terraform-docker-renovate

Author	SHA1	Message	Date
Patrick de Ruiter	b673dbb0c9	fix: Use cron syntax for schedule per Renovate docs Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 22s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 45s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 33s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details	2025-11-29 12:12:15 +01:00
Patrick de Ruiter	9cee473d1e	feat: Schedule Renovate to run only between 2-4 AM Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 22s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 54s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 25s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Add schedule configuration to reduce resource usage by limiting Renovate runs to a nightly maintenance window. - schedule: 'after 2am and before 4am' - timezone: Europe/Amsterdam Renovate will now only check for updates during this window instead of running continuously.	2025-11-29 12:08:51 +01:00
Patrick de Ruiter	16bb56c454	feat: Add regex managers for Docker container versioning in Terraform Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 26s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 33s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 32s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Add support for Renovate to detect and update Docker image versions defined in Terraform files using annotation comments. Changes: - Add 3 regex managers to config.js.tpl for different annotation patterns: - Basic: # renovate: datasource=docker - With versioning: # renovate: datasource=docker versioning=semver - Separate variable: # renovate: datasource=docker depName=redis - Update README.md with comprehensive Docker container annotation docs - Update QUICKSTART.md with Terraform Docker container examples - Add example-annotated-containers.tf with usage patterns This enables Renovate to automatically create PRs when Docker images used in Terraform container definitions have updates available.	2025-11-28 04:09:14 +01:00
Patrick de Ruiter	77e6102b0c	docs: Clean up documentation - remove stale content and fix inconsistencies All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 41s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 36s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 41s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m20s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m18s Details Comprehensive documentation cleanup to align with current implementation and remove outdated/confusing content. DELETED: - SUMMARY.md - Historical migration document from Ansible EDA to Renovate (migration is complete, document no longer needed) UPDATED README.md Variables Section: - Split into "Terraform Variables" and "Vault-Stored Configuration" sections - Removed 5 incorrectly documented variables that are actually stored in Vault: * renovate_platform, renovate_endpoint, renovate_token * renovate_git_author, renovate_username - Added missing variable documentation: * dns_servers (list of DNS servers for hostname resolution) * vault_skip_tls_verify (skip TLS verification for Vault) - Fixed log_level default value: "info" → "debug" (matches variables.tf) - Added clear explanation that Vault keys are NOT Terraform variables - Added reference to "Store Credentials in Vault" section UPDATED QUICKSTART.md Troubleshooting: - Added DNS resolution error troubleshooting section - Documents ENOTFOUND errors and how to resolve them - Provides diagnostic commands (dig @DNS_SERVER hostname) - Shows how to configure dns_servers variable - Explains hostname verification (git.bsdserver.nl vs gitea.bsdserver.nl) - Provides alternative solution (use IP address instead of hostname) These changes ensure documentation accurately reflects: - Current implementation (Vault-based credential storage) - All available configuration options (including dns_servers) - Correct default values - Clear separation between TF vars and Vault-stored config - Complete troubleshooting guidance for common issues	2025-11-20 11:07:27 +01:00
Patrick de Ruiter	56e15bd594	fix: Only set DNS if dns_servers list is not empty All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 22s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 32s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m16s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m21s Details Changed dns configuration to use conditional assignment to avoid setting empty DNS list which Docker might ignore. Changes: - dns = length(var.dns_servers) > 0 ? var.dns_servers : null This ensures that: - If dns_servers is empty, dns is set to null (Docker uses defaults) - If dns_servers has values, they are properly applied to container	2025-11-20 10:21:25 +01:00
Patrick de Ruiter	89f0029d67	fix: Add DNS server configuration to all pipeline stages All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 21s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 26s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 39s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m21s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m42s Details Added TF_VAR_dns_servers to all pipeline stages to configure the Renovate container to use internal DNS server for hostname resolution. Changes: - Added TF_VAR_dns_servers: '["192.168.2.2"]' to all pipeline env blocks - Applied to: terraform-plan (init and plan) - Applied to: terraform-apply (init and apply) - Applied to: terraform-destroy (init, plan, execute) This configures the Renovate container to use 192.168.2.2 as its DNS server, allowing it to resolve internal hostnames like gitea.bsdserver.nl. Fixes the ENOTFOUND DNS error: getaddrinfo ENOTFOUND gitea.bsdserver.nl The DNS configuration is passed as a Terraform variable in JSON array format: '["192.168.2.2"]'	2025-11-19 14:49:15 +01:00
Patrick de Ruiter	88f64911a7	fix: Add DNS server configuration support for internal hostname resolution All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 27s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 44s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 39s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m24s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m31s Details Added dns_servers variable to allow configuring custom DNS servers for the container to resolve internal hostnames. Changes: - Added dns_servers variable (list of strings, default empty) - Added dns configuration to docker_container resource in main.tf - Allows container to resolve internal domains like gitea.bsdserver.nl This fixes the ENOTFOUND DNS resolution error where the container couldn't resolve internal Gitea hostname, which was being reported as an "Authentication failure" but was actually a network/DNS issue. The error was: getaddrinfo ENOTFOUND gitea.bsdserver.nl Usage: dns_servers = ["192.168.x.x", "192.168.x.y"] If not specified (default), container uses Docker's default DNS.	2025-11-19 14:27:42 +01:00
Patrick de Ruiter	57e03ed2db	Upped loglevel to debug All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 30s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m24s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m45s Details	2025-11-19 14:18:04 +01:00
Patrick de Ruiter	906d000e8e	docs: Update all documentation with Vault credential requirements All checks were successful Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 31s Details Code Quality & Security Scan / TFLint (push) Successful in 21s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Terraform Validate (push) Successful in 32s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 42s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m22s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m57s Details Updated comprehensive documentation across README, QUICKSTART, and MIGRATION_GUIDE to clarify that Renovate credentials are stored in HashiCorp Vault, not passed as Terraform variables. Changes to README.md: - Added detailed Vault setup section in Gitea Bot Setup - Documented all 5 required keys in secret/renovate path - Added vault kv put example with all required fields - Added token regeneration instructions - Clarified prerequisites to include Vault secret requirements - Emphasized CRITICAL nature of Vault storage Changes to QUICKSTART.md: - Added comprehensive Step 3: Store Credentials in Vault - Included complete vault kv put command with all keys - Added verification steps with expected output - Listed common mistakes to avoid (missing username, wrong endpoint, etc.) - Updated Step 4 to clarify tfvars only needs Vault auth - Renumbered subsequent steps (5-9) - Added environment variable verification in Step 6 - Added troubleshooting steps for authentication errors Changes to MIGRATION_GUIDE.md: - Clearly separated Vault-stored config from Terraform variables - Added vault kv put example in New Required Configuration section - Updated migration steps to include Vault credential storage - Clarified that renovate_endpoint and renovate_token are NOT tfvars - Listed all 5 required Vault keys with descriptions These changes address the authentication failures caused by: - Missing renovate_username in environment variables - Confusion about where credentials should be stored - Token regeneration without updating Vault All documentation now consistently emphasizes the Vault-first approach and provides clear, copy-paste-ready commands for proper setup.	2025-11-19 13:59:25 +01:00
Patrick de Ruiter	2d287824c7	fix: Add missing RENOVATE_USERNAME environment variable All checks were successful Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s Details Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 24s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 39s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m21s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m36s Details The renovate_username value was stored in Vault but not being passed as an environment variable to the container, causing authentication failures with Gitea. Changes: - Added RENOVATE_USERNAME to the environment variables list in main.tf - Value is retrieved from Vault at secret/renovate with key renovate_username This should resolve the "Authentication failure" error in the Renovate container logs, as the username is required for proper Gitea authentication.	2025-11-19 13:44:55 +01:00
Patrick de Ruiter	1cca7c9267	fix: Remove unused TF_VAR_renovate_* variables from pipeline All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 23s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 31s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 33s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 45s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m16s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m35s Details The renovate_endpoint and renovate_token values are retrieved from Vault (secret/renovate) via data sources in the Terraform code, not passed as Terraform variables. Changes: - Commented out TF_VAR_renovate_endpoint in all pipeline stages - Commented out TF_VAR_renovate_token in all pipeline stages - These values are properly sourced from Vault data sources This fixes the container restart issue where Renovate couldn't find the Gitea personal access token because the environment variable wasn't being set correctly from Vault data. Affected stages: - terraform-validate (init and validate steps) - terraform-plan (init and plan steps) - terraform-apply (init and apply steps) - terraform-destroy (init, plan, and execute steps)	2025-11-19 13:32:59 +01:00
Patrick de Ruiter	9c9df2fbf8	Added sensitive boolean to outputs,tf All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 46s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m33s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 32s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 1m48s Details	2025-11-19 00:47:26 +01:00
Patrick de Ruiter	93ae123c1f	tf fmt Some checks failed Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 30s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 48s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 42s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 40s Details	2025-11-19 00:41:13 +01:00
Patrick de Ruiter	786d1acbb0	Fixed some more variables in main.tf replaced variable with data statement from vault Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 29s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 33s Details	2025-11-19 00:38:26 +01:00
Patrick de Ruiter	b70952d0f7	Fixed outputs.tf and main.tf replaced variable with data statement from vault Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 38s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 42s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 53s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details	2025-11-19 00:29:25 +01:00
Patrick de Ruiter	bbb8c1ac00	forgot terraform fmt Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 33s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 34s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 32s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details	2025-11-19 00:23:12 +01:00
Patrick de Ruiter	679d2f3286	Moved renovate settings and credentials to vault Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 19s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 22s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details	2025-11-19 00:20:23 +01:00
Patrick de Ruiter	eaab76901a	fix: Change Docker provider from TCP to SSH connection All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 26s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 40s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 30s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m16s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 3m27s Details Updated Docker provider configuration: - Changed from tcp://192.168.2.170:2376 to ssh://ansible@wbyc-srv-docker01.bsdserver.lan:22 - Added ssh_opts with path to SSH key and StrictHostKeyChecking=no - Removed cert_path configuration (not needed for SSH) This matches the working configuration from terraform-docker-eda module and uses the SSH key retrieved from Vault via setup-ssh.sh script.	2025-11-18 03:56:41 +01:00
Patrick de Ruiter	bb54c5bf5b	fix: Set vault_skip_tls_verify default to true Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 23s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 32s Details Code Quality & Security Scan / SonarQube Scan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Plan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details Code Quality & Security Scan / Terraform Validate (push) Has started running Details Changed vault_skip_tls_verify default from false to true to accommodate self-signed certificates in the infrastructure.	2025-11-18 03:54:51 +01:00
Patrick de Ruiter	e2b0c4c54e	fix: Add missing vault_skip_tls_verify variable declaration Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 25s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 33s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 44s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 49s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Added vault_skip_tls_verify variable to fix Terraform validation error. This variable is referenced in provider.tf but was not declared in variables.tf. Default value is false for security, can be set to true for self-signed certificates in development/testing environments.	2025-11-18 03:20:21 +01:00
Patrick de Ruiter	899fac55bb	feat: Replace pipeline with working configuration from EDA module Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 30s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 31s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Added working pipeline based on terraform-docker-eda module: - Added pipeline.yaml with complete CI/CD workflow including Vault CLI setup - Added setup-ssh.sh for Docker provider SSH key authentication - Added .tflint.hcl for Terraform linting configuration - Removed old sonarqube.yaml pipeline file Pipeline now includes: - Vault CLI installation and SSH key setup via script - Proper backend configuration with -backend-config flags - All security scans: TFLint, Tfsec, Checkov - SonarQube integration - Terraform plan/apply with MinIO artifact storage - Terraform destroy workflow with manual approval This pipeline configuration has been proven to work with Vault, MinIO, and Docker providers using self-signed certificates.	2025-11-18 03:09:53 +01:00
Patrick de Ruiter	2a5fb1ebd0	fix: Add backend configuration to all pipeline terraform init steps Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 34s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 37s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 32s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Updated all terraform init commands in the pipeline to include backend configuration: - terraform-plan job: Added backend-config flags - terraform-apply job: Added backend-config flags - terraform-destroy job: Added backend-config flags Backend Configuration: - Uses secrets for all values (MINIO_ENDPOINT, MINIO_BUCKET) - State file key: docker/renovate/terraform.tfstate - Credentials from AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars - Region: main - S3-compatible settings for MinIO Required Secrets (should already be available): - MINIO_ACCESS_KEY, MINIO_SECRET_KEY - MINIO_ENDPOINT, MINIO_BUCKET - VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR - RENOVATE_ENDPOINT, RENOVATE_TOKEN - SONARQUBE_HOST, SONARQUBE_TOKEN Fixes pipeline error: Missing Required Value for bucket, key, and region	2025-11-18 02:57:09 +01:00
Patrick de Ruiter	696bffd023	security: Remove hardcoded credentials from backend configuration Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 23s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 25s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Removed all hardcoded sensitive values from backend.tf: - MinIO endpoint URL - Bucket name - State file key/path - Access key and secret key Security Improvements: - Backend configuration now uses environment variables - Added comprehensive documentation for backend setup - Provided examples for both env vars and backend.hcl - Added backend.hcl to .gitignore to prevent credential leaks - Updated README with secure configuration instructions - Fixed step numbering in README after adding backend config section Backend Configuration Methods: 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) 2. Command-line flags during terraform init 3. Backend configuration file (backend.hcl) - now gitignored Breaking Change: - Users must now explicitly configure backend during terraform init - No default backend configuration provided for security reasons See README section 'Configure Backend (Optional)' for detailed setup instructions.	2025-11-17 08:35:16 +01:00
Patrick de Ruiter	3a85a73a1b	fix: Add missing Terraform and DNS provider version constraints Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been cancelled Details Code Quality & Security Scan / Terraform Validate (push) Has been cancelled Details Code Quality & Security Scan / Terraform Plan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details - Added required_version constraint (>= 1.5.0) - Added DNS provider to required_providers with version ~> 3.4 - Updated provider versions to use pessimistic constraint operator (~>) - Fixes TFLint warnings for missing version constraints	2025-11-17 08:28:13 +01:00
Patrick de Ruiter	86d9e60dd6	feat: Add CI/CD pipeline and SonarQube configuration Some checks failed Code Quality & Security Scan / TFLint (push) Failing after 18s Details Code Quality & Security Scan / Tfsec Security Scan (push) Has been skipped Details Code Quality & Security Scan / Checkov Security Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Validate (push) Has been skipped Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Added comprehensive Gitea Actions pipeline with: - TFLint for Terraform linting - Tfsec for security scanning - Checkov for policy validation - Terraform validate for syntax checking - SonarQube integration for code quality analysis - Terraform plan/apply workflow with MinIO artifact storage - Terraform destroy workflow with manual approval Pipeline Features: - Runs on push to main and pull requests - Sequential job execution with proper dependencies - Secure secrets management for Vault, MinIO, and Renovate - Plan artifact storage in MinIO for apply jobs - Production environment protection for apply - Destroy approval environment for safety - Support for destroy via PR label SonarQube Configuration: - Project metadata and version tracking - Terraform-specific exclusions - Proper source encoding - Documentation links to Gitea repository Required Secrets: - VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR - MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_ENDPOINT, MINIO_BUCKET - RENOVATE_ENDPOINT, RENOVATE_TOKEN - SONARQUBE_HOST, SONARQUBE_TOKEN	2025-11-17 08:25:38 +01:00
Patrick de Ruiter	d417281ee0	feat: Repurpose module from Ansible EDA to Renovate bot deployment Complete rewrite of the module to deploy a Renovate bot for automated dependency management with Gitea integration. Breaking Changes: - Module purpose changed from Ansible EDA to Renovate bot - All variables restructured for Renovate configuration - State file path updated to home/docker/renovate/renovate.tfstate - Volumes changed from EDA rulebooks/logs to config/cache - Container image now uses renovate/renovate:latest Added: - Gitea platform integration with token authentication - Renovate configuration template (config.js.tpl) - Repository configuration examples - Gitea Actions workflow examples - SonarQube integration examples - Comprehensive documentation (README, QUICKSTART, MIGRATION_GUIDE) - CHANGELOG.md for version tracking - Security best practices Removed: - All Ansible EDA-specific configuration - Traefik labels (not needed for Renovate) - Old EDA documentation files - example-rulebook.yml Updated: - Complete README with Gitea setup instructions - terraform.tfvars with Renovate configuration - All resource names from ansible_eda to renovate - Backend state path This is version 2.0.0 - not backward compatible with previous EDA version. See MIGRATION_GUIDE.md for detailed migration instructions.	2025-11-17 00:32:51 +01:00

26 Commits