Removed all hardcoded sensitive values from backend.tf:
- MinIO endpoint URL
- Bucket name
- State file key/path
- Access key and secret key

Security Improvements:
- Backend configuration now uses environment variables
- Added comprehensive documentation for backend setup
- Provided examples for both env vars and backend.hcl
- Added backend.hcl to .gitignore to prevent credential leaks
- Updated README with secure configuration instructions
- Fixed step numbering in README after adding backend config section

Backend Configuration Methods:
1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
2. Command-line flags during terraform init
3. Backend configuration file (backend.hcl) - now gitignored

Breaking Change:
- Users must now explicitly configure backend during terraform init
- No default backend configuration provided for security reasons

See README section 'Configure Backend (Optional)' for detailed setup instructions.

2025-11-17 08:35:16 +01:00

20 KiB

Raw Blame History

Terraform Docker Renovate Module

Purpose

This Terraform module deploys a Renovate bot as a Docker container with the following features:

Renovate Container: Automatically updates dependencies in your repositories
Gitea Integration: Native support for Gitea platform with proper authentication
Traefik Integration: Automatically configures Traefik reverse proxy (optional)
DNS Management: Creates DNS CNAME records for the Renovate instance (optional)
Persistent Storage: Manages Docker volumes for configuration and cache
Vault Integration: Securely retrieves DNS credentials from HashiCorp Vault
Remote State Backend: Stores Terraform state in MinIO (S3-compatible storage)
Resource Limits: Configurable memory limits for container isolation

What It Does

The module creates and manages the following resources:

Docker Volumes:
- renovate-config: Persistent storage for configuration files
- renovate-cache: Cache storage for improved performance
Renovate Container:
- Runs Renovate bot process
- Connects to Traefik network for reverse proxy access (optional)
- Configured with resource limits (Memory)
- Configured with flexible restart policy
- Logs sent to Docker daemon (managed by Loki)
DNS Record (Optional):
- Creates a CNAME record pointing to the hosting server

What is Renovate?

Renovate is an automated dependency update tool that:

Monitors dependencies across multiple package managers and platforms
Creates pull requests with dependency updates automatically
Supports semantic versioning and custom update schedules
Works with Docker, Terraform, npm, pip, and many other ecosystems
Integrates with CI/CD pipelines for automated testing

Common Use Cases

Automated Docker image updates with semantic versioning
Terraform module and provider version updates
Application dependency management (npm, pip, composer, etc.)
Security vulnerability patching through automatic updates
Consistent dependency versions across multiple repositories

Prerequisites

Before using this module, ensure you have:

Docker Host: A Docker daemon accessible via TCP (configured at 192.168.2.170:2376)
Docker TLS Certificates: Client certificates in ~/.docker/ directory
Traefik Network: A Docker network named traefik_network must exist
Gitea Instance: Running Gitea instance with API access
Renovate Bot User: Dedicated user account in Gitea with appropriate permissions
Gitea Access Token: Personal Access Token with the following scopes:
- repo: Read and Write
- user: Read
- issue: Read and Write (Gitea ≥ 1.20.0)
- organization: Read (Gitea ≥ 1.20.0)
HashiCorp Vault: Running instance with:
- AppRole authentication enabled
- DNS credentials stored at secret/dns
- Role ID and Secret ID for authentication
MinIO/S3 Backend: For Terraform state storage
DNS Server: Supporting dynamic updates (TSIG authentication) - optional

Gitea Bot Setup

1. Create Renovate Bot User

In your Gitea instance:

Create a new user account (e.g., renovate-bot)
Configure the user with:
- Full name: "Renovate Bot"
- Email: renovate-bot@example.com
Add the bot user as a collaborator to repositories you want to manage

2. Generate Personal Access Token

Log in as the Renovate bot user
Go to Settings → Applications → Generate New Token
Token name: "Renovate Token"
Select scopes:
- repo (Read and Write)
- user (Read)
- issue (Read and Write)
- organization (Read)
Save the token securely - you'll need it for the renovate_token variable

3. Configure Repository Access

For each repository you want Renovate to manage:

Add renovate-bot as a collaborator with Write access
Or use autodiscovery to automatically find all accessible repositories

How to Use

1. Basic Usage with Gitea

module "renovate" {
  source = "./terraform-docker-renovate"

  # Infrastructure
  domain    = "bsdserver.nl"
  role_id   = var.vault_role_id
  secret_id = var.vault_secret_id

  # Gitea Configuration
  renovate_platform  = "gitea"
  renovate_endpoint  = "https://gitea.example.com/api/v1/"
  renovate_token     = var.renovate_token  # Store securely in Vault or use env var
  renovate_git_author = "Renovate Bot <renovate-bot@example.com>"
  renovate_username  = "renovate-bot"
}

2. Custom Configuration

module "renovate" {
  source = "./terraform-docker-renovate"

  # Infrastructure
  domain    = "bsdserver.nl"
  role_id   = var.vault_role_id
  secret_id = var.vault_secret_id

  # Container configuration
  container_name   = "renovate"
  renovate_image   = "renovate/renovate:latest"
  restart_policy   = "unless-stopped"

  # Resource limits
  memory_limit      = 2048
  memory_swap_limit = -1

  # Gitea platform configuration
  renovate_platform     = "gitea"
  renovate_endpoint     = "https://gitea.bsdserver.nl/api/v1/"
  renovate_token        = var.renovate_token
  renovate_git_author   = "Renovate Bot <renovate-bot@bsdserver.nl>"
  renovate_username     = "renovate-bot"
  renovate_autodiscover = true

  # Optional GitHub.com token for changelogs
  github_com_token = var.github_token

  # Logging
  log_level = "info"

  # Additional environment variables
  extra_env_vars = [
    "RENOVATE_REQUIRE_CONFIG=optional"
  ]
}

3. Configure Backend (Optional)

If using remote state storage (recommended), configure the backend:

# Option 1: Using environment variables
export AWS_ACCESS_KEY_ID="your-minio-access-key"
export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"

terraform init \
  -backend-config="endpoints={s3=\"https://minio.example.com:443\"}" \
  -backend-config="bucket=terraform-state" \
  -backend-config="key=docker/renovate/terraform.tfstate" \
  -backend-config="region=main" \
  -backend-config="skip_credentials_validation=true" \
  -backend-config="skip_metadata_api_check=true" \
  -backend-config="skip_requesting_account_id=true" \
  -backend-config="skip_region_validation=true" \
  -backend-config="use_path_style=true"

Or create a backend.hcl file:

# backend.hcl
endpoints = {
  s3 = "https://minio.example.com:443"
}
bucket                      = "terraform-state"
key                         = "docker/renovate/terraform.tfstate"
region                      = "main"
skip_credentials_validation = true
skip_metadata_api_check     = true
skip_requesting_account_id  = true
skip_region_validation      = true
use_path_style              = true

Then initialize:

export AWS_ACCESS_KEY_ID="your-minio-access-key"
export AWS_SECRET_ACCESS_KEY="your-minio-secret-key"
terraform init -backend-config=backend.hcl

4. Initialize Terraform

# For local state (not recommended for production)
terraform init

# Or with remote backend (see step 3)
terraform init -backend-config=backend.hcl

This will:

Download required providers (Docker, Vault, DNS)
Configure the backend for state storage (if specified)

5. Plan Deployment

terraform plan

Review the planned changes to ensure everything is correct.

6. Apply Configuration

terraform apply

Confirm the changes to deploy the Renovate bot.

7. Verify Deployment

After deployment:

Check Container Status:
```
docker ps | grep renovate
```
View Container Logs:
```
docker logs renovate -f
```

Verify Configuration:

docker exec renovate cat /usr/src/app/config.js

Repository Configuration

Adding Renovate to a Repository

To enable Renovate in a repository, create a renovate.json file in the repository root:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ],
  "assignees": ["@yourusername"],
  "labels": ["renovate"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Automerge minor and patch updates",
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],
  "docker": {
    "enabled": true,
    "pinDigests": false
  },
  "terraform": {
    "enabled": true
  }
}

An example configuration is provided in files/example-renovate.json.

Docker-Compose Repository Example

For repositories with docker-compose.yml files:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "docker-compose": {
    "enabled": true
  },
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}

Terraform Repository Example

For repositories with Terraform code:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "terraform": {
    "enabled": true
  },
  "packageRules": [
    {
      "matchDatasources": ["terraform-provider", "terraform-module"],
      "automerge": false,
      "schedule": ["before 6am on Monday"]
    }
  ]
}

Variables

Variable	Description	Type	Default	Required
`container_name`	Name of the Renovate container	`string`	`"renovate"`	No
`renovate_image`	Docker image for Renovate	`string`	`"renovate/renovate:latest"`	No
`restart_policy`	Restart policy for the container	`string`	`"unless-stopped"`	No
`memory_limit`	Memory limit for the container in MB	`number`	`2048`	No
`memory_swap_limit`	Memory swap limit in MB (-1 for unlimited)	`number`	`-1`	No
`domain`	Domain name for the application	`string`	`"bsdserver.lan"`	No
`dns_name`	DNS name for the Renovate service	`string`	`null` (uses container_name)	No
`create_cname_record`	Whether to create a DNS CNAME record	`bool`	`false`	No
`renovate_platform`	Git platform to use (gitea, github, gitlab)	`string`	`"gitea"`	No
`renovate_endpoint`	API endpoint for the git platform	`string`	-	Yes
`renovate_token`	Personal access token for authentication	`string`	-	Yes
`renovate_git_author`	Git author for Renovate commits	`string`	`"Renovate Bot <renovate-bot@example.com>"`	No
`renovate_username`	Username of the Renovate bot account	`string`	`"renovate-bot"`	No
`renovate_autodiscover`	Enable autodiscovery of repositories	`bool`	`true`	No
`renovate_onboarding_config`	Onboarding configuration for Renovate	`string`	See variables.tf	No
`github_com_token`	GitHub.com token for fetching changelogs	`string`	`""`	No
`log_level`	Log level for Renovate	`string`	`"info"`	No
`extra_env_vars`	Additional environment variables	`list(string)`	`[]`	No
`upload_config_file`	Upload a config.js file to the container	`bool`	`true`	No
`role_id`	Vault AppRole Role ID	`string`	-	Yes
`secret_id`	Vault AppRole Secret ID	`string`	-	Yes

Outputs

Output	Description
`container_id`	ID of the Renovate container
`container_name`	Name of the Renovate container
`config_volume`	Name of the config volume
`cache_volume`	Name of the cache volume
`renovate_platform`	Platform configured for Renovate
`renovate_endpoint`	API endpoint configured for Renovate

Configuration Details

Hardcoded Values

The following values are hardcoded in provider.tf and may need customization:

Docker Host: tcp://192.168.2.170:2376 (provider.tf:26)
Vault Address: https://wbyc-srv-docker01.bsdserver.lan:8200 (provider.tf:33)

Note: Backend configuration (MinIO/S3) is no longer hardcoded. Configure it via:

Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
Command-line flags during terraform init (see "Configure Backend" section)
Backend configuration file (backend.hcl)

Security Considerations

✅ Security Improvements:

No Privileged Mode: Container runs without elevated privileges
No Root User: Runs as standard user
No Docker Socket: Docker socket is not mounted
Resource Limits: Memory limits prevent resource exhaustion
Token Security: Renovate token is marked as sensitive in Terraform
Vault Integration: DNS credentials stored securely in Vault

⚠️ Security Notes:

Backend Credentials: Use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) instead of hardcoding
Token Management: Store renovate_token in Vault or use environment variables
Repository Access: Ensure bot user only has access to intended repositories
Log Retention: Logs are sent to Docker daemon - ensure proper retention policies
Network Security: Renovate connects to external APIs - ensure proper firewall rules

Providers

This module uses the following Terraform providers:

docker (kreuzwerker/docker v3.0.2): For Docker resource management
vault (hashicorp/vault v3.25.0): For secrets management
dns: For DNS record management with TSIG authentication

Managing Configuration

Option 1: Use Template File (Recommended)

The module includes a config.js.tpl template that automatically configures Renovate based on your variables. Set upload_config_file = true to use this method.

Option 2: Manual Configuration

Mount a custom config.js file to the config volume:

# Create config.js
cat > config.js << 'EOF'
module.exports = {
  platform: 'gitea',
  endpoint: 'https://gitea.example.com/api/v1/',
  gitAuthor: 'Renovate Bot <renovate-bot@example.com>',
  username: 'renovate-bot',
  autodiscover: true,
  onboardingConfig: {
    $schema: 'https://docs.renovatebot.com/renovate-schema.json',
    extends: ['config:recommended'],
  },
};
EOF

# Copy to volume
docker run --rm -v renovate-config:/config -v $(pwd):/source alpine \
  cp /source/config.js /config/

# Restart container
docker restart renovate

Option 3: Environment Variables Only

Set upload_config_file = false and rely solely on environment variables configured in the module.

Scheduling Renovate Runs

Renovate can be scheduled using various methods:

Option 1: Cron Job

# Add to crontab to run daily at 2 AM
0 2 * * * docker restart renovate

Option 2: Gitea Actions/Workflows

Create .gitea/workflows/renovate.yaml in a dedicated repository:

name: Renovate
on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Renovate
        run: |
          docker restart renovate || true

Option 3: System Timer

Create a systemd timer for automated scheduling.

Troubleshooting

Container Won't Start

docker logs renovate

Check for:

Invalid Gitea endpoint or token
Network connectivity issues
Missing configuration
Resource limit issues

Renovate Not Creating PRs

Verify:

Bot user has write access to repositories
Gitea token has correct permissions
Repositories have valid renovate.json configuration
Check logs for API errors: docker logs renovate

Authentication Failures

Verify token scopes in Gitea settings
Ensure token hasn't expired
Check endpoint URL is correct (should end with /api/v1/)
Verify bot user account is active

DNS Record Not Created

Verify Vault DNS credentials are correct
Check DNS server allows dynamic updates
Ensure TSIG key has proper permissions

Rate Limiting Issues

If you see rate limit errors:

Add github_com_token for GitHub.com changelog access
Configure prConcurrentLimit in repository config
Adjust scheduling to reduce API calls

Maintenance

Updating Renovate

# Pull latest image
docker pull renovate/renovate:latest

# Recreate container
terraform apply -replace=docker_container.renovate

Viewing Logs

# Container logs
docker logs renovate -f

# Filter for specific repository
docker logs renovate 2>&1 | grep "repository-name"

Backup

The Renovate data is stored in Docker volumes. To backup:

# Backup config
docker run --rm -v renovate-config:/data -v $(pwd):/backup alpine \
  tar czf /backup/renovate-config-backup.tar.gz /data

# Backup cache
docker run --rm -v renovate-cache:/data -v $(pwd):/backup alpine \
  tar czf /backup/renovate-cache-backup.tar.gz /data

Restore

# Restore config
docker run --rm -v renovate-config:/data -v $(pwd):/backup alpine \
  tar xzf /backup/renovate-config-backup.tar.gz -C /

# Restore cache
docker run --rm -v renovate-cache:/data -v $(pwd):/backup alpine \
  tar xzf /backup/renovate-cache-backup.tar.gz -C /

Advanced Configuration

Custom Renovate Image

To use a specific version:

module "renovate" {
  source = "./terraform-docker-renovate"

  renovate_image = "renovate/renovate:37.100.0"
  # ... other variables
}

Multiple Platform Support

While this module is optimized for Gitea, you can configure it for other platforms:

module "renovate_github" {
  source = "./terraform-docker-renovate"

  renovate_platform = "github"
  renovate_endpoint = "https://api.github.com/"
  renovate_token    = var.github_token
  # ... other variables
}

SonarQube Integration

Add SonarQube scanning to Renovate PRs by configuring your repository's renovate.json:

{
  "extends": ["config:recommended"],
  "postUpgradeTasks": {
    "commands": [
      "sonar-scanner -Dsonar.projectKey=myproject"
    ]
  }
}

Integration with CI/CD

Gitea Actions Integration

Renovate PRs can automatically trigger Gitea Actions workflows. Example .gitea/workflows/test.yaml:

name: Test Dependencies
on:
  pull_request:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Tests
        run: |
          docker-compose up -d
          docker-compose exec -T app npm test

Pipeline Configuration

For automated testing and deployment:

Configure branch protection rules in Gitea
Require status checks to pass before merging
Enable auto-merge in renovate.json for passing PRs

Best Practices

Start with Manual Approval: Don't enable automerge until you trust the process
Use Dependency Dashboard: Enable "dependencyDashboard": true for visibility
Schedule Updates: Use schedule to avoid overwhelming your team
Group Updates: Group related dependencies to reduce PR noise
Test Updates: Always have CI/CD tests run on Renovate PRs
Monitor Logs: Regularly check Renovate logs for errors
Pin Versions: Use semantic versioning tags instead of latest

Example Workflow

Initial Setup:
- Create Renovate bot user in Gitea
- Generate access token with required scopes
- Deploy this Terraform module
- Add bot as collaborator to repositories
Repository Configuration:
- Add renovate.json to repository root
- Configure package rules and schedules
- Enable dependency dashboard
First Run:
- Renovate creates onboarding PR
- Review and merge onboarding PR
- Renovate starts scanning dependencies
Ongoing:
- Renovate creates PRs for updates
- CI/CD tests run automatically
- Review and merge PRs
- Monitor dependency dashboard

Resources

License

This module is part of the webuildyourcloud automation infrastructure.

Contributing

When contributing, ensure:

Terraform code follows best practices
Variables are properly documented
Security implications are considered
State backend configuration is tested
Configuration examples are validated

20 KiB Raw Blame History