Tests created for module

.github/workflows/documentation.yml

@@ -4,6 +4,11 @@ on:
   pull_request:
     branches:
       - main
+    paths:
+      - '*.md'
+      - '.github/workflows/documentation.yml'
+
+permissions: {}
 
 jobs:
   docs:

data.tf

@@ -4,7 +4,7 @@ data "aws_ami" "this" {
   most_recent = true
   owners      = [try(var.account_ids_lookup[var.ami_owner], var.ami_owner)]
   tags = {
-    is-production = true # based on environment
+    is-production = false # based on environment
   }
 
   filter {

locals.tf

@@ -106,3 +106,4 @@ locals {
     try(length(var.user_data_cloud_init.write_files), 0)
   ]
 }
+

test/go.mod

@@ -0,0 +1,58 @@
+module test
+
+go 1.19
+
+require (
+	github.com/gruntwork-io/terratest v0.41.11
+	github.com/stretchr/testify v1.8.2
+)
+
+require (
+	cloud.google.com/go v0.83.0 // indirect
+	cloud.google.com/go/storage v1.10.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.40.56 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.3 // indirect
+	github.com/googleapis/gax-go/v2 v2.0.5 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-getter v1.6.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.0 // indirect
+	github.com/hashicorp/go-safetemp v1.0.0 // indirect
+	github.com/hashicorp/go-version v1.3.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.9.1 // indirect
+	github.com/hashicorp/terraform-json v0.13.0 // indirect
+	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jstemmer/go-junit-report v0.9.1 // indirect
+	github.com/klauspost/compress v1.13.0 // indirect
+	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/tmccombs/hcl2json v0.3.3 // indirect
+	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/zclconf/go-cty v1.9.1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect
+	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
+	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
+	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/tools v0.1.2 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/api v0.47.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+	google.golang.org/grpc v1.38.0 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

test/module_test.go

@@ -1,10 +1,10 @@
-package main
+package test
 
 import (
-	"github.com/gruntwork-io/terratest/modules/terraform"
-	"github.com/stretchr/testify/assert"
 	"regexp"
-	"testing"
+    "testing"
+    "github.com/gruntwork-io/terratest/modules/terraform"
+    "github.com/stretchr/testify/assert"
 )
 
 func TestModule(t *testing.T) {
@@ -14,11 +14,22 @@ func TestModule(t *testing.T) {
 		TerraformDir: "./unit-test",
 	})
 
-	defer terraform.Destroy(t, terraformOptions)
 
+	defer terraform.Destroy(t, terraformOptions)
 	terraform.InitAndApply(t, terraformOptions)
 
-	exampleName := terraform.Output(t, terraformOptions, "example_name")
+	secGroupId := terraform.Output(t, terraformOptions, "securtiy-group-id")
+	keyPair := terraform.Output(t, terraformOptions, "key-pair")
+	iamPolicy := terraform.Output(t, terraformOptions, "iam-policy")
+	amiName := terraform.Output(t, terraformOptions, "ami-name")
+	kmsKey := terraform.Output(t, terraformOptions, "kms-key")
+
+
+	assert.NotEmpty(t, secGroupId)
+    assert.Regexp(t, regexp.MustCompile(`^arn:aws:ec2:eu-west-2:836052629367:key-pair/:*`), keyPair)
+    assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam:*`), iamPolicy)
+    assert.Regexp(t, regexp.MustCompile(`^RHEL-7.9_HVM-*`), amiName)
+    assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam::836052629367:policy/*`), kmsKey)
+
 
-	assert.Regexp(t, regexp.MustCompile(`^example-name*`), exampleName)
-}
+}

test/unit-test/data.tf

@@ -0,0 +1,32 @@
+data "aws_vpc" "shared" {
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}"
+  }
+}
+
+data "aws_kms_key" "default_ebs" {
+  key_id = "alias/aws/ebs"
+}
+
+# combine ec2-common policy documents
+data "aws_iam_policy_document" "ec2_test_common_combined" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.ec2_test_policy.json,
+  ]
+}
+
+# custom policy for SSM as managed policy AmazonSSMManagedInstanceCore is too permissive
+data "aws_iam_policy_document" "ec2_test_policy" {
+  statement {
+    #checkov:skip=CKV_AWS_109:
+    #checkov:skip=CKV_AWS_111:
+    #checkov:skip=CKV_AWS_107:
+
+    sid    = "CustomEc2Policy"
+    effect = "Allow"
+    actions = [
+      "ec2:*"
+    ]
+    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
+  }
+}

test/unit-test/locals.tf

@@ -1,38 +1,150 @@
-# This data sources allows us to get the Modernisation Platform account information for use elsewhere
-# (when we want to assume a role in the MP, for instance)
-data "aws_organizations_organization" "root_account" {}
-
-# Get the environments file from the main repository
-data "http" "environments_file" {
-  url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json"
-}
 
 locals {
 
-  application_name = "testing"
+  # create list of common managed policies that can be attached to ec2 instance profiles
+  ec2_common_managed_policies = [
+    aws_iam_policy.ec2_test_common_policy.arn
+  ]
 
+  tags = {
+    component = "test"
+  }
+  subnet_set             = var.networking[0].set
+  vpc_name               = var.networking[0].business-unit
   environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+  provider_name          = "core-vpc-${local.environment}"
+  application_name       = "testing-test"
+  environment            = "test"
+  business_unit          = var.networking[0].business-unit
+  region                 = "eu-west-2"
+  availability_zone_1    = "eu-west-2a"
+  availability_zone_2    = "eu-west-2b"
+  autoscaling_schedules_default = {
+    "scale_up" = {
+      recurrence = "0 7 * * Mon-Fri"
+    }
+    "scale_down" = {
+      desired_capacity = 0
+      recurrence       = "0 19 * * Mon-Fri"
+    }
+  }
+  ec2_test = {
+    tags = {
+      component = "test"
+    }
 
-  # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
-  # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
-  is-production    = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
-  is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
-  is-test          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
-  is-development   = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+    instance = {
+      disable_api_termination      = false
+      instance_type                = "t3.micro"
+      key_name                     = aws_key_pair.ec2-terratest-user.key_name
+      monitoring                   = false
+      metadata_options_http_tokens = "required"
+      vpc_security_group_ids       = [aws_security_group.test.id]
+    }
 
-  # Merge tags from the environment json file with additional ones
-  tags = merge(
-    jsondecode(data.http.environments_file.response_body).tags,
-    { "is-production" = local.is-production },
-    { "environment-name" = terraform.workspace },
-    { "source-code" = "https://github.com/ministryofjustice/modernisation-platform" }
-  )
+    user_data_cloud_init = {
+      args = {
+        lifecycle_hook_name  = "ready-hook"
+        branch               = "main"
+        ansible_repo         = "modernisation-platform-configuration-management"
+        ansible_repo_basedir = "ansible"
+        ansible_args         = "--tags ec2provision"
+      }
+      scripts = [
+        "install-ssm-agent.sh.tftpl",
+        "ansible-ec2provision.sh.tftpl",
+        "post-ec2provision.sh.tftpl"
+      ]
+    }
 
-  environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
-  vpc_name    = var.networking[0].business-unit
-  subnet_set  = var.networking[0].set
+    route53_records = {
+      create_internal_record = true
+      create_external_record = false
+    }
 
-  is_live       = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
-  provider_name = "core-vpc-${local.environment}"
+    # user can manually increase the desired capacity to 1 via CLI/console
+    # to create an instance
+    autoscaling_group = {
+      desired_capacity = 0
+      max_size         = 2
+      min_size         = 0
+    }
 
+    ec2_test_instances = {
+      # Remove data.aws_kms_key from cmk.tf once the NDH servers are removed
+      example-test-instance-1 = {
+        tags = {
+          server-type = "private"
+          description = "Standalone EC2 for testing RHEL7.9 NDH App"
+          monitored   = false
+          os-type     = "Linux"
+          component   = "ndh"
+          environment = "test"
+        }
+        ebs_volumes = {
+          "/dev/sda1" = { kms_key_id = data.aws_kms_key.default_ebs.arn }
+        }
+        ami_name  = "RHEL-7.9_HVM-*"
+        ami_owner = "309956199498"
+      }
+      example-test-instance-2 = {
+        tags = {
+          server-type = "private"
+          description = "Standalone EC2 for testing RHEL7.9 NDH EMS"
+          monitored   = false
+          os-type     = "Linux"
+          component   = "ndh"
+          environment = "test"
+        }
+        ebs_volumes = {
+          "/dev/sda1" = { kms_key_id = data.aws_kms_key.default_ebs.arn }
+        }
+        ami_name  = "RHEL-7.9_HVM-*"
+        ami_owner = "309956199498"
+      }
+    }
+    ec2_test_autoscaling_groups = {
+      dev-redhat-rhel610 = {
+        tags = {
+          description = "For testing official RedHat RHEL6.10 image"
+          monitored   = false
+          os-type     = "Linux"
+          component   = "test"
+        }
+        instance = {
+          instance_type                = "t2.medium"
+          metadata_options_http_tokens = "optional"
+        }
+        ami_name  = "RHEL-6.10_HVM-*"
+        ami_owner = "309956199498"
+      }
+    }
+  }
 }
+
+# create single managed policy
+resource "aws_iam_policy" "ec2_test_common_policy" {
+  name        = "ec2-test-common-policy"
+  path        = "/"
+  description = "Common policy for all ec2 instances"
+  policy      = data.aws_iam_policy_document.ec2_test_common_combined.json
+  tags = merge(
+    local.tags,
+    {
+      Name = "ec2-common-policy"
+    },
+  )
+}
+
+# Keypair for ec2-terratest-user
+resource "aws_key_pair" "ec2-terratest-user" {
+  key_name   = "ec2-terratest-user"
+  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 email@example.com"
+  tags = merge(
+    local.tags,
+    {
+      Name = "ec2-terratest-user"
+    },
+  )
+}
+

test/unit-test/main.tf

@@ -1,5 +1,35 @@
+module "ec2_test_instance" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
 
-module "module_test" {
-  source = "../../"
-  tags   = local.tags
+  providers = {
+    aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+  }
+
+  for_each = try(local.ec2_test.ec2_test_instances, {})
+
+  name = each.key
+
+  ami_name                      = each.value.ami_name
+  ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
+  instance                      = merge(local.ec2_test.instance, lookup(each.value, "instance", {}))
+  ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
+  ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
+  ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
+  ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
+  ssm_parameters                = lookup(each.value, "ssm_parameters", null)
+  route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
+
+  iam_resource_names_prefix = "ec2-test-instance"
+  instance_profile_policies = local.ec2_common_managed_policies
+
+  business_unit            = local.business_unit
+  application_name         = local.application_name
+  environment              = local.environment
+  region                   = local.region
+  availability_zone        = local.availability_zone_1
+  subnet_id                = data.aws_subnet.private_subnets_a.id
+  tags                     = merge(local.tags, local.ec2_test.tags, try(each.value.tags, {}))
+  account_ids_lookup       = local.environment_management.account_ids
+  cloudwatch_metric_alarms = {}
 }
+