@@ -133,7 +133,7 @@ Please ensure that these dependencies are kept in sync with infrastructure by up
## Terraform Module Management
It's considered a security best practice to pin Terraform modules to a specific version to ensure that any changes to the module are reviewed and approved before being applied to production. Addtionally, as tags are considered mutable in Git, it's recommended to leverage the digest of a particular version as opposed to the tag. Using the digest will help prevent [supply chain attacks](https://medium.com/boostsecurity/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry-2af48a7eb2) or any unintentional changes by the module author.
It's considered a security best practice to pin Terraform modules to a specific version to ensure that any changes to the module are reviewed and approved before being applied to production. Additionally, as tags are considered mutable in Git, it's recommended to leverage the digest of a particular version as opposed to the tag. Using the digest will help prevent [supply chain attacks](https://medium.com/boostsecurity/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry-2af48a7eb2) or any unintentional changes by the module author.
To allow Renovate to manage updating the terraform modules pinned to digest, simply annotate the `file.tf` with the following:
