diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0dfd2574..d9842f09 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,104 +6,30 @@ on: tags: ["v*"] jobs: - draft_release: - name: Draft release + goreleaser: runs-on: ubuntu-latest - outputs: - tag: ${{ steps.get_tag.outputs.tag }} - release_id: ${{ steps.create_draft_release.outputs.release_id }} - upload_url: ${{ steps.create_draft_release.outputs.upload_url }} steps: - - name: Get tag - id: get_tag - shell: bash - # Github actions does not make getting the tag name easy... - run: echo "::set-output name=tag::${GITHUB_REF#refs\/tags\/}" - - # actions/create_release official action returns 'untagged-XXX' as release tag (bug). - - name: Create draft Release - id: create_draft_release - shell: bash - env: - tag: ${{ steps.get_tag.outputs.tag }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - RESULT=$(curl -sfL -H "Authorization: token ${GITHUB_TOKEN}" -XPOST --data '{"tag_name":"${{ env.tag }}","name":"${{ env.tag }}","draft":true}' https://api.github.com/repos/${{ github.repository }}/releases) - - RELEASE_ID=$(echo $RESULT | jq -r .id) - UPLOAD_URL=$(echo $RESULT | jq -r .upload_url) - - echo "::set-output name=release_id::${RELEASE_ID}" - echo "::set-output name=upload_url::${UPLOAD_URL}" - - assets: - name: Assets - needs: draft_release - strategy: - fail-fast: true - matrix: - arch: [amd64, 386, arm] - os: [linux, darwin, windows] - exclude: - - os: darwin - arch: 386 - - os: darwin - arch: arm - - os: windows - arch: arm - runs-on: ubuntu-latest - env: - asset: terraform-provider-argocd_${{ needs.draft_release.outputs.tag }}_${{ matrix.os }}_${{ matrix.arch }}.gz - asset_build: terraform-provider-argocd_${{ needs.draft_release.outputs.tag }} - asset_gzip_suffix: _${{ matrix.os }}_${{ matrix.arch }}.gz - upload_url: ${{ needs.draft_release.outputs.upload_url }} - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - uses: actions/setup-go@v1 - with: - go-version: 1.14 - - - name: Restore Go cache - uses: actions/cache@v1 - with: - path: ~/go/pkg/mod - key: ${{ matrix.os }}-${{ matrix.arch }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ matrix.os }}-${{ matrix.arch }}-go- - - - name: Build ${{ matrix.os }}-${{ matrix.arch }} - env: - GOARCH: ${{ matrix.arch }} - GOOS: ${{ matrix.os }} - run: | - CGO_ENABLED=0 go build --ldflags '-s -w -extldflags "-static"' --tags netgo -a -o ${{ env.asset_build }} - gzip --name --suffix ${{ env.asset_gzip_suffix }} ${{ env.asset_build }} - - - name: Upload Release Asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ env.upload_url }} - asset_path: ./${{ env.asset }} - asset_name: ${{ env.asset }} - asset_content_type: application/gzip - - publish_release: - name: Publish release - runs-on: ubuntu-latest - needs: - - assets - - draft_release - env: - release_id: ${{ needs.draft_release.outputs.release_id }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - name: Publish release - shell: bash - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - curl -sfL -H "Authorization: token ${GITHUB_TOKEN}" -XPATCH --data '{"draft":false}' https://api.github.com/repos/${{ github.repository }}/releases/${{ env.release_id }} + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.14 + + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v2 + env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v2 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 00000000..34993004 --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,46 @@ +--- +builds: + - env: + - CGO_ENABLED=0 + mod_timestamp: '{{ .CommitTimestamp }}' + flags: + - -trimpath + ldflags: + - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}' + goos: + - windows + - linux + - darwin + goarch: + - amd64 + - arm + - arm64 + binary: '{{ .ProjectName }}_v{{ .Version }}' +archives: + - format: zip + name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' +checksum: + name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS' + algorithm: sha256 +signs: + - artifacts: checksum + args: + - "--batch" + - "--local-user" + - "{{ .Env.GPG_FINGERPRINT }}" + - "--output" + - "${signature}" + - "--detach-sign" + - "${artifact}" +release: + draft: true + disable: false + github: + owner: oboukili + name: terraform-provider-argocd +changelog: + skip: false + filters: + exclude: + - '^docs:' + - '^chore' diff --git a/README.md b/README.md index bcc9d30a..1958b13f 100644 --- a/README.md +++ b/README.md @@ -125,15 +125,15 @@ resource "argocd_project" "myproject" { role { name = "testrole" policies = [ - "p, proj:%s:testrole, applications, override, %s/*, allow", - "p, proj:%s:testrole, applications, sync, %s/*, allow", + "p, proj:myproject:testrole, applications, override, myproject/*, allow", + "p, proj:myproject:testrole, applications, sync, myproject/*, allow", ] } role { name = "anotherrole" policies = [ - "p, proj:%s:testrole, applications, get, %s/*, allow", - "p, proj:%s:testrole, applications, sync, %s/*, deny", + "p, proj:myproject:testrole, applications, get, myproject/*, allow", + "p, proj:myproject:testrole, applications, sync, myproject/*, deny", ] } sync_window { diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 00000000..741bdf9b --- /dev/null +++ b/docs/index.md @@ -0,0 +1,28 @@ +# ArgoCD Provider + +A Terraform provider for [ArgoCD](https://argoproj.github.io/argo-cd/). + +## Example Usage + +```hcl +provider "argocd" { + server_addr = "argocd.local:443" + auth_token = "1234..." +} +``` + +## Argument Reference + +* `server_addr` - (Required) ArgoCD server address with port. +* `auth_token` - (Optional) ArgoCD authentication token, taked precedence over `username`/`password`. Can be set through the `ARGOCD_AUTH_TOKEN` environment variable. +* `username` - (Optional) authentication username. Can be set through the `ARGOCD_AUTH_USERNAME` environment variable. +* `password` - (Optional) authentication password. Can be set through the `ARGOCD_AUTH_PASSWORD` environment variable. +* `cert_file` - (Optional) Additional root CA certificates file to add to the client TLS connection pool. +* `plain_text` - (Optional) Boolean, whether to initiate an unencrypted connection to ArgoCD server. +* `context` - (Optional) Kubernetes context to load from an existing `.kube/config` file. Can be set through `ARGOCD_CONTEXT` environment variable. +* `user_agent` - (Optional) +* `grpc_web` - (Optional) Whether to use gRPC web proxy client. +* `port_forward` - (Optional) +* `port_forward_with_namespace` - (Optional) +* `headers` - (Optional) Additional headers to add to each request to the ArgoCD server. +* `insecure` - (Optional) Whether to skip TLS server certificate. Can be set through the `ARGOCD_INSECURE` environment variable. diff --git a/docs/resources/project.md b/docs/resources/project.md new file mode 100644 index 00000000..06c5562a --- /dev/null +++ b/docs/resources/project.md @@ -0,0 +1,130 @@ +# argocd_project + +Creates an ArgoCD project. + +## Example Usage + +```hcl +resource "argocd_project" "myproject" { + metadata { + name = "myproject" + namespace = "argocd" + labels = { + acceptance = "true" + } + annotations = { + "this.is.a.really.long.nested.key" = "yes, really!" + } + } + + spec { + description = "simple project" + source_repos = ["*"] + + destination { + server = "https://kubernetes.default.svc" + namespace = "default" + } + destination { + server = "https://kubernetes.default.svc" + namespace = "foo" + } + cluster_resource_whitelist { + group = "rbac.authorization.k8s.io" + kind = "ClusterRoleBinding" + } + cluster_resource_whitelist { + group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + } + namespace_resource_blacklist { + group = "networking.k8s.io" + kind = "Ingress" + } + orphaned_resources = { + warn = true + } + role { + name = "testrole" + policies = [ + "p, proj:myproject:testrole, applications, override, myproject/*, allow", + "p, proj:myproject:testrole, applications, sync, myproject/*, allow", + ] + } + role { + name = "anotherrole" + policies = [ + "p, proj:myproject:testrole, applications, get, myproject/*, allow", + "p, proj:myproject:testrole, applications, sync, myproject/*, deny", + ] + } + sync_window { + kind = "allow" + applications = ["api-*"] + clusters = ["*"] + namespaces = ["*"] + duration = "3600s" + schedule = "10 1 * * *" + manual_sync = true + } + sync_window { + kind = "deny" + applications = ["foo"] + clusters = ["in-cluster"] + namespaces = ["default"] + duration = "12h" + schedule = "22 1 5 * *" + manual_sync = false + } + } +} + +``` + +## Argument Reference + +* `metadata` - (Required) Standard Kubernetes API service's metadata. For more info see the [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata). +* `spec` - (Required) The project specification, the nested attributes are documented below. + +The `metadata` block can have the following attributes: + +* `name` - (Required) The project name, must be unique, cannot be updated. +* `annotations` - (Optional) An unstructured key value map stored with the config map that may be used to store arbitrary metadata. **By default, the provider ignores any annotations whose key names end with kubernetes.io. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem)**. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). +* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the config map. May match selectors of replication controllers and services. **By default, the provider ignores any labels whose key names end with kubernetes.io. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem).** For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). + +The `spec` block can have the following attributes: + +* `destination` - (Required) The allowed cluster/namespace project destination, can be repeated multiple times. +* `source_repos` - (Required) List of strings containing allowed application repositories URLs for the project. Can be set to `["*"]` to allow all configured repositories configured in ArgoCD. +* `cluster_resource_whitelist` - (Optional) Cluster-scoped resource allowed to be managed by the project applications, can be repeated multiple times. +* `description` - (Optional) +* `orphaned_resources` - (Optional) A key value map to control orphaned resources monitoring, +* `namespace_resource_blacklist` - (Optional) Namespaced-scoped resources allowed to be managed by the project applications, can be repeated multiple times. +* `role` - (Optional) can be repeated multiple times. +* `sync_window` - (Optional) can be repeated multiple times. + +Each `cluster_resource_whitelist` block can have the following attributes: +* `group` - (Optional) The Kubernetes resource Group to match for. +* `kind` - (Optional) The Kubernetes resource Kind to match for. + +The `orphaned_resources` map can have the following attributes: +* `warn` - Boolean, defaults to `false`. + +Each `namespace_resource_blacklist` block can have the following attributes: +* `group` - (Optional) The Kubernetes resource Group to match for. +* `kind` - (Optional) The Kubernetes resource Kind to match for. + +Each `role` block can have the following attributes: +* `name` - (Required) Name of the role. +* `policies` - (Required) list of Casbin formated strings that define access policies for the role in the project, For more information, read the [ArgoCD RBAC reference](https://argoproj.github.io/argo-cd/operator-manual/rbac/#rbac-permission-structure). +* `description` - (Optional) +* `groups` - (Optional) List of OIDC group claims bound to this role. + +Each `sync_window` block can have the following attributes: +* `applications` - (Optional) List of applications the window will apply to. +* `clusters` - (Optional) List of clusters the window will apply to. +* `duration` - (Optional) amount of time the sync window will be open. +* `kind` - (Optional) Defines if the window allows or blocks syncs, allowed values are `allow` or `deny`. +* `manual_sync` - (Optional) Boolean, enables manual syncs when they would otherwise be blocked. +* `namespaces` - (Optional) List of namespaces that the window will apply to. +* `schedule` - (Optional) Time the window will begin, specified in cron format. diff --git a/docs/resources/token.md b/docs/resources/token.md new file mode 100644 index 00000000..157dd465 --- /dev/null +++ b/docs/resources/token.md @@ -0,0 +1,29 @@ +# argocd_project_token + +Creates an ArgoCD role project JSON Web Token. + +## Example Usage + +```hcl +resource "argocd_project_token" "secret" { + project = "someproject" + role = "foobar" + description = "short lived token" + expires_in = "1h" + renew_before = "30m" +} +``` + +## Argument Reference + +* `project` - (Required) The project name associated with the token. +* `role` - (Required) The project role associated with the token, the role must exist beforehand. +* `description` - (Optional) +* `expires_in` - (Optional) An expiration duration, valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +* `renew_before` - (Optional) duration to control token silent regeneration, valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". If `expires_in` is set, Terraform will regenerate the token if `expires_in - renew_before < currentDate`. + +## Attribute Reference + +* `jwt` - The raw JWT as a string. +* `issued_at` - Unix timestamp upon which the token was issued at, as a string. +* `expires_at` - If `expires_in` is set, Unix timestamp upon which the token will expire, as a string.