cloudposse-terraform-components/aws-eks-argocd

This component is responsible for provisioning Argo CD.

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

⚠️⚠️⚠️ ArgoCD CRDs must be installed separately from this component/helm release. The ref you apply must match the appVersion of the chart version you deploy (var.chart_version), otherwise the chart's resources and the CRD schema can disagree. ⚠️⚠️⚠️

kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=<appVersion>"

# Eg. version v2.4.9
kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=v2.4.9"

Usage

Preparing AppProject repos:

First, make sure you have a GitHub repo ready to go. We have a component for this called argocd-repo. It creates a GitHub repo and adds some secrets and code owners. Most importantly, it configures an applicationset.yaml that includes all the details Helm needs to create the ArgoCD ApplicationSet and AppProject resources. These resources tell ArgoCD how to act on changes pushed to its repo.

components:
  terraform:
    argocd-repo-defaults:
      metadata:
        type: abstract
      vars:
        enabled: true
        github_user: acme_admin
        github_user_email: infra@acme.com
        github_organization: ACME
        github_codeowner_teams:
          - "@ACME/acme-admins"
          - "@ACME/CloudPosse"
          - "@ACME/developers"
        gitignore_entries:
          - "**/.DS_Store"
          - ".DS_Store"
          - "**/.vscode"
          - "./vscode"
          - ".idea/"
          - ".vscode/"
        permissions:
          - team_slug: acme-admins
            permission: admin
          - team_slug: CloudPosse
            permission: admin
          - team_slug: developers
            permission: push

Injecting infrastructure details into applications

Second, your application repos will need values from the infrastructure (ingress groups, hostnames, certificates) to configure their helm releases. We have an eks/platform component for exposing such infra outputs: it performs remote state lookups and stores the results in SSM. We demonstrate how to pull the platform SSM parameters later. Here's an example eks/platform config:

components:
  terraform:
    eks/platform:
      metadata:
        type: abstract
        component: eks/platform
      backend:
        s3:
          workspace_key_prefix: platform
      deps:
        - catalog/eks/cluster
        - catalog/eks/alb-controller-ingress-group
        - catalog/acm
      vars:
        enabled: true
        name: "platform"
        eks_component_name: eks/cluster
        ssm_platform_path: /platform/%s/%s
        references:
          default_alb_ingress_group:
            component: eks/alb-controller-ingress-group
            output: .group_name
          default_ingress_domain:
            component: dns-delegated
            environment: gbl
            output: "[.zones[].name][-1]"

    eks/platform/acm:
      metadata:
        component: eks/platform
        inherits:
          - eks/platform
      vars:
        eks_component_name: eks/cluster
        references:
          default_ingress_domain:
            component: acm
            environment: use2
            output: .domain_name

    eks/platform/dev:
      metadata:
        component: eks/platform
        inherits:
          - eks/platform
      vars:
        platform_environment: dev

    acm/qa2:
      settings:
        spacelift:
          workspace_enabled: true
      metadata:
        component: acm
      vars:
        enabled: true
        name: acm-qa2
        tags:
          Team: sre
          Service: acm
        process_domain_validation_options: true
        validation_method: DNS
        dns_private_zone_enabled: false
        certificate_authority_enabled: false

In the previous sample we create platform settings for a dev platform and a qa2 platform. These names are arbitrary labels used only to separate the SSM parameters, so that when, say, a particular hostname is needed, the right one can be selected by a moniker such as qa2. They otherwise carry no meaning and do not need to align with any particular stage or tenant.

ArgoCD on SAML / AWS Identity Center (formerly aws-sso)

Here's an example snippet for how to use this component:

components:
  terraform:
    eks/argocd:
      settings:
        spacelift:
          workspace_enabled: true
          depends_on:
            - argocd-applicationset
            - tenant-gbl-corp-argocd-depoy-non-prod
      vars:
        enabled: true
        alb_group_name: argocd
        alb_name: argocd
        alb_logs_prefix: argocd
        certificate_issuer: selfsigning-issuer
        github_organization: MyOrg
        oidc_enabled: false
        saml_enabled: true
        ssm_store_account: corp
        ssm_store_account_region: us-west-2
        argocd_repo_name: argocd-deploy-non-prod
        argocd_rbac_policies:
          - "p, role:org-admin, applications, *, */*, allow"
          - "p, role:org-admin, clusters, get, *, allow"
          - "p, role:org-admin, repositories, get, *, allow"
          - "p, role:org-admin, repositories, create, *, allow"
          - "p, role:org-admin, repositories, update, *, allow"
          - "p, role:org-admin, repositories, delete, *, allow"
        # Note: the IDs for AWS Identity Center groups will change if you alter/replace them:
        argocd_rbac_groups:
          - group: deadbeef-dead-beef-dead-beefdeadbeef
            role: admin
          - group: badca7sb-add0-65ba-dca7-sbadd065badc
            role: reader
        chart_values:
          global:
            logging:
              format: json
              level: warn

    sso-saml/aws-sso:
      settings:
        spacelift:
          workspace_enabled: true
      metadata:
        component: sso-saml-provider
      vars:
        enabled: true
        ssm_path_prefix: "/sso/saml/aws-sso"
        usernameAttr: email
        emailAttr: email
        groupsAttr: groups

Note, if you set up sso-saml-provider, you will need to restart DEX on your EKS cluster manually:

kubectl delete pod <dex-pod-name> -n argocd

The configuration above will work for AWS Identity Center if you have the following attributes in a Custom SAML 2.0 application:

attribute name   value             type
Subject          ${user:subject}   persistent
email            ${user:email}     unspecified
groups           ${user:groups}    unspecified

You will also need to assign AWS Identity Center groups to your Custom SAML 2.0 application. Make a note of each group and replace the IDs in the argocd_rbac_groups var accordingly.
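As an added example (not code from this component or from Argo CD), here is how the argocd_rbac_policies and argocd_rbac_groups inputs in the snippet above become the policy.csv item of the argocd-rbac ConfigMap, followed by a lint pass over the result. The rendering rule follows the description in the Inputs table at the end of this page (policy strings are copied verbatim; each group entry becomes g, <group>, role:<role>); the group IDs are the placeholders from the snippet. One thing the lint surfaces: reader is not one of Argo CD's built-in roles (role:admin and role:readonly), so unless a p line defines role:reader, the second group gets nothing beyond argocd_rbac_default_policy.

```python
"""Render and lint the Argo CD policy.csv produced from the two RBAC inputs.

Added example, not code from the cloudposse eks/argocd component. The
rendering rule is the one the Inputs table documents; the sample values are
the ones from the stack snippet, with placeholder group IDs.
"""

# Roles Argo CD ships with. Any other role must be defined by a "p" line,
# otherwise a group bound to it only gets argocd_rbac_default_policy.
BUILTIN_ROLES = {"role:admin", "role:readonly"}

RBAC_POLICIES = [
    "p, role:org-admin, applications, *, */*, allow",
    "p, role:org-admin, clusters, get, *, allow",
    "p, role:org-admin, repositories, get, *, allow",
    "p, role:org-admin, repositories, create, *, allow",
    "p, role:org-admin, repositories, update, *, allow",
    "p, role:org-admin, repositories, delete, *, allow",
]
RBAC_GROUPS = [
    {"group": "deadbeef-dead-beef-dead-beefdeadbeef", "role": "admin"},
    {"group": "badca7sb-add0-65ba-dca7-sbadd065badc", "role": "reader"},
]


def render_policy_csv(policies, groups):
    """Return the policy.csv text: p lines verbatim, then one g line per group."""
    lines = list(policies)
    for entry in groups:
        lines.append(f"g, {entry['group']}, role:{entry['role']}")
    return "\n".join(lines) + "\n"


def lint_policy_csv(csv_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    defined_roles = set(BUILTIN_ROLES)
    bindings = []
    for num, raw in enumerate(csv_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        kind = fields[0]
        if kind == "p":
            # p, <subject>, <resource>, <action>, <object>, <effect>
            if len(fields) != 6:
                findings.append(f"line {num}: p line must have 6 fields, got {len(fields)}")
                continue
            subject, resource, action, obj, effect = fields[1:]
            if effect not in ("allow", "deny"):
                findings.append(f"line {num}: effect must be allow or deny, got {effect!r}")
            if subject.startswith("role:"):
                defined_roles.add(subject)
            if (resource, action, obj, effect) == ("*", "*", "*", "allow"):
                findings.append(f"line {num}: {subject!r} is allowed everything; equivalent to role:admin")
        elif kind == "g":
            # g, <IdP group>, <role>
            if len(fields) != 3:
                findings.append(f"line {num}: g line must have 3 fields, got {len(fields)}")
                continue
            bindings.append((num, fields[1], fields[2]))
        else:
            findings.append(f"line {num}: unknown policy type {kind!r}")
    # Resolve bindings only after every p line has been seen: a role may be
    # defined further down the file than the group that uses it.
    for num, group, role in bindings:
        if role not in defined_roles:
            findings.append(
                f"line {num}: group {group!r} is bound to undefined role {role!r}; "
                "it will only get the default policy"
            )
        elif role == "role:admin":
            findings.append(f"line {num}: group {group!r} is bound to role:admin (full control)")
    return findings


if __name__ == "__main__":
    csv_text = render_policy_csv(RBAC_POLICIES, RBAC_GROUPS)
    print(csv_text)
    for finding in lint_policy_csv(csv_text):
        print("WARNING:", finding)
```

Run it before applying a stack change: an undefined role is silent in Argo CD (the group simply falls through to the default policy), and a group bound to role:admin is worth a second look every time the Identity Center group IDs change.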

Google Workspace OIDC

To use Google OIDC:

oidc_enabled: true
saml_enabled: false
oidc_providers:
  google:
    uses_dex: true
    type: google
    id: google
    name: Google
    serviceAccountAccess:
      enabled: true
      key: googleAuth.json
      value: /sso/oidc/google/serviceaccount
      admin_email: an_actual_user@acme.com
    config:
      # Restrict sign-in to Google accounts in this domain; also helps the account chooser pick the right one.
      hostedDomains:
        - acme.com
      clientID: /sso/saml/google/clientid
      clientSecret: /sso/saml/google/clientsecret

Working with ArgoCD and GitHub

Here's a simple GitHub action that will trigger a deployment in ArgoCD:

# NOTE: the example shows the dev environment; qa2 follows the same pattern
name: argocd-deploy
on:
  push:
    branches:
      - main
# configure-aws-credentials authenticates with GitHub's OIDC token, which needs id-token: write
permissions:
  id-token: write
  contents: read
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2.1.0
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::123456789012:role/github-action-worker
      - name: Build
        shell: bash
        # push only after a successful build
        run: docker build -t some.docker.repo/acme/app . && docker push some.docker.repo/acme/app
      - name: Checkout Argo Configuration
        uses: actions/checkout@v3
        with:
          repository: acme/argocd-deploy-non-prod
          ref: main
          path: argocd-deploy-non-prod
          # The job's default GITHUB_TOKEN cannot push to another repository; use a
          # token with write access to the deploy repo (the secret name is hypothetical)
          token: ${{ secrets.ARGOCD_DEPLOY_TOKEN }}
      - name: Deploy to dev
        shell: bash
        run: |
          echo Rendering helmfile:
          helmfile \
            --namespace acme-app \
            --environment dev \
            --file deploy/app/release.yaml \
            --state-values-file <(aws ssm get-parameter --name /platform/dev),<(docker image inspect some.docker.repo/acme/app) \
            template > argocd-deploy-non-prod/plat/use2-dev/apps/my-preview-acme-app/manifests/resources.yaml
          echo Updating sha for app:
          # record the commit these manifests were built from (yq v4 syntax)
          yq e '.app_commit = strenv(GITHUB_SHA)' -i argocd-deploy-non-prod/plat/use2-dev/apps/my-preview-acme-app/config.yaml
          echo Committing new helmfile
          pushd argocd-deploy-non-prod
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add --all
          git commit --message "Updating acme-app to ${GITHUB_SHA}"
          git push
          popd

In the above example, we make a few assumptions:

  • You've already created the app in ArgoCD by adding a YAML file to your non-prod ArgoCD repo at the path plat/use2-dev/apps/my-preview-acme-app/config.yaml with contents:

        app_repository: acme/app
        app_commit: deadbeefdeadbeef
        app_hostname: https://some.app.endpoint/landing_page
        name: my-feature-branch.acme-app
        namespace: my-feature-branch
        manifests: plat/use2-dev/apps/my-preview-acme-app/manifests

  • You have set up ECR with permissions for GitHub Actions to push Docker images to it.
  • You already have your ApplicationSet and AppProject resources in plat/use2-dev/argocd/applicationset.yaml, which should be generated by our argocd-repo component.
  • Your app has a helmfile template in deploy/app/release.yaml.
  • That helmfile template accepts both the eks/platform config, pulled from SSM at the path configured by ssm_platform_path in the eks/platform defaults, and the output of docker image inspect.
  • The helmfile template uses the docker image inspect output to update the container resources.

Notifications

Here's a configuration for letting ArgoCD send commit-status notifications back to GitHub:

  1. Create a GitHub PAT with the repo:status scope.
  2. Save the PAT to SSM at /argocd/notifications/notifiers/common/github-token.
  3. Use this atmos stack configuration:
components:
  terraform:
    eks/argocd/notifications:
      metadata:
        component: eks/argocd
      vars:
        github_default_notifications_enabled: true

Webhook

Here's a configuration for letting GitHub notify ArgoCD on commit:

  1. Create a GitHub PAT with the admin:repo_hook scope (needed to create the repository webhook).
  2. Save the PAT to SSM at /argocd/github/api_key (var.ssm_github_api_key).
  3. Use this atmos stack configuration:
components:
  terraform:
    eks/argocd/notifications:
      metadata:
        component: eks/argocd
      vars:
        github_webhook_enabled: true

Creating Webhooks with github-webhook

If you are creating webhooks for ArgoCD deployment repos in multiple GitHub organizations, a single Terraform GitHub provider cannot serve them all. Instead, use Atmos to deploy multiple component instances: disable webhook creation in this component and create each webhook with the github-webhook component, as follows:

components:
  terraform:
    eks/argocd:
      metadata:
        component: eks/argocd
        inherits:
          - eks/argocd/defaults
      vars:
        github_webhook_enabled: true # create webhook value; required for argo-cd chart
        create_github_webhook: false # created with github-webhook
        argocd_repositories:
          "argocd-deploy-non-prod/org1": # this is the name of the `argocd-repo` component for "org1"
            environment: ue2
            stage: auto
            tenant: core
          "argocd-deploy-non-prod/org2":
            environment: ue2
            stage: auto
            tenant: core

    webhook/org1/argocd:
      metadata:
        component: github-webhook
      vars:
        github_organization: org1
        github_repository: argocd-deploy-non-prod
        webhook_url: "https://argocd.ue2.dev.plat.acme.org/api/webhook"
        ssm_github_webhook: "/argocd/github/webhook"

    webhook/org2/argocd:
      metadata:
        component: github-webhook
      vars:
        github_organization: org2
        github_repository: argocd-deploy-non-prod
        webhook_url: "https://argocd.ue2.dev.plat.acme.org/api/webhook"
        ssm_github_webhook: "/argocd/github/webhook"
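What the shared webhook secret actually buys you, as an added example (not code from this component, the github-webhook component, or Argo CD): GitHub signs every delivery with HMAC-SHA256 over the raw request body using the webhook secret and sends the hex digest in the X-Hub-Signature-256 header; a receiver configured with a secret recomputes it and rejects anything that does not match. That is why the value at ssm_github_webhook handed to each github-webhook instance must be the same value this component passes to the argo-cd chart (the github_webhook_value output). The secret, the push payload and the header values below are constructed sample data.

```python
"""Verify a GitHub push webhook the way a secret-protected /api/webhook
receiver does, and pull out what the receiver acts on.

Added example, not the component's or Argo CD's own code. All values are
constructed: the real secret lives in SSM and the real payload comes from
GitHub.
"""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"example-webhook-secret-from-ssm"
PUSH_EVENT = {
    "ref": "refs/heads/main",
    "repository": {"html_url": "https://github.com/acme/argocd-deploy-non-prod"},
    "commits": [
        {
            "id": "deadbeefdeadbeef",
            "modified": ["plat/use2-dev/apps/my-preview-acme-app/config.yaml"],
        }
    ],
}


def encode_event(event):
    """Serialise the event once; the signature covers exactly these bytes."""
    return json.dumps(event, separators=(",", ":")).encode()


def sign_body(secret, body):
    """Sender side: the X-Hub-Signature-256 value GitHub attaches to a delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_webhook(secret, headers, body):
    """Receiver side: constant-time comparison of the header against our own HMAC."""
    presented = headers.get("X-Hub-Signature-256", "")
    if not presented.startswith("sha256="):
        return False  # unsigned delivery (or only the legacy SHA-1 header): reject
    return hmac.compare_digest(presented, sign_body(secret, body))


def repo_and_paths(body):
    """Repository URL and changed paths from a verified push event, which is
    what a receiver matches against its Application sources to decide what to refresh."""
    event = json.loads(body)
    paths = []
    for commit in event.get("commits", []):
        for key in ("added", "modified", "removed"):
            paths.extend(commit.get(key, []))
    return event["repository"]["html_url"], paths


if __name__ == "__main__":
    body = encode_event(PUSH_EVENT)
    headers = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, body)}
    print("genuine delivery accepted:", verify_github_webhook(WEBHOOK_SECRET, headers, body))
    tampered = body.replace(b"refs/heads/main", b"refs/heads/evil")
    print("tampered body rejected:", not verify_github_webhook(WEBHOOK_SECRET, headers, tampered))
    print("unsigned delivery rejected:", not verify_github_webhook(WEBHOOK_SECRET, {}, body))
    print(repo_and_paths(body))
```

hmac.compare_digest is used rather than == so the comparison does not leak how many leading bytes matched, and a delivery without a signature is rejected outright rather than treated as "nothing to check". The webhook URL is visible to anyone who can read the hook settings in GitHub, so the secret is the only thing standing between that URL and unsolicited refresh requests; when you rotate the SSM value, both this component and every github-webhook instance must pick up the new value together.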

Slack Notifications

ArgoCD supports Slack notifications on application deployments.

  1. To enable Slack notifications, first create a Slack Application following the ArgoCD documentation.
  2. Create an OAuth token for the new Slack App.
  3. Save the OAuth token to AWS SSM Parameter Store in the same account and region as the GitHub tokens (for example, core-use2-auto), at the path given by var.slack_notifications.token_ssm_path (default /argocd/notifications/notifiers/slack/token).
  4. Add the app to the chosen Slack channel; if it is not added, notifications will not work.
  5. For this component, enable Slack integrations for each Application with var.slack_notifications_enabled and var.slack_notifications:

        slack_notifications_enabled: true
        slack_notifications:
          channel: argocd-updates

  6. In the argocd-repo component, set var.slack_notifications_channel to the name of the Slack notification channel to add the relevant ApplicationSet annotations.

Troubleshooting

Login to ArgoCD admin UI

For ArgoCD v1.9 and later, the initial admin password is available from a Kubernetes secret named argocd-initial-admin-secret. To get the initial password, execute the following command:

kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 --decode

Then open the ArgoCD admin UI and log in with the username admin and the password obtained in the previous step. Change that password on first login and then delete the argocd-initial-admin-secret secret from the argocd namespace: it exists only to bootstrap the first login, and anyone who can read secrets in that namespace can recover it.

Error "server.secretkey is missing"

If you provision a new version of the eks/argocd component, and some Helm Chart values get updated, you might encounter the error "server.secretkey is missing" in the ArgoCD admin UI. To fix the error, execute the following commands:

# Download `kubeconfig` and set EKS cluster
set-eks-cluster cluster-name

# Restart the `argocd-server` Pods
kubectl rollout restart deploy/argocd-server -n argocd

# Get the new admin password from the Kubernetes secret
kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 --decode

Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-secretkey-is-missing

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.0
github >= 4.0
helm >= 2.6.0
kubernetes >= 2.9.0, != 2.21.0
random >= 3.5

Providers

Name Version
aws >= 4.0
aws.config_secrets >= 4.0
github >= 4.0
kubernetes >= 2.9.0, != 2.21.0
random >= 3.5

Modules

Name Source Version
argocd cloudposse/helm-release/aws 0.10.1
argocd_apps cloudposse/helm-release/aws 0.10.1
argocd_repo cloudposse/stack-config/yaml//modules/remote-state 1.5.0
dns_gbl_delegated cloudposse/stack-config/yaml//modules/remote-state 1.5.0
eks cloudposse/stack-config/yaml//modules/remote-state 1.5.0
iam_roles ../../account-map/modules/iam-roles n/a
iam_roles_config_secrets ../../account-map/modules/iam-roles n/a
notifications_notifiers cloudposse/config/yaml//modules/deepmerge 1.0.2
notifications_templates cloudposse/config/yaml//modules/deepmerge 1.0.2
saml_sso_providers cloudposse/stack-config/yaml//modules/remote-state 1.5.0
this cloudposse/label/null 0.25.0

Resources

Name Type
github_repository_webhook.default resource
random_password.webhook resource
aws_eks_cluster_auth.eks data source
aws_ssm_parameter.github_api_key data source
aws_ssm_parameter.github_deploy_key data source
aws_ssm_parameter.oidc_client_id data source
aws_ssm_parameter.oidc_client_secret data source
aws_ssm_parameter.slack_notifications data source
aws_ssm_parameters_by_path.argocd_notifications data source
kubernetes_resources.crd data source

Inputs

Name Description Type Default Required
additional_tag_map Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
map(string) {} no
admin_enabled Toggles Admin user creation the deployed chart bool false no
alb_group_name A name used in annotations to reuse an ALB (e.g. argocd) or to generate a new one string null no
alb_logs_bucket The name of the bucket for ALB access logs. The bucket must have policy allowing the ELB logging principal string "" no
alb_logs_prefix alb_logs_bucket s3 bucket prefix string "" no
alb_name The name of the ALB (e.g. argocd) provisioned by alb-controller. Works together with var.alb_group_name string null no
anonymous_enabled Toggles anonymous user access using default RBAC setting (Defaults to read-only) bool false no
argocd_apps_chart Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if repository is specified. It is also possible to use the <repository>/<chart> format here if you are running Terraform on a system that the repository has been added to with helm repo add but this is not recommended. string "argocd-apps" no
argocd_apps_chart_description Set release description attribute (visible in the history). string "A Helm chart for managing additional Argo CD Applications and Projects" no
argocd_apps_chart_repository Repository URL where to locate the requested chart. string "https://argoproj.github.io/argo-helm" no
argocd_apps_chart_values Additional values to yamlencode as helm_release values for the argocd_apps chart any {} no
argocd_apps_chart_version Specify the exact chart version to install. If this is not specified, the latest version is installed. string "0.0.3" no
argocd_apps_enabled Enable argocd apps bool true no
argocd_create_namespaces ArgoCD create namespaces policy bool false no
argocd_rbac_default_policy Default ArgoCD RBAC role, applied to authenticated users that no other policy line matches.

See https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#basic-built-in-roles for more information.
string "role:readonly" no
argocd_rbac_groups List of ArgoCD Group Role Assignment strings to be added to the argocd-rbac configmap policy.csv item.
e.g.
[
{
group: idp-group-name,
role: argocd-role-name
},
]
becomes: g, idp-group-name, role:argocd-role-name
See https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ for more information.
list(object({
group = string,
role = string
}))
[] no
argocd_rbac_policies List of ArgoCD RBAC Permission strings to be added to the argocd-rbac configmap policy.csv item.

See https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ for more information.
list(string) [] no
argocd_repositories Map of objects defining an argocd_repo to configure. The key is the name of the ArgoCD repository.
map(object({
environment = string # The environment where the argocd_repo component is deployed.
stage = string # The stage where the argocd_repo component is deployed.
tenant = string # The tenant where the argocd_repo component is deployed.
}))
{} no
atomic If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. bool true no
attributes ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
list(string) [] no
certificate_issuer Certificate manager cluster issuer string "letsencrypt-staging" no
chart Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if repository is specified. It is also possible to use the <repository>/<chart> format here if you are running Terraform on a system that the repository has been added to with helm repo add but this is not recommended. string "argo-cd" no
chart_description Set release description attribute (visible in the history). string null no
chart_repository Repository URL where to locate the requested chart. string "https://argoproj.github.io/argo-helm" no
chart_values Additional values to yamlencode as helm_release values. any {} no
chart_version Specify the exact chart version to install. If this is not specified, the latest version is installed. string "5.55.0" no
cleanup_on_fail Allow deletion of new resources created in this upgrade when upgrade fails. bool true no
context Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
any
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
no
create_github_webhook Enable GitHub webhook creation

Use this to create the GitHub Webhook for the given ArgoCD repo using the value created when var.github_webhook_enabled is true.
bool true no
create_namespace Create the namespace if it does not yet exist. Defaults to false. bool false no
delimiter Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
string null no
descriptor_formats Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{ format = string, labels = list(string) }
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
any {} no
eks_component_name The name of the eks component string "eks/cluster" no
enabled Set to false to prevent the module from creating any resources bool null no
environment ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' string null no
forecastle_enabled Toggles Forecastle integration in the deployed chart bool false no
github_base_url This is the target GitHub base API endpoint. Providing a value is a requirement when working with GitHub Enterprise. It is optional to provide this value and it can also be sourced from the GITHUB_BASE_URL environment variable. The value must end with a slash, for example: https://terraformtesting-ghe.westus.cloudapp.azure.com/ string null no
github_default_notifications_enabled Enable default GitHub commit statuses notifications (required for CD sync mode) bool true no
github_organization GitHub Organization string n/a yes
github_token_override Use the value of this variable as the GitHub token instead of reading it from SSM string null no
github_webhook_enabled Enable GitHub webhook integration

Use this to create a secret value and pass it to the argo-cd chart
bool true no
helm_manifest_experiment_enabled Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan bool false no
host Host name to use for ingress and ALB string "" no
id_length_limit Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
number null no
kube_data_auth_enabled If true, use an aws_eks_cluster_auth data source to authenticate to the EKS cluster.
Disabled by kubeconfig_file_enabled or kube_exec_auth_enabled.
bool false no
kube_exec_auth_aws_profile The AWS config profile for aws eks get-token to use string "" no
kube_exec_auth_aws_profile_enabled If true, pass kube_exec_auth_aws_profile as the profile to aws eks get-token bool false no
kube_exec_auth_enabled If true, use the Kubernetes provider exec feature to execute aws eks get-token to authenticate to the EKS cluster.
Disabled by kubeconfig_file_enabled, overrides kube_data_auth_enabled.
bool true no
kube_exec_auth_role_arn The role ARN for aws eks get-token to use string "" no
kube_exec_auth_role_arn_enabled If true, pass kube_exec_auth_role_arn as the role ARN to aws eks get-token bool true no
kubeconfig_context Context to choose from the Kubernetes config file.
If supplied, kubeconfig_context_format will be ignored.
string "" no
kubeconfig_context_format A format string to use for creating the kubectl context name when
kubeconfig_file_enabled is true and kubeconfig_context is not supplied.
Must include a single %s which will be replaced with the cluster name.
string "" no
kubeconfig_exec_auth_api_version The Kubernetes API version of the credentials returned by the exec auth plugin string "client.authentication.k8s.io/v1beta1" no
kubeconfig_file The Kubernetes provider config_path setting to use when kubeconfig_file_enabled is true string "" no
kubeconfig_file_enabled If true, configure the Kubernetes provider with kubeconfig_file and use that kubeconfig file for authenticating to the EKS cluster bool false no
kubernetes_namespace The namespace to install the release into. string "argocd" no
label_key_case Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
string null no
label_order The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
list(string) null no
label_value_case Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
string null no
labels_as_tags Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
set(string)
[
"default"
]
no
name ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
string null no
namespace ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique string null no
notifications_notifiers Notification services (notifiers) to configure.

See: https://argocd-notifications.readthedocs.io/en/stable/triggers/
See: Example value in argocd-notifications Helm Chart
object({
ssm_path_prefix = optional(string, "/argocd/notifications/notifiers")
# service.webhook.:
webhook = optional(map(
object({
url = string
headers = optional(list(
object({
name = string
value = string
})
), [])
insecureSkipVerify = optional(bool, false)
})
))
})
{} no
notifications_templates Notification Templates to configure.

See: https://argocd-notifications.readthedocs.io/en/stable/templates/
See: Example value in argocd-notifications Helm Chart
map(object({
message = string
alertmanager = optional(object({
labels = map(string)
annotations = map(string)
generatorURL = string
}))
webhook = optional(map(
object({
method = optional(string)
path = optional(string)
body = optional(string)
})
))
}))
{} no
notifications_triggers Notification Triggers to configure.

See: https://argocd-notifications.readthedocs.io/en/stable/triggers/
See: Example value in argocd-notifications Helm Chart
map(list(
object({
oncePer = optional(string)
send = list(string)
when = string
})
))
{} no
oidc_enabled Toggles OIDC integration in the deployed chart bool false no
oidc_issuer OIDC issuer URL string "" no
oidc_name Name of the OIDC resource string "" no
oidc_rbac_scopes OIDC RBAC scopes to request string "[argocd_realm_access]" no
oidc_requested_scopes Set of OIDC scopes to request string "[\"openid\", \"profile\", \"email\", \"groups\"]" no
rbac_enabled Enable Service Account for pods. bool true no
regex_replace_chars Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
string null no
region AWS Region. string n/a yes
resources The cpu and memory of the deployment's limits and requests.
object({
limits = object({
cpu = string
memory = string
})
requests = object({
cpu = string
memory = string
})
})
null no
saml_enabled Toggles SAML integration in the deployed chart bool false no
saml_rbac_scopes SAML RBAC scopes to request string "[email,groups]" no
saml_sso_providers SAML SSO providers components
map(object({
component = string
environment = optional(string, null)
}))
{} no
service_type Service type for exposing the ArgoCD service. The available type values and their behaviors are:
ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort).
LoadBalancer: Exposes the Service externally using a cloud provider's load balancer.
string "NodePort" no
slack_notifications ArgoCD Slack notification configuration. Requires Slack Bot created with token stored at the given SSM Parameter path.

See: https://argocd-notifications.readthedocs.io/en/stable/services/slack/
object({
token_ssm_path = optional(string, "/argocd/notifications/notifiers/slack/token")
api_url = optional(string, null)
username = optional(string, "ArgoCD")
icon = optional(string, null)
})
{} no
slack_notifications_enabled Whether or not to enable Slack notifications. See var.slack_notifications. bool false no
ssm_github_api_key SSM path to the GitHub API key string "/argocd/github/api_key" no
ssm_oidc_client_id The SSM Parameter Store path for the ID of the IdP client string "/argocd/oidc/client_id" no
ssm_oidc_client_secret The SSM Parameter Store path for the secret of the IdP client string "/argocd/oidc/client_secret" no
ssm_store_account Account storing SSM parameters string n/a yes
ssm_store_account_region AWS region storing SSM parameters string n/a yes
ssm_store_account_tenant Tenant of the account storing SSM parameters.

If the tenant label is not used, leave this as null.
string null no
stage ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' string null no
tags Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
map(string) {} no
tenant ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for string null no
timeout Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to 300 seconds number 300 no
wait Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to true. bool true no

Outputs

Name Description
github_webhook_value The value of the GitHub webhook secret used for ArgoCD

Tip

👽 Use Atmos with Terraform

Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.

Watch demo of using Atmos with Terraform
Example of running atmos to manage infrastructure from our Quick Start tutorial.

Related Projects

Check out these related projects.

  • Cloud Posse Terraform Modules - Our collection of reusable Terraform modules used by our reference architectures.
  • Atmos - Atmos is like docker-compose but for your infrastructure

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.

✅ We build it together with your team.
✅ Your team owns everything.
✅ 100% Open Source and backed by fanatical support.

Request Quote

📚 Learn More

Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
  • Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
  • Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
  • GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Request Quote

Day-2: Your Operational Mastery

  • Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
  • Support. Benefit from seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
  • Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
  • Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
  • Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
  • Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
  • Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

Request Quote

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For πŸ› bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Review our Code of Conduct and Contributor Guidelines.
  2. Fork the repo on GitHub
  3. Clone the project to your own machine
  4. Commit changes to your own branch
  5. Push your work back up to your fork
  6. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to roll out and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

📰 Newsletter

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week, and usually a 5-minute read.

📆 Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

License

Preamble to the Apache License, Version 2.0

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.


Copyright © 2017-2025 Cloud Posse, LLC