Add files related to argocd project session

Author: mohammadll

.gitignore

@@ -9,12 +9,6 @@
 crash.log
 crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

v04-argocd-projects/project-manifest-examples/project-destination-restriction.yml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: project-destination-restriction
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  destinations:
+  - namespace: '!dev' ## Use '!' to place namespace in BlackList, if we remove '!' the namespace will be placed in WhiteList
+    server: '*' ## '*' means we are allowed to use any servers
+  sourceRepos:
+  - '*'

v04-argocd-projects/project-manifest-examples/project-resource-blacklist.yml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: project-resource-blacklist
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*' ## it means we are allowed to use any kinds of clusterscoped resources
+    kind: '*'
+  namespaceResourceBlacklist:
+  - group: ''
+    kind: 'ServiceAccount' ## it means we are NOT allowd to use 'serviceaccount' namespacescoped resource
+  destinations:
+  - namespace: '*'
+    server: '*'
+  sourceRepos:
+  - '*'

v04-argocd-projects/project-manifest-examples/project-resource-whitelist.yml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: project-resource-whitelist
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*' ## it means we are allowed to use any kinds of clusterscoped resources
+    kind: '*'
+  namespaceResourceWhitelist:
+  - group: ''
+    kind: 'ServiceAccount' ## it means we are allowd to use 'serviceaccount' namespacescoped resource Only
+  destinations:
+  - namespace: '*'
+    server: '*'
+  sourceRepos:
+  - '*'

v04-argocd-projects/project-manifest-examples/project-role.yml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: project-role
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  namespaceResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  sourceRepos:
+  - '*'
+  roles:
+    - name: read-sync
+      description: "this role can be used for reading applications"
+      policies:
+        - p, proj:project-role:read-sync, applications, get, project-role/*, allow
+        - p, proj:project-role:read-sync, applications, sync, project-role/*, allow

v04-argocd-projects/project-manifest-examples/project-source-restriction.yml

@@ -0,0 +1,15 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: project-source-restriction
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  sourceRepos:
+  - '!https://github.com/devopshobbies/argocd-tutorial.git' ## Use '!' to place repo in BlackList, if we remove '!' the repo will be placed in WhiteList
+  - '*' ## '*' means we are allowed to use any repos

v04-argocd-projects/project-using-terraform/main.tf

@@ -0,0 +1,59 @@
+locals {
+  roles_count = length(var.roles)
+}
+
+resource "argocd_project" "terraform-project" {
+  metadata {
+    name      = var.project_name
+    namespace = var.project_namespace
+    labels    = var.project_labels
+  }
+
+  spec {
+    description = var.project_description
+
+    source_namespaces = var.source_namespaces
+    source_repos      = var.source_repos
+
+    dynamic "destination" {
+      for_each = var.destinations
+      content {
+        server    = destination.value.server
+        namespace = destination.value.namespace
+      }
+    }
+
+    dynamic "cluster_resource_whitelist" {
+      for_each = var.cluster_resources_whitelist
+      content {
+        group = cluster_resource_whitelist.value.group
+        kind  = cluster_resource_whitelist.value.kind
+      }
+    }
+
+    dynamic "namespace_resource_whitelist" {
+      for_each = var.namespace_resources_whitelist
+      content {
+        group = namespace_resource_whitelist.value.group
+        kind  = namespace_resource_whitelist.value.kind
+      }
+    }
+
+    dynamic "role" {
+      for_each = var.roles
+      content {
+        name     = role.value.name
+        policies = role.value.policies
+      }
+    }
+  }
+}
+
+resource "argocd_project_token" "secret" {
+  count   = local.roles_count
+  project = var.project_name
+  role    = var.roles[count.index]["name"]
+  depends_on = [
+    argocd_project.terraform-project
+  ]
+}

v04-argocd-projects/project-using-terraform/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    argocd = {
+      source  = "oboukili/argocd"
+      version = "6.0.2"
+    }
+  }
+}
+
+provider "argocd" {
+  server_addr = var.server_addr
+  username    = var.username
+  password    = var.password
+  insecure    = var.insecure
+}

v04-argocd-projects/project-using-terraform/terraform.tfvars

@@ -0,0 +1,46 @@
+server_addr       = "localhost:32073"
+username          = "admin"
+password          = "O0Nk42qUhEOMK4q8"
+insecure          = true
+project_name      = "terraform-project"
+project_namespace = "argocd"
+project_labels = {
+  acceptance = "true"
+}
+project_description = "this project has been created using terraform"
+source_namespaces   = ["argocd"]
+source_repos        = ["*"]
+destinations = {
+  destination_one = {
+    server    = "*",
+    namespace = "dev"
+  },
+  destination_two = {
+    server    = "*",
+    namespace = "prod"
+  }
+}
+cluster_resources_whitelist = {
+  resource_one = {
+    group = "*"
+    kind  = "*"
+  }
+}
+namespace_resources_whitelist = {
+  resource_one = {
+    group = "apps"
+    kind  = "Deployment"
+  },
+  resource_two = {
+    group = ""
+    kind  = "Service"
+  }
+}
+roles = [
+  {
+    name = "read-only"
+    policies = [
+      "p, proj:terraform-project:read-only, applications, get, terraform-project/*, allow",
+    ]
+  }
+]

v04-argocd-projects/project-using-terraform/variables.tf

@@ -0,0 +1,77 @@
+variable "server_addr" {
+  type        = string
+  description = "The server address"
+}
+
+variable "username" {
+  type        = string
+  description = "The Username"
+}
+
+variable "password" {
+  type        = string
+  description = "The Password"
+}
+
+variable "insecure" {
+  type        = bool
+  description = "The Connection Insecure flag"
+}
+
+variable "project_name" {
+  type        = string
+  description = "The Name of the Project"
+}
+
+variable "project_namespace" {
+  type        = string
+  description = "The Namespace of the Project"
+}
+
+variable "project_labels" {
+  type        = map(string)
+  description = "The Labels of the Project"
+}
+
+variable "project_description" {
+  type        = string
+  description = "The Description of the Project"
+}
+
+variable "source_namespaces" {
+  type        = list(string)
+  description = "The Source Namespaces of the Project"
+}
+
+variable "source_repos" {
+  type        = list(string)
+  description = "The Source Repos of the Project"
+}
+
+variable "destinations" {
+  type = map(object({
+    server    = string,
+    namespace = string
+  }))
+}
+
+variable "cluster_resources_whitelist" {
+  type = map(object({
+    group = string,
+    kind  = string
+  }))
+}
+
+variable "namespace_resources_whitelist" {
+  type = map(object({
+    group = string,
+    kind  = string
+  }))
+}
+
+variable "roles" {
+  type = list(object({
+    name     = string,
+    policies = list(string)
+  }))
+}