Clarify what all sources are supported for Terraform Dependency Updates

[captn3m0]

What article on docs.github.com is affected?

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

What part(s) of the article would you like to see updated?

Terraform section.

Additional information

Terraform supports the following sources:

• Local paths
• Terraform Registry
• GitHub
• Bitbucket
• Generic Git, Mercurial repositories
• HTTP URLs
• S3 buckets
• GCS buckets
• Modules in Package Sub-directories

Out of these, it is very unclear which all are supported by Dependabot.

---

Update following discussion below

Answer

For anyone else with the same question, the answer was:

Dependabot can be used to manage version updates for dependencies that are stored in GitHub for all the supported package managers. In addition, for some package managers, you can include a registries section in your configuration file to allow access to private registries. This is supported for Terraform, see Configuration options for private registries.

If you need to access dependencies in git hosted by other services, like GitLab and BitBucket, you can add the git option to your registries section. See Configuration options for dependency updates.

Content design plan

"Supported repositories and ecosystems" section of About Dependabot version updates

• Update the introduction to mention that dependencies in private registeries are also supported (similar to the mention of vendored dependencies).
• Update the link to the article with configuration options - link to both the #vendor anchor and also the #registries anchor.

"package-ecosystem" section of Configuration options for dependency updates

• Add a brief sentence, similar to that for vendor mentioning private registries and linking to registries.

"Configuration options for private registries" section of Configuration options for dependency updates

• Add a brief sentence to the first paragraph, mentioning that you can give Dependabot access to private package registries hosted by GitLab or Bitbucket by specifying a type of git and linking to git.

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[ramyaparimi]

@captn3m0 Thanks so much for opening an issue! I'll triage this for the team to take a look 👀

[felicitymay]

@captn3m0 👋🏻

Dependabot can be used to manage version updates for dependencies that are stored in GitHub. You can also include a registries section in your configuration file to allow access to Terraform registries.

If you need to access dependencies in git hosted on other services, like GitLab and BitBucket, you can add the git option to your registries section. See Configuration options for dependency updates.

[captn3m0]

A note about Mercurial repos and S3 buckets not being supported would be nice.

[felicitymay]

I'm out of time today, but will come back to this issue and suggest a change to the docs to make this clearer when I get an opportunity. It's difficult to get the right balance in keeping a readable table as well as providing detailed information.

[felicitymay]

I've updated the issue summary with the information from our discussions and a plan for content changes to make the support clearer. I've also added a note to an internal issue so that when we next refactor these articles, we take your full feedback into account.