I'm configuring my AWS EKS cluster, and I am currently setting up ArgoCD as one of the initial applications. The configuration is written entirely with Terraform, using the Helm provider wherever possible. For application repositories, I am using AWS CodeCommit in the same AWS account as the EKS cluster.
I am aiming to enable ArgoCD to read the repository without the need to create an IAM user and assign it a secret. Although it currently functions in this manner, I would prefer ArgoCD to use a role with a policy allowing it to read repositories on CodeCommit. Alternatively, I am open to exploring the option of a role applied to the service account.
I have attempted the latter approach, but unfortunately it does not seem to be working as expected. Any insights or guidance on resolving this issue would be greatly appreciated.
This is my current configuration, which does not work correctly. ArgoCD is up but does not have permission to read a repository:
```hcl
resource "helm_release" "argocd" {
  depends_on = [
    aws_secretsmanager_secret.argocd,
    aws_secretsmanager_secret_version.argocd,
    random_password.argocd,
    module.irsa_vpc_cni,
    module.eks,
    module.vpc,
  ]
  name             = "argocd"
  chart            = "argo-cd"
  repository       = "https://argoproj.github.io/argo-helm"
  namespace        = var.namespace_argocd
  create_namespace = true
  timeout          = "300"
  version          = "6.2.1"
  values           = [templatefile("./platform_apps/argocd/values/argocd_install.yaml", {})]

  set {
    name  = "configs.secret.argocdServerAdminPassword"
    value = local.argo_admin_password
  }
}

module "irsa_argocd" {
  depends_on = [
    helm_release.argocd,
    module.irsa_vpc_cni,
    module.eks,
    module.vpc,
  ]
  source           = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  role_name_prefix = "ll-role-argocd-"

  oidc_providers = {
    ex = {
      provider_arn = module.eks.oidc_provider_arn
      # IRSA trust: "namespace:serviceaccount" pairs allowed to assume this role
      namespace_service_accounts = ["kube-system:${helm_release.argocd.namespace}"]
    }
  }
}

resource "aws_iam_policy" "argocd_irsa_policy" {
  name        = "ArgoCD_IRSA_Policy"
  description = "IAM policy per il SA ArgoCD"
  policy      = file("./platform_apps/argocd/policy/iam_user.json")
}

resource "aws_iam_role_policy_attachment" "argocd_irsa_role_policy_attachment" {
  policy_arn = aws_iam_policy.argocd_irsa_policy.arn
  role       = module.irsa_argocd.iam_role_name
}
```
After that I apply this manifest:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: k8s-lab01-apps-resources
  namespace: argocd
  labels:
    name: k8s-lab01-apps-resources
spec:
  project: default
  source:
    repoURL: https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/xxxxxxxxx
    targetRevision: main
    path: root-directory-of-apps
    directory:
      exclude: 'config.yaml'
      include: '*.yaml'
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
      allowEmpty: false
    syncOptions:
      - Validate=false
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
    - group: argoproj.io
      kind: Application
      jsonPointers:
        - /operation
  revisionHistoryLimit: 10
```
If I apply a Secret manifest containing IAM user credentials with permission to read the CodeCommit repo and then apply the manifest above, everything works, but I would prefer not to use an IAM user with a policy and instead use only a role with a service account. Is that possible?
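Added example, not code from the post: it derives the short-lived git HTTPS username and password that CodeCommit accepts from role credentials (the transformation the AWS CLI credential helper performs), which is what lets a role stand in for a stored IAM user secret. It assumes the helper's canonical-request layout (`GIT` method, `host` header only) and a `git-codecommit.<region>.amazonaws.com` URL; the URL, keys and timestamp below are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholders for the demo (not real credentials or a real repo).
EXAMPLE_URL = "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/example-repo"
EXAMPLE_TIME = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def codecommit_git_credentials(repo_url: str, access_key: str, secret_key: str,
                               session_token: Optional[str] = None,
                               now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (username, password) for git-over-HTTPS to CodeCommit.

    The password is a SigV4 signature over a minimal canonical request, so it is
    bound to the caller's (possibly temporary) AWS credentials and to the signing
    time; CodeCommit treats it as valid for roughly 15 minutes.
    """
    parts = urlsplit(repo_url)
    host = parts.netloc.split(":")[0]                 # drop any explicit port
    region = host.split(".")[1]                       # git-codecommit.<region>.amazonaws.com
    ts = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%S")
    date = ts[:8]
    scope = f"{date}/{region}/codecommit/aws4_request"

    # Canonical request as the credential helper builds it (assumed layout):
    # method, path, empty query, host header, signed-header list, no payload hash.
    canonical = f"GIT\n{parts.path}\n\nhost:{host}\n\nhost\n"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", ts, scope,
        hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    ])

    # Standard SigV4 key derivation chain.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "codecommit")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    # Temporary (role) credentials carry the session token in the username.
    username = access_key if not session_token else f"{access_key}%{session_token}"
    return username, f"{ts}Z{signature}"
```

Credentials produced this way expire after roughly 15 minutes, so a pod relying on IRSA needs something that re-derives them on each fetch rather than a static repository Secret. The IRSA binding above also names `kube-system:argocd`, whereas the module's `namespace_service_accounts` entries take the form `namespace:serviceaccount`, for example `argocd:argocd-repo-server`.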