Adds enabled flag to completely disable resources (#50)

Sean Sundberg · web-flow · commit 6e7aa6c4edd8 · 2022-02-16T16:51:21.000-08:00
Signed-off-by: Sean Sundberg &lt;seansund@us.ibm.com&gt;
diff --git a/.github/scripts/validate-deploy.sh b/.github/scripts/validate-deploy.sh
@@ -5,6 +5,15 @@ SCRIPT_DIR=$(cd $(dirname "$0"); pwd -P)
 echo "terraform.tfvars"
 cat terraform.tfvars
 
+ENABLED=$(cat .enabled)
+
+if [[ "${ENABLED}" == "false" ]]; then
+  echo "The VPC is not enabled. Listing terraform state."
+
+  terraform state list
+  exit 0
+fi
+
 PREFIX_NAME=$(cat terraform.tfvars | grep name_prefix | sed "s/name_prefix=//g" | sed 's/"//g' | sed "s/_/-/g")
 REGION=$(cat terraform.tfvars | grep -E "^region" | sed "s/region=//g" | sed 's/"//g')
 RESOURCE_GROUP_NAME=$(cat terraform.tfvars | grep resource_group_name | sed "s/resource_group_name=//g" | sed 's/"//g')
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -13,15 +13,18 @@ jobs:
   verify:
     if: ${{ !contains( github.event.pull_request.labels.*.name, 'skip ci' ) }}
     runs-on: ubuntu-latest
-    container: quay.io/ibmgaragecloud/cli-tools:v0.12.0-lite
+    container: quay.io/ibmgaragecloud/cli-tools:v0.15
 
     strategy:
       matrix:
         platform:
           - vpc_count
           - vpc_count_cidr
+        enabled:
+          - true
+          - false
       max-parallel: 1
-      fail-fast: false
+      fail-fast: true
 
     env:
       HOME: /home/devops
@@ -38,6 +41,7 @@ jobs:
           validateDeployScript: .github/scripts/validate-deploy.sh
         env:
           TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
+          TF_VAR_enabled: ${{ matrix.enabled }}
           IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
 
       - name: Verify destroy on ${{ matrix.platform }}
@@ -47,6 +51,7 @@ jobs:
           clusterId: ${{ matrix.platform }}
         env:
           TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
+          TF_VAR_enabled: ${{ matrix.enabled }}
           IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
 
   verifyMetadata:
diff --git a/main.tf b/main.tf
@@ -5,19 +5,20 @@ locals {
   vpc_zone_names    = [ for index in range(max(local.zone_count, var.address_prefix_count)): "${var.region}-${(index % local.zone_count) + 1}" ]
   prefix_name       = var.name_prefix != "" && var.name_prefix != null ? var.name_prefix : var.resource_group_name
   vpc_name          = lower(replace(var.name != "" ? var.name : "${local.prefix_name}-vpc", "_", "-"))
-  vpc_id            = data.ibm_is_vpc.vpc.id
+  vpc_id            = lookup(local.vpc, "id", "")
   security_group_count = var.provision ? 2 : 0
-  security_group_ids = var.provision ? [ data.ibm_is_vpc.vpc.default_security_group, data.ibm_is_security_group.base.id ] : []
-  acl_id            = data.ibm_is_vpc.vpc.default_network_acl
-  crn               = data.ibm_is_vpc.vpc.resource_crn
+  security_group_ids = var.provision && var.enabled ? [ lookup(local.vpc, "default_security_group", ""), data.ibm_is_security_group.base[0].id ] : []
+  acl_id            = lookup(local.vpc, "default_network_acl", "")
+  crn               = lookup(local.vpc, "resource_crn", "")
   ipv4_cidr_provided = var.address_prefix_count > 0 && length(var.address_prefixes) >= var.address_prefix_count
   ipv4_cidr_block    = local.ipv4_cidr_provided ? var.address_prefixes : [ for val in range(var.address_prefix_count): "" ]
   provision_cidr     = var.provision && local.ipv4_cidr_provided
   base_security_group_name = var.base_security_group_name != null && var.base_security_group_name != "" ? var.base_security_group_name : "${local.vpc_name}-base"
+  vpc               = try(var.enabled ? data.ibm_is_vpc.vpc[0] : tomap(false), {})
 }
 
 resource ibm_is_vpc vpc {
-  count = var.provision ? 1 : 0
+  count = var.provision && var.enabled ? 1 : 0
 
   name                        = local.vpc_name
   resource_group              = var.resource_group_id
@@ -28,23 +29,26 @@ resource ibm_is_vpc vpc {
 }
 
 data ibm_is_vpc vpc {
+  count      = var.enabled ? 1 : 0
   depends_on = [ibm_is_vpc.vpc]
 
   name = local.vpc_name
 }
 
 resource ibm_is_vpc_address_prefix cidr_prefix {
-  count = local.provision_cidr ? var.address_prefix_count : 0
+  count = local.provision_cidr && var.enabled ? var.address_prefix_count : 0
 
   name  = "${local.vpc_name}-cidr-${format("%02s", count.index)}"
   zone  = local.vpc_zone_names[count.index]
-  vpc   = data.ibm_is_vpc.vpc.id
+  vpc   = lookup(local.vpc, "id", "")
   cidr  = local.ipv4_cidr_block[count.index]
   is_default = count.index < local.zone_count
 }
 
 resource ibm_is_network_acl_rule allow_internal_egress {
-  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  count      = var.enabled ? 1 : 0
+
+  network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "allow-internal-egress"
   action      = "allow"
   source      = var.internal_cidr
@@ -53,17 +57,21 @@ resource ibm_is_network_acl_rule allow_internal_egress {
 }
 
 resource ibm_is_network_acl_rule allow_internal_ingress {
-  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  count      = var.enabled ? 1 : 0
+
+  network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "allow-internal-ingress"
   action      = "allow"
   source      = var.internal_cidr
   destination = var.internal_cidr
   direction   = "inbound"
-  before      = ibm_is_network_acl_rule.deny_external_ssh.rule_id
+  before      = lookup(ibm_is_network_acl_rule.deny_external_ssh[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_ssh {
-  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  count      = var.enabled ? 1 : 0
+
+  network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "deny-external-ssh"
   action      = "deny"
   source      = "0.0.0.0/0"
@@ -75,11 +83,13 @@ resource ibm_is_network_acl_rule deny_external_ssh {
     source_port_max = 22
     source_port_min = 22
   }
-  before      = ibm_is_network_acl_rule.deny_external_rdp.rule_id
+  before      = lookup(ibm_is_network_acl_rule.deny_external_rdp[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_rdp {
-  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  count      = var.enabled ? 1 : 0
+
+  network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "deny-external-rdp"
   action      = "deny"
   source      = "0.0.0.0/0"
@@ -91,11 +101,13 @@ resource ibm_is_network_acl_rule deny_external_rdp {
     source_port_max = 3389
     source_port_min = 3389
   }
-  before = ibm_is_network_acl_rule.deny_external_ingress.rule_id
+  before      = lookup(ibm_is_network_acl_rule.deny_external_ingress[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_ingress {
-  network_acl    = data.ibm_is_vpc.vpc.default_network_acl
+  count      = var.enabled ? 1 : 0
+
+  network_acl    = lookup(local.vpc, "default_network_acl", "")
   name           = "deny-external-ingress"
   action         = "deny"
   source         = "0.0.0.0/0"
@@ -104,30 +116,25 @@ resource ibm_is_network_acl_rule deny_external_ingress {
 }
 
 resource ibm_is_security_group base {
-  count = var.provision ? 1 : 0
+  count = var.provision && var.enabled ? 1 : 0
 
   name = local.base_security_group_name
-  vpc  = data.ibm_is_vpc.vpc.id
+  vpc  = lookup(local.vpc, "id", "")
   resource_group = var.resource_group_id
 }
 
 data ibm_is_security_group base {
+  count      = var.enabled ? 1 : 0
   depends_on = [ibm_is_security_group.base]
 
   name = local.base_security_group_name
 }
 
-resource null_resource print_sg_name {
-  depends_on = [data.ibm_is_security_group.base]
-
-  provisioner "local-exec" {
-    command = "echo 'SG name: ${data.ibm_is_security_group.base.name != null ? data.ibm_is_security_group.base.name : "null"}'"
-  }
-}
-
 # from https://cloud.ibm.com/docs/vpc?topic=vpc-service-endpoints-for-vpc
 resource ibm_is_security_group_rule default_inbound_ping {
-  group     = data.ibm_is_vpc.vpc.default_security_group
+  count      = var.enabled ? 1 : 0
+
+  group     = lookup(local.vpc, "default_security_group", "")
   direction = "inbound"
   remote    = "0.0.0.0/0"
 
@@ -137,7 +144,9 @@ resource ibm_is_security_group_rule default_inbound_ping {
 }
 
 resource ibm_is_security_group_rule default_inbound_http {
-  group     = data.ibm_is_vpc.vpc.default_security_group
+  count      = var.enabled ? 1 : 0
+
+  group     = lookup(local.vpc, "default_security_group", "")
   direction = "inbound"
   remote    = "0.0.0.0/0"
 
@@ -148,7 +157,7 @@ resource ibm_is_security_group_rule default_inbound_http {
 }
 
 resource ibm_is_security_group_rule cse_dns_1 {
-  count = local.security_group_count
+  count = var.enabled ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -160,7 +169,7 @@ resource ibm_is_security_group_rule cse_dns_1 {
 }
 
 resource ibm_is_security_group_rule cse_dns_2 {
-  count = local.security_group_count
+  count = var.enabled ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -172,7 +181,7 @@ resource ibm_is_security_group_rule cse_dns_2 {
 }
 
 resource ibm_is_security_group_rule private_dns_1 {
-  count = local.security_group_count
+  count = var.enabled ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -184,7 +193,7 @@ resource ibm_is_security_group_rule private_dns_1 {
 }
 
 resource ibm_is_security_group_rule private_dns_2 {
-  count = local.security_group_count
+  count = var.enabled ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
diff --git a/outputs.tf b/outputs.tf
@@ -40,11 +40,11 @@ output "ids" {
 }
 
 output "base_security_group" {
-  value       = data.ibm_is_security_group.base.id
+  value       = var.enabled ? data.ibm_is_security_group.base[0].id : ""
   description = "The id of the base security group to be shared by other resources. The base group is different from the default security group."
 }
 
 output "addresses" {
-  value = data.ibm_is_vpc.vpc.cse_source_addresses[*].address
+  value = [for obj in lookup(local.vpc, "cse_source_addresses[*]", []): obj.address]
   description = "The ip address ranges for the VPC"
 }
diff --git a/test/stages/stage2-vpc.tf b/test/stages/stage2-vpc.tf
@@ -7,4 +7,11 @@ module "dev_vpc" {
   name_prefix          = var.name_prefix
   address_prefix_count = var.address_prefix_count
   address_prefixes     = jsondecode(var.address_prefixes)
+  enabled              = var.enabled
+}
+
+resource null_resource print_enabled {
+  provisioner "local-exec" {
+    command = "echo -n '${var.enabled}' > .enabled"
+  }
 }
diff --git a/test/stages/variables.tf b/test/stages/variables.tf
@@ -57,3 +57,8 @@ variable "address_prefixes" {
 variable "address_prefix_count" {
   default = 0
 }
+
+variable "enabled" {
+  default = true
+  type = bool
+}
diff --git a/variables.tf b/variables.tf
@@ -55,3 +55,9 @@ variable "internal_cidr" {
   description = "The cidr range of the internal network"
   default     = "10.0.0.0/8"
 }
+
+variable "enabled" {
+  type        = bool
+  description = "Flag to indicate that IBM VPC module should be enabled"
+  default     = true
+}
diff --git a/version.tf b/version.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.15.0"
 
   required_providers {
     ibm = {

Original file line number	Diff line number	Diff line change
`@@ -40,11 +40,11 @@ output "ids" {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`output "base_security_group" {`
`43`		`- value = data.ibm_is_security_group.base.id`
	`43`	`+ value = var.enabled ? data.ibm_is_security_group.base[0].id : ""`
`44`	`44`	`description = "The id of the base security group to be shared by other resources. The base group is different from the default security group."`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`output "addresses" {`
`48`		`- value = data.ibm_is_vpc.vpc.cse_source_addresses[*].address`
	`48`	`+ value = [for obj in lookup(local.vpc, "cse_source_addresses[*]", []): obj.address]`
`49`	`49`	`description = "The ip address ranges for the VPC"`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,3 +57,8 @@ variable "address_prefixes" {`
`57`	`57`	`variable "address_prefix_count" {`
`58`	`58`	`default = 0`
`59`	`59`	`}`
	`60`	`+`
	`61`	`+variable "enabled" {`
	`62`	`+ default = true`
	`63`	`+ type = bool`
	`64`	`+}`