Automating Terraform updates with Dependabot

2021-08-19|By Kamil Szczygieł|Code

If you work with Terraform, you are almost certainly familiar with modules. Reusing pieces of code across a codebase reduces repetition, keeps your configurations compliant with your standards and lets you control how breaking changes are introduced. But there is one major issue with modules: once the number of modules and the places they are used grow, it becomes very difficult to keep track of which version of a module is used where. In this article, I will walk you through one solution to this problem.

Dependabot

Dependabot creates pull requests to keep your dependencies up to date and secure. It is integrated into GitHub and you can use it for free. It supports multiple ecosystems such as pip, Composer, Docker, Maven and Terraform. Its workflow is very simple:

  • Dependabot periodically looks for newer versions of the packages used in your repository; the interval is configurable.
  • If an update is available, it creates a pull request with the updated version and marks the code owners as reviewers.
  • Once you have reviewed the pull request, you can simply merge it.

This way, you can easily keep track of package updates or security updates within your code.

Terraform

So the question is: how does Dependabot fit into the Terraform world? It actually fits in pretty well. Modules pulled from the public Terraform Registry, or from a private registry, are just one of several things that can be updated automatically. What else is versioned within Terraform? Providers. And yes, Dependabot can update your provider version constraints as well.


Sounds great, doesn't it? Let me give you a quick walk through how to configure Dependabot for your repository.

Getting Started

First, create a dependabot.yml file inside the .github directory of your repository. At sysdogs, we use Spacelift heavily for anything related to Terraform, so in this article we will show you how to connect Dependabot to the private module registry that Spacelift provides.


The simplest version of dependabot.yml file looks like this:

---
version: 2

# Private registries Dependabot is allowed to query. The token is read from
# the Dependabot secret store, not from the GitHub Actions secrets.
registries:
  spacelift:
    type: terraform-registry
    url: https://app.spacelift.io
    token: ${{ secrets.SPACELIFT_TOKEN }}

updates:
  - package-ecosystem: "terraform"
    # Directory containing the root module (.tf files) to scan.
    directory: "/"
    registries:
      - spacelift
    schedule:
      interval: "daily"

Let me quickly explain each section. First, we specify the version of the Dependabot configuration format (at the time of writing, the latest version is 2). Then we add the private registries we want to use in our workflow; here we add Spacelift as a private registry, with the token passed as a GitHub secret. Keep in mind that GitHub Actions and Dependabot have separate sets of secrets: a secret configured for GitHub Actions is not available to Dependabot. You can add Dependabot secrets by going to the repository "Settings" tab and expanding the "Secrets" section, which has a dedicated Dependabot segment.

Location of Dependabot secrets in repository settings.

The last part is the actual update configuration. Here we specify that we are using the Terraform ecosystem together with our private Spacelift module registry, and that the dependency check runs on a daily schedule.


Once you commit this file, Dependabot will automatically start. You can observe its progress by going to repository "Insights" tab, "Dependency graph" section and then, "Dependabot" tab.

Progress of Dependabot checks.

If any modules or providers require an update, Dependabot opens a pull request that contains the release notes, changelog and commits associated with that particular release.

A list of update pull requests opened by Dependabot.

A full overview of the pull request.

The introduced change.

Once you review the pull request, you can simply merge it :)

Caveats

There is one caveat in this setup. Dependabot is treated as an external contributor to your repositories, so workflows triggered by its pull requests do not have access to the GitHub Actions secrets you created. This means that any workflow that requires secrets will fail on Dependabot pull requests. You can simply re-run it manually to get all status checks green, or add a "pull request review" trigger to the workflow so that it runs again once the pull request is approved. Do not work around this by switching the workflow to the pull_request_target event and checking out the pull request head: that event runs with your secrets and a write token in the context of the base branch, so it would execute unreviewed code from the pull request with your credentials.
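Here is what such a workflow can look like, as an added example that is not part of the original article or of any sysdogs repository. It assumes a Terraform plan job that needs a registry token stored as a GitHub Actions secret; the secret name TF_REGISTRY_TOKEN, the credentials hostname and the action versions are assumptions to adjust for your setup. The job runs on ordinary pull request events and again when a review is submitted, but on review events only once the review is an approval, so a human has looked at the Dependabot change before anything runs with secrets.

```yaml
name: terraform-plan

on:
  pull_request:
  pull_request_review:
    types: [submitted]

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  plan:
    # Always run for pull_request events (Dependabot's run fails for lack of
    # secrets, a human's push succeeds). For review events, run only when
    # the submitted review is an approval.
    if: github.event_name == 'pull_request' || github.event.review.state == 'approved'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: hashicorp/setup-terraform@v1

      - name: Write Terraform CLI credentials for the private registry
        # Assumption: the registry token lives in the Actions secret
        # TF_REGISTRY_TOKEN and the registry host matches your module sources.
        run: |
          cat > "$HOME/.terraformrc" <<EOF
          credentials "app.spacelift.io" {
            token = "${TF_REGISTRY_TOKEN}"
          }
          EOF
        env:
          TF_REGISTRY_TOKEN: ${{ secrets.TF_REGISTRY_TOKEN }}

      - name: Terraform init and plan
        run: |
          terraform init -input=false
          terraform plan -input=false
```

The approval check is what makes the re-run safe: the workflow only gains access to secrets after a reviewer with write access has approved the change, and it still runs in the pull_request style context rather than pull_request_target.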

Conclusion

By utilizing Dependabot at sysdogs, we have greatly reduced the amount of time spent on making sure that all our code uses the latest modules from our Spacelift private registry and that our provider configuration is up to date. To be honest, I have been looking at Dependabot for over a year now, waiting for the moment when it would support everything needed to make this magic happen. Module maintenance was so time-consuming that I created a custom Python-based script that walks through the Terraform state file and checks whether the modules in use are in sync with our registry. With the latest additions to Dependabot, this script has become obsolete and will be sent to the grave in the near future.
