Support polling for changes instead of using webhooks
Problem statement
Atlantis offers some security benefits:
- you can run Terraform inside your trust boundary, as opposed to running it in something like CircleCI or GitHub Actions. This limits the number of third parties with access to your deployment secrets.
- you can mandate peer reviews on infrastructure changes.
The one thing preventing Atlantis from offering all the security benefits of a pull-based GitOps pipeline is its use of GitHub webhooks to monitor a repository for changes.
This means that Atlantis exposes a network attack surface from your trust boundary, and technically, puts users at risk of an attack coming from the Internet should there ever be a vulnerability in Atlantis' exposed network service. Such an issue would be critical, given the level of Atlantis' access to users' environments.
This is all the more concerning given that GitHub doesn't guarantee static source IP addresses, meaning a lot of users probably opt not to use IP address whitelisting to protect Atlantis.
Finally, I suspect some more stringent organizations cannot deploy Atlantis at the moment due to the need to open up a port to the internet (without whitelisting, or with additional engineering work required for whitelisting, given the dynamic nature of GitHub's source IPs). It's possible that even organizations using an internally hosted GitHub Enterprise can't use Atlantis for similar reasons.
Proposal
Consider supporting a poll mode, where Atlantis continuously polls the target GitHub repository every X minutes instead of listening for webhooks.
This would remove Atlantis' network attack surface, significantly increasing the security posture and protecting it from most potential 0-days.
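To make the proposed poll mode concrete, here is an added sketch (not Atlantis code, and not an implementation the project provides) of the outbound-only loop such a mode would run. It assumes a hypothetical `PullSource` interface standing in for a "list open pull requests" API call, and it turns the difference between two consecutive polls into the same kind of events a webhook handler would otherwise receive: a PR first seen is "opened", a PR whose head commit changed is "updated", and a PR that disappears from the open set is "closed". Nothing in it listens on a socket; the only network activity is the periodic outbound query.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"time"
)

// PullRequest is the subset of pull-request metadata the poller needs.
type PullRequest struct {
	Number  int
	HeadSHA string
}

// PullSource is a hypothetical abstraction over the outbound "list open pull
// requests" call (e.g. the GitHub REST API). It is assumed for this example;
// the real API client is not part of the sketch.
type PullSource interface {
	ListOpenPulls(ctx context.Context) ([]PullRequest, error)
}

// Event is the webhook-equivalent unit of work produced by a poll.
type Event struct {
	Number  int
	HeadSHA string
	Kind    string // "opened", "updated" or "closed"
}

// Poller remembers the last head commit seen per open PR so that each poll
// emits only genuinely new work.
type Poller struct {
	src      PullSource
	lastHead map[int]string
}

func NewPoller(src PullSource) *Poller {
	return &Poller{src: src, lastHead: map[int]string{}}
}

// PollOnce performs one outbound query and returns the events equivalent to the
// webhooks that would have been delivered since the previous call. On the very
// first call every open PR is reported as "opened".
func (p *Poller) PollOnce(ctx context.Context) ([]Event, error) {
	pulls, err := p.src.ListOpenPulls(ctx)
	if err != nil {
		return nil, err
	}
	var events []Event
	open := make(map[int]bool, len(pulls))
	for _, pr := range pulls {
		open[pr.Number] = true
		prev, seen := p.lastHead[pr.Number]
		switch {
		case !seen:
			events = append(events, Event{pr.Number, pr.HeadSHA, "opened"})
		case prev != pr.HeadSHA:
			events = append(events, Event{pr.Number, pr.HeadSHA, "updated"})
		}
		p.lastHead[pr.Number] = pr.HeadSHA
	}
	// PRs no longer in the open set were merged or closed: report them and drop
	// their state so the map does not grow without bound.
	for n, sha := range p.lastHead {
		if !open[n] {
			events = append(events, Event{n, sha, "closed"})
			delete(p.lastHead, n)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Number < events[j].Number })
	return events, nil
}

// Run polls every interval until ctx is cancelled, handing each event to handle.
// A failed poll is logged and retried on the next tick rather than aborting.
func (p *Poller) Run(ctx context.Context, interval time.Duration, handle func(Event)) error {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		events, err := p.PollOnce(ctx)
		if err != nil {
			fmt.Println("poll failed:", err)
		}
		for _, e := range events {
			handle(e)
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-ticker.C:
		}
	}
}

// fakeSource is a constructed stand-in for the API so the example runs offline.
type fakeSource struct{ pulls []PullRequest }

func (f *fakeSource) ListOpenPulls(context.Context) ([]PullRequest, error) { return f.pulls, nil }

func main() {
	src := &fakeSource{pulls: []PullRequest{{Number: 7, HeadSHA: "aaa"}}}
	p := NewPoller(src)
	ev, _ := p.PollOnce(context.Background())
	fmt.Println(ev) // PR 7 reported as opened
	src.pulls[0].HeadSHA = "bbb"
	ev, _ = p.PollOnce(context.Background())
	fmt.Println(ev) // PR 7 reported as updated with head bbb
}
```

The state kept is deliberately tiny (PR number to head SHA), which is what makes polling cheap enough to run every X minutes; the trade-off against webhooks is latency of up to one interval, not correctness, since any change to a PR's head commit is picked up on the next poll.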
Precedent
The proposal is the model adopted by Flux.