init argocd_project resource (#6)

feature: argocd_project_resource

Author: oboukili

.github/workflows/acceptance.yml

@@ -8,6 +8,10 @@ jobs:
   acceptance_tests:
     name: Acceptance Tests
     runs-on: [ubuntu-latest]
+    strategy:
+      fail-fast: false
+      matrix:
+        argocd_version: ["v1.5.2", "v1.4.3"]
     steps:
       - uses: actions/checkout@v1
       - uses: actions/setup-go@v1
@@ -22,37 +26,17 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
 
-      - name: Install bitnami/bcrypt-cli
-        run: GO111MODULE=on go get github.com/bitnami/bcrypt-cli
-
       - name: Install Kind
         run: GO111MODULE=on go get sigs.k8s.io/kind
 
-      - name: Create Kind cluster
-        run: PATH=$(go env GOPATH)/bin:$PATH kind create cluster --name argocd
-
-      - name: Run Kind sanity checks
-        run: |
-          kubectl get nodes -o wide
-          kubectl get pods --all-namespaces -o wide
-          kubectl get services --all-namespaces -o wide
-
-      - name: Set up ArgoCD 1.5.0
+      - name: Set up ArgoCD ${{ matrix.argocd_version }}
+        env:
+          ARGOCD_VERSION: ${{ matrix.argocd_version }}
         run: |
-          export PATH=${PATH}:$(go env GOPATH)/bin &&
-          kubectl create namespace argocd &&
-          kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v1.5.0/manifests/install.yaml &&
-          kubectl patch -n argocd secret/argocd-secret --type merge -p '{"stringData":{"admin.password":"'$(echo -n acceptancetesting|bcrypt-cli)'"}}' &&
-          kubectl apply -n argocd -f manifests/argocd-project.yml &&
-          kubectl wait --for=condition=available --timeout=600s deployment/argocd-server -n argocd &&
+          sh scripts/testacc_prepare_env.sh
           kubectl port-forward -n argocd service/argocd-server --address 127.0.0.1 8080:443&
           until $(nc -z 127.0.0.1 8080); do sleep 2;done
           netstat -tulpn
 
       - name: Run acceptance tests
-        run: >
-          ARGOCD_INSECURE=true
-          ARGOCD_SERVER=127.0.0.1:8080
-          ARGOCD_AUTH_USERNAME=admin
-          ARGOCD_AUTH_PASSWORD=acceptancetesting
-          TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -timeout 5m
+        run: sh scripts/testacc.sh

GNUmakefile

@@ -15,18 +15,10 @@ test: fmt
 		xargs -t -n4 go test $(TESTARGS) -timeout=30s -parallel=4
 
 testacc_prepare_env:
-	kind create cluster --name argocd && \
-	kubectl create namespace argocd && \
-	kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v1.5.0/manifests/install.yaml && \
-	kubectl patch -n argocd secret/argocd-secret --type merge -p '{"stringData":{"admin.password":"$$2a$10$Oc4i/CTPPCrbbeAIrwgmzeCg.wzEtCZd2HQz5gZOnPNlBekm.FVta"}}' && \
-	kubectl apply -n argocd -f manifests/argocd-project.yml && \
-	kubectl wait --for=condition=available --timeout=300s deployment/argocd-server -n argocd && \
-	export KPF_PID=$(kubectl port-forward -n argocd service/argocd-server --address 127.0.0.1 8080:443)
+	sh scripts/testacc_prepare_env.sh
 
 testacc:
-	ARGOCD_INSECURE=true ARGOCD_SERVER=localhost:8080 \
-	ARGOCD_AUTH_USERNAME=admin ARGOCD_AUTH_PASSWORD=acceptancetesting \
-	TF_ACC=1 go test $(TEST) -v -timeout 5m
+	sh scripts/testacc.sh
 
 testacc_clean_env:
 	kind delete cluster --name argocd

README.md

@@ -9,6 +9,31 @@
 - [Terraform](https://www.terraform.io/downloads.html) 0.12.x
 - [Go](https://golang.org/doc/install) 1.14+
 
+---
+
+## Motivations
+
+### *I thought ArgoCD already allowed for 100% declarative configuration?*
+
+While that is true through the use of ArgoCD Kubernetes Custom Resources, 
+there are some resources that simply cannot be managed using Kubernetes manifests,
+such as project roles JWTs whose respective lifecycles are better handled by a tool like Terraform.
+Even more so when you need to export these JWTs to another external system using Terraform, like a CI platform.
+
+### *Wouldn't using a Kubernetes provider to handle ArgoCD configuration be enough?*
+
+Existing Kubernetes providers do not patch arrays of objects, losing project role JWTs when doing small project changes just happen.
+
+ArgoCD Kubernetes admission webhook controller is not as exhaustive as ArgoCD API validation, this can be seen with RBAC policies, where no validation occur when creating/patching a project.
+
+Using Terraform to manage Kubernetes Custom Resource becomes increasingly difficult 
+the further you use HCL2 DSL to merge different data structures *and* want to preserve type safety.
+
+Whatever the Kubernetes CRD provider you are using, you will probably end up using `locals` and the `yamlencode` function **which does not preserve the values' type**.
+In these cases, not only the readability of your Terraform plan will worsen, but you will also be losing some safeties that Terraform provides in the process.
+
+---
+
 ## Building
 
 Clone the repository within your `GOPATH`
@@ -36,11 +61,72 @@ provider "argocd" {
   insecure    = false              # env ARGOCD_INSECURE                 
 }
 
+resource "argocd_project" "myproject" {
+  metadata {
+    name      = "myproject"
+    namespace = "argocd"
+    labels = {
+      acceptance = "true"
+    }
+    annotations = {
+      "this.is.a.really.long.nested.key" = "yes, really!"
+    }
+  }
+
+  spec {
+    description  = "simple project"
+    source_repos = ["*"]
+
+    destination {
+      server    = "https://kubernetes.default.svc"
+      namespace = "default"
+    }
+    destination {
+      server    = "https://kubernetes.default.svc"
+      namespace = "foo"
+    }
+    cluster_resource_whitelist {
+      group = "rbac.authorization.k8s.io"
+      kind  = "ClusterRoleBinding"
+    }
+    cluster_resource_whitelist {
+      group = "rbac.authorization.k8s.io"
+      kind  = "ClusterRole"
+    }
+    namespace_resource_blacklist {
+      group = "networking.k8s.io"
+      kind  = "Ingress"
+    }
+    orphaned_resources = {
+      warn = true
+    }
+    sync_window {
+      kind = "allow"
+      applications = ["api-*"]
+      clusters = ["*"]
+      namespaces = ["*"]
+      duration = "3600s"
+      schedule = "10 1 * * *"
+      manual_sync = true
+    }
+    sync_window {
+      kind = "deny"
+      applications = ["foo"]
+      clusters = ["in-cluster"]
+      namespaces = ["default"]
+      duration = "12h"
+      schedule = "22 1 5 * *"
+      manual_sync = false
+    }
+  }
+}
+
 resource "argocd_project_token" "secret" {
-  project     = "myproject"
-  role        = "bar"
+  count       = 20
+  project     = argocd_project.myproject.metadata.0.name
+  role        = "foobar"
   description = "short lived token"
-  expires_in  = "3600"
+  expires_in  = 3600
 }
 ```
 

argocd/provider.go

@@ -35,6 +35,7 @@ func Provider() terraform.ResourceProvider {
 				},
 				AtLeastOneOf: []string{
 					"password",
+					"auth_token",
 				},
 			},
 			"password": {
@@ -46,6 +47,7 @@ func Provider() terraform.ResourceProvider {
 				},
 				AtLeastOneOf: []string{
 					"username",
+					"auth_token",
 				},
 			},
 			"cert_file": {
@@ -58,8 +60,9 @@ func Provider() terraform.ResourceProvider {
 				Default:  false,
 			},
 			"context": {
-				Type:     schema.TypeString,
-				Optional: true,
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ARGOCD_CONTEXT", nil),
 			},
 			"user_agent": {
 				Type:     schema.TypeString,
@@ -90,6 +93,7 @@ func Provider() terraform.ResourceProvider {
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
+			"argocd_project":       resourceArgoCDProject(),
 			"argocd_project_token": resourceArgoCDProjectToken(),
 		},
 

argocd/provider_test.go

@@ -8,7 +8,9 @@ import (
 )
 
 var testAccProviders map[string]terraform.ResourceProvider
+var testAccProviderFactories func(providers *[]*schema.Provider) map[string]terraform.ResourceProviderFactory
 var testAccProvider *schema.Provider
+var testAccProviderFunc func() *schema.Provider
 
 func init() {
 	testAccProvider = Provider().(*schema.Provider)