Patrick de Ruiter
c88fb4c15e
Some checks failed
Code Quality & Security Scan / TFLint (push) Successful in 20s
Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 48s
Code Quality & Security Scan / Checkov Security Scan (push) Successful in 36s
Code Quality & Security Scan / Terraform Validate (push) Successful in 48s
Code Quality & Security Scan / SonarQube Scan (push) Successful in 43s
Code Quality & Security Scan / Terraform Plan (push) Failing after 1m6s
Code Quality & Security Scan / Terraform Apply (push) Has been skipped
101 lines
3.1 KiB
HCL
101 lines
3.1 KiB
HCL
# Get Traefik network
|
|
data "docker_network" "traefik_network" {
|
|
name = "traefik_network"
|
|
}
|
|
|
|
# Create volumes for Renovate
|
|
resource "docker_volume" "renovate_config" {
|
|
name = "renovate-config"
|
|
}
|
|
|
|
resource "docker_volume" "renovate_cache" {
|
|
name = "renovate-cache"
|
|
}
|
|
|
|
# Pull Renovate image
|
|
resource "docker_image" "renovate" {
|
|
name = var.renovate_image
|
|
keep_locally = true
|
|
}
|
|
|
|
# Create Renovate container
|
|
resource "docker_container" "renovate" {
|
|
image = docker_image.renovate.image_id
|
|
name = var.container_name
|
|
hostname = var.container_name
|
|
restart = var.restart_policy
|
|
|
|
# Resource limits
|
|
memory = var.memory_limit
|
|
memory_swap = var.memory_swap_limit
|
|
|
|
# Environment variables for Renovate
|
|
env = concat(
|
|
[
|
|
"RENOVATE_PLATFORM=${data.vault_kv_secret_v2.renovate.data["renovate_platform"]}",
|
|
"RENOVATE_ENDPOINT=${data.vault_kv_secret_v2.renovate.data["renovate_endpoint"]}",
|
|
"RENOVATE_TOKEN=${data.vault_kv_secret_v2.renovate.data["renovate_token"]}",
|
|
"RENOVATE_GIT_AUTHOR=${data.vault_kv_secret_v2.renovate.data["renovate_git_author"]}",
|
|
"RENOVATE_USERNAME=${data.vault_kv_secret_v2.renovate.data["renovate_username"]}",
|
|
"RENOVATE_AUTODISCOVER=${var.renovate_autodiscover}",
|
|
"LOG_LEVEL=${var.log_level}"
|
|
],
|
|
# GitHub token: prefer Vault, fall back to variable
|
|
coalesce(try(data.vault_kv_secret_v2.renovate.data["github_token"], ""), var.github_com_token) != "" ? ["GITHUB_COM_TOKEN=${coalesce(try(data.vault_kv_secret_v2.renovate.data["github_token"], ""), var.github_com_token)}"] : [],
|
|
var.extra_env_vars
|
|
)
|
|
|
|
# Network configuration
|
|
networks_advanced {
|
|
name = data.docker_network.traefik_network.name
|
|
}
|
|
|
|
# DNS configuration for internal hostname resolution
|
|
# Only set if dns_servers is not empty
|
|
dns = length(var.dns_servers) > 0 ? var.dns_servers : null
|
|
|
|
# Volumes
|
|
volumes {
|
|
volume_name = docker_volume.renovate_config.name
|
|
container_path = "/usr/src/app/config"
|
|
}
|
|
|
|
volumes {
|
|
volume_name = docker_volume.renovate_cache.name
|
|
container_path = "/tmp/renovate"
|
|
}
|
|
|
|
# Upload config.js if enabled
|
|
dynamic "upload" {
|
|
for_each = var.upload_config_file ? [1] : []
|
|
content {
|
|
content = templatefile("${path.module}/files/config.js.tpl", {
|
|
platform = data.vault_kv_secret_v2.renovate.data["renovate_platform"]
|
|
endpoint = data.vault_kv_secret_v2.renovate.data["renovate_endpoint"]
|
|
git_author = data.vault_kv_secret_v2.renovate.data["renovate_git_author"]
|
|
username = data.vault_kv_secret_v2.renovate.data["renovate_username"]
|
|
autodiscover = var.renovate_autodiscover
|
|
onboarding_config = var.renovate_onboarding_config
|
|
})
|
|
file = "/usr/src/app/config.js"
|
|
}
|
|
}
|
|
|
|
lifecycle {
|
|
ignore_changes = [
|
|
command,
|
|
entrypoint
|
|
]
|
|
}
|
|
}
|
|
|
|
# DNS CNAME record for Renovate (optional, if web interface is needed)
|
|
resource "dns_cname_record" "renovate_cname" {
|
|
count = var.create_cname_record ? 1 : 0
|
|
|
|
zone = "${var.domain}."
|
|
ttl = 300
|
|
name = coalesce(var.dns_name, var.container_name)
|
|
cname = "hosting.${var.domain}."
|
|
}
|