Dependabot-core: Support Nested Terraform Code (HCL)

In general, the approach we take with recursive dependency file finding is:

• If the files are somehow linked (e.g., they reference each other, or have a top level file that lists all of them) then we download them all and update them all at once
• If the files aren't linked in any way then we don't crawl your repo looking for them - instead you need to add each directory manually in Dependabot (you can add the same "language" multiple times to a project - apologies for the confusing terminology)

What's the setup with Terraform? I'd like to improve the flow for setups that we don't bump all-at-once, but I think it's a UI tweak rather than a core change (i.e., making it easier to select them in the dashboard).

What do you reckon?

It's a bit of a bear to manually add every directory with terraform configurations into dependabot. Each directory with .tf files is really its own, independent terraform module.

Plus, the way dependabot is now, restructuring the repo would mean needing to also "fix" the dependabot config.

A better workflow to me would be to scan the repo for directories with .tf files, check each for module sources, and create separate PRs for each.

That makes sense to me. I think what's needed here is a better frontend for Dependabot for selecting multiple directories to apply it to, and an option to "always apply to all directories" or something like that (maybe with a blacklist).

Sounds like you think the backend implementation (separate PRs for each module) is basically correct, though?

Separate PRs for each updated "source" is my preference... That way each dependency update gets tested on it's own. If there are interrelated changes between dependencies needed to pass tests, I'd modify the PR myself.

Great. We're planning to work on the front-end a bunch over the next couple of months, so I should be able to get this sorted then.

Any updates on this? This would be a really awesome feature to have!

We haven't had a chance to work on the improved project-selection interface yet, but I'm still keen to do it. Will have an update in the next few weeks.

@greysteil awesome, thanks! I'll keep an eye out for updates.

I just added dependabot to a bunch of repos, several of which have multiple terraform stacks/modules. It would be cool to have the auto detect feature but I was still able to set everything up with the current config format so I'm pretty happy with that for now.

Any updates on this? Seems common to have Terraform modules as separate subdirectories and it can be tedious to add each one.