

📒 Files selected for processing (1)

• infrastructure/README.md (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• infrastructure/README.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Run frontend e2e tests
• GitHub Check: Run backend tests
• GitHub Check: Run frontend unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

infrastructure/README.md (1)

58-75: Staging backend-config instructions look correct; consider tiny clarification on region

The new terraform.tfbackend flow and terraform init -backend-config=terraform.tfbackend usage are consistent with staging/backend.tf and terraform.tfbackend.example. To make it foolproof, you might add a short sentence that the region in terraform.tfbackend must match the region where the backend stack created the state bucket, so users don’t accidentally diverge configs.

infrastructure/staging/terraform.tfbackend.example (1)

1-3: Backend example is correct; consider a more obvious placeholder

The example backend config matches the new staging workflow and the lock table name from the backend stack. To avoid users ever running with an invalid literal bucket name, you might consider changing "${STATE_BUCKET_NAME}" to something obviously non-functional like "REPLACE_WITH_STATE_BUCKET_NAME" and/or adding a short comment in this file indicating it must be replaced with the backend state bucket name.

infrastructure/backend/main.tf (1)

74-82: Follow-up on Object Lock, MFA delete, and # NOSONAR expectations for the state bucket

Issue #2759 calls out:

• Enabling S3 Object Lock for the state bucket.
• Enabling MFA delete on the state bucket.
• Resolving the # NOSONAR suppressions on the bucket resources.

In this module, the state bucket has versioning, lifecycle, encryption, and public access blocks, but there’s currently:

• No object_lock_enabled / aws_s3_bucket_object_lock_configuration for the state bucket.
• No Terraform-visible configuration or documented manual step for MFA delete.
• The # NOSONAR comments on the logs and state buckets are still present.

Given AWS and Terraform constraints, MFA delete typically has to be enabled manually using root credentials and the AWS CLI, with Terraform only reflecting the resulting state rather than enabling it directly. (rules.sonarsource.com)

Would you mind confirming how you plan to satisfy the issue requirements here?

• If Object Lock is in scope for this stack, we likely need to wire it explicitly on aws_s3_bucket.state (and possibly add an object lock configuration resource).
• For MFA delete, it may be better to document the manual post-apply step and, if supported by the provider version, mirror the state back into Terraform after it’s enabled.
• Once those concerns are addressed (either in code or as accepted limitations), we can probably remove or narrow the # NOSONAR suppressions to avoid hiding future issues.

Also applies to: 170-175

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e219f12 and 686e0fb.

📒 Files selected for processing (6)

• infrastructure/README.md (3 hunks)
• infrastructure/backend/.terraform.lock.hcl (1 hunks)
• infrastructure/backend/main.tf (3 hunks)
• infrastructure/staging/backend.tf (1 hunks)
• infrastructure/staging/terraform.tfbackend.example (1 hunks)
• infrastructure/staging/terraform.tfvars.example (1 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2178
File: frontend/src/app/snapshots/[id]/page.tsx:0-0
Timestamp: 2025-09-21T17:04:48.154Z
Learning: User rudransh-shrivastava confirmed that suggested type safety improvements during Apollo Client migration were no longer relevant, reinforcing their preference to keep migration PRs focused on core migration changes rather than additional improvements.

📚 Learning: 2025-11-23T11:52:15.463Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2699
File: backend/wsgi.py:13-13
Timestamp: 2025-11-23T11:52:15.463Z
Learning: In the OWASP Nest project, the SSM parameter store setup in backend/wsgi.py (using boto3 to fetch parameters from AWS Systems Manager) is designed for staging and production environments, not just for testing purposes.

Applied to files:

• infrastructure/staging/terraform.tfvars.example
• infrastructure/staging/backend.tf
• infrastructure/staging/terraform.tfbackend.example

📚 Learning: 2025-10-17T15:25:34.963Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/modules/cache/main.tf:30-30
Timestamp: 2025-10-17T15:25:34.963Z
Learning: The infrastructure/Terraform code in the OWASP Nest repository under the `infrastructure/` directory is intended for quick testing purposes only, not for production deployment.

Applied to files:

• infrastructure/staging/terraform.tfvars.example
• infrastructure/staging/terraform.tfbackend.example
• infrastructure/README.md

📚 Learning: 2025-11-27T19:38:23.956Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2743
File: infrastructure/modules/storage/main.tf:1-9
Timestamp: 2025-11-27T19:38:23.956Z
Learning: In the OWASP/Nest infrastructure code (infrastructure/ directory), the team prefers exact version pinning for Terraform (e.g., "1.14.0") and AWS provider (e.g., "6.22.0") over semantic versioning constraints (e.g., "~> 1.14" or "~> 6.22"). This is a deliberate choice for maximum reproducibility and explicit control over version updates in their testing environment.

Applied to files:

• infrastructure/backend/.terraform.lock.hcl
• infrastructure/staging/backend.tf
• infrastructure/backend/main.tf
• infrastructure/staging/terraform.tfbackend.example

📚 Learning: 2025-11-08T11:16:25.725Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2551
File: infrastructure/modules/parameters/main.tf:1-191
Timestamp: 2025-11-08T11:16:25.725Z
Learning: The parameters module in infrastructure/modules/parameters/ is currently configured for staging environment only. The `configuration` and `settings_module` variables default to "Staging" and "settings.staging" respectively, and users can update parameter values via the AWS Parameter Store console. The lifecycle.ignore_changes blocks on these parameters support manual console updates without Terraform reverting them.

Applied to files:

• infrastructure/staging/terraform.tfbackend.example

📚 Learning: 2025-10-17T15:25:53.713Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/modules/database/main.tf:22-60
Timestamp: 2025-10-17T15:25:53.713Z
Learning: The infrastructure code in the `infrastructure/` directory is intended for quick testing purposes only, not production-grade deployment. Production-grade security hardening controls (such as IAM database authentication, deletion protection, Performance Insights KMS encryption) are not required for this testing infrastructure.

Applied to files:

• infrastructure/README.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Run frontend e2e tests

🔇 Additional comments (5)

infrastructure/backend/.terraform.lock.hcl (1)

27-45: Random provider lock entry looks consistent with main.tf

The hashicorp/random provider pin (version and constraints both 3.7.2) aligns with required_providers in main.tf and with the repo's preference for exact pinning. No manual tweaks needed here.

infrastructure/README.md (1)

25-40: Backend notes read clearly and match the new workflow

The added notes around optionally changing aws_region, copying the state bucket name from outputs, and avoiding destroying backend resources clarify the one-time backend setup nicely and are aligned with how the backend stack is used.

infrastructure/staging/terraform.tfvars.example (1)

9-9: Safer force_destroy_bucket default is a good change

Setting force_destroy_bucket = false as the example default better protects against accidental bucket deletion, matching the intent from the linked issue.

infrastructure/staging/backend.tf (1)

3-4: S3 backend simplification is consistent with the new backend-config flow

Leaving only encrypt and key in the backend "s3" block and moving bucket/region/lock table to terraform.tfbackend aligns with the documented terraform init -backend-config=terraform.tfbackend workflow. This looks good.

infrastructure/backend/main.tf (1)

8-11: Random suffix integration into bucket names looks correct

Adding the hashicorp/random provider, defining random_id "suffix" with byte_length = 4, and appending random_id.suffix.hex to the logs and state bucket names is wired correctly. This should give you stable, per-workspace uniqueness for the backend buckets while keeping names predictable via the project_name prefix.

Also applies to: 53-55, 75-76, 82-85

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

infrastructure/modules/storage/modules/s3-bucket/variables.tf (1)

18-22: Minor description wording adjustment. Changed from "Specifies the number of days..." to "The number of days..." — improves readability but note that other variable descriptions in the file still use "Specifies" (e.g., line 2), so consistency could be improved further.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 686e0fb and d59068f.

📒 Files selected for processing (9)

• infrastructure/backend/main.tf (5 hunks)
• infrastructure/modules/ecs/main.tf (1 hunks)
• infrastructure/modules/ecs/variables.tf (1 hunks)
• infrastructure/modules/storage/main.tf (3 hunks)
• infrastructure/modules/storage/modules/s3-bucket/main.tf (1 hunks)
• infrastructure/modules/storage/modules/s3-bucket/variables.tf (1 hunks)
• infrastructure/modules/storage/variables.tf (2 hunks)
• infrastructure/staging/main.tf (2 hunks)
• infrastructure/staging/variables.tf (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2178
File: frontend/src/app/snapshots/[id]/page.tsx:0-0
Timestamp: 2025-09-21T17:04:48.154Z
Learning: User rudransh-shrivastava confirmed that suggested type safety improvements during Apollo Client migration were no longer relevant, reinforcing their preference to keep migration PRs focused on core migration changes rather than additional improvements.

📚 Learning: 2025-10-23T19:22:23.811Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/main.tf:0-0
Timestamp: 2025-10-23T19:22:23.811Z
Learning: In Zappa-based serverless deployments, Lambda functions and IAM execution roles are managed by Zappa at application deployment time (via `zappa deploy`/`zappa update`), not via Terraform. Terraform provisions the supporting infrastructure (VPC, RDS, S3, security groups, RDS Proxy, Secrets Manager), while Zappa handles the Lambda orchestration layer.

Applied to files:

• infrastructure/modules/storage/variables.tf
• infrastructure/staging/variables.tf
• infrastructure/modules/storage/main.tf

📚 Learning: 2025-11-27T19:38:23.956Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2743
File: infrastructure/modules/storage/main.tf:1-9
Timestamp: 2025-11-27T19:38:23.956Z
Learning: In the OWASP/Nest infrastructure code (infrastructure/ directory), the team prefers exact version pinning for Terraform (e.g., "1.14.0") and AWS provider (e.g., "6.22.0") over semantic versioning constraints (e.g., "~> 1.14" or "~> 6.22"). This is a deliberate choice for maximum reproducibility and explicit control over version updates in their testing environment.

Applied to files:

• infrastructure/modules/storage/main.tf
• infrastructure/backend/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Run backend tests
• GitHub Check: Run frontend e2e tests
• GitHub Check: Run frontend unit tests
• GitHub Check: CodeQL (javascript-typescript)

🔇 Additional comments (18)

infrastructure/modules/ecs/variables.tf (1)

33-36: Variable rename aligns with consistent naming across infrastructure modules. Consistent with parallel renames in infrastructure/modules/storage/variables.tf and infrastructure/staging/variables.tf.

infrastructure/backend/main.tf (6)

8-11: Random provider version pinning is consistent with infrastructure standards. Exact version 3.7.2 aligns with team's reproducibility preference (as per learnings on infrastructure versioning).

Verify that infrastructure/backend/.terraform.lock.hcl includes the random provider lock entry with version 3.7.2.

---

53-55: Random suffix approach ensures globally unique state bucket names. The 4-byte random hex suffix (16 million possible combinations) provides sufficient uniqueness to avoid S3 bucket name collisions across deployments.

---

75-75: Logs bucket now has accidental deletion protection and unique naming. Name is suffixed with random ID; prevent_destroy lifecycle protects against unintended removal.

Also applies to: 77-79

---

86-91: State bucket properly configured for durability and protection. Object lock enabled (object_lock_enabled = true), unique name via random suffix, and lifecycle protection against destruction align with PR objectives.

---

136-145: Object lock configuration protects state bucket from tampering. GOVERNANCE mode (vs. COMPLIANCE) is appropriate—allows authorized users to modify retention, preventing operational lock-in while still preventing accidental deletion. 30-day window provides reasonable protection window.

---

75-75: Verify that storage module buckets also implement random suffix for uniqueness. The backend state and logs buckets use random_id.suffix.hex, but the storage module bucket naming pattern is not visible in this review. Confirm that infrastructure/modules/storage/main.tf implements the same suffix pattern for fixtures and zappa buckets to prevent collisions across parallel deployments, as required by the PR objective to ensure uniqueness.

infrastructure/modules/ecs/main.tf (1)

220-220: Variable reference updated consistently with rename. Updated from fixtures_s3_bucket to fixtures_bucket_name, aligning with the variable rename in infrastructure/modules/ecs/variables.tf.

infrastructure/modules/storage/modules/s3-bucket/main.tf (2)

38-38: Minor comment formatting improvement. Spacing adjusted for NOSONAR comment clarity; no functional impact.

---

43-45: Reusable s3-bucket module now includes destruction protection. The prevent_destroy lifecycle is applied at the module level, ensuring all buckets created via this module are protected from accidental removal. This extends the protection strategy beyond backend buckets to application buckets (fixtures, zappa).

infrastructure/modules/storage/variables.tf (1)

12-15: Variable naming standardized across storage module. Renames (fixtures_s3_bucket → fixtures_bucket_name and zappa_s3_bucket → zappa_bucket_name) improve consistency with naming conventions in backend and staging configurations.

Also applies to: 28-30

infrastructure/staging/main.tf (1)

63-63: Module inputs updated consistently with variable renames. All three module invocations correctly reference the renamed variables: fixtures_bucket_name and zappa_bucket_name.

Also applies to: 112-112, 115-115

infrastructure/staging/variables.tf (2)

144-148: Zappa bucket default remains consistent. zappa_bucket_name default value unchanged at "owasp-nest-zappa-deployments"; aligns with parallel changes to fixtures_bucket_name.

---

90-94: Staging default bucket names should clarify testing-only scope or implement unique suffixes. Default for fixtures_bucket_name changed from "nest-fixtures" to "owasp-nest-fixtures" (improved namespace, but static). Since infrastructure/ is designated for testing purposes only, confirm whether static defaults are intentional for this test environment or if parallel deployments require uniqueness guarantees. If production-like isolation is needed, verify that infrastructure/modules/storage/main.tf implements random suffix logic similar to the backend pattern (backend/main.tf lines 53–55, 75, 86).

infrastructure/modules/storage/main.tf (4)

8-11: Provider setup follows version pinning conventions.

The random provider is correctly added with exact version pinning (3.7.2), which aligns with the project's reproducibility standards for Terraform infrastructure.

---

27-29: Verify the random suffix uniqueness strategy.

The random_id with byte_length = 4 generates an 8-character hex suffix (~2³² combinations). This is suitable for typical environments but ensure it meets your organization's uniqueness requirements. Verify that the generated suffix persists across Terraform state operations and that bucket recreation scenarios are acceptable.

---

22-22: Validate variable references and ensure safety defaults.

The bucket naming now consistently uses suffixed variables (fixtures_bucket_name, zappa_bucket_name), and the IAM policy ARN is correctly updated. However, per the PR objectives to "add accidental deletion protection," verify:

1. The variable force_destroy_bucket defaults to false to prevent unintended S3 bucket destruction.
2. Variable definitions (e.g., fixtures_bucket_name, zappa_bucket_name) are properly declared and defaults are production-safe.

Also applies to: 34-34, 44-44

---

1-49: Confirm S3 Object Lock implementation for state bucket.

The PR objectives mention enabling S3 Object Lock for the state bucket. This storage module manages fixtures and zappa deployment buckets but not the state bucket. Verify that S3 Object Lock is implemented in the backend module (infrastructure/backend/main.tf) for the state bucket, as per the issue requirements.

[rudransh-shrivastava]

I'll remove other "specifies" like description in other PRs and make it all consistent.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

infrastructure/README.md (1)

206-208: Suggest minor clarification: Explain prevent_destroy reset procedure.

The note correctly identifies that prevent_destroy = true requires manual intervention before terraform destroy. Consider clarifying the mechanics—e.g., editing the .tf files to set prevent_destroy = false, or using terraform apply -replace with modified HCL. This helps operators understand the explicit safety mechanism.

Apply this diff to clarify the cleanup process:

 - Ensure all buckets and ECR repositories are empty.
 
-**Note:** Some resources have `prevent_destroy` set to `true`. Please set it to `false` manually.
+**Note:** Some resources have `prevent_destroy` set to `true`. Before running `terraform destroy`, edit the `.tf` files to set `prevent_destroy = false` on those resources, or use `-replace` with the modified configuration.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a784a70 and 800a52e.

📒 Files selected for processing (9)

• infrastructure/README.md (4 hunks)
• infrastructure/backend/main.tf (4 hunks)
• infrastructure/modules/storage/main.tf (3 hunks)
• infrastructure/modules/storage/modules/s3-bucket/main.tf (1 hunks)
• infrastructure/modules/storage/modules/s3-bucket/variables.tf (2 hunks)
• infrastructure/modules/storage/variables.tf (1 hunks)
• infrastructure/staging/main.tf (2 hunks)
• infrastructure/staging/terraform.tfvars.example (0 hunks)
• infrastructure/staging/variables.tf (2 hunks)

💤 Files with no reviewable changes (1)

• infrastructure/staging/terraform.tfvars.example

🚧 Files skipped from review as they are similar to previous changes (4)

• infrastructure/modules/storage/variables.tf
• infrastructure/modules/storage/modules/s3-bucket/variables.tf
• infrastructure/modules/storage/main.tf
• infrastructure/modules/storage/modules/s3-bucket/main.tf

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2178
File: frontend/src/app/snapshots/[id]/page.tsx:0-0
Timestamp: 2025-09-21T17:04:48.154Z
Learning: User rudransh-shrivastava confirmed that suggested type safety improvements during Apollo Client migration were no longer relevant, reinforcing their preference to keep migration PRs focused on core migration changes rather than additional improvements.

📚 Learning: 2025-10-17T15:25:53.713Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/modules/database/main.tf:22-60
Timestamp: 2025-10-17T15:25:53.713Z
Learning: The infrastructure code in the `infrastructure/` directory is intended for quick testing purposes only, not production-grade deployment. Production-grade security hardening controls (such as IAM database authentication, deletion protection, Performance Insights KMS encryption) are not required for this testing infrastructure.

Applied to files:

• infrastructure/README.md

📚 Learning: 2025-10-17T15:25:34.963Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/modules/cache/main.tf:30-30
Timestamp: 2025-10-17T15:25:34.963Z
Learning: The infrastructure/Terraform code in the OWASP Nest repository under the `infrastructure/` directory is intended for quick testing purposes only, not for production deployment.

Applied to files:

• infrastructure/README.md

📚 Learning: 2025-10-23T19:22:23.811Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2431
File: infrastructure/main.tf:0-0
Timestamp: 2025-10-23T19:22:23.811Z
Learning: In Zappa-based serverless deployments, Lambda functions and IAM execution roles are managed by Zappa at application deployment time (via `zappa deploy`/`zappa update`), not via Terraform. Terraform provisions the supporting infrastructure (VPC, RDS, S3, security groups, RDS Proxy, Secrets Manager), while Zappa handles the Lambda orchestration layer.

Applied to files:

• infrastructure/README.md
• infrastructure/staging/variables.tf

📚 Learning: 2025-11-27T19:38:23.956Z

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2743
File: infrastructure/modules/storage/main.tf:1-9
Timestamp: 2025-11-27T19:38:23.956Z
Learning: In the OWASP/Nest infrastructure code (infrastructure/ directory), the team prefers exact version pinning for Terraform (e.g., "1.14.0") and AWS provider (e.g., "6.22.0") over semantic versioning constraints (e.g., "~> 1.14" or "~> 6.22"). This is a deliberate choice for maximum reproducibility and explicit control over version updates in their testing environment.

Applied to files:

• infrastructure/backend/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Run frontend unit tests
• GitHub Check: Run frontend e2e tests
• GitHub Check: Run backend tests
• GitHub Check: CodeQL (javascript-typescript)
• GitHub Check: CodeQL (python)

🔇 Additional comments (10)

infrastructure/staging/variables.tf (1)

84-88: Approve: Variable renaming and default value updates.

The renamed variables (fixtures_bucket_name, zappa_bucket_name) are more descriptive, and the updated defaults include appropriate project prefixes. This aligns with the PR objectives for configurable and uniquely-named buckets.

Verify that the storage module inputs accept these renamed variables.

Also applies to: 138-142

infrastructure/backend/main.tf (6)

8-11: Approve: Random provider addition with exact version pinning.

Provider version 3.7.2 is pinned exactly, which aligns with team preferences for reproducible infrastructure. The random provider is used correctly to generate unique bucket name suffixes.

---

53-55: Approve: Random suffix resource generates bucket name uniqueness.

The random_id resource with byte_length = 4 produces ~8 hex characters, providing sufficient entropy for bucket name uniqueness across multiple deployments. This addresses the PR objective of configurable, unique bucket names.

---

69-71: Approve: Lifecycle prevent_destroy rules protect critical backend resources.

The prevent_destroy = true lifecycle rule is correctly applied to the DynamoDB state lock table and both S3 buckets (logs and state). This directly addresses the PR objective of adding accidental deletion protection. Combined with the random suffix for uniqueness, these changes significantly harden the backend infrastructure.

Also applies to: 78-78, 80-82, 89-94

---

89-90: Approve: S3 Object Lock enabled on state bucket.

The object_lock_enabled = true parameter is set at bucket creation time (required, cannot be retrofitted), which is the correct approach. This enables the subsequent object lock configuration to take effect.

---

138-147: Approve: Object lock configuration with GOVERNANCE retention.

The 30-day GOVERNANCE mode retention policy on the state bucket strikes a balance between protection and operational flexibility. GOVERNANCE mode allows authorized users to modify or delete objects under specified conditions, which is appropriate for a Terraform state bucket where lifecycle operations may require adjustment.

---

53-55: Unable to verify: State bucket naming strategy with random suffix implications.

The review raises a valid concern about random_id.suffix regeneration causing orphaned bucket names if backend state is lost or migrated. However, verification requires access to the repository to confirm whether bucket names are actually managed this way, if recovery procedures are documented, and how this pattern is used at lines 78 and 89. Reexamine this comment once repository access is available.

infrastructure/README.md (2)

18-40: Approve: Backend setup documentation is clear and aligns with infrastructure changes.

The one-time backend setup instructions properly guide users through creating the Terraform backend infrastructure. Notes about capturing the state bucket name and warnings against destroying backend resources align well with the hardened prevent_destroy rules in infrastructure/backend/main.tf.

---

58-75: Approve: terraform.tfbackend configuration workflow is well-documented.

The new local backend configuration file approach (separate from .tfvars) follows Terraform best practices for separating environment-specific backend settings from variable overrides. Step-by-step instructions are clear, with appropriate notes to update the state bucket name and region.

infrastructure/staging/main.tf (1)

63-63: Approve: Module input variable references updated.

The staging configuration correctly passes renamed variables to both ecs and storage modules. Verify that the downstream module definitions in infrastructure/modules/ecs/variables.tf and infrastructure/modules/storage/variables.tf have been updated to accept fixtures_bucket_name and zappa_bucket_name as input variables.

Also applies to: 112-112, 114-114

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud