feat: Deploy Keys as Optional

.gitignore

@@ -76,3 +76,4 @@ github/
 *.ovpn
 
 *.zip
+account-map/

src/applicationset.tf

@@ -15,7 +15,7 @@ resource "github_repository_file" "application_set" {
     ignore-differences          = each.value.ignore-differences
     name                        = module.this.namespace
     namespace                   = local.manifest_kubernetes_namespace
-    ssh_url                     = local.github_repository.ssh_clone_url
+    url                         = local.deploy_keys_enabled ? local.github_repository.ssh_clone_url : local.github_repository.http_clone_url
     notifications               = local.github_notifications
     slack_notifications_channel = var.slack_notifications_channel
   })

src/main.tf

@@ -1,5 +1,6 @@
 locals {
-  enabled = module.this.enabled
+  enabled             = module.this.enabled
+  deploy_keys_enabled = local.enabled && var.deploy_keys_enabled
 
   environments = local.enabled ? {
     for env in var.environments :
@@ -118,14 +119,14 @@ resource "github_team_repository" "default" {
 }
 
 resource "tls_private_key" "default" {
-  for_each = local.environments
+  for_each = local.deploy_keys_enabled ? local.environments : {}
 
   algorithm = "RSA"
   rsa_bits  = "2048"
 }
 
 resource "github_repository_deploy_key" "default" {
-  for_each = local.environments
+  for_each = local.deploy_keys_enabled ? local.environments : {}
 
   title      = "Deploy key for ArgoCD environment: ${each.key} (${local.github_repository.default_branch} branch)"
   repository = local.github_repository.name

src/outputs.tf

@@ -1,6 +1,6 @@
 output "deploy_keys_ssm_paths" {
   description = "SSM Parameter Store paths for the repository's deploy keys"
-  value       = module.store_write.names
+  value       = local.deploy_keys_enabled ? module.store_write.names : []
 }
 
 output "deploy_keys_ssm_path_format" {
@@ -37,3 +37,8 @@ output "repository_ssh_clone_url" {
   description = "Repository SSH clone URL"
   value       = local.enabled ? local.github_repository.ssh_clone_url : null
 }
+
+output "repository_http_clone_url" {
+  description = "Repository HTTP clone URL"
+  value       = local.enabled ? local.github_repository.http_clone_url : null
+}

src/provider-github.tf

@@ -14,15 +14,15 @@ module "store_write" {
   source  = "cloudposse/ssm-parameter-store/aws"
   version = "0.13.0"
 
-  parameter_write = [for k, v in local.environments :
+  parameter_write = local.deploy_keys_enabled ? [for k, v in local.environments :
     {
       name        = format(var.ssm_github_deploy_key_format, k)
       value       = tls_private_key.default[k].private_key_pem
       type        = "SecureString"
       overwrite   = true
       description = github_repository_deploy_key.default[k].title
     }
-  ]
+  ] : []
 
   context = module.this.context
 }

src/templates/applicationset.yaml.tpl

@@ -37,7 +37,7 @@ metadata:
 spec:
   generators:
     - git:
-        repoURL: ${ssh_url}
+        repoURL: ${url}
         revision: HEAD
         files:
           - path: ${environment}/apps/*/*/config.yaml
@@ -63,7 +63,7 @@ spec:
     spec:
       project: ${name}
       source:
-        repoURL: ${ssh_url}
+        repoURL: ${url}
         targetRevision: HEAD
         path: '{{manifests}}'
       destination:

src/variables.tf

@@ -209,3 +209,9 @@ variable "use_local_github_credentials" {
   description = "Use local GitHub credentials from environment variables instead of SSM"
   default     = false
 }
+
+variable "deploy_keys_enabled" {
+  type        = bool
+  description = "Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. Alternatively, you can use a GitHub App to access this desired state repository."
+  default     = true
+}