AWS Machine Image clarification needed for hosted instances

[chkpwd]

I've configured a custom regex manager in .renovate/customManagers.json5 to detect AMI IDs in Terraform files:

{
  customType: "regex",
  description: "Detect AMI changes in Terraform",
  managerFilePatterns: [
    "^terraform/aws/.+\\.(tf|tofu)$"
  ],
  matchStrings: [
    ".*amiFilter=(?<packageName>.*?)\\n(.*currentImageName=(?<currentDigest>.*?)\\n)?(.*\\n)?.*?(?<depName>[a-zA-Z0-9-_:]*)[ ]*?[:|=][ ]*?[\"|']?(?<currentValue>ami-[a-z0-9]{17})[\"|']?.*",
  ],
  datasourceTemplate: "aws-machine-image",
  versioningTemplate: "aws-machine-image",
}

1. File Matching Conflict

The built-in terraform manager is matching terraform/aws/*.tf files before the custom regex manager can process them. This prevents the custom manager from detecting AMI IDs.
Current state in renovate.json5:

terraform: {
  managerFilePatterns: ["/^terraform/.+\\.tf$/"],
},

This pattern matches ALL terraform files including terraform/aws/*.tf.
Attempted solution: Using negative lookahead regex to exclude terraform/aws/:

terraform: {
  managerFilePatterns: ["/^terraform/(?!aws/).+\\.tf$/"],
},

I'd imagine this failed because Renovate's regex parser doesn't support lookahead?

2. AWS Credentials Configuration

According to the Renovate docs for aws-machine-image, AWS credentials can be provided via:

• Environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE
• Or via ~/.aws/config and ~/.aws/credentials files
  However, the documentation is unclear about:

1. Host Rules vs Environment Variables: Should AWS credentials be configured via Renovate's hostRules configuration, or via environment variables/secrets (i.e. prefixed with MEND_*)?

2. How to exclude specific directories from the terraform manager so a custom regex manager can handle them?

3. What's the correct way to configure AWS credentials for the aws-machine-image datasource?

   • Should we use hostRules with hostType: "aws-machine-image"?
   • Or should we use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)?
   • Or both?

example

Here's the current Terraform file structure im trying to monitor:

locals {
  # amiFilter=[{"Name":"owner-id","Values":["136693071363"]},{"Name":"name","Values":["debian-12-amd64-*"]}]
  # currentImageName=debian-12-amd64-20230711
  ami = "ami-023a5c1706f994759"
}

Renovate user with perms:
https://github.com/chkpwd/iac/blob/main/terraform/aws/directory.tf

Custom Manager:
https://github.com/chkpwd/iac/blob/main/.renovate/customManagers.json5#L14

And my renovate file:
https://github.com/chkpwd/iac/blob/main/renovate.json5