creazione modulo argocd

diegoitaliait · diegoitaliait · commit 430a91d9fddc · 2025-09-14T12:30:06.000+02:00
diff --git a/src/aks-platform/10_argocd.tf b/src/aks-platform/10_argocd.tf
@@ -17,28 +17,28 @@ data "azurerm_key_vault_secret" "argocd_entra_app_client_id" {
 }
 
 #
-# Setup ArgoCD
+# Setup ArgoCD (module)
 #
-resource "helm_release" "argocd" {
-  name      = "argo"
-  chart     = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-${var.argocd_helm_release_version}/argo-cd-${var.argocd_helm_release_version}.tgz"
-  namespace = kubernetes_namespace.namespace_argocd.metadata[0].name
-  wait      = true
-
-  values = [
-    templatefile("${path.module}/argocd/argocd_helm_setup_values.yaml", {
-      ARGOCD_APPLICATION_NAMESPACES    = var.argocd_application_namespaces
-      TENANT_ID                        = data.azurerm_subscription.current.tenant_id
-      APP_CLIENT_ID                    = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
-      ENTRA_ADMIN_GROUP_OBJECT_IDS     = []
-      ENTRA_DEVELOPER_GROUP_OBJECT_IDS = []
-      ENTRA_READER_GROUP_OBJECT_IDS    = []
-      ENTRA_GUEST_GROUP_OBJECT_IDS     = []
-      ARGOCD_INTERNAL_URL              = local.argocd_internal_url
-      ARGOCD_INGRESS_TLS_SECRET_NAME   = replace(local.argocd_internal_url, ".", "-", )
-      FORCE_REINSTALL                  = var.argocd_force_reinstall_version
-    })
-  ]
+module "argocd" {
+  source = "./modules/argocd"
+
+  namespace                         = kubernetes_namespace.namespace_argocd.metadata[0].name
+  argocd_helm_release_version       = var.argocd_helm_release_version
+  argocd_application_namespaces     = var.argocd_application_namespaces
+  argocd_force_reinstall_version    = var.argocd_force_reinstall_version
+  tenant_id                         = data.azurerm_subscription.current.tenant_id
+  app_client_id                     = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
+  argocd_internal_url               = local.argocd_internal_url
+  kv_core_id                        = data.azurerm_key_vault.kv_core_ita.id
+  aks_name                          = module.aks.name
+  aks_resource_group_name           = azurerm_resource_group.rg_aks.name
+  workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
+  location                          = var.location
+  internal_dns_zone_name            = data.azurerm_private_dns_zone.internal.name
+  internal_dns_zone_resource_group_name = local.internal_dns_zone_resource_group_name
+  ingress_load_balancer_ip          = var.ingress_load_balancer_ip
+  ingress_hostname_prefix           = local.ingress_hostname_prefix
+  admin_password                    = data.azurerm_key_vault_secret.argocd_admin_password.value
 
   depends_on = [
     module.aks,
@@ -53,73 +53,12 @@ data "azurerm_key_vault_secret" "argocd_admin_password" {
   name         = "argocd-admin-password"
 }
 
-resource "null_resource" "argocd_change_admin_password" {
-
-  triggers = {
-    argocd_password = data.azurerm_key_vault_secret.argocd_admin_password.value
-    force_reinstall = var.argocd_force_reinstall_version
-  }
-
-  provisioner "local-exec" {
-    command = "kubectl -n argocd patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(data.azurerm_key_vault_secret.argocd_admin_password.value)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
-  }
-
-  depends_on = [
-    data.azurerm_key_vault_secret.argocd_admin_password,
-    helm_release.argocd
-  ]
-}
-
-resource "null_resource" "restart_argocd_server" {
-  triggers = {
-    force_reinstall = var.argocd_force_reinstall_version
-    helm_version    = helm_release.argocd.version
-    helm_values     = helm_release.argocd.values[0]
-  }
-
-  provisioner "local-exec" {
-    command = "kubectl -n argocd rollout restart deployment/argo-argocd-server"
-  }
-
-  depends_on = [
-    helm_release.argocd,
-    null_resource.argocd_change_admin_password
-  ]
-}
-
-resource "azurerm_key_vault_secret" "argocd_admin_username" {
-  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
-  name         = "argocd-admin-username"
-  value        = "admin"
-}
+# moved to module
 
 #
 # tools
 #
-module "argocd_workload_identity_init" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.77.0"
-
-  workload_identity_name_prefix         = "argocd"
-  workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
-  workload_identity_location            = var.location
-}
-
-module "argocd_workload_identity_configuration" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.77.0"
-
-  workload_identity_name_prefix         = "argocd"
-  workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
-  aks_name                              = module.aks.name
-  aks_resource_group_name               = azurerm_resource_group.rg_aks.name
-  namespace                             = kubernetes_namespace.namespace_argocd.metadata[0].name
-
-  key_vault_id                      = data.azurerm_key_vault.kv_core_ita.id
-  key_vault_certificate_permissions = ["Get"]
-  key_vault_key_permissions         = ["Get"]
-  key_vault_secret_permissions      = ["Get"]
-
-  depends_on = [module.argocd_workload_identity_init]
-}
+# moved to module
 
 module "cert_mounter_argocd_internal" {
   source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.77.0"
@@ -129,11 +68,11 @@ module "cert_mounter_argocd_internal" {
   tenant_id        = data.azurerm_subscription.current.tenant_id
 
   workload_identity_enabled              = true
-  workload_identity_service_account_name = module.argocd_workload_identity_configuration.workload_identity_service_account_name
-  workload_identity_client_id            = module.argocd_workload_identity_configuration.workload_identity_client_id
+  workload_identity_service_account_name = module.argocd.workload_identity_service_account_name
+  workload_identity_client_id            = module.argocd.workload_identity_client_id
 
   depends_on = [
-    module.argocd_workload_identity_configuration
+    module.argocd
   ]
 }
 
@@ -153,10 +92,4 @@ resource "helm_release" "reloader_argocd" {
 #
 # 🌐 Network
 #
-resource "azurerm_private_dns_a_record" "argocd_ingress" {
-  name                = local.ingress_hostname_prefix
-  zone_name           = data.azurerm_private_dns_zone.internal.name
-  resource_group_name = local.internal_dns_zone_resource_group_name
-  ttl                 = 3600
-  records             = [var.ingress_load_balancer_ip]
-}
+# moved to module
diff --git a/src/aks-platform/modules/argocd/main.tf b/src/aks-platform/modules/argocd/main.tf
@@ -0,0 +1,107 @@
+locals {
+  tls_secret_name = coalesce(var.ingress_tls_secret_name, replace(var.argocd_internal_url, ".", "-"))
+}
+
+resource "helm_release" "argocd" {
+  count     = var.enable_helm_release ? 1 : 0
+  name      = "argo"
+  chart     = "https://github.com/argoproj/argo-helm/releases/download/argo-cd-${var.argocd_helm_release_version}/argo-cd-${var.argocd_helm_release_version}.tgz"
+  namespace = var.namespace
+  wait      = true
+
+  values = [
+    templatefile("${path.root}/src/aks-platform/argocd/argocd_helm_setup_values.yaml", {
+      ARGOCD_APPLICATION_NAMESPACES    = var.argocd_application_namespaces
+      TENANT_ID                        = var.tenant_id
+      APP_CLIENT_ID                    = var.app_client_id
+      ENTRA_ADMIN_GROUP_OBJECT_IDS     = var.entra_admin_group_object_ids
+      ENTRA_DEVELOPER_GROUP_OBJECT_IDS = var.entra_developer_group_object_ids
+      ENTRA_READER_GROUP_OBJECT_IDS    = var.entra_reader_group_object_ids
+      ENTRA_GUEST_GROUP_OBJECT_IDS     = var.entra_guest_group_object_ids
+      ARGOCD_INTERNAL_URL              = var.argocd_internal_url
+      ARGOCD_INGRESS_TLS_SECRET_NAME   = local.tls_secret_name
+      FORCE_REINSTALL                  = var.argocd_force_reinstall_version
+    })
+  ]
+}
+
+resource "azurerm_key_vault_secret" "argocd_admin_username" {
+  count       = var.enable_store_admin_username ? 1 : 0
+  key_vault_id = var.kv_core_id
+  name         = "argocd-admin-username"
+  value        = "admin"
+}
+
+resource "null_resource" "argocd_change_admin_password" {
+  count = var.enable_change_admin_password ? 1 : 0
+
+  triggers = {
+    argocd_password = var.admin_password
+    force_reinstall = var.argocd_force_reinstall_version
+  }
+
+  provisioner "local-exec" {
+    command = "kubectl -n ${var.namespace} patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(var.admin_password)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
+  }
+
+  depends_on = [
+    # Ensure helm release is applied before patching the secret when enabled
+    helm_release.argocd,
+  ]
+}
+
+resource "null_resource" "restart_argocd_server" {
+  count = var.enable_restart_argocd_server ? 1 : 0
+
+  triggers = {
+    force_reinstall = var.argocd_force_reinstall_version
+    helm_version    = try(helm_release.argocd[0].version, "")
+    helm_values     = try(helm_release.argocd[0].values[0], "")
+  }
+
+  provisioner "local-exec" {
+    command = "kubectl -n ${var.namespace} rollout restart deployment/argo-argocd-server"
+  }
+
+  depends_on = [
+    helm_release.argocd,
+    null_resource.argocd_change_admin_password,
+  ]
+}
+
+module "argocd_workload_identity_init" {
+  count  = var.enable_workload_identity_init ? 1 : 0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.77.0"
+
+  workload_identity_name_prefix         = "argocd"
+  workload_identity_resource_group_name = var.workload_identity_resource_group_name
+  workload_identity_location            = var.location
+}
+
+module "argocd_workload_identity_configuration" {
+  count  = var.enable_workload_identity_configuration ? 1 : 0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.77.0"
+
+  workload_identity_name_prefix         = "argocd"
+  workload_identity_resource_group_name = var.workload_identity_resource_group_name
+  aks_name                              = var.aks_name
+  aks_resource_group_name               = var.aks_resource_group_name
+  namespace                             = var.namespace
+
+  key_vault_id                      = var.kv_core_id
+  key_vault_certificate_permissions = ["Get"]
+  key_vault_key_permissions         = ["Get"]
+  key_vault_secret_permissions      = ["Get"]
+
+  depends_on = [module.argocd_workload_identity_init]
+}
+
+resource "azurerm_private_dns_a_record" "argocd_ingress" {
+  count               = var.enable_private_dns_a_record ? 1 : 0
+  name                = var.ingress_hostname_prefix
+  zone_name           = var.internal_dns_zone_name
+  resource_group_name = var.internal_dns_zone_resource_group_name
+  ttl                 = 3600
+  records             = [var.ingress_load_balancer_ip]
+}
+
diff --git a/src/aks-platform/modules/argocd/outputs.tf b/src/aks-platform/modules/argocd/outputs.tf
@@ -0,0 +1,10 @@
+output "workload_identity_service_account_name" {
+  description = "Service Account name created by workload identity configuration"
+  value       = try(module.argocd_workload_identity_configuration[0].workload_identity_service_account_name, null)
+}
+
+output "workload_identity_client_id" {
+  description = "Client ID created by workload identity configuration"
+  value       = try(module.argocd_workload_identity_configuration[0].workload_identity_client_id, null)
+}
+
diff --git a/src/aks-platform/modules/argocd/variables.tf b/src/aks-platform/modules/argocd/variables.tf
