feat: add gh repo webhook stack

.checkov_config.yaml

@@ -0,0 +1,26 @@
+block-list-secret-scan: []
+branch: main
+download-external-modules: false
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+  - all
+quiet: true
+secrets-scan-file-type: []
+skip-check:
+  - CKV_K8S_10 # CPU requests should be set
+  - CKV_K8S_11 # CPU limits should be set
+  - CKV_K8S_12 # Memory requests should be set
+  - CKV_K8S_13 # Memory limits should be set
+  - CKV_K8S_14 # Image Tag should be fixed - not latest or blank
+  - CKV_K8S_15 # Image Pull Policy should be Always
+  - CKV_K8S_21 # The default namespace should not be used
+  - CKV_K8S_38 # Ensure that Service Account Tokens are only mounted where necessary
+  - CKV_K8S_43 # Image should use digest
+  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
+  - CKV2_K8S_6 # Minimize the admission of pods which lack an associated NetworkPolicy
+
+skip-framework: []
+skip-path:
+  - ".*/kustomization\\.yml"
+summary-position: bottom

.gitignore

@@ -40,3 +40,4 @@ terraform.rc
 # End of https://www.toptal.com/developers/gitignore/api/Terraform
 
 mkdocs
+**/.terraform.lock.hcl

Justfile

@@ -0,0 +1,11 @@
+create-tofu-stack dirname:
+  #!/usr/bin/env bash
+
+  mkdir -p $PWD/{{dirname}}
+  touch $PWD/{{dirname}}/{main,versions,variables,outputs}.tf
+
+checkov:
+  checkov -c .checkov_config.yaml -d .
+
+lint:
+  pre-commit run -a

docs/github-repo-webhook.md

@@ -0,0 +1,41 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | < 2 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | < 7 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | < 5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_github"></a> [github](#provider\_github) | 6.4.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_repository_webhook.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_webhook) | resource |
+| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_content_type"></a> [content\_type](#input\_content\_type) | The content type of the webhook | `string` | `"json"` | no |
+| <a name="input_events"></a> [events](#input\_events) | The events to trigger the webhook | `list(string)` | <pre>[<br/>  "push"<br/>]</pre> | no |
+| <a name="input_repository"></a> [repository](#input\_repository) | The repository to add the webhook to | `string` | n/a | yes |
+| <a name="input_secret_length"></a> [secret\_length](#input\_secret\_length) | The length of the webhook secret string | `number` | `32` | no |
+| <a name="input_webhook_url"></a> [webhook\_url](#input\_webhook\_url) | The URL to send the webhook to | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_secret_value"></a> [secret\_value](#output\_secret\_value) | n/a |

github-repo-webhook/README.md

@@ -0,0 +1,43 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | < 2 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | < 7 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | < 5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_github"></a> [github](#provider\_github) | 6.4.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_repository_webhook.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_webhook) | resource |
+| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_content_type"></a> [content\_type](#input\_content\_type) | The content type of the webhook | `string` | `"json"` | no |
+| <a name="input_events"></a> [events](#input\_events) | The events to trigger the webhook | `list(string)` | <pre>[<br/>  "push"<br/>]</pre> | no |
+| <a name="input_repository"></a> [repository](#input\_repository) | The repository to add the webhook to | `string` | n/a | yes |
+| <a name="input_secret_length"></a> [secret\_length](#input\_secret\_length) | The length of the webhook secret string | `number` | `32` | no |
+| <a name="input_webhook_url"></a> [webhook\_url](#input\_webhook\_url) | The URL to send the webhook to | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_secret_value"></a> [secret\_value](#output\_secret\_value) | n/a |
+<!-- END_TF_DOCS -->

github-repo-webhook/main.tf

@@ -0,0 +1,19 @@
+resource "random_password" "this" {
+  length  = var.secret_length
+  special = false
+}
+
+resource "github_repository_webhook" "this" {
+  repository = var.repository
+
+  configuration {
+    url          = var.webhook_url
+    content_type = var.content_type
+    secret       = random_password.this.result
+    insecure_ssl = false
+  }
+
+  active = true
+
+  events = var.events
+}

github-repo-webhook/outputs.tf

@@ -0,0 +1,4 @@
+output "secret_value" {
+  value     = random_password.this.result
+  sensitive = true
+}

github-repo-webhook/variables.tf

@@ -0,0 +1,29 @@
+variable "secret_length" {
+  description = "The length of the webhook secret string"
+  type        = number
+  default     = 32
+}
+
+variable "repository" {
+  description = "The repository to add the webhook to"
+  type        = string
+  nullable    = false
+}
+
+variable "webhook_url" {
+  description = "The URL to send the webhook to"
+  type        = string
+  nullable    = false
+}
+
+variable "content_type" {
+  description = "The content type of the webhook"
+  type        = string
+  default     = "json"
+}
+
+variable "events" {
+  description = "The events to trigger the webhook"
+  type        = list(string)
+  default     = ["push"]
+}

github-repo-webhook/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    random = {
+      source  = "hashicorp/random"
+      version = "< 5"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "< 7"
+    }
+  }
+
+  required_version = "< 2"
+}