Add ability to conditionally create module and conditional IAM role c…
…reation
marcincuber committed Jan 24, 2020
1 parent 6ef8cf3 commit db3f30f
Showing 6 changed files with 46 additions and 12 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -6,7 +6,7 @@ endif

CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
TF_EXAMPLES = $(sort $(dir $(wildcard $(CURRENT_DIR)examples/*/)))
TF_DOCS_VERSION = 0.6.0
TF_DOCS_VERSION = 0.7.0

# Adjust your delimiter here or overwrite via make arguments
DELIM_START = <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
13 changes: 8 additions & 5 deletions README.md
Expand Up @@ -16,6 +16,7 @@ module "eks-node-group" {
source = "umotif-public/eks-node-group/aws"
version = "~> 1.0"
enabled = true
cluster_name = aws_eks_cluster.cluster.id
subnet_ids = ["subnet-1","subnet-2","subnet-3"]
Expand Down Expand Up @@ -62,23 +63,25 @@ Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](http
| min\_size | Minimum number of worker nodes | number | n/a | yes |
| subnet\_ids | A list of subnet IDs to launch resources in | list(string) | n/a | yes |
| ami\_release\_version | AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version | string | `"null"` | no |
| ami\_type | Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to `AL2_x86_64`. Valid values: `AL2_x86_64`, `AL2_x86_64_GPU`. Terraform will only perform drift detection if a configuration value is provided | string | `"AL2_x86_64"` | no |
| ami\_type | Type of Amazon Machine Image \(AMI\) associated with the EKS Node Group. Defaults to `AL2\_x86\_64`. Valid values: `AL2\_x86\_64`, `AL2\_x86\_64\_GPU`. Terraform will only perform drift detection if a configuration value is provided | string | `"AL2_x86_64"` | no |
| create\_iam\_role | Create IAM role for node group. Set to false if pass `node\_role\_arn` as an argument | bool | `"true"` | no |
| disk\_size | Disk size in GiB for worker nodes. Defaults to 20. Terraform will only perform drift detection if a configuration value is provided | number | `"20"` | no |
| ec2\_ssh\_key | SSH key name that should be used to access the worker nodes | string | `"null"` | no |
| instance\_types | Set of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]. Terraform will only perform drift detection if a configuration value is provided | list(string) | `[ "t3.medium" ]` | no |
| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | bool | `"true"` | no |
| instance\_types | Set of instance types associated with the EKS Node Group. Defaults to \["t3.medium"\]. Terraform will only perform drift detection if a configuration value is provided | list(string) | `[ "t3.medium" ]` | no |
| kubernetes\_labels | Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed | map(string) | `{}` | no |
| kubernetes\_version | Kubernetes version. Defaults to EKS Cluster Kubernetes version. Terraform will only perform drift detection if a configuration value is provided | string | `"null"` | no |
| node\_role\_arn | IAM role arn that will be used by managed node group | string | `""` | no |
| source\_security\_group\_ids | Set of EC2 Security Group IDs to allow SSH access (port 22) from on the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0) | list(string) | `[]` | no |
| tags | A map of tags (key-value pairs) passed to resources. | map(string) | `{}` | no |
| source\_security\_group\_ids | Set of EC2 Security Group IDs to allow SSH access \(port 22\) from on the worker nodes. If you specify `ec2\_ssh\_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet \(0.0.0.0/0\) | list(string) | `[]` | no |
| tags | A map of tags \(key-value pairs\) passed to resources. | map(string) | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| iam\_role\_arn | IAM role ARN used by node group. |
| iam\_role\_id | IAM role ID used by node group. |
| node\_group | Outputs from EKS node group. See `aws_eks_node_group` Terraform documentation for values |
| node\_group | Outputs from EKS node group. See `aws\_eks\_node\_group` Terraform documentation for values |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

9 changes: 9 additions & 0 deletions examples/multiaz-node-group/main.tf
Expand Up @@ -130,6 +130,9 @@ resource "aws_iam_role_policy_attachment" "main_AmazonEC2ContainerRegistryReadOn
module "eks-node-group-a" {
source = "../../"

enabled = true
create_iam_role = false

cluster_name = aws_eks_cluster.cluster.id
node_role_arn = aws_iam_role.main.arn
subnet_ids = [module.vpc.private_subnets[0]]
Expand All @@ -155,6 +158,9 @@ module "eks-node-group-a" {
module "eks-node-group-b" {
source = "../../"

enabled = true
create_iam_role = false

cluster_name = aws_eks_cluster.cluster.id
node_role_arn = aws_iam_role.main.arn
subnet_ids = [module.vpc.private_subnets[1]]
Expand All @@ -180,6 +186,9 @@ module "eks-node-group-b" {
module "eks-node-group-c" {
source = "../../"

enabled = true
create_iam_role = false

cluster_name = aws_eks_cluster.cluster.id
node_role_arn = aws_iam_role.main.arn
subnet_ids = [module.vpc.private_subnets[2]]
1 change: 1 addition & 0 deletions examples/single-node-group/main.tf
Expand Up @@ -91,6 +91,7 @@ resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" {
module "eks-node-group" {
source = "../../"

enabled = true
cluster_name = aws_eks_cluster.cluster.id

subnet_ids = flatten([module.vpc.private_subnets])
20 changes: 14 additions & 6 deletions main.tf
@@ -1,4 +1,6 @@
resource "random_id" "main" {
count = var.enabled ? 1 : 0

byte_length = 4

keepers = {
Expand All @@ -16,8 +18,10 @@ resource "random_id" "main" {
}

resource "aws_eks_node_group" "main" {
count = var.enabled ? 1 : 0

cluster_name = var.cluster_name
node_group_name = join("-", [var.cluster_name, random_id.main.id])
node_group_name = join("-", [var.cluster_name, random_id.main[0].id])
node_role_arn = var.node_role_arn == "" ? join("", aws_iam_role.main.*.arn) : var.node_role_arn

subnet_ids = var.subnet_ids
Expand Down Expand Up @@ -53,8 +57,9 @@ resource "aws_eks_node_group" "main" {
}

resource "aws_iam_role" "main" {
count = var.node_role_arn == "" ? 1 : 0
name = "${var.cluster_name}-managed-group-node"
count = var.enabled && var.create_iam_role ? 1 : 0

name = "${var.cluster_name}-managed-group-node"

assume_role_policy = <<EOF
{
Expand All @@ -73,19 +78,22 @@ EOF
}

resource "aws_iam_role_policy_attachment" "main_AmazonEKSWorkerNodePolicy" {
count = var.node_role_arn == "" ? 1 : 0
count = var.enabled && var.create_iam_role ? 1 : 0

policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.main[0].name
}

resource "aws_iam_role_policy_attachment" "main_AmazonEKS_CNI_Policy" {
count = var.node_role_arn == "" ? 1 : 0
count = var.enabled && var.create_iam_role ? 1 : 0

policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.main[0].name
}

resource "aws_iam_role_policy_attachment" "main_AmazonEC2ContainerRegistryReadOnly" {
count = var.node_role_arn == "" ? 1 : 0
count = var.enabled && var.create_iam_role ? 1 : 0

policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.main[0].name
}
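Review bot: The `node_role_arn` argument of `aws_eks_node_group.main` still selects the role with `var.node_role_arn == ""`, while the `count` on `aws_iam_role.main` and its three policy attachments now uses `var.enabled && var.create_iam_role`, so the two conditions can disagree. With `create_iam_role = false` and `node_role_arn` left at its default `""`, `join("", aws_iam_role.main.*.arn)` evaluates to an empty string and the node group is planned with no role, failing only at apply; with `create_iam_role = true` and a `node_role_arn` supplied, the role and attachments are still created although nothing references them, leaving an unused privileged role in the account. Keying the selection on the same flag, `node_role_arn = var.create_iam_role ? join("", aws_iam_role.main.*.arn) : var.node_role_arn`, makes the choice single-sourced, and a plan-time check that `node_role_arn` is non-empty when `create_iam_role` is false would be worth adding where the module's Terraform version allows it. The bodies of `aws_eks_node_group.main` and `aws_iam_role.main` continue outside the hunk.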
13 changes: 13 additions & 0 deletions variables.tf
Expand Up @@ -82,3 +82,16 @@ variable "source_security_group_ids" {
default = []
description = "Set of EC2 Security Group IDs to allow SSH access (port 22) from on the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0)"
}

variable "enabled" {
type = bool
description = "Whether to create the resources. Set to `false` to prevent the module from creating any resources"
default = true
}

variable "create_iam_role" {
type = bool
description = "Create IAM role for node group. Set to false if pass `node_role_arn` as an argument"
default = true
}
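Review bot: The description of `create_iam_role` ("Set to false if pass `node_role_arn` as an argument") is ungrammatical and does not tell the caller that `node_role_arn` becomes required when the flag is false, nor that setting both creates a role the node group never uses. Suggest `description = "Create an IAM role for the node group. Set to false and supply node_role_arn to use an existing role; node_role_arn is required when this is false"`. The same text is repeated in the README inputs table and should be updated together with it.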
