Add test for checking create_resources does not actually create any resources

Author: yorinasub17

examples/k8s-namespace-with-service-account/main.tf

@@ -28,7 +28,8 @@ module "namespace" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-namespace?ref=v0.0.1"
   source = "../../modules/k8s-namespace"
 
-  name = var.name
+  create_resources = var.create_resources
+  name             = var.name
 }
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -41,9 +42,10 @@ module "service_account_access_all" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.0.1"
   source = "../../modules/k8s-service-account"
 
-  name           = "${var.name}-admin"
-  namespace      = module.namespace.name
-  num_rbac_roles = 1
+  create_resources = var.create_resources
+  name             = "${var.name}-admin"
+  namespace        = module.namespace.name
+  num_rbac_roles   = 1
 
   rbac_roles = [
     {
@@ -64,9 +66,10 @@ module "service_account_access_read_only" {
   # source = "git::https://github.com/gruntwork-io/terraform-kubernetes-helm.git//modules/k8s-service-account?ref=v0.0.1"
   source = "../../modules/k8s-service-account"
 
-  name           = "${var.name}-read-only"
-  namespace      = module.namespace.name
-  num_rbac_roles = 1
+  create_resources = var.create_resources
+  name             = "${var.name}-read-only"
+  namespace        = module.namespace.name
+  num_rbac_roles   = 1
 
   rbac_roles = [
     {

examples/k8s-namespace-with-service-account/variables.tf

@@ -19,3 +19,14 @@ variable "kubectl_config_path" {
   type        = string
   default     = "~/.kube/config"
 }
+
+# ---------------------------------------------------------------------------------------------------------------------
+# TEST PARAMETERS
+# These variables are only used for testing purposes and should not be touched in normal operations.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "create_resources" {
+  description = "Set to false to have this module create no resources."
+  type        = bool
+  default     = true
+}

modules/k8s-service-account/main.tf

@@ -31,6 +31,8 @@ resource "null_resource" "dependency_getter" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_service_account" "service_account" {
+  count = var.create_resources ? 1 : 0
+
   metadata {
     name        = var.name
     namespace   = var.namespace
@@ -62,7 +64,7 @@ resource "kubernetes_service_account" "service_account" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_role_binding" "service_account_role_binding" {
-  count = var.num_rbac_roles
+  count = var.create_resources ? var.num_rbac_roles : 0
 
   metadata {
     name        = "${var.name}-${var.rbac_roles[count.index]["name"]}-role-binding"
@@ -80,7 +82,7 @@ resource "kubernetes_role_binding" "service_account_role_binding" {
   subject {
     api_group = ""
     kind      = "ServiceAccount"
-    name      = kubernetes_service_account.service_account.metadata[0].name
+    name      = kubernetes_service_account.service_account[0].metadata[0].name
     namespace = var.namespace
   }
 

modules/k8s-service-account/outputs.tf

@@ -1,13 +1,13 @@
 output "name" {
   description = "The name of the created service account"
-  value       = kubernetes_service_account.service_account.metadata[0].name
+  value       = var.create_resources ? kubernetes_service_account.service_account[0].metadata[0].name : ""
 
   depends_on = [kubernetes_role_binding.service_account_role_binding]
 }
 
 output "token_secret_name" {
   description = "The name of the secret that holds the default ServiceAccount token that can be used to authenticate to the Kubernetes API."
-  value       = kubernetes_service_account.service_account.default_secret_name
+  value       = var.create_resources ? kubernetes_service_account.service_account[0].default_secret_name : ""
 
   depends_on = [kubernetes_role_binding.service_account_role_binding]
 }

modules/k8s-service-account/variables.tf

@@ -68,6 +68,12 @@ variable "secrets_for_pods" {
   default     = []
 }
 
+variable "create_resources" {
+  description = "Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace should be created or not."
+  type        = bool
+  default     = true
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # MODULE DEPENDENCIES
 # Workaround Terraform limitation where there is no module depends_on.

test/Gopkg.lock

@@ -27,7 +27,7 @@
 
 [[constraint]]
   name = "github.com/gruntwork-io/terratest"
-  version = "0.16.0"
+  version = "0.20.1"
 
 [prune]
   go-tests = true

test/Gopkg.toml

@@ -13,7 +13,7 @@ import (
 	"github.com/gruntwork-io/terratest/modules/logger"
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/gruntwork-io/terratest/modules/terraform"
-	"github.com/gruntwork-io/terratest/modules/test-structure"
+	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	authv1 "k8s.io/api/authorization/v1"
@@ -25,6 +25,53 @@ type TemplateArgs struct {
 	ServiceAccountName string
 }
 
+func TestK8SNamespaceWithServiceAccountNoCreate(t *testing.T) {
+	t.Parallel()
+
+	// Uncomment any of the following to skip that section during the test
+	// os.Setenv("SKIP_foo", "true") // This stage doesn't exist, but is useful in ensuring the test directory isn't copied
+	// os.Setenv("SKIP_create_test_copy_of_examples", "true")
+	// os.Setenv("SKIP_create_terratest_options", "true")
+	// os.Setenv("SKIP_terraform_apply", "true")
+	// os.Setenv("SKIP_validate", "true")
+	// os.Setenv("SKIP_cleanup", "true")
+
+	// Create a directory path that won't conflict
+	workingDir := filepath.Join(".", "stages", t.Name())
+
+	test_structure.RunTestStage(t, "create_test_copy_of_examples", func() {
+		testFolder := test_structure.CopyTerraformFolderToTemp(t, "..", "examples")
+		logger.Logf(t, "path to test folder %s\n", testFolder)
+		k8sNamespaceTerraformModulePath := filepath.Join(testFolder, "k8s-namespace-with-service-account")
+		test_structure.SaveString(t, workingDir, "k8sNamespaceTerraformModulePath", k8sNamespaceTerraformModulePath)
+	})
+
+	test_structure.RunTestStage(t, "create_terratest_options", func() {
+		k8sNamespaceTerraformModulePath := test_structure.LoadString(t, workingDir, "k8sNamespaceTerraformModulePath")
+		uniqueID := random.UniqueId()
+		k8sNamespaceTerratestOptions := createExampleK8SNamespaceTerraformOptions(
+			t, uniqueID, k8sNamespaceTerraformModulePath)
+		k8sNamespaceTerratestOptions.Vars["create_resources"] = 0
+		test_structure.SaveString(t, workingDir, "uniqueID", uniqueID)
+		test_structure.SaveTerraformOptions(t, workingDir, k8sNamespaceTerratestOptions)
+	})
+
+	defer test_structure.RunTestStage(t, "cleanup", func() {
+		k8sNamespaceTerratestOptions := test_structure.LoadTerraformOptions(t, workingDir)
+		terraform.Destroy(t, k8sNamespaceTerratestOptions)
+	})
+
+	test_structure.RunTestStage(t, "terraform_apply", func() {
+		k8sNamespaceTerratestOptions := test_structure.LoadTerraformOptions(t, workingDir)
+		counts := terraform.GetResourceCount(t, terraform.InitAndPlan(t, k8sNamespaceTerratestOptions))
+		assert.Equal(t, 0, counts.Change)
+		assert.Equal(t, 0, counts.Destroy)
+		// IMPORTANT NOTE: we don't expect any resources to create, but because of how the dependencies system works, we
+		// expect to see 4 resources created: the 4 null_resources that act as a dependency getter.
+		assert.Equal(t, 4, counts.Add)
+	})
+}
+
 func TestK8SNamespaceWithServiceAccount(t *testing.T) {
 	t.Parallel()
 
@@ -88,15 +135,15 @@ func TestK8SNamespaceWithServiceAccount(t *testing.T) {
 // validateNamespace verifies that the namespace was created and is active.
 func validateNamespace(t *testing.T, k8sNamespaceTerratestOptions *terraform.Options) {
 	namespace := terraform.Output(t, k8sNamespaceTerratestOptions, "name")
-	kubectlOptions := k8s.NewKubectlOptions("", "")
+	kubectlOptions := k8s.NewKubectlOptions("", "", "default")
 	k8sNamespace := k8s.GetNamespace(t, kubectlOptions, namespace)
 	assert.Equal(t, k8sNamespace.Name, namespace)
 	assert.Equal(t, k8sNamespace.Status.Phase, corev1.NamespaceActive)
 }
 
 // validateRbacAccessAll verifies that the access all RBAC role has read and write privileges to the namespace
 func validateRbacAccessAll(t *testing.T, k8sNamespaceTerratestOptions *terraform.Options) {
-	kubectlOptions := k8s.NewKubectlOptions("", "")
+	kubectlOptions := k8s.NewKubectlOptions("", "", "default")
 	namespace := terraform.Output(t, k8sNamespaceTerratestOptions, "name")
 	serviceAccountName := terraform.Output(t, k8sNamespaceTerratestOptions, "service_account_access_all")
 	templateArgs := TemplateArgs{
@@ -128,7 +175,7 @@ func validateRbacAccessAll(t *testing.T, k8sNamespaceTerratestOptions *terraform
 
 // validateRbacAccessReadOnly verifies that the access read only RBAC role has read only privileges to the namespace
 func validateRbacAccessReadOnly(t *testing.T, k8sNamespaceTerratestOptions *terraform.Options) {
-	kubectlOptions := k8s.NewKubectlOptions("", "")
+	kubectlOptions := k8s.NewKubectlOptions("", "", "default")
 	namespace := terraform.Output(t, k8sNamespaceTerratestOptions, "name")
 	serviceAccountName := terraform.Output(t, k8sNamespaceTerratestOptions, "service_account_access_read_only")
 	templateArgs := TemplateArgs{
@@ -181,8 +228,7 @@ func checkAccessForServiceAccount(
 	// Wait for up to 5 minutes for pod to start (60 tries, 5 seconds inbetween each trial)
 	// We explicitly set the namespace to default here, because the Kubernetes API requires an explicit namespace when
 	// looking up pods by name.
-	namespacedKubectlOptions := k8s.NewKubectlOptions("", "")
-	namespacedKubectlOptions.Namespace = namespace
+	namespacedKubectlOptions := k8s.NewKubectlOptions("", "", namespace)
 	k8s.WaitUntilPodAvailable(t, namespacedKubectlOptions, curlPodName, 60, 5*time.Second)
 
 	// Run the check function while the curl pod is up

test/k8s_namespace_with_service_account_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/gruntwork-io/terratest/modules/shell"
 	"github.com/gruntwork-io/terratest/modules/terraform"
-	"github.com/gruntwork-io/terratest/modules/test-structure"
+	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
 	"github.com/stretchr/testify/require"
 )
 
@@ -48,7 +48,7 @@ func TestK8STillerKubergrunt(t *testing.T) {
 		testServiceAccountName := fmt.Sprintf("%s-test-account", strings.ToLower(uniqueID))
 		testServiceAccountNamespace := fmt.Sprintf("%s-test-account-namespace", strings.ToLower(uniqueID))
 		tmpConfigPath := k8s.CopyHomeKubeConfigToTemp(t)
-		kubectlOptions := k8s.NewKubectlOptions("", tmpConfigPath)
+		kubectlOptions := k8s.NewKubectlOptions("", tmpConfigPath, "default")
 
 		k8s.CreateNamespace(t, kubectlOptions, testServiceAccountNamespace)
 		kubectlOptions.Namespace = testServiceAccountNamespace
@@ -84,7 +84,7 @@ func TestK8STillerKubergrunt(t *testing.T) {
 		terraform.Destroy(t, k8sTillerTerratestOptions)
 
 		testServiceAccountNamespace := test_structure.LoadString(t, workingDir, "testServiceAccountNamespace")
-		kubectlOptions := k8s.NewKubectlOptions("", "")
+		kubectlOptions := k8s.NewKubectlOptions("", "", "default")
 		k8s.DeleteNamespace(t, kubectlOptions, testServiceAccountNamespace)
 	})
 
@@ -99,8 +99,7 @@ func TestK8STillerKubergrunt(t *testing.T) {
 		resourceNamespace := k8sTillerTerratestOptions.Vars["resource_namespace"].(string)
 		tmpConfigPath := test_structure.LoadString(t, workingDir, "tmpKubectlConfigPath")
 		testServiceAccountName := test_structure.LoadString(t, workingDir, "testServiceAccountName")
-		kubectlOptions := k8s.NewKubectlOptions(testServiceAccountName, tmpConfigPath)
-		kubectlOptions.Namespace = resourceNamespace
+		kubectlOptions := k8s.NewKubectlOptions(testServiceAccountName, tmpConfigPath, resourceNamespace)
 
 		runHelm(
 			t,
@@ -116,7 +115,7 @@ func TestK8STillerKubergrunt(t *testing.T) {
 		// Make sure the upgrade command mentioned in the docs actually works
 		helmHome := test_structure.LoadString(t, workingDir, "helmHome")
 		tmpConfigPath := test_structure.LoadString(t, workingDir, "tmpKubectlConfigPath")
-		kubectlOptions := k8s.NewKubectlOptions("", tmpConfigPath)
+		kubectlOptions := k8s.NewKubectlOptions("", tmpConfigPath, "default")
 
 		runHelm(
 			t,

test/k8s_tiller_kubergrunt_test.go

@@ -115,7 +115,7 @@ func TestK8STiller(t *testing.T) {
 
 	test_structure.RunTestStage(t, "setup_helm_client", func() {
 		helmHome := test_structure.LoadString(t, workingDir, "helmHome")
-		kubectlOptions := k8s.NewKubectlOptions("", "")
+		kubectlOptions := k8s.NewKubectlOptions("", "", "default")
 		k8sTillerTerratestOptions := test_structure.LoadTerraformOptions(t, workingDir)
 		tillerNamespace := terraform.OutputRequired(t, k8sTillerTerratestOptions, "tiller_namespace")
 		resourceNamespace := terraform.OutputRequired(t, k8sTillerTerratestOptions, "resource_namespace")
@@ -129,8 +129,7 @@ func TestK8STiller(t *testing.T) {
 		helmHome := test_structure.LoadString(t, workingDir, "helmHome")
 		k8sTillerTerratestOptions := test_structure.LoadTerraformOptions(t, workingDir)
 		resourceNamespace := terraform.OutputRequired(t, k8sTillerTerratestOptions, "resource_namespace")
-		kubectlOptions := k8s.NewKubectlOptions("", "")
-		kubectlOptions.Namespace = resourceNamespace
+		kubectlOptions := k8s.NewKubectlOptions("", "", resourceNamespace)
 
 		runHelm(
 			t,