argoproj/argo-cd!17064 terraform
#
# ArgoCD Config - Clusters
#
resource "kubernetes_manifest" "clusters" {
  # Argo CD runs only in the management cluster, so the cluster Secrets are
  # rendered there and nowhere else (the filter yields an empty map otherwise).
  for_each = {
    for key, cluster in var.argo_managed_clusters : key => cluster
    if var.env_code == "mgmt"
  }

  manifest = {
    apiVersion = "v1"
    kind       = "Secret"
    type       = "Opaque"

    metadata = {
      name      = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}-secret"
      namespace = "argo-cd"
      labels = {
        # This label is what makes Argo CD pick the Secret up as a cluster definition.
        "argocd.argoproj.io/secret-type" = "cluster"
        environment                      = each.value.env_code
        "${var.root_zone_fqdn}/account"  = "${each.value.account_id}"
        # NOTE(review): the region label is filled from account_id, which looks
        # like a copy/paste slip — confirm the intended source attribute.
        "${var.root_zone_fqdn}/region"            = "${each.value.account_id}"
        "${var.root_zone_fqdn}/cluster-name"      = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}"
        "${var.root_zone_fqdn}/cluster-full-name" = each.value.cluster_key
        "${var.root_zone_fqdn}/cluster-color"     = each.value.cluster_code
        "${var.root_zone_fqdn}/k8s-version"       = each.value.k8s_version
      }
    }

    # Secret `data` values have to be base64-encoded. Note that the rendered
    # manifest (encoded values included) is also persisted in Terraform state.
    data = {
      name = base64encode("${var.company_name}-${each.value.env_code}-${each.value.cluster_code}")
      # The management cluster is addressed in-cluster; every other cluster
      # through its API endpoint.
      server = base64encode(each.value.env_code == "mgmt" ? "https://kubernetes.default.svc" : each.value.cluster_endpoint)
      config = base64encode(jsonencode({
        awsAuthConfig = {
          clusterName = "${each.value.cluster_key}"
          # Role assumed in the target account; its trust policy must admit the
          # management account's pod identity role.
          roleARN = "arn:aws:iam::${each.value.account_id}:role/ArgoCDDeployerRole"
        }
        tlsClientConfig = {
          caData = each.value.cluster_ca_data
        }
      }))
    }
  }

  field_manager {
    # Overwrite fields already owned by another field manager instead of failing.
    force_conflicts = true
  }
}
#
# Pod Identity
#
resource "aws_iam_role" "argocd_pod_identity_role" {
  name        = "ArgoCDPodIdentityRole"
  description = "Role to give ArgoCD access"

  # Trust policy: only the EKS Pod Identity service, acting for the named
  # cluster, may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "pods.eks.amazonaws.com"
        }
        Action = ["sts:AssumeRole", "sts:TagSession"]
        Condition = {
          # NOTE(review): SourceAccount is pinned to the management account while
          # SourceArn is built from var.account_id; if the two ever differ the
          # trust policy can never be satisfied. Presumably both are meant to be
          # the account this role lives in — confirm.
          StringEquals = {
            "aws:SourceAccount" = "${local.mgmt_account_id}"
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:eks:${var.region_code}:${var.account_id}:cluster/${local.cluster_name}"
          }
        }
      }
    ]
  })

  # First hop of the cross-account chain: this role may only assume the
  # deployer role in each managed cluster's account, nothing else.
  # NOTE(review): inline_policy is deprecated in recent AWS provider releases
  # in favour of a separate aws_iam_role_policy resource.
  inline_policy {
    name = "AssumeRole"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = ["sts:AssumeRole", "sts:TagSession"]
          Resource = [
            for cluster in var.argo_managed_clusters :
            "arn:aws:iam::${cluster.account_id}:role/ArgoCDDeployerRole"
          ]
        }
      ]
    })
  }
}
resource "aws_iam_role" "argocd_deployer_role" {
  name        = "ArgoCDDeployerRole"
  description = "Role for ArgoCD deployment"

  # Second hop of the chain: only the management account's pod identity role
  # may assume this role. Note the principal is the role ARN itself, so the
  # trust survives role re-creation only while the name is unchanged.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.mgmt_account_id}:role/ArgoCDPodIdentityRole"
        }
        Action = ["sts:AssumeRole", "sts:TagSession"]
      }
    ]
  })

  # AWS-side permissions the deployer needs around the cluster. Kubernetes RBAC
  # for this role is not granted here; nothing in this file associates an EKS
  # access entry or access policy with it, so that presumably lives elsewhere.
  # NOTE(review): every statement below uses Resource = "*". The EKS actions
  # could be limited to the target cluster ARN and the SSM reads to the
  # parameter path actually consumed — confirm what is read and scope down.
  inline_policy {
    name = "EKSAccess"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:AccessKubernetesApi",
            "eks:ListNodegroups",
            "eks:DescribeNodegroup",
            "eks:ListUpdates",
            "eks:ListFargateProfiles",
          ]
          Resource = "*"
        },
        {
          Effect   = "Allow"
          Action   = ["iam:GetRole", "iam:ListAttachedRolePolicies"]
          Resource = "*"
        },
        {
          Effect   = "Allow"
          Action   = ["ssm:GetParameter", "ssm:GetParameters"]
          Resource = "*"
        },
      ]
    })
  }
}
resource "aws_eks_access_entry" "argo_cd_pod_identity" {
  # Registers the pod identity role as an authenticated principal on this
  # cluster. With no groups and no access policy association in this file,
  # the entry by itself carries no Kubernetes permissions.
  # Unlike the pod identity associations below, this is not gated on env_code.
  cluster_name      = local.cluster_name
  principal_arn     = aws_iam_role.argocd_pod_identity_role.arn
  type              = "STANDARD"
  kubernetes_groups = []
}
# Not sure if all of these are necessary
resource "aws_eks_pod_identity_association" "argo_cd_application_controller" {
  # Only the management cluster runs Argo CD, so the binding exists only there.
  count = var.env_code == "mgmt" ? 1 : 0

  cluster_name    = local.cluster_name
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
  namespace       = "argo-cd"
  # The application controller is the component that reconciles against
  # managed clusters, so it needs the role to assume the deployer roles.
  service_account = "argocd-application-controller"
}
resource "aws_eks_pod_identity_association" "argo_cd_applicationset_controller" {
  # Only the management cluster runs Argo CD, so the binding exists only there.
  count = var.env_code == "mgmt" ? 1 : 0

  cluster_name    = local.cluster_name
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
  namespace       = "argo-cd"
  # Presumably needed for generators that read from managed clusters — confirm
  # against the ApplicationSets in use before keeping this binding.
  service_account = "argocd-applicationset-controller"
}
resource "aws_eks_pod_identity_association" "argo_cd_server" {
  # Only the management cluster runs Argo CD, so the binding exists only there.
  count = var.env_code == "mgmt" ? 1 : 0

  cluster_name    = local.cluster_name
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
  namespace       = "argo-cd"
  # Binding the API server grants the same cross-account reach to the UI/CLI
  # path; drop it if the server never needs to talk to managed clusters.
  service_account = "argocd-server"
}