4 Commits

Author SHA1 Message Date
1cca7c9267
fix: Remove unused TF_VAR_renovate_* variables from pipeline
All checks were successful
  Code Quality & Security Scan / TFLint (push) Successful in 23s
  Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
  Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 31s
  Code Quality & Security Scan / Checkov Security Scan (push) Successful in 33s
  Code Quality & Security Scan / Terraform Validate (push) Successful in 35s
  Code Quality & Security Scan / SonarQube Scan (push) Successful in 45s
  Code Quality & Security Scan / Terraform Plan (push) Successful in 1m16s
  Code Quality & Security Scan / Terraform Apply (push) Successful in 1m35s

The renovate_endpoint and renovate_token values are retrieved from
Vault (secret/renovate) via data sources in the Terraform code, not
passed as Terraform variables.

Changes:
- Commented out TF_VAR_renovate_endpoint in all pipeline stages
- Commented out TF_VAR_renovate_token in all pipeline stages
- These values are properly sourced from Vault data sources

This fixes the container restart issue where Renovate couldn't find
the Gitea personal access token because the environment variable
wasn't being set correctly from Vault data.

Affected stages:
- terraform-validate (init and validate steps)
- terraform-plan (init and plan steps)
- terraform-apply (init and apply steps)
- terraform-destroy (init, plan, and execute steps)
2025-11-19 13:32:59 +01:00

899fac55bb
feat: Replace pipeline with working configuration from EDA module
Some checks failed
  Code Quality & Security Scan / TFLint (push) Successful in 20s
  Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
  Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 30s
  Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s
  Code Quality & Security Scan / Terraform Validate (push) Failing after 31s
  Code Quality & Security Scan / SonarQube Scan (push) Has been skipped
  Code Quality & Security Scan / Terraform Plan (push) Has been skipped
  Code Quality & Security Scan / Terraform Apply (push) Has been skipped

Added working pipeline based on terraform-docker-eda module:
- Added pipeline.yaml with complete CI/CD workflow including Vault CLI setup
- Added setup-ssh.sh for Docker provider SSH key authentication
- Added .tflint.hcl for Terraform linting configuration
- Removed old sonarqube.yaml pipeline file

Pipeline now includes:
- Vault CLI installation and SSH key setup via script
- Proper backend configuration with -backend-config flags
- All security scans: TFLint, Tfsec, Checkov
- SonarQube integration
- Terraform plan/apply with MinIO artifact storage
- Terraform destroy workflow with manual approval

This pipeline configuration has been proven to work with Vault, MinIO,
and Docker providers using self-signed certificates.
2025-11-18 03:09:53 +01:00

2a5fb1ebd0
fix: Add backend configuration to all pipeline terraform init steps
Some checks failed
  Code Quality & Security Scan / TFLint (push) Successful in 18s
  Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
  Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s
  Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s
  Code Quality & Security Scan / Terraform Validate (push) Successful in 34s
  Code Quality & Security Scan / SonarQube Trigger (push) Successful in 37s
  Code Quality & Security Scan / Terraform Plan (push) Failing after 32s
  Code Quality & Security Scan / Terraform Apply (push) Has been skipped

Updated all terraform init commands in the pipeline to include backend configuration:
- terraform-plan job: Added backend-config flags
- terraform-apply job: Added backend-config flags
- terraform-destroy job: Added backend-config flags

Backend Configuration:
- Uses secrets for all values (MINIO_ENDPOINT, MINIO_BUCKET)
- State file key: docker/renovate/terraform.tfstate
- Credentials from AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars
- Region: main
- S3-compatible settings for MinIO

Required Secrets (should already be available):
- MINIO_ACCESS_KEY, MINIO_SECRET_KEY
- MINIO_ENDPOINT, MINIO_BUCKET
- VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR
- RENOVATE_ENDPOINT, RENOVATE_TOKEN
- SONARQUBE_HOST, SONARQUBE_TOKEN

Fixes pipeline error: Missing Required Value for bucket, key, and region
2025-11-18 02:57:09 +01:00

86d9e60dd6
feat: Add CI/CD pipeline and SonarQube configuration
Some checks failed
  Code Quality & Security Scan / TFLint (push) Failing after 18s
  Code Quality & Security Scan / Tfsec Security Scan (push) Has been skipped
  Code Quality & Security Scan / Checkov Security Scan (push) Has been skipped
  Code Quality & Security Scan / Terraform Validate (push) Has been skipped
  Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped
  Code Quality & Security Scan / Terraform Plan (push) Has been skipped
  Code Quality & Security Scan / Terraform Apply (push) Has been skipped
  Code Quality & Security Scan / Terraform Destroy (push) Has been skipped

Added comprehensive Gitea Actions pipeline with:
- TFLint for Terraform linting
- Tfsec for security scanning
- Checkov for policy validation
- Terraform validate for syntax checking
- SonarQube integration for code quality analysis
- Terraform plan/apply workflow with MinIO artifact storage
- Terraform destroy workflow with manual approval

Pipeline Features:
- Runs on push to main and pull requests
- Sequential job execution with proper dependencies
- Secure secrets management for Vault, MinIO, and Renovate
- Plan artifact storage in MinIO for apply jobs
- Production environment protection for apply
- Destroy approval environment for safety
- Support for destroy via PR label

SonarQube Configuration:
- Project metadata and version tracking
- Terraform-specific exclusions
- Proper source encoding
- Documentation links to Gitea repository

Required Secrets:
- VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR
- MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_ENDPOINT, MINIO_BUCKET
- RENOVATE_ENDPOINT, RENOVATE_TOKEN
- SONARQUBE_HOST, SONARQUBE_TOKEN
2025-11-17 08:25:38 +01:00