From a60629fe616575ee443844ed5f9f0b700d8bfba0 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Fri, 30 Jan 2026 22:17:54 +0530
Subject: [PATCH 01/10] add ci for testing infrastructure code

---
 .github/workflows/run-ci-cd.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index ec9a9a5546..ebd82d423c 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -479,6 +479,28 @@ jobs:
       test-file: rest_test.py
       rest-url: http://localhost:9500/api/v0
 
+  run-infrastructure-tests:
+    name: Run infrastructure tests
+    needs:
+      - run-security-scan
+      - scan-code
+      - scan-ci-dependencies
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: 1.14.0
+
+      - name: Run Infrastructure tests
+        working-directory: infrastructure/staging
+        run: make test-infrastructure
+
   build-staging-images:
     name: Build Staging Images
     env:

From 1e0a54eafa90d5f9dae1fa62f076448cd59985cc Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Fri, 30 Jan 2026 22:22:52 +0530
Subject: [PATCH 02/10] fix code

---
 .github/workflows/run-ci-cd.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index ebd82d423c..e214657d9c 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -480,7 +480,7 @@ jobs:
       rest-url: http://localhost:9500/api/v0
 
   run-infrastructure-tests:
-    name: Run infrastructure tests
+    name: Run Infrastructure tests
     needs:
       - run-security-scan
       - scan-code
@@ -498,7 +498,6 @@ jobs:
           terraform_version: 1.14.0
 
       - name: Run Infrastructure tests
-        working-directory: infrastructure/staging
         run: make test-infrastructure
 
   build-staging-images:

From bbcbc56035dfbfd35c6a5597bcca084ea75fbb5a Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:17:19 +0530
Subject: [PATCH 03/10] fix pre-commit hook

---
 .pre-commit-config.yaml                       |  2 +-
 .../modules/alb/tests/alb.tftest.hcl          | 40 +++++++++----------
 .../database/tests/database.tftest.hcl        |  2 +-
 .../tests/vpc-endpoint.tftest.hcl             | 24 +++++------
 .../networking/tests/networking.tftest.hcl    | 36 ++++++++---------
 5 files changed, 52 insertions(+), 52 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ca9565cd55..2a93cd34ef 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -13,7 +13,7 @@ repos:
     rev: v1.104.0
     hooks:
       - id: terraform_fmt
-        files: ^infrastructure/.*\.tf$
+        files: ^infrastructure/.*\.(tf|tftest\.hcl)$
       - id: terraform_tflint
         files: ^infrastructure/.*\.tf$
         args:
diff --git a/infrastructure/modules/alb/tests/alb.tftest.hcl b/infrastructure/modules/alb/tests/alb.tftest.hcl
index 95cc15d3d5..6320bc2819 100644
--- a/infrastructure/modules/alb/tests/alb.tftest.hcl
+++ b/infrastructure/modules/alb/tests/alb.tftest.hcl
@@ -55,10 +55,10 @@ run "test_lambda_alias_name" {
   command = plan
 
   override_data {
-      target = data.aws_lambda_function.backend[0]
-      values = {
-        version = "1"
-      }
+    target = data.aws_lambda_function.backend[0]
+    values = {
+      version = "1"
+    }
   }
   variables {
     lambda_function_name = "test-function"
@@ -85,10 +85,10 @@ run "test_lambda_permission_action" {
   command = plan
 
   override_data {
-      target = data.aws_lambda_function.backend[0]
-      values = {
-        version = "1"
-      }
+    target = data.aws_lambda_function.backend[0]
+    values = {
+      version = "1"
+    }
   }
   variables {
     lambda_function_name = "test-function"
@@ -103,10 +103,10 @@ run "test_lambda_permission_principal" {
   command = plan
 
   override_data {
-      target = data.aws_lambda_function.backend[0]
-      values = {
-        version = "1"
-      }
+    target = data.aws_lambda_function.backend[0]
+    values = {
+      version = "1"
+    }
   }
   variables {
     lambda_function_name = "test-function"
@@ -327,10 +327,10 @@ run "test_lambda_target_group_name_format" {
   command = plan
 
   override_data {
-      target = data.aws_lambda_function.backend[0]
-      values = {
-        version = "1"
-      }
+    target = data.aws_lambda_function.backend[0]
+    values = {
+      version = "1"
+    }
   }
   variables {
     lambda_function_name = "test-function"
@@ -345,10 +345,10 @@ run "test_lambda_target_group_type" {
   command = plan
 
   override_data {
-      target = data.aws_lambda_function.backend[0]
-      values = {
-        version = "1"
-      }
+    target = data.aws_lambda_function.backend[0]
+    values = {
+      version = "1"
+    }
   }
   variables {
     lambda_function_name = "test-function"
diff --git a/infrastructure/modules/database/tests/database.tftest.hcl b/infrastructure/modules/database/tests/database.tftest.hcl
index 8c184026ac..d714dcd26e 100644
--- a/infrastructure/modules/database/tests/database.tftest.hcl
+++ b/infrastructure/modules/database/tests/database.tftest.hcl
@@ -8,7 +8,7 @@ variables {
   db_subnet_ids        = ["subnet-12345678"]
   db_user              = "nest_user"
   environment          = "test"
-  kms_key_arn           = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
+  kms_key_arn          = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
   project_name         = "nest"
   security_group_ids   = ["sg-12345678"]
 }
diff --git a/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl b/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
index 3447f2abcb..2b0165d1f4 100644
--- a/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
+++ b/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
@@ -15,11 +15,11 @@ run "test_security_group_not_created_when_no_endpoint" {
 
   variables {
     create_cloudwatch_logs = false
-    create_ecr_api = false
-    create_ecr_dkr = false
-    create_s3 = false
-    create_secretsmanager = false
-    create_ssm = false
+    create_ecr_api         = false
+    create_ecr_dkr         = false
+    create_s3              = false
+    create_secretsmanager  = false
+    create_ssm             = false
   }
 
   assert {
@@ -33,11 +33,11 @@ run "test_security_group_created_with_interface_endpoint" {
 
   variables {
     create_cloudwatch_logs = true
-    create_ecr_api = false
-    create_ecr_dkr = false
-    create_s3 = false
-    create_secretsmanager = false
-    create_ssm = false
+    create_ecr_api         = false
+    create_ecr_dkr         = false
+    create_s3              = false
+    create_secretsmanager  = false
+    create_ssm             = false
   }
   assert {
     condition     = length(aws_security_group.vpc_endpoints) == 1
@@ -50,7 +50,7 @@ run "test_security_group_allows_https_from_vpc" {
 
   variables {
     create_cloudwatch_logs = true
-    create_s3 = false
+    create_s3              = false
   }
   assert {
     condition     = aws_security_group_rule.vpc_endpoints_ingress_https[0].from_port == 443
@@ -71,7 +71,7 @@ run "test_security_group_name_format" {
 
   variables {
     create_cloudwatch_logs = true
-    create_s3 = false
+    create_s3              = false
   }
   assert {
     condition     = aws_security_group.vpc_endpoints[0].tags["Name"] == "nest-test-vpc-endpoints-sg"
diff --git a/infrastructure/modules/networking/tests/networking.tftest.hcl b/infrastructure/modules/networking/tests/networking.tftest.hcl
index 53b853b908..bd667ee3fd 100644
--- a/infrastructure/modules/networking/tests/networking.tftest.hcl
+++ b/infrastructure/modules/networking/tests/networking.tftest.hcl
@@ -1,20 +1,20 @@
 variables {
-  availability_zones                     = ["us-east-2a", "us-east-2b", "us-east-2c"]
-  aws_region                             = "us-east-2"
-  common_tags                            = { Environment = "test", Project = "nest" }
-  create_vpc_cloudwatch_logs_endpoint    = false
-  create_vpc_ecr_api_endpoint            = false
-  create_vpc_ecr_dkr_endpoint            = false
-  create_vpc_s3_endpoint                 = false
-  create_vpc_secretsmanager_endpoint     = false
-  create_vpc_ssm_endpoint                = false
-  environment                            = "test"
-  kms_key_arn                            = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
-  log_retention_in_days                  = 90
-  private_subnet_cidrs                   = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  project_name                           = "nest"
-  public_subnet_cidrs                    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.6.0/24"]
-  vpc_cidr                               = "10.0.0.0/16"
+  availability_zones                  = ["us-east-2a", "us-east-2b", "us-east-2c"]
+  aws_region                          = "us-east-2"
+  common_tags                         = { Environment = "test", Project = "nest" }
+  create_vpc_cloudwatch_logs_endpoint = false
+  create_vpc_ecr_api_endpoint         = false
+  create_vpc_ecr_dkr_endpoint         = false
+  create_vpc_s3_endpoint              = false
+  create_vpc_secretsmanager_endpoint  = false
+  create_vpc_ssm_endpoint             = false
+  environment                         = "test"
+  kms_key_arn                         = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
+  log_retention_in_days               = 90
+  private_subnet_cidrs                = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
+  project_name                        = "nest"
+  public_subnet_cidrs                 = ["10.0.1.0/24", "10.0.2.0/24", "10.0.6.0/24"]
+  vpc_cidr                            = "10.0.0.0/16"
 }
 
 run "test_vpc_name_format" {
@@ -57,7 +57,7 @@ run "test_public_subnet_name_format" {
   command = plan
 
   assert {
-    condition     = alltrue([
+    condition = alltrue([
       for i, subnet in aws_subnet.public :
       subnet.tags["Name"] == "${var.project_name}-${var.environment}-public-${var.availability_zones[i]}"
     ])
@@ -96,7 +96,7 @@ run "test_private_subnet_name_format" {
   command = plan
 
   assert {
-    condition     = alltrue([
+    condition = alltrue([
       for i, subnet in aws_subnet.private :
       subnet.tags["Name"] == "${var.project_name}-${var.environment}-private-${var.availability_zones[i]}"
     ])

From 2e8c49b6b764f8d1066e40211686c241082fd6d1 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:18:42 +0530
Subject: [PATCH 04/10] mock aws provider

---
 infrastructure/modules/alb/tests/alb.tftest.hcl                 | 2 ++
 infrastructure/modules/cache/tests/cache.tftest.hcl             | 2 ++
 infrastructure/modules/database/tests/database.tftest.hcl       | 2 ++
 infrastructure/modules/ecs/modules/task/tests/task.tftest.hcl   | 2 ++
 infrastructure/modules/ecs/tests/ecs.tftest.hcl                 | 2 ++
 infrastructure/modules/frontend/tests/frontend.tftest.hcl       | 2 ++
 infrastructure/modules/kms/tests/kms.tftest.hcl                 | 2 ++
 .../modules/networking/modules/nacl/tests/nacl.tftest.hcl       | 2 ++
 .../modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl          | 2 ++
 infrastructure/modules/networking/tests/networking.tftest.hcl   | 2 ++
 infrastructure/modules/parameters/tests/parameters.tftest.hcl   | 2 ++
 infrastructure/modules/security/tests/security.tftest.hcl       | 2 ++
 12 files changed, 24 insertions(+)

diff --git a/infrastructure/modules/alb/tests/alb.tftest.hcl b/infrastructure/modules/alb/tests/alb.tftest.hcl
index 6320bc2819..050c6dddaa 100644
--- a/infrastructure/modules/alb/tests/alb.tftest.hcl
+++ b/infrastructure/modules/alb/tests/alb.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   alb_sg_id                  = "sg-alb-12345"
   common_tags                = { Environment = "test", Project = "nest" }
diff --git a/infrastructure/modules/cache/tests/cache.tftest.hcl b/infrastructure/modules/cache/tests/cache.tftest.hcl
index 3d6415a478..bdf2fc3fdb 100644
--- a/infrastructure/modules/cache/tests/cache.tftest.hcl
+++ b/infrastructure/modules/cache/tests/cache.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags           = { Environment = "test", Project = "nest" }
   environment           = "test"
diff --git a/infrastructure/modules/database/tests/database.tftest.hcl b/infrastructure/modules/database/tests/database.tftest.hcl
index d714dcd26e..4bb0323174 100644
--- a/infrastructure/modules/database/tests/database.tftest.hcl
+++ b/infrastructure/modules/database/tests/database.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags          = { Environment = "test", Project = "nest" }
   create_rds_proxy     = false
diff --git a/infrastructure/modules/ecs/modules/task/tests/task.tftest.hcl b/infrastructure/modules/ecs/modules/task/tests/task.tftest.hcl
index 785a7257cd..abe5ea3656 100644
--- a/infrastructure/modules/ecs/modules/task/tests/task.tftest.hcl
+++ b/infrastructure/modules/ecs/modules/task/tests/task.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   aws_region                   = "us-east-2"
   command                      = ["/bin/sh", "-c", "echo test"]
diff --git a/infrastructure/modules/ecs/tests/ecs.tftest.hcl b/infrastructure/modules/ecs/tests/ecs.tftest.hcl
index dfef0d5c11..692fd49876 100644
--- a/infrastructure/modules/ecs/tests/ecs.tftest.hcl
+++ b/infrastructure/modules/ecs/tests/ecs.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   aws_region                    = "us-east-2"
   common_tags                   = { Environment = "test", Project = "nest" }
diff --git a/infrastructure/modules/frontend/tests/frontend.tftest.hcl b/infrastructure/modules/frontend/tests/frontend.tftest.hcl
index 054fa955fc..fa04f9e0f7 100644
--- a/infrastructure/modules/frontend/tests/frontend.tftest.hcl
+++ b/infrastructure/modules/frontend/tests/frontend.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   aws_region               = "us-east-2"
   common_tags              = { Environment = "test", Project = "nest" }
diff --git a/infrastructure/modules/kms/tests/kms.tftest.hcl b/infrastructure/modules/kms/tests/kms.tftest.hcl
index d9a184855f..f860e7fca5 100644
--- a/infrastructure/modules/kms/tests/kms.tftest.hcl
+++ b/infrastructure/modules/kms/tests/kms.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags  = { Environment = "test", Project = "nest" }
   environment  = "test"
diff --git a/infrastructure/modules/networking/modules/nacl/tests/nacl.tftest.hcl b/infrastructure/modules/networking/modules/nacl/tests/nacl.tftest.hcl
index c350c5d893..cdbdef670b 100644
--- a/infrastructure/modules/networking/modules/nacl/tests/nacl.tftest.hcl
+++ b/infrastructure/modules/networking/modules/nacl/tests/nacl.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags        = { Environment = "test", Project = "nest" }
   environment        = "test"
diff --git a/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl b/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
index 2b0165d1f4..1ceb87e68c 100644
--- a/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
+++ b/infrastructure/modules/networking/modules/vpc-endpoint/tests/vpc-endpoint.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   aws_region             = "us-east-1"
   common_tags            = { Environment = "test", Project = "nest" }
diff --git a/infrastructure/modules/networking/tests/networking.tftest.hcl b/infrastructure/modules/networking/tests/networking.tftest.hcl
index bd667ee3fd..91c709ee31 100644
--- a/infrastructure/modules/networking/tests/networking.tftest.hcl
+++ b/infrastructure/modules/networking/tests/networking.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   availability_zones                  = ["us-east-2a", "us-east-2b", "us-east-2c"]
   aws_region                          = "us-east-2"
diff --git a/infrastructure/modules/parameters/tests/parameters.tftest.hcl b/infrastructure/modules/parameters/tests/parameters.tftest.hcl
index 6d6eeccfda..1e8ff3ae13 100644
--- a/infrastructure/modules/parameters/tests/parameters.tftest.hcl
+++ b/infrastructure/modules/parameters/tests/parameters.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   allowed_hosts      = "nest.owasp.dev"
   allowed_origins    = "https://nest.owasp.dev"
diff --git a/infrastructure/modules/security/tests/security.tftest.hcl b/infrastructure/modules/security/tests/security.tftest.hcl
index 4622f43bb5..f179defb13 100644
--- a/infrastructure/modules/security/tests/security.tftest.hcl
+++ b/infrastructure/modules/security/tests/security.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags  = { Environment = "test", Project = "nest" }
   db_port      = 5432

From 97ac415f60cfc927caf4ac5a4677074632881eb1 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:26:45 +0530
Subject: [PATCH 05/10] fix test

---
 infrastructure/modules/kms/tests/kms.tftest.hcl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/infrastructure/modules/kms/tests/kms.tftest.hcl b/infrastructure/modules/kms/tests/kms.tftest.hcl
index f860e7fca5..01d4546b98 100644
--- a/infrastructure/modules/kms/tests/kms.tftest.hcl
+++ b/infrastructure/modules/kms/tests/kms.tftest.hcl
@@ -1,5 +1,12 @@
 mock_provider "aws" {}
 
+override_data {
+  target = data.aws_iam_policy_document.key_policy
+  values = {
+    json = "{\"Statement\":[{\"Sid\":\"EnableIAMUserPermissions\"},{\"Sid\":\"AllowCloudWatchLogs\"}]}"
+  }
+}
+
 variables {
   common_tags  = { Environment = "test", Project = "nest" }
   environment  = "test"

From 468599291043a8b3bf4848db95ec1b5fbe64d8f7 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:35:12 +0530
Subject: [PATCH 06/10] fix test

---
 infrastructure/modules/networking/tests/networking.tftest.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/networking/tests/networking.tftest.hcl b/infrastructure/modules/networking/tests/networking.tftest.hcl
index 91c709ee31..ad9e6d19c2 100644
--- a/infrastructure/modules/networking/tests/networking.tftest.hcl
+++ b/infrastructure/modules/networking/tests/networking.tftest.hcl
@@ -128,7 +128,7 @@ run "test_private_subnets_no_public_ip" {
   command = plan
 
   assert {
-    condition     = alltrue([for subnet in aws_subnet.private : subnet.map_public_ip_on_launch == false])
+    condition     = alltrue([for subnet in aws_subnet.private : subnet.map_public_ip_on_launch != true])
     error_message = "Private subnets must not auto-assign public IPs."
   }
 }

From 4e83d909b03f559d51ddc19214f0855422c9cca7 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:49:03 +0530
Subject: [PATCH 07/10] change nosemgrep to NOSEMGREP

---
 backend/zappa_callback.py                 | 2 +-
 infrastructure/modules/ecs/main.tf        | 2 +-
 infrastructure/modules/frontend/main.tf   | 4 ++--
 infrastructure/modules/networking/main.tf | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/backend/zappa_callback.py b/backend/zappa_callback.py
index 0b5e95fe87..5ac73b7447 100644
--- a/backend/zappa_callback.py
+++ b/backend/zappa_callback.py
@@ -31,7 +31,7 @@ def clean_package(zappa):
         temp_path = Path(temp_dir)
         new_archive_path = temp_path / "new.tar.gz"
 
-        # nosemgrep: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal # noqa: ERA001, E501
+        # NOSEMGREP: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal # noqa: ERA001, E501
         with tarfile.open(full_path, "r:gz") as tf:  # NOSONAR archive is trusted
             tf.extractall(temp_path, filter="data")
 
diff --git a/infrastructure/modules/ecs/main.tf b/infrastructure/modules/ecs/main.tf
index 2e32045b4b..3dc9d06c69 100644
--- a/infrastructure/modules/ecs/main.tf
+++ b/infrastructure/modules/ecs/main.tf
@@ -107,7 +107,7 @@ resource "aws_iam_policy" "ecs_tasks_execution_policy" {
     Version = "2012-10-17"
     Statement = [
       {
-        # nosemgrep: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure
+        # NOSEMGREP: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure
         Action = [
           # https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html#repository-policy-vs-iam-policy
           "ecr:GetAuthorizationToken"
diff --git a/infrastructure/modules/frontend/main.tf b/infrastructure/modules/frontend/main.tf
index c16f482ea0..929be802a8 100644
--- a/infrastructure/modules/frontend/main.tf
+++ b/infrastructure/modules/frontend/main.tf
@@ -21,7 +21,7 @@ resource "aws_cloudwatch_log_group" "frontend" {
 }
 
 # TODO: disallow tag mutability
-# nosemgrep: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags
+# NOSEMGREP: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags
 resource "aws_ecr_repository" "frontend" {
   image_tag_mutability = "MUTABLE"
   name                 = "${var.project_name}-${var.environment}-frontend"
@@ -206,7 +206,7 @@ resource "aws_iam_policy" "ecs_task_execution_policy" {
     Statement = [
       {
         # https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html#repository-policy-vs-iam-policy
-        # nosemgrep: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure
+        # NOSEMGREP: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure
         Action   = "ecr:GetAuthorizationToken"
         Effect   = "Allow"
         Resource = "*" # NOSONAR
diff --git a/infrastructure/modules/networking/main.tf b/infrastructure/modules/networking/main.tf
index 8302239008..a220c52a26 100644
--- a/infrastructure/modules/networking/main.tf
+++ b/infrastructure/modules/networking/main.tf
@@ -18,7 +18,7 @@ resource "aws_vpc" "main" {
   })
 }
 
-# nosemgrep: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address
+# NOSEMGREP: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address
 resource "aws_subnet" "public" {
   availability_zone       = var.availability_zones[count.index]
   cidr_block              = var.public_subnet_cidrs[count.index]

From 8291db505ba086023e102730e71612a68bc35f4f Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 00:57:36 +0530
Subject: [PATCH 08/10] use single quotes

---
 .github/workflows/run-ci-cd.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index e214657d9c..d6f0689e20 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -721,10 +721,10 @@ jobs:
           CREATE_RDS_PROXY: false
           DOMAIN_NAME: ${{ vars.DOMAIN_NAME }}
           ECS_USE_FARGATE_SPOT: true
-          ENVIRONMENT: "staging"
+          ENVIRONMENT: 'staging'
           FRONTEND_USE_FARGATE_SPOT: true
           LAMBDA_FUNCTION_NAME: ${{ secrets.ZAPPA_LAMBDA_FUNCTION_NAME }}
-          PROJECT_NAME: "nest"
+          PROJECT_NAME: 'nest'
         run: |
           umask 377
           cat > infrastructure/staging/terraform.tfvars <<-EOF

From 2e1eabfc336f245679cd447c0b2eb44874d645bf Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 01:03:37 +0530
Subject: [PATCH 09/10] update code

---
 .github/workflows/run-ci-cd.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index d6f0689e20..b5d0a8d5b6 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -513,6 +513,7 @@ jobs:
       - run-frontend-a11y-tests
       - run-frontend-e2e-tests
       - run-frontend-unit-tests
+      - run-infrastructure-tests
       - set-release-version
     permissions:
       contents: read
@@ -672,7 +673,6 @@ jobs:
   plan-staging-nest:
     name: Plan Nest Staging
     env:
-      FORCE_COLOR: 1
       TF_INPUT: false
       TF_IN_AUTOMATION: true
     environment: staging
@@ -771,7 +771,6 @@ jobs:
   deploy-staging-nest:
     name: Deploy Nest Staging
     env:
-      FORCE_COLOR: 1
       TF_INPUT: false
       TF_IN_AUTOMATION: true
     environment: staging

From 12d30087a5d52197bf27167f22a44cad3a0fd270 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava <rudransh.shr@gmail.com>
Date: Sat, 31 Jan 2026 01:11:54 +0530
Subject: [PATCH 10/10] add mock provider

---
 .../storage/modules/s3-bucket/tests/s3-bucket.tftest.hcl        | 2 ++
 infrastructure/modules/storage/tests/storage.tftest.hcl         | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/infrastructure/modules/storage/modules/s3-bucket/tests/s3-bucket.tftest.hcl b/infrastructure/modules/storage/modules/s3-bucket/tests/s3-bucket.tftest.hcl
index d577e1244a..44d1669c6c 100644
--- a/infrastructure/modules/storage/modules/s3-bucket/tests/s3-bucket.tftest.hcl
+++ b/infrastructure/modules/storage/modules/s3-bucket/tests/s3-bucket.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   bucket_name = "test-bucket"
   tags        = { Environment = "test", Project = "nest" }
diff --git a/infrastructure/modules/storage/tests/storage.tftest.hcl b/infrastructure/modules/storage/tests/storage.tftest.hcl
index 933238bf57..b01bb6bbf6 100644
--- a/infrastructure/modules/storage/tests/storage.tftest.hcl
+++ b/infrastructure/modules/storage/tests/storage.tftest.hcl
@@ -1,3 +1,5 @@
+mock_provider "aws" {}
+
 variables {
   common_tags          = { Environment = "test", Project = "nest" }
   environment          = "test"