Bring up to date

.github/workflows/lint-test.yml

@@ -0,0 +1,17 @@
+name: lint
+on:
+  push:
+jobs:
+  run:
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+    - uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.5.7
+
+    - name: lint
+      run: terraform fmt **/*.tf

.github/workflows/validate-renovate.yml

@@ -0,0 +1,21 @@
+name: validate renovate.json
+
+on:
+  pull_request:
+
+env:
+  LOG_LEVEL: debug
+
+jobs:
+  renovate-config-validator:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+        with:
+          node-version: 20
+
+      - run: npx -p renovate renovate-config-validator renovate.json

Dockerfile

@@ -1,6 +1,7 @@
-FROM debian:buster as builder
+FROM debian:bookworm as builder
 ARG DEBIAN_FRONTEND=noninteractive
-ARG VAULT_VERSION=1.12.3
+# renovate: datasource=github-releases depName=hashicorp-vault-cli packageName=hashicorp/vault
+ARG VAULT_VERSION=1.18.3
 RUN apt-get update && apt-get install -y wget unzip
 RUN wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
 RUN unzip vault_${VAULT_VERSION}_linux_amd64.zip

main.tf

@@ -6,14 +6,14 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.54.0"
+      version = "= 6.15.0"
     }
   }
 }
 
 locals {
   image_name = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)
-  kms_key = "vault"
+  kms_key    = "vault"
 }
 
 ## Create the GSA the Vault CloudRun deployment will run as
@@ -51,7 +51,7 @@ resource "google_artifact_registry_repository" "private" {
 
 data "google_artifact_registry_repository" "my-repo" {
   location      = var.country
-  repository_id = var.create_repository ? google_artifact_registry_repository.private[0].id : var.repository
+  repository_id = var.repository
 }
 
 # docker build vault server image
@@ -76,8 +76,8 @@ resource "docker_registry_image" "vault" {
 
 ## Create KMS keys
 resource "google_kms_key_ring" "vault-server" {
-  name       = "vault-server"
-  location   = "global"
+  name     = "vault-server"
+  location = "global"
 }
 
 resource "google_kms_crypto_key" "key" {
@@ -161,7 +161,7 @@ resource "google_cloud_run_v2_job" "vault-init" {
       service_account = google_service_account.gsa.email
       containers {
         name  = "vault-init"
-        image = "jcorall/vault-init:0.3.0"
+        image = var.init_image
 
         env {
           name  = "GOOGLE_PROJECT"

renovate.json

@@ -0,0 +1,34 @@
+{
+  "extends": [
+    "config:best-practices",
+    ":rebaseStalePrs",
+    "customManagers:dockerfileVersions"
+  ],
+  "enabledManagers": [
+    "custom.regex",
+    "dockerfile",
+    "github-actions",
+    "terraform"
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Update _VERSION variables in Dockerfiles",
+      "fileMatch": [
+        "(^|/|\\.)Dockerfile$",
+        "(^|/)Dockerfile\\.[^/]*$"
+      ],
+      "matchStrings": [
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>.+?) packageName=(?<packageName>.+?)(?: versioning=(?<versioning>[a-z-]+?))?\\s(?:ENV|ARG) .+?_VERSION=(?<currentValue>.+?)(\\s|$)"
+      ]
+    }
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "osvVulnerabilityAlerts": true,
+  "dependencyDashboardOSVVulnerabilitySummary": "unresolved",
+  "vulnerabilityAlerts": {
+    "enabled": true
+  }
+}

variables.tf

@@ -15,6 +15,11 @@ variable "repository" {
   default     = "private"
 }
 
+variable "init_image" {
+  type    = string
+  default = "joecorall/vault-init:0.4.0"
+}
+
 variable "create_repository" {
   type        = bool
   description = "Whether or not the AR repo needs to be created by this terraform"