From 4bbd6f6ff51f0c4dda3938cca9fa70fd794e5c4b Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Sun, 19 Oct 2025 13:50:40 -0500
Subject: [PATCH 1/6] fix: Update CI workflow versions to latest

---
 .github/workflows/pr-title.yml          |  2 +-
 .github/workflows/pre-commit.yml        | 94 +++++++++++++++++++------
 .github/workflows/release.yml           | 23 ++++--
 .github/workflows/stale-actions.yaml    |  2 +-
 .gitignore                              | 11 ++-
 .pre-commit-config.yaml                 |  4 +-
 .releaserc.json => docs/.releaserc.json |  0
 CHANGELOG.md => docs/CHANGELOG.md       |  0
 8 files changed, 101 insertions(+), 35 deletions(-)
 rename .releaserc.json => docs/.releaserc.json (100%)
 rename CHANGELOG.md => docs/CHANGELOG.md (100%)

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 1e50760e..6419f3aa 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5.5.3
+      - uses: amannn/action-semantic-pull-request@v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index a19ff831..f25fe0f2 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -7,8 +7,8 @@ on:
       - master
 
 env:
-  TERRAFORM_DOCS_VERSION: v0.19.0
-  TFLINT_VERSION: v0.53.0
+  TERRAFORM_DOCS_VERSION: v0.20.0
+  TFLINT_VERSION: v0.59.1
 
 jobs:
   collectInputs:
@@ -18,11 +18,11 @@ jobs:
       directories: ${{ steps.dirs.outputs.directories }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Get root directories
         id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.9.0
+        uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
 
   preCommitMinVersions:
     name: Min TF pre-commit
@@ -32,27 +32,56 @@ jobs:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
-      - name: Delete huge unnecessary tools folder
+      - name: Delete unnecessary files
         run: |
-          rm -rf /opt/hostedtoolcache/CodeQL
-          rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
-          rm -rf /opt/hostedtoolcache/Ruby
-          rm -rf /opt/hostedtoolcache/go
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+
+          if ${{ github.repository }} == 'terraform-aws-modules/terraform-aws-iam';
+          then
+            sudo rmz -f /usr/local/lib/android &
+            sudo rmz -f /usr/share/dotnet &
+            sudo rmz -f /usr/local/.ghcup &
+          fi
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.3.1
+        uses: clowdhaus/terraform-min-max@v2.1.0
         with:
           directory: ${{ matrix.directory }}
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
@@ -61,7 +90,7 @@ jobs:
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
@@ -72,26 +101,49 @@ jobs:
     runs-on: ubuntu-latest
     needs: collectInputs
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
-      - name: Delete huge unnecessary tools folder
+      - name: Delete unnecessary files
         run: |
-          rm -rf /opt/hostedtoolcache/CodeQL
-          rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
-          rm -rf /opt/hostedtoolcache/Ruby
-          rm -rf /opt/hostedtoolcache/go
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          sudo rmz -f /usr/share/dotnet &
+          sudo rmz -f /usr/local/.ghcup &
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.3.1
+        uses: clowdhaus/terraform-min-max@v2.1.0
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4a942261..7558cc8a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,18 +20,27 @@ jobs:
     if: github.repository_owner == 'terraform-aws-modules'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           fetch-depth: 0
 
+      - name: Set correct Node.js version
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+
+      - name: Install dependencies
+        run: |
+          npm install \
+            @semantic-release/changelog@6.0.3 \
+            @semantic-release/git@10.0.1 \
+            conventional-changelog-conventionalcommits@9.1.0
+
       - name: Release
-        uses: cycjimmy/semantic-release-action@v4
+        uses: cycjimmy/semantic-release-action@v5
         with:
-          semantic_version: 23.0.2
-          extra_plugins: |
-            @semantic-release/changelog@6.0.3
-            @semantic-release/git@10.0.1
-            conventional-changelog-conventionalcommits@7.0.2
+          semantic_version: 25.0.0
+          working_directory: docs/
         env:
           GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
index 6ccd0ed8..3e826dcf 100644
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           # Staling issues and PR's
diff --git a/.gitignore b/.gitignore
index 627f0686..f5abfc78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
-.DS_Store
-
 # Local .terraform directories
 **/.terraform/*
 
@@ -9,7 +7,6 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
-*.tfplan
 
 # Crash log files
 crash.log
@@ -30,3 +27,11 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Lambda build artifacts
+builds/
+__pycache__/
+*.zip
+
+.DS_Store
+.idea
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a6cd3694..9223e3c4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.103.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
diff --git a/.releaserc.json b/docs/.releaserc.json
similarity index 100%
rename from .releaserc.json
rename to docs/.releaserc.json
diff --git a/CHANGELOG.md b/docs/CHANGELOG.md
similarity index 100%
rename from CHANGELOG.md
rename to docs/CHANGELOG.md

From 8f637a7781c0106edec102e04780da05e2098c3e Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Sun, 19 Oct 2025 14:23:56 -0500
Subject: [PATCH 2/6] fix: Update CI workflow versions to latest

---
 .github/workflows/pre-commit.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index f25fe0f2..c6e88978 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -56,13 +56,6 @@ jobs:
           rmz -f /opt/hostedtoolcache/Ruby &
           rmz -f /opt/hostedtoolcache/go &
 
-          if ${{ github.repository }} == 'terraform-aws-modules/terraform-aws-iam';
-          then
-            sudo rmz -f /usr/local/lib/android &
-            sudo rmz -f /usr/share/dotnet &
-            sudo rmz -f /usr/local/.ghcup &
-          fi
-
           wait
 
           AFTER=$(getAvailableSpace)
@@ -119,13 +112,19 @@ jobs:
           BEFORE=$(getAvailableSpace)
 
           ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
-          sudo rmz -f /usr/share/dotnet &
-          sudo rmz -f /usr/local/.ghcup &
           rmz -f /opt/hostedtoolcache/CodeQL &
           rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
           rmz -f /opt/hostedtoolcache/PyPy &
           rmz -f /opt/hostedtoolcache/Ruby &
           rmz -f /opt/hostedtoolcache/go &
+
+          if ${{ github.repository }} == 'terraform-aws-modules/terraform-aws-security-group';
+          then
+            sudo rmz -f /usr/local/lib/android &
+            sudo rmz -f /usr/share/dotnet &
+            sudo rmz -f /usr/local/.ghcup &
+          fi
+
           wait
 
           AFTER=$(getAvailableSpace)

From efd204721c095d23c6c9d6de0ac1c32ebf7802c9 Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Sun, 19 Oct 2025 15:03:10 -0500
Subject: [PATCH 3/6] fix: Update CI workflow versions to latest

---
 .github/workflows/pre-commit.yml | 8 ++++++--
 .gitignore                       | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c6e88978..cb40825c 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -118,8 +118,7 @@ jobs:
           rmz -f /opt/hostedtoolcache/Ruby &
           rmz -f /opt/hostedtoolcache/go &
 
-          if ${{ github.repository }} == 'terraform-aws-modules/terraform-aws-security-group';
-          then
+          if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
             sudo rmz -f /usr/local/lib/android &
             sudo rmz -f /usr/share/dotnet &
             sudo rmz -f /usr/local/.ghcup &
@@ -141,6 +140,11 @@ jobs:
         id: minMax
         uses: clowdhaus/terraform-min-max@v2.1.0
 
+      - name: Hide template dir
+        # Special to this repo, we don't want to check this dir
+        if: ${{ github.repository ==  'terraform-aws-modules/terraform-aws-security-group' }}
+        run: rm -rf modules/_templates
+
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
diff --git a/.gitignore b/.gitignore
index f5abfc78..fd39819e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,8 @@ terraform.rc
 builds/
 __pycache__/
 *.zip
+.tox
 
+# Local editors/macos files
 .DS_Store
 .idea

From 2a9e6471e6685949d410cd05f0dc2ad6522c6427 Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Sun, 19 Oct 2025 15:37:01 -0500
Subject: [PATCH 4/6] fix: Update CI workflow versions to latest

---
 .github/workflows/pre-commit.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index cb40825c..057b9c42 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -117,11 +117,25 @@ jobs:
           rmz -f /opt/hostedtoolcache/PyPy &
           rmz -f /opt/hostedtoolcache/Ruby &
           rmz -f /opt/hostedtoolcache/go &
+          sudo rmz -f /usr/local/lib/android &
 
           if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
-            sudo rmz -f /usr/local/lib/android &
             sudo rmz -f /usr/share/dotnet &
             sudo rmz -f /usr/local/.ghcup &
+            sudo apt-get -qq remove -y 'azure-.*'
+            sudo apt-get -qq remove -y 'cpp-.*'
+            sudo apt-get -qq remove -y 'dotnet-runtime-.*'
+            sudo apt-get -qq remove -y 'google-.*'
+            sudo apt-get -qq remove -y 'libclang-.*'
+            sudo apt-get -qq remove -y 'libllvm.*'
+            sudo apt-get -qq remove -y 'llvm-.*'
+            sudo apt-get -qq remove -y 'mysql-.*'
+            sudo apt-get -qq remove -y 'postgresql-.*'
+            sudo apt-get -qq remove -y 'php.*'
+            sudo apt-get -qq remove -y 'temurin-.*'
+            sudo apt-get -qq remove -y kubectl firefox mono-devel
+            sudo apt-get -qq autoremove -y
+            sudo apt-get -qq clean
           fi
 
           wait

From d2633233b4dca22cd9296598d07edfcc433c20af Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Mon, 20 Oct 2025 10:02:34 -0500
Subject: [PATCH 5/6] fix: Move changelog back to project root

---
 .github/workflows/release.yml           | 1 -
 docs/.releaserc.json => .releaserc.json | 0
 docs/CHANGELOG.md => CHANGELOG.md       | 0
 3 files changed, 1 deletion(-)
 rename docs/.releaserc.json => .releaserc.json (100%)
 rename docs/CHANGELOG.md => CHANGELOG.md (100%)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7558cc8a..e739b790 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,5 @@ jobs:
         uses: cycjimmy/semantic-release-action@v5
         with:
           semantic_version: 25.0.0
-          working_directory: docs/
         env:
           GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
diff --git a/docs/.releaserc.json b/.releaserc.json
similarity index 100%
rename from docs/.releaserc.json
rename to .releaserc.json
diff --git a/docs/CHANGELOG.md b/CHANGELOG.md
similarity index 100%
rename from docs/CHANGELOG.md
rename to CHANGELOG.md

From 1814ae399b2912fed22385ff9e7c5edb9a422965 Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Mon, 20 Oct 2025 14:12:06 -0500
Subject: [PATCH 6/6] fix: Restrict AWS provider to within `v5.x` until project
 and modules used support `v6.x`

---
 README.md                            | 1 +
 examples/github-complete/README.md   | 4 ++--
 examples/github-complete/versions.tf | 2 +-
 examples/github-separate/README.md   | 4 ++--
 examples/github-separate/versions.tf | 2 +-
 versions.tf                          | 7 +++++++
 6 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index c0c0a24f..ae785f82 100644
--- a/README.md
+++ b/README.md
@@ -211,6 +211,7 @@ module "atlantis" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 
 ## Providers
 
diff --git a/examples/github-complete/README.md b/examples/github-complete/README.md
index 6d1c2613..0713a7e0 100644
--- a/examples/github-complete/README.md
+++ b/examples/github-complete/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | >= 5.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
@@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/github-complete/versions.tf b/examples/github-complete/versions.tf
index e759c653..0b115f06 100644
--- a/examples/github-complete/versions.tf
+++ b/examples/github-complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = "~> 5.0"
     }
 
     github = {
diff --git a/examples/github-separate/README.md b/examples/github-separate/README.md
index 15115f61..a0720588 100644
--- a/examples/github-separate/README.md
+++ b/examples/github-separate/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | >= 5.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
@@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/github-separate/versions.tf b/examples/github-separate/versions.tf
index e759c653..0b115f06 100644
--- a/examples/github-separate/versions.tf
+++ b/examples/github-separate/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = "~> 5.0"
     }
 
     github = {
diff --git a/versions.tf b/versions.tf
index 7117131f..a8de733f 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,3 +1,10 @@
 terraform {
   required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
 }