From 00ee290f2976dad1855168ebf4e7ff1a0efe314c Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Thu, 17 Apr 2025 16:50:33 +0200
Subject: [PATCH 1/2] chore(infrastructure): change the AWS account used for tests
---
infrastructure/tofu/main.tf | 28 ++++++++++------------------
main.tftest.hcl | 2 +-
2 files changed, 11 insertions(+), 19 deletions(-)
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
index 6180f21..ced2b09 100644
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@@ -11,28 +11,20 @@ module "aws_iam_ci_user" {
 source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
 name = local.name
-}
-
-resource "aws_iam_policy" "tftest" {
- provider = aws.all["root"]
-
- name = "${local.name}-tftest"
- policy = jsonencode({
- Statement = [{
+ tests_policy_statements = jsonencode([
+ {
 Action = "iam:*"
 Effect = "Allow"
 Resource = [
 "arn:aws:iam::*:user/tftest-user",
 "arn:aws:iam::*:policy/${local.name}-tftest",
 ]
- }]
- Version = "2012-10-17"
- })
-}
-
-resource "aws_iam_user_policy_attachment" "tftest" {
- provider = aws.all["root"]
-
- policy_arn = aws_iam_policy.tftest.arn
- user = local.name
+ },
+ {
+ # Necessary for removing an IAM user
+ Action = "iam:ListVirtualMFADevices",
+ Effect = "Allow"
+ Resource = "*"
+ }
+ ])
 }
diff --git a/main.tftest.hcl b/main.tftest.hcl
index 1662cf6..f5e0950 100644
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@@ -1,5 +1,5 @@
 provider "aws" {
- profile = "root"
+ profile = "tests"
 region = "eu-west-3"
 }
From c7927f49ebcd571e84c2119af3c9e55e89ed966d Mon Sep 17 00:00:00 2001
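Review bot: The `Resource` ARNs kept in the new `tests_policy_statements`, `arn:aws:iam::*:user/tftest-user` and `arn:aws:iam::*:policy/${local.name}-tftest`, leave the account id as `*`, so the `iam:*` grant is not pinned to the account the CI user lives in; use the concrete account id (via `data.aws_caller_identity`) instead of the wildcard. `iam:*` on that user also covers attaching or putting policies on tftest-user, which lets the CI principal widen the test user's permissions beyond what the tests need, so enumerating the user and access-key create/delete actions the test run appears to exercise, or adding a permissions boundary, keeps this least-privilege. How the module turns `tests_policy_statements` into a policy document, including the `Version` field the removed `aws_iam_policy` carried, lives in the module at ref 1.0.1 outside this diff and is worth confirming. The enclosing `module "aws_iam_ci_user"` block starts above the hunk.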
From: Julien Dessaux
Date: Sat, 26 Apr 2025 00:31:19 +0200
Subject: [PATCH 2/2] test(module): really test the generated access key
---
main.tftest.hcl | 11 +++++------
test/aws_config.tftpl | 4 ++++
test/main.tf | 31 +++++++++++++++++++++++++++++++
test/providers.tf | 15 +++++++++++++++
test/test.sh | 8 ++++++++
5 files changed, 63 insertions(+), 6 deletions(-)
create mode 100644 test/aws_config.tftpl
create mode 100644 test/main.tf
create mode 100644 test/providers.tf
create mode 100755 test/test.sh
diff --git a/main.tftest.hcl b/main.tftest.hcl
index f5e0950..90ccb91 100644
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@@ -5,11 +5,10 @@ provider "aws" {
 run "main" {
 assert {
- condition = output.access_key_id != null
- error_message = "invalid IAM access key ID"
+ condition = data.external.main.result.Arn == local.expected_arn
+ error_message = "user ARN mismatch"
+ }
+ module {
+ source = "./test"
 }
 }
-
-variables {
- name = "tftest-user"
-}
diff --git a/test/aws_config.tftpl b/test/aws_config.tftpl
new file mode 100644
index 0000000..a5470b2
--- /dev/null
+++ b/test/aws_config.tftpl
@@ -0,0 +1,4 @@
+[default]
+aws_access_key_id = ${aws_access_key_id}
+aws_secret_access_key = ${aws_access_key_secret}
+region = eu-west-3
diff --git a/test/main.tf b/test/main.tf
new file mode 100644
index 0000000..450636a
--- /dev/null
+++ b/test/main.tf
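Review bot: `error_message = "user ARN mismatch"` in the new assert drops the two values being compared, so a failure gives nothing to act on; `error_message = "user ARN mismatch: got ${data.external.main.result.Arn}, expected ${local.expected_arn}"` puts them in the test output. The `run "main"` block has no `command`, so it defaults to apply and creates a real IAM user and access key against the `tests` profile on every run, which looks intended but deserves a one-line comment on the run block saying so.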
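Review bot: `region = eu-west-3` is hard-coded in the template while the provider block in main.tftest.hcl sets the same region separately, so the two can drift; passing it in as a template variable, `region = ${region}`, keeps them in step. The rendered file holds a live secret access key, so a leading comment stating that it is generated per test run and must not be committed, plus an ignore-file entry for `test/aws_config`, would help whoever finds it on disk after a failed run.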
@@ -0,0 +1,31 @@
+module "main" {
+ source = "../"
+
+ name = "tftest-user"
+}
+
+data "aws_caller_identity" "current" {}
+
+# tflint-ignore: terraform_unused_declarations
+data "external" "main" {
+ program = ["${path.module}/test.sh"]
+
+ depends_on = [local_file.aws_config]
+}
+
+locals {
+ # tflint-ignore: terraform_unused_declarations
+ expected_arn = format(
+ "arn:aws:iam::%s:user/tftest-user",
+ data.aws_caller_identity.current.account_id,
+ )
+}
+
+resource "local_file" "aws_config" {
+ filename = "${path.module}/aws_config"
+ file_permission = "0600"
+ content = templatefile("${path.module}/aws_config.tftpl", {
+ aws_access_key_id = module.main.access_key_id
+ aws_access_key_secret = module.main.access_key_secret
+ })
+}
diff --git a/test/providers.tf b/test/providers.tf
new file mode 100644
index 0000000..7886647
--- /dev/null
+++ b/test/providers.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = "2.3.4"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "2.5.2"
+ }
+ }
+}
diff --git a/test/test.sh b/test/test.sh
new file mode 100755
index 0000000..325fcd2
--- /dev/null
+++ b/test/test.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wait a bit for the ACCESS KEY to be usable on AWS
+sleep 10
+
+export AWS_CONFIG_FILE="${PWD}/test/aws_config"
+aws sts get-caller-identity
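Review bot: `resource "local_file" "aws_config"` renders `module.main.access_key_secret` into `content`, and `local_file` does not mark `content` sensitive, so unless the module output is already flagged `sensitive` the secret is printed in plan and apply output; `local_sensitive_file`, present in the pinned hashicorp/local 2.5.2, takes the same `filename`, `content` and `file_permission` arguments and redacts it. The `data "external" "main"` block hands `test.sh` no argument or `query`, so the script has to guess where the rendered config is; `program = ["${path.module}/test.sh", local_file.aws_config.filename]` makes the location explicit and carries the dependency, so the `depends_on` can go. A short comment on `locals` noting that `expected_arn` is compared with the `Arn` field of `sts get-caller-identity` run under the freshly created key would also help a reader who has not seen test.sh.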
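Review bot: `aws = { source = "hashicorp/aws" }` has no `version` constraint while `external` and `local` are pinned exactly, so the test module floats on whatever aws provider the root configuration resolves; add `version = "<same constraint as the root module>"` for consistency. A one-line comment at the top saying why this test module declares its own provider requirements (presumably because it is loaded as a separate module by the run block) would explain the duplication with the root.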
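Review bot: `sleep 10` followed by a single `aws sts get-caller-identity` under `set -e` is a fixed guess at IAM propagation time, so the test either waits longer than needed or fails spuriously when the new key is not yet usable; a bounded retry loop handles both. `export AWS_CONFIG_FILE="${PWD}/test/aws_config"` also assumes the working directory is the repository root, while `data "external" "main"` in test/main.tf invokes the script as `${path.module}/test.sh`; reading the config path from the first argument, with the script's own directory as fallback, removes that assumption. In the loop below only the successful call writes JSON to stdout, which is what the external data source expects.
```shell
#!/usr/bin/env bash
set -euo pipefail

# Config file path: first argument, else aws_config next to this script
config_file="${1:-$(dirname "$0")/aws_config}"
export AWS_CONFIG_FILE="$config_file"

# A freshly created access key is eventually consistent; retry with a bound
# instead of a fixed sleep (max ~60s)
for _ in $(seq 1 12); do
  if aws sts get-caller-identity; then
    exit 0
  fi
  sleep 5
done
echo "access key never became usable" >&2
exit 1
```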