
fix: Pin acm module to source hash #132

Closed

Conversation

@guthrey-coy guthrey-coy commented Jan 6, 2025

Description

Pin the acm module to a source hash instead of just referencing a version number

Motivation and Context

It is a security best practice to pin to a source hash instead of a version number.

Breaking Changes

This should not break backwards compatibility. In fact, this change should not affect the functionality of the module at all.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@guthrey-coy guthrey-coy changed the title fix: pin acm module to source hash fix: Pin acm module to source hash Jan 6, 2025
@guthrey-coy (Author) commented Jan 6, 2025

@antonbabenko I saw that you closed this PR. Is there a different way you would suggest I submit a change request?

@bryantbiggs (Member) commented:

It's just not a valid change request.

@guthrey-coy (Author) commented Jan 6, 2025

@bryantbiggs why do you feel it is not a valid request? Pinning to a source hash is widely accepted as a best security practice.

@bryantbiggs (Member) commented:

Sure - when referencing something provided by someone else. But this is our module referencing our module and we know we don't mutate versions, so... what's the point? It's just a superfluous change of hand-wavy "ahh, but it's a best practice".

@guthrey-coy (Author) commented:

@bryantbiggs thanks for the response. I was making this change because this module is failing a linter that my company is using. I will say, even if it is your own module, it is still much more secure to pin to a source hash. If there were some kind of breach within your org and someone was able to modify the tag for this resource, then it would be an issue.

Also, if you were to pin to a source hash it would benefit your customers, like my organization, who are running Terraform linting.
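As an added example (not code from this PR or the module it touches), the kind of check a Terraform source-pinning linter performs: it classifies each `module` block by whether its source is pinned to an immutable commit SHA, to a movable git tag, to a registry version constraint only, or not pinned at all. The sample `.tf` text, module paths, org name and commit SHA below are constructed placeholders.

```python
import re

# Constructed sample Terraform config. Block 1 mirrors the "before" state in the
# PR (registry source + version constraint); block 2 mirrors the PR's intent
# (git source pinned to a full commit SHA); block 3 pins to a tag, which a
# repository owner can re-point, unlike a commit hash.
SAMPLE_TF = '''
module "acm" {
  source  = "example-org/acm/aws"
  version = "~> 4.0"
}

module "acm_hash_pinned" {
  source = "git::https://github.com/example-org/terraform-aws-acm.git?ref=0123456789abcdef0123456789abcdef01234567"
}

module "acm_tag_pinned" {
  source = "git::https://github.com/example-org/terraform-aws-acm.git?ref=v4.3.2"
}
'''

# Flat module blocks only (no nested braces); enough for this demonstration.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\}', re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_pin(source, version):
    """Return 'commit', 'tag', 'version' or 'unpinned' for one module source."""
    if source.startswith("git::"):
        ref = re.search(r"[?&]ref=([^&]+)", source)
        if not ref:
            return "unpinned"  # follows the default branch, so it floats
        # A full 40-hex SHA names exact content; anything else is a movable ref.
        return "commit" if FULL_SHA_RE.match(ref.group(1)) else "tag"
    # Registry-style source: a version constraint, but no content hash.
    return "version" if version else "unpinned"


def audit(tf_text):
    """Map every module block name in tf_text to its pin classification."""
    results = {}
    for name, body in MODULE_RE.findall(tf_text):
        src = SOURCE_RE.search(body)
        ver = VERSION_RE.search(body)
        results[name] = classify_pin(src.group(1) if src else "",
                                     ver.group(1) if ver else None)
    return results
```

Running `audit(SAMPLE_TF)` flags only `acm_hash_pinned` as commit-pinned; a linter would typically fail the build on the other two.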
