feat: implement STACKIT Git Repository building block with template and webhook support

Author: JohannesRudolph

modules/stackit/git-repository/backplane/README.md

@@ -0,0 +1,78 @@
+# STACKIT Git Repository – Backplane
+
+This module sets up the shared backplane configuration for the STACKIT Git Repository building block. It validates the API token and exposes credentials as outputs for use by individual building block instances. Currently there's nothing we can automate here using terraform, so this only validates your API token.
+
+## Prerequisites
+
+A Personal Access Token from STACKIT Git is required:
+
+1. Log in to [STACKIT Git](https://git-service.git.onstackit.cloud)
+2. Go to **Settings → Applications → Manage Access Tokens**
+3. Generate a new token with the following scopes:
+   - `write:repository` – create and manage repositories
+   - `write:organization` – manage organization repositories
+   - `read:user` – retrieve user information
+4. Copy the token (shown only once)
+
+## Usage
+
+```hcl
+module "git_repo_backplane" {
+  source = "./backplane"
+
+  gitea_base_url     = "https://git-service.git.onstackit.cloud"
+  gitea_token        = var.stackit_git_token
+  gitea_organization = "my-platform-org"
+}
+```
+
+## Inputs
+
+| Name | Description | Type | Required |
+|------|-------------|------|----------|
+| `gitea_base_url` | STACKIT Git base URL | `string` | no (default provided) |
+| `gitea_token` | STACKIT Git Personal Access Token | `string` | yes |
+| `gitea_organization` | Default organization for repository creation | `string` | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| `gitea_base_url` | STACKIT Git base URL |
+| `gitea_token` | STACKIT Git API token (sensitive) |
+| `gitea_organization` | Default STACKIT Git organization |
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.validate_token](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_gitea_base_url"></a> [gitea\_base\_url](#input\_gitea\_base\_url) | STACKIT Git base URL | `string` | `"https://git-service.git.onstackit.cloud"` | no |
+| <a name="input_gitea_organization"></a> [gitea\_organization](#input\_gitea\_organization) | Default STACKIT Git organization where repositories will be created | `string` | n/a | yes |
+| <a name="input_gitea_token"></a> [gitea\_token](#input\_gitea\_token) | STACKIT Git Personal Access Token with write:repository, write:organization, and read:user scopes | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_gitea_base_url"></a> [gitea\_base\_url](#output\_gitea\_base\_url) | STACKIT Git base URL |
+| <a name="output_gitea_organization"></a> [gitea\_organization](#output\_gitea\_organization) | Default STACKIT Git organization for repository creation |
+| <a name="output_gitea_token"></a> [gitea\_token](#output\_gitea\_token) | STACKIT Git API token for use by building block instances |
+<!-- END_TF_DOCS -->

modules/stackit/git-repository/backplane/main.tf

@@ -0,0 +1,23 @@
+# Validate that the API token is operational by checking the STACKIT Git API
+resource "null_resource" "validate_token" {
+  triggers = {
+    base_url = var.gitea_base_url
+    token    = sha256(var.gitea_token)
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      response=$(curl -s -o /dev/null -w "%\{http_code\}" \
+        -H "Authorization: token ${var.gitea_token}" \
+        "${var.gitea_base_url}/api/v1/user")
+
+      if [ "$response" -ne 200 ]; then
+        echo "ERROR: STACKIT Git API token validation failed (HTTP $response)"
+        echo "Please verify the token has the required scopes: read:user, write:repository, write:organization"
+        exit 1
+      fi
+
+      echo "STACKIT Git API token validated successfully"
+    EOT
+  }
+}

modules/stackit/git-repository/backplane/outputs.tf

@@ -0,0 +1,15 @@
+output "gitea_base_url" {
+  value       = var.gitea_base_url
+  description = "STACKIT Git base URL"
+}
+
+output "gitea_token" {
+  value       = var.gitea_token
+  description = "STACKIT Git API token for use by building block instances"
+  sensitive   = true
+}
+
+output "gitea_organization" {
+  value       = var.gitea_organization
+  description = "Default STACKIT Git organization for repository creation"
+}

modules/stackit/git-repository/backplane/variables.tf

@@ -0,0 +1,16 @@
+variable "gitea_base_url" {
+  type        = string
+  description = "STACKIT Git base URL"
+  default     = "https://git-service.git.onstackit.cloud"
+}
+
+variable "gitea_token" {
+  type        = string
+  description = "STACKIT Git Personal Access Token with write:repository, write:organization, and read:user scopes"
+  sensitive   = true
+}
+
+variable "gitea_organization" {
+  type        = string
+  description = "Default STACKIT Git organization where repositories will be created"
+}

modules/stackit/git-repository/backplane/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2.3"
+    }
+  }
+}

modules/stackit/git-repository/buildingblock/APP_TEAM_README.md

@@ -0,0 +1,65 @@
+This building block provisions a **Git repository on STACKIT Git** — the platform's self-hosted Forgejo/Gitea instance at [git-service.git.onstackit.cloud](https://git-service.git.onstackit.cloud). Within seconds you get a fully configured repository, optionally pre-populated from an application template, with CI/CD webhooks ready to fire 🚀.
+
+## 🎯 Who is this for?
+
+This building block is for **application teams** that:
+
+- Need a Git repository hosted on STACKIT infrastructure (data sovereignty, no external SaaS)
+- Want to start from a **pre-configured application template** (e.g., Python, Node.js) with Dockerfile, Kubernetes manifests, and CI/CD pipelines already in place
+- Are integrating with **Argo Workflows** for automated container builds triggered on every `git push`
+- Require a private repository within a shared STACKIT Git organization
+
+## 🛠️ Usage Examples
+
+### Example 1 – Empty private repository
+
+Use this when you already have existing code to push or prefer a clean slate.
+
+```bash
+# After the building block is provisioned, clone and start working:
+git clone https://git-service.git.onstackit.cloud/my-org/payments-service.git
+cd payments-service
+git add .
+git commit -m "Initial commit"
+git push origin main
+```
+
+### Example 2 – Repository from Python application template
+
+Use this when starting a new application. The `app-template-python` template provides a ready-to-run Python app with Docker and Kubernetes manifests.
+
+```
+# After provisioning, your repo contains:
+your-repo/
+├── app/
+│   ├── Dockerfile          ← Container build instructions
+│   ├── requirements.txt    ← Python dependencies
+│   └── main.py             ← Application entrypoint
+└── manifests/
+    └── base/
+        ├── kustomization.yaml
+        ├── deployment.yaml
+        └── service.yaml
+```
+
+Clone it, modify `app/main.py`, and push — an Argo Workflows build will trigger automatically if a webhook was configured.
+
+## 🤝 Shared Responsibility
+
+| Responsibility | Platform Team | Application Team |
+|---|:---:|:---:|
+| Provision STACKIT Git infrastructure | ✅ | ❌ |
+| Create and configure the repository | ✅ | ❌ |
+| Set up webhooks for CI/CD | ✅ | ❌ |
+| Manage STACKIT Git API tokens | ✅ | ❌ |
+| Develop and maintain application source code | ❌ | ✅ |
+| Commit and push code changes | ❌ | ✅ |
+| Manage branches and pull requests | ❌ | ✅ |
+| Review and merge code | ❌ | ✅ |
+| Application runtime security & updates | ❌ | ✅ |
+
+## ℹ️ Additional Resources
+
+- STACKIT Git: [https://git-service.git.onstackit.cloud](https://git-service.git.onstackit.cloud)
+- Contact the platform team for infrastructure issues or token access
+- Check Argo Workflows UI for build status after pushing code

modules/stackit/git-repository/buildingblock/README.md

@@ -0,0 +1,60 @@
+---
+name: STACKIT Git Repository
+supportedPlatforms:
+  - stackit
+description: Provisions a Git repository on STACKIT Git (Forgejo/Gitea) with optional template initialization, webhook configuration, and CI/CD integration.
+---
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_gitea"></a> [gitea](#requirement\_gitea) | ~> 0.16.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [gitea_repository.repo](https://registry.terraform.io/providers/Lerentis/gitea/latest/docs/resources/repository) | resource |
+| [null_resource.template_repo](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_default_branch"></a> [default\_branch](#input\_default\_branch) | Default branch name | `string` | `"main"` | no |
+| <a name="input_gitea_base_url"></a> [gitea\_base\_url](#input\_gitea\_base\_url) | STACKIT Git base URL | `string` | `"https://git-service.git.onstackit.cloud"` | no |
+| <a name="input_gitea_organization"></a> [gitea\_organization](#input\_gitea\_organization) | STACKIT Git organization where the repository will be created | `string` | n/a | yes |
+| <a name="input_gitea_token"></a> [gitea\_token](#input\_gitea\_token) | STACKIT Git API token (from backplane) | `string` | n/a | yes |
+| <a name="input_repository_auto_init"></a> [repository\_auto\_init](#input\_repository\_auto\_init) | Auto-initialize the repository with a README | `bool` | `true` | no |
+| <a name="input_repository_description"></a> [repository\_description](#input\_repository\_description) | Short description of the repository | `string` | `""` | no |
+| <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | Name of the Git repository to create | `string` | n/a | yes |
+| <a name="input_repository_private"></a> [repository\_private](#input\_repository\_private) | Whether the repository should be private | `bool` | `true` | no |
+| <a name="input_template_name"></a> [template\_name](#input\_template\_name) | Name of the template repository | `string` | `"app-template-python"` | no |
+| <a name="input_template_namespace"></a> [template\_namespace](#input\_template\_namespace) | Value for the NAMESPACE variable used during template substitution | `string` | `""` | no |
+| <a name="input_template_owner"></a> [template\_owner](#input\_template\_owner) | Owner/organization of the template repository | `string` | `"stackit"` | no |
+| <a name="input_template_repo_name"></a> [template\_repo\_name](#input\_template\_repo\_name) | Value for the REPO\_NAME variable used during template substitution | `string` | `""` | no |
+| <a name="input_use_template"></a> [use\_template](#input\_use\_template) | Create repository from a template repository instead of creating an empty one | `bool` | `false` | no |
+| <a name="input_webhook_events"></a> [webhook\_events](#input\_webhook\_events) | List of Gitea events that trigger the webhook | `list(string)` | <pre>[<br>  "push",<br>  "create"<br>]</pre> | no |
+| <a name="input_webhook_secret"></a> [webhook\_secret](#input\_webhook\_secret) | Secret for webhook authentication | `string` | `""` | no |
+| <a name="input_webhook_url"></a> [webhook\_url](#input\_webhook\_url) | Webhook URL to configure (e.g., Argo Workflows EventSource URL). Leave empty to skip. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_repository_clone_url"></a> [repository\_clone\_url](#output\_repository\_clone\_url) | HTTPS clone URL |
+| <a name="output_repository_html_url"></a> [repository\_html\_url](#output\_repository\_html\_url) | Web URL of the repository |
+| <a name="output_repository_id"></a> [repository\_id](#output\_repository\_id) | The ID of the created repository |
+| <a name="output_repository_name"></a> [repository\_name](#output\_repository\_name) | Name of the created repository |
+| <a name="output_repository_ssh_url"></a> [repository\_ssh\_url](#output\_repository\_ssh\_url) | SSH clone URL |
+| <a name="output_summary"></a> [summary](#output\_summary) | Summary with next steps and links for the created repository |
+<!-- END_TF_DOCS -->

modules/stackit/git-repository/buildingblock/logo.png

@@ -0,0 +1,101 @@
+locals {
+  owner = var.gitea_organization
+
+  clone_url = "${var.gitea_base_url}/${local.owner}/${var.repository_name}.git"
+  html_url  = "${var.gitea_base_url}/${local.owner}/${var.repository_name}"
+  ssh_url   = "git@${replace(var.gitea_base_url, "https://", "")}:${local.owner}/${var.repository_name}.git"
+
+  template_variables = {
+    REPO_NAME = var.template_repo_name != "" ? var.template_repo_name : var.repository_name
+    NAMESPACE = var.template_namespace != "" ? var.template_namespace : var.repository_name
+    CLONE_URL = local.clone_url
+  }
+}
+
+# ── Repository (empty, non-template) ──────────────────────────────────────────
+
+resource "gitea_repository" "repo" {
+  count = var.use_template ? 0 : 1
+
+  username       = local.owner
+  name           = var.repository_name
+  description    = var.repository_description
+  private        = var.repository_private
+  auto_init      = var.repository_auto_init
+  default_branch = var.default_branch
+}
+
+# ── Repository (from template, via Forgejo API) ───────────────────────────────
+
+resource "null_resource" "template_repo" {
+  count = var.use_template ? 1 : 0
+
+  triggers = {
+    repo_name      = var.repository_name
+    owner          = local.owner
+    template_owner = var.template_owner
+    template_name  = var.template_name
+    template_vars  = jsonencode(local.template_variables)
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      response=$(curl -s -w "\n%\{http_code\}" \
+        -X POST "${var.gitea_base_url}/api/v1/repos/${var.template_owner}/${var.template_name}/generate" \
+        -H "Authorization: token ${var.gitea_token}" \
+        -H "Content-Type: application/json" \
+        -d '{
+          "owner": "${local.owner}",
+          "name": "${var.repository_name}",
+          "description": "${var.repository_description}",
+          "private": ${var.repository_private},
+          "git_content": true,
+          "git_hooks": false
+        }')
+
+      http_code=$(echo "$response" | tail -n1)
+      body=$(echo "$response" | sed '$d')
+
+      if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
+        echo "Repository '${var.repository_name}' created from template '${var.template_owner}/${var.template_name}'"
+      else
+        echo "Failed to create repository from template. HTTP $http_code"
+        echo "$body"
+        exit 1
+      fi
+    EOT
+  }
+}
+
+# ── Webhook ────────────────────────────────────────────────────────────────────
+
+resource "null_resource" "webhook" {
+  count = var.webhook_url != "" ? 1 : 0
+
+  triggers = {
+    webhook_url    = var.webhook_url
+    webhook_secret = sha256(var.webhook_secret)
+    webhook_events = join(",", var.webhook_events)
+    repo           = "${local.owner}/${var.repository_name}"
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      curl -s -X POST "${var.gitea_base_url}/api/v1/repos/${local.owner}/${var.repository_name}/hooks" \
+        -H "Authorization: token ${var.gitea_token}" \
+        -H "Content-Type: application/json" \
+        -d '{
+          "type": "forgejo",
+          "config": {
+            "url": "${var.webhook_url}",
+            "content_type": "json",
+            "secret": "${var.webhook_secret}"
+          },
+          "events": ${jsonencode(var.webhook_events)},
+          "active": true
+        }'
+    EOT
+  }
+
+  depends_on = [gitea_repository.repo, null_resource.template_repo]
+}