Merge pull request #28 from gruntwork-io/yori-conditional-namespace

yorinasub17 · web-flow · commit fb4271f53968 · 2019-05-06T14:31:18.000-07:00
Implement create_resources flag for k8s-namespace and k8s-namespace-roles
diff --git a/modules/k8s-namespace-roles/main.tf b/modules/k8s-namespace-roles/main.tf
@@ -37,6 +37,9 @@ resource "null_resource" "dependency_getter" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_role" "rbac_role_access_all" {
+  count      = "${var.create_resources ? 1 : 0}"
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     name        = "${var.namespace}-access-all"
     namespace   = "${var.namespace}"
@@ -49,11 +52,12 @@ resource "kubernetes_role" "rbac_role_access_all" {
     resources  = ["*"]
     verbs      = ["*"]
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
 
 resource "kubernetes_role" "rbac_role_access_read_only" {
+  count      = "${var.create_resources ? 1 : 0}"
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     name        = "${var.namespace}-access-read-only"
     namespace   = "${var.namespace}"
@@ -66,15 +70,16 @@ resource "kubernetes_role" "rbac_role_access_read_only" {
     resources  = ["*"]
     verbs      = ["get", "list", "watch"]
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
 
 # These RBAC role permissions are based on the official example regarding deploying Tiller in a namespace to manage
 # resources in another namespace.
 # See https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-in-another-namespace
 
 resource "kubernetes_role" "rbac_tiller_metadata_access" {
+  count      = "${var.create_resources ? 1 : 0}"
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     name        = "${var.namespace}-tiller-metadata-access"
     namespace   = "${var.namespace}"
@@ -87,11 +92,12 @@ resource "kubernetes_role" "rbac_tiller_metadata_access" {
     resources  = ["secrets"]
     verbs      = ["*"]
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
 
 resource "kubernetes_role" "rbac_tiller_resource_access" {
+  count      = "${var.create_resources ? 1 : 0}"
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     name        = "${var.namespace}-tiller-resource-access"
     namespace   = "${var.namespace}"
@@ -121,6 +127,4 @@ resource "kubernetes_role" "rbac_tiller_resource_access" {
     resources = ["poddisruptionbudgets"]
     verbs     = ["*"]
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
diff --git a/modules/k8s-namespace-roles/outputs.tf b/modules/k8s-namespace-roles/outputs.tf
@@ -1,19 +1,19 @@
 output "rbac_access_all_role" {
   description = "The name of the RBAC role that grants admin level permissions on the namespace."
-  value       = "${kubernetes_role.rbac_role_access_all.metadata.0.name}"
+  value       = "${element(concat(kubernetes_role.rbac_role_access_all.*.metadata.0.name, list("")), 0)}"
 }
 
 output "rbac_access_read_only_role" {
   description = "The name of the RBAC role that grants read only permissions on the namespace."
-  value       = "${kubernetes_role.rbac_role_access_read_only.metadata.0.name}"
+  value       = "${element(concat(kubernetes_role.rbac_role_access_read_only.*.metadata.0.name, list("")), 0)}"
 }
 
 output "rbac_tiller_metadata_access_role" {
   description = "The name of the RBAC role that grants minimal permissions for Tiller to manage its metadata. Use this role if Tiller will be deployed into this namespace."
-  value       = "${kubernetes_role.rbac_tiller_metadata_access.metadata.0.name}"
+  value       = "${element(concat(kubernetes_role.rbac_tiller_metadata_access.*.metadata.0.name, list("")), 0)}"
 }
 
 output "rbac_tiller_resource_access_role" {
   description = "The name of the RBAC role that grants minimal permissions for Tiller to manage resources in this namespace."
-  value       = "${kubernetes_role.rbac_tiller_resource_access.metadata.0.name}"
+  value       = "${element(concat(kubernetes_role.rbac_tiller_resource_access.*.metadata.0.name, list("")), 0)}"
 }
diff --git a/modules/k8s-namespace-roles/variables.tf b/modules/k8s-namespace-roles/variables.tf
@@ -24,6 +24,11 @@ variable "annotations" {
   default     = {}
 }
 
+variable "create_resources" {
+  description = "Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace roles should be created or not."
+  default     = true
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # MODULE DEPENDENCIES
 # Workaround Terraform limitation where there is no module depends_on.
diff --git a/modules/k8s-namespace/main.tf b/modules/k8s-namespace/main.tf
@@ -31,13 +31,14 @@ resource "null_resource" "dependency_getter" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "kubernetes_namespace" "namespace" {
+  count      = "${var.create_resources ? 1 : 0}"
+  depends_on = ["null_resource.dependency_getter"]
+
   metadata {
     name        = "${var.name}"
     labels      = "${var.labels}"
     annotations = "${var.annotations}"
   }
-
-  depends_on = ["null_resource.dependency_getter"]
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -48,8 +49,10 @@ resource "kubernetes_namespace" "namespace" {
 module "namespace_roles" {
   source = "../k8s-namespace-roles"
 
-  namespace    = "${kubernetes_namespace.namespace.id}"
-  labels       = "${var.labels}"
-  annotations  = "${var.annotations}"
-  dependencies = ["${var.dependencies}"]
+  namespace   = "${kubernetes_namespace.namespace.id}"
+  labels      = "${var.labels}"
+  annotations = "${var.annotations}"
+
+  create_resources = "${var.create_resources}"
+  dependencies     = ["${var.dependencies}"]
 }
diff --git a/modules/k8s-namespace/outputs.tf b/modules/k8s-namespace/outputs.tf
@@ -1,6 +1,6 @@
 output "name" {
   description = "The name of the created namespace."
-  value       = "${kubernetes_namespace.namespace.id}"
+  value       = "${element(concat(kubernetes_namespace.namespace.*.id, list("")), 0)}"
 }
 
 output "rbac_access_all_role" {
diff --git a/modules/k8s-namespace/variables.tf b/modules/k8s-namespace/variables.tf
@@ -24,6 +24,11 @@ variable "annotations" {
   default     = {}
 }
 
+variable "create_resources" {
+  description = "Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Namespace should be created or not."
+  default     = true
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # MODULE DEPENDENCIES
 # Workaround Terraform limitation where there is no module depends_on.

Original file line number	Diff line number	Diff line change
`@@ -1,19 +1,19 @@`
`1`	`1`	`output "rbac_access_all_role" {`
`2`	`2`	`description = "The name of the RBAC role that grants admin level permissions on the namespace."`
`3`		`- value = "${kubernetes_role.rbac_role_access_all.metadata.0.name}"`
	`3`	`+ value = "${element(concat(kubernetes_role.rbac_role_access_all.*.metadata.0.name, list("")), 0)}"`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "rbac_access_read_only_role" {`
`7`	`7`	`description = "The name of the RBAC role that grants read only permissions on the namespace."`
`8`		`- value = "${kubernetes_role.rbac_role_access_read_only.metadata.0.name}"`
	`8`	`+ value = "${element(concat(kubernetes_role.rbac_role_access_read_only.*.metadata.0.name, list("")), 0)}"`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`output "rbac_tiller_metadata_access_role" {`
`12`	`12`	`description = "The name of the RBAC role that grants minimal permissions for Tiller to manage its metadata. Use this role if Tiller will be deployed into this namespace."`
`13`		`- value = "${kubernetes_role.rbac_tiller_metadata_access.metadata.0.name}"`
	`13`	`+ value = "${element(concat(kubernetes_role.rbac_tiller_metadata_access.*.metadata.0.name, list("")), 0)}"`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`output "rbac_tiller_resource_access_role" {`
`17`	`17`	`description = "The name of the RBAC role that grants minimal permissions for Tiller to manage resources in this namespace."`
`18`		`- value = "${kubernetes_role.rbac_tiller_resource_access.metadata.0.name}"`
	`18`	`+ value = "${element(concat(kubernetes_role.rbac_tiller_resource_access.*.metadata.0.name, list("")), 0)}"`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`output "name" {`
`2`	`2`	`description = "The name of the created namespace."`
`3`		`- value = "${kubernetes_namespace.namespace.id}"`
	`3`	`+ value = "${element(concat(kubernetes_namespace.namespace.*.id, list("")), 0)}"`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "rbac_access_all_role" {`