feat(argo-helm): add status wait support (#15)

Author: jaygridley

Diff for: README.md

@@ -104,8 +104,12 @@ No modules.
 | [helm_release.default_cluster_issuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.default_cluster_issuer_argo_application](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_job.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job) | resource |
 | [kubernetes_manifest.default_cluster_issuer_argo_application](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_role.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
+| [kubernetes_role_binding.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_service_account.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [utils_deep_merge_yaml.argo_helm_values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
@@ -123,6 +127,10 @@ No modules.
 | <a name="input_argo_enabled"></a> [argo\_enabled](#input\_argo\_enabled) | If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release | `bool` | `false` | no |
 | <a name="input_argo_helm_enabled"></a> [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See Readme for more info | `bool` | `false` | no |
 | <a name="input_argo_helm_values"></a> [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying argo application object with helm | `string` | `""` | no |
+| <a name="input_argo_helm_wait_backoff_limit"></a> [argo\_helm\_wait\_backoff\_limit](#input\_argo\_helm\_wait\_backoff\_limit) | Backoff limit for ArgoCD Application Helm release wait job | `number` | `6` | no |
+| <a name="input_argo_helm_wait_node_selector"></a> [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job | `map(string)` | `{}` | no |
+| <a name="input_argo_helm_wait_timeout"></a> [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job | `string` | `"10m"` | no |
+| <a name="input_argo_helm_wait_tolerations"></a> [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job | `list(any)` | `[]` | no |
 | <a name="input_argo_info"></a> [argo\_info](#input\_argo\_info) | ArgoCD info manifest parameter | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "terraform",<br>    "value": "true"<br>  }<br>]</pre> | no |
 | <a name="input_argo_kubernetes_manifest_computed_fields"></a> [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. | `list(string)` | <pre>[<br>  "metadata.labels",<br>  "metadata.annotations"<br>]</pre> | no |
 | <a name="input_argo_kubernetes_manifest_field_manager_force_conflicts"></a> [argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts](#input\_argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts) | Forcibly override any field manager conflicts when applying the kubernetes manifest resource | `bool` | `false` | no |

Diff for: argo-helm.tf

@@ -0,0 +1,162 @@
+locals {
+  helm_argo_application_enabled      = var.enabled && var.argo_enabled && var.argo_helm_enabled
+  helm_argo_application_wait_enabled = local.helm_argo_application_enabled && length(keys(var.argo_kubernetes_manifest_wait_fields)) > 0
+  helm_argo_application_values = [
+    one(data.utils_deep_merge_yaml.argo_helm_values[*].output),
+    var.argo_helm_values
+  ]
+}
+
+data "utils_deep_merge_yaml" "argo_helm_values" {
+  count = local.helm_argo_application_enabled ? 1 : 0
+
+  input = compact([
+    yamlencode({
+      "apiVersion" : var.argo_apiversion
+    }),
+    yamlencode({
+      "spec" : local.argo_application_values
+    }),
+    yamlencode({
+      "spec" : var.argo_spec
+    }),
+    yamlencode(
+      local.argo_application_metadata
+    )
+  ])
+}
+
+resource "helm_release" "argo_application" {
+  count = local.helm_argo_application_enabled ? 1 : 0
+
+  chart     = "${path.module}/helm/argocd-application"
+  name      = var.helm_release_name
+  namespace = var.argo_namespace
+
+  values = local.helm_argo_application_values
+}
+
+resource "kubernetes_role" "helm_argo_application_wait" {
+  count = local.helm_argo_application_wait_enabled ? 1 : 0
+
+  metadata {
+    name        = "${var.helm_release_name}-argo-application-wait"
+    namespace   = var.argo_namespace
+    labels      = local.argo_application_metadata.labels
+    annotations = local.argo_application_metadata.annotations
+  }
+
+  rule {
+    api_groups = ["argoproj.io"]
+    resources  = ["applications"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_role_binding" "helm_argo_application_wait" {
+  count = local.helm_argo_application_wait_enabled ? 1 : 0
+
+  metadata {
+    name        = "${var.helm_release_name}-argo-application-wait"
+    namespace   = var.argo_namespace
+    labels      = local.argo_application_metadata.labels
+    annotations = local.argo_application_metadata.annotations
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = one(kubernetes_role.helm_argo_application_wait[*].metadata[0].name)
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = one(kubernetes_service_account.helm_argo_application_wait[*].metadata[0].name)
+    namespace = one(kubernetes_service_account.helm_argo_application_wait[*].metadata[0].namespace)
+  }
+}
+
+resource "kubernetes_service_account" "helm_argo_application_wait" {
+  count = local.helm_argo_application_wait_enabled ? 1 : 0
+
+  metadata {
+    name        = "${var.helm_release_name}-argo-application-wait"
+    namespace   = var.argo_namespace
+    labels      = local.argo_application_metadata.labels
+    annotations = local.argo_application_metadata.annotations
+  }
+}
+
+resource "kubernetes_job" "helm_argo_application_wait" {
+  count = local.helm_argo_application_wait_enabled ? 1 : 0
+
+  metadata {
+    generate_name = "${var.helm_release_name}-argo-application-wait-"
+    namespace     = var.argo_namespace
+    labels        = local.argo_application_metadata.labels
+    annotations   = local.argo_application_metadata.annotations
+  }
+
+  spec {
+    template {
+      metadata {
+        labels      = local.argo_application_metadata.labels
+        annotations = local.argo_application_metadata.annotations
+      }
+
+      spec {
+        service_account_name = one(kubernetes_service_account.helm_argo_application_wait[*].metadata[0].name)
+
+        dynamic "container" {
+          for_each = var.argo_kubernetes_manifest_wait_fields
+
+          content {
+            name    = "${lower(replace(container.key, ".", "-"))}-${md5(jsonencode(local.helm_argo_application_values))}" # md5 suffix is a workaround for https://github.com/hashicorp/terraform-provider-kubernetes/issues/1325
+            image   = "bitnami/kubectl:latest"
+            command = ["/bin/bash", "-ecx"]
+            # Waits for ArgoCD Application to be "Healthy", see https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#wait
+            #   i.e. kubectl wait --for=jsonpath='{.status.sync.status}'=Healthy application.argoproj.io <$addon-name>
+            args = [
+              <<-EOT
+              kubectl wait \
+                --namespace ${var.argo_namespace} \
+                --for=jsonpath='{.${container.key}}'=${container.value} \
+                --timeout=${var.argo_helm_wait_timeout} \
+                application.argoproj.io ${var.helm_release_name}
+              EOT
+            ]
+          }
+        }
+
+        node_selector = var.argo_helm_wait_node_selector
+
+        dynamic "toleration" {
+          for_each = var.argo_helm_wait_tolerations
+
+          content {
+            key      = try(toleration.value.key, null)
+            operator = try(toleration.value.operator, null)
+            value    = try(toleration.value.value, null)
+            effect   = try(toleration.value.effect, null)
+          }
+        }
+
+        # ArgoCD Application status fields might not be available immediately after creation
+        restart_policy = "OnFailure"
+      }
+    }
+
+    backoff_limit = var.argo_helm_wait_backoff_limit
+  }
+
+  wait_for_completion = true
+
+  timeouts {
+    create = var.argo_helm_wait_timeout
+    update = var.argo_helm_wait_timeout
+  }
+
+  depends_on = [
+    helm_release.argo_application
+  ]
+}

Diff for: argo.tf

@@ -25,37 +25,6 @@ locals {
   }
 }
 
-data "utils_deep_merge_yaml" "argo_helm_values" {
-  count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
-  input = compact([
-    yamlencode({
-      "apiVersion" : var.argo_apiversion
-    }),
-    yamlencode({
-      "spec" : local.argo_application_values
-    }),
-    yamlencode({
-      "spec" : var.argo_spec
-    }),
-    yamlencode(
-      local.argo_application_metadata
-    )
-  ])
-}
-
-resource "helm_release" "argo_application" {
-  count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
-
-  chart     = "${path.module}/helm/argocd-application"
-  name      = var.helm_release_name
-  namespace = var.argo_namespace
-
-  values = [
-    data.utils_deep_merge_yaml.argo_helm_values[0].output,
-    var.argo_helm_values
-  ]
-}
-
 resource "kubernetes_manifest" "this" {
   count = var.enabled && var.argo_enabled && !var.argo_helm_enabled ? 1 : 0
   manifest = {

Diff for: default_cluster_issuer.tf renamed to default-cluster-issuer.tf

@@ -164,6 +164,30 @@ variable "argo_helm_enabled" {
   description = "If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See Readme for more info"
 }
 
+variable "argo_helm_wait_timeout" {
+  type        = string
+  default     = "10m"
+  description = "Timeout for ArgoCD Application Helm release wait job"
+}
+
+variable "argo_helm_wait_node_selector" {
+  type        = map(string)
+  default     = {}
+  description = "Node selector for ArgoCD Application Helm release wait job"
+}
+
+variable "argo_helm_wait_tolerations" {
+  type        = list(any)
+  default     = []
+  description = "Tolerations for ArgoCD Application Helm release wait job"
+}
+
+variable "argo_helm_wait_backoff_limit" {
+  type        = number
+  default     = 6
+  description = "Backoff limit for ArgoCD Application Helm release wait job"
+}
+
 variable "argo_destination_server" {
   type        = string
   default     = "https://kubernetes.default.svc"