feat: integration tests with native framework

Author: oycyc

tests/cpu-compatibility.tftest.hcl

@@ -0,0 +1,104 @@
+variables {
+  vpc_id              = "vpc-12345678"
+  subnet_ids          = ["subnet-12345678", "subnet-87654321"]
+  stage               = "test"
+  namespace           = "mp"
+  name                = "ssm-agent"
+  region              = "us-east-1"
+  availability_zones  = ["us-east-1a"]
+  nat_gateway_enabled = true
+  ipv6_enabled        = true
+}
+
+### TESTING INSTANCE and ARCHITECTURE COMPATIBILITY ###
+# https://docs.aws.amazon.com/ec2/latest/instancetypes/instance-type-names.html
+# https://aws.amazon.com/ec2/instance-types/
+
+# Test valid x86_64 instance type
+run "valid_x86_64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t3.micro"
+    architecture  = "x86_64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type t3.micro to be compatible with x86_64 architecture"
+  }
+}
+
+# Test valid arm64 instance type
+run "valid_arm64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t4g.micro"
+    architecture  = "arm64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type t4g.micro to be compatible with arm64 architecture"
+  }
+}
+
+# Test invalid x86_64 instance type (using arm64 instance type)
+run "invalid_x86_64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t4g.micro"
+    architecture  = "x86_64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test invalid arm64 instance type (using x86_64 instance type)
+run "invalid_arm64_instance" {
+  command = plan
+
+  variables {
+    instance_type = "t3.micro"
+    architecture  = "arm64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test edge case, where the 'g' is defined as the instance family rather than the processor family
+# It has 'g' in the name, but it's still an x86_64 instance type because the 'g' is the instance family
+run "graphics_instance_arm_incompatiblity_edge_case" {
+  command = plan
+
+  variables {
+    instance_type = "g3s.xlarge"
+    architecture  = "arm64"
+  }
+
+  expect_failures = [
+    null_resource.validate_instance_type
+  ]
+}
+
+# Test edge case, where the 'g' is defined as the instance family rather than the processor family
+# It has 'g' in the name, but it still is compatible with x86_64 since the 'g' is the instance family
+run "graphics_instance_x86_compatibility_edge_case" {
+  command = plan
+
+  variables {
+    instance_type = "g4dn.xlarge"
+    architecture  = "x86_64"
+  }
+
+  assert {
+    condition     = local.is_instance_compatible
+    error_message = "Expected instance type g3s.xlarge to be compatible with x86_64 architecture"
+  }
+}

tests/main.tftest.hcl

@@ -1,104 +1,96 @@
-variables {
-  vpc_id = "vpc-12345678"
-  subnet_ids = ["subnet-12345678", "subnet-87654321"]
-  stage = "test"
-  namespace = "mp"
-  name = "ssm-agent"
-  region = "us-east-1"
-  availability_zones = ["us-east-1a"]
-  nat_gateway_enabled = true
-  ipv6_enabled = true
-}
+### Integration Tests for the SSM Agent Module
+### This test suite will create the SSM Agent module
+### and validate the resources created by the module,
+### then destroy it.
+
+### `/test-harness/` module is used as a helper to validate resources that aren't in the Terraform state, for example the EC2 instances created from the ASG.
 
-### TESTING INSTANCE and ARCHITECTURE COMPATIBILITY ###
-# https://docs.aws.amazon.com/ec2/latest/instancetypes/instance-type-names.html
-# https://aws.amazon.com/ec2/instance-types/
+run "setup" {
+  module {
+    source = "./tests/setup"
+  }
+}
 
-# Test valid x86_64 instance type
-run "valid_x86_64_instance" {
-  command = plan
+run "create_ssm_agent" {
+  command = apply
 
   variables {
-    instance_type = "t3.micro"
-    architecture = "x86_64"
+    namespace = "mp"
+    stage     = "terraform-test${run.setup.random_number}"
   }
 
-  assert {
-    condition     = local.is_instance_compatible
-    error_message = "Expected instance type t3.micro to be compatible with x86_64 architecture"
+  module {
+    source = "./examples/complete"
   }
-}
 
-# Test valid arm64 instance type
-run "valid_arm64_instance" {
-  command = plan
-
-  variables {
-    instance_type = "t4g.micro"
-    architecture = "arm64"
+  assert {
+    condition     = module.ssm_agent.security_group_id != ""
+    error_message = "The ID of the SSM Agent Security Group is empty, possibly not created."
   }
 
   assert {
-    condition     = local.is_instance_compatible
-    error_message = "Expected instance type t4g.micro to be compatible with arm64 architecture"
+    condition     = module.ssm_agent.launch_template_id != ""
+    error_message = "The ID of the SSM Agent Launch Template is empty, possibly not created."
   }
-}
 
-# Test invalid x86_64 instance type (using arm64 instance type)
-run "invalid_x86_64_instance" {
-  command = plan
+  assert {
+    condition     = module.ssm_agent.autoscaling_group_id != ""
+    error_message = "The ID of the SSM Agent Autoscaling Group is empty, possibly not created."
+  }
 
-  variables {
-    instance_type = "t4g.micro"
-    architecture = "x86_64"
+  assert {
+    condition     = module.ssm_agent.role_id != ""
+    error_message = "The ID of the SSM Agent Role is empty, possibly not created."
   }
 
-  expect_failures = [
-    null_resource.validate_instance_type
-  ]
 }
 
-# Test invalid arm64 instance type (using x86_64 instance type)
-run "invalid_arm64_instance" {
-  command = plan
+run "validate_ssm_agent_data" {
+  module {
+    source = "./tests/test-harness"
+  }
 
   variables {
-    instance_type = "t3.micro"
-    architecture = "arm64"
+    # These variables are based on using the values from `./examples/complete` module since we are using that for the integration tests.
+    instance_name               = "mp-terraform-test${run.setup.random_number}"
+    ssm_document_name_from_test = "SSM-SessionManagerRunShell"
+    iam_role_name_from_test     = run.create_ssm_agent.role_id
   }
 
-  expect_failures = [
-    null_resource.validate_instance_type
-  ]
-}
-
-# Test edge case, where the 'g' is defined as the instance family rather than the processor family
-# It has 'g' in the name, but it's still an x86_64 instance type because the 'g' is the instance family
-run "graphics_instance_arm_incompatiblity_edge_case" {
-  command = plan
+  # The EC2 Instance is not directly created since it is managed by the ASG + Launch Template.
+  # Check that the EC2 instance is actually spun up after this integration test.
+  assert {
+    condition     = data.aws_instance.from_test.arn != ""
+    error_message = "The SSM Agent EC2 instance does not exist."
+  }
+  assert {
+    condition     = contains(["running", "pending"], data.aws_instance.from_test.instance_state)
+    error_message = "The SSM Agent EC2 instance is not running or pending."
+  }
 
-  variables {
-    instance_type = "g3s.xlarge"
-    architecture = "arm64"
+  assert {
+    condition     = tolist(data.aws_instance.from_test.root_block_device)[0].encrypted == true
+    error_message = "The root block device of the SSM Agent EC2 instance is not encrypted."
   }
 
-  expect_failures = [
-    null_resource.validate_instance_type
-  ]
-}
 
-# Test edge case, where the 'g' is defined as the instance family rather than the processor family
-# It has 'g' in the name, but it still is compatible with x86_64 since the 'g' is the instance family
-run "graphics_instance_x86_compatibility_edge_case" {
-  command = plan
+  assert {
+    condition     = data.aws_ssm_document.from_test.content != ""
+    error_message = "The created SSM document content is empty."
+  }
 
-  variables {
-    instance_type = "g4dn.xlarge"
-    architecture = "x86_64"
+  assert {
+    condition     = can(regex("\"Effect\"\\s*:\\s*\"Allow\"", data.aws_iam_role.from_test.assume_role_policy))
+    error_message = "The created IAM role policy must contain Effect: Allow"
+  }
+
+  assert {
+    condition     = can(regex("\"Service\"\\s*:\\s*\"ec2\\.amazonaws\\.com\"", data.aws_iam_role.from_test.assume_role_policy))
+    error_message = "The created IAM role policy must contain Service: ec2.amazonaws.com"
   }
 
   assert {
-    condition     = local.is_instance_compatible
-    error_message = "Expected instance type g3s.xlarge to be compatible with x86_64 architecture"
+    condition     = can(regex("\"Action\"\\s*:\\s*\"sts:AssumeRole\"", data.aws_iam_role.from_test.assume_role_policy))
+    error_message = "The created IAM role policy must contain Action: sts:AssumeRole"
   }
 }

tests/setup/main.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+resource "random_integer" "random_number" {
+  min = 1
+  max = 9999
+}
+
+output "random_number" {
+  value       = random_integer.random_number.result
+  description = "Random number between 1 and 9999"
+}

tests/test-harness/main.tf

@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+data "aws_ssm_document" "from_test" {
+  name = var.ssm_document_name_from_test
+}
+
+data "aws_iam_role" "from_test" {
+  name = var.iam_role_name_from_test
+}
+
+data "aws_instance" "from_test" {
+  filter {
+    name   = "tag:Name"
+    values = [var.instance_name]
+  }
+}

tests/test-harness/variable.tf

@@ -0,0 +1,11 @@
+variable "ssm_document_name_from_test" {
+  type = string
+}
+
+variable "iam_role_name_from_test" {
+  type = string
+}
+
+variable "instance_name" {
+  type = string
+}