feat: Deploy Keys as Optional and GitHub Apps

[milldr]

what

• Deploy keys for accessing the desired state repo are optional.
• Use a GitHub App to access the desired state repo

why

• Use a GitHub App rather than deploy keys

references

• feat: Deploy Keys as Optional aws-argocd-github-repo#43

Summary by CodeRabbit

• New Features
  • Added optional GitHub App authentication for Argo CD repositories with a toggle to switch between deploy keys and GitHub App.
  • Streamlined RBAC scopes logic; removed the default readonly policy.
• Bug Fixes
  • Safer handling of missing notification webhook configurations to avoid iteration errors.
• Documentation
  • Cleaned up README formatting in the References section.
• Chores
  • Updated .gitignore to exclude account-map/ directories.

[coderabbitai]

Walkthrough

Adds .gitignore entry for account-map/. Normalizes README whitespace. Introduces GitHub authentication switch: new github_deploy_keys_enabled variable, updates data source gating, main logic for repo URLs/credentials, Helm values template conditionals, and passes GitHub App IDs. Hardens notifications webhook iteration.

Changes

Cohort / File(s)	Summary of Changes
Repo hygiene \.gitignore	Add ignore pattern for account-map/.
Docs formatting src/README.md	Trim trailing whitespace in reference bullets; remove stray dash line.
GitHub auth toggle: variables src/variables-argocd.tf	Add github_deploy_keys_enabled (bool, default true).
GitHub auth toggle: data sourcing src/data.tf	Change for_each of data "aws_ssm_parameter" "github_deploy_key" to use local.github_deploy_keys_enabled instead of local.enabled.
GitHub auth toggle: core logic src/main.tf	Introduce local.github_deploy_keys_enabled; switch repo clone URL and credentials between SSH deploy keys and GitHub App; adjust credential_templates; pass github_app_id, github_app_installation_id, and toggle into template.
Helm values template updates src/resources/argocd-values.yaml.tpl	In repositories: conditional blocks for SSH private key vs GitHub App fields; adjust RBAC scopes branching; remove policy.default: role:readonly.
Notifications iteration hardening src/notifications.tf	Iterate over coalesce(lookup(local.notifications_notifiers, "webhook", {}), {}) for webhook notifiers.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant TF as Terraform Module
  participant TPL as Helm Values Template
  participant ARGO as Argo CD
  participant GH as GitHub

  rect rgba(230,240,255,0.4)
    note over TF: Input vars: github_deploy_keys_enabled, github_app_id, github_app_installation_id
    TF->>TF: Compute locals and repo list
    alt github_deploy_keys_enabled == true
      TF->>TF: Use SSH clone URLs<br/>Load SSM deploy keys
      TF->>TPL: Pass sshPrivateKeySecret per repo
    else
      TF->>TF: Use HTTPS clone URLs<br/>Use GitHub App IDs/secret
      TF->>TPL: Pass githubAppID/InstallationID and private key secret
    end
  end

  TPL-->>TF: Rendered values.yaml
  TF-->>ARGO: Install/Upgrade Helm release with values

  alt Deploy Keys
    ARGO->>GH: Git over SSH using deploy key
  else GitHub App
    ARGO->>GH: HTTPS with GitHub App token minted from private key
  end

  note over ARGO,GH: Repos synced per selected auth method

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: GitHub App Support #16 — Parallel changes to support GitHub App vs deploy keys in Argo CD, including values template and credentials handling.

Poem

A whisk of ears, a hop of glee,
Keys or Apps—now choose with spree!
Repos clone by gentle art,
SSH or App, each plays its part.
I thump approval, fluffy-sure—
Pipelines hum, syncs secure.
Carrot commits? Merge for sure! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "feat: Deploy Keys as Optional and GitHub Apps" succinctly describes the main feature introduced by the changeset. It aligns with the diffs which add github_deploy_keys_enabled, GitHub App variables (github_app_id, github_app_installation_id), and conditional logic to switch repository credentials and clone URLs between deploy keys and GitHub App authentication. The phrasing is concise and clear for change history.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/optional-deploy-keys

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @milldr? 🙏

[milldr]

/terratest

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/data.tf (1)

29-41: for_each/name gating mismatch will crash when enabled=false.

for_each now ignores local.enabled but name still depends on it, and module.argocd_repo outputs won’t exist when disabled. Gate on both.

-data "aws_ssm_parameter" "github_deploy_key" {
-  for_each = local.github_deploy_keys_enabled ? var.argocd_repositories : {}
+data "aws_ssm_parameter" "github_deploy_key" {
+  for_each = (local.enabled && local.github_deploy_keys_enabled) ? var.argocd_repositories : {}
 
-  name = local.enabled ? format(
+  name = format(
     module.argocd_repo[each.key].outputs.deploy_keys_ssm_path_format,
     format(
       "${module.this.tenant != null ? "%[1]s/" : ""}%[2]s-%[3]s${length(module.this.attributes) > 0 ? "-%[4]s" : "%[4]s"}",
       module.this.tenant,
       module.this.environment,
       module.this.stage,
       join("-", module.this.attributes)
     )
-  ) : null
+  )

src/main.tf (1)

18-71: Unify gating for GitHub App private key data source
The data.aws_ssm_parameter.github_app_private_key resource is only created when local.create_github_webhook && var.github_app_enabled is true (provider-github.tf:35), but it’s referenced in main.tf whenever local.github_deploy_keys_enabled is false (main.tf:37), leading to potential index-out-of-range errors. Ensure both creation and usage share the same condition.

🧹 Nitpick comments (2)

src/variables-argocd.tf (1)

219-251: Add validations for GitHub App parameters and mutually exclusive auth.

Guard against misconfiguration at plan time.

 variable "github_deploy_keys_enabled" {
   type        = bool
   default     = true
   description = <<-EOT
   Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing.

   Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`.
   EOT
+  validation {
+    condition     = var.github_deploy_keys_enabled || var.github_app_enabled
+    error_message = "Enable at least one auth method: github_deploy_keys_enabled or github_app_enabled."
+  }
 }
 
 variable "github_app_enabled" {
   type        = bool
   description = "Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`)"
   default     = false
 }
 
 variable "github_app_id" {
   type        = string
   description = "The ID of the GitHub App to use for Argo CD repository authentication"
   default     = null
+  validation {
+    condition     = !var.github_app_enabled || (try(length(trimspace(var.github_app_id)) > 0, false))
+    error_message = "github_app_id must be set when github_app_enabled is true."
+  }
 }
 
 variable "github_app_installation_id" {
   type        = string
   description = "The Installation ID of the GitHub App to use for Argo CD repository authentication"
   default     = null
+  validation {
+    condition     = !var.github_app_enabled || (try(length(trimspace(var.github_app_installation_id)) > 0, false))
+    error_message = "github_app_installation_id must be set when github_app_enabled is true."
+  }
 }
 
 variable "ssm_github_app_private_key" {
   type        = string
   description = "SSM path to the GitHub App private key for Argo CD repository authentication"
   default     = "/argocd/github/app_private_key"
+  validation {
+    condition     = !var.github_app_enabled || (try(length(trimspace(var.ssm_github_app_private_key)) > 0, false))
+    error_message = "ssm_github_app_private_key must be set when github_app_enabled is true."
+  }
 }

src/resources/argocd-values.yaml.tpl (1)

31-31: Parameterize ingressClassName.

Hardcoding "alb-argocd-ext" reduces reuse. Suggest passing via a variable (defaulting to prior "alb") to avoid breaking existing clusters.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9bf4fec and 30801f6.

📒 Files selected for processing (10)

• .gitignore (1 hunks)
• src/README.md (1 hunks)
• src/data.tf (1 hunks)
• src/main.tf (2 hunks)
• src/notifications.tf (1 hunks)
• src/provider-github.tf (2 hunks)
• src/provider-helm.tf (1 hunks)
• src/remote-state.tf (4 hunks)
• src/resources/argocd-values.yaml.tpl (3 hunks)
• src/variables-argocd.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (4)

**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for all Terraform files
In Terraform, prefer lower_snake_case for variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Run terraform fmt and do not commit formatting violations
Adhere to TFLint rules defined in .tflint.hcl; do not commit lint violations

Files:

• src/provider-helm.tf
• src/data.tf
• src/notifications.tf
• src/variables-argocd.tf
• src/remote-state.tf
• src/main.tf
• src/provider-github.tf

src/README.md

📄 CodeRabbit inference engine (AGENTS.md)

Do not manually edit src/README.md; regenerate it via atmos docs generate readme-simple

Files:

• src/README.md

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Use 2-space indentation for Markdown files

Files:

• src/README.md

src/{main,variables,outputs,providers,versions,context}.tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep Terraform component source of truth under src/ with these files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

• src/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (11)

src/remote-state.tf (1)

3-3: Downgrade to remote-state 1.5.0 — confirm compatibility and sync docs.

Verify no outputs/behaviors used here changed between 1.8.0 → 1.5.0, and regenerate README to reflect versions.

Also applies to: 12-12, 23-23, 35-35

.gitignore (1)

79-80: LGTM — ignore for account-map.

Benign and helps avoid committing local scaffolding.

src/resources/argocd-values.yaml.tpl (2)

15-19: Enabling ServiceMonitors requires CRDs.

Confirm Prometheus Operator CRDs are present; otherwise Helm apply will fail on unknown resource kinds.

Also applies to: 22-26, 152-156

---

96-110: Confirmed: field depends on config format — githubAppPrivateKeySecret is valid in argocd-cm; repo Secrets/credentialTemplates use githubAppPrivateKey

Verified: legacy argocd-cm repository entries accept githubAppPrivateKeySecret (object with name/key). The modern/recommended repository Secret / credentialTemplates expect githubAppPrivateKey as a Secret key (together with githubAppID and githubAppInstallationID). Keep your current snippet if you intend the argocd-cm (legacy) format; otherwise switch to repo Secret / credentialTemplates and use githubAppPrivateKey (ensure secret name/key match).

src/main.tf (3)

8-8: LGTM! New GitHub deploy keys toggle added correctly.

The local variable properly derives from the enabled state and input variable following established patterns.

---

176-178: LGTM! GitHub App configuration variables passed to template.

The new variables github_app_id, github_app_installation_id, and github_deploy_keys_enabled are correctly passed to the Helm template for ArgoCD configuration.

---

11-13: Approve: deploy-key gating and conditional clone URL are correct.

The aws_ssm_parameter data source github_deploy_key is conditionally created in src/data.tf (lines 28–31) via for_each = local.github_deploy_keys_enabled ? var.argocd_repositories : {}, so the lookup is only instantiated when deploy keys are enabled; the main.tf conditional can remain as-is.

src/provider-github.tf (4)

42-44: LGTM! Provider configuration properly gated by webhook creation.

The GitHub provider is now conditionally configured only when webhooks need to be created. The null values when local.create_github_webhook is false will effectively disable the provider, which is the intended behavior.

Based on the web search results, I can see that Terraform assumes an empty default configuration for any provider that is not explicitly configured, and (If the provider has any required configuration arguments, Terraform will raise an error when resources default to the empty configuration.). However, the GitHub provider in this code is being conditionally configured with null values when `local.create_github_webhook` is false, which should work properly as long as no GitHub resources are being created when the provider is "disabled".

---

46-53: LGTM! GitHub App authentication properly configured.

The dynamic app_auth block correctly configures GitHub App authentication when both webhook creation and GitHub App are enabled. The conditional logic ensures the block is only included when appropriate.

---

28-28: Approve — gating logic is correct and complementary. The PAT data source is gated with local.create_github_webhook && !var.github_app_enabled and the App private key with local.create_github_webhook && var.github_app_enabled — consistent; no change required.

---

21-24: local.create_github_webhook is defined — no action required.
Defined in src/github_webhook.tf:7 (create_github_webhook = local.github_webhook_enabled && var.create_github_webhook); variable declared at src/github_webhook.tf:22.

[milldr]

/terratest

[milldr]

/terratest

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/resources/argocd-values.yaml.tpl (2)

131-149: Duplicate rbacConfig.policy.default — later value overrides the variable.

Line 148 sets role:readonly and will override policy.default: ${rbac_default_policy}. Remove the duplicate or guard it behind a conditional.

   rbacConfig:
     policy.default: ${rbac_default_policy}
@@
-%{ if saml_enabled == true ~}
-    scopes: '${saml_rbac_scopes}'
-%{ endif ~}
-
-    policy.default: role:readonly
+%{ if saml_enabled == true ~}
+    scopes: '${saml_rbac_scopes}'
+%{ endif ~}

---

141-146: Emit only one scopes key (choose OIDC or SAML).

If both flags are true the template renders two scopes keys and the latter wins — use an else/elif or precompute a single rbac_scopes variable.

File: src/resources/argocd-values.yaml.tpl Lines: 141-146

-%{ if oidc_enabled == true ~}
-    scopes: '${oidc_rbac_scopes}'
-%{ endif ~}
-%{ if saml_enabled == true ~}
-    scopes: '${saml_rbac_scopes}'
-%{ endif ~}
+%{ if oidc_enabled == true ~}
+    scopes: '${oidc_rbac_scopes}'
+%{ else ~}
+%{   if saml_enabled == true ~}
+    scopes: '${saml_rbac_scopes}'
+%{   endif ~}
+%{ endif ~}

🧹 Nitpick comments (3)

src/resources/argocd-values.yaml.tpl (3)

15-18: Metrics + ServiceMonitor enabled for controller/server/repoServer — looks good; verify Prometheus setup.

Confirm the cluster has the ServiceMonitor CRD installed and that your Prometheus operator is selecting these ServiceMonitors (label selectors/namespace). Optionally expose additional fields (additionalLabels, scrapeInterval) via variables for flexibility.

Also applies to: 22-25, 152-155

---

96-110: GitHub App vs deploy‑keys switch: align types/fields and secrets; quote IDs.

Looks correct. Please:

• Ensure your Argo CD/chart version supports githubAppID/githubAppInstallationID/githubAppPrivateKeySecret in repository entries.
• Quote numeric IDs to avoid YAML/typing surprises.
• Verify repo URLs switch to SSH when deploy keys are enabled and HTTPS otherwise.
• Ensure the secret argocd-repo-creds-${name} exists with key githubAppPrivateKey (and sshPrivateKey for the SSH path).

Suggested tweak:

-        githubAppID: ${github_app_id}
-        githubAppInstallationID: ${github_app_installation_id}
+        githubAppID: "${github_app_id}"
+        githubAppInstallationID: "${github_app_installation_id}"

---

157-159: Consider enabling ApplicationSet metrics/ServiceMonitor for parity.

Optional, but keeps metrics consistent across Argo CD components.

 applicationSet:
   replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 517dec3 and 6d8ae17.

📒 Files selected for processing (2)

• src/resources/argocd-values.yaml.tpl (3 hunks)
• src/variables-argocd.tf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/variables-argocd.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

[milldr]

/terratest

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/resources/argocd-values.yaml.tpl (1)

89-99: Emit numeric GitHub App IDs; ensure HTTPS URLs and optionally add GHE support

• Change src/resources/argocd-values.yaml.tpl to emit numeric IDs (remove quotes):

-        githubAppID: "${github_app_id}"
-        githubAppInstallationID: "${github_app_installation_id}"
+        githubAppID: ${github_app_id}
+        githubAppInstallationID: ${github_app_installation_id}
+%{ if github_app_enterprise_base_url != "" ~}
+        githubAppEnterpriseBaseUrl: ${github_app_enterprise_base_url}
+%{ endif ~}

• Verified: src/main.tf selects repository_http_clone_url when github_deploy_keys_enabled == false (so the template should receive an HTTP/HTTPS clone URL). Confirm those HTTP clone URLs are HTTPS (not SSH-style git@ URLs).
• github_app_enterprise_base_url is not present in the repo; add the variable (e.g. src/variables-argocd.tf) and pass it through if you need GitHub Enterprise support.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d8ae17 and 81d99d9.

📒 Files selected for processing (1)

• src/resources/argocd-values.yaml.tpl (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (1)

src/resources/argocd-values.yaml.tpl (1)

133-137: Scopes selection logic is OK; confirm desired behavior when both OIDC and SAML are disabled.

Current flow emits OIDC scopes if enabled; otherwise emits SAML scopes if enabled; otherwise emits no scopes. Verify that “no scopes” is acceptable in your environment.

[milldr]

/terratest

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/resources/argocd-values.yaml.tpl (2)

86-101: Heads‑up: repositories in argocd-cm are legacy; plan migration to Secret-based registration.

Argo CD still honors argocd-cm.data.repositories, but it’s deprecated in favor of repository Secrets labeled argocd.argoproj.io/secret-type: repository. Consider a roadmap to migrate. (argo-cd.readthedocs.io)

---

86-101: Add optional GitHub Enterprise base URL; wiring & URL-scheme verified

• Verified: src/main.tf selects SSH vs HTTPS via local.github_deploy_keys_enabled (uses repository_ssh_clone_url vs repository_http_clone_url). github_app_id and github_app_installation_id are defined as strings (src/provider-github.tf) and passed into the module (src/main.tf). SSM-sourced private key is wired into Argocd credentialTemplates (src/provider-github.tf, src/main.tf).
• Action: Add a string variable github_app_enterprise_base_url (default ""), expose/pass it through in src/main.tf to the ArgoCD module, and apply the suggested template diff to emit githubAppEnterpriseBaseUrl when set.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81d99d9 and 91ccc67.

📒 Files selected for processing (1)

• src/resources/argocd-values.yaml.tpl (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (2)

src/resources/argocd-values.yaml.tpl (2)

131-137: Scopes branching reads clean; confirm precedence when both OIDC and SAML are true.

This now prioritizes OIDC; SAML scopes render only if OIDC is disabled. If that’s the intended precedence, no change needed.

---

121-122: Duplicate policy.default resolved — variable-driven default retained.

Thanks for removing the hard-coded override noted previously; only ${rbac_default_policy} remains.

[Benbentwo]

Do we also need to update the variables to make sure that they're of type number now?

[milldr]

/terratest

[milldr]

/terratest

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (5)

src/provider-github.tf (3)

14-18: Mark token override as sensitive

Prevents accidental logging of secrets.

Apply:

 variable "github_token_override" {
   type        = string
   description = "Use the value of this variable as the GitHub token instead of reading it from SSM"
   default     = null
+  sensitive   = true
 }

---

1-5: Add validation for GitHub Enterprise base_url trailing slash

Avoid subtle provider misconfig due to missing “/”.

Apply:

 variable "github_base_url" {
   type        = string
   description = "This is the target GitHub base API endpoint. Providing a value is a requirement when working with GitHub Enterprise. It is optional to provide this value and it can also be sourced from the `GITHUB_BASE_URL` environment variable. The value must end with a slash, for example: `https://terraformtesting-ghe.westus.cloudapp.azure.com/`"
   default     = null
+  validation {
+    condition     = var.github_base_url == null || can(regex("/$", var.github_base_url))
+    error_message = "github_base_url must end with a trailing slash, e.g. https://ghe.example.com/ ."
+  }
 }

---

20-25: Add validation to ensure App fields are provided when enabled

Fail fast if github_app_enabled is true but IDs/key are missing.

Apply (two validations; adjust if you colocate elsewhere):

 variable "github_app_enabled" {
   type        = bool
   description = "Whether to use GitHub App authentication instead of PAT"
   default     = false
 }
 
 variable "github_app_id" {
-  type        = number
+  type        = string
   description = "The ID of the GitHub App to use for authentication"
   default     = null
 }
 
 variable "github_app_installation_id" {
-  type        = number
+  type        = string
   description = "The Installation ID of the GitHub App to use for authentication"
   default     = null
 }
 
+validation {
+  condition     = !var.github_app_enabled || (var.github_app_id != null && var.github_app_installation_id != null)
+  error_message = "When github_app_enabled is true, github_app_id and github_app_installation_id must be set."
+}

Also applies to: 27-37

src/variables-argocd-notifications.tf (2)

7-12: Add validations for notifications App configuration

Ensure required fields when github_notifications_app_enabled is true.

Apply:

 variable "github_notifications_app_enabled" {
   type        = bool
   description = "Whether to use GitHub App authentication for notifications instead of PAT"
   default     = false
 }
 
 variable "github_notifications_app_id" {
-  type        = number
+  type        = string
   description = "The ID of the GitHub App to use for notifications authentication"
   default     = null
 }
 
 variable "github_notifications_app_installation_id" {
-  type        = number
+  type        = string
   description = "The Installation ID of the GitHub App to use for notifications authentication"
   default     = null
 }
 
+validation {
+  condition     = !var.github_notifications_app_enabled || (var.github_notifications_app_id != null && var.github_notifications_app_installation_id != null)
+  error_message = "When github_notifications_app_enabled is true, both github_notifications_app_id and github_notifications_app_installation_id must be set."
+}

Also applies to: 14-30

---

104-108: Nit: fix dangling backtick in description

Minor doc polish.

Apply:

 variable "slack_notifications_enabled" {
   type        = bool
   default     = false
-  description = "Whether or not to enable Slack notifications. See `var.slack_notifications."
+  description = "Whether or not to enable Slack notifications. See `var.slack_notifications`."
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dd9a1aa and ba56b45.

📒 Files selected for processing (3)

• src/provider-github.tf (1 hunks)
• src/resources/argocd-values.yaml.tpl (2 hunks)
• src/variables-argocd-notifications.tf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/resources/argocd-values.yaml.tpl

🧰 Additional context used

📓 Path-based instructions (1)

**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for all Terraform files
In Terraform, prefer lower_snake_case for variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Run terraform fmt and do not commit formatting violations
Adhere to TFLint rules defined in .tflint.hcl; do not commit lint violations

Files:

• src/variables-argocd-notifications.tf
• src/provider-github.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (1)

src/provider-github.tf (1)

69-76: No change required — app_auth.id and app_auth.installation_id accept strings
The integrations/github provider treats both fields as strings, so keep your variables as string values and don’t apply tonumber() here.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/resources/argocd-values.yaml.tpl (1)

89-99: GitHub App vs Deploy Keys — supported, but add a guard & ensure repo secrets exist

• Confirmed: Argo CD supports credential‑template secret refs (sshPrivateKeySecret, githubAppPrivateKeySecret) and GitHub App fields (githubAppID, githubAppInstallationID); secret-vs-secretref naming differences are documented and both patterns are supported.
• Confirmed: application_repos already emits SSH when deploy keys are enabled and HTTPS otherwise (src/main.tf lines ~9–13).
• Missing artifact: I didn't find creation of argocd-repo-creds-${name} Secrets in this repo — ensure those Secrets are created/managed (module.argocd_repo or external) or switch to repository Secrets if preferred.
• Action: add a guard so the template won't call tonumber(null) / render invalid YAML when GitHub App IDs are unset — the suggested diff is still valid:

-%{ else ~}
-        githubAppID: ${tonumber(github_app_id)}
-        githubAppInstallationID: ${tonumber(github_app_installation_id)}
-        githubAppPrivateKeySecret:
-          name: argocd-repo-creds-${name}
-          key: githubAppPrivateKey
+%{ else ~}
+%{   if can(tonumber(github_app_id)) && can(tonumber(github_app_installation_id)) ~}
+        githubAppID: ${tonumber(github_app_id)}
+        githubAppInstallationID: ${tonumber(github_app_installation_id)}
+        githubAppPrivateKeySecret:
+          name: argocd-repo-creds-${name}
+          key: githubAppPrivateKey
+%{   else ~}
+        # GitHub App selected but IDs not provided; skipping credentials to avoid bad config
+%{   endif ~}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba56b45 and 6d7fea9.

📒 Files selected for processing (1)

• src/resources/argocd-values.yaml.tpl (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (2)

src/resources/argocd-values.yaml.tpl (2)

131-137: Mutually exclusive OIDC/SAML scopes — LGTM

This ensures only one scopes key is emitted and avoids conflicting entries.

If both oidc_enabled and saml_enabled can be true in some envs, confirm OIDC precedence is intended. If neither is enabled, omission of scopes is acceptable for your setup.

---

121-123: Duplicate policy.default removal — resolved

Previous hard-coded override was removed; the variable-driven value now wins.

[milldr]

/terratest

[github-actions]

These changes were released in v2.2.0.