terraform-aws-arc-argocd¶
Module:
sourcefuse/arc-argocd/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-argocd/aws
Category: DevOps / GitOps
Source: https://github.com/sourcefuse/terraform-aws-arc-argocd
Overview¶
Architecture¶
Deploys ArgoCD on an existing EKS cluster with ALB ingress, ACM certificates, Route53 DNS, and IRSA.
What It Does¶
- ArgoCD Helm release with configurable version
- ALB ingress with ACM certificate (auto-created or existing)
- Route53 A record auto-creation
- IRSA for least-privilege AWS access
- High-availability mode with configurable replicas
- ArgoCD Image Updater for automated image updates
- SSO via Dex (GitHub, OIDC, SAML)
- Repositories, projects, and applications as code
For more information about this repository and its usage, please see Terraform AWS ARGOCD Usage Guide.
SourceFuse AWS Reference Architecture (ARC) Terraform module for deploying and managing ArgoCD on Amazon EKS clusters. This module provides a production-ready ArgoCD installation with comprehensive AWS service integrations, following security and operational best practices.
Key Features¶
- GitOps Continuous Delivery: Declarative application deployment and lifecycle management
- AWS Load Balancer Integration: Automated ALB provisioning with HTTPS termination
- Certificate Management: Automatic ACM certificate creation with DNS validation
- DNS Automation: Route53 record creation and management
- Secure AWS Access: IAM Roles for Service Accounts (IRSA) for pod-level permissions
- High Availability: Multi-replica deployment with Redis HA support
- Image Automation: ArgoCD Image Updater for automated container updates
- Multi-Cluster Support: ApplicationSet controller for managing applications across clusters
- Enterprise SSO: Dex integration for GitHub, OIDC, SAML authentication
- Event Notifications: Integration with Slack, email, and webhook services
The module deploys the following components:
-
ArgoCD Core Components
- Application Controller: Monitors applications and synchronizes desired state
- API Server: Provides API and UI for ArgoCD
- Repository Server: Manages Git repository connections and manifests
- Redis: Caching layer for improved performance
-
AWS Infrastructure
- Application Load Balancer (ALB) for external access
- ACM Certificate for HTTPS encryption
- Route53 DNS records for domain resolution
- IAM roles and policies for AWS service access
-
Optional Components
- ArgoCD Image Updater for automated image updates
- Notifications Controller for event-driven alerts
- Dex for SSO authentication
Prerequisites¶
- Terraform >= 1.6.0
- AWS CLI configured with appropriate credentials
- Existing EKS cluster with OIDC provider enabled
- VPC with public subnets (for internet-facing ALB)
- Route53 hosted zone (optional, for automatic DNS management)
Quickstart¶
External Access (ALB + HTTPS)¶
With Existing Certificate¶
High Availability Configuration¶
With ArgoCD Resources (Repositories, Projects, Applications)¶
Examples¶
- Complete Example - Full-featured deployment with all options
- EKS Integration - Deploy EKS cluster and ArgoCD together
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | >= 5.0, < 7.0 |
| helm | >= 2.12.1 |
| http | >= 3.0.0 |
| kubectl | >= 2.0.0 |
| kubernetes | >= 2.24.0 |
| time | >= 0.9.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 6.32.1 |
| helm | 3.1.1 |
| kubectl | 2.1.3 |
| kubernetes | 3.0.1 |
| time | 0.13.1 |
Modules¶
No modules.
Resources¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
namespace |
string |
Namespace prefix for resource names |
environment |
string |
Deployment environment |
eks_cluster_name |
string |
Name of the existing EKS cluster |
| ## Key Outputs |
| Name | Description |
|---|---|
argocd_server_url |
ArgoCD UI URL |
acm_certificate_arn |
ACM certificate ARN |
server_iam_role_arn |
IRSA role ARN for ArgoCD server |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_config | ArgoCD admin account configuration. - disable_admin : Disable the built-in admin user (recommended for prod with SSO).- bcrypt_hash : Bcrypt hash of the admin password. Leave empty to auto-generate. |
object({ |
{} |
no |
| applications | Map of ArgoCD applications to create. Each application requires: - repo_url : Git repository URL- target_revision : Git revision (branch, tag, commit)- path : Path within repository- project : ArgoCD project name- destination : Destination cluster and namespace- sync_policy : Sync policy configuration- helm : Helm-specific configuration |
map(object({ |
{} |
no |
| applicationset_config | ApplicationSet controller configuration. - enable : Enable ApplicationSet controller (default: true — ships with ArgoCD chart).- replicas : Number of ApplicationSet controller replicas. |
object({ |
{} |
no |
| argocd_config | Configuration for the ArgoCD Helm release. - enable : Toggle ArgoCD installation (default: true).- name : Helm release name (default: "argocd").- chart : Helm chart name (default: "argo-cd").- helm_repository : Helm chart repository URL.- version : Helm chart version to install.- namespace : Kubernetes namespace for ArgoCD.- create_namespace : Whether to create the namespace if it does not exist.- timeout : Helm install/upgrade timeout in seconds.- wait : Wait for all resources to be ready.- atomic : Rollback on failure.- cleanup_on_fail : Delete new resources on failed install.- helm_release_values : List of YAML value strings for the Helm release.- helm_release_set_values : List of individual set values [{name, value}]. |
object({ |
{} |
no |
| eks_cluster_name | Name of the existing EKS cluster where ArgoCD will be installed. | string |
n/a | yes |
| environment | ID element for the deployment environment (e.g., prod, staging, dev). | string |
n/a | yes |
| ha_config | High availability configuration for ArgoCD. - enable : Enable HA mode with multiple replicas (default: false).- server_replicas : Number of ArgoCD server replicas.- repo_server_replicas : Number of ArgoCD repo-server replicas.- controller_replicas : Number of application controller replicas. |
object({ |
{} |
no |
| image_updater_config | ArgoCD Image Updater configuration for automatic image update detection. - enable : Deploy ArgoCD Image Updater alongside ArgoCD.- chart : Helm chart name (default: "argocd-image-updater").- version : Helm chart version for image updater.- helm_release_values : List of YAML value strings for image updater Helm release.- registries : List of container registries to monitor. |
object({ |
{} |
no |
| ingress_config | Ingress configuration for exposing ArgoCD UI. - enable : Enable ingress resource creation via Helm values.- host : Hostname for ArgoCD UI (e.g., argocd.example.com).- ingress_class_name : Kubernetes ingress class (default: "alb").- annotations : Additional annotations for the ingress resource.- tls_enabled : Enable TLS termination.- acm_certificate_arn: ACM certificate ARN for ALB HTTPS listener.- auto_create_route53_record : Automatically create Route53 A record for the ingress.- route53_zone_name : Route53 hosted zone name (e.g., example.com) for automatic DNS record creation. |
object({ |
{} |
no |
| irsa_config | IAM Roles for Service Accounts (IRSA) configuration. - enable : Create IRSA roles for ArgoCD components.- server_role_name : IAM role name for ArgoCD server.- server_policy_arns : Additional policy ARNs to attach to server role.- repo_server_role_name : IAM role name for repo-server (for private ECR Helm charts, etc.).- repo_server_policy_arns : Additional policy ARNs for repo-server role. |
object({ |
{} |
no |
| namespace | Namespace for the resources. Used as a prefix for resource names. | string |
n/a | yes |
| notifications_config | ArgoCD Notifications controller configuration. - enable : Enable the notifications controller.- triggers : Map of notification triggers.- templates: Map of notification templates.- services : Map of notification services (slack, webhook, email, etc.). |
object({ |
{} |
no |
| projects | Map of ArgoCD projects to create. Each project can have: - description : Project description- source_repos : List of allowed source repositories- destinations : List of allowed destinations- cluster_resource_whitelist : Cluster-scoped resources whitelist- namespace_resource_whitelist : Namespace-scoped resources whitelist |
map(object({ |
{} |
no |
| repositories | Map of ArgoCD repositories to create. Each repository can have: - url : Repository URL (required)- type : Repository type (git, helm) (default: git)- username : Username for authentication- password : Password for authentication- ssh_private_key : SSH private key for authentication- insecure : Skip TLS verification- enable_lfs : Enable Git LFS |
map(object({ |
{} |
no |
| sso_config | SSO / Dex configuration for ArgoCD authentication. - enable : Enable Dex SSO integration.- provider : SSO provider type (e.g., "github", "oidc", "saml").- config : Provider-specific configuration map (clientID, clientSecret, org, etc.). |
object({ |
{} |
no |
| tags | Tags to apply to all resources. | map(string) |
{} |
no |
Outputs¶
| Name | Description |
|---|---|
| acm_certificate_arn | ACM certificate ARN used for ArgoCD ingress. |
| alb_dns_name | DNS name of the ALB created for ArgoCD ingress. |
| applications | Map of created ArgoCD applications. |
| argocd_server_url | The ArgoCD server URL (based on ingress host or cluster-internal service). |
| chart_version | The ArgoCD Helm chart version deployed. |
| image_updater_status | Status of the ArgoCD Image Updater Helm release. |
| name | The name of the ArgoCD Helm release. |
| namespace | The Kubernetes namespace where ArgoCD is installed. |
| projects | Map of created ArgoCD projects. |
| repo_server_iam_role_arn | ARN of the IAM role for the ArgoCD repo-server service account. |
| repositories | Map of created ArgoCD repositories. |
| route53_record_fqdn | FQDN of the Route53 record created for ArgoCD. |
| server_iam_role_arn | ARN of the IAM role for the ArgoCD server service account. |
| status | Status of the ArgoCD Helm release. |
Security Considerations¶
- IRSA: Always enable IRSA for production deployments to follow least-privilege principles
- TLS Termination: Use ACM certificates for HTTPS encryption
- Network Security: Deploy ALB in public subnets, ArgoCD pods in private subnets
- Admin Account: Disable the default admin account when using SSO
- RBAC: Configure proper role-based access control for users and applications
Troubleshooting¶
ArgoCD UI Returns 504 Gateway Timeout¶
Cause: ALB cannot connect to ArgoCD pods or health checks are failing.
Solution:
1. Verify ArgoCD is running in insecure mode: configs.params.server.insecure = true
2. Check ALB backend protocol is HTTP (not HTTPS)
3. Ensure security groups allow traffic from ALB to pods on port 8080
4. Verify target group health: aws elbv2 describe-target-health --target-group-arn <arn>
Certificate Validation Stuck¶
Cause: DNS validation records not created or Route53 zone not accessible.
Solution:
1. Verify Route53 hosted zone exists and is in the same AWS account
2. Check DNS validation records were created: aws acm describe-certificate --certificate-arn <arn>
3. Ensure auto_create_route53_record = true if using automatic validation
4. Wait 5-10 minutes for DNS propagation
Best Practices¶
- Use IRSA: Enable IRSA for secure AWS service access without long-lived credentials
- Enable HA: For production workloads, enable high availability mode
- Separate Environments: Use different namespaces and clusters for dev/staging/prod
- Version Pinning: Pin ArgoCD chart version to avoid unexpected upgrades
- Backup Configuration: Regularly backup ArgoCD configuration and application definitions
- Monitor Resources: Set up CloudWatch alarms for ArgoCD pod health and ALB metrics
- Use SSO: Configure SSO instead of relying on the default admin account
- Network Segmentation: Deploy ArgoCD in private subnets, expose only via ALB
Upgrade Guide¶
Upgrading ArgoCD Version¶
- Review ArgoCD release notes for breaking changes
- Update the version in your configuration:
- Run
terraform planto review changes - Apply during maintenance window:
terraform apply - Verify all applications sync successfully after upgrade
Upgrading Module Version¶
- Review module changelog for breaking changes
- Update module version:
- Run
terraform init -upgrade - Review plan carefully:
terraform plan - Apply changes:
terraform apply
Development¶
Prerequisites¶
Configurations¶
- Configure pre-commit hooks
- Configure golang deps for tests
Git commits¶
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
Tests¶
- Tests are available in
testdirectory
- In the test directory, run the below command
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse ARC Team