Support Nested Terraform Code (HCL)

Open osterman opened this issue 6 years ago • 19 comments

what

  • Dependabot will not look recursively through directories in repo for .tf code
  • Want submodules to get updates

why

  • In terraform, it's valid to nest modules in subfolders

references

  • https://github.com/cloudposse/terraform-root-modules

osterman avatar Aug 24 '18 01:08 osterman

In general, the approach we take with recursive dependency file finding is:

  • If the files are somehow linked (e.g., they reference each other, or have a top level file that lists all of them) then we download them all and update them all at once
  • If the files aren't linked in any way then we don't crawl your repo looking for them - instead you need to add each directory manually in Dependabot (you can add the same "language" multiple times to a project - apologies for the confusing terminology)

What's the setup with Terraform? I'd like to improve the flow for setups that we don't bump all-at-once, but I think it's a UI tweak rather than a core change (i.e., making it easier to select them in the dashboard).

What do you reckon?

greysteil avatar Aug 24 '18 10:08 greysteil

It's a bit of a bear to manually add every directory with terraform configurations into dependabot. Each directory with .tf files is really its own, independent terraform module.

Plus, the way dependabot is now, restructuring the repo would mean needing to also "fix" the dependabot config.

A better workflow to me would be to scan the repo for directories with .tf files, check each for module sources, and create separate PRs for each.

lorengordon avatar Sep 01 '18 10:09 lorengordon

That makes sense to me. I think what's needed here is a better frontend for Dependabot for selecting multiple directories to apply it to, and an option to "always apply to all directories" or something like that (maybe with a blacklist).

Sounds like you think the backend implementation (separate PRs for each module) is basically correct, though?

greysteil avatar Sep 01 '18 14:09 greysteil

Separate PRs for each updated "source" is my preference... That way each dependency update gets tested on its own. If there are interrelated changes between dependencies needed to pass tests, I'd modify the PR myself.

lorengordon avatar Sep 01 '18 14:09 lorengordon

Great. We're planning to work on the front-end a bunch over the next couple of months, so I should be able to get this sorted then.

greysteil avatar Sep 01 '18 14:09 greysteil

Any updates on this? This would be a really awesome feature to have!

takotaco avatar May 09 '19 17:05 takotaco

We haven't had a chance to work on the improved project-selection interface yet, but I'm still keen to do it. Will have an update in the next few weeks.

greysteil avatar May 10 '19 15:05 greysteil

@greysteil awesome, thanks! I'll keep an eye out for updates.

I just added dependabot to a bunch of repos, several of which have multiple terraform stacks/modules. It would be cool to have the auto detect feature but I was still able to set everything up with the current config format so I'm pretty happy with that for now.

takotaco avatar May 10 '19 17:05 takotaco

Any updates on this? Seems common to have Terraform modules as separate subdirectories and it can be tedious to add each one.

LaurenceGA avatar Sep 20 '19 06:09 LaurenceGA

Hello, any update on this?

carbohydrates avatar Oct 27 '21 08:10 carbohydrates

Any updates on this?

pigri avatar Mar 14 '22 08:03 pigri

Any update on this?

balay80 avatar Mar 17 '22 12:03 balay80

I am having the same problem. How do we address this?

jinzishuai avatar Mar 23 '22 00:03 jinzishuai

Piling on here, looking for this functionality as well.

jmreicha avatar Mar 28 '22 22:03 jmreicha

Hoping to see this as well.

BogdanBozic avatar Apr 11 '22 14:04 BogdanBozic

Any updates? :)

zlahham avatar Aug 08 '22 16:08 zlahham

Also looking for this option :)

cyberveseli avatar Sep 02 '22 10:09 cyberveseli

Looking forward to this feature. I think this would also solve our problem around upgrading modules in terragrunt nested directories.

bartelemi avatar Sep 07 '22 14:09 bartelemi

FWIW I have been able to completely ditch dependabot for this use case by using Renovate and a quick custom CI job.

jmreicha avatar Sep 19 '22 12:09 jmreicha

Has anyone tried the described options in the GitHub blog? Looks promising.

dgokcin avatar Sep 03 '23 09:09 dgokcin

Has anyone tried the described options in the GitHub blog? Looks promising.

I don't see where the new Dependabot grouping feature helps with this request. Can you give an example?

SchulteMarkus avatar Sep 04 '23 13:09 SchulteMarkus

@SchulteMarkus sure

If you have terraform modules in a repo like the ss below, you need to specify every directory in the dependabot config. As far as I understand, the blog post introduces a feature that allows you to use terraform modules in dependabot config with a wildcard pattern without specifying each of them separately.

image

dgokcin avatar Sep 04 '23 15:09 dgokcin

Is there any plan to support this? It's been years.

Right now if a repo has, let's say, 100 modules in their own folder, which is convention, then we need 100 TF dependabot configs in the YAML file. It's a lot of maintenance that can quickly fall out of sync, minimizing the benefits of Dependabot with Terraform.

YElyousfi avatar Sep 07 '23 14:09 YElyousfi
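
The scan-for-`.tf`-directories workflow proposed earlier in the thread, and the config drift described in the comment above, can be handled by generating the per-directory entries and comparing them with what is on disk. This is an added example, not code from any commenter or from Dependabot; the function names and the sample repository layout are hypothetical, and it assumes the version 2 `dependabot.yml` format with one `terraform` entry per directory.

```python
# Added example: hypothetical helper names, constructed sample repository.
import os
import re
import tempfile

SKIP_DIRS = {".git", ".terraform"}  # VCS data and downloaded module/provider caches


def find_tf_dirs(repo_root):
    """Return repo-relative dirs ("/", "/modules/vpc", ...) that directly hold .tf files."""
    found = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)  # prune in place
        if any(name.endswith(".tf") for name in filenames):
            rel = os.path.relpath(dirpath, repo_root).replace(os.sep, "/")
            found.append("/" if rel == "." else "/" + rel)
    return sorted(found)


def render_config(dirs, interval="weekly"):
    """Render a version 2 dependabot.yml with one terraform entry per directory."""
    lines = ["version: 2", "updates:"]
    for d in dirs:
        lines += ['  - package-ecosystem: "terraform"',
                  f'    directory: "{d}"',
                  "    schedule:",
                  f'      interval: "{interval}"']
    return "\n".join(lines) + "\n"


def drift(config_text, dirs):
    """Return (missing, stale) directories; assumes the file holds only terraform entries."""
    listed = set(re.findall(r'^\s*directory:\s*"?([^"\n]+?)"?\s*$', config_text, re.M))
    return sorted(set(dirs) - listed), sorted(listed - set(dirs))


def build_sample_repo(root):
    """Constructed layout: a root stack, two modules, and a cache directory to skip."""
    for rel in ("main.tf", "modules/vpc/main.tf", "modules/eks/main.tf",
                ".terraform/modules/cached/main.tf", "docs/README.md"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        print(render_config(find_tf_dirs(root)))
```

Running `drift` in CI against the committed file and failing on a non-empty result flags module directories that are receiving no update PRs.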

Just use Snyk - dependabot clearly does not care about Terraform.

jensenbox avatar Sep 16 '23 00:09 jensenbox

@dependabot recreate

ferdi145 avatar Oct 05 '23 11:10 ferdi145