update modulo

diegoitaliait · diegoitaliait · commit 79494a6c64c6 · 2025-09-14T12:47:46.000+02:00
diff --git a/src/aks-platform/10_argocd.tf b/src/aks-platform/10_argocd.tf
@@ -16,6 +16,14 @@ data "azurerm_key_vault_secret" "argocd_entra_app_client_id" {
   key_vault_id = data.azurerm_key_vault.kv_core_ita.id
 }
 
+#
+# Admin Password
+#
+data "azurerm_key_vault_secret" "argocd_admin_password" {
+  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
+  name         = "argocd-admin-password"
+}
+
 #
 # Setup ArgoCD (module)
 #
@@ -27,38 +35,27 @@ module "argocd" {
   argocd_application_namespaces     = var.argocd_application_namespaces
   argocd_force_reinstall_version    = var.argocd_force_reinstall_version
   tenant_id                         = data.azurerm_subscription.current.tenant_id
-  app_client_id                     = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
+  entra_app_client_id               = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
   argocd_internal_url               = local.argocd_internal_url
-  kv_core_id                        = data.azurerm_key_vault.kv_core_ita.id
+  kv_id                             = data.azurerm_key_vault.kv_core_ita.id
   aks_name                          = module.aks.name
   aks_resource_group_name           = azurerm_resource_group.rg_aks.name
   workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
   location                          = var.location
   internal_dns_zone_name            = data.azurerm_private_dns_zone.internal.name
   internal_dns_zone_resource_group_name = local.internal_dns_zone_resource_group_name
   ingress_load_balancer_ip          = var.ingress_load_balancer_ip
-  ingress_hostname_prefix           = local.ingress_hostname_prefix
+  dns_record_name_for_ingress       = local.ingress_hostname_prefix
   admin_password                    = data.azurerm_key_vault_secret.argocd_admin_password.value
 
   depends_on = [
     module.aks,
   ]
 }
 
-#
-# Admin Password
-#
-data "azurerm_key_vault_secret" "argocd_admin_password" {
-  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
-  name         = "argocd-admin-password"
-}
-
-# moved to module
-
-#
+#---------------------------------------------------------------
 # tools
-#
-# moved to module
+#---------------------------------------------------------------
 
 module "cert_mounter_argocd_internal" {
   source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.77.0"
@@ -88,8 +85,3 @@ resource "helm_release" "reloader_argocd" {
     value = "false"
   }
 }
-
-#
-# 🌐 Network
-#
-# moved to module
diff --git a/src/aks-platform/modules/argocd/main.tf b/src/aks-platform/modules/argocd/main.tf
@@ -1,5 +1,19 @@
 locals {
   tls_secret_name = coalesce(var.ingress_tls_secret_name, replace(var.argocd_internal_url, ".", "-"))
+  effective_admin_password = (
+    var.admin_password != null && var.admin_password != ""
+  ) ? var.admin_password : random_password.argocd_admin_password[0].result
+}
+
+resource "random_password" "argocd_admin_password" {
+  count           = var.admin_password == null || var.admin_password == "" ? 1 : 0
+  length          = 28
+  special         = true
+  min_upper       = 1
+  min_lower       = 1
+  min_numeric     = 1
+  min_special     = 1
+  override_special = "!@#$%*+-=?"
 }
 
 resource "helm_release" "argocd" {
@@ -13,7 +27,7 @@ resource "helm_release" "argocd" {
     templatefile("${path.root}/src/aks-platform/argocd/argocd_helm_setup_values.yaml", {
       ARGOCD_APPLICATION_NAMESPACES    = var.argocd_application_namespaces
       TENANT_ID                        = var.tenant_id
-      APP_CLIENT_ID                    = var.app_client_id
+      APP_CLIENT_ID                    = var.entra_app_client_id
       ENTRA_ADMIN_GROUP_OBJECT_IDS     = var.entra_admin_group_object_ids
       ENTRA_DEVELOPER_GROUP_OBJECT_IDS = var.entra_developer_group_object_ids
       ENTRA_READER_GROUP_OBJECT_IDS    = var.entra_reader_group_object_ids
@@ -27,26 +41,34 @@ resource "helm_release" "argocd" {
 
 resource "azurerm_key_vault_secret" "argocd_admin_username" {
   count       = var.enable_store_admin_username ? 1 : 0
-  key_vault_id = var.kv_core_id
+  key_vault_id = var.kv_id
   name         = "argocd-admin-username"
   value        = "admin"
 }
 
+resource "azurerm_key_vault_secret" "argocd_admin_password" {
+  count        = var.enable_store_admin_password ? 1 : 0
+  key_vault_id = var.kv_id
+  name         = "argocd-admin-password"
+  value        = local.effective_admin_password
+}
+
 resource "null_resource" "argocd_change_admin_password" {
   count = var.enable_change_admin_password ? 1 : 0
 
   triggers = {
-    argocd_password = var.admin_password
+    argocd_password = local.effective_admin_password
     force_reinstall = var.argocd_force_reinstall_version
   }
 
   provisioner "local-exec" {
-    command = "kubectl -n ${var.namespace} patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(var.admin_password)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
+    command = "kubectl -n ${var.namespace} patch secret argocd-secret -p '{\"stringData\": {\"admin.password\":  \"${bcrypt(local.effective_admin_password)}\", \"admin.passwordMtime\": \"'$(date +%FT%T%Z)'\"}}'"
   }
 
   depends_on = [
     # Ensure helm release is applied before patching the secret when enabled
     helm_release.argocd,
+    azurerm_key_vault_secret.argocd_admin_password,
   ]
 }
 
@@ -88,7 +110,7 @@ module "argocd_workload_identity_configuration" {
   aks_resource_group_name               = var.aks_resource_group_name
   namespace                             = var.namespace
 
-  key_vault_id                      = var.kv_core_id
+  key_vault_id                      = var.kv_id
   key_vault_certificate_permissions = ["Get"]
   key_vault_key_permissions         = ["Get"]
   key_vault_secret_permissions      = ["Get"]
@@ -98,10 +120,9 @@ module "argocd_workload_identity_configuration" {
 
 resource "azurerm_private_dns_a_record" "argocd_ingress" {
   count               = var.enable_private_dns_a_record ? 1 : 0
-  name                = var.ingress_hostname_prefix
+  name                = var.dns_record_name_for_ingress
   zone_name           = var.internal_dns_zone_name
   resource_group_name = var.internal_dns_zone_resource_group_name
   ttl                 = 3600
   records             = [var.ingress_load_balancer_ip]
 }
-
diff --git a/src/aks-platform/modules/argocd/variables.tf b/src/aks-platform/modules/argocd/variables.tf
@@ -24,7 +24,7 @@ variable "tenant_id" {
   type        = string
 }
 
-variable "app_client_id" {
+variable "entra_app_client_id" {
   description = "Workload identity application client id"
   type        = string
 }
@@ -40,8 +40,8 @@ variable "ingress_tls_secret_name" {
   default     = null
 }
 
-variable "kv_core_id" {
-  description = "Core Key Vault id"
+variable "kv_id" {
+  description = "Key Vault id"
   type        = string
 }
 
@@ -80,15 +80,23 @@ variable "ingress_load_balancer_ip" {
   type        = string
 }
 
-variable "ingress_hostname_prefix" {
-  description = "Hostname prefix for the ArgoCD ingress A record"
+variable "dns_record_name_for_ingress" {
+  description = "DNS A record name for the ArgoCD ingress"
   type        = string
   default     = "argocd"
 }
 
 variable "admin_password" {
-  description = "Admin password (plain) stored in KV; used to patch ArgoCD secret"
+  description = "Admin password (plain). If null, a random one is generated."
   type        = string
+  default     = null
+  sensitive   = true
+}
+
+variable "enable_store_admin_password" {
+  description = "Enable storing of ArgoCD admin password in Key Vault"
+  type        = bool
+  default     = true
 }
 
 # Optional Entra group object IDs; default to empty
@@ -158,4 +166,3 @@ variable "enable_private_dns_a_record" {
   type        = bool
   default     = true
 }
-

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ variable "tenant_id" {`
`24`	`24`	`type = string`
`25`	`25`	`}`
`26`	`26`
`27`		`-variable "app_client_id" {`
	`27`	`+variable "entra_app_client_id" {`
`28`	`28`	`description = "Workload identity application client id"`
`29`	`29`	`type = string`
`30`	`30`	`}`
`@@ -40,8 +40,8 @@ variable "ingress_tls_secret_name" {`
`40`	`40`	`default = null`
`41`	`41`	`}`
`42`	`42`
`43`		`-variable "kv_core_id" {`
`44`		`- description = "Core Key Vault id"`
	`43`	`+variable "kv_id" {`
	`44`	`+ description = "Key Vault id"`
`45`	`45`	`type = string`
`46`	`46`	`}`
`47`	`47`
`@@ -80,15 +80,23 @@ variable "ingress_load_balancer_ip" {`
`80`	`80`	`type = string`
`81`	`81`	`}`
`82`	`82`
`83`		`-variable "ingress_hostname_prefix" {`
`84`		`- description = "Hostname prefix for the ArgoCD ingress A record"`
	`83`	`+variable "dns_record_name_for_ingress" {`
	`84`	`+ description = "DNS A record name for the ArgoCD ingress"`
`85`	`85`	`type = string`
`86`	`86`	`default = "argocd"`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`variable "admin_password" {`
`90`		`- description = "Admin password (plain) stored in KV; used to patch ArgoCD secret"`
	`90`	`+ description = "Admin password (plain). If null, a random one is generated."`
`91`	`91`	`type = string`
	`92`	`+ default = null`
	`93`	`+ sensitive = true`
	`94`	`+}`
	`95`	`+`
	`96`	`+variable "enable_store_admin_password" {`
	`97`	`+ description = "Enable storing of ArgoCD admin password in Key Vault"`
	`98`	`+ type = bool`
	`99`	`+ default = true`
`92`	`100`	`}`
`93`	`101`
`94`	`102`	`# Optional Entra group object IDs; default to empty`
`@@ -158,4 +166,3 @@ variable "enable_private_dns_a_record" {`
`158`	`166`	`type = bool`
`159`	`167`	`default = true`
`160`	`168`	`}`
`161`		`-`