feat: Update Terraform configuration to manage GitHub secrets and bump dependencies

Author: ColinDaglish

.pre-commit-config.yaml

@@ -24,16 +24,14 @@ repos:
           - configs/.secrets.baseline
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.5
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
       - id: terraform_tflint
       - id: terraform_trivy
-        args:
-          - --args=--config=configs/trivy.yaml
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.457
+    rev: 3.2.510
     hooks:
       - id: checkov
         args: [--config-file, ./configs/checkov.yml]

infra/terraform/main.tf

@@ -165,3 +165,39 @@ resource "google_cloud_run_service_iam_member" "gateway_invoker" {
   member     = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-apigateway.iam.gserviceaccount.com"
   depends_on = [google_cloud_run_v2_service.app, google_api_gateway_gateway.webhook]
 }
+
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret
+resource "google_secret_manager_secret" "github_private_key" {
+  project   = var.project_id
+  secret_id = "github-private-key"
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "github_private_key" {
+  secret      = google_secret_manager_secret.github_private_key.id
+  secret_data = var.github_private_key
+}
+
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret
+resource "google_secret_manager_secret" "github_webhook_secret" {
+  project   = var.project_id
+  secret_id = "github-webhook-secret"
+  replication {
+    user_managed {
+      replicas {
+        location = var.region
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "github_webhook_secret" {
+  secret      = google_secret_manager_secret.github_webhook_secret.id
+  secret_data = var.github_webhook_secret
+}

infra/terraform/variables.tf

@@ -32,18 +32,6 @@ variable "github_app_id" {
   description = "GitHub App ID"
 }
 
-variable "github_private_key" {
-  type        = string
-  description = "GitHub App private key (PEM contents; use \\n for newlines)"
-  sensitive   = true
-}
-
-variable "github_webhook_secret" {
-  type        = string
-  description = "GitHub webhook secret"
-  sensitive   = true
-}
-
 variable "github_accepted_events" {
   type        = string
   description = "Optional comma-separated events allowlist"
@@ -53,10 +41,22 @@ variable "github_accepted_events" {
 variable "services" {
   type        = list(string)
   description = "Additional GCP services to enable"
-  default     = ["run.googleapis.com", "artifactregistry.googleapis.com", "iam.googleapis.com", "apigateway.googleapis.com"]
+  default     = ["run.googleapis.com", "artifactregistry.googleapis.com", "iam.googleapis.com", "apigateway.googleapis.com", "secretmanager.googleapis.com"]
 }
 
 variable "kms_key_resource_name" {
   description = "The resource name of the KMS crypto key used for state encryption. This should be in the format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}"
   type        = string
 }
+
+variable "github_webhook_secret" {
+  description = "GitHub webhook secret for securing webhook payloads"
+  type        = string
+  sensitive   = true
+}
+
+variable "github_private_key" {
+  description = "GitHub App private key (PEM format, with \\n for newlines)"
+  type        = string
+  sensitive   = true
+}