security: Remove hardcoded credentials from backend configuration

Removed all hardcoded sensitive values from backend.tf: - MinIO endpoint URL - Bucket name - State file key/path - Access key and secret key Security Improvements: - Backend configuration now uses environment variables - Added comprehensive documentation for backend setup - Provided examples for both env vars and backend.hcl - Added backend.hcl to .gitignore to prevent credential leaks - Updated README with secure configuration instructions - Fixed step numbering in README after adding backend config section Backend Configuration Methods: 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) 2. Command-line flags during terraform init 3. Backend configuration file (backend.hcl) - now gitignored Breaking Change: - Users must now explicitly configure backend during terraform init - No default backend configuration provided for security reasons See README section 'Configure Backend (Optional)' for detailed setup instructions.
2025-11-17 08:35:16 +01:00 · 2025-11-17 08:35:16 +01:00 · 696bffd023
commit 696bffd023
parent 3a85a73a1b
3 changed files with 88 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,7 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Ignore backend configuration files that may contain credentials
+backend.hcl
+*.backend.hcl
--- a/README.md
+++ b/README.md
@ -164,17 +164,67 @@ module "renovate" {
 }
 ```

-### 3. Initialize Terraform
+### 3. Configure Backend (Optional)
+
+If using remote state storage (recommended), configure the backend:

 ```bash
+# Option 1: Using environment variables
+export AWS_ACCESS_KEY_ID="your-minio-access-key"
+export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
+
+terraform init \
+  -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
+  -backend-config="bucket=terraform-state" \
+  -backend-config="key=docker/renovate/terraform.tfstate" \
+  -backend-config="region=main" \
+  -backend-config="skip_credentials_validation=true" \
+  -backend-config="skip_metadata_api_check=true" \
+  -backend-config="skip_requesting_account_id=true" \
+  -backend-config="skip_region_validation=true" \
+  -backend-config="use_path_style=true"
+```
+
+Or create a `backend.hcl` file:
+
+```hcl
+# backend.hcl
+endpoints = {
+  s3 = "https://minio.example.com:443"
+}
+bucket                      = "terraform-state"
+key                         = "docker/renovate/terraform.tfstate"
+region                      = "main"
+skip_credentials_validation = true
+skip_metadata_api_check     = true
+skip_requesting_account_id  = true
+skip_region_validation      = true
+use_path_style              = true
+```
+
+Then initialize:
+
+```bash
+export AWS_ACCESS_KEY_ID="your-minio-access-key"
+export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
+terraform init -backend-config=backend.hcl
+```
+
+### 4. Initialize Terraform
+
+```bash
+# For local state (not recommended for production)
 terraform init
+
+# Or with remote backend (see step 3)
+terraform init -backend-config=backend.hcl
 ```

 This will:
 - Download required providers (Docker, Vault, DNS)
- Configure the MinIO backend for state storage
+- Configure the backend for state storage (if specified)

-### 4. Plan Deployment
+### 5. Plan Deployment

 ```bash
 terraform plan
@ -182,7 +232,7 @@ terraform plan

 Review the planned changes to ensure everything is correct.

-### 5. Apply Configuration
+### 6. Apply Configuration

 ```bash
 terraform apply
@ -190,7 +240,7 @@ terraform apply

 Confirm the changes to deploy the Renovate bot.

-### 6. Verify Deployment
+### 7. Verify Deployment

 After deployment:

@ -326,13 +376,15 @@ For repositories with Terraform code:

 ### Hardcoded Values

-The following values are hardcoded and may need customization:
+The following values are hardcoded in `provider.tf` and may need customization:

- **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf)
- **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf)
- **MinIO Endpoint**: `https://minio.bsdserver.nl:443` (backend.tf)
- **MinIO Credentials**: Access and secret keys in backend.tf (consider moving to variables)
- **State File Path**: `home/docker/renovate/renovate.tfstate` (backend.tf)
+- **Docker Host**: `tcp://192.168.2.170:2376` (provider.tf:26)
+- **Vault Address**: `https://wbyc-srv-docker01.bsdserver.lan:8200` (provider.tf:33)
+
+**Note**: Backend configuration (MinIO/S3) is no longer hardcoded. Configure it via:
+- Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
+- Command-line flags during `terraform init` (see "Configure Backend" section)
+- Backend configuration file (`backend.hcl`)

 ### Security Considerations

@ -347,7 +399,7 @@ The following values are hardcoded and may need customization:

 ⚠️ **Security Notes**:

-1. **Hardcoded Credentials**: MinIO credentials in `backend.tf` should be moved to environment variables
+1. **Backend Credentials**: Use environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) instead of hardcoding
 2. **Token Management**: Store `renovate_token` in Vault or use environment variables
 3. **Repository Access**: Ensure bot user only has access to intended repositories
 4. **Log Retention**: Logs are sent to Docker daemon - ensure proper retention policies
--- a/backend.tf
+++ b/backend.tf
@ -1,20 +1,24 @@
 terraform {
  backend "s3" {
-    endpoints = {
-      s3 = "https://minio.bsdserver.nl:443"
-    }
-
-    bucket = "home-terraform"
-    key    = "home/docker/renovate/renovate.tfstate"
-
-    access_key = "R9lCycfEO8qJ2dxlQT1S"
-    secret_key = "6rtVLjDIjx7U9ecNRkdbS3idSBNWsfNhN6wB20sJ"
-
-    region                      = "main"
-    skip_credentials_validation = true
-    skip_metadata_api_check     = true
-    skip_requesting_account_id  = true
-    skip_region_validation      = true
-    use_path_style              = true
+    # Backend configuration should be provided via:
+    # 1. Command-line flags during terraform init
+    # 2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+    # 3. Backend config file
+    #
+    # Example init command:
+    #   terraform init \
+    #     -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
+    #     -backend-config="bucket=terraform-state" \
+    #     -backend-config="key=docker/renovate/terraform.tfstate" \
+    #     -backend-config="region=main" \
+    #     -backend-config="skip_credentials_validation=true" \
+    #     -backend-config="skip_metadata_api_check=true" \
+    #     -backend-config="skip_requesting_account_id=true" \
+    #     -backend-config="skip_region_validation=true" \
+    #     -backend-config="use_path_style=true"
+    #
+    # Or use environment variables:
+    #   export AWS_ACCESS_KEY_ID="your-access-key"
+    #   export AWS_SECRET_ACCESS_KEY="your-secret-key"
  }
 }