feat: add module to update GitHub app webhook (#3451)

## Description

Setting up the runners are requiring typically three steps
1. Create the GitHub App
2. Run terraform with App details
3. Update the GitHub App webhook.

This PR adds a module that let you update the App webhook endpoint and
secret via a terraform module. Usages is sown in the examples.

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Navdeep Gupta <[email protected]>

Author: 3 people

Diff for: examples/arm64/README.md

@@ -52,6 +52,7 @@ Be aware some shells will print some end of line character `%`.
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 

Diff for: examples/arm64/main.tf

@@ -86,3 +86,14 @@ module "runners" {
   # override scaling down
   scale_down_schedule_expression = "cron(* * * * ? *)"
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/default/README.md

@@ -22,14 +22,12 @@ terraform init
 terraform apply
 ```
 
-You can receive the webhook details by running:
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
 
 ```bash
-terraform output -raw webhook_secret
+terraform output webhook_secret
 ```
 
-Be aware some shells will print some end of line character `%`.
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -52,6 +50,7 @@ Be aware some shells will print some end of line character `%`.
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 

Diff for: examples/default/main.tf

@@ -97,3 +97,14 @@ module "runners" {
   # Enable debug logging for the lambda functions
   # log_level = "debug"
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/ephemeral/README.md

@@ -21,13 +21,12 @@ terraform init
 terraform apply
 ```
 
-You can receive the webhook details by running:
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
 
 ```bash
-terraform output -raw webhook_secret
+terraform output webhook_secret
 ```
 
-Be aware some shells will print some end of line character `%`. 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -50,6 +49,7 @@ Be aware some shells will print some end of line character `%`.
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 

Diff for: examples/ephemeral/main.tf

@@ -85,3 +85,14 @@ module "runners" {
   #   deadLetterTargetArn = null
   # }
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/multi-runner/.terraform.lock.hcl

@@ -39,14 +39,12 @@ terraform init
 terraform apply
 ```
 
-You can receive the webhook details by running:
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
 
 ```bash
-terraform output -raw webhook_secret
+terraform output webhook_secret
 ```
 
-Be aware some shells will print some end of line character `%`.
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -69,6 +67,7 @@ Be aware some shells will print some end of line character `%`.
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_multi-runner"></a> [multi-runner](#module\_multi-runner) | ../../modules/multi-runner | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 

Diff for: examples/multi-runner/README.md

@@ -9,6 +9,7 @@ locals {
 resource "random_id" "random" {
   byte_length = 20
 }
+
 module "base" {
   source = "../base"
 
@@ -46,3 +47,14 @@ module "multi-runner" {
   # Enable debug logging for the lambda functions
   # log_level = "debug"
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.multi-runner.webhook.endpoint
+}

Diff for: examples/multi-runner/main.tf

@@ -86,14 +86,12 @@ terraform init
 terraform apply
 ```
 
-You can receive the webhook details by running:
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
 
 ```bash
-terraform output -raw webhook_secret
+terraform output webhook_secret
 ```
 
-Be aware some shells will print some end of line character `%`.
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -117,6 +115,7 @@ Be aware some shells will print some end of line character `%`.
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 

Diff for: examples/prebuilt/README.md

@@ -61,3 +61,14 @@ module "runners" {
   # override scaling down
   scale_down_schedule_expression = "cron(* * * * ? *)"
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/prebuilt/main.tf

@@ -23,6 +23,12 @@ terraform init
 terraform apply
 ```
 
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
+
+```bash
+terraform output webhook_secret
+```
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -45,6 +51,7 @@ terraform apply
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 
@@ -65,4 +72,4 @@ terraform apply
 | <a name="output_runners"></a> [runners](#output\_runners) | n/a |
 | <a name="output_webhook_endpoint"></a> [webhook\_endpoint](#output\_webhook\_endpoint) | n/a |
 | <a name="output_webhook_secret"></a> [webhook\_secret](#output\_webhook\_secret) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

Diff for: examples/ubuntu/README.md

@@ -111,3 +111,14 @@ module "runners" {
   # Enable logging all commands of user_data, secrets will be logged!!!
   # enable_user_data_debug_logging_runner = true
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/ubuntu/main.tf

@@ -25,6 +25,12 @@ terraform apply
 
 _**Note**_: It can take upwards of ten minutes for a runner to start processing jobs, and about as long for logs to start showing up. It's recommend that scale the runners via a warm-up job and then keep them idled.
 
+The module will try to update the GitHub App webhook and secret (only linux/mac). You can receive the webhook details by running:
+
+```bash
+terraform output webhook_secret
+```
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -47,6 +53,7 @@ _**Note**_: It can take upwards of ten minutes for a runner to start processing
 |------|--------|---------|
 | <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
 | <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook-github-app"></a> [webhook-github-app](#module\_webhook-github-app) | ../../modules/webhook-github-app | n/a |
 
 ## Resources
 
@@ -67,4 +74,4 @@ _**Note**_: It can take upwards of ten minutes for a runner to start processing
 | <a name="output_runners"></a> [runners](#output\_runners) | n/a |
 | <a name="output_webhook_endpoint"></a> [webhook\_endpoint](#output\_webhook\_endpoint) | n/a |
 | <a name="output_webhook_secret"></a> [webhook\_secret](#output\_webhook\_secret) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

Diff for: examples/windows/README.md

@@ -53,3 +53,14 @@ module "runners" {
   # override scaling down for testing
   scale_down_schedule_expression = "cron(* * * * ? *)"
 }
+
+module "webhook-github-app" {
+  source = "../../modules/webhook-github-app"
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}

Diff for: examples/windows/main.tf

@@ -0,0 +1,41 @@
+# Module - Update GitHub App Webhook
+
+> This module is using the local executor to run a bash script.
+
+This module updates the GitHub App webhook with the endpoint and secret and can be changed with the root module. See the examples for usages.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_null"></a> [null](#provider\_null) | ~> 3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.update_app](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_github_app"></a> [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | <pre>object({<br>    key_base64     = string<br>    id             = string<br>    webhook_secret = string<br>  })</pre> | n/a | yes |
+| <a name="input_webhook_endpoint"></a> [webhook\_endpoint](#input\_webhook\_endpoint) | The endpoint to use for the webhook, defaults to the endpoint of the runners module. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->