[BREAKING] Automated testing

.gitignore

@@ -3,12 +3,9 @@
 .DS_Store
 
 # Local .terraform directories
-**/.terraform/*
+.terraform/
 *.terraform.*
 
-# except .terraform.lock.hcl
-!.terraform.lock.hcl
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -24,6 +21,10 @@ crash.*.log
 *.tfvars
 *.tfvars.json
 
+# Except ones that we do want to commit because they are used for automated tests
+!examples/complete/fixtures.common.tfvars
+!examples/complete/fixtures.insecure.tfvars
+
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf

.golangci.yml

@@ -5,8 +5,10 @@ linters:
   disable:
     - exhaustivestruct
     - exhaustruct
+    - gci
     - goerr113
     - gofumpt
+    - goimports
     - gomnd
     - lll
     - nlreturn

.tool-versions

@@ -1,9 +1,10 @@
 adr-tools 3.0.0
+awscli 2.11.0
 checkov 2.3.3
 golang 1.19.5
 golangci-lint 1.50.1
 pre-commit 3.0.1
-terraform 1.3.7
+terraform 1.3.9
 terraform-docs 0.16.0
 tflint 0.44.1
 tfsec 1.28.1

Makefile

@@ -1,9 +1,15 @@
 # The version of the build harness container to use
 BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/not-a-build-harness/not-a-build-harness
-BUILD_HARNESS_VERSION := 0.0.4
+BUILD_HARNESS_VERSION := 0.0.8
 
 .DEFAULT_GOAL := help
 
+# Optionally add the "-it" flag for docker run commands if the env var "CI" is not set (meaning we are on a local machine and not in github actions)
+TTY_ARG :=
+ifndef CI
+	TTY_ARG := -it
+endif
+
 # Silent mode by default. Run `make VERBOSE=1` to turn off silent mode.
 ifndef VERBOSE
 .SILENT:
@@ -18,25 +24,42 @@ help: ## Show a list of all targets
 	| sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
 	| column -t -s ":"
 
+.PHONY: _test-all
+_test-all:
+	mkdir -p .cache/go
+	mkdir -p .cache/go-build
+	mkdir -p .cache/tmp
+	echo "Running automated tests. This will take several minutes. At times it does not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure."
+	docker run $(TTY_ARG) --rm -v "${PWD}:/app" -v "${PWD}/.cache/tmp:/tmp" -v "${PWD}/.cache/go:/root/go" -v "${PWD}/.cache/go-build:/root/.cache/go-build" --workdir "/app/test/e2e" -e GOPATH=/root/go -e GOCACHE=/root/.cache/go-build -e REPO_URL -e GIT_BRANCH -e AWS_REGION -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN -e AWS_SESSION_EXPIRATION -e SKIP_SETUP -e SKIP_TEST -e SKIP_TEARDOWN $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v $(EXTRA_TEST_ARGS) ./...'
+
 .PHONY: test
 test: ## Run all automated tests. Requires access to an AWS account. Costs real money.
-	go test -v -timeout 2h ./...
+	$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h"
+
+.PHONY: test-complete-insecure
+test-complete-insecure: ## Run one test (TestExamplesCompleteInsecure). Requires access to an AWS account. Costs real money.
+	$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteInsecure"
+
+.PHONY: test-complete-secure
+test-complete-secure: ## Run one test (TestExamplesCompleteSecure). Requires access to an AWS account. Costs real money.
+	#$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteSecure"
+	echo "TestExamplesCompleteSecure is still being worked on. For now feel free to use the complete-self-managed-nodegroup example."
 
 .PHONY: docker-save-build-harness
 docker-save-build-harness: ## Pulls the build harness docker image and saves it to a tarball
-	@mkdir -p .cache/docker
-	@docker pull $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
-	@docker save -o .cache/docker/build-harness.tar $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
+	mkdir -p .cache/docker
+	docker pull $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
+	docker save -o .cache/docker/build-harness.tar $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
 
 .PHONY: docker-load-build-harness
 docker-load-build-harness: ## Loads the saved build harness docker image
-	@docker load -i .cache/docker/build-harness.tar
+	docker load -i .cache/docker/build-harness.tar
 
 .PHONY: run-pre-commit-hooks
 run-pre-commit-hooks: ## Run all pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	@mkdir -p .cache/pre-commit
-	@docker run --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) pre-commit run -a --show-diff-on-failure
+	mkdir -p .cache/pre-commit
+	docker run $(TTY_ARG) --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && pre-commit run -a --show-diff-on-failure'
 
 .PHONY: fix-cache-permissions
 fix-cache-permissions: ## Fixes the permissions on the pre-commit cache
-	@docker run --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) chmod -R a+rx .cache
+	docker run $(TTY_ARG) --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) chmod -R a+rx .cache

examples/README.md

@@ -0,0 +1,40 @@
+# Examples
+
+This directory contains examples of how to use the various modules in this repository.
+
+## How to Deploy
+
+### Prerequisites
+
+- *Nix operating system (Linux, macOS, WSL2)
+- AWS CLI environment variables
+  - At minimum: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and either `AWS_REGION` or `AWS_DEFAULT_REGION`
+  - Preferred: the above plus `AWS_SESSION_TOKEN`, `AWS_SECURITY_TOKEN`, and `AWS_SESSION_EXPIRATION`
+  > If the account is set up to require MFA, you'll be required to have the session stuff. We recommend that you use [aws-vault](https://github.com/99designs/aws-vault). Friends don't let friends use unencrypted AWS creds.
+- `docker`
+- `make`
+- various standard CLI tools that usually come with running on *Nix (grep, sed, etc)
+
+### Deploy
+
+We'll be using our automated tests to stand up environments. They use [Terratest](https://github.com/gruntwork-io/terratest). Each test is based on one of examples in the `examples` directory. For example, if you want to stand up the "complete" example in "insecure" mode, you'll run the `test-complete-insecure` target.
+
+```shell
+export SKIP_TEARDOWN=1
+unset SKIP_SETUP
+unset SKIP_TEST
+make <TheTargetYouWantToRun>
+```
+> `SKIP_TEARDOWN` tells Terratest to skip running the test stage called "TEARDOWN", which is the stage that destroys the environment. We want things to stay up, so we set this variable. We also make sure `SKIP_SETUP` and `SKIP_TEST` are unset.
+
+> Run `make help` to see all the available targets. Any of them can be used to stand up an environment with different parameters. Do not run `make test` directly, as it will run all the tests in parallel and is not compatible with `SKIP_TEARDOWN`.
+
+### Destroy
+
+```shell
+unset SKIP_TEARDOWN
+export SKIP_SETUP=1
+export SKIP_TEST=1
+make <TheTargetYouWantToRun>
+```
+> Since we're tearing down this time, we don't want `SKIP_TEARDOWN` to be set. Instead, we are setting `SKIP_SETUP` and `SKIP_TEST` to skip the setup and test stages.

examples/complete-managed-nodegroup/main.tf

@@ -66,20 +66,20 @@ module "bastion" {
     volume_size = "20"
     encrypted   = true
   }
-  name                     = var.bastion_name
-  vpc_id                   = module.vpc.vpc_id
-  subnet_id                = module.vpc.private_subnets[0]
-  aws_region               = var.region
-  access_log_bucket_name   = "${var.bastion_name}-access-logs"
-  bucket_name              = "${var.bastion_name}-session-logs"
-  ssh_user                 = var.bastion_ssh_user
-  ssh_password             = var.bastion_ssh_password
-  assign_public_ip         = false # var.assign_public_ip
-  enable_log_to_s3         = true
-  enable_log_to_cloudwatch = true
-  vpc_endpoints_enabled    = true
-  tenancy                  = var.bastion_tenancy
-  zarf_version             = var.zarf_version
+  name                           = var.bastion_name
+  vpc_id                         = module.vpc.vpc_id
+  subnet_id                      = module.vpc.private_subnets[0]
+  aws_region                     = var.region
+  access_log_bucket_name_prefix  = "${var.bastion_name}-access-logs"
+  session_log_bucket_name_prefix = "${var.bastion_name}-session-logs"
+  ssh_user                       = var.bastion_ssh_user
+  ssh_password                   = var.bastion_ssh_password
+  assign_public_ip               = false # var.assign_public_ip
+  enable_log_to_s3               = true
+  enable_log_to_cloudwatch       = true
+  vpc_endpoints_enabled          = true
+  tenancy                        = var.bastion_tenancy
+  zarf_version                   = var.zarf_version
   tags = {
     Function = "bastion-ssm"
   }

examples/complete-self-managed-nodegroup/main.tf

@@ -66,20 +66,20 @@ module "bastion" {
     volume_size = "20"
     encrypted   = true
   }
-  name                     = var.bastion_name
-  vpc_id                   = module.vpc.vpc_id
-  subnet_id                = module.vpc.private_subnets[0]
-  aws_region               = var.region
-  access_log_bucket_name   = "${var.bastion_name}-access-logs"
-  bucket_name              = "${var.bastion_name}-session-logs"
-  ssh_user                 = var.bastion_ssh_user
-  ssh_password             = var.bastion_ssh_password
-  assign_public_ip         = false # var.assign_public_ip
-  enable_log_to_s3         = true
-  enable_log_to_cloudwatch = true
-  vpc_endpoints_enabled    = true
-  tenancy                  = var.bastion_tenancy
-  zarf_version             = var.zarf_version
+  name                           = var.bastion_name
+  vpc_id                         = module.vpc.vpc_id
+  subnet_id                      = module.vpc.private_subnets[0]
+  aws_region                     = var.region
+  access_log_bucket_name_prefix  = "${var.bastion_name}-access-logs"
+  session_log_bucket_name_prefix = "${var.bastion_name}-session-logs"
+  ssh_user                       = var.bastion_ssh_user
+  ssh_password                   = var.bastion_ssh_password
+  assign_public_ip               = false # var.assign_public_ip
+  enable_log_to_s3               = true
+  enable_log_to_cloudwatch       = true
+  vpc_endpoints_enabled          = true
+  tenancy                        = var.bastion_tenancy
+  zarf_version                   = var.zarf_version
   tags = {
     Function = "bastion-ssm"
   }