HighPR-scope Plug & play

Pin providers/modules and commit .terraform.lock.hcl

Use version constraints for required_providers and modules, and include .terraform.lock.hcl in PRs that change dependencies.

Add to Mesrai Open workspace

Why this matters

Pinned versions and lockfiles ensure reproducible plans and safer rollbacks.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

terraform {
 required_providers {
 aws = {}
 }
}
module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
}
# (no lockfile in PR)

Prefer

terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = ">= 5.0, < 6.0"
 }
 }
}
module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.1.2"
}
# .terraform.lock.hcl added

More snippets

Good

required_providers { aws = { version = ">= 5.0, < 6.0" } }

Bad

required_providers { aws = {} }

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret