Initial commit

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-argocd-github-repo
+  description: This component is responsible for creating and managing an ArgoCD desired state repository
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

CHANGELOG.md

@@ -0,0 +1,38 @@
+## Components PR [#851](https://github.com/cloudposse/terraform-aws-components/pull/851)
+
+This is a bug fix and feature enhancement update. There are few actions necessary to upgrade.
+
+## Upgrade actions
+
+1. Enable `github_default_notifications_enabled` (set `true`)
+
+```yaml
+components:
+  terraform:
+    argocd-repo-defaults:
+      metadata:
+        type: abstract
+      vars:
+        enabled: true
+        github_default_notifications_enabled: true
+```
+
+2. Apply changes with Atmos
+
+## Features
+
+- Support predefined GitHub commit status notifications for CD sync mode:
+  - `on-deploy-started`
+    - `app-repo-github-commit-status`
+    - `argocd-repo-github-commit-status`
+  - `on-deploy-succeded`
+    - `app-repo-github-commit-status`
+    - `argocd-repo-github-commit-status`
+  - `on-deploy-failed`
+    - `app-repo-github-commit-status`
+    - `argocd-repo-github-commit-status`
+
+### Bug Fixes
+
+- Remove legacy unnecessary helm values used in old ArgoCD versions (ex. `workflow auth` configs) and dropped
+  notifications services

src/applicationset.tf

@@ -0,0 +1,26 @@
+locals {
+  github_default_notifications_enabled = local.enabled && var.github_default_notifications_enabled
+  github_notifications                 = local.github_default_notifications_enabled ? var.github_notifications : []
+}
+
+resource "github_repository_file" "application_set" {
+  for_each = local.environments
+
+  repository = local.github_repository.name
+  branch     = local.github_repository.default_branch
+  file       = "${each.value.tenant != null ? format("%s/", each.value.tenant) : ""}${each.value.environment}-${each.value.stage}${length(each.value.attributes) > 0 ? format("-%s", join("-", each.value.attributes)) : ""}/${local.manifest_kubernetes_namespace}/applicationset.yaml"
+  content = templatefile("${path.module}/templates/applicationset.yaml.tpl", {
+    environment                 = each.key
+    auto-sync                   = each.value.auto-sync
+    ignore-differences          = each.value.ignore-differences
+    name                        = module.this.namespace
+    namespace                   = local.manifest_kubernetes_namespace
+    ssh_url                     = local.github_repository.ssh_clone_url
+    notifications               = local.github_notifications
+    slack_notifications_channel = var.slack_notifications_channel
+  })
+  commit_message      = "Initialize environment: `${each.key}`."
+  commit_author       = var.github_user
+  commit_email        = var.github_user_email
+  overwrite_on_create = true
+}

src/git-files.tf

@@ -0,0 +1,59 @@
+resource "github_repository_file" "gitignore" {
+  count = local.enabled ? 1 : 0
+
+  repository = local.github_repository.name
+  branch     = local.github_repository.default_branch
+  file       = ".gitignore"
+  content = templatefile("${path.module}/templates/.gitignore.tpl", {
+    entries = var.gitignore_entries
+  })
+  commit_message      = "Create .gitignore file."
+  commit_author       = var.github_user
+  commit_email        = var.github_user_email
+  overwrite_on_create = true
+}
+
+resource "github_repository_file" "readme" {
+  count = local.enabled ? 1 : 0
+
+  repository = local.github_repository.name
+  branch     = local.github_repository.default_branch
+  file       = "README.md"
+  content = templatefile("${path.module}/templates/README.md.tpl", {
+    repository_name        = local.github_repository.name
+    repository_description = local.github_repository.description
+    github_organization    = var.github_organization
+  })
+  commit_message      = "Create README.md file."
+  commit_author       = var.github_user
+  commit_email        = var.github_user_email
+  overwrite_on_create = true
+}
+
+resource "github_repository_file" "codeowners_file" {
+  count = local.enabled ? 1 : 0
+
+  repository = local.github_repository.name
+  branch     = local.github_repository.default_branch
+  file       = ".github/CODEOWNERS"
+  content = templatefile("${path.module}/templates/CODEOWNERS.tpl", {
+    codeowners = var.github_codeowner_teams
+  })
+  commit_message      = "Create CODEOWNERS file."
+  commit_author       = var.github_user
+  commit_email        = var.github_user_email
+  overwrite_on_create = true
+}
+
+resource "github_repository_file" "pull_request_template" {
+  count = local.enabled ? 1 : 0
+
+  repository          = local.github_repository.name
+  branch              = local.github_repository.default_branch
+  file                = ".github/PULL_REQUEST_TEMPLATE.md"
+  content             = file("${path.module}/templates/PULL_REQUEST_TEMPLATE.md")
+  commit_message      = "Create PULL_REQUEST_TEMPLATE.md file."
+  commit_author       = var.github_user
+  commit_email        = var.github_user_email
+  overwrite_on_create = true
+}

src/main.tf

@@ -1,8 +1,133 @@
 locals {
   enabled = module.this.enabled
+
+  environments = local.enabled ? {
+    for env in var.environments :
+    (format(
+      "${env.tenant != null ? "%[1]s/" : ""}%[2]s-%[3]s${length(env.attributes) > 0 ? "-%[4]s" : "%[4]s"}",
+      env.tenant,
+      env.environment,
+      env.stage,
+      join("-", env.attributes)
+    )) => env
+  } : {}
+
+  manifest_kubernetes_namespace = var.manifest_kubernetes_namespace
+
+  team_slugs = toset(compact([
+    for permission in var.permissions : lookup(permission, "team_slug", null)
+  ]))
+
+  team_ids = [
+    for team in data.github_team.default : team.id
+  ]
+
+  team_permissions = {
+    for index, id in local.team_ids : (var.permissions[index].team_slug) => {
+      id         = id
+      permission = var.permissions[index].permission
+    }
+  }
+
+  empty_repo = {
+    name           = ""
+    default_branch = ""
+  }
+
+  github_repository = try((var.create_repo ? github_repository.default : data.github_repository.default)[0], local.empty_repo)
+}
+
+data "github_repository" "default" {
+  count = local.enabled && !var.create_repo ? 1 : 0
+  name  = var.name
+}
+
+resource "github_repository" "default" {
+  count = local.enabled && var.create_repo ? 1 : 0
+
+  name        = module.this.name
+  description = var.description
+  auto_init   = true # will create a 'main' branch
+
+  visibility           = "private"
+  vulnerability_alerts = var.vulnerability_alerts_enabled
+
+  web_commit_signoff_required = var.web_commit_signoff_required
+}
+
+resource "github_branch_default" "default" {
+  count = local.enabled ? 1 : 0
+
+  repository = local.github_repository.name
+  branch     = local.github_repository.default_branch
 }
 
+data "github_user" "automation_user" {
+  count = local.enabled ? 1 : 0
 
+  username = var.github_user
+}
+
+resource "github_branch_protection" "default" {
+  # This resource enforces PRs needing to be opened in order for changes to be made, except for automated commits to
+  # the main branch. Those commits made by the automation user, which is an admin.
+  count = local.enabled ? 1 : 0
+
+  repository_id = local.github_repository.name
+
+  pattern          = join("", github_branch_default.default[*].branch)
+  enforce_admins   = false # needs to be false in order to allow automation user to push
+  allows_deletions = true
+
+  dynamic "required_pull_request_reviews" {
+    for_each = var.required_pull_request_reviews ? [0] : []
+    content {
+      dismiss_stale_reviews      = true
+      restrict_dismissals        = true
+      require_code_owner_reviews = true
+    }
+  }
 
+  restrict_pushes {
+    blocks_creations = var.restrict_pushes_blocks_creations
+    push_allowances = var.push_restrictions_enabled ? [
+      join("", data.github_user.automation_user[*].node_id),
+    ] : []
+  }
 
+  lifecycle {
+    ignore_changes = [
+      restrict_pushes[0].push_allowances
+    ]
+  }
+}
+
+data "github_team" "default" {
+  for_each = local.team_slugs
+
+  slug = each.value
+}
 
+resource "github_team_repository" "default" {
+  for_each = local.team_permissions
+
+  repository = local.github_repository.name
+  team_id    = each.value.id
+  permission = each.value.permission
+}
+
+resource "tls_private_key" "default" {
+  for_each = local.environments
+
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "github_repository_deploy_key" "default" {
+  for_each = local.environments
+
+  title      = "Deploy key for ArgoCD environment: ${each.key} (${local.github_repository.default_branch} branch)"
+  repository = local.github_repository.name
+  key        = tls_private_key.default[each.key].public_key_openssh
+  read_only  = true
+}

src/outputs.tf

@@ -1,4 +1,39 @@
-output "mock" {
-  description = "Mock output example for the Cloud Posse Terraform component template"
-  value       = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "deploy_keys_ssm_paths" {
+  description = "SSM Parameter Store paths for the repository's deploy keys"
+  value       = module.store_write.names
+}
+
+output "deploy_keys_ssm_path_format" {
+  description = "SSM Parameter Store path format for the repository's deploy keys"
+  value       = local.enabled ? var.ssm_github_deploy_key_format : null
+}
+
+output "repository" {
+  description = "Repository name"
+  value       = local.enabled && var.create_repo ? module.this.name : var.name
+}
+
+output "repository_description" {
+  description = "Repository description"
+  value       = local.github_repository.description
+}
+
+output "repository_default_branch" {
+  description = "Repository default branch"
+  value       = local.github_repository.default_branch
+}
+
+output "repository_url" {
+  description = "Repository URL"
+  value       = local.github_repository.html_url
+}
+
+output "repository_git_clone_url" {
+  description = "Repository git clone URL"
+  value       = local.github_repository.git_clone_url
+}
+
+output "repository_ssh_clone_url" {
+  description = "Repository SSH clone URL"
+  value       = local.github_repository.ssh_clone_url
 }

src/provider-github.tf

@@ -0,0 +1,32 @@
+locals {
+  github_token = local.enabled ? coalesce(var.github_token_override, data.aws_ssm_parameter.github_api_key[0].value) : ""
+}
+
+data "aws_ssm_parameter" "github_api_key" {
+  count           = local.enabled ? 1 : 0
+  name            = var.ssm_github_api_key
+  with_decryption = true
+}
+
+module "store_write" {
+  source  = "cloudposse/ssm-parameter-store/aws"
+  version = "0.11.0"
+
+  parameter_write = [for k, v in local.environments :
+    {
+      name        = format(var.ssm_github_deploy_key_format, k)
+      value       = tls_private_key.default[k].private_key_pem
+      type        = "SecureString"
+      overwrite   = true
+      description = github_repository_deploy_key.default[k].title
+    }
+  ]
+
+  context = module.this.context
+}
+
+provider "github" {
+  base_url = var.github_base_url
+  owner    = var.github_organization
+  token    = local.github_token
+}

src/providers.tf

@@ -0,0 +1,19 @@
+provider "aws" {
+  region = var.region
+
+  # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
+  profile = module.iam_roles.terraform_profile_name
+
+  dynamic "assume_role" {
+    # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
+    for_each = compact([module.iam_roles.terraform_role_arn])
+    content {
+      role_arn = module.iam_roles.terraform_role_arn
+    }
+  }
+}
+
+module "iam_roles" {
+  source  = "../account-map/modules/iam-roles"
+  context = module.this.context
+}

src/templates/.gitignore.tpl

@@ -0,0 +1,6 @@
+# This file has been programmatically generated and committed by the argocd-repo Terraform component in the infrastructure
+# monorepo. It can be updated to contain further entries by adjusting var.gitignore_entries in the aforementioned component.
+
+%{ for entry in entries ~}
+${entry}
+%{ endfor ~}

src/templates/CODEOWNERS.tpl

@@ -0,0 +1,4 @@
+# Use this file to define individuals or teams that are responsible for code in a repository.
+# Read more: https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners
+
+* %{ for codeowner in codeowners }${codeowner} %{ endfor }

src/templates/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,15 @@
+## what
+
+- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
+- Use bullet points to be concise and to the point.
+
+## why
+
+- Provide the justifications for the changes (e.g. business case).
+- Describe why these changes were made (e.g. why do these commits fix the problem?)
+- Use bullet points to be concise and to the point.
+
+## references
+
+- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
+- Use `closes #123`, if this PR closes a GitHub issue `#123`