feat: Provide Anonymous ArgoCD Access (cloudposse/terraform-aws-components#1017)

Co-authored-by: Andriy Knysh <[email protected]>

Author: RoseSecurity

src/README.md

@@ -511,6 +511,7 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec
 | <a name="input_alb_logs_bucket"></a> [alb\_logs\_bucket](#input\_alb\_logs\_bucket) | The name of the bucket for ALB access logs. The bucket must have policy allowing the ELB logging principal | `string` | `""` | no |
 | <a name="input_alb_logs_prefix"></a> [alb\_logs\_prefix](#input\_alb\_logs\_prefix) | `alb_logs_bucket` s3 bucket prefix | `string` | `""` | no |
 | <a name="input_alb_name"></a> [alb\_name](#input\_alb\_name) | The name of the ALB (e.g. `argocd`) provisioned by `alb-controller`. Works together with `var.alb_group_name` | `string` | `null` | no |
+| <a name="input_anonymous_enabled"></a> [anonymous\_enabled](#input\_anonymous\_enabled) | Toggles anonymous user access using default rbac setting (defaults to readonly) | `bool` | `false` | no |
 | <a name="input_argocd_apps_chart"></a> [argocd\_apps\_chart](#input\_argocd\_apps\_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `<repository>/<chart>` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended. | `string` | `"argocd-apps"` | no |
 | <a name="input_argocd_apps_chart_description"></a> [argocd\_apps\_chart\_description](#input\_argocd\_apps\_chart\_description) | Set release description attribute (visible in the history). | `string` | `"A Helm chart for managing additional Argo CD Applications and Projects"` | no |
 | <a name="input_argocd_apps_chart_repository"></a> [argocd\_apps\_chart\_repository](#input\_argocd\_apps\_chart\_repository) | Repository URL where to locate the requested chart. | `string` | `"https://argoproj.github.io/argo-helm"` | no |

src/main.tf

@@ -148,6 +148,7 @@ module "argocd" {
       "${path.module}/resources/argocd-values.yaml.tpl",
       {
         admin_enabled       = var.admin_enabled
+        anonymous_enabled   = var.anonymous_enabled
         alb_group_name      = var.alb_group_name == null ? "" : var.alb_group_name
         alb_logs_bucket     = var.alb_logs_bucket
         alb_logs_prefix     = var.alb_logs_prefix

src/resources/argocd-values.yaml.tpl

@@ -74,6 +74,7 @@ server:
   config:
     url: https://${argocd_host}
     admin.enabled: "${admin_enabled}"
+    users.anonymous_enabled: "${anonymous_enabled}"
 
     # https://github.com/argoproj/argo-cd/issues/7835
     kustomize.buildOptions: --enable-helm

src/variables-argocd.tf

@@ -101,6 +101,12 @@ variable "admin_enabled" {
   default     = false
 }
 
+variable "anonymous_enabled" {
+  type        = bool
+  description = "Toggles anonymous user access using default RBAC setting (Defaults to read-only)"
+  default     = false
+}
+
 variable "oidc_enabled" {
   type        = bool
   description = "Toggles OIDC integration in the deployed chart"