fix: Address feedback from SonarQube and CodeRabbit reviews

Author: nishkersh

Terraform/Operational-Guide.md

@@ -46,14 +46,27 @@ This infrastructure requires an S3 bucket and a DynamoDB table for managing Terr
 2.  **Create the S3 Bucket for Terraform State:**
     *This bucket will store the `.tfstate` file, which is Terraform's map of your infrastructure.*
     ```bash
-    aws s3api create-bucket \
-      --bucket ${TF_STATE_BUCKET} \
-      --region ${AWS_REGION} \
-      --create-bucket-configuration LocationConstraint=${AWS_REGION}
+    if [ "${AWS_REGION}" = "us-east-1" ]; then
+      aws s3api create-bucket --bucket "${TF_STATE_BUCKET}" --region "${AWS_REGION}"
+    else
+      aws s3api create-bucket \
+        --bucket "${TF_STATE_BUCKET}" \
+        --region "${AWS_REGION}" \
+        --create-bucket-configuration LocationConstraint=${AWS_REGION}
+    fi
 
     aws s3api put-bucket-versioning \
       --bucket ${TF_STATE_BUCKET} \
       --versioning-configuration Status=Enabled
+
+
+    aws s3api put-public-access-block \
+      --bucket "${TF_STATE_BUCKET}" \
+      --public-access-block-configuration 'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'
+
+    aws s3api put-bucket-encryption \
+      --bucket "${TF_STATE_BUCKET}" \
+      --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
     ```
 
 3.  **Create the DynamoDB Table for State Locking:**
@@ -108,7 +121,7 @@ To deploy an environment, navigate to its directory and run the standard Terrafo
 
 1.  **Navigate to the Environment Directory:**
     ```bash
-    cd terraform/environments/dev
+    cd Terraform/environments/Dev
     ```
 
 2.  **Create a `terraform.tfvars` file:**

Terraform/modules/01-Network/main.tf

@@ -73,8 +73,8 @@ resource "aws_eip" "nat" {
 }
 
 resource "aws_nat_gateway" "main" {
-  # Only one NAT Gateway, placed in the first public subnet for simplicity.
-  # As AWS automatically handles failover at the infrastructure level.
+# Cost-optimized: a single NAT Gateway in the first public subnet.
+# NOTE: This is a single-AZ SPOF for egress. A per-AZ NAT option could be added for higher availability.
   allocation_id = aws_eip.nat.id
   subnet_id     = aws_subnet.public[0].id
 
@@ -182,6 +182,7 @@ resource "aws_lb" "main" {
   load_balancer_type = "application"
   security_groups    = [aws_security_group.alb.id]
   subnets            = aws_subnet.public[*].id
+  drop_invalid_header_fields = true
 
   # Deletion protection should be enabled via a variable for production.
   enable_deletion_protection = var.environment == "prod" ? true : false
@@ -213,7 +214,7 @@ resource "aws_lb_listener" "https" {
   load_balancer_arn = aws_lb.main.arn
   port              = 443
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
   certificate_arn   = var.acm_certificate_arn
 
   default_action {

Terraform/modules/01-Network/variables.tf

@@ -31,17 +31,17 @@ variable "public_subnet_cidrs" {
   description = "A list of CIDR blocks for the public subnets. The number of CIDRs must match the number of availability_zones."
   type        = list(string)
   validation {
-    condition     = length(var.public_subnet_cidrs) > 0
-    error_message = "At least one public subnet CIDR must be provided."
-  }
+  condition     = length(var.public_subnet_cidrs) > 0 && length(var.public_subnet_cidrs) == length(var.availability_zones)
+  error_message = "Provide at least one public subnet CIDR, and ensure its count matches availability_zones."
+}
 }
 
 variable "private_subnet_cidrs" {
   description = "A list of CIDR blocks for the private subnets. The number of CIDRs must match the number of availability_zones."
   type        = list(string)
   validation {
-    condition     = length(var.private_subnet_cidrs) > 0
-    error_message = "At least one private subnet CIDR must be provided."
+    condition     = length(var.private_subnet_cidrs) > 0 && length(var.private_subnet_cidrs) == length(var.availability_zones)
+    error_message = "Provide at least one private subnet CIDR, and ensure its count matches availability_zones."
   }
 }