cloudposse · SweetOps · Mar 1, 2021 · Feb 18, 2021 · Feb 22, 2021 · Feb 22, 2021
diff --git a/README.md b/README.md
@@ -276,18 +276,21 @@ Available targets:
 |------|---------|
 | terraform | >= 0.13.0 |
 | aws | >= 2.0 |
+| random | >=2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | >= 2.0 |
+| random | >=2.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | codebuild | cloudposse/codebuild/aws | 0.32.0 |
+| github_webhook | cloudposse/repository-webhooks/github | 0.12.0 |
 | this | cloudposse/label/null | 0.24.1 |
 
 ## Resources
@@ -296,12 +299,14 @@ Available targets:
 |------|
 | [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
 | [aws_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) |
+| [aws_codepipeline_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline_webhook) |
 | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
 | [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
 | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
 | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
 | [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
 | [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) |
+| [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) |
 
 ## Inputs
 
@@ -326,6 +331,8 @@ Available targets:
 | environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | <pre>list(object(<br>    {<br>      name  = string<br>      value = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "NO_ADDITIONAL_BUILD_VARS",<br>    "value": "TRUE"<br>  }<br>]</pre> | no |
 | force\_destroy | Force destroy the CI/CD S3 bucket even if it's not empty | `bool` | `false` | no |
 | github\_oauth\_token | GitHub Oauth Token | `string` | n/a | yes |
+| github\_webhook\_events | A list of events which should trigger the webhook. See a list of [available events](https://developer.github.com/v3/activity/events/types/) | `list(string)` | <pre>[<br>  "push"<br>]</pre> | no |
+| github\_webhooks\_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | `string` | `""` | no |
 | id\_length\_limit | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | image\_repo\_name | ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"UNSET"` | no |
 | image\_tag | Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"latest"` | no |
@@ -344,6 +351,11 @@ Available targets:
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
+| webhook\_authentication | The type of authentication to use. One of IP, GITHUB\_HMAC, or UNAUTHENTICATED | `string` | `"GITHUB_HMAC"` | no |
+| webhook\_enabled | Set to false to prevent the module from creating any webhook resources | `bool` | `false` | no |
+| webhook\_filter\_json\_path | The JSON path to filter on | `string` | `"$.ref"` | no |
+| webhook\_filter\_match\_equals | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no |
+| webhook\_target\_action | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no |
 | website\_bucket\_name | Name of the S3 bucket where the website will be deployed | `string` | `""` | no |
 
 ## Outputs

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -5,18 +5,21 @@
 |------|---------|
 | terraform | >= 0.13.0 |
 | aws | >= 2.0 |
+| random | >=2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | >= 2.0 |
+| random | >=2.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | codebuild | cloudposse/codebuild/aws | 0.32.0 |
+| github_webhook | cloudposse/repository-webhooks/github | 0.12.0 |
 | this | cloudposse/label/null | 0.24.1 |
 
 ## Resources
@@ -25,12 +28,14 @@
 |------|
 | [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
 | [aws_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) |
+| [aws_codepipeline_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline_webhook) |
 | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
 | [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
 | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
 | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
 | [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
 | [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) |
+| [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) |
 
 ## Inputs
 
@@ -55,6 +60,8 @@
 | environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | <pre>list(object(<br>    {<br>      name  = string<br>      value = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "NO_ADDITIONAL_BUILD_VARS",<br>    "value": "TRUE"<br>  }<br>]</pre> | no |
 | force\_destroy | Force destroy the CI/CD S3 bucket even if it's not empty | `bool` | `false` | no |
 | github\_oauth\_token | GitHub Oauth Token | `string` | n/a | yes |
+| github\_webhook\_events | A list of events which should trigger the webhook. See a list of [available events](https://developer.github.com/v3/activity/events/types/) | `list(string)` | <pre>[<br>  "push"<br>]</pre> | no |
+| github\_webhooks\_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | `string` | `""` | no |
 | id\_length\_limit | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | image\_repo\_name | ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"UNSET"` | no |
 | image\_tag | Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"latest"` | no |
@@ -73,6 +80,11 @@
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
+| webhook\_authentication | The type of authentication to use. One of IP, GITHUB\_HMAC, or UNAUTHENTICATED | `string` | `"GITHUB_HMAC"` | no |
+| webhook\_enabled | Set to false to prevent the module from creating any webhook resources | `bool` | `false` | no |
+| webhook\_filter\_json\_path | The JSON path to filter on | `string` | `"$.ref"` | no |
+| webhook\_filter\_match\_equals | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no |
+| webhook\_target\_action | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no |
 | website\_bucket\_name | Name of the S3 bucket where the website will be deployed | `string` | `""` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -5,7 +5,11 @@ data "aws_region" "default" {
 }
 
 locals {
-  enabled = module.this.enabled
+  enabled         = module.this.enabled
+  webhook_enabled = local.enabled && var.webhook_enabled ? true : false
+  webhook_count   = local.webhook_enabled ? 1 : 0
+  webhook_secret  = join("", random_password.webhook_secret.*.result)
+  webhook_url     = join("", aws_codepipeline_webhook.default.*.url)
 }
 
 resource "aws_s3_bucket" "default" {
@@ -308,3 +312,44 @@ resource "aws_codepipeline" "default" {
     }
   }
 }
+
+resource "random_password" "webhook_secret" {
+  count  = local.webhook_enabled ? 1 : 0
+  length = 32
+
+  # Special characters are not allowed in webhook secret (AWS silently ignores webhook callbacks)
+  special = false
+}
+
+resource "aws_codepipeline_webhook" "default" {
+  count           = local.webhook_count
+  name            = module.this.id
+  authentication  = var.webhook_authentication
+  target_action   = var.webhook_target_action
+  target_pipeline = join("", aws_codepipeline.default.*.name)
+
+  authentication_configuration {
+    secret_token = local.webhook_secret
+  }
+
+  filter {
+    json_path    = var.webhook_filter_json_path
+    match_equals = var.webhook_filter_match_equals
+  }
+}
+
+module "github_webhook" {
+  source  = "cloudposse/repository-webhooks/github"
+  version = "0.12.0"
+
+  enabled              = local.webhook_enabled
+  github_organization  = var.repo_owner
+  github_repositories  = [var.repo_name]
+  github_token         = var.github_webhooks_token
+  webhook_url          = local.webhook_url
+  webhook_secret       = local.webhook_secret
+  webhook_content_type = "json"
+  events               = var.github_webhook_events
+
+  context = module.this.context
+}
diff --git a/variables.tf b/variables.tf
@@ -15,6 +15,18 @@ variable "github_oauth_token" {
   description = "GitHub Oauth Token"
 }
 
+variable "github_webhooks_token" {
+  type        = string
+  default     = ""
+  description = "GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable"
+}
+
+variable "github_webhook_events" {
+  type        = list(string)
+  description = "A list of events which should trigger the webhook. See a list of [available events](https://developer.github.com/v3/activity/events/types/)"
+  default     = ["push"]
+}
+
 variable "repo_owner" {
   type        = string
   description = "GitHub Organization or Person name"
@@ -30,6 +42,36 @@ variable "branch" {
   description = "Branch of the GitHub repository, _e.g._ `master`"
 }
 
+variable "webhook_enabled" {
+  type        = bool
+  description = "Set to false to prevent the module from creating any webhook resources"
+  default     = false
+}
+
+variable "webhook_target_action" {
+  type        = string
+  description = "The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline"
+  default     = "Source"
+}
+
+variable "webhook_authentication" {
+  type        = string
+  description = "The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED"
+  default     = "GITHUB_HMAC"
+}
+
+variable "webhook_filter_json_path" {
+  type        = string
+  description = "The JSON path to filter on"
+  default     = "$.ref"
+}
+
+variable "webhook_filter_match_equals" {
+  type        = string
+  description = "The value to match on (e.g. refs/heads/{Branch})"
+  default     = "refs/heads/{Branch}"
+}
+
 variable "build_image" {
   type        = string
   default     = "aws/codebuild/standard:2.0"

diff --git a/versions.tf b/versions.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 2.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">=2.1"
+    }
   }
 }