test(module): really test the generated access key

main.tftest.hcl

@@ -5,11 +5,10 @@ provider "aws" {
 
 run "main" {
   assert {
-    condition     = output.access_key_id != null
-    error_message = "invalid IAM access key ID"
+    condition     = data.external.main.result.Arn == local.expected_arn
+    error_message = "user ARN mismatch"
+  }
+  module {
+    source = "./test"
   }
 }
-
-variables {
-  name = "tftest-user"
-}

test/aws_config.tftpl

@@ -0,0 +1,4 @@
+[default]
+aws_access_key_id = ${aws_access_key_id}
+aws_secret_access_key = ${aws_access_key_secret}
+region = eu-west-3

test/main.tf

@@ -0,0 +1,31 @@
+module "main" {
+  source = "../"
+
+  name = "tftest-user"
+}
+
+data "aws_caller_identity" "current" {}
+
+# tflint-ignore: terraform_unused_declarations
+data "external" "main" {
+  program = ["${path.module}/test.sh"]
+
+  depends_on = [local_file.aws_config]
+}
+
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  expected_arn = format(
+    "arn:aws:iam::%s:user/tftest-user",
+    data.aws_caller_identity.current.account_id,
+  )
+}
+
+resource "local_file" "aws_config" {
+  filename        = "${path.module}/aws_config"
+  file_permission = "0600"
+  content = templatefile("${path.module}/aws_config.tftpl", {
+    aws_access_key_id     = module.main.access_key_id
+    aws_access_key_secret = module.main.access_key_secret
+  })
+}

test/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    external = {
+      source  = "hashicorp/external"
+      version = "2.3.4"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.5.2"
+    }
+  }
+}

test/test.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wait a bit for the ACCESS KEY to be usable on AWS
+sleep 10
+
+export AWS_CONFIG_FILE="${PWD}/test/aws_config"
+aws sts get-caller-identity