Beyond Basics: Advanced Techniques for Securing Argo CD and Updating AWS Secrets using Terraform
Overview:-
Argo CD is a powerful tool for continuous delivery of Kubernetes applications. However, securing access to its admin password is crucial. In this guide, we will explore the process of fetching the Argo CD admin password and then securely updating it in an AWS Secret. This ensures a robust security posture, aligning with best practices in managing sensitive information within cloud environments. Let's dive into the steps to fortify your Argo CD setup.
Prerequisites:-
A Kubernetes cluster should be installed and configured (e.g., Minikube, EKS, kind).
Terraform should be installed.
Steps for Reverting admin password with Terraform:-
1. Deploy a Kubernetes cluster (Minikube or EKS) and install Argo CD within the cluster, or follow a guide for deploying the cluster and installing Argo CD.
2. Create a directory named argo_cd_password on your desktop. Within the directory, create the Terraform configuration files main.tf and provider.tf.
3. Copy the code below into your main.tf file and replace the cluster endpoint, certificate, and token with your values.
# main.tf
provider "kubernetes" {
  # Replace these placeholders with your cluster's values
  host                   = "YOUR CLUSTER ENDPOINT"
  cluster_ca_certificate = "YOUR CLUSTER CERTIFICATE"
  token                  = "YOUR CLUSTER AUTH TOKEN"
}

resource "aws_secretsmanager_secret" "argo_cd" {
  name = "argo-cd-password"
  # 0 deletes the secret immediately, with no recovery window, on destroy
  recovery_window_in_days = 0
  description             = "ArgoCD Initial Admin Password"
}

# Placeholder value; the local-exec step below overwrites it
resource "aws_secretsmanager_secret_version" "argo_cd" {
  secret_id     = aws_secretsmanager_secret.argo_cd.id
  secret_string = <<EOT
{
"": ""
}
EOT
}

resource "null_resource" "argocd_password" {
  # The secret must exist before update-secret runs
  depends_on = [aws_secretsmanager_secret_version.argo_cd]

  provisioner "local-exec" {
    command = <<-EOT
      # Fetch the password from argocd-initial-admin-secret
      ARGOCD_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
      # Update the AWS Secret
      aws secretsmanager update-secret \
        --secret-id argo-cd-password \
        --secret-string "$ARGOCD_PASSWORD" \
        --region us-east-1
    EOT
  }
}
4. Create a provider.tf file within the argo_cd_password directory and paste the below code into the file.
# provider.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.29.0"
    }
  }
}
5. Open a terminal window, navigate to the argo_cd_password directory, and configure your AWS credentials. After the credentials are configured, run the Terraform commands (terraform init, terraform plan, terraform apply) to deploy the above code, which fetches the Argo CD password and updates it in your AWS secret.
6. Once the code is deployed, log in to your AWS account and check that the secret has been created and that the Argo CD password is stored in it.
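A declarative alternative to the local-exec step in main.tf, as an added example that is not the author's code: it reads argocd-initial-admin-secret through the kubernetes provider already configured in main.tf, so the password never appears on a command line and the AWS secret is created with its real value in one pass. It assumes the provider block from main.tf and the argocd namespace used in the kubectl command; the JSON key names are chosen for this example.

```hcl
# Added example: replaces the placeholder secret version and the
# null_resource/local-exec block from main.tf.

# Read the initial admin secret through the kubernetes provider.
# Namespace and secret name match the kubectl command in main.tf.
data "kubernetes_secret_v1" "argocd_initial_admin" {
  metadata {
    name      = "argocd-initial-admin-secret"
    namespace = "argocd"
  }
}

resource "aws_secretsmanager_secret" "argo_cd" {
  name                    = "argo-cd-password"
  description             = "ArgoCD Initial Admin Password"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "argo_cd" {
  secret_id = aws_secretsmanager_secret.argo_cd.id

  # The data source returns values already base64-decoded and marks them
  # sensitive, so the password is redacted in plan and apply output.
  # The JSON key names below are chosen for this example.
  secret_string = jsonencode({
    username = "admin"
    password = data.kubernetes_secret_v1.argocd_initial_admin.data["password"]
  })
}
```

With this approach the password is still written to the Terraform state file in plain text, so the state backend needs encryption at rest and restricted access.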
Conclusion:-
Securing administrative credentials is fundamental to any robust DevOps pipeline. By leveraging AWS Secrets Manager to store and manage the Argo CD admin password, we enhance the overall security of our infrastructure. This guide has provided a step-by-step walkthrough, empowering users to fetch the Argo CD admin password and seamlessly update it in an AWS Secret. As you implement these security measures, your Argo CD instance becomes more resilient to unauthorized access, contributing to a safer and more reliable deployment environment.