feat: add support for gitlab_project_hook and gitlab_group_hook (#11)

Add webhook drift detection for project and group hooks, generating
individual resource blocks in hooks.tf. Group hooks handle 403
gracefully (Premium/Ultimate required). Uses hclwrite for proper
HCL formatting consistent with the rest of the codebase.

Author: xMoelletschi

README.md

@@ -83,6 +83,7 @@ terraform/
 ├── group_labels.tf         # generated: variable with group → labels
 ├── project_labels.tf       # generated: variable with project → labels
 ├── pipeline_schedules.tf   # generated: variable with project → pipeline schedules
+├── hooks.tf                # generated: project and group webhooks
 └── ...
 ```
 
@@ -103,6 +104,8 @@ terraform/
 - ✅ GitLab Project Labels ([`gitlab_project_label`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_label))
 - ✅ GitLab Pipeline Schedules ([`gitlab_pipeline_schedule`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/pipeline_schedule))
 - ✅ GitLab Pipeline Schedule Variables ([`gitlab_pipeline_schedule_variable`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/pipeline_schedule_variable))
+- ✅ GitLab Project Hooks ([`gitlab_project_hook`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_hook))
+- ✅ GitLab Group Hooks ([`gitlab_group_hook`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/group_hook)) *(requires Premium/Ultimate)*
 - 🚧 More resources coming soon
 
 ## Contributing

internal/gitlab/client.go

@@ -21,6 +21,8 @@ type Resources struct {
 	GroupLabels       GroupLabels
 	ProjectLabels     ProjectLabels
 	PipelineSchedules PipelineSchedules
+	ProjectHooks      ProjectHooks
+	GroupHooks        GroupHooks
 }
 
 func NewClientFromAPI(api *gl.Client, group string) *Client {
@@ -82,12 +84,30 @@ func (c *Client) FetchAll(ctx context.Context, skipSet skip.Set) (*Resources, er
 		slog.Info("fetched pipeline schedules", "count", len(pipelineSchedules))
 	}
 
+	var projectHooks ProjectHooks
+	var groupHooks GroupHooks
+	if !skipSet.Has("hooks") {
+		projectHooks, err = c.ListProjectHooks(ctx, projects)
+		if err != nil {
+			return nil, fmt.Errorf("listing project hooks: %w", err)
+		}
+		slog.Info("fetched project hooks", "count", len(projectHooks))
+
+		groupHooks, err = c.ListGroupHooks(ctx, groups)
+		if err != nil {
+			return nil, fmt.Errorf("listing group hooks: %w", err)
+		}
+		slog.Info("fetched group hooks", "count", len(groupHooks))
+	}
+
 	return &Resources{
 		Groups:            groups,
 		Projects:          projects,
 		GroupMembers:      groupMembers,
 		GroupLabels:       groupLabels,
 		ProjectLabels:     projectLabels,
 		PipelineSchedules: pipelineSchedules,
+		ProjectHooks:      projectHooks,
+		GroupHooks:        groupHooks,
 	}, nil
 }

internal/gitlab/hooks.go

@@ -0,0 +1,88 @@
+package gitlab
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	gl "gitlab.com/gitlab-org/api/client-go"
+)
+
+// ProjectHooks maps project IDs to their hooks.
+type ProjectHooks = map[int64][]*gl.ProjectHook
+
+// GroupHooks maps group IDs to their hooks.
+type GroupHooks = map[int64][]*gl.GroupHook
+
+func (c *Client) ListProjectHooks(ctx context.Context, projects []*gl.Project) (ProjectHooks, error) {
+	result := make(ProjectHooks, len(projects))
+
+	for _, p := range projects {
+		if p == nil {
+			continue
+		}
+		slog.Debug("fetching project hooks", "project", p.PathWithNamespace)
+		opts := &gl.ListProjectHooksOptions{
+			ListOptions: gl.ListOptions{
+				Page:    1,
+				PerPage: 100,
+			},
+		}
+		var hooks []*gl.ProjectHook
+		for {
+			page, resp, err := c.api.Projects.ListProjectHooks(p.ID, opts, gl.WithContext(ctx))
+			if err != nil {
+				return nil, fmt.Errorf("listing hooks for project %d: %w", p.ID, err)
+			}
+			hooks = append(hooks, page...)
+			if resp.NextPage == 0 {
+				break
+			}
+			opts.Page = resp.NextPage
+		}
+		if len(hooks) > 0 {
+			result[p.ID] = hooks
+		}
+	}
+	return result, nil
+}
+
+func (c *Client) ListGroupHooks(ctx context.Context, groups []*gl.Group) (GroupHooks, error) {
+	result := make(GroupHooks, len(groups))
+
+	for _, g := range groups {
+		if g == nil {
+			continue
+		}
+		slog.Debug("fetching group hooks", "group", g.FullPath)
+		opts := &gl.ListGroupHooksOptions{
+			ListOptions: gl.ListOptions{
+				Page:    1,
+				PerPage: 100,
+			},
+		}
+		var hooks []*gl.GroupHook
+		for {
+			page, resp, err := c.api.Groups.ListGroupHooks(g.ID, opts, gl.WithContext(ctx))
+			if err != nil {
+				var errResp *gl.ErrorResponse
+				if errors.As(err, &errResp) && errResp.HasStatusCode(http.StatusForbidden) {
+					slog.Warn("group hooks require Premium/Ultimate, skipping", "group", g.FullPath)
+					break
+				}
+				return nil, fmt.Errorf("listing hooks for group %d: %w", g.ID, err)
+			}
+			hooks = append(hooks, page...)
+			if resp.NextPage == 0 {
+				break
+			}
+			opts.Page = resp.NextPage
+		}
+		if len(hooks) > 0 {
+			result[g.ID] = hooks
+		}
+	}
+	return result, nil
+}

internal/terraform/hooks.go

@@ -0,0 +1,149 @@
+package terraform
+
+import (
+	"io"
+	"strings"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclwrite"
+	"github.com/zclconf/go-cty/cty"
+	gl "gitlab.com/gitlab-org/api/client-go"
+)
+
+func normalizeHookURL(rawURL string) string {
+	u := strings.TrimPrefix(rawURL, "https://")
+	u = strings.TrimPrefix(u, "http://")
+	u = strings.ReplaceAll(u, ":", "_")
+	return normalizeName(u)
+}
+
+func projectHookResourceName(p *gl.Project, h *gl.ProjectHook) string {
+	return projectResourceName(p) + "_" + normalizeHookURL(h.URL)
+}
+
+func groupHookResourceName(g *gl.Group, h *gl.GroupHook) string {
+	return normalizeToTerraformName(g.Path) + "_" + normalizeHookURL(h.URL)
+}
+
+func WriteProjectHooks(p *gl.Project, hooks []*gl.ProjectHook, w io.Writer) error {
+	f := hclwrite.NewEmptyFile()
+	rootBody := f.Body()
+	projName := projectResourceName(p)
+
+	for i, h := range hooks {
+		if i > 0 {
+			rootBody.AppendNewline()
+		}
+		name := projectHookResourceName(p, h)
+		block := rootBody.AppendNewBlock("resource", []string{"gitlab_project_hook", name})
+		body := block.Body()
+
+		body.SetAttributeTraversal("project", hcl.Traversal{
+			hcl.TraverseRoot{Name: "gitlab_project"},
+			hcl.TraverseAttr{Name: projName},
+			hcl.TraverseAttr{Name: "id"},
+		})
+		body.SetAttributeValue("url", cty.StringVal(h.URL))
+		if h.Name != "" {
+			body.SetAttributeValue("name", cty.StringVal(h.Name))
+		}
+		if h.Description != "" {
+			body.SetAttributeValue("description", cty.StringVal(h.Description))
+		}
+		body.SetAttributeValue("enable_ssl_verification", cty.BoolVal(h.EnableSSLVerification))
+
+		// push_events: always write (provider default is true, so we need explicit false)
+		body.SetAttributeValue("push_events", cty.BoolVal(h.PushEvents))
+		if h.PushEventsBranchFilter != "" {
+			body.SetAttributeValue("push_events_branch_filter", cty.StringVal(h.PushEventsBranchFilter))
+		}
+
+		writeEvents(body, []hookEvent{
+			{"tag_push_events", h.TagPushEvents},
+			{"issues_events", h.IssuesEvents},
+			{"confidential_issues_events", h.ConfidentialIssuesEvents},
+			{"merge_requests_events", h.MergeRequestsEvents},
+			{"note_events", h.NoteEvents},
+			{"confidential_note_events", h.ConfidentialNoteEvents},
+			{"job_events", h.JobEvents},
+			{"pipeline_events", h.PipelineEvents},
+			{"wiki_page_events", h.WikiPageEvents},
+			{"deployment_events", h.DeploymentEvents},
+			{"releases_events", h.ReleasesEvents},
+		})
+	}
+
+	_, err := w.Write(f.Bytes())
+	return err
+}
+
+func WriteGroupHooks(g *gl.Group, hooks []*gl.GroupHook, w io.Writer) error {
+	f := hclwrite.NewEmptyFile()
+	rootBody := f.Body()
+	groupName := normalizeToTerraformName(g.Path)
+
+	for i, h := range hooks {
+		if i > 0 {
+			rootBody.AppendNewline()
+		}
+		name := groupHookResourceName(g, h)
+		block := rootBody.AppendNewBlock("resource", []string{"gitlab_group_hook", name})
+		body := block.Body()
+
+		body.SetAttributeTraversal("group", hcl.Traversal{
+			hcl.TraverseRoot{Name: "gitlab_group"},
+			hcl.TraverseAttr{Name: groupName},
+			hcl.TraverseAttr{Name: "id"},
+		})
+		body.SetAttributeValue("url", cty.StringVal(h.URL))
+		if h.Name != "" {
+			body.SetAttributeValue("name", cty.StringVal(h.Name))
+		}
+		if h.Description != "" {
+			body.SetAttributeValue("description", cty.StringVal(h.Description))
+		}
+		body.SetAttributeValue("enable_ssl_verification", cty.BoolVal(h.EnableSSLVerification))
+
+		// push_events: always write
+		body.SetAttributeValue("push_events", cty.BoolVal(h.PushEvents))
+		if h.PushEventsBranchFilter != "" {
+			body.SetAttributeValue("push_events_branch_filter", cty.StringVal(h.PushEventsBranchFilter))
+		}
+		if h.BranchFilterStrategy != "" {
+			body.SetAttributeValue("branch_filter_strategy", cty.StringVal(h.BranchFilterStrategy))
+		}
+
+		writeEvents(body, []hookEvent{
+			{"tag_push_events", h.TagPushEvents},
+			{"issues_events", h.IssuesEvents},
+			{"confidential_issues_events", h.ConfidentialIssuesEvents},
+			{"merge_requests_events", h.MergeRequestsEvents},
+			{"note_events", h.NoteEvents},
+			{"confidential_note_events", h.ConfidentialNoteEvents},
+			{"job_events", h.JobEvents},
+			{"pipeline_events", h.PipelineEvents},
+			{"wiki_page_events", h.WikiPageEvents},
+			{"deployment_events", h.DeploymentEvents},
+			{"releases_events", h.ReleasesEvents},
+			{"subgroup_events", h.SubGroupEvents},
+			{"emoji_events", h.EmojiEvents},
+			{"feature_flag_events", h.FeatureFlagEvents},
+		})
+	}
+
+	_, err := w.Write(f.Bytes())
+	return err
+}
+
+type hookEvent struct {
+	attr string
+	val  bool
+}
+
+func writeEvents(body *hclwrite.Body, events []hookEvent) {
+	for _, e := range events {
+		if e.val {
+			body.SetAttributeValue(e.attr, cty.True)
+		}
+	}
+}

internal/terraform/hooks_test.go

@@ -0,0 +1,97 @@
+package terraform
+
+import (
+	"bytes"
+	"testing"
+
+	gl "gitlab.com/gitlab-org/api/client-go"
+)
+
+func TestNormalizeHookURL(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"https://hooks.slack.com/services/T123", "hooks_slack_com_services_t123"},
+		{"http://example.com/webhook", "example_com_webhook"},
+		{"https://example.com:8080/hook", "example_com_8080_hook"},
+		{"example.com/plain", "example_com_plain"},
+	}
+	for _, tt := range tests {
+		got := normalizeHookURL(tt.input)
+		if got != tt.want {
+			t.Errorf("normalizeHookURL(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestWriteProjectHooks(t *testing.T) {
+	project := &gl.Project{
+		ID:                1,
+		Path:              "my-project",
+		Namespace:         &gl.ProjectNamespace{FullPath: "my-group"},
+		PathWithNamespace: "my-group/my-project",
+	}
+
+	hooks := []*gl.ProjectHook{
+		{
+			ID:                    100,
+			URL:                   "https://hooks.slack.com/services/T123",
+			Name:                  "Slack notifications",
+			Description:           "Posts to #dev",
+			EnableSSLVerification: true,
+			PushEvents:            true,
+			MergeRequestsEvents:   true,
+		},
+		{
+			ID:                    200,
+			URL:                   "https://example.com/webhook",
+			EnableSSLVerification: true,
+			PushEvents:            false,
+			TagPushEvents:         true,
+			PipelineEvents:        true,
+		},
+	}
+
+	var buf bytes.Buffer
+	if err := WriteProjectHooks(project, hooks, &buf); err != nil {
+		t.Fatalf("WriteProjectHooks error: %v", err)
+	}
+
+	compareGolden(t, "project_hooks.tf", buf.String())
+}
+
+func TestWriteGroupHooks(t *testing.T) {
+	group := &gl.Group{
+		ID:       10,
+		Path:     "my-group",
+		FullPath: "my-group",
+	}
+
+	hooks := []*gl.GroupHook{
+		{
+			ID:                    300,
+			URL:                   "https://example.com/webhook",
+			EnableSSLVerification: true,
+			PushEvents:            true,
+			SubGroupEvents:        true,
+		},
+		{
+			ID:                    400,
+			URL:                   "https://ci.internal.io/notify",
+			Name:                  "CI notify",
+			EnableSSLVerification: false,
+			PushEvents:            true,
+			MergeRequestsEvents:   true,
+			EmojiEvents:           true,
+			FeatureFlagEvents:     true,
+		},
+	}
+
+	var buf bytes.Buffer
+	if err := WriteGroupHooks(group, hooks, &buf); err != nil {
+		t.Fatalf("WriteGroupHooks error: %v", err)
+	}
+
+	compareGolden(t, "group_hooks.tf", buf.String())
+}