Support Dependabot for update automation

[rdhar]

OpenTofu Version

OpenTofu v1.6.1

Use Cases

For keeping up-to-date with the regular flow of dependency updates across all providers.

Attempted Solutions

Using terraform in dependabot.yml which, let's be frank, is "eugh" in 2024.

It's also interesting to note the supported version range is only >= 0.13, <= 1.5.x; I wonder why that may be...

Proposal

Use opentofu within dependabot.yml instead as a 1-to-1 replacement!

Following today's public dev-sync, here's a link to the current handling of dependabot-terraform (with a dash of Ruby).

References

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems

[ghost]

Hi @rdhar thank you for this issue. We had a look with the core team and we tentatively decided to accept this issue based on Dependabot accepting us as a provider. We've assigned @Yantrio to track this down.

[joeybenamy]

Also interested in this.

[Yantrio]

Just wanted to update people here, We've been really busy lately but this is high up on my TODO list and it will be tackled soon!

[joeybenamy]

Just wanted to update people here, We've been really busy lately but this is high up on my TODO list and it will be tackled soon!

Thanks so much! For us, this is the biggest pain point in the transition from Terraform to OpenTofu. Honestly, the only pain point since the rest was so easy!

[rdhar]

Could I request an update on this request please?

With the advent on OpenTofu v1.8, specifically its early-evaluation of variables, Dependabot's terraform package-ecosystem is categorically broken since it's no longer "valid" Terraform, as shown here.

Dependabot encountered '2' error(s) during execution, please check the logs for more details.
+----------------------------------------------------------------------+
|                    Dependencies failed to update                     |
+-------------------------------------+--------------------------------+
| hashicorp/aws                       | dependency_file_not_resolvable |
| terraform-aws-modules/s3-bucket/aws | unknown_error                  |
+-------------------------------------+--------------------------------+

Taken from Dependabot's workflow log.

[elementalvoid]

Combining this with #586 is where things will get really good. We are currently implementing Renovate with static versions in our Terraform code but I'd love it if my developers could set constraints in the version and let Renovate update/lock.

[apparentlymart]

As far as I know we've not been able to prioritize this for the OpenTofu Core team just yet, but it seems like the existing support for Terraform in OpenTofu was entirely community contributed and so it seems like the Dependabot folks don't require that these integrations be maintained by the same folks that are maintaining the corresponding toolchain and so if someone interested in this issue wanted to follow their instructions in Contributing new ecosystems to get this discussion started, that seems like it should be fine.

I note that at the time of writing there seem to be a lot of open issues related to dependabot's Terraform support, and so I wouldn't be surprised if the Dependabot folks say that they'd rather share as much code as possible between these two ecosystems to avoid effectively duplicating that entire backlog of work. 😖 But starting the discussion seems like the main thing, and then we (the OpenTofu community at large and the core team) can react to whatever the maintainers suggest.

We do still need to figure out how to reconcile the fact that OpenTofu v1.8 made module dependencies potentially require input variables for the first time, but that's a design detail we can discuss once we have a better idea of how the Dependabot maintainers would prefer this work to happen.

[rdhar]

Appreciate your input, @apparentlymart. Hoping to clarify a few deets, if that's alright.

I wouldn't be surprised if the Dependabot folks say that they'd rather share as much code as possible between these two ecosystems to avoid effectively duplicating that entire backlog of work.

We do still need to figure out how to reconcile the fact that OpenTofu v1.8 made module dependencies potentially require input variables for the first time

While I get wanting to minimise duplication, these statements conflict with each other. The advent of OpenTofu v1.8's early evaluation of variables (including module versions) is exactly what necessitates this request. And it's this same unique feature of OpenTofu which makes it somewhat incompatible with Terraform's subpar implementation.

While community-driven contribution would be stellar, I wonder if Dependabot support might be a core priority, given that it's currently number 10 on the top-ranked issues.

But starting the discussion seems like the main thing, and then we (the OpenTofu community at large and the core team) can react to whatever the maintainers suggest.

Totally agreed, and raised during 2025-01-15 Public Engineering Sync to discover there may be some progress on this already.