terraform-docker-renovate

9 Commits 1 Branch 0 Tags

Author	SHA1	Message	Date
Patrick de Ruiter	eaab76901a	fix: Change Docker provider from TCP to SSH connection All checks were successful Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 26s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 40s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 30s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s Details Code Quality & Security Scan / Terraform Plan (push) Successful in 1m16s Details Code Quality & Security Scan / Terraform Apply (push) Successful in 3m27s Details Updated Docker provider configuration: - Changed from tcp://192.168.2.170:2376 to ssh://ansible@wbyc-srv-docker01.bsdserver.lan:22 - Added ssh_opts with path to SSH key and StrictHostKeyChecking=no - Removed cert_path configuration (not needed for SSH) This matches the working configuration from terraform-docker-eda module and uses the SSH key retrieved from Vault via setup-ssh.sh script.	2025-11-18 03:56:41 +01:00
Patrick de Ruiter	bb54c5bf5b	fix: Set vault_skip_tls_verify default to true Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 23s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 32s Details Code Quality & Security Scan / SonarQube Scan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Plan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details Code Quality & Security Scan / Terraform Validate (push) Has started running Details Changed vault_skip_tls_verify default from false to true to accommodate self-signed certificates in the infrastructure.	2025-11-18 03:54:51 +01:00
Patrick de Ruiter	e2b0c4c54e	fix: Add missing vault_skip_tls_verify variable declaration Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 25s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 35s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 33s Details Code Quality & Security Scan / SonarQube Scan (push) Successful in 44s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 49s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Added vault_skip_tls_verify variable to fix Terraform validation error. This variable is referenced in provider.tf but was not declared in variables.tf. Default value is false for security, can be set to true for self-signed certificates in development/testing environments.	2025-11-18 03:20:21 +01:00
Patrick de Ruiter	899fac55bb	feat: Replace pipeline with working configuration from EDA module Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 30s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Failing after 31s Details Code Quality & Security Scan / SonarQube Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Added working pipeline based on terraform-docker-eda module: - Added pipeline.yaml with complete CI/CD workflow including Vault CLI setup - Added setup-ssh.sh for Docker provider SSH key authentication - Added .tflint.hcl for Terraform linting configuration - Removed old sonarqube.yaml pipeline file Pipeline now includes: - Vault CLI installation and SSH key setup via script - Proper backend configuration with -backend-config flags - All security scans: TFLint, Tfsec, Checkov - SonarQube integration - Terraform plan/apply with MinIO artifact storage - Terraform destroy workflow with manual approval This pipeline configuration has been proven to work with Vault, MinIO, and Docker providers using self-signed certificates.	2025-11-18 03:09:53 +01:00
Patrick de Ruiter	2a5fb1ebd0	fix: Add backend configuration to all pipeline terraform init steps Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 39s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 34s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 37s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 32s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Updated all terraform init commands in the pipeline to include backend configuration: - terraform-plan job: Added backend-config flags - terraform-apply job: Added backend-config flags - terraform-destroy job: Added backend-config flags Backend Configuration: - Uses secrets for all values (MINIO_ENDPOINT, MINIO_BUCKET) - State file key: docker/renovate/terraform.tfstate - Credentials from AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars - Region: main - S3-compatible settings for MinIO Required Secrets (should already be available): - MINIO_ACCESS_KEY, MINIO_SECRET_KEY - MINIO_ENDPOINT, MINIO_BUCKET - VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR - RENOVATE_ENDPOINT, RENOVATE_TOKEN - SONARQUBE_HOST, SONARQUBE_TOKEN Fixes pipeline error: Missing Required Value for bucket, key, and region	2025-11-18 02:57:09 +01:00
Patrick de Ruiter	696bffd023	security: Remove hardcoded credentials from backend configuration Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 20s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 23s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / Terraform Validate (push) Successful in 35s Details Code Quality & Security Scan / SonarQube Trigger (push) Successful in 38s Details Code Quality & Security Scan / Terraform Plan (push) Failing after 25s Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Removed all hardcoded sensitive values from backend.tf: - MinIO endpoint URL - Bucket name - State file key/path - Access key and secret key Security Improvements: - Backend configuration now uses environment variables - Added comprehensive documentation for backend setup - Provided examples for both env vars and backend.hcl - Added backend.hcl to .gitignore to prevent credential leaks - Updated README with secure configuration instructions - Fixed step numbering in README after adding backend config section Backend Configuration Methods: 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) 2. Command-line flags during terraform init 3. Backend configuration file (backend.hcl) - now gitignored Breaking Change: - Users must now explicitly configure backend during terraform init - No default backend configuration provided for security reasons See README section 'Configure Backend (Optional)' for detailed setup instructions.	2025-11-17 08:35:16 +01:00
Patrick de Ruiter	3a85a73a1b	fix: Add missing Terraform and DNS provider version constraints Some checks failed Code Quality & Security Scan / TFLint (push) Successful in 18s Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 29s Details Code Quality & Security Scan / Checkov Security Scan (push) Successful in 37s Details Code Quality & Security Scan / SonarQube Trigger (push) Has been cancelled Details Code Quality & Security Scan / Terraform Validate (push) Has been cancelled Details Code Quality & Security Scan / Terraform Plan (push) Has been cancelled Details Code Quality & Security Scan / Terraform Apply (push) Has been cancelled Details - Added required_version constraint (>= 1.5.0) - Added DNS provider to required_providers with version ~> 3.4 - Updated provider versions to use pessimistic constraint operator (~>) - Fixes TFLint warnings for missing version constraints	2025-11-17 08:28:13 +01:00
Patrick de Ruiter	86d9e60dd6	feat: Add CI/CD pipeline and SonarQube configuration Some checks failed Code Quality & Security Scan / TFLint (push) Failing after 18s Details Code Quality & Security Scan / Tfsec Security Scan (push) Has been skipped Details Code Quality & Security Scan / Checkov Security Scan (push) Has been skipped Details Code Quality & Security Scan / Terraform Validate (push) Has been skipped Details Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped Details Code Quality & Security Scan / Terraform Plan (push) Has been skipped Details Code Quality & Security Scan / Terraform Apply (push) Has been skipped Details Code Quality & Security Scan / Terraform Destroy (push) Has been skipped Details Added comprehensive Gitea Actions pipeline with: - TFLint for Terraform linting - Tfsec for security scanning - Checkov for policy validation - Terraform validate for syntax checking - SonarQube integration for code quality analysis - Terraform plan/apply workflow with MinIO artifact storage - Terraform destroy workflow with manual approval Pipeline Features: - Runs on push to main and pull requests - Sequential job execution with proper dependencies - Secure secrets management for Vault, MinIO, and Renovate - Plan artifact storage in MinIO for apply jobs - Production environment protection for apply - Destroy approval environment for safety - Support for destroy via PR label SonarQube Configuration: - Project metadata and version tracking - Terraform-specific exclusions - Proper source encoding - Documentation links to Gitea repository Required Secrets: - VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_ADDR - MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_ENDPOINT, MINIO_BUCKET - RENOVATE_ENDPOINT, RENOVATE_TOKEN - SONARQUBE_HOST, SONARQUBE_TOKEN	2025-11-17 08:25:38 +01:00
Patrick de Ruiter	d417281ee0	feat: Repurpose module from Ansible EDA to Renovate bot deployment Complete rewrite of the module to deploy a Renovate bot for automated dependency management with Gitea integration. Breaking Changes: - Module purpose changed from Ansible EDA to Renovate bot - All variables restructured for Renovate configuration - State file path updated to home/docker/renovate/renovate.tfstate - Volumes changed from EDA rulebooks/logs to config/cache - Container image now uses renovate/renovate:latest Added: - Gitea platform integration with token authentication - Renovate configuration template (config.js.tpl) - Repository configuration examples - Gitea Actions workflow examples - SonarQube integration examples - Comprehensive documentation (README, QUICKSTART, MIGRATION_GUIDE) - CHANGELOG.md for version tracking - Security best practices Removed: - All Ansible EDA-specific configuration - Traefik labels (not needed for Renovate) - Old EDA documentation files - example-rulebook.yml Updated: - Complete README with Gitea setup instructions - terraform.tfvars with Renovate configuration - All resource names from ansible_eda to renovate - Backend state path This is version 2.0.0 - not backward compatible with previous EDA version. See MIGRATION_GUIDE.md for detailed migration instructions.	2025-11-17 00:32:51 +01:00