From 5bf315b4bd8d23b0626def3d05054826507a0dd2 Mon Sep 17 00:00:00 2001
From: Michal Tomaszek
Date: Tue, 21 Apr 2026 10:28:11 +0000
Subject: [PATCH] feat: resolve webhook secrets from SSM and Secrets Manager

---
 src/main.tf | 22 +++++++++++++++++++++-
 src/variables.tf | 5 +++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/main.tf b/src/main.tf
index b3d7c7f..2b07ca8 100644
--- a/src/main.tf
+++ b/src/main.tf
@@ -63,7 +63,7 @@ module "repository" {
 variables = local.variables
 secrets = local.secrets
 deploy_keys = var.deploy_keys
- webhooks = var.webhooks
+ webhooks = local.webhooks
 labels = var.labels
 teams = var.teams
 users = var.users
@@ -108,6 +108,20 @@ locals {
 }
 }

+ webhooks = {
+ for k, v in coalesce(var.webhooks, {}) : k => {
+ active = v.active
+ events = v.events
+ url = v.url
+ content_type = v.content_type
+ insecure_ssl = v.insecure_ssl
+ secret = v.secret != null ? (
+ startswith(v.secret, "ssm://") ? nonsensitive(data.aws_ssm_parameter.default[v.secret].value) :
+ startswith(v.secret, "asm://") ? nonsensitive(data.aws_secretsmanager_secret_version.default[v.secret].secret_string) : v.secret
+ ) : null
+ }
+ }
+
 ssm_parameters = merge(flatten([
 [
 {
@@ -116,6 +130,9 @@ locals {
 {
 for k, v in coalesce(var.secrets, {}) : v => trimprefix(v, "ssm://") if startswith(v, "ssm://")
 },
+ {
+ for k, v in coalesce(var.webhooks, {}) : v.secret => trimprefix(v.secret, "ssm://") if v.secret != null && startswith(v.secret, "ssm://")
+ },
 ],
 [
 for k, v in coalesce(var.environments, {}) : {
@@ -138,6 +155,9 @@ locals {
 {
 for k, v in coalesce(var.secrets, {}) : v => trimprefix(v, "asm://") if startswith(v, "asm://")
 },
+ {
+ for k, v in coalesce(var.webhooks, {}) : v.secret => trimprefix(v.secret, "asm://") if v.secret != null && startswith(v.secret, "asm://")
+ },
 ],
 [
 for k, v in coalesce(var.environments, {}) : {
diff --git a/src/variables.tf b/src/variables.tf
index dfb9265..01b6795 100644
--- a/src/variables.tf
+++ b/src/variables.tf
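Review bot: The two `nonsensitive(...)` wrappers in the new `secret` expression strip the sensitive mark that the SSM and Secrets Manager data sources put on the fetched value, so a resolved webhook secret enters `local.webhooks` as an ordinary string, while the literal `v.secret` branch keeps whatever marking `var.webhooks` carries (this same commit makes that variable `sensitive = true` in variables.tf). Unless the child module's `webhooks` input cannot accept a sensitive value, dropping both wrappers keeps the resolved secret redacted in plan output and in anything derived from `local.webhooks`; if they are required, the reason belongs in a comment on that line, e.g. `# nonsensitive: the child module's webhooks input rejects sensitive values — TODO confirm`. Note that the sensitive flag only affects display; the resolved value is still written to state either way, which is worth stating in the variable's description. The enclosing `locals` block continues outside the hunk.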
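Review bot: Both new lookup maps are keyed on `v.secret`, so two webhooks that reference the same `ssm://` path produce a duplicate object key and the `for` expression fails; the `asm://` map in the following hunk has the same shape. Deduplicating the references first avoids it: `{ for ref in distinct([for k, v in coalesce(var.webhooks, {}) : v.secret if v.secret != null && startswith(v.secret, "ssm://")]) : ref => trimprefix(ref, "ssm://") }`. Separately, because variables.tf now marks `var.webhooks` as `sensitive = true`, any map derived from it is sensitive as well; if `local.ssm_parameters` or its Secrets Manager counterpart feeds a `for_each`, as the `default[v.secret]` indexing suggests, Terraform rejects sensitive values there, so that combination should be confirmed with a plan run. The enclosing `locals` block starts and ends outside the hunk.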
@@ -224,8 +224,9 @@ variable "webhooks" {
 insecure_ssl = optional(bool, false)
 secret = optional(string, null)
 }))
- default = {}
- nullable = false
+ default = {}
+ sensitive = true
+ nullable = false
 validation {
 condition = alltrue([for k, v in var.webhooks : can(regex("^http(s)?://", v.url))])