Guides
Log InSign UpBlog

Dependatabot

Suggest Edits

Overview

This guide provides instructions on configuring Dependabot to work with the Scalr private module registry. Dependabot will automatically check for updates to Terraform modules stored in Scalr and create pull requests to update them.

Prerequisites

Before proceeding, ensure you have the following:

  • A Scalr account with private modules published to the modules registry.
  • A GitHub repository containing Terraform code that references Scalr modules.
  • GitHub Dependabot enabled for your repository.

Step 1: Obtain a fine-grained Scalr API access token

First of all, you need to create a custom role with very limited access to Scalr API. To read all modules (both from the account and environment scopes) the API key has to be granted the following permissions:

  1. Go to Security > IAM > Roles.
  2. Click on the "New role"
  3. Enter a role name, e.g. Dependatabot
  4. Click on the "Add permissions" and add the following permissions: environments:read and modules:read

Create a service account and assign the role from the previous step:

  1. Go to Security > IAM > Service Accounts.
  2. Click on the "New service account"
  3. Enter a name, e.g. dependatabot
  4. Click on "Grant access", select the role selected in the previous step, and keep "Grant On" as "Account".
  5. Optionally, Owners of the service accounts. More about owners you can read here.

After a service account is created, generate the API access token by clicking on the Generate token. Alternatively. you can use the following OpenTofu/Terraform example to generate the API token:

terraform {
  required_providers {
    scalr = {
      source  = "scalr/scalr"
      version = "=> 2.0"
    }
  }
}

variable "account_id" {
  type = string
  description = "The Scalr Account ID. Can be obtained in the Administration dashboard > Account Info."
}

resource "scalr_role" "dependatabot" {
  name        = "dependatabot"
  description = "Role to be used by Dependatabot to check if outdated Terraform modules are used"
  permissions = [
    "environments:read",
    "modules:read",
  ]
}

resource "scalr_service_account" "dependatabot" {
  name        = "dependatabot"
  description = "Used by Dependatabot to check if outdated Terraform modules are used by workspaces"
}

resource "scalr_access_policy" "dependatabot" {
  scope {
    id   = var.account_id
    type = "account"
  }

  subject {
    id   = scalr_service_account.dependatabot.id
    type = "service_account"
  }

  role_ids = [
    scalr_role.dependatabot.id
  ]
}

resource "scalr_service_account_token" "dependatabot" {
  service_account_id = scalr_service_account.dependatabot.id
  description = scalr_service_account.dependatabot.description
}

output "token" {
  sensitive = true
  value = scalr_service_account_token.dependatabot.token
}

Step 2: Store Scalr API Token in GitHub Secrets

  1. Navigate to your repository on GitHub.
  2. Go to Settings > Secrets and variables > Dependatabot.
  3. Click New repository secret.
  4. Add the following secret:
    • Name: SCALR_REGISTRY_TOKEN
    • Value: Your Scalr API token from the previous step.
  5. Save the secret.

Step 3: Configure .github/dependabot.yml

Create or update the .github/dependabot.yml file in your repository with the following content:

version: 2
updates:
  - package-ecosystem: "terraform"
    directory: "/"  # Adjust if your Terraform code is in a subdirectory
    schedule:
      interval: "weekly" # Options: daily, weekly, monthly
    registries:
      - scalr-private-registry

registries:
  scalr-private-registry:
    type: "terraform-registry"
    url: "https://your-account.scalr.io"
    token: "${{secrets.SCALR_REGISTRY_TOKEN}}"

Explanation:

  • package-ecosystem: "terraform" tells Dependabot to check Terraform dependencies.
  • directory: "/" specifies where the Terraform code is located. Add multiple entries if needed for subdirectories.
  • schedule.interval: "weekly" defines how often Dependabot checks for updates.
  • The registries section configures Dependabot to authenticate with Scalr using the API token.

Step 4: Commit and Push Changes

  1. Add the .github/dependabot.yml file to your repository.
  2. Commit and push the changes.
  3. Navigate to Pull Requests > Dependabot in GitHub to verify that Dependabot is fetching updates.

Troubleshooting

  • Dependabot not creating PRs? Check the Dependabot logs under Settings > Security & analysis > Dependabot.
  • Authentication issues? Ensure your Scalr API token is valid and stored correctly in GitHub secrets.
  • No updates detected? Confirm that your Terraform modules in Scalr have new versions available.

Conclusion

Integrating Scalr's private module registry with Dependabot ensures that your Terraform code stays up-to-date with minimal manual effort. This setup helps maintain security, compliance, and efficiency in your infrastructure management

Updated about 20 hours ago