From c19f3f408e8c739f66e2076c0319eaca723b0616 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 19 Sep 2025 12:38:23 -0400 Subject: [PATCH 1/3] Deploy keys optional --- .gitignore | 1 + src/CHANGELOG.md | 8 +------- src/README.md | 27 +++++++++++---------------- src/applicationset.tf | 2 +- src/main.tf | 11 ++++++----- src/outputs.tf | 15 ++++++++++----- src/provider-github.tf | 6 ++++-- src/templates/applicationset.yaml.tpl | 4 ++-- src/variables.tf | 6 ++++++ 9 files changed, 42 insertions(+), 38 deletions(-) diff --git a/.gitignore b/.gitignore index edeabaf..7c91e9c 100644 --- a/.gitignore +++ b/.gitignore @@ -76,3 +76,4 @@ github/ *.ovpn *.zip +account-map/ diff --git a/src/CHANGELOG.md b/src/CHANGELOG.md index 6355f24..49f0c18 100644 --- a/src/CHANGELOG.md +++ b/src/CHANGELOG.md @@ -1,9 +1,3 @@ -## `argocd-github-repo` Component PR [#17](https://github.com/cloudposse-terraform-components/aws-argocd-github-repo/pull/17) - -Corrected the spelling of "succeded" to "succeeded" in the `on-deploy-succeded` notification. As a result, both components (`argocd-github-repo` and `eks/argocd`) need to be updated to make this change. - -See the [PR for eks/argocd](https://github.com/cloudposse-terraform-components/aws-eks-argocd/pull/16) - ## Components PR [#851](https://github.com/cloudposse/terraform-aws-components/pull/851) This is a bug fix and feature enhancement update. There are few actions necessary to upgrade. @@ -31,7 +25,7 @@ components: - `on-deploy-started` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - - `on-deploy-succeded` + - `on-deploy-succeeded` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - `on-deploy-failed` diff --git a/src/README.md b/src/README.md index 88431d8..718d9ce 100644 --- a/src/README.md +++ b/src/README.md 
@@ -6,9 +6,10 @@ tags: - provider/github --- -# Component: `argocd-github-repo` +# Component: `argocd-repo` This component is responsible for creating and managing an ArgoCD desired state repository. + ## Usage **Stack Level**: Regional @@ -83,10 +84,7 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" ``` - - - - + ## Requirements | Name | Version | @@ -109,7 +107,7 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | Name | Source | Version | |------|--------|---------| | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.13.0 | +| [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.11.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources @@ -142,6 +140,7 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [create\_repo](#input\_create\_repo) | Whether or not to create the repository or use an existing one | `bool` | `true` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [deploy\_keys\_enabled](#input\_deploy\_keys\_enabled) | Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. Alternatively, you can use a GitHub App to access this desired state repository. | `bool` | `true` | no | | [description](#input\_description) | The description of the repository | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | @@ -190,19 +189,15 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | [repository\_default\_branch](#output\_repository\_default\_branch) | Repository default branch | | [repository\_description](#output\_repository\_description) | Repository description | | [repository\_git\_clone\_url](#output\_repository\_git\_clone\_url) | Repository git clone URL | +| [repository\_http\_clone\_url](#output\_repository\_http\_clone\_url) | Repository HTTP clone URL | | [repository\_ssh\_clone\_url](#output\_repository\_ssh\_clone\_url) | Repository SSH clone URL | | [repository\_url](#output\_repository\_url) | Repository URL | - - - + + ## References +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/argocd-repo) - + Cloud Posse's upstream component -- [cloudposse-terraform-components](https://github.com/orgs/cloudposse-terraform-components/repositories) - Cloud Posse's upstream component - - - - -[](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-argocd-github-repo&utm_content=) - +[](https://cpco.io/component) diff --git a/src/applicationset.tf b/src/applicationset.tf index 21abbf9..f16f604 100644 --- a/src/applicationset.tf +++ b/src/applicationset.tf @@ -15,7 +15,7 @@ resource "github_repository_file" "application_set" { ignore-differences = each.value.ignore-differences name = module.this.namespace namespace = local.manifest_kubernetes_namespace - ssh_url = local.github_repository.ssh_clone_url + url = local.deploy_keys_enabled ? local.github_repository.ssh_clone_url : local.github_repository.http_clone_url notifications = local.github_notifications slack_notifications_channel = var.slack_notifications_channel }) 
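Review bot: With `deploy_keys_enabled = false` the ApplicationSet is rendered with `local.github_repository.http_clone_url`, but nothing in this commit provisions or documents the credential Argo CD then needs to read a private repository over HTTPS; the `deploy_keys_enabled` description in variables.tf only alludes to a GitHub App. A comment on the new `url` line would make the operator's obligation explicit: `# Deploy keys off: Argo CD must already hold a repository credential (e.g. a GitHub App) for this HTTPS URL`. The same caveat belongs in the variable description in the variables.tf hunk of this patch. The enclosing `github_repository_file.application_set` resource starts outside the hunk.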
diff --git a/src/main.tf b/src/main.tf index 88be37c..8f1c4dc 100644 --- a/src/main.tf +++ b/src/main.tf @@ -1,5 +1,6 @@ locals { - enabled = module.this.enabled + enabled = module.this.enabled + deploy_keys_enabled = local.enabled && var.deploy_keys_enabled environments = local.enabled ? { for env in var.environments : @@ -14,9 +15,9 @@ locals { manifest_kubernetes_namespace = var.manifest_kubernetes_namespace - team_slugs = local.enabled ? toset(compact([ + team_slugs = toset(compact([ for permission in var.permissions : lookup(permission, "team_slug", null) - ])) : [] + ])) team_ids = [ for team in data.github_team.default : team.id @@ -118,14 +119,14 @@ resource "github_team_repository" "default" { } resource "tls_private_key" "default" { - for_each = local.environments + for_each = local.deploy_keys_enabled ? local.environments : {} algorithm = "RSA" rsa_bits = "2048" } resource "github_repository_deploy_key" "default" { - for_each = local.environments + for_each = local.deploy_keys_enabled ? local.environments : {} title = "Deploy key for ArgoCD environment: ${each.key} (${local.github_repository.default_branch} branch)" repository = local.github_repository.name diff --git a/src/outputs.tf b/src/outputs.tf index e737724..05fe2ca 100644 --- a/src/outputs.tf +++ b/src/outputs.tf 
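Review bot: The expression `local.deploy_keys_enabled ? local.environments : {}` is written twice here, in `tls_private_key.default` and `github_repository_deploy_key.default`, and a third time as `deploy_key_environments` in the provider-github.tf hunk of this patch; defining it once next to `deploy_keys_enabled`, `deploy_key_environments = local.deploy_keys_enabled ? local.environments : {}`, and using `for_each = local.deploy_key_environments` in both resources keeps the three in step. Since the key only has to let Argo CD read the desired-state repository, it is also worth confirming that the deploy key is created with `read_only = true`; that attribute would be below the visible lines of `github_repository_deploy_key.default`. Both resource blocks continue past the hunk.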
@@ -15,25 +15,30 @@ output "repository" { output "repository_description" { description = "Repository description" - value = local.enabled ? local.github_repository.description : null + value = local.github_repository.description } output "repository_default_branch" { description = "Repository default branch" - value = local.enabled ? local.github_repository.default_branch : null + value = local.github_repository.default_branch } output "repository_url" { description = "Repository URL" - value = local.enabled ? local.github_repository.html_url : null + value = local.github_repository.html_url } output "repository_git_clone_url" { description = "Repository git clone URL" - value = local.enabled ? local.github_repository.git_clone_url : null + value = local.github_repository.git_clone_url } output "repository_ssh_clone_url" { description = "Repository SSH clone URL" - value = local.enabled ? local.github_repository.ssh_clone_url : null + value = local.github_repository.ssh_clone_url +} + +output "repository_http_clone_url" { + description = "Repository HTTP clone URL" + value = local.github_repository.http_clone_url } diff --git a/src/provider-github.tf b/src/provider-github.tf index e701885..2902a14 100644 --- a/src/provider-github.tf +++ b/src/provider-github.tf @@ -2,6 +2,8 @@ locals { github_token = local.enabled ? ( var.use_local_github_credentials ? null : coalesce(var.github_token_override, data.aws_ssm_parameter.github_api_key[0].value) ) : "" + + deploy_key_environments = local.deploy_keys_enabled ? local.environments : {} } data "aws_ssm_parameter" "github_api_key" { @@ -12,9 +14,9 @@ data "aws_ssm_parameter" "github_api_key" { module "store_write" { source = "cloudposse/ssm-parameter-store/aws" - version = "0.13.0" + version = "0.11.0" - parameter_write = [for k, v in local.environments : + parameter_write = [for k, v in local.deploy_key_environments : { name = format(var.ssm_github_deploy_key_format, k) value = tls_private_key.default[k].private_key_pem 
diff --git a/src/templates/applicationset.yaml.tpl b/src/templates/applicationset.yaml.tpl index e44b750..609035d 100644 --- a/src/templates/applicationset.yaml.tpl +++ b/src/templates/applicationset.yaml.tpl @@ -37,7 +37,7 @@ metadata: spec: generators: - git: - repoURL: ${ssh_url} + repoURL: ${url} revision: HEAD files: - path: ${environment}/apps/*/*/config.yaml @@ -63,7 +63,7 @@ spec: spec: project: ${name} source: - repoURL: ${ssh_url} + repoURL: ${url} targetRevision: HEAD path: '{{manifests}}' destination: diff --git a/src/variables.tf b/src/variables.tf index 080b80e..891b03c 100644 --- a/src/variables.tf +++ b/src/variables.tf @@ -209,3 +209,9 @@ variable "use_local_github_credentials" { description = "Use local GitHub credentials from environment variables instead of SSM" default = false } + +variable "deploy_keys_enabled" { + type = bool + description = "Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. Alternatively, you can use a GitHub App to access this desired state repository." + default = true +} From 689d04318e7bb4d829da14b8907f0e6cb1bce624 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 19 Sep 2025 12:42:05 -0400 Subject: [PATCH 2/3] Deploy keys optional --- src/CHANGELOG.md | 8 +++++++- src/README.md | 26 +++++++++++++++----------- src/outputs.tf | 14 +++++++------- src/provider-github.tf | 8 +++----- 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/src/CHANGELOG.md b/src/CHANGELOG.md index 49f0c18..6355f24 100644 --- a/src/CHANGELOG.md +++ b/src/CHANGELOG.md 
@@ -1,3 +1,9 @@ +## `argocd-github-repo` Component PR [#17](https://github.com/cloudposse-terraform-components/aws-argocd-github-repo/pull/17) + +Corrected the spelling of "succeded" to "succeeded" in the `on-deploy-succeded` notification. As a result, both components (`argocd-github-repo` and `eks/argocd`) need to be updated to make this change. + +See the [PR for eks/argocd](https://github.com/cloudposse-terraform-components/aws-eks-argocd/pull/16) + ## Components PR [#851](https://github.com/cloudposse/terraform-aws-components/pull/851) This is a bug fix and feature enhancement update. There are few actions necessary to upgrade. @@ -25,7 +31,7 @@ components: - `on-deploy-started` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - - `on-deploy-succeeded` + - `on-deploy-succeded` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - `on-deploy-failed` diff --git a/src/README.md b/src/README.md index 718d9ce..526471c 100644 --- a/src/README.md +++ b/src/README.md @@ -6,10 +6,9 @@ tags: - provider/github --- -# Component: `argocd-repo` +# Component: `argocd-github-repo` This component is responsible for creating and managing an ArgoCD desired state repository. - ## Usage **Stack Level**: Regional @@ -84,7 +83,10 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" ``` - + + + + ## Requirements | Name | Version | @@ -107,7 +109,7 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | Name | Source | Version | |------|--------|---------| | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.11.0 | +| [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.13.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources 
@@ -140,7 +142,6 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [create\_repo](#input\_create\_repo) | Whether or not to create the repository or use an existing one | `bool` | `true` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [deploy\_keys\_enabled](#input\_deploy\_keys\_enabled) | Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. Alternatively, you can use a GitHub App to access this desired state repository. | `bool` | `true` | no | | [description](#input\_description) | The description of the repository | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | @@ -189,15 +190,18 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | [repository\_default\_branch](#output\_repository\_default\_branch) | Repository default branch | | [repository\_description](#output\_repository\_description) | Repository description | | [repository\_git\_clone\_url](#output\_repository\_git\_clone\_url) | Repository git clone URL | -| [repository\_http\_clone\_url](#output\_repository\_http\_clone\_url) | Repository HTTP clone URL | | [repository\_ssh\_clone\_url](#output\_repository\_ssh\_clone\_url) | Repository SSH clone URL | | [repository\_url](#output\_repository\_url) | Repository URL | - - + + + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/argocd-repo) - - Cloud Posse's upstream component -[](https://cpco.io/component) +- [cloudposse-terraform-components](https://github.com/orgs/cloudposse-terraform-components/repositories) - Cloud Posse's upstream component + + + + +[](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-argocd-github-repo&utm_content=) diff --git a/src/outputs.tf b/src/outputs.tf index 05fe2ca..fcad1ad 100644 --- a/src/outputs.tf +++ b/src/outputs.tf @@ -1,6 +1,6 @@ output "deploy_keys_ssm_paths" { description = "SSM Parameter Store paths for the repository's deploy keys" - value = module.store_write.names + value = local.deploy_keys_enabled ? module.store_write.names : [] } output "deploy_keys_ssm_path_format" { 
@@ -15,30 +15,30 @@ output "repository" { output "repository_description" { description = "Repository description" - value = local.github_repository.description + value = local.enabled ? local.github_repository.description : null } output "repository_default_branch" { description = "Repository default branch" - value = local.github_repository.default_branch + value = local.enabled ? local.github_repository.default_branch : null } output "repository_url" { description = "Repository URL" - value = local.github_repository.html_url + value = local.enabled ? local.github_repository.html_url : null } output "repository_git_clone_url" { description = "Repository git clone URL" - value = local.github_repository.git_clone_url + value = local.enabled ? local.github_repository.git_clone_url : null } output "repository_ssh_clone_url" { description = "Repository SSH clone URL" - value = local.github_repository.ssh_clone_url + value = local.enabled ? local.github_repository.ssh_clone_url : null } output "repository_http_clone_url" { description = "Repository HTTP clone URL" - value = local.github_repository.http_clone_url + value = local.enabled ? local.github_repository.http_clone_url : null } diff --git a/src/provider-github.tf b/src/provider-github.tf index 2902a14..ec3910d 100644 --- a/src/provider-github.tf +++ b/src/provider-github.tf @@ -2,8 +2,6 @@ locals { github_token = local.enabled ? ( var.use_local_github_credentials ? null : coalesce(var.github_token_override, data.aws_ssm_parameter.github_api_key[0].value) ) : "" - - deploy_key_environments = local.deploy_keys_enabled ? local.environments : {} } data "aws_ssm_parameter" "github_api_key" { 
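Review bot: The `repository_http_clone_url` output kept here, and the `deploy_keys_enabled` variable kept in variables.tf, no longer match the README in this same commit, whose inputs and outputs tables drop both rows; the tables look generated, so regenerating them (or restoring the two rows) would keep the docs in step with the code. Restoring the `local.enabled ? … : null` guards is consistent with how the other outputs in the file are written.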
@@ -14,9 +12,9 @@ data "aws_ssm_parameter" "github_api_key" { module "store_write" { source = "cloudposse/ssm-parameter-store/aws" - version = "0.11.0" + version = "0.13.0" - parameter_write = [for k, v in local.deploy_key_environments : + parameter_write = local.deploy_keys_enabled ? [for k, v in local.environments : { name = format(var.ssm_github_deploy_key_format, k) value = tls_private_key.default[k].private_key_pem @@ -24,7 +22,7 @@ module "store_write" { overwrite = true description = github_repository_deploy_key.default[k].title } - ] + ] : [] context = module.this.context } From 160be6d0714471753500dfa78c536b2cfc032b6a Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 19 Sep 2025 13:14:11 -0400 Subject: [PATCH 3/3] fixed enabled flag --- src/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main.tf b/src/main.tf index 8f1c4dc..63174df 100644 --- a/src/main.tf +++ b/src/main.tf @@ -15,9 +15,9 @@ locals { manifest_kubernetes_namespace = var.manifest_kubernetes_namespace - team_slugs = toset(compact([ + team_slugs = local.enabled ? toset(compact([ for permission in var.permissions : lookup(permission, "team_slug", null) - ])) + ])) : [] team_ids = [ for team in data.github_team.default : team.id
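Review bot: The value written by `parameter_write` is `tls_private_key.default[k].private_key_pem`, i.e. the deploy key's private key, so each entry should carry `type = "SecureString"`; the lines between the two parts of this hunk are not visible, so if the type is already set there this is only a request to keep it. Wrapping the whole `[for …]` in `local.deploy_keys_enabled ? … : []` spreads one expression across two hunks, so a comment on the first line such as `# No deploy keys, no SSM parameters: an empty list makes store_write a no-op` would say why the conditional is there.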
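Review bot: The two arms of the restored conditional have different types: `toset(compact([...]))` is `set(string)` while `[]` is an empty tuple; Terraform converts the tuple automatically, but `: toset([])` makes the intended type explicit for whatever consumes `team_slugs` (presumably the `for_each` on `data.github_team.default`, which is outside the hunk). `team_slugs` sits inside a `locals` block whose start and end lie outside the hunk.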