Added Unit-tests to modules

.github/workflows/on-pull-request.yaml

@@ -2,20 +2,20 @@ name: "Pull Request Jobs"
 
 on:
   pull_request:
-
+  workflow_dispatch:
 
 env:
-  tf_version: 1.7.1
+  tf_version: 1.9.8
   working_dir: .
 
 jobs:
   terraform-doc-generation:
     permissions:
-      contents: 'write'
-      id-token: 'write'
-      pull-requests: 'write'
-      issues: 'write'
-    name: "Terraform Documentation Generation"
+      contents: "write"
+      id-token: "write"
+      pull-requests: "write"
+      issues: "write"
+    name: "Terraform doc generation and tests"
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -37,11 +37,23 @@ jobs:
         run: terraform fmt -check
 
       - name: Generate TF docs
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: terraform-docs/gh-actions@v1.3.0
         with:
           find-dir: modules/
           recursive: true
           recursive-path: .
           git-push: true
           output-method: replace
           template: "{{ .Content }}"
+
+      # recurse every directory in the ./modules directory
+      # and run the terraform test command
+      - name: Run Terraform Unit Tests
+        run: |
+          for dir in $(find ${{env.working_dir}}/modules -type d -not -path '*/\.terraform/*'); do
+            echo "Running tests in $dir"
+            cd $dir
+            terraform init
+            terraform test
+            cd -
+          done

modules/enterprise-organization/organization.tftest.hcl

@@ -0,0 +1,44 @@
+mock_provider "github" {}
+
+variables {
+  # required variables
+  enterprise_id = "1234567890"
+  name          = "github-foundations"
+  display_name  = "GitHub Foundations"
+  description   = "GitHub Foundations Organization"
+  billing_email = "billingemail@focisolutions.com"
+  admin_logins  = ["admin1", "admin2"]
+}
+
+run "organization_test" {
+  command = apply
+
+  assert {
+    condition     = github_enterprise_organization.organization.id != null
+    error_message = "The organization was not created."
+  }
+  assert {
+    condition     = github_enterprise_organization.organization.enterprise_id == var.enterprise_id
+    error_message = "The organization id is incorrect. Expected ${var.enterprise_id} but got ${github_enterprise_organization.organization.enterprise_id}."
+  }
+  assert {
+    condition     = github_enterprise_organization.organization.name == var.name
+    error_message = "The organization name is incorrect. Expected ${var.name} but got ${github_enterprise_organization.organization.name}."
+  }
+  assert {
+    condition     = github_enterprise_organization.organization.display_name == var.display_name
+    error_message = "The organization display name is incorrect. Expected ${var.display_name} but got ${github_enterprise_organization.organization.display_name}."
+  }
+  assert {
+    condition     = github_enterprise_organization.organization.description == var.description
+    error_message = "The organization description is incorrect. Expected ${var.description} but got ${github_enterprise_organization.organization.description}."
+  }
+  assert {
+    condition     = github_enterprise_organization.organization.billing_email == var.billing_email
+    error_message = "The organization billing email is incorrect. Expected ${var.billing_email} but got ${github_enterprise_organization.organization.billing_email}."
+  }
+  assert {
+    condition     = length(github_enterprise_organization.organization.admin_logins) == length(var.admin_logins)
+    error_message = "The organization admin logins are incorrect. Expected ${length(var.admin_logins)} but got ${length(github_enterprise_organization.organization.admin_logins)}."
+  }
+}

modules/github-aws-oidc/oidc.tftest.hcl

@@ -0,0 +1,97 @@
+mock_provider "github" {}
+mock_provider "aws" {}
+
+variables {
+  # required variables
+  github_foundations_organization_name = "github-foundations-org"
+  github_thumbprints                   = ["990F4193972F2BECF12DDEDA5237F9C952F20D9E"]
+}
+
+run "oidc_provider_entry_test" {
+  command = apply
+
+  assert {
+    condition     = aws_iam_openid_connect_provider.oidc_provider_entry.url == "https://token.actions.githubusercontent.com"
+    error_message = "The url of the openid connect provider entry is incorrect. Expected 'https://token.actions.githubusercontent.com' but got '${aws_iam_openid_connect_provider.oidc_provider_entry.url}'."
+  }
+  assert {
+    condition     = aws_iam_openid_connect_provider.oidc_provider_entry.client_id_list != null
+    error_message = "The client id list of the openid connect provider entry is incorrect. Expected a non-null value but got 'null'."
+  }
+  assert {
+    condition     = aws_iam_openid_connect_provider.oidc_provider_entry.thumbprint_list[0] == "990F4193972F2BECF12DDEDA5237F9C952F20D9E"
+    error_message = "The thumbprint list of the openid connect provider entry is incorrect. Expected '990F4193972F2BECF12DDEDA5237F9C952F20D9E' but got '${aws_iam_openid_connect_provider.oidc_provider_entry.thumbprint_list[0]}'."
+  }
+}
+
+run "organizations_role_test" {
+
+  assert {
+    condition     = aws_iam_role.organizations_role.name == "GhFoundationsOrganizationsAction"
+    error_message = "The name of the organizations role is incorrect. Expected 'GhFoundationsOrganizationsAction' but got '${aws_iam_role.organizations_role.name}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Effect"] == "Allow"
+    error_message = "The assume role policy of the organizations role is incorrect. Expected 'Allow' but got '${jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Effect"]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Action"] == "sts:AssumeRoleWithWebIdentity"
+    error_message = "The assume role policy action of the organizations role is incorrect. Expected 'sts:AssumeRoleWithWebIdentity' but got '${jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Action"]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Principal"]["Federated"] == aws_iam_openid_connect_provider.oidc_provider_entry.arn
+    error_message = "The assume role policy principal federated of the organizations role is incorrect. Expected '${aws_iam_openid_connect_provider.oidc_provider_entry.arn}' but got '${jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Principal"]["Federated"]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Condition"]["StringEquals"]["token.actions.githubusercontent.com:aud"][0] == "sts.amazonaws.com"
+    error_message = "The assume role policy condition string equals token actions githubusercontent com aud of the organizations role is incorrect. Expected 'sts.amazonaws.com' but got '${jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Condition"]["StringEquals"]["token.actions.githubusercontent.com:aud"][0]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Condition"]["StringLike"]["token.actions.githubusercontent.com:sub"][0] == "repo:github-foundations-org/organizations:*"
+    error_message = "The assume role policy condition string like token actions githubusercontent com sub of the organizations role is incorrect. Expected 'repo:github-foundations-org/organizations:*' but got '${jsondecode(aws_iam_role.organizations_role.assume_role_policy)["Statement"][0]["Condition"]["StringLike"]["token.actions.githubusercontent.com:sub"][0]}'."
+  }
+  assert {
+    condition     = aws_iam_role.organizations_role.tags.Purpose == "Github Foundations"
+    error_message = "The tags of the organizations role are incorrect. Expected 'Github Foundations' but got '${aws_iam_role.organizations_role.tags.Purpose}'."
+  }
+}
+
+run "organizations_role_policy_test" {
+
+  assert {
+    condition     = aws_iam_role_policy.organizations_role_policy.name == "organizations-tf-state-management-policy"
+    error_message = "The name of the organizations role policy is incorrect. Expected 'organizations-tf-state-management-policy' but got '${aws_iam_role_policy.organizations_role_policy.name}'."
+  }
+  assert {
+    condition     = aws_iam_role_policy.organizations_role_policy.role == aws_iam_role.organizations_role.id
+    error_message = "The role of the organizations role policy is incorrect. Expected '${aws_iam_role.organizations_role.id}' but got '${aws_iam_role_policy.organizations_role_policy.role}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Sid"] == "StateBucketFullAccess"
+    error_message = "The organizations role policy statement sid is incorrect. Expected 'StateBucketFullAccess' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Sid"]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][0] == "s3:PutObject"
+    error_message = "The organizations role policy statement action is incorrect. Expected 's3:PutObject' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][0]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][1] == "s3:GetObject"
+    error_message = "The organizations role policy statement action is incorrect. Expected 's3:GetObject' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][1]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][2] == "s3:ListBucket"
+    error_message = "The organizations role policy statement action is incorrect. Expected 's3:ListBucket' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Action"][2]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Effect"] == "Allow"
+    error_message = "The organizations role policy statement effect is incorrect. Expected 'Allow' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Effect"]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Resource"][0] == aws_s3_bucket.state_bucket.arn
+    error_message = "The organizations role policy statement resource is incorrect. Expected '${aws_s3_bucket.state_bucket.arn}' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Resource"][0]}'."
+  }
+  assert {
+    condition     = jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Resource"][1] == "${aws_s3_bucket.state_bucket.arn}/*"
+    error_message = "The organizations role policy statement resource is incorrect. Expected '${aws_s3_bucket.state_bucket.arn}/*' but got '${jsondecode(aws_iam_role_policy.organizations_role_policy.policy)["Statement"][0]["Resource"][1]}'."
+  }
+}

modules/github-aws-oidc/outputs.tftest.hcl

@@ -0,0 +1,45 @@
+mock_provider "github" {}
+mock_provider "aws" {}
+
+override_resource {
+  target = aws_s3_bucket.state_bucket
+  values = {
+    region = "us-west-2"
+  }
+}
+override_resource {
+  target = aws_iam_role.organizations_role
+  values = {
+    arn = "arn:aws:iam::123456789012:role/GhFoundationsOrganizationsAction"
+  }
+}
+
+variables {
+  # required variables
+  github_foundations_organization_name = "github-foundations-org"
+  github_thumbprints                   = ["990F4193972F2BECF12DDEDA5237F9C952F20D9E"]
+
+  # Variables for this test
+  bucket_name = "GithubFoundationStateBuckettyBucket"
+}
+
+run "create_test" {
+  command = apply
+
+  assert {
+    condition     = output.s3_bucket_name == var.bucket_name
+    error_message = "The name of the state bucket is incorrect. Expected '${var.bucket_name}' but got '${output.s3_bucket_name}'."
+  }
+  assert {
+    condition     = output.s3_bucket_region == "us-west-2"
+    error_message = "The region of the state bucket is incorrect. Expected 'us-west-2' but got '${output.s3_bucket_region}'."
+  }
+  assert {
+    condition     = output.dynamodb_table_name == "TFLockIds"
+    error_message = "The name of the dynamodb table is incorrect. Expected 'TFLockIds' but got '${output.dynamodb_table_name}'."
+  }
+  assert {
+    condition     = output.organizations_runner_role == "arn:aws:iam::123456789012:role/GhFoundationsOrganizationsAction"
+    error_message = "The ARN of the role is incorrect. Expected 'arn:aws:iam::123456789012:role/GhFoundationsOrganizationsAction' but got '${output.organizations_runner_role}'."
+  }
+}

modules/github-aws-oidc/resource_group.tftest.hcl

@@ -0,0 +1,34 @@
+mock_provider "github" {}
+mock_provider "aws" {}
+
+variables {
+  # required variables
+  github_foundations_organization_name = "github-foundations-org"
+  github_thumbprints                   = ["990F4193972F2BECF12DDEDA5237F9C952F20D9E"]
+}
+
+run "github_foundations_rg_test" {
+  command = apply
+
+  assert {
+    condition     = aws_resourcegroups_group.github_foundations_rg.name == "GithubFoundationResources"
+    error_message = "The name of the resource group is incorrect. Expected 'GithubFoundationResources' but got '${aws_resourcegroups_group.github_foundations_rg.name}'."
+  }
+  assert {
+    condition     = aws_resourcegroups_group.github_foundations_rg.resource_query[0].query == "{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Purpose\",\"Values\":[\"Github Foundations\"]}]}"
+    error_message = "The resource query of the resource group is incorrect. Expected '{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Purpose\",\"Values\":[\"Github Foundations\"]}]}' but got '${aws_resourcegroups_group.github_foundations_rg.resource_query[0].query}'."
+  }
+}
+
+run "github_foundations_rg_test_rg_name" {
+  variables {
+    rg_name = "ghf-set-by-test-rg"
+  }
+
+  command = apply
+
+  assert {
+    condition     = aws_resourcegroups_group.github_foundations_rg.name == "ghf-set-by-test-rg"
+    error_message = "The name of the resource group is incorrect. Expected 'ghf-set-by-test-rg' but got '${aws_resourcegroups_group.github_foundations_rg.name}'."
+  }
+}