feat(oci-private): add optional tmi-tf-wh OCIR repo, queue, and IAM

Mirrors oci-public configuration with is_public=false for OCIR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ericfitz

terraform/environments/oci-private/main.tf

@@ -139,6 +139,13 @@ resource "oci_artifacts_container_repository" "redis" {
   is_public      = false
 }
 
+resource "oci_artifacts_container_repository" "tmi_tf_wh" {
+  count          = var.tmi_tf_wh_enabled ? 1 : 0
+  compartment_id = var.compartment_id
+  display_name   = "${var.name_prefix}/tmi-tf-wh"
+  is_public      = false
+}
+
 # ---------------------------------------------------------------------------
 # Network Module (private subnets, NAT gateway for outbound)
 # ---------------------------------------------------------------------------
@@ -263,6 +270,18 @@ module "logging" {
   depends_on = [module.secrets, module.kubernetes]
 }
 
+# ---------------------------------------------------------------------------
+# tmi-tf-wh Queue (optional — enabled when tmi_tf_wh_enabled is true)
+# ---------------------------------------------------------------------------
+resource "oci_queue_queue" "tmi_tf_wh" {
+  count                            = var.tmi_tf_wh_enabled ? 1 : 0
+  compartment_id                   = var.compartment_id
+  display_name                     = "${var.name_prefix}-tf-wh-queue"
+  visibility_in_seconds            = 3600
+  retention_in_seconds             = 86400
+  dead_letter_queue_delivery_count = 3
+}
+
 # ---------------------------------------------------------------------------
 # Kubernetes (OKE) Module — private endpoint, internal LB
 # ---------------------------------------------------------------------------
@@ -302,6 +321,12 @@ module "kubernetes" {
   tmi_ux_enabled   = var.tmi_ux_enabled
   tmi_ux_image_url = var.tmi_ux_image_url
 
+  # tmi-tf-wh Webhook Analyzer configuration (optional)
+  tmi_tf_wh_enabled        = var.tmi_tf_wh_enabled
+  tmi_tf_wh_image_url      = var.tmi_tf_wh_image_url
+  tmi_tf_wh_queue_ocid     = var.tmi_tf_wh_enabled ? oci_queue_queue.tmi_tf_wh[0].id : ""
+  tmi_tf_wh_extra_env_vars = var.tmi_tf_wh_extra_env_vars
+
   # Database configuration (private endpoint)
   db_username           = var.db_username
   db_password           = local.db_password
@@ -418,10 +443,17 @@ resource "oci_identity_policy" "vault_access" {
   name           = "${var.name_prefix}-vault-access"
   description    = "Allow TMI OKE workloads to read secrets from Vault"
 
-  statements = [
-    "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to read secret-family in compartment id ${var.compartment_id}",
-    "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to use keys in compartment id ${var.compartment_id}"
-  ]
+  statements = concat(
+    [
+      "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to read secret-family in compartment id ${var.compartment_id}",
+      "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to use keys in compartment id ${var.compartment_id}",
+    ],
+    var.tmi_tf_wh_enabled ? [
+      "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to use queues in compartment id ${var.compartment_id} where target.queue.id = '${oci_queue_queue.tmi_tf_wh[0].id}'",
+      "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to manage queue-messages in compartment id ${var.compartment_id} where target.queue.id = '${oci_queue_queue.tmi_tf_wh[0].id}'",
+      "Allow dynamic-group ${oci_identity_dynamic_group.tmi_oke.name} to use generative-ai-family in compartment id ${var.compartment_id}",
+    ] : []
+  )
 
   freeform_tags = local.tags
 }

terraform/environments/oci-private/terraform.tfvars.example

@@ -127,6 +127,12 @@ redis_image_url = "<region>.ocir.io/<namespace>/tmi/tmi-redis:latest"
 # acme_contact_email            = "admin@example.com"
 # acme_directory                = "production"
 
+# ---------------------------------------------------------------------------
+# Optional: TMI-TF-WH Webhook Analyzer
+# ---------------------------------------------------------------------------
+# tmi_tf_wh_enabled   = true
+# tmi_tf_wh_image_url = "<region>.ocir.io/<namespace>/tmi/tmi-tf-wh:latest"
+
 # ---------------------------------------------------------------------------
 # Optional: Additional Tags
 # ---------------------------------------------------------------------------

terraform/environments/oci-private/variables.tf

@@ -287,6 +287,27 @@ variable "certmgr_image_url" {
   default     = null
 }
 
+# ---------------------------------------------------------------------------
+# tmi-tf-wh Webhook Analyzer (optional)
+# ---------------------------------------------------------------------------
+variable "tmi_tf_wh_enabled" {
+  description = "Enable tmi-tf-wh webhook analyzer deployment"
+  type        = bool
+  default     = false
+}
+
+variable "tmi_tf_wh_image_url" {
+  description = "Container image URL for tmi-tf-wh"
+  type        = string
+  default     = null
+}
+
+variable "tmi_tf_wh_extra_env_vars" {
+  description = "Additional environment variables for tmi-tf-wh"
+  type        = map(string)
+  default     = {}
+}
+
 # ---------------------------------------------------------------------------
 # Tags
 # ---------------------------------------------------------------------------