Skip to content

TESTING.md

Latest commit

 

History

History
165 lines (119 loc) · 6.91 KB

TESTING.md

File metadata and controls

165 lines (119 loc) · 6.91 KB

Testing Guide — terraform-ec-modules

How to run tests for the shared Terraform modules.

Prerequisites

Tool Version Installation
Terraform >= 1.6 (for terraform test) Install

No AWS credentials required — all tests use mock providers.

Quick Start

# Run tests for a module
cd lambda          # or lambda-layer
terraform init
terraform test

Expected output:

tests/artifact_source.tftest.hcl... in progress
  run "local_mode_creates_archive_file"... pass
  run "local_mode_creates_s3_object"... pass
  run "local_mode_creates_signing_job"... pass
  run "local_mode_s3_key_from_signing_job"... pass
  run "cicd_mode_skips_archive_file"... pass
  run "cicd_mode_skips_s3_object"... pass
  run "cicd_mode_skips_signing_job"... pass
  run "cicd_mode_s3_key_from_variable"... pass
  run "cicd_mode_sets_source_code_hash"... pass
  run "image_mode_skips_all_zip_resources"... pass
  run "local_mode_no_source_code_hash"... pass
  run "cicd_mode_rejects_missing_artifact_s3_key"... pass
  run "cicd_mode_rejects_missing_artifact_hash"... pass
  run "invalid_artifact_source_rejected"... pass

Success! 14 passed, 0 failed.

Test Inventory

Module Test File Tests Coverage
lambda tests/artifact_source.tftest.hcl 14 artifact_source variable: local mode, cicd mode, image mode, validation, precondition rejection
lambda-layer tests/artifact_source.tftest.hcl 13 artifact_source variable: local mode, cicd mode, negative, validation, precondition rejection
lambda-dlq 0 No tests yet

Test Details: lambda/tests/artifact_source.tftest.hcl

Tests the artifact_source variable and its preconditions.

What's Tested

# Test Mode Asserts
1 local_mode_creates_archive_file local archive_file count = 1
2 local_mode_creates_s3_object local aws_s3_object count = 1
3 local_mode_creates_signing_job local aws_signer_signing_job count = 1
4 local_mode_s3_key_from_signing_job local s3_key = signing job output
5 cicd_mode_skips_archive_file cicd archive_file count = 0
6 cicd_mode_skips_s3_object cicd aws_s3_object count = 0
7 cicd_mode_skips_signing_job cicd aws_signer_signing_job count = 0
8 cicd_mode_s3_key_from_variable cicd s3_key = artifact_s3_key variable
9 cicd_mode_sets_source_code_hash cicd source_code_hash = artifact_hash variable
10 image_mode_skips_all_zip_resources cicd+Image All ZIP resources skipped
11 local_mode_no_source_code_hash local source_code_hash not passed through
12 cicd_mode_rejects_missing_artifact_s3_key cicd Precondition rejects missing artifact_s3_key
13 cicd_mode_rejects_missing_artifact_hash cicd Precondition rejects missing artifact_hash
14 invalid_artifact_source_rejected invalid Validation error

Test Fixtures

Tests use minimal fixtures in tests/fixtures/:

File Purpose
index.mjs Minimal Lambda handler
package.json Required by module locals.tf (reads description field)

Mock Providers

All tests use mock_provider blocks — no real AWS calls are made. Key mocks:

  • aws_iam_policy_document — returns valid JSON policy
  • aws_iam_role / aws_iam_policy — returns valid ARNs
  • aws_signer_signing_job — returns signed_object with S3 path
  • archive — fully mocked (no file system operations)

Limitation: Mock providers assign synthetic values to string attributes even when the configuration expression evaluates to null. This means == null assertions on planned string attributes will fail. For example, local_mode_no_source_code_hash asserts != "should-not-appear" instead of == null because the mock provider generates a random string for source_code_hash.

Test Details: lambda-layer/tests/artifact_source.tftest.hcl

Tests the artifact_source variable for lambda layers.

What's Tested

# Test Mode Asserts
1 local_mode_creates_archive_file local archive_file count = 1
2 local_mode_creates_s3_object local aws_s3_object count = 1
3 local_mode_creates_signing_job local aws_signer_signing_job count = 1
4 local_mode_s3_key_from_signing_job local s3_key = signing job output
5 cicd_mode_skips_archive_file cicd archive_file count = 0
6 cicd_mode_skips_s3_object cicd aws_s3_object count = 0
7 cicd_mode_skips_signing_job cicd aws_signer_signing_job count = 0
8 cicd_mode_s3_key_from_variable cicd s3_key = artifact_s3_key variable
9 cicd_mode_sets_source_code_hash cicd source_code_hash = artifact_hash variable
10 local_mode_no_source_code_hash local source_code_hash not set from artifact_hash
11 cicd_mode_rejects_missing_artifact_s3_key cicd Precondition rejects missing artifact_s3_key
12 cicd_mode_rejects_missing_artifact_hash cicd Precondition rejects missing artifact_hash
13 invalid_artifact_source_rejected invalid Validation error

Test Fixtures

Tests use minimal fixtures in tests/fixtures/:

File Purpose
nodejs/node_modules/index.js Minimal placeholder for layer content

Mock Providers

  • aws_signer_signing_job — returns signed_object with S3 path
  • aws_lambda_layer_version — returns version = 1 (required numeric type)
  • archive — fully mocked

Limitation: Mock providers assign synthetic values to string attributes even when the configuration expression evaluates to null. This means == null assertions on planned string attributes will fail. For example, local_mode_no_source_code_hash asserts != "should-not-appear" instead of == null because the mock provider generates a random string for source_code_hash.

Known Warnings

data.aws_region.current.name produces deprecation warnings on AWS provider 5.x. The .name attribute is deprecated in favor of .region, but .region does not exist until provider 6.x. This is accepted until the provider 6 upgrade. See docs/DECISIONS.md → "Revert Provider 6 Attribute Changes".

Adding New Tests

  1. Create a .tftest.hcl file in the module's tests/ directory
  2. Use mock_provider blocks — avoid requiring AWS credentials
  3. Add test fixtures to tests/fixtures/ if needed
  4. Run terraform init && terraform test from the module directory
  5. Update this document with the new test inventory

References