Renovate EE - Configuring Renovate for Terraform modules hosted in private repositories
Overview
When using Renovate with Terraform projects that reference modules hosted in private GitHub repositories, additional configuration is required to grant Renovate access to such repositories for dependency updates.
Problem Description
Consider a Terraform configuration that references a module from a private repository:
module "rds" {
source = "git::<https://github.com/democorp-renovate-ee/my-terraform-aws-rds.git?ref=v6.6.0>"
identifier = var.db_identifier
# ... other configuration
}
Without proper configuration, Renovate cannot:
Access the private repository to check for new versions
Update the module reference to newer versions
Provide security vulnerability information for the module
Error Symptoms
You may encounter errors such as:
"msg":"Failed to look up github-tags package democorp-renovate-ee/my-terraform-aws-rds"
in Renovate logsFailed dependency updates for Terraform modules in the Dependency Dashboard
Solutions
To enable Renovate to access Terraform modules hosted in private GitHub repositories, you have three configuration options. Note that these options apply specifically to Terraform modules sourced directly from private Git repositories (e.g., git::<https://github.com/...
).> For modules hosted in private package registries like the Terraform Registry or private registries, different authentication methods / package rules definitions may be required.
Option 1: Same GitHub Organization (Recommended)
If the private repositories hosting your modules are in the same GitHub organization, simply add them to your Renovate GitHub app installation.
Steps:
Navigate to your GitHub organization settings
Go to "Third-party Access" → "GitHub Apps"
Find your Renovate app installation
Add the private repositories containing your Terraform modules to the app's repository access list
You are not required to onboard the private repositories to Renovate
Advantages:
Simplest configuration approach
No additional tokens required
Inherits existing permissions automatically
Option 2: Host Rules with Encrypted Tokens
If Option 1 isn't feasible, you can configure a host rule in your repository as follows:
"hostRules": [
{
"matchHost": "<https://api.github.com/repos/{org_name}/{private_repo_hosting_modules}>",
"encrypted": {
"token": "fine-grained-github-token-with-access-to-private-repo"
},
"hostType": "github"
}
]
Token Requirements:
Fine-grained personal access token (a GitHub token with limited, specific permissions)
Repository access to the private repository
Contents: Read
permission (minimum required)Metadata: Read
permission
Encryption Configuration:
Token encryption can be configured as described in the Renovate documentation.
Option 3: Environment Variables and Secrets
When it is not desirable to include encrypted secrets in your repository configuration, follow these steps:
Environment Variable Setup
Define an environment variable in the worker pod with a fine-grained token that grants access to the remote repositories hosting your Terraform modules:
YAML- name: PRIVATE_REPO_TERRAFORM_MODULE_TOKEN valueFrom: secretKeyRef: name: renovate-secrets key: terraform-module-token
Config.js Mapping
In your
config.js
file, map the environment variable to a secret:JSmodule.exports = { // ... other configuration "secrets": { "PRIVATE_REPO_TERRAFORM_MODULE_TOKEN": process.env.PRIVATE_REPO_TERRAFORM_MODULE_TOKEN }, // ... other configuration }
Host Rule Definition
Define a host rule in your repository configuration:
JSON"hostRules": [ { "matchHost": "<https://api.github.com/repos/{org_name}/{private_repo_hosting_modules}>", "token": "{{ secrets.PRIVATE_REPO_TERRAFORM_MODULE_TOKEN }}", "hostType": "github" } ]