Terraform AWS ARC ArgoCD Module Usage Guide¶
Introduction¶
Purpose of the Document¶
This document provides comprehensive guidelines and instructions for users implementing the Terraform AWS ARC ArgoCD module for deploying and managing ArgoCD on Amazon EKS clusters.
Module Overview¶
The Terraform AWS ARC ArgoCD module provides a secure, production-ready foundation for deploying ArgoCD on AWS EKS. It automates the deployment of ArgoCD with integrated AWS services including Application Load Balancer, ACM certificates, Route53 DNS, and IAM Roles for Service Accounts (IRSA).
Key Capabilities: - GitOps continuous delivery with ArgoCD - Automated AWS infrastructure provisioning - Secure pod-level AWS access via IRSA - High availability configurations - Enterprise SSO integration - Automated image update detection
Prerequisites¶
Before using this module, ensure you have the following:
- AWS Credentials: Configured with appropriate IAM permissions
- Terraform: Version >= 1.6.0 installed
- Existing EKS Cluster: With OIDC provider enabled
- kubectl: Configured to access your EKS cluster
- VPC Configuration: With public and private subnets
- Route53 Hosted Zone: (Optional) For automatic DNS management
- Working Knowledge: AWS EKS, Kubernetes, Helm, and Terraform concepts
Getting Started¶
Module Source¶
To use the module in your Terraform configuration, include the following source block:
Refer to the Terraform Registry for the latest version.
Integration with Existing Terraform Configurations¶
To integrate the module with your existing Terraform mono repo configuration:
-
Create Module Directory
-
Create Required Files
main.tf- Module configurationvariables.tf- Input variablesoutputs.tf- Output valuesproviders.tf- Provider configurationbackend.tf- Backend configuration
-
Configure Backend
Create environment-specific backend configuration:
config.prod.hcl -
Initialize and Apply
Required AWS Permissions¶
Ensure that the AWS credentials used to execute Terraform have the necessary permissions to create, list, and modify:
- IAM Resources
- IAM roles and policies
- IAM role policy attachments
- OIDC provider trust relationships
- Certificate Manager (ACM)
- ACM certificates
- Certificate validation
- Route53
- Hosted zones (read)
- DNS records (create, update, delete)
- Elastic Load Balancing
- Application Load Balancers
- Target groups
- Listeners
- EKS/Kubernetes
- Kubernetes resources via EKS API
- Helm releases
- Service accounts
- EC2
- VPC and subnet information (read)
- Security groups (read)
Module Configuration¶
Input Variables¶
For a complete list of input variables with descriptions and types, see the README Inputs section.
Core Required Variables:
- namespace - Resource namespace prefix
- environment - Deployment environment (dev, staging, prod)
- eks_cluster_name - EKS cluster name
- eks_cluster_endpoint - EKS API endpoint
- eks_oidc_provider_url - OIDC provider URL
- eks_oidc_provider_arn - OIDC provider ARN
Key Optional Variables:
- argocd_config - ArgoCD Helm configuration
- ingress_config - ALB and ingress settings
- irsa_config - IAM roles for service accounts
- ha_config - High availability settings
- image_updater_config - Image updater configuration
Output Values¶
For a complete list of outputs, see the README Outputs section.
Key Outputs:
- argocd_server_url - ArgoCD UI URL
- server_iam_role_arn - Server IRSA role ARN
- repo_server_iam_role_arn - Repo-server IRSA role ARN
- acm_certificate_arn - ACM certificate ARN
- route53_record_fqdn - DNS record FQDN
Module Usage¶
Basic Usage¶
For basic usage without external access:
This basic example creates: - ArgoCD server, repo-server, and application controller - Redis cache - Internal Kubernetes service (no external access)
Production Usage with External Access¶
For production deployments with HTTPS access:
Tips and Recommendations¶
- Use IRSA: Always enable IRSA for production deployments to follow AWS security best practices
- Enable HA: For production workloads, enable high availability mode with multiple replicas
- Version Pinning: Pin the ArgoCD chart version to avoid unexpected upgrades
- Separate Environments: Use different namespaces and clusters for dev/staging/prod
- Backup Strategy: Regularly backup ArgoCD configuration and application definitions
- Monitoring: Set up CloudWatch alarms for ArgoCD pod health and ALB metrics
- Network Segmentation: Deploy ArgoCD pods in private subnets, expose only via ALB
- SSO Integration: Configure enterprise SSO instead of using the default admin account
Advanced Configurations¶
High Availability Setup¶
Image Updater Integration¶
SSO Configuration¶
Custom Helm Values¶
Troubleshooting¶
Common Issues¶
1. ArgoCD UI Returns 504 Gateway Timeout¶
Symptoms: ALB returns 504 error when accessing ArgoCD UI
Causes: - ArgoCD server not running in insecure mode - Security groups blocking traffic - Health check configuration incorrect
Solutions:
2. Certificate Validation Stuck¶
Symptoms: ACM certificate stuck in "Pending Validation"
Causes: - DNS validation records not created - Route53 zone not accessible - DNS propagation delay
Solutions:
3. IRSA Not Working¶
Symptoms: ArgoCD pods cannot access AWS services
Causes: - Service account annotations missing - OIDC provider not configured - IAM role trust policy incorrect
Solutions:
Reporting Issues¶
If you encounter a bug or issue, please report it on the GitHub repository with:
- Terraform version
- Module version
- Error messages and logs
- Steps to reproduce
- Expected vs actual behavior
Security Considerations¶
Network Security¶
- Private Subnets: Deploy ArgoCD pods in private subnets
- Security Groups: Restrict ingress to ALB only
- TLS Termination: Always use HTTPS with ACM certificates
- Network Policies: Implement Kubernetes network policies
Access Control¶
- IRSA: Use IAM roles for service accounts instead of long-lived credentials
- RBAC: Configure Kubernetes RBAC for ArgoCD access
- SSO: Enable enterprise SSO for user authentication
- Admin Account: Disable or rotate admin password after SSO setup
Best Practices for AWS ArgoCD¶
Follow these security best practices:
- Least Privilege: Grant minimum required IAM permissions
- Encryption: Enable encryption at rest and in transit
- Audit Logging: Enable ArgoCD audit logs and CloudWatch logging
- Secret Management: Use AWS Secrets Manager or Parameter Store
- Image Scanning: Scan container images for vulnerabilities
- Regular Updates: Keep ArgoCD and dependencies up to date
References: - ArgoCD Security Best Practices - EKS Security Best Practices - AWS Well-Architected Framework
Examples¶
Complete Example¶
See the complete example for a full-featured deployment with: - External ALB access - ACM certificate creation - Route53 DNS automation - IRSA configuration
EKS Integration Example¶
See the EKS integration example for deploying both EKS and ArgoCD together.
Contributing and Community Support¶
Contributing Guidelines¶
Contribute to the module by following the guidelines outlined in the CONTRIBUTING.md file.
Contribution Process: 1. Fork the repository 2. Create a feature branch 3. Make your changes 4. Add tests if applicable 5. Submit a pull request
Reporting Bugs and Issues¶
If you find a bug or issue, report it on the GitHub repository.
Include: - Clear description of the issue - Steps to reproduce - Expected behavior - Actual behavior - Environment details
License¶
License Information¶
This module is licensed under the Apache 2.0 license. Refer to the LICENSE file for more details.
Open Source Contribution¶
Contribute to open source by using and enhancing this module. Your contributions are welcome!
Additional Resources¶
- ArgoCD Official Documentation
- AWS Load Balancer Controller
- EKS User Guide
- Terraform AWS Provider
- Module GitHub Repository
Support¶
For commercial support and consulting services:
- Website: SourceFuse
- Email: support@sourcefuse.com
- GitHub Issues: Report Issues