Merge pull request #43 from gruntwork-io/yori-address-create-resources

Add test for checking create_resources does not actually create any resources

Author: yorinasub17

.circleci/config.yml

@@ -8,7 +8,7 @@ defaults: &defaults
     KUBERGRUNT_VERSION: v0.5.1
     HELM_VERSION: v2.12.2
     MODULE_CI_VERSION: v0.14.1
-    TERRAFORM_VERSION: 0.12.9
+    TERRAFORM_VERSION: 0.12.11
     TERRAGRUNT_VERSION: NONE
     PACKER_VERSION: NONE
     GOLANG_VERSION: 1.11.2

examples/k8s-namespace-with-service-account/main.tf

@@ -28,7 +28,8 @@ module "namespace" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.0.1"
   source = "../../modules/k8s-namespace"
 
-  name = var.name
+  create_resources = var.create_resources
+  name             = var.name
 }
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -41,9 +42,10 @@ module "service_account_access_all" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.0.1"
   source = "../../modules/k8s-service-account"
 
-  name           = "${var.name}-admin"
-  namespace      = module.namespace.name
-  num_rbac_roles = 1
+  create_resources = var.create_resources
+  name             = "${var.name}-admin"
+  namespace        = module.namespace.name
+  num_rbac_roles   = 1
 
   rbac_roles = [
     {
@@ -64,9 +66,10 @@ module "service_account_access_read_only" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.0.1"
   source = "../../modules/k8s-service-account"
 
-  name           = "${var.name}-read-only"
-  namespace      = module.namespace.name
-  num_rbac_roles = 1
+  create_resources = var.create_resources
+  name             = "${var.name}-read-only"
+  namespace        = module.namespace.name
+  num_rbac_roles   = 1
 
   rbac_roles = [
     {

examples/k8s-namespace-with-service-account/variables.tf

@@ -19,3 +19,14 @@ variable "kubectl_config_path" {
   type        = string
   default     = "~/.kube/config"
 }
+
+# ---------------------------------------------------------------------------------------------------------------------
+# TEST PARAMETERS
+# These variables are only used for testing purposes and should not be touched in normal operations.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "create_resources" {
+  description = "Set to false to have this module skip creating resources."
+  type        = bool
+  default     = true
+}

modules/k8s-namespace-roles/variables.tf

@@ -26,7 +26,7 @@ variable "annotations" {
 }
 
 variable "create_resources" {
-  description = "Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace roles should be created or not."
+  description = "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace roles should be created or not."
   type        = bool
   default     = true
 }

modules/k8s-namespace/main.tf

@@ -49,7 +49,7 @@ resource "kubernetes_namespace" "namespace" {
 module "namespace_roles" {
   source = "../k8s-namespace-roles"
 
-  namespace   = kubernetes_namespace.namespace[0].id
+  namespace   = var.create_resources ? kubernetes_namespace.namespace[0].id : ""
   labels      = var.labels
   annotations = var.annotations
 

modules/k8s-namespace/variables.tf

@@ -26,7 +26,7 @@ variable "annotations" {
 }
 
 variable "create_resources" {
-  description = "Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace should be created or not."
+  description = "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace should be created or not."
   type        = bool
   default     = true
 }

modules/k8s-service-account/main.tf

@@ -31,6 +31,8 @@ resource "null_resource" "dependency_getter" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_service_account" "service_account" {
+  count = var.create_resources ? 1 : 0
+
   metadata {
     name        = var.name
     namespace   = var.namespace
@@ -62,7 +64,7 @@ resource "kubernetes_service_account" "service_account" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_role_binding" "service_account_role_binding" {
-  count = var.num_rbac_roles
+  count = var.create_resources ? var.num_rbac_roles : 0
 
   metadata {
     name        = "${var.name}-${var.rbac_roles[count.index]["name"]}-role-binding"
@@ -80,7 +82,7 @@ resource "kubernetes_role_binding" "service_account_role_binding" {
   subject {
     api_group = ""
     kind      = "ServiceAccount"
-    name      = kubernetes_service_account.service_account.metadata[0].name
+    name      = kubernetes_service_account.service_account[0].metadata[0].name
     namespace = var.namespace
   }
 

modules/k8s-service-account/outputs.tf

@@ -1,13 +1,13 @@
 output "name" {
   description = "The name of the created service account"
-  value       = kubernetes_service_account.service_account.metadata[0].name
+  value       = var.create_resources ? kubernetes_service_account.service_account[0].metadata[0].name : ""
 
   depends_on = [kubernetes_role_binding.service_account_role_binding]
 }
 
 output "token_secret_name" {
   description = "The name of the secret that holds the default ServiceAccount token that can be used to authenticate to the Kubernetes API."
-  value       = kubernetes_service_account.service_account.default_secret_name
+  value       = var.create_resources ? kubernetes_service_account.service_account[0].default_secret_name : ""
 
   depends_on = [kubernetes_role_binding.service_account_role_binding]
 }

modules/k8s-service-account/variables.tf

@@ -68,6 +68,12 @@ variable "secrets_for_pods" {
   default     = []
 }
 
+variable "create_resources" {
+  description = "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace should be created or not."
+  type        = bool
+  default     = true
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # MODULE DEPENDENCIES
 # Workaround Terraform limitation where there is no module depends_on.