Terraform: Be able to disable/enable modules with conditional

Created on 21 Mar 2017  ยท  27Comments  ยท  Source: hashicorp/terraform

Hi there,

If you are using TF 0.9.0 or TF Enterprise, you are probably trying to have all your environments (dev/stage/production) using the same code base but with different variables.

Main issue right now is that there is no way to enable or disable a module depending of, for example, an environment. You can of course trying to pass multiple variables in parameter of your modules to set all the sub-resources to a count of 0 but it will not work with everything. Am I wrong here ?

So the idea here is to be able to do that :

module "service" {
  source = "../modules/service"
  enable = "${var.environment == "stage" ? true : false }"
  ...
}

This will make the usage of a single code base more flexible.

Any thought ? :)

Most helpful comment

Since module counts feature is complex and need internal refactoring, can we have the enable/disable module feature meanwhile?

All 27 comments

This will be solved with module counts #953 (open issue, not done)

Since module counts feature is complex and need internal refactoring, can we have the enable/disable module feature meanwhile?

I agree with @geniousphp on this one. The module count has been open since Feb 8, 2015. There was a comment on Jun 26, 2017 "so we've prototyped a few approaches so far and haven't yet landed on something that works well." so it doesn't sound like it is coming anytime soon.

However, I did find a pattern that should address all the use cases that @Pryz hinted to

In Module:
variable "enable" {
type = "string"
default
}
resource "resource_type" "name_of_resource" {
count = "${var.enable == "true" ? 1 : 0}"
.....
}

In the tf file:
module "jane_doe_access" {
source = "../modules/service"
enable = "true"
}

You can use boolean logic for count options.

// If you want to configure if a list has an item
count = "${var.enable == "true" && length(var.an_list) > 0 ? 1 : 0}"

// If you want to config based on actual count
count = "${var.enable == "true" && var.a_count > 0 ? var.a_count : 0}"

Yeah @wderezin, I use that same pattern also and I think everyone use it. The thing is that I have many resources in my module that I want to enable/disable. Thus, I ended up with as many repetitive count as resources

@wderezin how do I do that with an aws_iam_policy_document data source?

yeah we use the patten described by @wderezin but like @geniousphp said, it gets ugly when you have multiple resources in the module you want to toggle.

Are there any new on this? The workaround from @wderezin is not really a solution since I have modules with over 20 resources and the whole point to put them into a module was to be able to easily enable/disable them whenever needed.

There was no progress on the module count for over a year. I think a simple "enable" option to turn a module on/off would open a lot of options to reduce code and improve readability without too much effort.

@Crapworks I believe with v0.12 you'll be able to do this, so let's wait :)

It's a must have feature, please update once done. My use case is in lower environment we don't have permission to create pip(we are fine with private IP and it's internal network for testing) but in prod my LB need a pip so I want to enabled disable the public ip configuration for LB based on a flag.

@Chupaka what leads you to believe this will be included with v0.12? I can't seem to find any documented commitment by hashicorp?

@rekahsoft, oops, looks like it will just bring a base for future enchancements :(
https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each

I don't think they are adding this functionality in Terraform 12 as well.

@VipinAgarwal it's actually planned :tada:

Scroll down to the last paragraph:

For a long time, users have wished to be able to use the count meta-argument within module blocks, allowing multiple instances of the same module to be created more easily.

Yeah, but not in 0.12 :(

Also blocked on not being able to do this. Our terraform scripts have evolved from nice, simple, and declarative to monolithic, gnarly, and scary without basic constructs like this.

This is kludgy but what I do is typically copy terraform files as needed to a working directory and use a shell script to wrap around my terraform commands. I use the conditionals within shell driven by parameters in Jenkins to determine which modules to use. For now this seems to be the easiest solution for me so my terraform code remains clean and I only copy modules as needed to the working directory within the same repository.

Is there any update on above?

Any update on this? It seems like a simple feature, so simple in fact that I just implemented as a "count" and was surprised it wasn't going to work.

@wderezin that's the pattern I'm using too, but this is so against DRY it makes my fingers hurt :)

In addition to that, count is still not supported on outputs, and lazy evaluation is still in the making, therefore if you have outputs from optional resources - whether in a module or not - you end up with expected failures when the resources are disabled.

@apparentlymart Tagging you on this one here since you've disable comments on https://github.com/hashicorp/terraform/issues/953

Any update on this ?

Sadly I'm in the same boat as others here trying to use a count. Certain resources just don't play well with adding count to everything. I have modules that call modules that call modules that call modules in order to reuse them as much as possible. Now I have a prod env that is going wildly off the rails due to all those modules not being local copies into this repo so the odds they get updated down the road pretty thin. I'm quite sad to see it's not in 12 as that's most of the office chatter around here. "Wait for 12... Wait for 12." Now I can start the wait for 13 ! lol

I'd like to see this implemented as well. The count parameter github issue is locked and hasn't been updated in almost 2 years.

https://github.com/hashicorp/terraform/issues/953

Bumping this as well - this seems quite fundamental; modules should be count-dependent.

I need the ability to be able to exclude a module also

Use case customer 1 has a dev and prod account, same code but params defined under .tfvars

I need to exclude a module so it is written to prod but not to dev

Relevant for #953: #21643

Count set to zero for the resource "aws_acm_certificate" doesn't help if there is a reference to (intentionally absent) local files for cert body, private key and chain.
Validation fails with "Call to function "file" failed: no file exists at ../path-to-absent/file"

I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

thebenwaters picture thebenwaters  ยท  3Comments

rjinski picture rjinski  ยท  3Comments

ketzacoatl picture ketzacoatl  ยท  3Comments

darron picture darron  ยท  3Comments

larstobi picture larstobi  ยท  3Comments