infrastructure/tofu/main.tf

@@ -11,20 +11,28 @@ module "aws_iam_ci_user" {
   source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
 
   name = local.name
-  tests_policy_statements = jsonencode([
+}
-    {
+
+resource "aws_iam_policy" "tftest" {
+  provider = aws.all["root"]
+
+  name = "${local.name}-tftest"
+  policy = jsonencode({
+    Statement = [{
       Action = "iam:*"
       Effect = "Allow"
       Resource = [
         "arn:aws:iam::*:user/tftest-user",
         "arn:aws:iam::*:policy/${local.name}-tftest",
       ]
-    },
+    }]
-    {
+    Version = "2012-10-17"
-      # Necessary for removing an IAM user
+  })
-      Action   = "iam:ListVirtualMFADevices",
+}
-      Effect   = "Allow"
+
-      Resource = "*"
+resource "aws_iam_user_policy_attachment" "tftest" {
-    }
+  provider = aws.all["root"]
-  ])
+
+  policy_arn = aws_iam_policy.tftest.arn
+  user       = local.name
 }

main.tftest.hcl

@@ -1,14 +1,15 @@
 provider "aws" {
-  profile = "tests"
+  profile = "root"
   region  = "eu-west-3"
 }
 
 run "main" {
   assert {
-    condition     = data.external.main.result.Arn == local.expected_arn
+    condition     = output.access_key_id != null
-    error_message = "user ARN mismatch"
+    error_message = "invalid IAM access key ID"
-  }
-  module {
-    source = "./test"
   }
 }
+
+variables {
+  name = "tftest-user"
+}

test/aws_config.tftpl

@@ -1,4 +0,0 @@
-[default]
-aws_access_key_id = ${aws_access_key_id}
-aws_secret_access_key = ${aws_access_key_secret}
-region = eu-west-3

test/main.tf

@@ -1,31 +0,0 @@
-module "main" {
-  source = "../"
-
-  name = "tftest-user"
-}
-
-data "aws_caller_identity" "current" {}
-
-# tflint-ignore: terraform_unused_declarations
-data "external" "main" {
-  program = ["${path.module}/test.sh"]
-
-  depends_on = [local_file.aws_config]
-}
-
-locals {
-  # tflint-ignore: terraform_unused_declarations
-  expected_arn = format(
-    "arn:aws:iam::%s:user/tftest-user",
-    data.aws_caller_identity.current.account_id,
-  )
-}
-
-resource "local_file" "aws_config" {
-  filename        = "${path.module}/aws_config"
-  file_permission = "0600"
-  content = templatefile("${path.module}/aws_config.tftpl", {
-    aws_access_key_id     = module.main.access_key_id
-    aws_access_key_secret = module.main.access_key_secret
-  })
-}

test/providers.tf

@@ -1,15 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source = "hashicorp/aws"
-    }
-    external = {
-      source  = "hashicorp/external"
-      version = "2.3.4"
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "2.5.2"
-    }
-  }
-}

test/test.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Wait a bit for the ACCESS KEY to be usable on AWS
-sleep 10
-
-export AWS_CONFIG_FILE="${PWD}/test/aws_config"
-aws sts get-caller-identity