feat: Deploy Keys as Optional (#43)

milldr · web-flow · commit f4bbf8677d8a · 2025-09-23T16:39:38.000Z
* Deploy keys optional

* Deploy keys optional

* fixed enabled flag
diff --git a/.gitignore b/.gitignore
@@ -76,3 +76,4 @@ github/
 *.ovpn
 
 *.zip
+account-map/
diff --git a/src/README.md b/src/README.md
diff --git a/src/applicationset.tf b/src/applicationset.tf
@@ -15,7 +15,7 @@ resource "github_repository_file" "application_set" {
     ignore-differences          = each.value.ignore-differences
     name                        = module.this.namespace
     namespace                   = local.manifest_kubernetes_namespace
-    ssh_url                     = local.github_repository.ssh_clone_url
+    url                         = local.deploy_keys_enabled ? local.github_repository.ssh_clone_url : local.github_repository.http_clone_url
     notifications               = local.github_notifications
     slack_notifications_channel = var.slack_notifications_channel
   })
diff --git a/src/main.tf b/src/main.tf
@@ -1,5 +1,6 @@
 locals {
-  enabled = module.this.enabled
+  enabled             = module.this.enabled
+  deploy_keys_enabled = local.enabled && var.deploy_keys_enabled
 
   environments = local.enabled ? {
     for env in var.environments :
@@ -118,14 +119,14 @@ resource "github_team_repository" "default" {
 }
 
 resource "tls_private_key" "default" {
-  for_each = local.environments
+  for_each = local.deploy_keys_enabled ? local.environments : {}
 
   algorithm = "RSA"
   rsa_bits  = "2048"
 }
 
 resource "github_repository_deploy_key" "default" {
-  for_each = local.environments
+  for_each = local.deploy_keys_enabled ? local.environments : {}
 
   title      = "Deploy key for ArgoCD environment: ${each.key} (${local.github_repository.default_branch} branch)"
   repository = local.github_repository.name
diff --git a/src/outputs.tf b/src/outputs.tf
@@ -1,6 +1,6 @@
 output "deploy_keys_ssm_paths" {
   description = "SSM Parameter Store paths for the repository's deploy keys"
-  value       = module.store_write.names
+  value       = local.deploy_keys_enabled ? module.store_write.names : []
 }
 
 output "deploy_keys_ssm_path_format" {
@@ -37,3 +37,8 @@ output "repository_ssh_clone_url" {
   description = "Repository SSH clone URL"
   value       = local.enabled ? local.github_repository.ssh_clone_url : null
 }
+
+output "repository_http_clone_url" {
+  description = "Repository HTTP clone URL"
+  value       = local.enabled ? local.github_repository.http_clone_url : null
+}
diff --git a/src/provider-github.tf b/src/provider-github.tf
@@ -14,15 +14,15 @@ module "store_write" {
   source  = "cloudposse/ssm-parameter-store/aws"
   version = "0.13.0"
 
-  parameter_write = [for k, v in local.environments :
+  parameter_write = local.deploy_keys_enabled ? [for k, v in local.environments :
     {
       name        = format(var.ssm_github_deploy_key_format, k)
       value       = tls_private_key.default[k].private_key_pem
       type        = "SecureString"
       overwrite   = true
       description = github_repository_deploy_key.default[k].title
     }
-  ]
+  ] : []
 
   context = module.this.context
 }
diff --git a/src/templates/applicationset.yaml.tpl b/src/templates/applicationset.yaml.tpl
@@ -37,7 +37,7 @@ metadata:
 spec:
   generators:
     - git:
-        repoURL: ${ssh_url}
+        repoURL: ${url}
         revision: HEAD
         files:
           - path: ${environment}/apps/*/*/config.yaml
@@ -63,7 +63,7 @@ spec:
     spec:
       project: ${name}
       source:
-        repoURL: ${ssh_url}
+        repoURL: ${url}
         targetRevision: HEAD
         path: '{{manifests}}'
       destination:
diff --git a/src/variables.tf b/src/variables.tf
@@ -209,3 +209,9 @@ variable "use_local_github_credentials" {
   description = "Use local GitHub credentials from environment variables instead of SSM"
   default     = false
 }
+
+variable "deploy_keys_enabled" {
+  type        = bool
+  description = "Enable GitHub deploy keys for the repository. These are used for Argo CD application syncing. Alternatively, you can use a GitHub App to access this desired state repository."
+  default     = true
+}

Original file line number	Diff line number	Diff line change
`@@ -76,3 +76,4 @@ github/`
`76`	`76`	`*.ovpn`
`77`	`77`
`78`	`78`	`*.zip`
	`79`	`+account-map/`
Original file line number	Diff line number	Diff line change
`@@ -14,15 +14,15 @@ module "store_write" {`
`14`	`14`	`source = "cloudposse/ssm-parameter-store/aws"`
`15`	`15`	`version = "0.13.0"`
`16`	`16`
`17`		`- parameter_write = [for k, v in local.environments :`
	`17`	`+ parameter_write = local.deploy_keys_enabled ? [for k, v in local.environments :`
`18`	`18`	`{`
`19`	`19`	`name = format(var.ssm_github_deploy_key_format, k)`
`20`	`20`	`value = tls_private_key.default[k].private_key_pem`
`21`	`21`	`type = "SecureString"`
`22`	`22`	`overwrite = true`
`23`	`23`	`description = github_repository_deploy_key.default[k].title`
`24`	`24`	`}`
`25`		`- ]`
	`25`	`+ ] : []`
`26`	`26`
`27`	`27`	`context = module.this.context`
`28`	`28`	`}`