security: Remove hardcoded credentials from backend configuration
Some checks failed
Code Quality & Security Scan / TFLint (push) Successful in 20s
Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 23s
Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s
Code Quality & Security Scan / Terraform Validate (push) Successful in 35s
Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s
Code Quality & Security Scan / Terraform Plan (push) Failing after 25s
Code Quality & Security Scan / Terraform Apply (push) Has been skipped

Removed all hardcoded sensitive values from backend.tf:
- MinIO endpoint URL
- Bucket name
- State file key/path
- Access key and secret key

Security Improvements:
- Backend configuration now uses environment variables
- Added comprehensive documentation for backend setup
- Provided examples for both env vars and backend.hcl
- Added backend.hcl to .gitignore to prevent credential leaks
- Updated README with secure configuration instructions
- Fixed step numbering in README after adding backend config section

Backend Configuration Methods:
1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
2. Command-line flags during terraform init
3. Backend configuration file (backend.hcl) - now gitignored

Breaking Change:
- Users must now explicitly configure backend during terraform init
- No default backend configuration provided for security reasons

See README section 'Configure Backend (Optional)' for detailed setup instructions.
This commit is contained in:
Patrick de Ruiter 2025-11-17 08:35:16 +01:00
parent 3a85a73a1b
commit 696bffd023
Signed by: pderuiter
GPG Key ID: 5EBA7F21CF583321
3 changed files with 88 additions and 28 deletions

.gitignore vendored

@ -32,3 +32,7 @@ override.tf.json
# Ignore CLI configuration files # Ignore CLI configuration files
.terraformrc .terraformrc
terraform.rc terraform.rc
# Ignore backend configuration files that may contain credentials
backend.hcl
*.backend.hcl
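Review bot: An ignore rule is forward-looking only; it does not cover a `backend.hcl` that is already tracked (that needs `git rm --cached backend.hcl` first), and it does nothing about the access key and secret key this same commit removes from backend.tf, which stay recoverable from the parent commit. The "prevent credential leaks" bullet in the commit message reads as if the ignore rule alone closes the issue; the README or commit message should say that the previously committed keys must be treated as exposed and rotated.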


@ -164,17 +164,67 @@ module "renovate" {
} }
``` ```
### 3. Initialize Terraform ### 3. Configure Backend (Optional)
If using remote state storage (recommended), configure the backend:
```bash ```bash
# Option 1: Using environment variables
export AWS_ACCESS_KEY_ID="your-minio-access-key"
export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
terraform init \
-backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
-backend-config="bucket=terraform-state" \
-backend-config="key=docker/renovate/terraform.tfstate" \
-backend-config="region=main" \
-backend-config="skip_credentials_validation=true" \
-backend-config="skip_metadata_api_check=true" \
-backend-config="skip_requesting_account_id=true" \
-backend-config="skip_region_validation=true" \
-backend-config="use_path_style=true"
```
Or create a `backend.hcl` file:
```hcl
# backend.hcl
endpoints = {
s3 = "https://minio.example.com:443"
}
bucket = "terraform-state"
key = "docker/renovate/terraform.tfstate"
region = "main"
skip_credentials_validation = true
skip_metadata_api_check = true
skip_requesting_account_id = true
skip_region_validation = true
use_path_style = true
```
Then initialize:
```bash
export AWS_ACCESS_KEY_ID="your-minio-access-key"
export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
terraform init -backend-config=backend.hcl
```
### 4. Initialize Terraform
```bash
# For local state (not recommended for production)
terraform init terraform init
# Or with remote backend (see step 3)
terraform init -backend-config=backend.hcl
``` ```
This will: This will:
- Download required providers (Docker, Vault, DNS) - Download required providers (Docker, Vault, DNS)
- Configure the MinIO backend for state storage - Configure the backend for state storage (if specified)
### 4. Plan Deployment ### 5. Plan Deployment
```bash ```bash
terraform plan terraform plan
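Review bot: The example values in the new step 3 (`bucket=terraform-state`, `key=docker/renovate/terraform.tfstate`, `https://minio.example.com:443`) are not the values this repository's state lived under before this commit (`home-terraform`, `home/docker/renovate/renovate.tfstate`, removed from backend.tf in the third file of this change); an operator who follows the README verbatim initializes against an empty state, and `terraform apply` will then try to recreate the Renovate container. Label the values as placeholders and say where the real bucket and key are to be obtained. Also, `export AWS_SECRET_ACCESS_KEY="..."` typed at an interactive prompt is recorded in shell history; suggest reading the secret with `read -rs` or exporting it from a secret manager rather than pasting it on the command line.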
@ -182,7 +232,7 @@ terraform plan
Review the planned changes to ensure everything is correct. Review the planned changes to ensure everything is correct.
### 5. Apply Configuration ### 6. Apply Configuration
```bash ```bash
terraform apply terraform apply
@ -190,7 +240,7 @@ terraform apply
Confirm the changes to deploy the Renovate bot. Confirm the changes to deploy the Renovate bot.
### 6. Verify Deployment ### 7. Verify Deployment
After deployment: After deployment:
@ -326,13 +376,15 @@ For repositories with Terraform code:
### Hardcoded Values ### Hardcoded Values
The following values are hardcoded and may need customization: The following values are hardcoded in `provider.tf` and may need customization:
- **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf) - **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf:26)
- **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf) - **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf:33)
- **MinIO Endpoint**: `https://minio.bsdserver.nl:443` (backend.tf)
- **MinIO Credentials**: Access and secret keys in backend.tf (consider moving to variables) **Note**: Backend configuration (MinIO/S3) is no longer hardcoded. Configure it via:
- **State File Path**: `home/docker/renovate/renovate.tfstate` (backend.tf) - Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
- Command-line flags during `terraform init` (see "Configure Backend" section)
- Backend configuration file (`backend.hcl`)
### Security Considerations ### Security Considerations
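Review bot: The `provider.tf:26` and `provider.tf:33` line references in the rewritten Hardcoded Values section will go stale on the next edit to provider.tf; point at the provider block and argument instead (the Docker provider's `host` and the Vault provider's `address`), which is what a reader needs to find anyway.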
@ -347,7 +399,7 @@ The following values are hardcoded and may need customization:
⚠️ **Security Notes**: ⚠️ **Security Notes**:
1. **Hardcoded Credentials**: MinIO credentials in `backend.tf` should be moved to environment variables 1. **Backend Credentials**: Use environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) instead of hardcoding
2. **Token Management**: Store `renovate_token` in Vault or use environment variables 2. **Token Management**: Store `renovate_token` in Vault or use environment variables
3. **Repository Access**: Ensure bot user only has access to intended repositories 3. **Repository Access**: Ensure bot user only has access to intended repositories
4. **Log Retention**: Logs are sent to Docker daemon - ensure proper retention policies 4. **Log Retention**: Logs are sent to Docker daemon - ensure proper retention policies
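Review bot: Item 1 now reads as if the credential exposure is resolved, but the `access_key` and `secret_key` that were committed in backend.tf (and are visible in the removed lines of this commit) remain in repository history; the note should tell operators to revoke those MinIO keys and issue new ones, not only to use environment variables from now on.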


@ -1,20 +1,24 @@
terraform { terraform {
backend "s3" { backend "s3" {
endpoints = { # Backend configuration should be provided via:
s3 = "https://minio.bsdserver.nl:443" # 1. Command-line flags during terraform init
} # 2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
# 3. Backend config file
bucket = "home-terraform" #
key = "home/docker/renovate/renovate.tfstate" # Example init command:
# terraform init \
access_key = "R9lCycfEO8qJ2dxlQT1S" # -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
secret_key = "6rtVLjDIjx7U9ecNRkdbS3idSBNWsfNhN6wB20sJ" # -backend-config="bucket=terraform-state" \
# -backend-config="key=docker/renovate/terraform.tfstate" \
region = "main" # -backend-config="region=main" \
skip_credentials_validation = true # -backend-config="skip_credentials_validation=true" \
skip_metadata_api_check = true # -backend-config="skip_metadata_api_check=true" \
skip_requesting_account_id = true # -backend-config="skip_requesting_account_id=true" \
skip_region_validation = true # -backend-config="skip_region_validation=true" \
use_path_style = true # -backend-config="use_path_style=true"
#
# Or use environment variables:
# export AWS_ACCESS_KEY_ID="your-access-key"
# export AWS_SECRET_ACCESS_KEY="your-secret-key"
} }
} }
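Review bot: The removed `access_key` and `secret_key` values were live MinIO credentials and are still present in the parent commit, so this change is only complete once those keys are revoked on the MinIO side; nothing in the commit mentions that. Separately, leaving `backend "s3" {}` with no arguments is a valid partial configuration, but it is also why the Terraform Plan check on this push fails: the CI `terraform init` no longer has any backend settings and no `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in its environment. The workflow needs the `-backend-config` values and the two variables supplied from its secret store before Plan and Apply can run again.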