diff --git a/.gitignore b/.gitignore
index 9b8a46e..b25261b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,7 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Ignore backend configuration files that may contain credentials
+backend.hcl
+*.backend.hcl
diff --git a/README.md b/README.md
index 3287e8c..376eded 100644
--- a/README.md
+++ b/README.md
@@ -164,17 +164,67 @@ module "renovate" {
 }
 ```
-### 3. Initialize Terraform
+### 3. Configure Backend (Optional)
+
+If using remote state storage (recommended), configure the backend:
 ```bash
+# Option 1: Using environment variables
+export AWS_ACCESS_KEY_ID="your-minio-access-key"
+export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
+
+terraform init \
+  -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
+  -backend-config="bucket=terraform-state" \
+  -backend-config="key=docker/renovate/terraform.tfstate" \
+  -backend-config="region=main" \
+  -backend-config="skip_credentials_validation=true" \
+  -backend-config="skip_metadata_api_check=true" \
+  -backend-config="skip_requesting_account_id=true" \
+  -backend-config="skip_region_validation=true" \
+  -backend-config="use_path_style=true"
+```
+
+Or create a `backend.hcl` file:
+
+```hcl
+# backend.hcl
+endpoints = {
+ s3 = "https://minio.example.com:443"
+}
+bucket = "terraform-state"
+key = "docker/renovate/terraform.tfstate"
+region = "main"
+skip_credentials_validation = true
+skip_metadata_api_check = true
+skip_requesting_account_id = true
+skip_region_validation = true
+use_path_style = true
+```
+
+Then initialize:
+
+```bash
+export AWS_ACCESS_KEY_ID="your-minio-access-key"
+export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
+terraform init -backend-config=backend.hcl
+```
+
+### 4. Initialize Terraform
+
+```bash
+# For local state (not recommended for production)
 terraform init
+
+# Or with remote backend (see step 3)
+terraform init -backend-config=backend.hcl
 ```
 This will:
 - Download required providers (Docker, Vault, DNS)
-- Configure the MinIO backend for state storage
+- Configure the backend for state storage (if specified)
-### 4. Plan Deployment
+### 5. Plan Deployment
 ```bash
 terraform plan
@@ -182,7 +232,7 @@ terraform plan
 Review the planned changes to ensure everything is correct.
-### 5. Apply Configuration
+### 6. Apply Configuration
 ```bash
 terraform apply
@@ -190,7 +240,7 @@ terraform apply
 Confirm the changes to deploy the Renovate bot.
-### 6. Verify Deployment
+### 7. Verify Deployment
 After deployment:
@@ -326,13 +376,15 @@ For repositories with Terraform code:
 ### Hardcoded Values
-The following values are hardcoded and may need customization:
+The following values are hardcoded in `provider.tf` and may need customization:
-- **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf)
-- **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf)
-- **MinIO Endpoint**: `https://minio.bsdserver.nl:443` (backend.tf)
-- **MinIO Credentials**: Access and secret keys in backend.tf (consider moving to variables)
-- **State File Path**: `home/docker/renovate/renovate.tfstate` (backend.tf)
+- **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf:26)
+- **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf:33)
+
+**Note**: Backend configuration (MinIO/S3) is no longer hardcoded. Configure it via:
+- Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
+- Command-line flags during `terraform init` (see "Configure Backend" section)
+- Backend configuration file (`backend.hcl`)
 ### Security Considerations
@@ -347,7 +399,7 @@ The following values are hardcoded and may need customization:
 ⚠️ **Security Notes**:
-1. **Hardcoded Credentials**: MinIO credentials in `backend.tf` should be moved to environment variables
+1. **Backend Credentials**: Use environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) instead of hardcoding
 2. **Token Management**: Store `renovate_token` in Vault or use environment variables
 3. **Repository Access**: Ensure bot user only has access to intended repositories
 4. **Log Retention**: Logs are sent to Docker daemon - ensure proper retention policies
diff --git a/backend.tf b/backend.tf
index 6ec9e79..1e8da3c 100644
--- a/backend.tf
+++ b/backend.tf
@@ -1,20 +1,24 @@
 terraform {
 backend "s3" {
- endpoints = {
- s3 = "https://minio.bsdserver.nl:443"
- }
-
- bucket = "home-terraform"
- key = "home/docker/renovate/renovate.tfstate"
-
- access_key = "R9lCycfEO8qJ2dxlQT1S"
- secret_key = "6rtVLjDIjx7U9ecNRkdbS3idSBNWsfNhN6wB20sJ"
-
- region = "main"
- skip_credentials_validation = true
- skip_metadata_api_check = true
- skip_requesting_account_id = true
- skip_region_validation = true
- use_path_style = true
+ # Backend configuration should be provided via:
+ # 1. Command-line flags during terraform init
+ # 2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+ # 3. Backend config file
+ #
+ # Example init command:
+ # terraform init \
+ # -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
+ # -backend-config="bucket=terraform-state" \
+ # -backend-config="key=docker/renovate/terraform.tfstate" \
+ # -backend-config="region=main" \
+ # -backend-config="skip_credentials_validation=true" \
+ # -backend-config="skip_metadata_api_check=true" \
+ # -backend-config="skip_requesting_account_id=true" \
+ # -backend-config="skip_region_validation=true" \
+ # -backend-config="use_path_style=true"
+ #
+ # Or use environment variables:
+ # export AWS_ACCESS_KEY_ID="your-access-key"
+ # export AWS_SECRET_ACCESS_KEY="your-secret-key"
 }
 }
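Review bot: Removing `access_key`/`secret_key` from this block does not revoke them — the MinIO key pair deleted here is still in the parent commit and in every existing clone, so it has to be treated as leaked and rotated on the MinIO side (and the history rewritten if the repository is shared), which nothing in this commit mentions. With the block now empty, `backend "s3" {}` is a partial backend configuration: a bare `terraform init` will not silently fall back to local state but will fail or prompt for the required `bucket`/`key`, so the leading comment should state that, e.g. `# Partial backend config: terraform init requires -backend-config (see README "Configure Backend").`. The state written to this bucket will presumably contain whatever the Vault and Docker providers resolve at apply time, so a line such as `# NOTE: state stored in this bucket may contain secrets; restrict bucket access accordingly.` is worth adding alongside the credential guidance.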