terraform-aws-arc-argocd¶
Overview¶
SourceFuse AWS Reference Architecture (ARC) Terraform module for deploying and managing ArgoCD on Amazon EKS clusters. This module provides a production-ready ArgoCD installation with comprehensive AWS service integrations, following security and operational best practices.
Key Features¶
- GitOps Continuous Delivery: Declarative application deployment and lifecycle management
- AWS Load Balancer Integration: Automated ALB provisioning with HTTPS termination
- Certificate Management: Automatic ACM certificate creation with DNS validation
- DNS Automation: Route53 record creation and management
- Secure AWS Access: IAM Roles for Service Accounts (IRSA) for pod-level permissions
- High Availability: Multi-replica deployment with Redis HA support
- Image Automation: ArgoCD Image Updater for automated container updates
- Multi-Cluster Support: ApplicationSet controller for managing applications across clusters
- Enterprise SSO: Dex integration for GitHub, OIDC, SAML authentication
- Event Notifications: Integration with Slack, email, and webhook services
Architecture¶
The module deploys the following components:
-
ArgoCD Core Components
- Application Controller: Monitors applications and synchronizes desired state
- API Server: Provides API and UI for ArgoCD
- Repository Server: Manages Git repository connections and manifests
- Redis: Caching layer for improved performance
-
AWS Infrastructure
- Application Load Balancer (ALB) for external access
- ACM Certificate for HTTPS encryption
- Route53 DNS records for domain resolution
- IAM roles and policies for AWS service access
-
Optional Components
- ArgoCD Image Updater for automated image updates
- Notifications Controller for event-driven alerts
- Dex for SSO authentication
Prerequisites¶
- Terraform >= 1.6.0
- AWS CLI configured with appropriate credentials
- Existing EKS cluster with OIDC provider enabled
- VPC with public subnets (for internet-facing ALB)
- Route53 hosted zone (optional, for automatic DNS management)
Usage¶
External Access (ALB + HTTPS)¶
With Existing Certificate¶
High Availability Configuration¶
With ArgoCD Resources (Repositories, Projects, Applications)¶
Examples¶
- Complete Example - Full-featured deployment with all options
- EKS Integration - Deploy EKS cluster and ArgoCD together
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | >= 5.0, < 7.0 |
| helm | >= 2.12.1 |
| http | >= 3.0.0 |
| kubectl | >= 2.0.0 |
| kubernetes | >= 2.24.0 |
| time | >= 0.9.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 6.32.1 |
| helm | 3.1.1 |
| kubectl | 2.1.3 |
| kubernetes | 3.0.1 |
| time | 0.13.1 |
Modules¶
No modules.
Resources¶
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_config | ArgoCD admin account configuration. - disable_admin : Disable the built-in admin user (recommended for prod with SSO).- bcrypt_hash : Bcrypt hash of the admin password. Leave empty to auto-generate. |
object({ |
{} |
no |
| applications | Map of ArgoCD applications to create. Each application requires: - repo_url : Git repository URL- target_revision : Git revision (branch, tag, commit)- path : Path within repository- project : ArgoCD project name- destination : Destination cluster and namespace- sync_policy : Sync policy configuration- helm : Helm-specific configuration |
map(object({ |
{} |
no |
| applicationset_config | ApplicationSet controller configuration. - enable : Enable ApplicationSet controller (default: true — ships with ArgoCD chart).- replicas : Number of ApplicationSet controller replicas. |
object({ |
{} |
no |
| argocd_config | Configuration for the ArgoCD Helm release. - enable : Toggle ArgoCD installation (default: true).- name : Helm release name (default: "argocd").- chart : Helm chart name (default: "argo-cd").- helm_repository : Helm chart repository URL.- version : Helm chart version to install.- namespace : Kubernetes namespace for ArgoCD.- create_namespace : Whether to create the namespace if it does not exist.- timeout : Helm install/upgrade timeout in seconds.- wait : Wait for all resources to be ready.- atomic : Rollback on failure.- cleanup_on_fail : Delete new resources on failed install.- helm_release_values : List of YAML value strings for the Helm release.- helm_release_set_values : List of individual set values [{name, value}]. |
object({ |
{} |
no |
| eks_cluster_name | Name of the existing EKS cluster where ArgoCD will be installed. | string |
n/a | yes |
| environment | ID element for the deployment environment (e.g., prod, staging, dev). | string |
n/a | yes |
| ha_config | High availability configuration for ArgoCD. - enable : Enable HA mode with multiple replicas (default: false).- server_replicas : Number of ArgoCD server replicas.- repo_server_replicas : Number of ArgoCD repo-server replicas.- controller_replicas : Number of application controller replicas. |
object({ |
{} |
no |
| image_updater_config | ArgoCD Image Updater configuration for automatic image update detection. - enable : Deploy ArgoCD Image Updater alongside ArgoCD.- chart : Helm chart name (default: "argocd-image-updater").- version : Helm chart version for image updater.- helm_release_values : List of YAML value strings for image updater Helm release.- registries : List of container registries to monitor. |
object({ |
{} |
no |
| ingress_config | Ingress configuration for exposing ArgoCD UI. - enable : Enable ingress resource creation via Helm values.- host : Hostname for ArgoCD UI (e.g., argocd.example.com).- ingress_class_name : Kubernetes ingress class (default: "alb").- annotations : Additional annotations for the ingress resource.- tls_enabled : Enable TLS termination.- acm_certificate_arn: ACM certificate ARN for ALB HTTPS listener.- auto_create_route53_record : Automatically create Route53 A record for the ingress.- route53_zone_name : Route53 hosted zone name (e.g., example.com) for automatic DNS record creation. |
object({ |
{} |
no |
| irsa_config | IAM Roles for Service Accounts (IRSA) configuration. - enable : Create IRSA roles for ArgoCD components.- server_role_name : IAM role name for ArgoCD server.- server_policy_arns : Additional policy ARNs to attach to server role.- repo_server_role_name : IAM role name for repo-server (for private ECR Helm charts, etc.).- repo_server_policy_arns : Additional policy ARNs for repo-server role. |
object({ |
{} |
no |
| namespace | Namespace for the resources. Used as a prefix for resource names. | string |
n/a | yes |
| notifications_config | ArgoCD Notifications controller configuration. - enable : Enable the notifications controller.- triggers : Map of notification triggers.- templates: Map of notification templates.- services : Map of notification services (slack, webhook, email, etc.). |
object({ |
{} |
no |
| projects | Map of ArgoCD projects to create. Each project can have: - description : Project description- source_repos : List of allowed source repositories- destinations : List of allowed destinations- cluster_resource_whitelist : Cluster-scoped resources whitelist- namespace_resource_whitelist : Namespace-scoped resources whitelist |
map(object({ |
{} |
no |
| repositories | Map of ArgoCD repositories to create. Each repository can have: - url : Repository URL (required)- type : Repository type (git, helm) (default: git)- username : Username for authentication- password : Password for authentication- ssh_private_key : SSH private key for authentication- insecure : Skip TLS verification- enable_lfs : Enable Git LFS |
map(object({ |
{} |
no |
| sso_config | SSO / Dex configuration for ArgoCD authentication. - enable : Enable Dex SSO integration.- provider : SSO provider type (e.g., "github", "oidc", "saml").- config : Provider-specific configuration map (clientID, clientSecret, org, etc.). |
object({ |
{} |
no |
| tags | Tags to apply to all resources. | map(string) |
{} |
no |
Outputs¶
| Name | Description |
|---|---|
| acm_certificate_arn | ACM certificate ARN used for ArgoCD ingress. |
| alb_dns_name | DNS name of the ALB created for ArgoCD ingress. |
| applications | Map of created ArgoCD applications. |
| argocd_server_url | The ArgoCD server URL (based on ingress host or cluster-internal service). |
| chart_version | The ArgoCD Helm chart version deployed. |
| image_updater_status | Status of the ArgoCD Image Updater Helm release. |
| name | The name of the ArgoCD Helm release. |
| namespace | The Kubernetes namespace where ArgoCD is installed. |
| projects | Map of created ArgoCD projects. |
| repo_server_iam_role_arn | ARN of the IAM role for the ArgoCD repo-server service account. |
| repositories | Map of created ArgoCD repositories. |
| route53_record_fqdn | FQDN of the Route53 record created for ArgoCD. |
| server_iam_role_arn | ARN of the IAM role for the ArgoCD server service account. |
| status | Status of the ArgoCD Helm release. |
Security Considerations¶
- IRSA: Always enable IRSA for production deployments to follow least-privilege principles
- TLS Termination: Use ACM certificates for HTTPS encryption
- Network Security: Deploy ALB in public subnets, ArgoCD pods in private subnets
- Admin Account: Disable the default admin account when using SSO
- RBAC: Configure proper role-based access control for users and applications
Troubleshooting¶
ArgoCD UI Returns 504 Gateway Timeout¶
Cause: ALB cannot connect to ArgoCD pods or health checks are failing.
Solution:
1. Verify ArgoCD is running in insecure mode: configs.params.server.insecure = true
2. Check ALB backend protocol is HTTP (not HTTPS)
3. Ensure security groups allow traffic from ALB to pods on port 8080
4. Verify target group health: aws elbv2 describe-target-health --target-group-arn <arn>
Certificate Validation Stuck¶
Cause: DNS validation records not created or Route53 zone not accessible.
Solution:
1. Verify Route53 hosted zone exists and is in the same AWS account
2. Check DNS validation records were created: aws acm describe-certificate --certificate-arn <arn>
3. Ensure auto_create_route53_record = true if using automatic validation
4. Wait 5-10 minutes for DNS propagation
Best Practices¶
- Use IRSA: Enable IRSA for secure AWS service access without long-lived credentials
- Enable HA: For production workloads, enable high availability mode
- Separate Environments: Use different namespaces and clusters for dev/staging/prod
- Version Pinning: Pin ArgoCD chart version to avoid unexpected upgrades
- Backup Configuration: Regularly backup ArgoCD configuration and application definitions
- Monitor Resources: Set up CloudWatch alarms for ArgoCD pod health and ALB metrics
- Use SSO: Configure SSO instead of relying on the default admin account
- Network Segmentation: Deploy ArgoCD in private subnets, expose only via ALB
Upgrade Guide¶
Upgrading ArgoCD Version¶
- Review ArgoCD release notes for breaking changes
- Update the version in your configuration:
- Run
terraform planto review changes - Apply during maintenance window:
terraform apply - Verify all applications sync successfully after upgrade
Upgrading Module Version¶
- Review module changelog for breaking changes
- Update module version:
- Run
terraform init -upgrade - Review plan carefully:
terraform plan - Apply changes:
terraform apply
Development¶
Prerequisites¶
Configurations¶
- Configure pre-commit hooks
- Configure golang deps for tests
Git commits¶
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
Tests¶
- Tests are available in
testdirectory
- In the test directory, run the below command
Authors¶
This project is authored by below people
- SourceFuse ARC Team