test(module): really test the generated access key

chore(infrastructure): change the AWS account used for tests
2025-04-26 18:14:37 +02:00 · 2025-04-17 17:02:05 +02:00
6 changed files with 74 additions and 25 deletions
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@ -11,28 +11,20 @@ module "aws_iam_ci_user" {
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
  name = local.name
-}
+  tests_policy_statements = jsonencode([
-
+    {
 resource "aws_iam_policy" "tftest" {
  provider = aws.all["root"]
  name = "${local.name}-tftest"
  policy = jsonencode({
    Statement = [{
      Action = "iam:*"
      Effect = "Allow"
      Resource = [
        "arn:aws:iam::*:user/tftest-user",
        "arn:aws:iam::*:policy/${local.name}-tftest",
      ]
-    }]
+    },
-    Version = "2012-10-17"
+    {
-  })
+      # Necessary for removing an IAM user
-}
+      Action   = "iam:ListVirtualMFADevices",
-
+      Effect   = "Allow"
-resource "aws_iam_user_policy_attachment" "tftest" {
+      Resource = "*"
-  provider = aws.all["root"]
+    }
-
+  ])
  policy_arn = aws_iam_policy.tftest.arn
  user       = local.name
 }
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@ -1,15 +1,14 @@
 provider "aws" {
-  profile = "root"
+  profile = "tests"
  region  = "eu-west-3"
 }
 run "main" {
  assert {
-    condition     = output.access_key_id != null
+    condition     = data.external.main.result.Arn == local.expected_arn
-    error_message = "invalid IAM access key ID"
+    error_message = "user ARN mismatch"
  }
  module {
    source = "./test"
  }
 }
 variables {
  name = "tftest-user"
 }
--- a/test/aws_config.tftpl
+++ b/test/aws_config.tftpl
@ -0,0 +1,4 @@
 [default]
 aws_access_key_id = ${aws_access_key_id}
 aws_secret_access_key = ${aws_access_key_secret}
 region = eu-west-3
--- a/test/main.tf
+++ b/test/main.tf
@ -0,0 +1,31 @@
 module "main" {
  source = "../"
  name = "tftest-user"
 }
 data "aws_caller_identity" "current" {}
 # tflint-ignore: terraform_unused_declarations
 data "external" "main" {
  program = ["${path.module}/test.sh"]
  depends_on = [local_file.aws_config]
 }
 locals {
  # tflint-ignore: terraform_unused_declarations
  expected_arn = format(
    "arn:aws:iam::%s:user/tftest-user",
    data.aws_caller_identity.current.account_id,
  )
 }
 resource "local_file" "aws_config" {
  filename        = "${path.module}/aws_config"
  file_permission = "0600"
  content = templatefile("${path.module}/aws_config.tftpl", {
    aws_access_key_id     = module.main.access_key_id
    aws_access_key_secret = module.main.access_key_secret
  })
 }
--- a/test/providers.tf
+++ b/test/providers.tf
@ -0,0 +1,15 @@
 terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    external = {
      source  = "hashicorp/external"
      version = "2.3.4"
    }
    local = {
      source  = "hashicorp/local"
      version = "2.5.2"
    }
  }
 }
--- a/test/test.sh
+++ b/test/test.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Wait a bit for the ACCESS KEY to be usable on AWS
 sleep 10
 export AWS_CONFIG_FILE="${PWD}/test/aws_config"
 aws sts get-caller-identity
Author	SHA1	Message	Date
Julien Dessaux	c7927f49eb	test(module): really test the generated access key	2025-04-26 18:14:37 +02:00
Julien Dessaux	00ee290f29	chore(infrastructure): change the AWS account used for tests	2025-04-17 17:02:05 +02:00