Added webhook support (#20)

* feat: added webhook and build configs support

* refactor: rename webhook_urls to webhooks

- Updated README.md to reflect the new variable name
- Modified main.tf to use the new variable name
- Changed the variable name in variables.tf to webhooks

.github/renovate.json

@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base",
+ ":semanticCommitTypeAll(chore)"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true,
+ "extends": [
+ "schedule:weekly"
+ ]
+ },
+ "nix": {
+ "enabled": true
+ }
+}

.github/workflows/terraform.yaml

@@ -0,0 +1,39 @@
+name: terraform
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+env:
+ CACHIX_BINARY_CACHE: altf4llc-os
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ name: ${{ env.CACHIX_BINARY_CACHE }}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just check
+
+ package:
+ needs:
+ - check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ name: ${{ env.CACHIX_BINARY_CACHE }}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just package

.gitignore

@@ -1,13 +1,9 @@
-# Nix directories
 .direnv
-result
+*.tfplan
 
 # Local .terraform directories
 **/.terraform/*
 
-# Terraform lockfile
-.terraform.lock.hcl
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -17,8 +13,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -39,3 +35,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl

README.md

@@ -19,13 +19,13 @@ teams = { "1234567890" = "maintain" }
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_github"></a> [github](#requirement\_github) | 6.0.0 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_github"></a> [github](#provider\_github) | 6.0.0 |
+| <a name="provider_github"></a> [github](#provider\_github) | ~> 6.0 |
 
 ## Modules
 
@@ -35,9 +35,10 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [github_branch_protection.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/branch_protection) | resource |
-| [github_repository.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/repository) | resource |
-| [github_team_repository.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/team_repository) | resource |
+| [github_branch_protection.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) | resource |
+| [github_repository.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [github_repository_webhook.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_webhook) | resource |
+| [github_team_repository.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository) | resource |
 
 ## Inputs
 
@@ -71,6 +72,7 @@ No modules.
 | <a name="input_topics"></a> [topics](#input\_topics) | The topics of the repository | `list(string)` | `[]` | no |
 | <a name="input_visibility"></a> [visibility](#input\_visibility) | The visibility of the repository | `string` | `"private"` | no |
 | <a name="input_vulnerability_alerts"></a> [vulnerability\_alerts](#input\_vulnerability\_alerts) | Whether the repository has vulnerability alerts enabled | `bool` | `false` | no |
+| <a name="input_webhooks"></a> [webhooks](#input\_webhooks) | The URLs of the webhooks | <pre>list(object({<br> active = bool<br> events = list(string)<br> content_type = string<br> url = string<br> }))</pre> | `[]` | no |
 
 ## Outputs
 

build-configs.yaml

@@ -0,0 +1,9 @@
+---
+name: terraform-github-repository
+template: terraform-module
+parameters:
+ nix:
+ cachix:
+ binaryCache: altf4llc-os
+ providers:
+ - github

flake.nix

@@ -1,33 +1,23 @@
 {
- description = "terraform-github-repository";
-
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 
  outputs = inputs @ {
  flake-parts,
  nixpkgs,
  ...
  }:
  flake-parts.lib.mkFlake {inherit inputs;} {
- systems = ["x86_64-linux" "aarch64-darwin" "x86_64-darwin"];
+ systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
+
  perSystem = {
  config,
- self',
- inputs',
  pkgs,
  system,
  ...
  }: let
- inherit (pkgs) just terraform-docs;
- terraform = pkgs.terraform.withPlugins (p: [
- (pkgs.terraform-providers.mkProvider {
- hash = "sha256-y8DMpNSySMbe7E+sGVQcQdEyulq4Wnp5ryYD7FQO/fc=";
- homepage = "https://registry.terraform.io/providers/integrations/github";
- owner = "integrations";
- repo = "terraform-provider-github";
- rev = "v6.0.0";
- vendorHash = null;
- })
+ inherit (pkgs) just mkShell terraform-docs;
+ terraform = pkgs.terraform.withPlugins (ps: [
+ ps.github
  ]);
  in {
  _module.args.pkgs = import nixpkgs {
@@ -36,10 +26,10 @@
  };
 
  devShells = {
- default = pkgs.mkShell {
- buildInputs = [
+ default = mkShell {
+ inputsFrom = [config.packages.default];
+ nativeBuildInputs = [
  just
- terraform
  terraform-docs
  ];
  };
@@ -49,13 +39,13 @@
  default =
  pkgs.runCommand "default"
  {
+ nativeBuildInputs = [terraform];
  src = ./.;
  } ''
  mkdir -p $out
  cp -R $src/*.tf $out
-
- ${terraform}/bin/terraform -chdir="$out" init
- ${terraform}/bin/terraform -chdir="$out" validate
+ terraform -chdir="$out" init
+ terraform -chdir="$out" validate
  '';
  };
  };

justfile

@@ -1,23 +1,6 @@
 _default:
  just --list
 
-build:
- nix build --json --no-link --print-build-logs
-
-cache-build cache_name="altf4llc-os":
- just build \
- | jq -r '.[].outputs | to_entries[].value' \
- | cachix push {{ cache_name }}
-
-cache-inputs cache_name="altf4llc-os":
- nix flake archive --json \
- | jq -r '.path,(.inputs|to_entries[].value.path)' \
- | cachix push "{{ cache_name }}"
-
-cache-shell cache_name="altf4llc-os":
- nix develop --profile "dev-profile" -c true
- cachix push "{{ cache_name }}" "dev-profile"
-
 check:
  nix flake check
 
@@ -29,5 +12,8 @@ docs:
 init:
  terraform init
 
+package:
+ nix build --json --no-link --print-build-logs .
+
 validate:
  terraform validate

main.tf

@@ -64,3 +64,17 @@ resource "github_branch_protection" "self" {
  required_approving_review_count = var.required_approving_review_count
  }
 }
+
+resource "github_repository_webhook" "self" {
+ for_each = toset(var.webhooks)
+
+ active = each.value.active
+ events = each.value.events
+ repository = github_repository.self.name
+
+ configuration {
+ content_type = each.value.content_type
+ insecure_ssl = false
+ url = each.value.url
+ }
+}

variables.tf

@@ -180,3 +180,14 @@ variable "vulnerability_alerts" {
  description = "Whether the repository has vulnerability alerts enabled"
  type = bool
 }
+
+variable "webhooks" {
+ default = []
+ description = "The URLs of the webhooks"
+ type = list(object({
+ active = bool
+ events = list(string)
+ content_type = string
+ url = string
+ }))
+}

versions.tf

@@ -2,7 +2,7 @@ terraform {
  required_providers {
  github = {
  source = "integrations/github"
- version = "6.0.0"
+ version = "~> 6.0"
  }
  }
 }