From 327207ad17f3069fdd0a76c14d3e07936eff4582 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 23 Sep 2023 15:58:07 -0400 Subject: [PATCH] fix: Ensure conditional creation applies to data sources (#21) --- .pre-commit-config.yaml | 2 +- main.tf | 19 ++++--- tests/README.md | 10 +--- tests/main.tf | 118 +++++----------------------------------- tests/versions.tf | 4 -- 5 files changed, 30 insertions(+), 123 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 75857b4..b5adebd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.2 + rev: v1.83.4 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/main.tf b/main.tf index 5a2db6e..63d4da5 100644 --- a/main.tf +++ b/main.tf @@ -87,14 +87,18 @@ resource "helm_release" "this" { # IAM Role for Service Account(s) (IRSA) ################################################################################ -data "aws_partition" "current" {} -data "aws_caller_identity" "current" {} +data "aws_partition" "current" { + count = local.create_role ? 1 : 0 +} +data "aws_caller_identity" "current" { + count = local.create_role ? 1 : 0 +} locals { create_role = var.create && var.create_role - account_id = data.aws_caller_identity.current.account_id - partition = data.aws_partition.current.partition + account_id = try(data.aws_caller_identity.current[0].account_id, "*") + partition = try(data.aws_partition.current[0].partition, "*") role_name = try(coalesce(var.role_name, var.name), "") role_name_condition = var.role_name_use_prefix ? "${local.role_name}-*" : local.role_name 
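Review bot: The `"*"` fallback in `account_id = try(data.aws_caller_identity.current[0].account_id, "*")` and the matching `partition` line is an IAM wildcard, so any reference to these locals that is not itself gated on `local.create_role` would quietly produce a wildcard ARN or principal instead of an error. The consumers of the two locals are outside this hunk, so whether that can happen today is not visible here; a non-wildcard placeholder such as `account_id = try(data.aws_caller_identity.current[0].account_id, "")` would surface as a malformed ARN rather than an over-broad one. At minimum the intent deserves a comment on those two lines: `# Placeholder only: the data sources are not created when create_role is false, and nothing may build an ARN or principal from these values in that case`. The `locals` block continues past the end of the hunk.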
@@ -184,10 +188,11 @@ locals { create_policy = local.create_role && var.create_policy policy_name = try(coalesce(var.policy_name, local.role_name), "") + perms = concat(var.source_policy_documents, var.override_policy_documents, var.policy_statements) } data "aws_iam_policy_document" "this" { - count = local.create_policy ? 1 : 0 + count = local.create_policy && length(local.perms) > 0 ? 1 : 0 source_policy_documents = var.source_policy_documents override_policy_documents = var.override_policy_documents @@ -235,7 +240,7 @@ data "aws_iam_policy_document" "this" { } resource "aws_iam_policy" "this" { - count = local.create_policy ? 1 : 0 + count = local.create_policy && length(local.perms) > 0 ? 1 : 0 name = var.policy_name_use_prefix ? null : local.policy_name name_prefix = var.policy_name_use_prefix ? "${local.policy_name}-" : null @@ -247,7 +252,7 @@ resource "aws_iam_policy" "this" { } resource "aws_iam_role_policy_attachment" "this" { - count = local.create_policy ? 1 : 0 + count = local.create_policy && length(local.perms) > 0 ? 1 : 0 role = aws_iam_role.this[0].name policy_arn = aws_iam_policy.this[0].arn diff --git a/tests/README.md b/tests/README.md index 722baf7..aa32169 100644 --- a/tests/README.md +++ b/tests/README.md 
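Review bot: The guard `local.create_policy && length(local.perms) > 0 ? 1 : 0` is now written out three times — here on `data "aws_iam_policy_document" "this"`, and in the `@@ -235` and `@@ -247` hunks on `aws_iam_policy.this` and `aws_iam_role_policy_attachment.this` — so a later change to the condition has to be made in three places. Folding it into the local keeps the three `count` lines as the original `count = local.create_policy ? 1 : 0`: `create_policy = local.create_role && var.create_policy && length(local.perms) > 0`; if `local.create_policy` is also read somewhere outside this hunk (an output, for instance), that reader's meaning changes and should be checked. As written, the expression relies on `>` binding tighter than `&&` and the conditional binding loosest, which holds in HCL but reads more plainly with parentheses around the boolean. `concat` also requires all three variables to be lists; their declarations are outside the hunk, so that is worth confirming.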
@@ -26,25 +26,23 @@ Note that this example may create resources which will incur monetary charges on | [terraform](#requirement\_terraform) | >= 1.0 | | [aws](#requirement\_aws) | >= 4.47 | | [helm](#requirement\_helm) | >= 2.9 | -| [kubectl](#requirement\_kubectl) | >= 1.14 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 4.47 | -| [kubectl](#provider\_kubectl) | >= 1.14 | ## Modules | Name | Source | Version | |------|--------|---------| | [disabled](#module\_disabled) | ../ | n/a | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.10 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.16 | | [helm\_release\_irsa](#module\_helm\_release\_irsa) | ../ | n/a | | [helm\_release\_only](#module\_helm\_release\_only) | ../ | n/a | | [irsa\_only](#module\_irsa\_only) | ../ | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -52,12 +50,8 @@ Note that this example may create resources which will incur monetary charges on |------|------| | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [kubectl_manifest.karpenter_example_deployment](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | -| [kubectl_manifest.karpenter_node_template](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | -| [kubectl_manifest.karpenter_provisioner](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs diff --git a/tests/main.tf b/tests/main.tf index 24cfdde..d011ed9 100644 --- a/tests/main.tf +++ b/tests/main.tf 
@@ -6,20 +6,14 @@ provider "helm" { kubernetes { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.this.token - } -} -provider "kubectl" { - apply_retry_count = 30 - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - load_config_file = false - token = data.aws_eks_cluster_auth.this.token -} - -data "aws_eks_cluster_auth" "this" { - name = module.eks.cluster_name + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } } data "aws_caller_identity" "current" {} @@ -157,21 +151,22 @@ module "disabled" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.10" + version = "~> 19.16" - cluster_name = local.name - cluster_version = "1.24" + cluster_name = local.name + cluster_version = "1.27" + cluster_endpoint_public_access = true vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets eks_managed_node_groups = { initial = { - instance_types = ["m5.xlarge"] + instance_types = ["m5.large"] min_size = 1 - max_size = 2 - desired_size = 1 + max_size = 3 + desired_size = 2 } } @@ -185,7 +180,7 @@ module "eks" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -218,7 +213,6 @@ resource "aws_iam_instance_profile" "karpenter" { } data "aws_iam_policy_document" "karpenter_controller" { - # # checkov:skip=CKV_AWS_111 statement { actions = [ "ec2:CreateLaunchTemplate", 
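Review bot: The `exec` block's `args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]` passes no region, so the token request is resolved against whatever region the local `aws` CLI has configured, which can differ from the region the `aws` provider in this file uses and then shows up as an opaque authentication failure. If the fixture keeps its region in a local or variable, passing it explicitly — `args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", <fixture region value>]` — removes the dependency on ambient CLI configuration; the provider's region setting is outside this hunk, so I cannot tell which name applies. The existing comment could also make clear whose credentials mint the token: `# This requires the awscli to be installed locally where Terraform is executed; the token is minted with the CLI's own credential chain and region, not the aws provider's`.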
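Review bot: `cluster_endpoint_public_access = true` in `module "eks"` (the `@@ -157` hunk) exposes the Kubernetes API endpoint to the internet, and the hunk sets no `cluster_endpoint_public_access_cidrs`, so the module's default allow-list applies. For a test fixture that is a deliberate trade-off, since the helm provider connects to the endpoint from wherever Terraform runs, but it should be stated next to the line so the setting is not copied into non-test configurations: `# Test fixture only: public endpoint so the helm provider can reach the API from the Terraform runner; restrict with cluster_endpoint_public_access_cidrs or use private access outside tests`.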
@@ -298,85 +292,3 @@ resource "aws_iam_policy" "karpenter_controller" { tags = local.tags } - -################################################################################ -# Karpenter Provisioner -################################################################################ - -# Workaround - https://github.com/hashicorp/terraform-provider-kubernetes/issues/1380#issuecomment-967022975 -resource "kubectl_manifest" "karpenter_provisioner" { - yaml_body = <<-YAML - --- - apiVersion: karpenter.sh/v1alpha5 - kind: Provisioner - metadata: - name: default - spec: - requirements: - - key: karpenter.sh/capacity-type - operator: In - values: ["spot"] - limits: - resources: - cpu: 1000 - providerRef: - name: default - ttlSecondsAfterEmpty: 30 - YAML - - depends_on = [ - module.helm_release_irsa.helm_release - ] -} - -resource "kubectl_manifest" "karpenter_node_template" { - yaml_body = <<-YAML - apiVersion: karpenter.k8s.aws/v1alpha1 - kind: AWSNodeTemplate - metadata: - name: default - spec: - subnetSelector: - ${local.karpenter_tag_key}: ${module.eks.cluster_name} - securityGroupSelector: - ${local.karpenter_tag_key}: ${module.eks.cluster_name} - tags: - ${local.karpenter_tag_key}: ${module.eks.cluster_name} - YAML - - depends_on = [ - kubectl_manifest.karpenter_provisioner - ] -} - -# Example deployment using the [pause image](https://www.ianlewis.org/en/almighty-pause-container) -# and starts with zero replicas -resource "kubectl_manifest" "karpenter_example_deployment" { - yaml_body = <<-YAML - apiVersion: apps/v1 - kind: Deployment - metadata: - name: inflate - spec: - replicas: 0 - selector: - matchLabels: - app: inflate - template: - metadata: - labels: - app: inflate - spec: - terminationGracePeriodSeconds: 0 - containers: - - name: inflate - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2 - resources: - requests: - cpu: 1 - YAML - - depends_on = [ - kubectl_manifest.karpenter_node_template - ] -} 
diff --git a/tests/versions.tf b/tests/versions.tf index baed9b7..7b6fd45 100644 --- a/tests/versions.tf +++ b/tests/versions.tf @@ -10,9 +10,5 @@ terraform { source = "hashicorp/helm" version = ">= 2.9" } - kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.14" - } } }