
Security: Harden GitOps infrastructure#2

Merged: somethingwithproof merged 1 commit into main from security/harden-gitops-infra on Feb 8, 2026

Conversation

@somethingwithproof (Owner) commented Feb 8, 2026

Summary

  • Remove ArgoCD --insecure flag, configure TLS properly
  • Restrict EKS public access CIDRs via variable
  • Restrict ArgoCD project sources and destinations
  • Pin GitHub Actions to SHA hashes
  • Change tfsec soft_fail to false

Test plan

  • Terraform plan succeeds
  • ArgoCD configuration is valid
  • CI passes with pinned actions

- Remove ArgoCD --insecure flag, enable TLS certificate generation
- Add public_access_cidrs to EKS cluster (default: 10.0.0.0/8)
- Restrict ArgoCD project destinations to specific namespaces
- Remove untrusted helm chart repo from sourceRepos
- Pin GitHub Actions to SHA hashes (checkout@v4, setup-terraform@v3.1.2)
- Change tfsec soft_fail from true to false

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Security hardening for the GitOps + Terraform stack by tightening EKS API exposure, improving ArgoCD TLS settings, restricting ArgoCD project scope, and strengthening CI security checks.

Changes:

  • Add configurable public_access_cidrs for the EKS public API endpoint.
  • Remove ArgoCD --insecure usage and set Helm values to run with TLS (server.insecure=false).
  • Tighten ArgoCD AppProject repo/destination allow-lists, pin some GitHub Actions to SHAs, and make tfsec fail the build.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • terraform/modules/eks/variables.tf: Introduces public_access_cidrs input (with a restrictive default).
  • terraform/modules/eks/main.tf: Applies public_access_cidrs to the EKS cluster vpc_config.
  • terraform/modules/argocd/main.tf: Removes --insecure and enables TLS-related Helm settings.
  • argocd/projects/default-project.yaml: Restricts allowed source repos and destination namespaces for the default AppProject.
  • .github/workflows/ci.yaml: Pins some actions to SHAs and makes tfsec non-soft-fail.


- namespace: 'default'
server: https://kubernetes.default.svc
- namespace: 'kube-system'
server: https://kubernetes.default.svc
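Review bot: kube-system is listed as a permitted destination of the default project, which lets any Application admitted to this project write into the namespace that holds the cluster add-ons and the aws-auth ConfigMap; unless something in this repo really deploys there, drop that entry or give add-on deployment its own AppProject with its own sourceRepos. The hunk only shows server/namespace pairs; if clusterResourceWhitelist is not also tightened in this project (not visible here), an Application can still create cluster-scoped objects such as ClusterRoleBindings regardless of which namespaces are allowed, so please confirm that setting alongside this change.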

Copilot AI Feb 8, 2026


default AppProject destinations are now limited to argocd, default, and kube-system, but existing ArgoCD Applications/ApplicationSets in this repo deploy into sample-app and sample-app-{dev,staging,production} namespaces. With this change those apps will be rejected as unauthorized destinations. Add the required destination namespaces (or adjust the apps/project strategy) so current manifests continue to sync.

Suggested change
server: https://kubernetes.default.svc
server: https://kubernetes.default.svc
- namespace: 'sample-app'
server: https://kubernetes.default.svc
- namespace: 'sample-app-dev'
server: https://kubernetes.default.svc
- namespace: 'sample-app-staging'
server: https://kubernetes.default.svc
- namespace: 'sample-app-production'
server: https://kubernetes.default.svc

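The admission check the comment above describes, as an added example that is not part of the PR or the repository: a small Python model of how an Argo CD AppProject accepts or rejects an Application by sourceRepos and destinations, glob-matched the way Argo CD matches them. The project and Application entries are constructed to mirror the namespaces named in the comment; the repository URL, the rogue chart URL, the application names and the `sample-app*` pattern are assumptions, not values from the repo.

```python
"""Model of how an Argo CD AppProject admits or rejects an Application.

Added example (not code from the PR). Project and Application data below
are constructed to mirror the namespaces named in the review comment.
"""
from fnmatch import fnmatchcase

IN_CLUSTER = "https://kubernetes.default.svc"
REPO = "https://github.com/example-org/gitops-infra.git"   # assumed repo URL

# Mirrors the hardened default AppProject in this PR: one git source,
# destinations limited to argocd/default/kube-system in the local cluster.
PROJECT_BEFORE_FIX = {
    "sourceRepos": [REPO],
    "destinations": [
        {"server": IN_CLUSTER, "namespace": "argocd"},
        {"server": IN_CLUSTER, "namespace": "default"},
        {"server": IN_CLUSTER, "namespace": "kube-system"},
    ],
}

# The review's fix, written as one glob entry instead of four literal ones.
PROJECT_AFTER_FIX = {
    "sourceRepos": PROJECT_BEFORE_FIX["sourceRepos"],
    "destinations": PROJECT_BEFORE_FIX["destinations"]
    + [{"server": IN_CLUSTER, "namespace": "sample-app*"}],
}


def _app(name, namespace, repo=REPO):
    return {"name": name, "repoURL": repo, "server": IN_CLUSTER, "namespace": namespace}


# Constructed stand-ins for the repo's Applications/ApplicationSets, plus one
# app that still points at a chart repo that is no longer in sourceRepos.
APPLICATIONS = [
    _app("sample-app", "sample-app"),
    _app("sample-app-dev", "sample-app-dev"),
    _app("sample-app-staging", "sample-app-staging"),
    _app("sample-app-production", "sample-app-production"),
    _app("argocd-self", "argocd"),
    _app("rogue-chart", "default", repo="https://charts.example.net"),
]


def destination_permitted(project, server, namespace):
    """Argo CD glob-matches both server and namespace against each destination entry."""
    return any(
        fnmatchcase(server, d["server"]) and fnmatchcase(namespace, d["namespace"])
        for d in project["destinations"]
    )


def source_permitted(project, repo_url):
    """sourceRepos entries are glob patterns too; a bare '*' would allow any repo."""
    return any(fnmatchcase(repo_url, pattern) for pattern in project["sourceRepos"])


def rejected_applications(project, apps):
    """Return {app name: reason} for every Application the project would refuse to sync."""
    rejected = {}
    for app in apps:
        if not source_permitted(project, app["repoURL"]):
            rejected[app["name"]] = f"source {app['repoURL']} is not in sourceRepos"
        elif not destination_permitted(project, app["server"], app["namespace"]):
            rejected[app["name"]] = (
                f"destination {app['server']}/{app['namespace']} is not permitted"
            )
    return rejected


if __name__ == "__main__":
    for label, project in (("before fix", PROJECT_BEFORE_FIX), ("after fix", PROJECT_AFTER_FIX)):
        print(label, rejected_applications(project, APPLICATIONS))
```

Before the fix every sample-app Application is refused on its destination; after it only the app whose repo is no longer in sourceRepos is refused, which is the intended effect of dropping the chart repo. Argo CD additionally normalises repository URLs (trailing `.git`, scheme variants) and, in recent releases, supports `!` deny patterns in destinations; neither is modelled here.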
Comment on lines +24 to 26
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f85571c5fb643da9750e94b949 # v3.1.2
with:
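Review bot: the trailing comment on the checkout pin is `# v4`, a floating major tag, while the setup-terraform pin records the exact release `# v3.1.2`; record the exact release for checkout as well, since that comment is the only thing a reviewer (or Dependabot/Renovate) can use to confirm which release the 40-character SHA corresponds to and to track updates. Since the PR description promises SHA pinning across the workflow, consider making it enforceable rather than a convention, for example a lint step that fails the job on any `uses:` reference whose version is not a full commit SHA.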

Copilot AI Feb 8, 2026


PR description says GitHub Actions are pinned to SHA hashes, but this workflow still uses version tags for aquasecurity/tfsec-action, azure/setup-helm, and ibiqlik/action-yamllint. Either pin those actions to commit SHAs as well, or update the PR description so expectations match the actual hardening applied.

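A lint that makes the pinning requirement checkable, as an added example rather than anything from the PR's ci.yaml: it walks the `uses:` lines of a workflow, fails on any action reference whose version is not a full commit SHA (tags and branches are mutable and can be re-pointed by the action's maintainer or an attacker with write access), flags a SHA-pinned action whose trailing comment does not name an exact release, and treats container images without a digest the same way. The workflow text is a constructed excerpt: the two SHA-pinned lines are the ones shown in this PR, the three tag-pinned actions carry the placeholder versions `v1`, `v4` and `v3`, and the local action and docker step are assumed.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not the PR's CI code. WORKFLOW is a constructed excerpt
modelled on the review comment; the real ci.yaml may differ.
"""
import re

WORKFLOW = """\
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f85571c5fb643da9750e94b949 # v3.1.2
      - uses: aquasecurity/tfsec-action@v1
      - uses: azure/setup-helm@v4
      - uses: ibiqlik/action-yamllint@v3
      - uses: ./.github/actions/local-check
      - uses: docker://alpine:3.20
"""

# A git commit id is 40 hex chars (64 for SHA-256 repositories).
FULL_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# The comment beside a pin should name a specific release, e.g. v1.2.3.
EXACT_RELEASE = re.compile(r"^v?\d+\.\d+\.\d+$")
# Matches `uses: <ref>` with an optional `- ` prefix and `# <comment>` suffix.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S+))?")


def audit_uses(workflow_text):
    """Return (line_no, ref, level, message) for every `uses:` line.

    level is "error" for an unpinned reference, "warn" for a SHA pin whose
    comment does not name an exact release, and "ok" otherwise.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            # Local actions live in this repo; they are covered by code review, not pinning.
            findings.append((n, ref, "ok", "local action, nothing to pin"))
            continue
        if ref.startswith("docker://"):
            if "@sha256:" in ref:
                findings.append((n, ref, "ok", "image pinned by digest"))
            else:
                findings.append((n, ref, "error", "pin container images by @sha256 digest, not by tag"))
            continue
        _, _, version = ref.rpartition("@")
        if not FULL_SHA.match(version):
            findings.append((n, ref, "error", f"'{version}' is a mutable tag or branch; pin to a full commit SHA"))
        elif comment is None or not EXACT_RELEASE.match(comment):
            findings.append((n, ref, "warn", "pinned, but the comment should name the exact release so the SHA can be verified and tracked"))
        else:
            findings.append((n, ref, "ok", f"pinned to {version[:12]} ({comment})"))
    return findings


def unpinned(workflow_text):
    """Just the references that should fail the build."""
    return [ref for _, ref, level, _ in audit_uses(workflow_text) if level == "error"]


if __name__ == "__main__":
    for line_no, ref, level, message in audit_uses(WORKFLOW):
        print(f"{level:5} line {line_no}: {ref}: {message}")
    raise SystemExit(1 if unpinned(WORKFLOW) else 0)
```

Run as a CI step it exits non-zero on the three tag-pinned actions and the undigested image, and prints a warning for the `# v4` comment on checkout. Pinning by SHA only removes the mutable-tag risk; the pinned commit still has to be reviewed once, and a tool such as Dependabot or Renovate is what keeps the SHA and its release comment moving together afterwards.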
variable "public_access_cidrs" {
description = "List of CIDR blocks that can access the EKS public API endpoint"
type = list(string)
default = ["10.0.0.0/8"]
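Review bot: a default of ["10.0.0.0/8"] for a public endpoint allow-list is effectively deny-all, since RFC 1918 source addresses are not routable on the internet and never arrive at the public endpoint; if the intent is no public access, say so with endpoint_public_access = false rather than an allow-list no client can match, and if the intent is restricted access, the real operator/CI egress prefixes belong in the environment layer as the other comment suggests. Whatever the default, add a validation block to this variable (for example `condition = alltrue([for c in var.public_access_cidrs : can(cidrhost(c, 0))])`) so a malformed CIDR fails at plan time, and keep 0.0.0.0/0 out of the default if the module is meant to be secure by default.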

Copilot AI Feb 8, 2026


Setting public_access_cidrs default to ["10.0.0.0/8"] changes the module's out-of-the-box behavior (and the dev environment doesn’t pass this variable), which can easily lock out kubectl/Terraform access to the public endpoint from typical operator/CI IPs. Consider keeping the module default aligned with AWS’s default behavior (or explicitly disabling public access by default) and pushing the hardened CIDR list down from the environment layer so it’s an intentional, visible choice per environment.

Suggested change
default = ["10.0.0.0/8"]
default = ["0.0.0.0/0"]

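To make the lockout argument above concrete, here is an added example (not Terraform or code from the PR) that classifies a public_access_cidrs list the way an internet-facing endpoint effectively treats it: private, CGNAT and link-local ranges can never be the source address of a client reaching a public endpoint, so an allow-list made only of them admits nobody, while 0.0.0.0/0 admits everybody. The stand-in operator prefix 203.0.113.0/24 is a documentation range, and the endpoint_public_access flag mirrors the aws_eks_cluster vpc_config argument of that name; both are assumptions for the example.

```python
"""Sanity-check an EKS public_access_cidrs list before it is applied.

Added example, not the PR's Terraform. Encodes the review point that a
public-endpoint allow-list of private ranges admits nobody, while
0.0.0.0/0 admits everybody.
"""
import ipaddress

# Ranges that cannot be the *source* address of traffic at an internet-facing endpoint.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
)]


def classify_cidr(cidr):
    """Return (cidr, verdict) with verdict in {"invalid", "open", "unreachable", "ok"}."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # Host bits set or not a CIDR at all; the provider would reject it at apply time.
        return cidr, "invalid"
    if net.prefixlen == 0:
        return cidr, "open"            # 0.0.0.0/0 (or ::/0): the whole internet
    if net.version == 4 and any(net.subnet_of(r) for r in NON_ROUTABLE):
        return cidr, "unreachable"     # no internet client can present this source address
    return cidr, "ok"


def evaluate_public_access(cidrs, endpoint_public_access=True):
    """Summarise a vpc_config as one of disabled / invalid / open / locked-out / restricted."""
    if not endpoint_public_access:
        return "disabled"              # the explicit way to say "no public API access"
    verdicts = [classify_cidr(c)[1] for c in cidrs]
    if "invalid" in verdicts:
        return "invalid"
    if "open" in verdicts:
        return "open"
    # An empty list, or one made only of non-routable ranges, lets nobody in.
    if not cidrs or all(v == "unreachable" for v in verdicts):
        return "locked-out"            # the module default ["10.0.0.0/8"] lands here
    return "restricted"


if __name__ == "__main__":
    for cidrs in (["10.0.0.0/8"], ["0.0.0.0/0"], ["203.0.113.0/24"], ["10.0.0.0/8", "203.0.113.7/32"]):
        print(cidrs, "->", evaluate_public_access(cidrs))
    print("public access off ->", evaluate_public_access(["10.0.0.0/8"], endpoint_public_access=False))
```

The two outcomes a module should never produce silently are "open" and "locked-out"; a plan-time check that rejects both, combined with an explicit endpoint_public_access = false for environments that only need the private endpoint, turns the allow-list into the intentional per-environment choice the comment asks for. Note that nodes reaching the API through a NAT gateway present the gateway's public address, which is what would have to appear in the list if the private endpoint is disabled.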
@somethingwithproof somethingwithproof merged commit 56cd68b into main Feb 8, 2026
9 of 10 checks passed
somethingwithproof added a commit that referenced this pull request Feb 8, 2026
…#2)

- Remove ArgoCD --insecure flag, enable TLS certificate generation
- Add public_access_cidrs to EKS cluster (default: 10.0.0.0/8)
- Restrict ArgoCD project destinations to specific namespaces
- Remove untrusted helm chart repo from sourceRepos
- Pin GitHub Actions to SHA hashes (checkout@v4, setup-terraform@v3.1.2)
- Change tfsec soft_fail from true to false