
Configure Dependabot to update Terraform module versions daily #60

Open
wants to merge 1 commit into
base: main

Conversation

makhtar-ch
Contributor

Change description

Try to leverage Dependabot to update TF modules and put up a PR.

Work checklist

  • Tests added where applicable
  • UI changes look good on mobile
  • UI changes meet accessibility criteria

Merge instructions

We are committed to keeping commit history clean, consistent and linear. To achieve this, commits should be structured as follows:

<type>[optional scope]: <description>

and contain the following structural elements:

  • fix: a commit that patches a bug in your codebase (this correlates with PATCH in semantic versioning),
  • feat: a commit that introduces a new feature to the codebase (this correlates with MINOR in semantic versioning),
  • BREAKING CHANGE: a commit that has a footer BREAKING CHANGE: introduces a breaking API change (correlating with MAJOR in semantic versioning). A BREAKING CHANGE can be part of commits of any type,
  • types other than fix: and feat: are allowed, for example build:, chore:, ci:, docs:, style:, refactor:, perf:, test:, and others,
  • footers other than BREAKING CHANGE: <description> may be provided.

Comment on lines +12 to +17

- package-ecosystem: "terraform"
directory: "terraform/groups/ecs-service"
schedule:
interval: "daily"
versioning-strategy: "increase"

@marcransome marcransome Nov 27, 2024


The versioning-strategy attribute isn't supported for the Terraform ecosystem so this can be removed, and a daily frequency is likely to generate excessive pull requests—weekly should suffice for these kinds of updates.

You'll also need to introduce configuration for a registry to support Terraform updates for this project as it uses modules from a private terraform-modules GitHub repository here and here.

I would also recommend grouping updates (per package manager) as it can reduce the number of open pull requests and maintenance burden, generally making things easier to manage:

Suggested change
- package-ecosystem: "terraform"
directory: "terraform/groups/ecs-service"
schedule:
interval: "daily"
versioning-strategy: "increase"
- package-ecosystem: "terraform"
directory: "terraform/groups/ecs-service"
schedule:
interval: "weekly"
registries:
github-dependabot:
type: git
url: https://github.com
username: x-access-token
password: ${{secrets.DEPENDABOT_GITHUB_ACCESS_TOKEN}}
groups:
version-updates:
applies-to: "version-updates"
patterns:
- "*"
security-updates:
applies-to: "security-updates"
patterns:
- "*"
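Review bot: in the suggested change, confirm that the `registries:` definition (`github-dependabot:` with `type: git`, `url`, `username`, `password`) sits at the top level of dependabot.yml and that the terraform update entry references it by name (`registries:` followed by `- github-dependabot`), because the flattened indentation here reads as if the whole definition were nested under the update entry alongside `schedule:` and `groups:`, which Dependabot's schema does not accept. Also scope `DEPENDABOT_GITHUB_ACCESS_TOKEN` to read-only access on the private terraform-modules repository rather than a broadly scoped personal token: Dependabot only needs it to clone module sources, so a fine-grained token limited to that repository keeps the blast radius small if the secret ever leaks.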

This would require the introduction of a DEPENDABOT_GITHUB_ACCESS_TOKEN Dependabot secret, either at the repository or organisation level. We've previously implemented this across several projects at the repository level (prior to the migration to GitHub Enterprise) but this would be best implemented as an organisation secret now.


The main issue with adopting Dependabot is the lack of ownership across projects in general—I can see from the existing configuration for the npm ecosystem that updates aren't being merged; instead Dependabot is closing them and replacing them as newer versions of dependencies become available. It will eventually disable itself after a 90-day window if it goes unmaintained. This is something you'll want to escalate as we've already seen this in other projects where Dependabot pull requests are ignored and have no real meaningful value as a result.
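A complete dependabot.yml laid out with the nesting the suggested change above implies, as an added example for this thread rather than a file from the project. The registry name, secret name, ecosystem, schedule and group names are taken from the suggestion; the `version: 2` header, the top-level `registries:` block and the per-update `registries` reference list follow Dependabot's documented schema; the directory path is kept as written in the PR. The point of spelling it out is that the GitHub-rendered suggestion loses indentation, which hides where the registry definition lives relative to the update entry.

```yaml
# Added example: full dependabot.yml with the structure the review suggests.
version: 2

# Credentials are defined once at the top level and referenced by name below.
# The token only needs read access to the private terraform-modules repository.
registries:
  github-dependabot:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{ secrets.DEPENDABOT_GITHUB_ACCESS_TOKEN }}

updates:
  - package-ecosystem: "terraform"
    directory: "terraform/groups/ecs-service"
    schedule:
      # Weekly rather than daily to keep pull request volume manageable.
      interval: "weekly"
    # Reference (not define) the registry so Dependabot can resolve private modules.
    registries:
      - github-dependabot
    # One grouped PR for version bumps and one for security updates.
    groups:
      version-updates:
        applies-to: "version-updates"
        patterns:
          - "*"
      security-updates:
        applies-to: "security-updates"
        patterns:
          - "*"
```

Dependabot validates this file on every push to the default branch; a misplaced `registries` block or an unsupported key such as `versioning-strategy` under a terraform entry shows up as a configuration error in the repository's Dependabot tab rather than as a failing pull request, so checking that tab after merging is the quickest way to confirm the layout is accepted.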
