initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,3 @@
+assume_role_arn   = "bad_arn"
+aws_cli_commands  = ["version"]
+role_session_name = "bad_arn"
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ -f $PLAN_FILE ]]; then
+  echo "Incorrectly generated a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! -z "$(cat $PLAN_LOG_FILE)" ]]; then
+  echo "Incorrectly generated content in the plan log file - $PLAN_LOG_FILE";
+  exit 2;
+fi
+
+if [[ ! "$(cat $PLAN_ERROR_FILE)" == *'The optional ARN must match the format documented in'* ]]; then
+  echo 'Failed to detect invalid ARN.';
+  exit 3;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+TEST_PATH=$(dirname $1)
+TEST_NAME=$(basename $TEST_PATH)
+
+echo "Start   : $TEST_PATH"
+
+TERRAFORM_TFVARS=$TEST_PATH/terraform.tfvars
+EXPECTED_VARIABLES=$TEST_PATH/expected_variables.json
+
+RESOURCE_PATH=test-reports/$TEST_NAME
+mkdir -p $RESOURCE_PATH
+
+INIT_LOG_FILE=$RESOURCE_PATH/init.log
+INIT_ERROR_FILE=$RESOURCE_PATH/init.error.log
+PLAN_FILE=$RESOURCE_PATH/terraform.plan
+PLAN_LOG_FILE=$RESOURCE_PATH/plan.log
+PLAN_ERROR_FILE=$RESOURCE_PATH/plan.error.log
+STATE_FILE=$RESOURCE_PATH/terraform.tfstate
+APPLY_LOG_FILE=$RESOURCE_PATH/apply.log
+APPLY_ERROR_FILE=$RESOURCE_PATH/apply.error.log
+DEBUG_LOG_FILE=$RESOURCE_PATH/debug.log
+
+terraform init > $INIT_LOG_FILE 2> $INIT_ERROR_FILE
+
+terraform plan -var-file=$TERRAFORM_TFVARS -out=$PLAN_FILE > $PLAN_LOG_FILE 2> $PLAN_ERROR_FILE
+
+run_test
+
+echo "Passed  : $TEST_PATH"
@@ -0,0 +1,24 @@
+{
+  "assume_role_arn": {
+    "value": ""
+  },
+  "aws_cli_commands": {
+    "value": [
+      "guardduty",
+      "update-detector",
+      "--finding-publishing-frequency",
+      "ONE_HOUR",
+      "--detector-id",
+      "0123456789abcdef0123456789abcdef"
+    ]
+  },
+  "aws_cli_query": {
+    "value": ""
+  },
+  "debug_log_filename": {
+    "value": ""
+  },
+  "role_session_name": {
+    "value": "empty_result"
+  }
+}
@@ -0,0 +1,26 @@
+This test requires Guard Duty. As this is a paid service, the test is disabled.
+
+The test can be enabled by running the following commands with a suitable profile or set of AWS credentials in play.
+
+1. Create the Guard Duty detector
+
+   aws guardduty create-detector --enable
+
+
+2. Get the detector ID
+
+   aws guardduty list-detectors --query='DetectorIds[0]'
+
+
+3. Copy the detector ID reported into terraform.tfvars and update the expected_variables.json file to match, replacing
+   0123456789abcdef0123456789abcdef (unless that's your detector ID of course! ... It COULD happen!)
+
+
+4. Change the RUN_TEST to true in ./test.sh
+
+
+Once you've finished the testing, revert the changes above, and disable the detector using
+
+   aws guardduty delete-detector --detector-id <detector_id>
+
+replacing <detector_id> with the detector ID you extracted in step 2 above.
@@ -0,0 +1,3 @@
+// An empty result from AWS
+aws_cli_commands  = ["guardduty", "update-detector", "--finding-publishing-frequency", "ONE_HOUR", "--detector-id", "0123456789abcdef0123456789abcdef"]
+role_session_name = "empty_result"
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ ! -f $PLAN_FILE ]]; then
+  echo "Failed to generate a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! "$(terraform show -json $PLAN_FILE | jq -MSr .variables)" == "$(cat $EXPECTED_VARIABLES)" ]]; then
+  echo 'Failed to incorporate expected variable values into plan.';
+  exit 2;
+fi
+
+terraform apply -auto-approve -backup=- -state-out $STATE_FILE -var-file $TERRAFORM_TFVARS > $APPLY_LOG_FILE 2> $APPLY_ERROR_FILE
+
+if [[ ! -f $STATE_FILE ]]; then
+  echo "Failed to generate state file - $STATE_FILE";
+  exit 3;
+fi
+
+# Validate the presence of the plan error file.
+if [[ ! -f $PLAN_ERROR_FILE ]]; then
+  echo "Failed to generate plan error file - $PLAN_ERROR_FILE";
+  exit 4;
+fi
+
+# Validate the plan error file is empty.
+if [[ -s $PLAN_ERROR_FILE ]]; then
+  echo "Plan error file is not empty - $PLAN_ERROR_FILE";
+  exit 5;
+fi
+}
+
+# Set to true to allow this test to run
+RUN_TEST=false
+if [[ "$RUN_TEST" == "false" ]]; then
+  echo "Start   : $(dirname $0)";
+  echo "Skipped : $(dirname $0) : See $(dirname $0)/notes.txt";
+else
+  . tests/common.sh $0
+fi
@@ -0,0 +1,4 @@
+// 64 characters, but $ is invalid
+role_session_name  = "$234567890123456789012345678901234567890123456789012345678901234"
+aws_cli_commands   = ["version"]
+debug_log_filename = "test-reports/role_session_name_invalid_characters/debug.log"
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ -f $PLAN_FILE ]]; then
+  echo "Incorrectly generated a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! -z "$(cat $PLAN_LOG_FILE)" ]]; then
+  echo "Incorrectly generated content in the plan log file - $PLAN_LOG_FILE";
+  exit 2;
+fi
+
+if [[ ! "$(cat $PLAN_ERROR_FILE)" == *'The role session name match the regular expression'* ]]; then
+  echo 'Failed to detect invalid characters in role_session_name.';
+  exit 3;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,23 @@
+{
+  "assume_role_arn": {
+    "value": ""
+  },
+  "aws_cli_commands": {
+    "value": [
+      "s3api",
+      "list-objects",
+      "--bucket",
+      "ryft-public-sample-data",
+      "--no-sign-request"
+    ]
+  },
+  "aws_cli_query": {
+    "value": "max_by(Contents, &Size)"
+  },
+  "debug_log_filename": {
+    "value": ""
+  },
+  "role_session_name": {
+    "value": ""
+  }
+}
@@ -0,0 +1,3 @@
+// ryft-public-sample-data is a publicly accessible S3 bucket.
+aws_cli_commands = ["s3api", "list-objects", "--bucket", "ryft-public-sample-data", "--no-sign-request"]
+aws_cli_query    = "max_by(Contents, &Size)"
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ ! -f $PLAN_FILE ]]; then
+  echo "Failed to generate a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! "$(terraform show -json $PLAN_FILE | jq -MSr .variables)" == "$(cat $EXPECTED_VARIABLES)" ]]; then
+  echo 'Failed to incorporate expected variable values into plan.';
+  exit 2;
+fi
+
+terraform apply -auto-approve -backup=- -state-out $STATE_FILE -var-file $TERRAFORM_TFVARS > $APPLY_LOG_FILE 2> $APPLY_ERROR_FILE
+
+if [[ ! -f $STATE_FILE ]]; then
+  echo "Failed to generate state file - $STATE_FILE";
+  exit 3;
+fi
+
+# Extract some content the state file.
+if [[ ! "$(cat $STATE_FILE)" == *'0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517'* ]]; then
+  echo 'Failed to retrieve expected content from AWS.';
+  exit 4;
+fi
+
+# Extract some content from the apply log.
+if [[ ! "$(cat $APPLY_LOG_FILE)" == *"0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517"* ]]; then
+  echo 'Failed to present expected content to Terraform.';
+  exit 5;
+fi
+
+# Validate the absence of the debug log.
+if [[ -f $DEBUG_LOG_FILE ]]; then
+  echo "Incorrectly generated debug.log file - $DEBUG_LOG_FILE";
+  exit 6;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,4 @@
+// 65 characters is too long
+role_session_name  = "12345678901234567890123456789012345678901234567890123456789012345"
+aws_cli_commands   = ["version"]
+debug_log_filename = "test-reports/role_session_name_too_long/debug.log"
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ -f $PLAN_FILE ]]; then
+  echo "Incorrectly generated a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! -z "$(cat $PLAN_LOG_FILE)" ]]; then
+  echo "Incorrectly generated content in the plan log file - $PLAN_LOG_FILE";
+  exit 2;
+fi
+
+if [[ ! "$(cat $PLAN_ERROR_FILE)" == *'The role session name must be less than or equal to 64 characters'* ]]; then
+  echo 'Failed to detect too long role_session_name.';
+  exit 3;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,23 @@
+{
+  "assume_role_arn": {
+    "value": ""
+  },
+  "aws_cli_commands": {
+    "value": [
+      "s3api",
+      "list-objects",
+      "--bucket",
+      "ryft-public-sample-data",
+      "--no-sign-request"
+    ]
+  },
+  "aws_cli_query": {
+    "value": "max_by(Contents, &Size)"
+  },
+  "debug_log_filename": {
+    "value": "test-reports/test_with_debug/debug.log"
+  },
+  "role_session_name": {
+    "value": "test_with_debug"
+  }
+}
@@ -0,0 +1,5 @@
+// ryft-public-sample-data is a publicly accessible S3 bucket.
+aws_cli_commands   = ["s3api", "list-objects", "--bucket", "ryft-public-sample-data", "--no-sign-request"]
+aws_cli_query      = "max_by(Contents, &Size)"
+debug_log_filename = "test-reports/test_with_debug/debug.log"
+role_session_name  = "test_with_debug"
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ ! -f $PLAN_FILE ]]; then
+  echo "Failed to generate a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! "$(terraform show -json $PLAN_FILE | jq -MSr .variables)" == "$(cat $EXPECTED_VARIABLES)" ]]; then
+  echo 'Failed to incorporate expected variable values into plan.';
+  exit 2;
+fi
+
+terraform apply -auto-approve -backup=- -state-out $STATE_FILE -var-file $TERRAFORM_TFVARS > $APPLY_LOG_FILE 2> $APPLY_ERROR_FILE
+
+if [[ ! -f $STATE_FILE ]]; then
+  echo "Failed to generate state file - $STATE_FILE";
+  exit 3;
+fi
+
+# Extract some content the state file.
+if [[ ! "$(cat $STATE_FILE)" == *'0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517'* ]]; then
+  echo 'Failed to retrieve expected content from AWS.';
+  exit 4;
+fi
+
+# Extract some content from the apply log.
+if [[ ! "$(cat $APPLY_LOG_FILE)" == *"0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517"* ]]; then
+  echo 'Failed to present expected content to Terraform.';
+  exit 5;
+fi
+
+# Validate the presence of the debug log.
+if [[ ! -f $DEBUG_LOG_FILE ]]; then
+  echo "Failed to generate debug.log file - $DEBUG_LOG_FILE";
+  exit 6;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,23 @@
+{
+  "assume_role_arn": {
+    "value": ""
+  },
+  "aws_cli_commands": {
+    "value": [
+      "s3api",
+      "list-objects",
+      "--bucket",
+      "ryft-public-sample-data",
+      "--no-sign-request"
+    ]
+  },
+  "aws_cli_query": {
+    "value": "max_by(Contents, &Size)"
+  },
+  "debug_log_filename": {
+    "value": ""
+  },
+  "role_session_name": {
+    "value": "test_without_debug"
+  }
+}
@@ -0,0 +1,4 @@
+// ryft-public-sample-data is a publicly accessible S3 bucket.
+aws_cli_commands  = ["s3api", "list-objects", "--bucket", "ryft-public-sample-data", "--no-sign-request"]
+aws_cli_query     = "max_by(Contents, &Size)"
+role_session_name = "test_without_debug"
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+function run_test() {
+if [[ ! -f $PLAN_FILE ]]; then
+  echo "Failed to generate a plan - $PLAN_FILE";
+  exit 1;
+fi
+
+if [[ ! "$(terraform show -json $PLAN_FILE | jq -MSr .variables)" == "$(cat $EXPECTED_VARIABLES)" ]]; then
+  echo 'Failed to incorporate expected variable values into plan.';
+  exit 2;
+fi
+
+terraform apply -auto-approve -backup=- -state-out $STATE_FILE -var-file $TERRAFORM_TFVARS > $APPLY_LOG_FILE 2> $APPLY_ERROR_FILE
+
+if [[ ! -f $STATE_FILE ]]; then
+  echo "Failed to generate state file - $STATE_FILE";
+  exit 3;
+fi
+
+# Extract some content the state file.
+if [[ ! "$(cat $STATE_FILE)" == *'0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517'* ]]; then
+  echo 'Failed to retrieve expected content from AWS.';
+  exit 4;
+fi
+
+# Extract some content from the apply log.
+if [[ ! "$(cat $APPLY_LOG_FILE)" == *"0ae8f910a30bc83fd81c4e3c1a6bbd9bab0afe4e0762b56a2807d22fcd77d517"* ]]; then
+  echo 'Failed to present expected content to Terraform.';
+  exit 5;
+fi
+
+# Validate the absence of the debug log.
+if [[ -f $DEBUG_LOG_FILE ]]; then
+  echo "Incorrectly generated debug.log file - $DEBUG_LOG_FILE";
+  exit 6;
+fi
+}
+
+. tests/common.sh $0
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash -e
+rm -rf temp
+rm -rf test-reports
+find . -type f -name test.sh | sort | xargs -L 1 bash