cloudposse-terraform-components · goruha · Sep 26, 2025 · Sep 19, 2025 · Sep 19, 2025 · Sep 22, 2025
diff --git a/.gitignore b/.gitignore
@@ -76,3 +76,4 @@ github/
 *.ovpn
 
 *.zip
+account-map/
diff --git a/src/README.md b/src/README.md
diff --git a/src/data.tf b/src/data.tf
@@ -26,7 +26,7 @@ data "aws_ssm_parameter" "oidc_client_secret" {
 }
 
 data "aws_ssm_parameter" "github_deploy_key" {
-  for_each = local.enabled ? var.argocd_repositories : {}
+  for_each = local.github_deploy_keys_enabled ? var.argocd_repositories : {}
 
   name = local.enabled ? format(
     module.argocd_repo[each.key].outputs.deploy_keys_ssm_path_format,

diff --git a/src/main.tf b/src/main.tf
@@ -1,41 +1,50 @@
 locals {
   enabled = module.this.enabled
 
-  kubernetes_namespace = var.kubernetes_namespace
-  oidc_enabled         = local.enabled && var.oidc_enabled
-  oidc_enabled_count   = local.oidc_enabled ? 1 : 0
-  saml_enabled         = local.enabled && var.saml_enabled
+  kubernetes_namespace       = var.kubernetes_namespace
+  oidc_enabled               = local.enabled && var.oidc_enabled
+  oidc_enabled_count         = local.oidc_enabled ? 1 : 0
+  saml_enabled               = local.enabled && var.saml_enabled
+  github_deploy_keys_enabled = local.enabled && var.github_deploy_keys_enabled
   argocd_repositories = local.enabled ? {
     for k, v in var.argocd_repositories : replace(k, "/", "-") => {
-      clone_url         = module.argocd_repo[k].outputs.repository_ssh_clone_url
-      github_deploy_key = data.aws_ssm_parameter.github_deploy_key[k].value
+      # If using deploy keys, use the SSH clone URL. Otherwise, use the HTTP clone URL.
+      clone_url         = local.github_deploy_keys_enabled ? module.argocd_repo[k].outputs.repository_ssh_clone_url : module.argocd_repo[k].outputs.repository_http_clone_url
+      github_deploy_key = local.github_deploy_keys_enabled ? data.aws_ssm_parameter.github_deploy_key[k].value : ""
       repository        = module.argocd_repo[k].outputs.repository
     }
   } : {}
 
-  credential_templates = flatten(concat([
-    for k, v in local.argocd_repositories : [
-      {
+  credential_templates = flatten(concat(
+    [
+      for k, v in local.argocd_repositories : {
         name  = "configs.credentialTemplates.${k}.url"
         value = v.clone_url
         type  = "string"
-      },
-      {
+      }
+    ],
+    local.github_deploy_keys_enabled ? [
+      for k, v in local.argocd_repositories : {
         name  = "configs.credentialTemplates.${k}.sshPrivateKey"
         value = nonsensitive(v.github_deploy_key)
         type  = "string"
-      },
-    ]
+      }
+      ] : [
+      # If we're using GitHub App authentication, we need to add the GitHub App private key as a secret.
+      # It will be used by all desired state repositories
+      for k, v in local.argocd_repositories : {
+        name  = "configs.credentialTemplates.${k}.githubAppPrivateKey"
+        value = nonsensitive(data.aws_ssm_parameter.github_app_private_key[0].value)
+        type  = "string"
+      }
     ],
     [
       for s, v in local.notifications_notifiers_ssm_configs : [
-        for k, i in v : [
-          {
-            name  = "notifications.secret.items.${s}_${k}"
-            value = i
-            type  = "string"
-          }
-        ]
+        for k, i in v : {
+          name  = "notifications.secret.items.${s}_${k}"
+          value = i
+          type  = "string"
+        }
       ]
     ],
     local.github_webhook_enabled ? [
@@ -154,26 +163,29 @@ module "argocd" {
     templatefile(
       "${path.module}/resources/argocd-values.yaml.tpl",
       {
-        admin_enabled       = var.admin_enabled
-        anonymous_enabled   = var.anonymous_enabled
-        alb_group_name      = var.alb_group_name == null ? "" : var.alb_group_name
-        alb_logs_bucket     = var.alb_logs_bucket
-        alb_logs_prefix     = var.alb_logs_prefix
-        alb_name            = var.alb_name == null ? "" : var.alb_name
-        application_repos   = { for k, v in local.argocd_repositories : k => v.clone_url }
-        argocd_host         = local.host
-        cert_issuer         = var.certificate_issuer
-        forecastle_enabled  = var.forecastle_enabled
-        ingress_host        = local.host
-        name                = module.this.name
-        oidc_enabled        = local.oidc_enabled
-        oidc_rbac_scopes    = var.oidc_rbac_scopes
-        saml_enabled        = local.saml_enabled
-        saml_rbac_scopes    = var.saml_rbac_scopes
-        service_type        = var.service_type
-        rbac_default_policy = var.argocd_rbac_default_policy
-        rbac_policies       = var.argocd_rbac_policies
-        rbac_groups         = var.argocd_rbac_groups
+        admin_enabled              = var.admin_enabled
+        alb_group_name             = var.alb_group_name == null ? "" : var.alb_group_name
+        alb_logs_bucket            = var.alb_logs_bucket
+        alb_logs_prefix            = var.alb_logs_prefix
+        alb_name                   = var.alb_name == null ? "" : var.alb_name
+        anonymous_enabled          = var.anonymous_enabled
+        application_repos          = { for k, v in local.argocd_repositories : k => v.clone_url }
+        argocd_host                = local.host
+        cert_issuer                = var.certificate_issuer
+        forecastle_enabled         = var.forecastle_enabled
+        github_app_id              = var.github_app_id
+        github_app_installation_id = var.github_app_installation_id
+        github_deploy_keys_enabled = local.github_deploy_keys_enabled
+        ingress_host               = local.host
+        name                       = module.this.name
+        oidc_enabled               = local.oidc_enabled
+        oidc_rbac_scopes           = var.oidc_rbac_scopes
+        rbac_default_policy        = var.argocd_rbac_default_policy
+        rbac_groups                = var.argocd_rbac_groups
+        rbac_policies              = var.argocd_rbac_policies
+        saml_enabled               = local.saml_enabled
+        saml_rbac_scopes           = var.saml_rbac_scopes
+        service_type               = var.service_type
       }
     ),
     # argocd-notifications specific settings

diff --git a/src/notifications.tf b/src/notifications.tf
@@ -219,22 +219,22 @@ locals {
       if key != "ssm_path_prefix" && key != "webhook"
     },
     {
-      for key, value in try(local.notifications_notifiers.webhook, {}) :
+      for key, value in coalesce(local.notifications_notifiers.webhook, {}) :
       format("webhook_%s", key) =>
       { for param_name, param_value in value : param_name => param_value if param_value != null }
     }
   )
 
   ## Get paths to read configs for each notifier service
-  notifications_notifiers_ssm_path = local.enabled ? merge(
+  notifications_notifiers_ssm_path = merge(
     {
       for key, value in local.notifications_notifiers_variables :
       key => format("%s/%s/", local.notifications_notifiers.ssm_path_prefix, key)
     },
     {
       common = format("%s/common/", local.notifications_notifiers.ssm_path_prefix)
     },
-  ) : {}
+  )
 
   ## Read SSM secrets into object for each notifier service
   notifications_notifiers_ssm_configs = {

diff --git a/src/provider-github.tf b/src/provider-github.tf
@@ -17,38 +17,15 @@ variable "github_token_override" {
   default     = null
 }
 
-# GitHub App Authentication Variables
-variable "github_app_enabled" {
-  type        = bool
-  description = "Whether to use GitHub App authentication instead of PAT"
-  default     = false
-}
-
-variable "github_app_id" {
-  type        = string
-  description = "The ID of the GitHub App to use for authentication"
-  default     = null
-}
-
-variable "github_app_installation_id" {
-  type        = string
-  description = "The Installation ID of the GitHub App to use for authentication"
-  default     = null
-}
-
-variable "ssm_github_app_private_key" {
-  type        = string
-  description = "SSM path to the GitHub App private key"
-  default     = "/argocd/github/app_private_key"
-}
-
 locals {
-  github_token = var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null))
+  github_token = local.create_github_webhook ? (
+    var.github_app_enabled ? null : coalesce(var.github_token_override, try(data.aws_ssm_parameter.github_api_key[0].value, null))
+  ) : ""
 }
 
 # SSM Parameter for PAT Authentication
 data "aws_ssm_parameter" "github_api_key" {
-  count           = !var.github_app_enabled ? 1 : 0
+  count           = local.create_github_webhook && !var.github_app_enabled ? 1 : 0
   name            = var.ssm_github_api_key
   with_decryption = true
 }
@@ -62,9 +39,9 @@ data "aws_ssm_parameter" "github_app_private_key" {
 
 # We will only need the github provider if we are creating the GitHub webhook with github_repository_webhook.
 provider "github" {
-  base_url = var.github_base_url
-  owner    = var.github_organization
-  token    = local.github_token
+  base_url = local.create_github_webhook ? var.github_base_url : null
+  owner    = local.create_github_webhook ? var.github_organization : null
+  token    = local.create_github_webhook ? local.github_token : null
 
   dynamic "app_auth" {
     for_each = local.create_github_webhook && var.github_app_enabled ? [1] : []

diff --git a/src/provider-helm.tf b/src/provider-helm.tf
@@ -133,8 +133,9 @@ locals {
     "--profile", var.kube_exec_auth_aws_profile
   ] : []
 
+  kube_exec_auth_role_arn = coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn)
   exec_role = local.kube_exec_auth_enabled && var.kube_exec_auth_role_arn_enabled ? [
-    "--role-arn", coalesce(var.kube_exec_auth_role_arn, module.iam_roles.terraform_role_arn)
+    "--role-arn", local.kube_exec_auth_role_arn
   ] : []
 
   # Provide dummy configuration for the case where the EKS cluster is not available.

diff --git a/src/remote-state.tf b/src/remote-state.tf
@@ -1,6 +1,6 @@
 module "eks" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "1.8.0"
+  version = "1.5.0"
 
   component = var.eks_component_name
 
@@ -9,7 +9,7 @@ module "eks" {
 
 module "dns_gbl_delegated" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "1.8.0"
+  version = "1.5.0"
 
   environment = "gbl"
   component   = "dns-delegated"
@@ -20,7 +20,7 @@ module "dns_gbl_delegated" {
 module "saml_sso_providers" {
   for_each = local.enabled ? var.saml_sso_providers : {}
   source   = "cloudposse/stack-config/yaml//modules/remote-state"
-  version  = "1.8.0"
+  version  = "1.5.0"
 
   component   = each.value.component
   environment = each.value.environment
@@ -32,7 +32,7 @@ module "argocd_repo" {
   for_each = local.enabled ? var.argocd_repositories : {}
 
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "1.8.0"
+  version = "1.5.0"
 
   component   = each.key
   environment = each.value.environment

diff --git a/src/resources/argocd-values.yaml.tpl b/src/resources/argocd-values.yaml.tpl
@@ -12,13 +12,23 @@ dex:
 
 controller:
   replicas: 1
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
 
 server:
   replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+
 
   ingress:
     enabled: true
-    ingressClassName: alb
+    ingressClassName: alb-argocd-ext
     annotations:
       cert-manager.io/cluster-issuer: ${cert_issuer}
       external-dns.alpha.kubernetes.io/hostname: ${ingress_host}
@@ -86,9 +96,17 @@ server:
     repositories: |
 %{ for name, url in application_repos ~}
       - url: ${url}
+%{ if github_deploy_keys_enabled == true ~}
         sshPrivateKeySecret:
           name: argocd-repo-creds-${name}
           key: sshPrivateKey
+%{ else ~}
+        githubAppID: ${github_app_id}
+        githubAppInstallationID: ${github_app_installation_id}
+        githubAppPrivateKeySecret:
+          name: argocd-repo-creds-${name}
+          key: githubAppPrivateKey
+%{ endif ~}
 %{ endfor ~}
     resource.customizations: |
         admissionregistration.k8s.io/MutatingWebhookConfiguration:
@@ -131,6 +149,10 @@ server:
 
 repoServer:
   replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
 
 applicationSet:
   replicas: 2
diff --git a/src/variables-argocd.tf b/src/variables-argocd.tf
@@ -215,3 +215,37 @@ variable "saml_sso_providers" {
   default     = {}
   description = "SAML SSO providers components"
 }
+
+variable "github_deploy_keys_enabled" {
+  type        = bool
+  default     = true
+  description = <<-EOT
+  Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing.
+
+  Alternatively, you can use a GitHub App to access this desired state repository configured with `var.github_app_enabled`, `var.github_app_id`, and `var.github_app_installation_id`.
+  EOT
+}
+
+variable "github_app_enabled" {
+  type        = bool
+  description = "Whether to use GitHub App authentication for Argo CD repositories both for webhooks and syncing (depending on `var.github_deploy_keys_enabled`)"
+  default     = false
+}
+
+variable "github_app_id" {
+  type        = string
+  description = "The ID of the GitHub App to use for Argo CD repository authentication"
+  default     = null
+}
+
+variable "github_app_installation_id" {
+  type        = string
+  description = "The Installation ID of the GitHub App to use for Argo CD repository authentication"
+  default     = null
+}
+
+variable "ssm_github_app_private_key" {
+  type        = string
+  description = "SSM path to the GitHub App private key for Argo CD repository authentication"
+  default     = "/argocd/github/app_private_key"
+}