
Renovate EE - Configuring Renovate for Terraform modules hosted in private repositories

Overview

When using Renovate with Terraform projects that reference modules hosted in private GitHub repositories, additional configuration is required to grant Renovate access to such repositories for dependency updates.

Problem Description

Consider a Terraform configuration that references a module from a private repository:

HCL
module "rds" {
  source = "git::https://github.com/democorp-renovate-ee/my-terraform-aws-rds.git?ref=v6.6.0"
  
  identifier = var.db_identifier
  # ... other configuration
}

Without proper configuration, Renovate cannot:

  • Access the private repository to check for new versions

  • Update the module reference to newer versions

  • Provide security vulnerability information for the module

Error Symptoms

You may encounter errors such as:

  • "msg":"Failed to look up github-tags package democorp-renovate-ee/my-terraform-aws-rds" in Renovate logs

  • Failed dependency updates for Terraform modules in the Dependency Dashboard
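The lookup failure above is easiest to spot by filtering Renovate's JSON logs rather than reading them by hand. The following script is an added example, not part of this documentation or of Renovate itself; it assumes Renovate writes one JSON object per line with `msg`, `level`, `repository` and `time` fields (the bunyan-style format Renovate uses), and the log lines embedded in it are constructed for illustration. It extracts every failed package lookup and summarizes them per module, so the operator sees each inaccessible private module once together with how often and from which scanned repository it failed.

```javascript
// Added example (not from the Renovate docs): triage Renovate JSON log lines
// for failed github-tags lookups, the symptom of a Terraform module in a
// private repository that Renovate cannot reach.
// Assumption: one JSON object per line with "msg", "level", "repository" and
// "time" fields. The sample lines below are constructed; level 40 = warn.
const SAMPLE_LOG = [
  '{"name":"renovate","level":30,"repository":"democorp-renovate-ee/infra","msg":"Repository started","time":"2024-01-01T00:00:00.000Z"}',
  '{"name":"renovate","level":40,"repository":"democorp-renovate-ee/infra","msg":"Failed to look up github-tags package democorp-renovate-ee/my-terraform-aws-rds","time":"2024-01-01T00:00:01.000Z"}',
  '{"name":"renovate","level":40,"repository":"democorp-renovate-ee/infra","msg":"Failed to look up github-tags package democorp-renovate-ee/my-terraform-aws-vpc","time":"2024-01-01T00:00:02.000Z"}',
  'this line is not JSON and must be skipped',
  '{"name":"renovate","level":40,"repository":"democorp-renovate-ee/infra","msg":"Failed to look up github-tags package democorp-renovate-ee/my-terraform-aws-rds","time":"2024-01-01T00:00:03.000Z"}',
].join('\n');

// Matches the message shape shown in the "Error Symptoms" section.
const LOOKUP_FAILURE = /^Failed to look up (?<datasource>[\w-]+) package (?<pkg>\S+)$/;

// Parse JSON log lines, tolerate non-JSON noise, and return one record per
// failed lookup: { datasource, package, repository, time }.
function findLookupFailures(logText) {
  const failures = [];
  for (const line of logText.split('\n')) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // banner, stack-trace fragment or other non-JSON line
    }
    const m = typeof entry.msg === 'string' ? entry.msg.match(LOOKUP_FAILURE) : null;
    if (!m) continue;
    failures.push({
      datasource: m.groups.datasource,
      package: m.groups.pkg,
      repository: entry.repository,
      time: entry.time,
    });
  }
  return failures;
}

// Group failures by package for one datasource (default github-tags, which
// is what Renovate uses for git::https://github.com/... module sources) so
// each unreachable module is listed once with a count and the repositories
// that reference it. Sorted by count (descending), then by package name.
function summarizeByPackage(failures, datasource = 'github-tags') {
  const summary = new Map();
  for (const f of failures) {
    if (f.datasource !== datasource) continue;
    const s = summary.get(f.package) ?? { count: 0, repositories: new Set() };
    s.count += 1;
    s.repositories.add(f.repository);
    summary.set(f.package, s);
  }
  return [...summary.entries()]
    .map(([pkg, s]) => ({ package: pkg, count: s.count, repositories: [...s.repositories].sort() }))
    .sort((a, b) => b.count - a.count || a.package.localeCompare(b.package));
}

function main() {
  for (const row of summarizeByPackage(findLookupFailures(SAMPLE_LOG))) {
    console.log(`${row.package}: ${row.count} failed lookup(s) from ${row.repositories.join(', ')}`);
  }
}
main();
```

Every package the summary lists is a private repository that Renovate could not read, so the list doubles as the set of repositories to add to the app installation (Option 1) or to cover with a host rule (Options 2 and 3).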

Solutions

To enable Renovate to access Terraform modules hosted in private GitHub repositories, you have three configuration options. Note that these options apply specifically to Terraform modules sourced directly from private Git repositories (e.g., git::https://github.com/...). For modules hosted in private package registries, such as a private Terraform Registry, different authentication methods or package rule definitions may be required.

Option 1: Same GitHub Organization (Recommended)

If the private repositories hosting your modules are in the same GitHub organization, simply add them to your Renovate GitHub app installation.

Steps:

  1. Navigate to your GitHub organization settings

  2. Go to "Third-party Access" → "GitHub Apps"

  3. Find your Renovate app installation

  4. Add the private repositories containing your Terraform modules to the app's repository access list

  5. You are not required to onboard the private repositories to Renovate

Advantages:

  • Simplest configuration approach

  • No additional tokens required

  • Inherits existing permissions automatically

Option 2: Host Rules with Encrypted Tokens

If Option 1 isn't feasible, you can configure a host rule in your repository as follows:

JSON
"hostRules": [
  {
    "matchHost": "https://api.github.com/repos/{org_name}/{private_repo_hosting_modules}",
    "encrypted": {
      "token": "fine-grained-github-token-with-access-to-private-repo"
    },
    "hostType": "github"
  }
]

Token Requirements:

  • Fine-grained personal access token (a GitHub token with limited, specific permissions)

  • Repository access to the private repository

  • Contents: Read permission (minimum required)

  • Metadata: Read permission

Encryption Configuration:
Token encryption can be configured as described in the Renovate documentation.

Option 3: Environment Variables and Secrets

When it is not desirable to include encrypted secrets in your repository configuration, follow these steps:

  1. Environment Variable Setup

    Define an environment variable in the worker pod with a fine-grained token that grants access to the remote repositories hosting your Terraform modules:

    YAML
    - name: PRIVATE_REPO_TERRAFORM_MODULE_TOKEN
      valueFrom:
        secretKeyRef:
          name: renovate-secrets
          key: terraform-module-token
  2. Config.js Mapping

    In your config.js file, map the environment variable to a secret:

    JS
    module.exports = {
      // ... other configuration
      "secrets": {
        "PRIVATE_REPO_TERRAFORM_MODULE_TOKEN": process.env.PRIVATE_REPO_TERRAFORM_MODULE_TOKEN
      },
      // ... other configuration
    }
  3. Host Rule Definition

    Define a host rule in your repository configuration:

    JSON
    "hostRules": [
      {
        "matchHost": "https://api.github.com/repos/{org_name}/{private_repo_hosting_modules}",
        "token": "{{ secrets.PRIVATE_REPO_TERRAFORM_MODULE_TOKEN }}",
        "hostType": "github"
      }
    ]
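Options 2 and 3 both put a host rule into a file that is committed to the repository, so the one mistake worth guarding against is a token that ends up there as a plaintext literal instead of inside "encrypted" (Option 2) or as a "{{ secrets.NAME }}" template (Option 3). The following linter is an added example, not part of this documentation or of Renovate; it reads a parsed repository config object and reports host rules whose token is a plaintext literal, whose "encrypted" value looks like a raw GitHub token (the `ghp_` and `github_pat_` prefixes are GitHub's real token prefixes; everything else in the sample configs, including the token values, is constructed), or whose matchHost is not a bare hostname or a well-formed https URL. The accepted token forms mirror the two configurations shown above.

```javascript
// Added example (not from the Renovate docs): lint the hostRules of a
// repository Renovate config before committing it.
// Accepted token forms, matching Options 2 and 3 above:
//   - "encrypted": { "token": "<blob>" }        (Option 2)
//   - "token": "{{ secrets.NAME }}"              (Option 3)
// Anything else stored under "token"/"password" is treated as a plaintext
// secret. The configs below are constructed samples.
const SECRET_TEMPLATE = /^\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$/;
// Real GitHub token prefixes (classic and fine-grained); used only to spot a
// raw token pasted where an encrypted blob belongs.
const RAW_GITHUB_TOKEN = /^(ghp_|github_pat_)/;

const GOOD_CONFIG = {
  hostRules: [
    { // Option 3 style: token is a secrets template resolved at runtime
      matchHost: 'https://api.github.com/repos/democorp-renovate-ee/my-terraform-aws-rds',
      token: '{{ secrets.PRIVATE_REPO_TERRAFORM_MODULE_TOKEN }}',
      hostType: 'github',
    },
    { // Option 2 style: token is stored encrypted (placeholder blob)
      matchHost: 'https://api.github.com/repos/democorp-renovate-ee/my-terraform-aws-vpc',
      encrypted: { token: 'ENCRYPTED_BLOB_PLACEHOLDER' },
      hostType: 'github',
    },
  ],
};

const BAD_CONFIG = {
  hostRules: [
    { // angle brackets left in the URL, and a raw (constructed) token committed in plaintext
      matchHost: '<https://api.github.com/repos/democorp-renovate-ee/my-terraform-aws-rds>',
      token: 'github_pat_CONSTRUCTED_EXAMPLE_VALUE',
      hostType: 'github',
    },
    { // plain http, and a raw (constructed) token pasted under "encrypted"
      matchHost: 'http://api.github.com/repos/democorp-renovate-ee/my-terraform-aws-vpc',
      encrypted: { token: 'ghp_CONSTRUCTED_EXAMPLE_VALUE' },
      hostType: 'github',
    },
  ],
};

// Returns a problem string or null. matchHost may be a bare hostname
// ("api.github.com") or a URL prefix; URL prefixes must be https.
function matchHostProblem(matchHost) {
  if (typeof matchHost !== 'string' || matchHost.length === 0) return 'matchHost missing';
  if (/[<>\s]/.test(matchHost)) return 'matchHost contains angle brackets or whitespace';
  if (matchHost.includes('://')) {
    try {
      const u = new URL(matchHost);
      if (u.protocol !== 'https:') return `matchHost uses ${u.protocol} instead of https:`;
    } catch {
      return 'matchHost is not a valid URL';
    }
  }
  return null;
}

// Returns a list of { index, problem }; an empty list means the hostRules
// are clean. Findings for one rule are ordered: matchHost, token, password,
// encrypted.
function lintHostRules(config) {
  const findings = [];
  const rules = Array.isArray(config.hostRules) ? config.hostRules : [];
  rules.forEach((rule, index) => {
    const hostProblem = matchHostProblem(rule.matchHost);
    if (hostProblem) findings.push({ index, problem: hostProblem });
    for (const field of ['token', 'password']) {
      if (typeof rule[field] === 'string' && !SECRET_TEMPLATE.test(rule[field])) {
        findings.push({ index, problem: `${field} is a plaintext literal; use "encrypted" or a {{ secrets.NAME }} template` });
      }
    }
    const enc = rule.encrypted && rule.encrypted.token;
    if (typeof enc === 'string' && RAW_GITHUB_TOKEN.test(enc)) {
      findings.push({ index, problem: 'encrypted.token looks like a raw GitHub token, not an encrypted blob' });
    }
  });
  return findings;
}

function main() {
  for (const [name, cfg] of [['GOOD_CONFIG', GOOD_CONFIG], ['BAD_CONFIG', BAD_CONFIG]]) {
    const findings = lintHostRules(cfg);
    console.log(`${name}: ${findings.length === 0 ? 'clean' : findings.map(f => `hostRules[${f.index}]: ${f.problem}`).join('; ')}`);
  }
}
main();
```

Running this as a pre-commit or CI step on the repository's Renovate config catches the plaintext-token mistake before the token is pushed; if it is ever committed, treat the token as exposed and rotate it regardless of whether the commit is later amended.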