fix: Remove unused TF_VAR_renovate_* variables from pipeline

The renovate_endpoint and renovate_token values are retrieved from
Vault (secret/renovate) via data sources in the Terraform code, not
passed as Terraform variables.

Changes:
- Commented out TF_VAR_renovate_endpoint in all pipeline stages
- Commented out TF_VAR_renovate_token in all pipeline stages
- These values are properly sourced from Vault data sources

This fixes the container restart issue where Renovate couldn't find
the Gitea personal access token because the environment variable
wasn't being set correctly from Vault data.

Affected stages:
- terraform-validate (init and validate steps)
- terraform-plan (init and plan steps)
- terraform-apply (init and apply steps)
- terraform-destroy (init, plan, and execute steps)
Patrick de Ruiter 2025-11-19 13:32:59 +01:00
parent 9c9df2fbf8
commit 1cca7c9267
Signed by: pderuiter
GPG Key ID: 5EBA7F21CF583321


@ -83,8 +83,8 @@ jobs:
env: env:
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/" #TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
TF_VAR_renovate_token: "dummy-token-for-validation" #TF_VAR_renovate_token: "dummy-token-for-validation"
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: terraform init -backend=false run: terraform init -backend=false
@ -92,8 +92,8 @@ jobs:
env: env:
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/" #TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
TF_VAR_renovate_token: "dummy-token-for-validation" #TF_VAR_renovate_token: "dummy-token-for-validation"
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: terraform validate run: terraform validate
@ -154,8 +154,8 @@ jobs:
TF_BACKEND_REGION: "main" TF_BACKEND_REGION: "main"
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
terraform init -input=false \ terraform init -input=false \
@ -175,8 +175,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
terraform plan -input=false -out=tfplan terraform plan -input=false -out=tfplan
@ -254,8 +254,8 @@ jobs:
TF_BACKEND_REGION: "main" TF_BACKEND_REGION: "main"
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
terraform init \ terraform init \
@ -287,8 +287,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: terraform apply -input=false -auto-approve tfplan run: terraform apply -input=false -auto-approve tfplan
@ -350,8 +350,8 @@ jobs:
TF_BACKEND_REGION: "main" TF_BACKEND_REGION: "main"
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
echo "Performing fresh terraform init (no cache for safety)..." echo "Performing fresh terraform init (no cache for safety)..."
@ -372,8 +372,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
echo "Generating destroy plan..." echo "Generating destroy plan..."
@ -387,8 +387,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }} TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }} TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }} #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }} #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: | run: |
echo "🔥 DESTROYING INFRASTRUCTURE..." echo "🔥 DESTROYING INFRASTRUCTURE..."
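Review bot: The new side keeps the `TF_VAR_renovate_*` entries as commented-out YAML (`#TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}`) in all nine hunks instead of deleting them, so a reference to the `RENOVATE_TOKEN` repository secret stays in the workflow and can be re-enabled by a later edit without anyone noticing; since the description states these values now come from Vault data sources, the two lines should be removed in each `env:` block rather than commented. With the pipeline no longer consuming `secrets.RENOVATE_ENDPOINT` / `secrets.RENOVATE_TOKEN`, the repository secrets themselves are presumably unused and should be reviewed for removal, and the token considered for rotation given it was previously injected into the plan, apply and destroy job environments. If the lines are kept as comments, yamllint's `comments` rule expects a space after the hash, `# TF_VAR_renovate_token: ...`. The steps that own these `env:` blocks start outside each hunk, so their names are not visible here.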