ROSAENG-0000 | ci: block major version bumps #159

Open
amandahla wants to merge 1 commit into main from amandahla-patch-2
@amandahla amandahla commented Jun 16, 2026

Member

PR Summary

Adds a Renovate rule to block major version bumps for terraform-aws-modules/iam/aws and terraform-aws-modules/secrets-manager/aws, preventing Renovate from proposing breaking upgrades until those modules are replaced with raw resources.

Detailed Description of the Issue

Recent major releases of the iam and secrets-manager community Terraform modules introduced breaking changes. Until this module migrates from those community modules to raw AWS resources (as already done in ROSA HCP), major version bumps must be suppressed to avoid unintended breakage for consumers.

Related Issues and PRs

  • Jira: ROSAENG-0000
  • Fixes: #
  • Related PR(s):
  • Related design/docs:

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

Renovate could open PRs proposing major version upgrades for terraform-aws-modules/iam/aws and terraform-aws-modules/secrets-manager/aws, which could introduce breaking changes for module consumers.

Behavior After This Change

Renovate will skip major version bumps for terraform-aws-modules/iam/aws and terraform-aws-modules/secrets-manager/aws. Minor and patch updates remain enabled. No change to module behavior at plan/apply time.

How to Test (Step-by-Step)

Preconditions

N/A — CI configuration change only.

Test Steps

  1. Verify the new packageRule entry in renovate.json targets matchPackageNames for both modules and sets matchUpdateTypes: ["major"] with "enabled": false.
  2. (Optional) Trigger a Renovate dry-run and confirm no major-version PRs are proposed for the two modules.

Expected Results

Renovate does not open PRs for major upgrades of terraform-aws-modules/iam/aws or terraform-aws-modules/secrets-manager/aws.

Proof of the Fix

  • Screenshots:
  • Videos:
  • Logs/CLI output:
  • Other artifacts:

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

Developer Verification Checklist

  • I checked if this affects terraform-rhcs-rosa-hcp and submitted (or already submitted) a companion PR when needed.
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes (or each step: verify, verify-gen, lint, unit-tests, license-check, docs-lint).
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • Chores
    • Updated dependency update configuration to prevent major version bumps for selected Terraform modules, reducing unnecessary breaking changes in infrastructure code.
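
Test step 1 above can be automated as a regression guard. The following is an added example, not part of the PR or the repository: it models only exact-name `matchPackageNames` and `matchUpdateTypes`, does not resolve presets pulled in through `extends`, and relies on Renovate applying `packageRules` in order so that a later matching rule overrides an earlier one.

```python
import json

# The two modules named in the PR description.
PINNED = ("terraform-aws-modules/iam/aws",
          "terraform-aws-modules/secrets-manager/aws")
MODELLED = {"matchPackageNames", "matchUpdateTypes"}  # matchers this sketch understands

def rule_matches(rule, package, update_type):
    matchers = {k for k in rule if k.startswith(("match", "exclude"))}
    if not matchers or not matchers <= MODELLED:
        return False  # unmodelled matcher: skipped here, review such rules by hand
    if "matchPackageNames" in rule and package not in rule["matchPackageNames"]:
        return False
    if "matchUpdateTypes" in rule and update_type not in rule["matchUpdateTypes"]:
        return False
    return True

def effective_enabled(config, package, update_type):
    """Apply packageRules in order; a later matching rule overrides an earlier one."""
    enabled = config.get("enabled", True)
    for rule in config.get("packageRules", []):
        if "enabled" in rule and rule_matches(rule, package, update_type):
            enabled = rule["enabled"]
    return enabled

def check(config_text):
    """Return a list of problems; empty means the pin behaves as the PR describes."""
    config = json.loads(config_text)
    problems = []
    for pkg in PINNED:
        if effective_enabled(config, pkg, "major"):
            problems.append(f"{pkg}: major updates still enabled")
        for kind in ("minor", "patch"):
            if not effective_enabled(config, pkg, kind):
                problems.append(f"{pkg}: {kind} updates disabled")
    return problems

# Constructed sample, not the repository's actual renovate.json.
SAMPLE = """
{
  "packageRules": [
    {"matchPackageNames": ["terraform-aws-modules/iam/aws",
                           "terraform-aws-modules/secrets-manager/aws"],
     "matchUpdateTypes": ["major"],
     "enabled": false}
  ]
}
"""

if __name__ == "__main__":
    print(check(SAMPLE) or "ok")
```

The check fails if a rule appended later re-enables the updates, which a plain text search for `"enabled": false` would miss.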

@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 16, 2026


Review Change Stack

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 06547c1b-5287-4305-8db9-f6a9c5a22e8d

📥 Commits

Reviewing files that changed from the base of the PR and between dbf6f23 and 189d43d.

📒 Files selected for processing (1)
  • renovate.json

Walkthrough

renovate.json gains a new packageRules entry that sets enabled: false for matchUpdateTypes: ["major"] targeting terraform-aws-modules/iam/aws and terraform-aws-modules/secrets-manager/aws. The rest of the file has whitespace/formatting-only changes.

Changes

Renovate Config – Block Major Terraform Module Bumps

Layer / File(s): Add major-version block for Terraform AWS modules (renovate.json)
Summary: Appends a packageRules entry that matches terraform-aws-modules/iam/aws and terraform-aws-modules/secrets-manager/aws on major update type and disables those proposals; rest of file is whitespace-only reformatting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
  • Title check: ✅ Passed. The title clearly and concisely describes the main change: blocking major version bumps via Renovate configuration, matching the actual modification to renovate.json.
  • Description check: ✅ Passed. The PR description is comprehensive and follows the template with all major sections completed: summary, detailed issue description, related issues, type of change (ci), behavior before/after, testing steps, breaking changes declaration, and verification checklist items addressed.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Pr Checklist Claims Vs Evidence (Generic): ✅ Passed. All 5 checked items verified: (1) Commit message matches format ROSAENG-0000 | ci: block major version bumps. (2) PR description clearly explains what (added packageRule blocking major bumps) and...


Iam and secrets-manager major versions added a breaking change so we are pinning versions until we migrate from modules to raw resources like in HCP

Signed-off-by: Amanda H. L. de Andrade Katz <amanda.katz@redhat.com>
@amandahla amandahla force-pushed the amandahla-patch-2 branch from dbf6f23 to 189d43d Compare June 17, 2026 19:24
@amandahla

Member Author

/override ci/prow/rosa-classic-public
/override ci/prow/rosa-classic-private-with-autoscaler-unmanaged-oidc-byo-vpc

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Contributor

@amandahla: Overrode contexts on behalf of amandahla: ci/prow/rosa-classic-private-with-autoscaler-unmanaged-oidc-byo-vpc, ci/prow/rosa-classic-public

Details

In response to this:

/override ci/prow/rosa-classic-public
/override ci/prow/rosa-classic-private-with-autoscaler-unmanaged-oidc-byo-vpc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}
