Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
What part(s) of the article would you like to see updated?
Background Information
Unlike other package managers, Terraform is a multi-sourcetype package managers with private registry support (that only applies to a few of these source types).
The following are various sample combinations of what all counts as a "module source" in Terraform:
| No | Source | Sample Source | Is this a Terraform Registry | Private Access Supported | Update Possible |
|---|---|---|---|---|---|
| 1 | Local Path | ../consul |
NA | No | |
| 2 | Terraform Registry | hashicorp/consul/aws |
Yes, https://registry.terraform.io/ | No | Yes |
| 3 | Terraform Private Registry | app.terraform.io/example-corp/k8s-cluster/azurerm |
Yes | Yes | Yes |
| 4 | GitHub | github.com/hashicorp/example |
No | Yes | Yes |
| 5 | GitHub (SSH) | git@github.com:hashicorp/example.git |
No | Yes | Yes |
| 6 | BitBucket | bitbucket.org/hashicorp/terraform-consul-aws |
No | Yes | Yes |
| 7 | Generic Git | git::https://example.com/vpc.git (Other Valid Git URLs also work) |
No | Yes | Yes |
| 8 | Generic Mercurial | hg::http://example.com/vpc.hg |
No | Yes | Yes |
| 9 | HTTP URls | https://example.com/terraform-source |
No | Yes | No |
| 10 | S3 Bucket URL | s3::https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip |
No | Yes | No |
| 11 | GCS Bucket URL | gcs::https://www.googleapis.com/storage/v1/modules/foomodule.zip |
No | Yes | No |
Current Documentation Status
The following is all of the text* that is present on the docs website about Dependabot Terraform setups:
The table tells us that Terraform integration supports both Private Repositories and Private registries (and not vendoring):
The second page tells us about terraform registry configuration.
The
terraform-registrytype supports a token.
registries: terraform-example: type: terraform-registry url: https://terraform.example.com token: ${{secrets.MY_TERRAFORM_API_TOKEN}}
Unanswered Questions
There are 7 different kinds of sources in the above table that support updates. Of these, 2 are well documented (Terraform Registry / Terraform Private Registry) with clear documentation on how it supports Private registries as well.
The other 5 are left very unclear, across each of their public/private variant (so 10 possibilities).
The core change in #30139:
You can give Dependabot access to private package registries hosted by GitLab or Bitbucket by specifying a type of git.
does not clarify if this works with Terraform. It is unclear if Mercurial repositories are updated.
Suggested Change
Similar to how swift in the table links to a clear indication of what is supported, a similar section should be added for Terraform. Something like:
Only modules hosted on Terraform Registry or a publicly reachable Git repository are supported. Private Terraform Registry is supported, and you can configure access for private git repositories by configuring a git registry.
Additional information
This is a re-opening of #8419. The relevant PR #30139 does not answer the important questions.