feat: allow vulnerability scanning of Argo repository and implement ignore changes for non-change drift (cloudposse/terraform-aws-components#1120)

Co-authored-by: Igor Rodionov <[email protected]>

Author: RoseSecurity

src/main.tf

@@ -49,7 +49,8 @@ resource "github_repository" "default" {
   description = var.description
   auto_init   = true # will create a 'main' branch
 
-  visibility = "private"
+  visibility           = "private"
+  vulnerability_alerts = var.vulnerability_alerts_enabled
 }
 
 resource "github_branch_default" "default" {
@@ -90,6 +91,12 @@ resource "github_branch_protection" "default" {
       join("", data.github_user.automation_user[*].node_id),
     ] : []
   }
+
+  lifecycle {
+    ignore_changes = [
+      restrict_pushes[0].push_allowances
+    ]
+  }
 }
 
 data "github_team" "default" {

src/variables.tf

@@ -151,6 +151,12 @@ variable "push_restrictions_enabled" {
   default     = true
 }
 
+variable "vulnerability_alerts_enabled" {
+  type        = bool
+  description = "Enable security alerts for vulnerable dependencies"
+  default     = false
+}
+
 variable "slack_notifications_channel" {
   type        = string
   default     = ""