DEV-3535: Argo CD GitHub App Branch Protection Requirements (#810)

milldr · Benbentwo · cloudpossebot · web-flow · commit e0d516d76373 · 2025-09-03T08:27:48.000-07:00
Co-authored-by: Benbentwo &lt;14911525+Benbentwo@users.noreply.github.com&gt;
Co-authored-by: Cloud Posse Bot (CI/CD) &lt;bot@cloudposse.com&gt;
Co-authored-by: milldr &lt;14060048+milldr@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/docs/layers/software-delivery/eks-argocd/setup.mdx b/docs/layers/software-delivery/eks-argocd/setup.mdx
@@ -43,7 +43,7 @@ All deployment steps below assume that the environment has been successfully set
 
     First vendor all related components for the Argo CD layer:
 
-    <AtmosWorkflow workflow="vendor" fileName="quickstart/app/argocd" />
+    <AtmosWorkflow workflow="vendor" fileName="quickstart/platform/argocd" />
   </Step>
 
   <Step>
@@ -67,143 +67,46 @@ All deployment steps below assume that the environment has been successfully set
 
     <Steps>
     1. #### Terraform `argocd-repo` Access
-       The first PAT is used by Terraform with the `argocd-repo` component. This is used to create and manage the Argo CD desired state repositories and (optionally) add deployment ssh keys for those repos.
 
-       Terraform will pull that PAT from SSM typically using the `argocd/github` path in the `core-auto` account.
+        First we will need to apply the Argo CD desired state repositories configuration with Terraform. By default, we use local access to apply the component. This requires an engineer to locally authenticate with GitHub and apply this component locally. Since this component is rarely updated, this can be a reasonable trade-off.
 
-       Alternatively, you can enforce local access to apply the component. This would require an engineer to locally authenticate with GitHub and apply this component locally. Since this component is rarely updated, this can be a reasonable trade-off.
+    2. #### Argo CD Instance
 
-       At this time, we do not have GitHub App support for this step and prefer using local developer access.
+        Next, we need a GitHub App for Terraform and the `eks/argocd` component. This app is used to register the webhook in GitHub for the Argo CD Application created with this given component. 
 
-    2. #### Terraform `eks/argocd` Access
+        After creating the GitHub App, add the app's private key to AWS SSM Parameter Store in each account with Argo CD, typically the `plat-dev`, `plat-staging`, and `plat-prod` accounts, and add the App ID to the stack catalog. Detailed instructions linked below.
 
-       The next two PATs or GitHub App installations are also used by Terraform now with the `eks/argocd` component. Each of these is used to register the webhook in GitHub for the Argo CD Application created with this given component. One is used for non-prod stages and the other is used for prod stages.
+    3. #### Argo CD Desired State Repository Access (2)
 
-       Terraform will pull that token from SSM typically in `plat-dev`, `plat-staging`, and `plat-prod` accounts.
+        We will need two more GitHub Apps for accessing the ArgoCD desired state repositories _from GitHub Actions_. GitHub Actions running for an application repositories will build and update application manifests in the Argo CD desired state repositories and therefore will need write access to that respective non-prod or prod repository.
 
-    3. #### Argo CD GitHub Notification Access
+        This GitHub App does not need to be added to the stack catalog or SSM since it will be used by GitHub Actions, not Terraform.
 
-       The next PAT or GitHub App token is used by the Argo CD notifications system to update the GitHub commit status on deployments. This is stored in SSM and pulled by the `eks/argocd` component. That component will pass the token to the Argo CD instance in the given EKS cluster. That Argo CD instance uses that token _only when synchronous mode is enabled_.
+    4. #### Argo CD GitHub Notification Access
 
-    4. #### GitHub Release Workflow Access
+        The last GitHub App is used by the Argo CD notifications system to update the GitHub commit status on deployments. This is stored in SSM and pulled by the `eks/argocd` component. That component will pass the ID and private key to the Argo CD instance in the given EKS cluster. That Argo CD instance uses that app _only when synchronous mode is enabled_.
 
-       The final two PATs or GitHub App installations are used in the release engineering workflows: one for non-prod and one for prod. This token should allow write permissions in the given Argo CD desired state repositories.
+        After creating the GitHub App, add the app's private key to AWS SSM Parameter Store in each account with Argo CD, typically the `plat-dev`, `plat-staging`, and `plat-prod` accounts, and add the App ID to the stack catalog. Detailed instructions linked below.
 
     </Steps>
 
-    <Tabs queryString="auth-method">
-      <TabItem value="github-apps" label="GitHub Apps (Recommended)">
-        <Steps>
-          <Step>
-            ## <StepNumber/> Set up GitHub Apps
-
-            Follow the instructions in [Argo CD Integrations: How to set up Authorization for Argo CD with GitHub Apps](/layers/software-delivery/eks-argocd/tutorials/github-apps) to create and configure a GitHub App for Argo CD.
-          </Step>
-
-          <Step>
-            ## <StepNumber/> Configure Argo CD Desire State Repositories to Use GitHub Apps
-
-            Update your Argo CD desired state repository configuration to use the GitHub App instead of PAT:
-
-            ```yaml
-            components:
-              terraform:
-                argocd-repo:
-                  vars:
-                    # 1. Use local access to apply this component rather than a PAT
-                    # https://registry.terraform.io/providers/integrations/github/latest/docs#github-cli
-                    use_local_github_credentials: true
-
-                    # 2. If synchronous mode is enabled, set the notifications to send to "github" and not to the "webhook"
-                    github_notifications:
-                      - "notifications.argoproj.io/subscribe.on-deploy-started.github: \"\""
-                      - "notifications.argoproj.io/subscribe.on-deploy-succeeded.github: \"\""
-                      - "notifications.argoproj.io/subscribe.on-deploy-failed.github: \"\""
-
-                    # 3. Optional, disable the SSH deploy keys to use a GitHub App
-                    #    for the Argo CD instance to authenticate with the desired state repository
-                    deploy_keys_enabled: false
-            ```
-
-          </Step>
-
-          <Step>
-            ## <StepNumber/> Configure Argo CD to Use GitHub Apps
-
-            Update your Argo CD configuration to use the GitHub App instead of PATs:
-
-            ```yaml
-            components:
-              terraform:
-                eks/argocd:
-                  vars:
-                    # GitHub App (Argo CD Instance)
-                    # This GitHub App is used for the Argo CD instance to manage webhooks and read from the desired state repository.
-                    # ie https://github.com/acme/argocd-deploy-non-prod
-                    github_app_enabled: true
-                    github_app_id: "1234567"
-                    github_app_installation_id: "44444444"
-                    # The SSM parameter must exist in the account and region where Argo CD is deployed.
-                    ssm_github_app_private_key: "/argocd/argo_cd_instance/app_private_key"
-                    # Optional, disable the SSH deploy keys to use this GitHub App
-                    # for the Argo CD instance to authenticate with the desired state repository
-                    github_deploy_keys_enabled: false
-
-                    # GitHub App (Argo CD Notifications)
-                    # This GitHub App is used for the Argo CD instance to send commit status updates back to each ap repository.
-                    # This is only required if synchronous mode is enabled.
-                    # ie https://github.com/acme/example-app-on-eks
-                    github_notifications_app_enabled: true
-                    github_notifications_app_id: "8901235"
-                    github_notifications_app_installation_id: "55555555"
-                    # The SSM parameter must exist in the account and region where Argo CD is deployed.
-                    ssm_github_notifications_app_private_key: "/argocd/argo_cd_notifications/app_private_key"
-            ```
-          </Step>
-
-        </Steps>
-      </TabItem>
-      <TabItem value="pats" label="Personal Access Tokens (Legacy)">
-        <Steps>
-          <Step>
-            ## <StepNumber/> Establish a Bot User
-
-            We deploy a number of GitHub Personal Access Tokens (PATs) as part of the EKS with Argo CD application. By default each
-            PAT is given the least-access required for the given job.
-
-            Each one of these PATs will be associated with a given user. We recommend creating or using an existing "bot" user. For
-            example, at Cloud Posse we have the "cloudpossebot" GitHub user. This user has its own email address and GitHub account,
-            is accessible from our internal 1Password vault for all privileged users, and has all access keys and tokens stored with
-            it in 1Password.
-
-            This bot user will need permission to manage a few repositories in your Organization. If you wish to simplify
-            deployment, you can grant this user permission to create repositories. See (Create Permission for the Bot User)[#Create
-            Permission for the Bot User].
-
-            Use this bot user for all access tokens in the remainder of this guide.
-          </Step>
-
-          <Step>
-            ## <StepNumber/> Create all Argo CD PATs
-
-            We will need several PATs for the following steps. Now that the Argo CD repos are created, you can create all required
-            PATs.
-
-            Please see
-            [Argo CD Integrations: How to set up Authorization for Argo CD with GitHub PATs](/layers/software-delivery/eks-argocd/tutorials/pats)
-            and follow all steps.
-          </Step>
-        </Steps>
-      </TabItem>
-    </Tabs>
+    Follow the instructions in [Argo CD Integrations: How to set up Authorization for Argo CD with GitHub Apps](/layers/software-delivery/eks-argocd/tutorials/github-apps) to create and configure all GitHub Apps for Argo CD. Once completed, you should have 4 GitHub Apps:
+
+    <TaskList>
+      - `Argo CD Instance`
+      - `Argo CD Deploy Non-Prod`
+      - `Argo CD Deploy Prod`
+      - `Argo CD Notifications`
+    </TaskList>
+
   </Step>
 
   <Step>
-    ## <StepNumber/> Deploy Argo CD repo configuration
+    ## <StepNumber/> Deploy the Argo CD Desired State Repositories
 
-    Deploy the Argo CD configuration for the two GitHub repos with the following workflow:
+    Deploy the Argo CD configuration for the two Argo CD desired state GitHub repositories with the following workflow:
 
-    <AtmosWorkflow workflow="deploy/argocd-repos" fileName="quickstart/app/argocd" />
+    <AtmosWorkflow workflow="deploy/argocd-repos" fileName="quickstart/platform/argocd" />
 
     Once this finishes, review the two repos in your GitHub Organization. These should both be fully configured at this point.
 
@@ -220,14 +123,14 @@ All deployment steps below assume that the environment has been successfully set
   </Step>
 
   <Step>
-    ## <StepNumber/> Deploy Argo CD to each EKS Cluster
+    ## <StepNumber/> Deploy the Argo CD Instances to each EKS Cluster
 
     Once the GitHub repositories are in place and the SAML applications have been created and configuration uploaded to SSM,
     we're ready to deploy Argo CD to each cluster.
 
     Deploy `eks/argocd` to each cluster with the following workflow:
 
-    <AtmosWorkflow workflow="deploy/argocd" fileName="quickstart/app/argocd" />
+    <AtmosWorkflow workflow="deploy/argocd" fileName="quickstart/platform/argocd" />
   </Step>
 
   <Step>
diff --git a/docs/layers/software-delivery/eks-argocd/tutorials/github-apps.mdx b/docs/layers/software-delivery/eks-argocd/tutorials/github-apps.mdx
@@ -8,14 +8,15 @@ tags:
   - eks
   - github-apps
 ---
+import Admonition from '@theme/Admonition'
+import AtmosWorkflow from '@site/src/components/AtmosWorkflow';
 import Intro from '@site/src/components/Intro';
 import KeyPoints from '@site/src/components/KeyPoints';
-import Steps from '@site/src/components/Steps'
+import Note from '@site/src/components/Note'
 import Step from '@site/src/components/Step'
 import StepNumber from '@site/src/components/StepNumber'
-import Admonition from '@theme/Admonition'
-import Note from '@site/src/components/Note'
-import AtmosWorkflow from '@site/src/components/AtmosWorkflow';
+import Steps from '@site/src/components/Steps'
+import TaskList from '@site/src/components/TaskList'
 
 <Intro>
   GitHub Apps is now the preferred method for Argo CD integration with GitHub. GitHub Apps provide more granular permissions, better security, and improved audit capabilities compared to Personal Access Tokens (PATs). This guide will walk you through setting up Argo CD with GitHub Apps.
@@ -25,7 +26,7 @@ import AtmosWorkflow from '@site/src/components/AtmosWorkflow';
   - GitHub Apps provide more granular permissions than PATs
   - GitHub Apps can be installed on specific repositories
   - GitHub Apps have built-in rate limiting and audit capabilities
-  - GitHub Apps can be used for both repository management and notifications
+  - GitHub Apps need the ability to bypass branch protection rules
 </KeyPoints>
 
 ## Required GitHub Apps
@@ -70,19 +71,6 @@ Argo CD integration requires multiple GitHub Apps, each with specific permission
 - **Repository scope**:
   - All of the app repositories
 
-## Compensating Controls
-
-To address security concerns, the following compensating controls should be implemented:
-
-1. **Organization-Level Branch Ruleset**:
-   - Applied to all app repos but *not* to `acme/argocd-deploy-non-prod` and `acme/argocd-deploy-prod`
-   - Prevents changes to the main branch with the Argo CD app *not* in the bypass list
-   - The Argo CD repos are excluded because workflows need to write to the main branch in these repos
-
-2. **Argo CD Desired State Repositories Branch Ruleset**:
-   - Applied only to the Argo CD desired state repositories
-   - Prevents writing to the main branch, but with the Argo CD app in the bypass list
-
 ## Deployment
 
 <Steps>
@@ -117,10 +105,10 @@ To address security concerns, the following compensating controls should be impl
             - `repository.contents`: Read and Write
             - `repository.metadata`: Read-Only
 
-         #### Argo CD Deploy Prod
-         - Name: `Argo CD Deploy Prod`
-         - Homepage URL: Your organization's homepage
-         - Webhook: Disabled
+        #### Argo CD Deploy Prod
+        - Name: `Argo CD Deploy Prod`
+        - Homepage URL: Your organization's homepage
+        - Webhook: Disabled
         - Permissions:
           - Push commits to Desired State Repositories:
             - `repository.contents`: Read and Write
@@ -144,13 +132,28 @@ To address security concerns, the following compensating controls should be impl
 
     <Steps>
       1. For each GitHub App:
-        <Steps>
-         1. On the GitHub App page, scroll down to "Private keys" and click "Generate a private key"
-         1. Download the private key file
-         1. Store the App ID, Installation ID, and private key securely in 1Password
-        </Steps>
-      2. Upload these credentials to AWS SSM Parameter Store:
-         Save these credentials to AWS SSM at the [paths specified by the `eks/argocd` component](/layers/software-delivery/eks-argocd/setup/#-configure-argo-cd-to-use-github-apps)
+          <Steps>
+           1. On the GitHub App page, scroll down to "Private keys" and click "Generate a private key"
+           1. Download the private key file
+           1. Store the App ID, Installation ID, and private key securely in 1Password
+          </Steps>
+      2. Upload these credentials to AWS SSM Parameter Store
+          <TaskList>
+          - Upload the `Argo CD Instance` private key to `/argocd/argo_cd_instance/app_private_key` in `core-auto`: 
+            ```bash
+            # Replace acme with your namespace or assume the role separately.
+            # Your default region should be the same as your primary region. 
+            assume-role acme-core-gbl-auto-admin
+            chamber write argocd argo_cd_instance/app_private_key \
+              "$(cat /path/to/argocd-deploy-non-prod.private-key.pem)"
+            ```
+          - Upload the `Argo CD Notifications` private key to `/argocd/argo_cd_notifications/app_private_key` to `core-auto`:
+            ```bash
+            assume-role acme-core-gbl-auto-admin
+            chamber write argocd argo_cd_notifications/app_private_key \
+              "$(cat /path/to/argocd-notifications.private-key.pem)"
+            ```
+          </TaskList>
     </Steps>
   </Step>
 
@@ -193,29 +196,20 @@ To address security concerns, the following compensating controls should be impl
   <Step>
     ### <StepNumber/> Configure Branch Protection Rules
 
-    Set up the compensating controls by configuring branch protection rules:
-
-    **Organization-Level Branch Ruleset**:
+    If branch protection rules are enabled in your GitHub Organization, you'll need to configure exceptions for the ArgoCD GitHub Apps. This allows ArgoCD to update repositories while still maintaining security. The GitHub Apps must be able to bypass branch protection rules in order for ArgoCD's automated deployments to work correctly. 
 
-    <Steps>
-     - Go to your organization settings
-     - Navigate to "Code, planning, and automation" > "Branch rules"
-     - Create a new ruleset that applies to all app repos except `acme/argocd-deploy-non-prod` and `acme/argocd-deploy-prod`
-     - Configure the ruleset to prevent changes to the main branch with the Argo CD app not in the bypass list
-    </Steps>
+    Branch rulesets may be configured both or either at an organization and repository level. Check the enabled rulesets in both ArgoCD desired state repositories under "Code, planning, and automation" > "Branch rules". Add the ArgoCD GitHub Apps to the bypass list of any ruleset that prevents changes to the main branch.
 
-    **Argo CD Desired State Repositories Branch Ruleset**:
-
-    <Steps>
-     - Create a separate ruleset that applies only to `acme/argocd-deploy-non-prod` and `acme/argocd-deploy-prod`
-     - Configure the ruleset to prevent writing to the main branch, but with the Argo CD app in the bypass list
-    </Steps>
   </Step>
 
   <Step>
     ## <StepNumber/> Configure Argo CD Desire State Repositories to Use GitHub Apps
 
-    Update your Argo CD desired state repository configuration to use the GitHub App instead of PAT:
+    <Note title="Reference Architecture Users">
+    This step should be pre-configured for Reference Architecture users.
+    </Note>
+
+    Update your Argo CD desired state repository configuration to use the GitHub App:
 
     ```yaml
     components:
@@ -242,9 +236,18 @@ To address security concerns, the following compensating controls should be impl
   <Step>
     ### <StepNumber/> Configure Argo CD to Use GitHub Apps
 
-    Update your Argo CD configuration to use the GitHub Apps instead of PATs:
+    <Note title="Reference Architecture Users">
+      Reference Architecture users will need to update both GitHub App and Installation IDs.
+    </Note>
+
+    Update your Argo CD configuration to use the GitHub Apps by modifying the component configuration shown below. 
+    
+    <Note title="Installation ID">
+      You can find the Installation ID by going to your GitHub Organization settings, selecting "GitHub Apps", clicking on your app, then selecting "Install App". The Installation ID will be in the URL, e.g. https://github.com/organizations/acme/settings/installations/44444444.
+    </Note>
 
     ```yaml
+    # stacks/catalog/eks/argocd/defaults.yaml
     components:
       terraform:
         eks/argocd:
@@ -278,12 +281,11 @@ To address security concerns, the following compensating controls should be impl
 
     Redeploy both the `argocd-repo` component for both nonprod and prod.
 
-    <AtmosWorkflow workflow="deploy/argocd-repos" fileName="quickstart/app/argocd" />
+    <AtmosWorkflow workflow="deploy/argocd-repos" fileName="quickstart/platform/argocd" />
 
     Then redeploy all instances of `eks/argocd`
 
-    <AtmosWorkflow workflow="deploy/argocd" fileName="quickstart/app/argocd" />
-
+    <AtmosWorkflow workflow="deploy/argocd" fileName="quickstart/platform/argocd" />
   </Step>
 
   <Step>
