From d3de577cbd5fba1d24bff0cd7a6ca766f3d5c96a Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 19 Sep 2025 12:44:54 -0400 Subject: [PATCH 1/9] Deploy keys optional --- .gitignore | 1 + src/CHANGELOG.md | 8 +-- src/README.md | 78 ++++++++++------------- src/data.tf | 2 +- src/main.tf | 92 ++++++++++++++++------------ src/notifications.tf | 6 +- src/provider-github.tf | 37 +++-------- src/provider-helm.tf | 3 +- src/remote-state.tf | 8 +-- src/resources/argocd-values.yaml.tpl | 24 +++++++- src/variables-argocd.tf | 34 ++++++++++ 11 files changed, 161 insertions(+), 132 deletions(-) diff --git a/.gitignore b/.gitignore index edeabaf..7c91e9c 100644 --- a/.gitignore +++ b/.gitignore @@ -76,3 +76,4 @@ github/ *.ovpn *.zip +account-map/ diff --git a/src/CHANGELOG.md b/src/CHANGELOG.md index e3d9419..4f5ce4d 100644 --- a/src/CHANGELOG.md +++ b/src/CHANGELOG.md @@ -1,9 +1,3 @@ -## `aws-eks-argocd` Component PR [#16](https://github.com/cloudposse-terraform-components/aws-eks-argocd/pull/16) - -Corrected the spelling of "succeded" to "succeeded" in the `on-deploy-succeded` notification. As a result, the `argocd-repo` component will need to be updated to correct the same spelling in the Argo CD desired state repository application set. - -See the [PR for argocd-repo](https://github.com/cloudposse-terraform-components/aws-argocd-github-repo/pull/17) - ## Components PR [#905](https://github.com/cloudposse/terraform-aws-components/pull/905) The `notifications.tf` file has been renamed to `notifications.tf`. Delete `notifications.tf` after vendoring these @@ -84,7 +78,7 @@ chamber write argocd/github api_key ${PAT} - `on-deploy-started` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - - `on-deploy-succeded` + - `on-deploy-succeeded` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - `on-deploy-failed` diff --git a/src/README.md b/src/README.md index 0d1160c..2c5a0cd 100644 --- a/src/README.md +++ b/src/README.md 
@@ -6,16 +6,14 @@ tags: - provider/helm --- -# Component: `eks-argocd` +# Component: `eks/argocd` -This component provisions [Argo CD](https://argoproj.github.io/cd/), a declarative GitOps continuous delivery tool for Kubernetes. +This component is responsible for provisioning [Argo CD](https://argoproj.github.io/cd/). -Note: Argo CD CRDs must be installed separately from this component/Helm release. -## Usage - -### Install Argo CD CRDs +Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. -Install the Argo CD CRDs prior to deploying this component: +> :warning::warning::warning: ArgoCD CRDs must be installed separately from this component/helm release. +> :warning::warning::warning: ```shell kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=" @@ -24,7 +22,9 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref= - - - - + ## Requirements | Name | Version | 
@@ -487,14 +484,14 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec |------|--------|---------| | [argocd](#module\_argocd) | cloudposse/helm-release/aws | 0.10.1 | | [argocd\_apps](#module\_argocd\_apps) | cloudposse/helm-release/aws | 0.10.1 | -| [argocd\_repo](#module\_argocd\_repo) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | -| [dns\_gbl\_delegated](#module\_dns\_gbl\_delegated) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | +| [argocd\_repo](#module\_argocd\_repo) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [dns\_gbl\_delegated](#module\_dns\_gbl\_delegated) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | | [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | | [iam\_roles\_config\_secrets](#module\_iam\_roles\_config\_secrets) | ../../account-map/modules/iam-roles | n/a | | [notifications\_notifiers](#module\_notifications\_notifiers) | cloudposse/config/yaml//modules/deepmerge | 1.0.2 | | [notifications\_templates](#module\_notifications\_templates) | cloudposse/config/yaml//modules/deepmerge | 1.0.2 | -| [saml\_sso\_providers](#module\_saml\_sso\_providers) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | +| [saml\_sso\_providers](#module\_saml\_sso\_providers) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources 
@@ -554,11 +551,12 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [forecastle\_enabled](#input\_forecastle\_enabled) | Toggles Forecastle integration in the deployed chart | `bool` | `false` | no | -| [github\_app\_enabled](#input\_github\_app\_enabled) | Whether to use GitHub App authentication instead of PAT | `bool` | `false` | no | -| [github\_app\_id](#input\_github\_app\_id) | The ID of the GitHub App to use for authentication | `string` | `null` | no | -| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | The Installation ID of the GitHub App to use for authentication | `string` | `null` | no | +| [github\_app\_enabled](#input\_github\_app\_enabled) | Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`) | `bool` | `false` | no | +| [github\_app\_id](#input\_github\_app\_id) | The ID of the GitHub App to use for Argo CD repository authentication | `string` | `null` | no | +| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | The Installation ID of the GitHub App to use for Argo CD repository authentication | `string` | `null` | no | | [github\_base\_url](#input\_github\_base\_url) | This is the target GitHub base API endpoint. Providing a value is a requirement when working with GitHub Enterprise. It is optional to provide this value and it can also be sourced from the `GITHUB_BASE_URL` environment variable. 
The value must end with a slash, for example: `https://terraformtesting-ghe.westus.cloudapp.azure.com/` | `string` | `null` | no | | [github\_default\_notifications\_enabled](#input\_github\_default\_notifications\_enabled) | Enable default GitHub commit statuses notifications (required for CD sync mode) | `bool` | `true` | no | +| [github\_deploy\_keys\_enabled](#input\_github\_deploy\_keys\_enabled) | Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing.

Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`. | `bool` | `true` | no | | [github\_notifications\_app\_enabled](#input\_github\_notifications\_app\_enabled) | Whether to use GitHub App authentication for notifications instead of PAT | `bool` | `false` | no | | [github\_notifications\_app\_id](#input\_github\_notifications\_app\_id) | The ID of the GitHub App to use for notifications authentication | `string` | `null` | no | | [github\_notifications\_app\_installation\_id](#input\_github\_notifications\_app\_installation\_id) | The Installation ID of the GitHub App to use for notifications authentication | `string` | `null` | no | @@ -605,7 +603,7 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | [slack\_notifications](#input\_slack\_notifications) | ArgoCD Slack notification configuration. Requires Slack Bot created with token stored at the given SSM Parameter path.

See: https://argocd-notifications.readthedocs.io/en/stable/services/slack/ |
object({
token_ssm_path = optional(string, "/argocd/notifications/notifiers/slack/token")
api_url = optional(string, null)
username = optional(string, "ArgoCD")
icon = optional(string, null)
})
| `{}` | no | | [slack\_notifications\_enabled](#input\_slack\_notifications\_enabled) | Whether or not to enable Slack notifications. See `var.slack_notifications.` | `bool` | `false` | no | | [ssm\_github\_api\_key](#input\_ssm\_github\_api\_key) | SSM path to the GitHub API key | `string` | `"/argocd/github/api_key"` | no | -| [ssm\_github\_app\_private\_key](#input\_ssm\_github\_app\_private\_key) | SSM path to the GitHub App private key | `string` | `"/argocd/github/app_private_key"` | no | +| [ssm\_github\_app\_private\_key](#input\_ssm\_github\_app\_private\_key) | SSM path to the GitHub App private key for Argo CD repository authentication | `string` | `"/argocd/github/app_private_key"` | no | | [ssm\_github\_notifications\_app\_private\_key](#input\_ssm\_github\_notifications\_app\_private\_key) | SSM path to the GitHub App private key for notifications | `string` | `"/argocd/github_notifications/app_private_key"` | no | | [ssm\_oidc\_client\_id](#input\_ssm\_oidc\_client\_id) | The SSM Parameter Store path for the ID of the IdP client | `string` | `"/argocd/oidc/client_id"` | no | | [ssm\_oidc\_client\_secret](#input\_ssm\_oidc\_client\_secret) | The SSM Parameter Store path for the secret of the IdP client | `string` | `"/argocd/oidc/client_secret"` | no | 
@@ -623,23 +621,13 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | Name | Description | |------|-------------| | [github\_webhook\_value](#output\_github\_webhook\_value) | The value of the GitHub webhook secret used for ArgoCD | - - - + + ## References +- [Argo CD](https://argoproj.github.io/cd/) +- [Argo CD Docs](https://argo-cd.readthedocs.io/en/stable/) +- [Argo Helm Chart](https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/) -- [Argo CD](https://argoproj.github.io/cd/) - - -- [Argo CD Docs](https://argo-cd.readthedocs.io/en/stable/) - - -- [Argo Helm Chart](https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/) - - -- [Argo CD error "server.secretkey is missing"](https://stackoverflow.com/questions/75046330/argo-cd-error-server-secretkey-is-missing) - - - - - -[](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-eks-argocd&utm_content=) - +[](https://cpco.io/component) diff --git a/src/data.tf b/src/data.tf index 212c20e..cc1d2c0 100644 --- a/src/data.tf +++ b/src/data.tf @@ -26,7 +26,7 @@ data "aws_ssm_parameter" "oidc_client_secret" { } data "aws_ssm_parameter" "github_deploy_key" { - for_each = local.enabled ? var.argocd_repositories : {} + for_each = local.github_deploy_keys_enabled ? var.argocd_repositories : {} name = local.enabled ? format( module.argocd_repo[each.key].outputs.deploy_keys_ssm_path_format, diff --git a/src/main.tf b/src/main.tf index 8ffc578..2d05857 100644 --- a/src/main.tf +++ b/src/main.tf 
@@ -1,41 +1,50 @@ locals { enabled = module.this.enabled - kubernetes_namespace = var.kubernetes_namespace - oidc_enabled = local.enabled && var.oidc_enabled - oidc_enabled_count = local.oidc_enabled ? 1 : 0 - saml_enabled = local.enabled && var.saml_enabled + kubernetes_namespace = var.kubernetes_namespace + oidc_enabled = local.enabled && var.oidc_enabled + oidc_enabled_count = local.oidc_enabled ? 1 : 0 + saml_enabled = local.enabled && var.saml_enabled + github_deploy_keys_enabled = local.enabled && var.github_deploy_keys_enabled argocd_repositories = local.enabled ? { for k, v in var.argocd_repositories : replace(k, "/", "-") => { - clone_url = module.argocd_repo[k].outputs.repository_ssh_clone_url - github_deploy_key = data.aws_ssm_parameter.github_deploy_key[k].value + # If using deploy keys, use the SSH clone URL. Otherwise, use the HTTP clone URL. + clone_url = local.github_deploy_keys_enabled ? module.argocd_repo[k].outputs.repository_ssh_clone_url : module.argocd_repo[k].outputs.repository_http_clone_url + github_deploy_key = local.github_deploy_keys_enabled ? data.aws_ssm_parameter.github_deploy_key[k].value : "" repository = module.argocd_repo[k].outputs.repository } } : {} - credential_templates = flatten(concat([ - for k, v in local.argocd_repositories : [ - { + credential_templates = flatten(concat( + [ + for k, v in local.argocd_repositories : { name = "configs.credentialTemplates.${k}.url" value = v.clone_url type = "string" - }, - { + } + ], + local.github_deploy_keys_enabled ? [ + for k, v in local.argocd_repositories : { name = "configs.credentialTemplates.${k}.sshPrivateKey" value = nonsensitive(v.github_deploy_key) type = "string" - }, - ] + } + ] : [ + # If we're using GitHub App authentication, we need to add the GitHub App private key as a secret. 
+ # It will be used by all desired state repositories + for k, v in local.argocd_repositories : { + name = "configs.credentialTemplates.${k}.githubAppPrivateKey" + value = nonsensitive(data.aws_ssm_parameter.github_app_private_key[0].value) + type = "string" + } ], [ for s, v in local.notifications_notifiers_ssm_configs : [ - for k, i in v : [ - { - name = "notifications.secret.items.${s}_${k}" - value = i - type = "string" - } - ] + for k, i in v : { + name = "notifications.secret.items.${s}_${k}" + value = i + type = "string" + } ] ], local.github_webhook_enabled ? [ 
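Review bot: In the `credential_templates` local, the GitHub App branch is chosen whenever `local.github_deploy_keys_enabled` is false, but nothing in the new code requires `var.github_app_enabled`, `var.github_app_id` or `var.github_app_installation_id` to be set, and `data.aws_ssm_parameter.github_app_private_key[0]` is indexed although that data source's `count` is defined outside this hunk (in `src/provider-github.tf`). With deploy keys disabled and the App inputs left at their `null` defaults, the plan would most likely fail on the missing index or while rendering the `%{ else ~}` branch of `argocd-values.yaml.tpl`; the same gap applies to the `templatefile` arguments hunk and to the new variables in `src/variables-argocd.tf`. A guard such as `condition = var.github_deploy_keys_enabled || (var.github_app_id != null && var.github_app_installation_id != null)` in a `validation` or `precondition` block would turn this into a clear error. Separately, `nonsensitive(...)` strips the sensitive mark from the App private key; how `credential_templates` is consumed is not visible here, so confirm it reaches the Helm release only through a sensitive input and never through a plain `set`. The `locals` block continues past the end of this hunk.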
@@ -154,26 +163,29 @@ module "argocd" { templatefile( "${path.module}/resources/argocd-values.yaml.tpl", { - admin_enabled = var.admin_enabled - anonymous_enabled = var.anonymous_enabled - alb_group_name = var.alb_group_name == null ? "" : var.alb_group_name - alb_logs_bucket = var.alb_logs_bucket - alb_logs_prefix = var.alb_logs_prefix - alb_name = var.alb_name == null ? "" : var.alb_name - application_repos = { for k, v in local.argocd_repositories : k => v.clone_url } - argocd_host = local.host - cert_issuer = var.certificate_issuer - forecastle_enabled = var.forecastle_enabled - ingress_host = local.host - name = module.this.name - oidc_enabled = local.oidc_enabled - oidc_rbac_scopes = var.oidc_rbac_scopes - saml_enabled = local.saml_enabled - saml_rbac_scopes = var.saml_rbac_scopes - service_type = var.service_type - rbac_default_policy = var.argocd_rbac_default_policy - rbac_policies = var.argocd_rbac_policies - rbac_groups = var.argocd_rbac_groups + admin_enabled = var.admin_enabled + alb_group_name = var.alb_group_name == null ? "" : var.alb_group_name + alb_logs_bucket = var.alb_logs_bucket + alb_logs_prefix = var.alb_logs_prefix + alb_name = var.alb_name == null ? 
"" : var.alb_name + anonymous_enabled = var.anonymous_enabled + application_repos = { for k, v in local.argocd_repositories : k => v.clone_url } + argocd_host = local.host + cert_issuer = var.certificate_issuer + forecastle_enabled = var.forecastle_enabled + github_app_id = var.github_app_id + github_app_installation_id = var.github_app_installation_id + github_deploy_keys_enabled = local.github_deploy_keys_enabled + ingress_host = local.host + name = module.this.name + oidc_enabled = local.oidc_enabled + oidc_rbac_scopes = var.oidc_rbac_scopes + rbac_default_policy = var.argocd_rbac_default_policy + rbac_groups = var.argocd_rbac_groups + rbac_policies = var.argocd_rbac_policies + saml_enabled = local.saml_enabled + saml_rbac_scopes = var.saml_rbac_scopes + service_type = var.service_type } ), # argocd-notifications specific settings diff --git a/src/notifications.tf b/src/notifications.tf index e02fcdd..51c43dc 100644 --- a/src/notifications.tf +++ b/src/notifications.tf @@ -219,14 +219,14 @@ locals { if key != "ssm_path_prefix" && key != "webhook" }, { - for key, value in try(local.notifications_notifiers.webhook, {}) : + for key, value in coalesce(local.notifications_notifiers.webhook, {}) : format("webhook_%s", key) => { for param_name, param_value in value : param_name => param_value if param_value != null } } ) ## Get paths to read configs for each notifier service - notifications_notifiers_ssm_path = local.enabled ? merge( + notifications_notifiers_ssm_path = merge( { for key, value in local.notifications_notifiers_variables : key => format("%s/%s/", local.notifications_notifiers.ssm_path_prefix, key) @@ -234,7 +234,7 @@ locals { { common = format("%s/common/", local.notifications_notifiers.ssm_path_prefix) }, - ) : {} + ) ## Read SSM secrets into object for each notifier service notifications_notifiers_ssm_configs = { diff --git a/src/provider-github.tf b/src/provider-github.tf index 7804647..ee0e554 100644 --- a/src/provider-github.tf 
+++ b/src/provider-github.tf @@ -17,38 +17,15 @@ variable "github_token_override" { default = null } -# GitHub App Authentication Variables -variable "github_app_enabled" { - type = bool - description = "Whether to use GitHub App authentication instead of PAT" - default = false -} - -variable "github_app_id" { - type = string - description = "The ID of the GitHub App to use for authentication" - default = null -} - -variable "github_app_installation_id" { - type = string - description = "The Installation ID of the GitHub App to use for authentication" - default = null -} - -variable "ssm_github_app_private_key" { - type = string - description = "SSM path to the GitHub App private key" - default = "/argocd/github/app_private_key" -} - locals { - github_token = var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null)) + github_token = local.create_github_webhook ? ( + var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null)) + ) : "" } # SSM Parameter for PAT Authentication data "aws_ssm_parameter" "github_api_key" { - count = !var.github_app_enabled ? 1 : 0 + count = local.create_github_webhook && !var.github_app_enabled ? 1 : 0 name = var.ssm_github_api_key with_decryption = true } @@ -62,9 +39,9 @@ data "aws_ssm_parameter" "github_app_private_key" { # We will only need the github provider if we are creating the GitHub webhook with github_repository_webhook. provider "github" { - base_url = var.github_base_url - owner = var.github_organization - token = local.github_token + base_url = local.create_github_webhook ? var.github_base_url : null + owner = local.create_github_webhook ? var.github_organization : null + token = local.create_github_webhook ? local.github_token : null dynamic "app_auth" { for_each = local.create_github_webhook && var.github_app_enabled ? [1] : [] 
diff --git a/src/provider-helm.tf b/src/provider-helm.tf index ee1aaa6..91cc7f6 100644 --- a/src/provider-helm.tf +++ b/src/provider-helm.tf @@ -133,8 +133,9 @@ locals { "--profile", var.kube_exec_auth_aws_profile ] : [] + kube_exec_auth_role_arn = coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn) exec_role = local.kube_exec_auth_enabled && var.kube_exec_auth_role_arn_enabled ? [ - "--role-arn", coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn) + "--role-arn", local.kube_exec_auth_role_arn ] : [] # Provide dummy configuration for the case where the EKS cluster is not available. diff --git a/src/remote-state.tf b/src/remote-state.tf index 301edd8..c63f357 100644 --- a/src/remote-state.tf +++ b/src/remote-state.tf @@ -1,6 +1,6 @@ module "eks" { source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.8.0" + version = "1.5.0" component = var.eks_component_name @@ -9,7 +9,7 @@ module "eks" { module "dns_gbl_delegated" { source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.8.0" + version = "1.5.0" environment = "gbl" component = "dns-delegated" @@ -20,7 +20,7 @@ module "dns_gbl_delegated" { module "saml_sso_providers" { for_each = local.enabled ? var.saml_sso_providers : {} source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.8.0" + version = "1.5.0" component = each.value.component environment = each.value.environment @@ -32,7 +32,7 @@ module "argocd_repo" { for_each = local.enabled ? var.argocd_repositories : {} source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.8.0" + version = "1.5.0" component = each.key environment = each.value.environment diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index 3e9d5db..1bf08bf 100644 --- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl 
@@ -12,13 +12,23 @@ dex: controller: replicas: 1 + metrics: + enabled: true + serviceMonitor: + enabled: true server: replicas: 2 + metrics: + enabled: true + serviceMonitor: + enabled: true + + ingress: enabled: true - ingressClassName: alb + ingressClassName: alb-argocd-ext annotations: cert-manager.io/cluster-issuer: ${cert_issuer} external-dns.alpha.kubernetes.io/hostname: ${ingress_host} @@ -86,9 +96,17 @@ server: repositories: | %{ for name, url in application_repos ~} - url: ${url} +%{ if github_deploy_keys_enabled == true ~} sshPrivateKeySecret: name: argocd-repo-creds-${name} key: sshPrivateKey +%{ else ~} + githubAppID: ${github_app_id} + githubAppInstallationID: ${github_app_installation_id} + githubAppPrivateKeySecret: + name: argocd-repo-creds-${name} + key: githubAppPrivateKey +%{ endif ~} %{ endfor ~} resource.customizations: | admissionregistration.k8s.io/MutatingWebhookConfiguration: @@ -131,6 +149,10 @@ server: repoServer: replicas: 2 + metrics: + enabled: true + serviceMonitor: + enabled: true applicationSet: replicas: 2 diff --git a/src/variables-argocd.tf b/src/variables-argocd.tf index 5ae2acc..393fc56 100644 --- a/src/variables-argocd.tf +++ b/src/variables-argocd.tf 
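Review bot: `serviceMonitor.enabled: true` is now hard-coded for `controller` and `server` (and for `repoServer` in the last hunk of this file), which presupposes that the Prometheus Operator `ServiceMonitor` CRD exists in every cluster this component is deployed to; where it does not, the release will probably fail to apply. The value should come from a template variable that defaults to off, for example `enabled: ${service_monitor_enabled}` with a matching entry in the `templatefile` map (the variable name is a placeholder). `ingressClassName: alb-argocd-ext` likewise looks like an environment-specific value unrelated to deploy keys; a later patch in this series changes one line of this file, so check whether that already restores `alb`.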
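Review bot: The `%{ else ~}` branch under `repositories:` renders `githubAppID`, `githubAppInstallationID` and `githubAppPrivateKeySecret` but no `githubAppEnterpriseBaseUrl`, so GitHub App syncing would presumably target github.com even when the component is configured with `github_base_url` for GitHub Enterprise. If Enterprise is meant to be supported, pass the API URL into the template and emit `githubAppEnterpriseBaseUrl: ${github_app_enterprise_base_url}` only when it is set (the variable name is a placeholder). Each `argocd-repo-creds-${name}` secret also receives a copy of the same App private key, so a rotation has to update every per-repository secret; that is worth a comment next to the branch, e.g. `# all repositories share one GitHub App key; rotate it in SSM and re-apply`.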
@@ -215,3 +215,37 @@ variable "saml_sso_providers" { default = {} description = "SAML SSO providers components" } + +variable "github_deploy_keys_enabled" { + type = bool + default = true + description = <<-EOT + Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. + + Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`. + EOT +} + +variable "github_app_enabled" { + type = bool + description = "Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`)" + default = false +} + +variable "github_app_id" { + type = string + description = "The ID of the GitHub App to use for Argo CD repository authentication" + default = null +} + +variable "github_app_installation_id" { + type = string + description = "The Installation ID of the GitHub App to use for Argo CD repository authentication" + default = null +} + +variable "ssm_github_app_private_key" { + type = string + description = "SSM path to the GitHub App private key for Argo CD repository authentication" + default = "/argocd/github/app_private_key" +} From 30801f6c73513609b46599e5030ec7eabbd775d2 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 19 Sep 2025 12:46:34 -0400 Subject: [PATCH 2/9] Deploy keys optional --- src/CHANGELOG.md | 8 ++++- src/README.md | 77 +++++++++++++++++++++++++++--------------------- 2 files changed, 51 insertions(+), 34 deletions(-) diff --git a/src/CHANGELOG.md b/src/CHANGELOG.md index 4f5ce4d..e3d9419 100644 --- a/src/CHANGELOG.md +++ b/src/CHANGELOG.md 
@@ -1,3 +1,9 @@ +## `aws-eks-argocd` Component PR [#16](https://github.com/cloudposse-terraform-components/aws-eks-argocd/pull/16) + +Corrected the spelling of "succeded" to "succeeded" in the `on-deploy-succeded` notification. As a result, the `argocd-repo` component will need to be updated to correct the same spelling in the Argo CD desired state repository application set. + +See the [PR for argocd-repo](https://github.com/cloudposse-terraform-components/aws-argocd-github-repo/pull/17) + ## Components PR [#905](https://github.com/cloudposse/terraform-aws-components/pull/905) The `notifications.tf` file has been renamed to `notifications.tf`. Delete `notifications.tf` after vendoring these @@ -78,7 +84,7 @@ chamber write argocd/github api_key ${PAT} - `on-deploy-started` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - - `on-deploy-succeeded` + - `on-deploy-succeded` - `app-repo-github-commit-status` - `argocd-repo-github-commit-status` - `on-deploy-failed` diff --git a/src/README.md b/src/README.md index 2c5a0cd..2339b8b 100644 --- a/src/README.md +++ b/src/README.md @@ -6,14 +6,16 @@ tags: - provider/helm --- -# Component: `eks/argocd` +# Component: `eks-argocd` -This component is responsible for provisioning [Argo CD](https://argoproj.github.io/cd/). +This component provisions [Argo CD](https://argoproj.github.io/cd/), a declarative GitOps continuous delivery tool for Kubernetes. -Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. +Note: Argo CD CRDs must be installed separately from this component/Helm release. +## Usage + +### Install Argo CD CRDs -> :warning::warning::warning: ArgoCD CRDs must be installed separately from this component/helm release. -> :warning::warning::warning: +Install the Argo CD CRDs prior to deploying this component: ```shell kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=" 
@@ -22,9 +24,7 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref= - + + + + ## Requirements | Name | Version | @@ -484,14 +487,14 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec |------|--------|---------| | [argocd](#module\_argocd) | cloudposse/helm-release/aws | 0.10.1 | | [argocd\_apps](#module\_argocd\_apps) | cloudposse/helm-release/aws | 0.10.1 | -| [argocd\_repo](#module\_argocd\_repo) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [dns\_gbl\_delegated](#module\_dns\_gbl\_delegated) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [argocd\_repo](#module\_argocd\_repo) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | +| [dns\_gbl\_delegated](#module\_dns\_gbl\_delegated) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | | [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | | [iam\_roles\_config\_secrets](#module\_iam\_roles\_config\_secrets) | ../../account-map/modules/iam-roles | n/a | | [notifications\_notifiers](#module\_notifications\_notifiers) | cloudposse/config/yaml//modules/deepmerge | 1.0.2 | | [notifications\_templates](#module\_notifications\_templates) | cloudposse/config/yaml//modules/deepmerge | 1.0.2 | -| [saml\_sso\_providers](#module\_saml\_sso\_providers) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [saml\_sso\_providers](#module\_saml\_sso\_providers) | cloudposse/stack-config/yaml//modules/remote-state | 1.8.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources 
@@ -551,12 +554,11 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [forecastle\_enabled](#input\_forecastle\_enabled) | Toggles Forecastle integration in the deployed chart | `bool` | `false` | no | -| [github\_app\_enabled](#input\_github\_app\_enabled) | Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`) | `bool` | `false` | no | -| [github\_app\_id](#input\_github\_app\_id) | The ID of the GitHub App to use for Argo CD repository authentication | `string` | `null` | no | -| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | The Installation ID of the GitHub App to use for Argo CD repository authentication | `string` | `null` | no | +| [github\_app\_enabled](#input\_github\_app\_enabled) | Whether to use GitHub App authentication instead of PAT | `bool` | `false` | no | +| [github\_app\_id](#input\_github\_app\_id) | The ID of the GitHub App to use for authentication | `string` | `null` | no | +| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | The Installation ID of the GitHub App to use for authentication | `string` | `null` | no | | [github\_base\_url](#input\_github\_base\_url) | This is the target GitHub base API endpoint. Providing a value is a requirement when working with GitHub Enterprise. It is optional to provide this value and it can also be sourced from the `GITHUB_BASE_URL` environment variable. 
The value must end with a slash, for example: `https://terraformtesting-ghe.westus.cloudapp.azure.com/` | `string` | `null` | no | | [github\_default\_notifications\_enabled](#input\_github\_default\_notifications\_enabled) | Enable default GitHub commit statuses notifications (required for CD sync mode) | `bool` | `true` | no | -| [github\_deploy\_keys\_enabled](#input\_github\_deploy\_keys\_enabled) | Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing.

Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`. | `bool` | `true` | no | | [github\_notifications\_app\_enabled](#input\_github\_notifications\_app\_enabled) | Whether to use GitHub App authentication for notifications instead of PAT | `bool` | `false` | no | | [github\_notifications\_app\_id](#input\_github\_notifications\_app\_id) | The ID of the GitHub App to use for notifications authentication | `string` | `null` | no | | [github\_notifications\_app\_installation\_id](#input\_github\_notifications\_app\_installation\_id) | The Installation ID of the GitHub App to use for notifications authentication | `string` | `null` | no | @@ -603,7 +605,7 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | [slack\_notifications](#input\_slack\_notifications) | ArgoCD Slack notification configuration. Requires Slack Bot created with token stored at the given SSM Parameter path.

See: https://argocd-notifications.readthedocs.io/en/stable/services/slack/ |
object({
token_ssm_path = optional(string, "/argocd/notifications/notifiers/slack/token")
api_url = optional(string, null)
username = optional(string, "ArgoCD")
icon = optional(string, null)
})
| `{}` | no | | [slack\_notifications\_enabled](#input\_slack\_notifications\_enabled) | Whether or not to enable Slack notifications. See `var.slack_notifications.` | `bool` | `false` | no | | [ssm\_github\_api\_key](#input\_ssm\_github\_api\_key) | SSM path to the GitHub API key | `string` | `"/argocd/github/api_key"` | no | -| [ssm\_github\_app\_private\_key](#input\_ssm\_github\_app\_private\_key) | SSM path to the GitHub App private key for Argo CD repository authentication | `string` | `"/argocd/github/app_private_key"` | no | +| [ssm\_github\_app\_private\_key](#input\_ssm\_github\_app\_private\_key) | SSM path to the GitHub App private key | `string` | `"/argocd/github/app_private_key"` | no | | [ssm\_github\_notifications\_app\_private\_key](#input\_ssm\_github\_notifications\_app\_private\_key) | SSM path to the GitHub App private key for notifications | `string` | `"/argocd/github_notifications/app_private_key"` | no | | [ssm\_oidc\_client\_id](#input\_ssm\_oidc\_client\_id) | The SSM Parameter Store path for the ID of the IdP client | `string` | `"/argocd/oidc/client_id"` | no | | [ssm\_oidc\_client\_secret](#input\_ssm\_oidc\_client\_secret) | The SSM Parameter Store path for the secret of the IdP client | `string` | `"/argocd/oidc/client_secret"` | no | 
@@ -621,13 +623,22 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec | Name | Description | |------|-------------| | [github\_webhook\_value](#output\_github\_webhook\_value) | The value of the GitHub webhook secret used for ArgoCD | - - + + + ## References -- [Argo CD](https://argoproj.github.io/cd/) -- [Argo CD Docs](https://argo-cd.readthedocs.io/en/stable/) -- [Argo Helm Chart](https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/) -[](https://cpco.io/component) +- [Argo CD](https://argoproj.github.io/cd/) - + +- [Argo CD Docs](https://argo-cd.readthedocs.io/en/stable/) - + +- [Argo Helm Chart](https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/) - + +- [Argo CD error "server.secretkey is missing"](https://stackoverflow.com/questions/75046330/argo-cd-error-server-secretkey-is-missing) - + + + + +[](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-eks-argocd&utm_content=) From 3bf87f6ae67358ec33ede9a324ffafcb70c75302 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 22 Sep 2025 10:32:53 -0400 Subject: [PATCH 3/9] fixed tests, revert unintended changes --- src/notifications.tf | 6 +++--- src/provider-helm.tf | 3 +-- src/remote-state.tf | 8 ++++---- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/src/notifications.tf b/src/notifications.tf index 51c43dc..1f5c6ec 100644 --- a/src/notifications.tf +++ b/src/notifications.tf 
@@ -219,14 +219,14 @@ locals { if key != "ssm_path_prefix" && key != "webhook" }, { - for key, value in coalesce(local.notifications_notifiers.webhook, {}) : + for key, value in lookup(local.notifications_notifiers, "webhook", {}) : format("webhook_%s", key) => { for param_name, param_value in value : param_name => param_value if param_value != null } } ) ## Get paths to read configs for each notifier service - notifications_notifiers_ssm_path = merge( + notifications_notifiers_ssm_path = local.enabled ? merge( { for key, value in local.notifications_notifiers_variables : key => format("%s/%s/", local.notifications_notifiers.ssm_path_prefix, key) @@ -234,7 +234,7 @@ locals { { common = format("%s/common/", local.notifications_notifiers.ssm_path_prefix) }, - ) + ) : {} ## Read SSM secrets into object for each notifier service notifications_notifiers_ssm_configs = { diff --git a/src/provider-helm.tf b/src/provider-helm.tf index 91cc7f6..ee1aaa6 100644 --- a/src/provider-helm.tf +++ b/src/provider-helm.tf @@ -133,9 +133,8 @@ locals { "--profile", var.kube_exec_auth_aws_profile ] : [] - kube_exec_auth_role_arn = coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn) exec_role = local.kube_exec_auth_enabled && var.kube_exec_auth_role_arn_enabled ? [ - "--role-arn", local.kube_exec_auth_role_arn + "--role-arn", coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn) ] : [] # Provide dummy configuration for the case where the EKS cluster is not available. diff --git a/src/remote-state.tf b/src/remote-state.tf index c63f357..301edd8 100644 --- a/src/remote-state.tf +++ b/src/remote-state.tf @@ -1,6 +1,6 @@ module "eks" { source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.5.0" + version = "1.8.0" component = var.eks_component_name 
@@ -9,7 +9,7 @@ module "eks" { module "dns_gbl_delegated" { source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.5.0" + version = "1.8.0" environment = "gbl" component = "dns-delegated" @@ -20,7 +20,7 @@ module "dns_gbl_delegated" { module "saml_sso_providers" { for_each = local.enabled ? var.saml_sso_providers : {} source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.5.0" + version = "1.8.0" component = each.value.component environment = each.value.environment @@ -32,7 +32,7 @@ module "argocd_repo" { for_each = local.enabled ? var.argocd_repositories : {} source = "cloudposse/stack-config/yaml//modules/remote-state" - version = "1.5.0" + version = "1.8.0" component = each.key environment = each.value.environment From 6d8ae173b69ee31b969b75802346819c53af9165 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 22 Sep 2025 11:43:02 -0400 Subject: [PATCH 4/9] revert changes --- src/provider-github.tf | 37 ++++++++++++++++++++++------ src/resources/argocd-values.yaml.tpl | 2 +- src/variables-argocd.tf | 24 ------------------ 3 files changed, 31 insertions(+), 32 deletions(-) diff --git a/src/provider-github.tf b/src/provider-github.tf index ee0e554..7804647 100644 --- a/src/provider-github.tf +++ b/src/provider-github.tf 
@@ -17,15 +17,38 @@ variable "github_token_override" { default = null } +# GitHub App Authentication Variables +variable "github_app_enabled" { + type = bool + description = "Whether to use GitHub App authentication instead of PAT" + default = false +} + +variable "github_app_id" { + type = string + description = "The ID of the GitHub App to use for authentication" + default = null +} + +variable "github_app_installation_id" { + type = string + description = "The Installation ID of the GitHub App to use for authentication" + default = null +} + +variable "ssm_github_app_private_key" { + type = string + description = "SSM path to the GitHub App private key" + default = "/argocd/github/app_private_key" +} + locals { - github_token = local.create_github_webhook ? ( - var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null)) - ) : "" + github_token = var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null)) } # SSM Parameter for PAT Authentication data "aws_ssm_parameter" "github_api_key" { - count = local.create_github_webhook && !var.github_app_enabled ? 1 : 0 + count = !var.github_app_enabled ? 1 : 0 name = var.ssm_github_api_key with_decryption = true } @@ -39,9 +62,9 @@ data "aws_ssm_parameter" "github_app_private_key" { # We will only need the github provider if we are creating the GitHub webhook with github_repository_webhook. provider "github" { - base_url = local.create_github_webhook ? var.github_base_url : null - owner = local.create_github_webhook ? var.github_organization : null - token = local.create_github_webhook ? local.github_token : null + base_url = var.github_base_url + owner = var.github_organization + token = local.github_token dynamic "app_auth" { for_each = local.create_github_webhook && var.github_app_enabled ? [1] : [] 
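Review bot: The `aws_ssm_parameter.github_api_key` data source is now gated only on `!var.github_app_enabled`, so the decrypted PAT is read, and kept in state as a data source attribute, on every run that uses PAT auth, including stacks that never create the webhook. The plan also fails when the parameter does not exist, even if nothing needs the token. Unless the wider read is intended, keep the webhook guard, `count = local.create_github_webhook && !var.github_app_enabled ? 1 : 0`, and guard `local.github_token` the same way, since `coalesce()` errors when both of its arguments are null. The `github_token_override` block at the top of the hunk starts outside it.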
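Review bot: The comment above `provider "github"` still says the provider is only needed when the webhook is created, but `base_url`, `owner` and `token` are now passed unconditionally while `app_auth` alone stays behind `local.create_github_webhook`. With `github_app_enabled = true` and no webhook, the provider ends up with neither a token nor `app_auth`; that may be intended, but it is not stated. Update the comment, for example `# base_url, owner and token are always passed; app_auth is only set when the webhook is created.` The `app_auth` block continues past the end of the hunk.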
diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index 1bf08bf..a947324 100644 --- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl @@ -28,7 +28,7 @@ server: ingress: enabled: true - ingressClassName: alb-argocd-ext + ingressClassName: alb annotations: cert-manager.io/cluster-issuer: ${cert_issuer} external-dns.alpha.kubernetes.io/hostname: ${ingress_host} diff --git a/src/variables-argocd.tf b/src/variables-argocd.tf index 393fc56..6d1ca77 100644 --- a/src/variables-argocd.tf +++ b/src/variables-argocd.tf @@ -225,27 +225,3 @@ variable "github_deploy_keys_enabled" { Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`. EOT } - -variable "github_app_enabled" { - type = bool - description = "Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`)" - default = false -} - -variable "github_app_id" { - type = string - description = "The ID of the GitHub App to use for Argo CD repository authentication" - default = null -} - -variable "github_app_installation_id" { - type = string - description = "The Installation ID of the GitHub App to use for Argo CD repository authentication" - default = null -} - -variable "ssm_github_app_private_key" { - type = string - description = "SSM path to the GitHub App private key for Argo CD repository authentication" - default = "/argocd/github/app_private_key" -} From 81d99d98fce7a4b9f22ad683ca792b51b2ab0008 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 22 Sep 2025 12:58:12 -0400 Subject: [PATCH 5/9] revert changes --- src/resources/argocd-values.yaml.tpl | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index a947324..0a6eb2a 100644 
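Review bot: `ingressClassName: alb` in the `server` ingress block is a literal, while the annotations right below it (`${cert_issuer}`, `${ingress_host}`) are template variables, so the class cannot be chosen per stack. The ingress class decides which load balancer, and therefore which network exposure, serves the Argo CD UI and API; whether `alb` maps to an internal or an internet-facing controller is not visible in this hunk. Consider rendering it from a template variable, for example `ingressClassName: ${ingress_class_name}` (placeholder name), with the current value as the default. The `server` block starts and ends outside the hunk.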
--- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl @@ -12,19 +12,9 @@ dex: controller: replicas: 1 - metrics: - enabled: true - serviceMonitor: - enabled: true server: replicas: 2 - metrics: - enabled: true - serviceMonitor: - enabled: true - - ingress: enabled: true @@ -101,8 +91,8 @@ server: name: argocd-repo-creds-${name} key: sshPrivateKey %{ else ~} - githubAppID: ${github_app_id} - githubAppInstallationID: ${github_app_installation_id} + githubAppID: "${github_app_id}" + githubAppInstallationID: "${github_app_installation_id}" githubAppPrivateKeySecret: name: argocd-repo-creds-${name} key: githubAppPrivateKey @@ -140,19 +130,16 @@ server: %{ if oidc_enabled == true ~} scopes: '${oidc_rbac_scopes}' -%{ endif ~} -%{ if saml_enabled == true ~} +%{ else ~} +%{ if saml_enabled == true ~} scopes: '${saml_rbac_scopes}' +%{ endif ~} %{ endif ~} policy.default: role:readonly repoServer: replicas: 2 - metrics: - enabled: true - serviceMonitor: - enabled: true applicationSet: replicas: 2 From 91ccc670aa7ff246f60c939b569bf080a3bd4c97 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 22 Sep 2025 14:04:11 -0400 Subject: [PATCH 6/9] Remove default policy setting for readonly role --- src/resources/argocd-values.yaml.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index 0a6eb2a..e188809 100644 --- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl @@ -136,8 +136,6 @@ server: %{ endif ~} %{ endif ~} - policy.default: role:readonly - repoServer: replicas: 2 From dd9a1aa8716f65cdcfc0214b5c5ec27fee859671 Mon Sep 17 00:00:00 2001 From: milldr Date: Tue, 23 Sep 2025 13:17:24 -0400 Subject: [PATCH 7/9] Update webhook notifier handling in notifications.tf --- src/notifications.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/notifications.tf b/src/notifications.tf index 1f5c6ec..e0485f9 100644 
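Review bot: In the `@@ -140,19 +130,16 @@` hunk the SAML `scopes` line is now nested under the `else` of the OIDC check, so when both `oidc_enabled` and `saml_enabled` are true only `oidc_rbac_scopes` is rendered and `saml_rbac_scopes` is dropped without any signal. That avoids a duplicate `scopes` key, but RBAC group matching for SAML logins then depends on the OIDC scope list, which is easy to miss. State the precedence next to the directive, for example `# OIDC scopes win when both oidc_enabled and saml_enabled are true; saml_rbac_scopes is ignored in that case`, or reject the combination where the variables are declared.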
--- a/src/notifications.tf +++ b/src/notifications.tf @@ -219,7 +219,7 @@ locals { if key != "ssm_path_prefix" && key != "webhook" }, { - for key, value in lookup(local.notifications_notifiers, "webhook", {}) : + for key, value in coalesce(lookup(local.notifications_notifiers, "webhook", {}), {}) : format("webhook_%s", key) => { for param_name, param_value in value : param_name => param_value if param_value != null } } From ba56b45e0caaab489f6d5ead34c16f60cdea1234 Mon Sep 17 00:00:00 2001 From: milldr Date: Tue, 23 Sep 2025 14:14:21 -0400 Subject: [PATCH 8/9] enforce type number --- src/provider-github.tf | 4 ++-- src/resources/argocd-values.yaml.tpl | 4 ++-- src/variables-argocd-notifications.tf | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/provider-github.tf b/src/provider-github.tf index 7804647..c084b1a 100644 --- a/src/provider-github.tf +++ b/src/provider-github.tf @@ -25,13 +25,13 @@ variable "github_app_enabled" { } variable "github_app_id" { - type = string + type = number description = "The ID of the GitHub App to use for authentication" default = null } variable "github_app_installation_id" { - type = string + type = number description = "The Installation ID of the GitHub App to use for authentication" default = null } diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index e188809..6d7f255 100644 --- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl @@ -91,8 +91,8 @@ server: name: argocd-repo-creds-${name} key: sshPrivateKey %{ else ~} - githubAppID: "${github_app_id}" - githubAppInstallationID: "${github_app_installation_id}" + githubAppID: ${github_app_id} + githubAppInstallationID: ${github_app_installation_id} githubAppPrivateKeySecret: name: argocd-repo-creds-${name} key: githubAppPrivateKey diff --git a/src/variables-argocd-notifications.tf b/src/variables-argocd-notifications.tf index cc23ddb..9b0c714 100644 
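Review bot: The `for` expression in the `@@ -219,7 +219,7 @@` hunk now wraps `lookup(...)` in `coalesce(..., {})`, and nothing in the code says why both are needed. `lookup` only supplies `{}` when the `webhook` key is absent; a key that is present but null still comes back as null, which a `for` expression cannot iterate. A one-line comment above it, such as `# webhook may be absent or explicitly null; treat both as "no webhook notifiers"`, would keep a later cleanup from dropping one of the two calls. The `locals` block starts and ends outside the hunk.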
--- a/src/variables-argocd-notifications.tf +++ b/src/variables-argocd-notifications.tf @@ -12,13 +12,13 @@ variable "github_notifications_app_enabled" { } variable "github_notifications_app_id" { - type = string + type = number description = "The ID of the GitHub App to use for notifications authentication" default = null } variable "github_notifications_app_installation_id" { - type = string + type = number description = "The Installation ID of the GitHub App to use for notifications authentication" default = null } From 6d7fea9e604bb1e8b7ebace2b72d7d754070133c Mon Sep 17 00:00:00 2001 From: milldr Date: Tue, 23 Sep 2025 15:43:10 -0400 Subject: [PATCH 9/9] Update GitHub App ID and Installation ID types to string --- src/provider-github.tf | 4 ++-- src/resources/argocd-values.yaml.tpl | 4 ++-- src/variables-argocd-notifications.tf | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/provider-github.tf b/src/provider-github.tf index c084b1a..7804647 100644 --- a/src/provider-github.tf +++ b/src/provider-github.tf @@ -25,13 +25,13 @@ variable "github_app_enabled" { } variable "github_app_id" { - type = number + type = string description = "The ID of the GitHub App to use for authentication" default = null } variable "github_app_installation_id" { - type = number + type = string description = "The Installation ID of the GitHub App to use for authentication" default = null } diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl index 6d7f255..6693d56 100644 --- a/src/resources/argocd-values.yaml.tpl +++ b/src/resources/argocd-values.yaml.tpl @@ -91,8 +91,8 @@ server: name: argocd-repo-creds-${name} key: sshPrivateKey %{ else ~} - githubAppID: ${github_app_id} - githubAppInstallationID: ${github_app_installation_id} + githubAppID: ${tonumber(github_app_id)} + githubAppInstallationID: ${tonumber(github_app_installation_id)} githubAppPrivateKeySecret: name: argocd-repo-creds-${name} key: githubAppPrivateKey 
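Review bot: `github_app_id` and `github_app_installation_id` go back to `type = string` in the `provider-github.tf` hunk of patch 9/9, while the template hunk in the same patch renders them through `tonumber(...)`. A non-numeric value is therefore rejected only when the values file is rendered, with an error that points at the template rather than at the input, and `tonumber` also accepts forms such as decimals that are not valid IDs. A `validation` block on each variable would reject bad input at plan time; the default is `null`, so the condition has to allow it. The fence shows it for `github_app_id`, and the same block applies to `github_app_installation_id`. The `github_app_enabled` block at the top of the hunk starts outside it.

```hcl
variable "github_app_id" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.github_app_id == null || can(regex("^[0-9]+$", var.github_app_id))
    error_message = "The github_app_id value must contain only digits."
  }
}
```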
diff --git a/src/variables-argocd-notifications.tf b/src/variables-argocd-notifications.tf index 9b0c714..cc23ddb 100644 --- a/src/variables-argocd-notifications.tf +++ b/src/variables-argocd-notifications.tf @@ -12,13 +12,13 @@ variable "github_notifications_app_enabled" { } variable "github_notifications_app_id" { - type = number + type = string description = "The ID of the GitHub App to use for notifications authentication" default = null } variable "github_notifications_app_installation_id" { - type = number + type = string description = "The Installation ID of the GitHub App to use for notifications authentication" default = null }