# Example: Annotated Container Definitions for Renovate
#
# This file demonstrates how to annotate Docker container definitions
# in Terraform so that Renovate can detect and update image versions.
#
# Add the comment "# renovate: datasource=docker" on the line directly above
# the image line to enable automatic version detection and updates. The
# annotation is only picked up when a matching custom (regex) manager is
# configured in Renovate.

# =============================================================================
# Basic Pattern: Combined image:tag format
# =============================================================================
# This is the most common pattern, where image name and tag are in one string.

locals {
  # Container definitions keyed by service name. Each entry pins a specific
  # image tag; the "# renovate:" line directly above `image` is what lets
  # Renovate find and bump that tag.
  #
  # Tags are mutable on the registry side. Where reproducibility matters,
  # pin `image:tag@sha256:<digest>` instead (Renovate can maintain digest
  # pins as well via its pinDigests option).
  services = {
    # Redis from Docker Hub; the docker.io/library/ prefix is implicit.
    redis = {
      # renovate: datasource=docker
      image = "redis:8.0.0"

      networks        = ["backend-network"]
      container_ports = ["6379"]
    }

    # PostgreSQL with the registry path spelled out in full.
    postgres = {
      # renovate: datasource=docker
      image = "docker.io/library/postgres:16.4-alpine"

      volumes = {
        "postgres-data" = "/var/lib/postgresql/data"
      }
      networks        = ["backend-network"]
      container_ports = ["5432"]
    }

    # Third-party (non-library) image from Docker Hub.
    grafana = {
      # renovate: datasource=docker
      image = "grafana/grafana:11.2.0"

      use_traefik     = true
      networks        = ["traefik_network", "monitoring-network"]
      container_ports = ["3000"]
    }

    # Image hosted on GitHub Container Registry.
    paperless = {
      # renovate: datasource=docker
      image = "ghcr.io/paperless-ngx/paperless-ngx:2.12.1"

      use_traefik     = true
      networks        = ["traefik_network"]
      container_ports = ["8000"]
    }
  }
}

# =============================================================================
# Advanced Pattern: With explicit versioning scheme
# =============================================================================
# Use this when the image tag does not follow the default Docker versioning.

locals {
  # Same shape as `services`, but each annotation also names the versioning
  # scheme Renovate should use to order the available tags.
  advanced_services = {
    # HashiCorp publishes plain semver tags.
    vault = {
      # renovate: datasource=docker versioning=semver
      image = "hashicorp/vault:1.17.3"

      networks        = ["traefik_network"]
      container_ports = ["8200"]
    }

    # MinIO tags are release timestamps, so a regex scheme maps
    # year / month / day onto major / minor / patch.
    # NOTE(review): the time-of-day portion is not captured, so two releases
    # on the same day would compare equal and the later one might not be
    # offered — confirm against Renovate's regex versioning docs.
    minio = {
      # renovate: datasource=docker versioning=regex:^RELEASE\.(?<major>\d{4})-(?<minor>\d{2})-(?<patch>\d{2})T\d{2}-\d{2}-\d{2}Z$
      image = "minio/minio:RELEASE.2024-08-29T01-40-52Z"

      networks        = ["traefik_network"]
      container_ports = ["9000", "9001"]
    }
  }
}

# =============================================================================
# Alternative Pattern: Separate version variable
# =============================================================================
# Use this when you prefer to keep versions in dedicated variables and
# interpolate them into the image reference.

# Version pin for Traefik. The annotation names the Docker Hub image explicitly
# (depName) because the variable itself carries only the tag; Renovate updates
# the `default` value. Interpolated in local.versioned_services below.
# renovate: datasource=docker depName=traefik
variable "traefik_version" {
  type        = string
  default     = "3.1.2"
  description = "Version of Traefik to deploy"
}

# Version pin for Redis; depName resolves to the Docker Hub library image.
# Renovate updates the `default` value in place.
# renovate: datasource=docker depName=redis
variable "redis_version" {
  type        = string
  default     = "8.0.0"
  description = "Version of Redis to deploy"
}

# Version pin for Grafana; depName is the full org/image path on Docker Hub.
# Renovate updates the `default` value in place.
# renovate: datasource=docker depName=grafana/grafana
variable "grafana_version" {
  type        = string
  default     = "11.2.0"
  description = "Version of Grafana to deploy"
}

# Usage example with separate variables
locals {
  versioned_services = {
    traefik = {
      # No renovate annotation here: the tag comes from var.traefik_version,
      # which carries the annotation instead.
      image = "traefik:${var.traefik_version}"

      networks        = ["traefik_network"]
      container_ports = ["80", "443", "8080"]
    }
  }
}

# =============================================================================
# Complete Example: Production-like container object
# =============================================================================
# This shows a realistic container definition with all common settings.

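locals {
  # Full container objects for a Paperless-NGX stack: web server, Redis broker
  # and PostgreSQL database. Every image carries a renovate annotation and is
  # pinned to an exact tag so that upgrades only happen through a tracked
  # change to this file.
  production_services = {
    # Paperless-NGX Document Management System
    paperless-webserver = {
      # renovate: datasource=docker
      image = "ghcr.io/paperless-ngx/paperless-ngx:2.12.1"

      healthcheck = {
        test         = ["CMD", "curl", "-f", "http://localhost:8000"]
        interval     = "30s"
        timeout      = "10s"
        retries      = 5
        start_period = "60s"
      }

      # Path under which this service's environment secrets live in Vault.
      vault_env_path = "secret/paperless-ngx"
      environment    = "prod"
      replicas       = 1

      volumes = {
        "paperless-data"    = "/usr/src/paperless/data"
        "paperless-media"   = "/usr/src/paperless/media"
        "paperless-export"  = "/usr/src/paperless/export"
        "paperless-consume" = "/usr/src/paperless/consume"
      }

      # No host ports: the only ingress is via Traefik on the shared network.
      host_ports          = []
      container_ports     = ["8000"]
      networks            = ["paperless-backend-network", "traefik_network"]
      use_traefik         = true
      is_swarm_service    = false
      consul_service      = true
      access_docker_sock  = false
      create_cname_record = true
    }

    # Redis broker for Paperless
    paperless-broker = {
      # Pinned to the exact tag rather than the floating "8" major tag so the
      # deployed image cannot drift between deploys without a change here,
      # matching the Redis pins elsewhere in this file.
      # renovate: datasource=docker
      image = "docker.io/library/redis:8.0.0"

      healthcheck = {
        test         = ["CMD", "redis-cli", "ping"]
        interval     = "30s"
        timeout      = "5s"
        retries      = 3
        start_period = "10s"
      }

      vault_env_path = "secret/paperless-ngx"
      environment    = "prod"
      replicas       = 1

      volumes = {
        "paperless-redisdata" = "/data"
      }

      # Backend-only: reachable from the web server, not exposed via Traefik.
      host_ports          = []
      container_ports     = ["6379"]
      networks            = ["paperless-backend-network"]
      use_traefik         = false
      is_swarm_service    = false
      consul_service      = false
      access_docker_sock  = false
      create_cname_record = false
    }

    # PostgreSQL database for Paperless
    paperless-db = {
      # renovate: datasource=docker
      image = "docker.io/library/postgres:16.4-alpine"

      healthcheck = {
        test         = ["CMD-SHELL", "pg_isready -U paperless"]
        interval     = "30s"
        timeout      = "5s"
        retries      = 3
        start_period = "30s"
      }

      vault_env_path = "secret/paperless-ngx"
      environment    = "prod"
      replicas       = 1

      volumes = {
        "paperless-pgdata" = "/var/lib/postgresql/data"
      }

      # Backend-only: reachable from the web server, not exposed via Traefik.
      host_ports          = []
      container_ports     = ["5432"]
      networks            = ["paperless-backend-network"]
      use_traefik         = false
      is_swarm_service    = false
      consul_service      = false
      access_docker_sock  = false
      create_cname_record = false
    }
  }
}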