argocd-repo
This component is responsible for creating and managing an ArgoCD desired state repository.
Usage
Stack Level: Regional
The following are example snippets of how to use this component:
# stacks/argocd/repo/default.yaml
components:
terraform:
argocd-repo:
vars:
enabled: true
github_user: ci-acme
github_user_email: [email protected]
github_organization: ACME
github_codeowner_teams:
- "@ACME/cloud-admins"
- "@ACME/cloud-posse"
# the team must be present in the org where the repository lives
# team_slug is the name of the team without the org
# e.g. `@cloudposse/engineering` is just `engineering`
permissions:
- team_slug: admins
permission: admin
- team_slug: bots
permission: admin
- team_slug: engineering
permission: push
# stacks/argocd/repo/non-prod.yaml
import:
- catalog/argocd/repo/defaults
components:
terraform:
argocd-deploy-non-prod:
component: argocd-repo
settings:
spacelift:
workspace_enabled: true
vars:
name: argocd-deploy-non-prod
description: "ArgoCD desired state repository (Non-production) for ACME applications"
environments:
- tenant: mgmt
environment: uw2
stage: sandbox
# stacks/mgmt-gbl-corp.yaml
import:
---
- catalog/argocd/repo/non-prod
If the repository already exists, it will need to be imported (replace names of IAM profile var file accordingly):
$ export TF_VAR_github_token_override=[REDACTED]
$ atmos terraform varfile argocd-deploy-non-prod -s mgmt-gbl-corp
$ cd components/terraform/argocd-repo
$ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file="mgmt-gbl-corp-argocd-deploy-non-prod.terraform.tfvars.json" "github_repository.default[0]" argocd-deploy-non-prod
$ atmos terraform varfile argocd-deploy-non-prod -s mgmt-gbl-corp
$ cd components/terraform/argocd-repo
$ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file="mgmt-gbl-corp-argocd-deploy-non-prod.terraform.tfvars.json" "github_branch.default[0]" argocd-deploy-non-prod:main
$ cd components/terraform/argocd-repo
$ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file="mgmt-gbl-corp-argocd-deploy-non-prod.terraform.tfvars.json" "github_branch_default.default[0]" argocd-deploy-non-prod
Variables
Required Variables
github_codeowner_teams
(list(string)
) requiredList of teams to use when populating the CODEOWNERS file.
For example:
["@ACME/cloud-admins", "@ACME/cloud-developers"]
.github_organization
(string
) requiredGitHub Organization
github_user
(string
) requiredGithub user
github_user_email
(string
) requiredGithub user email
gitignore_entries
(list(string)
) requiredList of .gitignore entries to use when populating the .gitignore file.
For example:
[".idea/", ".vscode/"]
.region
(string
) requiredAWS Region
Optional Variables
create_repo
(bool
) optionalWhether or not to create the repository or use an existing one
Default value:
true
description
(string
) optionalThe description of the repository
Default value:
null
environments
optionalEnvironments to populate
applicationset.yaml
files and repository deploy keys (for ArgoCD) for.auto-sync
determines whether or not the ArgoCD application will be automatically synced.ignore-differences
determines whether or not the ArgoCD application will ignore the number of
replicas in the deployment. Read more on ignore differences here:
https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configsExample:
tenant: plat<br/>
environment: use1<br/>
stage: sandbox<br/>
auto-sync: true<br/>
ignore-differences:<br/>
- group: apps<br/>
kind: Deployment<br/>
json-pointers:<br/>
- /spec/replicas<br/>
```<br/>
<br/>
<br/>
**Type:**
```hcl
list(object({
tenant = optional(string, null)
environment = string
stage = string
attributes = optional(list(string), [])
auto-sync = bool
ignore-differences = optional(list(object({
group = string,
kind = string,
json-pointers = list(string)
})), [])
}))Default value:
[ ]
github_base_url
(string
) optionalThis is the target GitHub base API endpoint. Providing a value is a requirement when working with GitHub Enterprise. It is optional to provide this value and it can also be sourced from the
GITHUB_BASE_URL
environment variable. The value must end with a slash, for example:https://terraformtesting-ghe.westus.cloudapp.azure.com/
Default value:
null
github_default_notifications_enabled
(string
) optionalEnable default GitHub commit statuses notifications (required for CD sync mode)
Default value:
true
github_notifications
(list(string)
) optionalArgoCD notification annotations for subscribing to GitHub.
The default value given uses the same notification template names as defined in the
eks/argocd
component. If want to add additional notifications, include any existing notifications from this list that you want to keep in addition.Default value:
[
"notifications.argoproj.io/subscribe.on-deploy-started.app-repo-github-commit-status: \"\"",
"notifications.argoproj.io/subscribe.on-deploy-started.argocd-repo-github-commit-status: \"\"",
"notifications.argoproj.io/subscribe.on-deploy-succeded.app-repo-github-commit-status: \"\"",
"notifications.argoproj.io/subscribe.on-deploy-succeded.argocd-repo-github-commit-status: \"\"",
"notifications.argoproj.io/subscribe.on-deploy-failed.app-repo-github-commit-status: \"\"",
"notifications.argoproj.io/subscribe.on-deploy-failed.argocd-repo-github-commit-status: \"\""
]github_token_override
(string
) optionalUse the value of this variable as the GitHub token instead of reading it from SSM
Default value:
null
manifest_kubernetes_namespace
(string
) optionalThe namespace used for the ArgoCD application
Default value:
"argocd"
permissions
optionalA list of Repository Permission objects used to configure the team permissions of the repository
team_slug
should be the name of the team without the@{org}
e.g.@cloudposse/team
=>team
permission
is just one of the available values listed belowType:
list(object({
team_slug = string,
permission = string
}))Default value:
[ ]
push_restrictions_enabled
(bool
) optionalEnforce who can push to the main branch
Default value:
true
required_pull_request_reviews
(bool
) optionalEnforce restrictions for pull request reviews
Default value:
true
slack_notifications_channel
(string
) optionalIf given, the Slack channel to for deployment notifications.
Default value:
""
ssm_github_api_key
(string
) optionalSSM path to the GitHub API key
Default value:
"/argocd/github/api_key"
ssm_github_deploy_key_format
(string
) optionalFormat string of the SSM parameter path to which the deploy keys will be written to (%s will be replaced with the environment name)
Default value:
"/argocd/deploy_keys/%s"
vulnerability_alerts_enabled
(bool
) optionalEnable security alerts for vulnerable dependencies
Default value:
false
Context Variables
The following variables are defined in the context.tf
file of this module and part of the terraform-null-label pattern.
context.tf
file of this module and part of the terraform-null-label pattern.additional_tag_map
(map(string)
) optionalAdditional key-value pairs to add to each map in
tags_as_list_of_maps
. Not added totags
orid
.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.Required: No
Default value:
{ }
attributes
(list(string)
) optionalID element. Additional attributes (e.g.
workers
orcluster
) to add toid
,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by thedelimiter
and treated as a single ID element.Required: No
Default value:
[ ]
context
(any
) optionalSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables asnull
to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.Required: No
Default value:
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}delimiter
(string
) optionalDelimiter to be used between ID elements.
Defaults to-
(hyphen). Set to""
to use no delimiter at all.Required: No
Default value:
null
descriptor_formats
(any
) optionalDescribe additional descriptors to be output in the
descriptors
output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type isany
so the map values can later be enhanced to provide additional options.)
format
is a Terraform format string to be passed to theformat()
function.
labels
is a list of labels, in order, to pass toformat()
function.
Label values will be normalized before being passed toformat()
so they will be
identical to how they appear inid
.
Default is{}
(descriptors
output will be empty).Required: No
Default value:
{ }
enabled
(bool
) optionalSet to false to prevent the module from creating any resources
Required: NoDefault value:
null
environment
(string
) optionalID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: NoDefault value:
null
id_length_limit
(number
) optionalLimit
id
to this many characters (minimum 6).
Set to0
for unlimited length.
Set tonull
for keep the existing setting, which defaults to0
.
Does not affectid_full
.Required: No
Default value:
null
label_key_case
(string
) optionalControls the letter case of the
tags
keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via thetags
input.
Possible values:lower
,title
,upper
.
Default value:title
.Required: No
Default value:
null
label_order
(list(string)
) optionalThe order in which the labels (ID elements) appear in the
id
.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.Required: No
Default value:
null
label_value_case
(string
) optionalControls the letter case of ID elements (labels) as included in
id
,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via thetags
input.
Possible values:lower
,title
,upper
andnone
(no transformation).
Set this totitle
and setdelimiter
to""
to yield Pascal Case IDs.
Default value:lower
.Required: No
Default value:
null
labels_as_tags
(set(string)
) optionalSet of labels (ID elements) to include as tags in the
tags
output.
Default is to include all labels.
Tags with empty values will not be included in thetags
output.
Set to[]
to suppress all generated tags.
Notes:
The value of thename
tag, if included, will be theid
, not thename
.
Unlike othernull-label
inputs, the initial setting oflabels_as_tags
cannot be
changed in later chained modules. Attempts to change it will be silently ignored.Required: No
Default value:
[
"default"
]name
(string
) optionalID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as atag
.
The "name" tag is set to the fullid
string. There is no tag with the value of thename
input.Required: No
Default value:
null
namespace
(string
) optionalID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: NoDefault value:
null
regex_replace_chars
(string
) optionalTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set,"/[^a-zA-Z0-9-]/"
is used to remove all characters other than hyphens, letters and digits.Required: No
Default value:
null
stage
(string
) optionalID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: NoDefault value:
null
tags
(map(string)
) optionalAdditional tags (e.g.
{'BusinessUnit': 'XYZ'}
).
Neither the tag keys nor the tag values will be modified by this module.Required: No
Default value:
{ }
tenant
(string
) optionalID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: NoDefault value:
null
Outputs
deploy_keys_ssm_path_format
SSM Parameter Store path format for the repository's deploy keys
deploy_keys_ssm_paths
SSM Parameter Store paths for the repository's deploy keys
repository
Repository name
repository_default_branch
Repository default branch
repository_description
Repository description
repository_git_clone_url
Repository git clone URL
repository_ssh_clone_url
Repository SSH clone URL
repository_url
Repository URL
Dependencies
Requirements
terraform
, version:>= 1.0.0
aws
, version:>= 4.0
github
, version:>= 6.0
random
, version:>= 2.3
tls
, version:>= 3.0
Providers
aws
, version:>= 4.0
github
, version:>= 6.0
tls
, version:>= 3.0
Modules
Name | Version | Source | Description |
---|---|---|---|
iam_roles | latest | ../account-map/modules/iam-roles | n/a |
store_write | 0.11.0 | cloudposse/ssm-parameter-store/aws | n/a |
this | 0.25.0 | cloudposse/label/null | n/a |
Resources
The following resources are used by this module:
github_branch_default.default
(resource)github_branch_protection.default
(resource)github_repository.default
(resource)github_repository_deploy_key.default
(resource)github_repository_file.application_set
(resource)github_repository_file.codeowners_file
(resource)github_repository_file.gitignore
(resource)github_repository_file.pull_request_template
(resource)github_repository_file.readme
(resource)github_team_repository.default
(resource)tls_private_key.default
(resource)
Data Sources
The following data sources are used by this module:
aws_ssm_parameter.github_api_key
(data source)github_repository.default
(data source)github_team.default
(data source)github_user.automation_user
(data source)
References
- cloudposse/terraform-aws-components - Cloud Posse's upstream component
Changelog
Components PR #851
This is a bug fix and feature enhancement update. There are few actions necessary to upgrade.
Upgrade actions
- Enable
github_default_notifications_enabled
(settrue
)
components:
terraform:
argocd-repo-defaults:
metadata:
type: abstract
vars:
enabled: true
github_default_notifications_enabled: true
- Apply changes with Atmos
Features
- Support predefined GitHub commit status notifications for CD sync mode:
on-deploy-started
app-repo-github-commit-status
argocd-repo-github-commit-status
on-deploy-succeded
app-repo-github-commit-status
argocd-repo-github-commit-status
on-deploy-failed
app-repo-github-commit-status
argocd-repo-github-commit-status
Bug Fixes
- Remove legacy unnecessary helm values used in old ArgoCD versions (ex.
workflow auth
configs) and dropped notifications services