CCM-10048: flaky tests (#488)

bhansell1 · web-flow · commit 25fcf340a453 · 2025-06-18T10:20:56.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -90,3 +90,5 @@ lambdas/backend-api/src/email/email-template.json
 
 # vscode
 .vscode/settings.local.json
+
+test-runs
diff --git a/infrastructure/terraform/modules/backend-api/README.md b/infrastructure/terraform/modules/backend-api/README.md
@@ -16,6 +16,7 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
+| <a name="input_enable_guardduty"></a> [enable\_guardduty](#input\_enable\_guardduty) | Enable GuardDuty | `bool` | `true` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = [local.guardduty_source]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    resources   = [local.guardduty_resource]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = [local.guardduty_source]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    resources   = [local.guardduty_resource]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = [local.guardduty_source]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    resources   = [local.guardduty_resource]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = [local.guardduty_source]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    resources   = [local.guardduty_resource]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
diff --git a/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf b/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf
@@ -1,4 +1,6 @@
 resource "aws_guardduty_malware_protection_plan" "quarantine" {
+  count = var.enable_guardduty ? 1 : 0
+
   role = aws_iam_role.guardduty_quarantine.arn
 
   protected_resource {
diff --git a/infrastructure/terraform/modules/backend-api/locals.tf b/infrastructure/terraform/modules/backend-api/locals.tf
@@ -59,4 +59,8 @@ locals {
   ][0], "")
 
   sftp_environment = "${var.group}-${var.environment}-${var.component}"
+
+  guardduty_source = var.enable_guardduty ? "aws.guardduty" : "test.guardduty"
+
+  guardduty_resource = var.enable_guardduty ? aws_guardduty_malware_protection_plan.quarantine[0].arn : "test:guardduty"
 }
diff --git a/infrastructure/terraform/modules/backend-api/variables.tf b/infrastructure/terraform/modules/backend-api/variables.tf
@@ -71,6 +71,12 @@ variable "enable_backup" {
   default     = true
 }
 
+variable "enable_guardduty" {
+  type        = bool
+  description = "Enable GuardDuty"
+  default     = true
+}
+
 variable "enable_proofing" {
   type        = bool
   description = "Enable proofing feature flag"
diff --git a/package-lock.json b/package-lock.json
diff --git a/tests/test-team/helpers/eventbridge/eventbridge-helper.ts b/tests/test-team/helpers/eventbridge/eventbridge-helper.ts
@@ -0,0 +1,74 @@
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+export type GuardDutyScanResult =
+  | 'NO_THREATS_FOUND'
+  | 'THREATS_FOUND'
+  | 'UNSUPPORTED';
+
+export class EventBridgeHelper {
+  readonly #client: EventBridgeClient;
+
+  constructor() {
+    this.#client = new EventBridgeClient({ region: 'eu-west-2' });
+  }
+
+  async publishGuardDutyEvent(
+    s3ObjectKey: string,
+    s3VersionId: string,
+    guardDutyScanResultStatus: GuardDutyScanResult
+  ) {
+    const resp = await this.#client.send(
+      new PutEventsCommand({
+        Entries: [
+          this.createGuardDutyEvent(
+            s3ObjectKey,
+            guardDutyScanResultStatus,
+            s3VersionId
+          ),
+        ],
+      })
+    );
+
+    if (resp.FailedEntryCount && resp.FailedEntryCount > 0) {
+      throw new Error(
+        `Failed to publish ${guardDutyScanResultStatus} event for ${s3ObjectKey}`,
+        {
+          cause: resp,
+        }
+      );
+    }
+
+    return true;
+  }
+
+  private createGuardDutyEvent(
+    s3ObjectKey: string,
+    scanResultStatus: GuardDutyScanResult,
+    versionId: string
+  ) {
+    const DETAIL_TYPE = 'GuardDuty Malware Protection Object Scan Result';
+    const RESOURCE = 'test:guardduty';
+    const SOURCE = 'test.guardduty';
+
+    return {
+      Source: SOURCE,
+      DetailType: DETAIL_TYPE,
+      Detail: JSON.stringify({
+        schemaVersion: '1.0',
+        scanResultDetails: {
+          scanResultStatus: scanResultStatus,
+        },
+        s3ObjectDetails: {
+          bucketName: process.env.TEMPLATES_QUARANTINE_BUCKET_NAME,
+          objectKey: s3ObjectKey,
+          eTag: `etag-${Date.now()}`,
+          versionId: versionId,
+        },
+      }),
+      Resources: [RESOURCE],
+    };
+  }
+}
diff --git a/tests/test-team/helpers/types.ts b/tests/test-team/helpers/types.ts
@@ -12,7 +12,7 @@ export const templateTypeToUrlTextMappings: Record<string, string> = {
   LETTER: 'letter',
 };
 
-type File = {
+export type File = {
   fileName: string;
   currentVersion: string;
   virusScanStatus: string;
diff --git a/tests/test-team/package.json b/tests/test-team/package.json
@@ -3,6 +3,7 @@
     "@aws-sdk/client-appsync": "3.775.0",
     "@aws-sdk/client-cognito-identity-provider": "3.775.0",
     "@aws-sdk/client-dynamodb": "3.775.0",
+    "@aws-sdk/client-eventbridge": "^3.775.0",
     "@aws-sdk/client-lambda": "3.775.0",
     "@aws-sdk/client-s3": "3.775.0",
     "@aws-sdk/client-sqs": "3.775.0",
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-file-validation.e2e.spec.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-file-validation.e2e.spec.ts
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-guardduty.steps.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-guardduty.steps.ts

Original file line number	Diff line number	Diff line change
`@@ -59,4 +59,8 @@ locals {`
`59`	`59`	`][0], "")`
`60`	`60`
`61`	`61`	`sftp_environment = "${var.group}-${var.environment}-${var.component}"`
	`62`	`+`
	`63`	`+ guardduty_source = var.enable_guardduty ? "aws.guardduty" : "test.guardduty"`
	`64`	`+`
	`65`	`+ guardduty_resource = var.enable_guardduty ? aws_guardduty_malware_protection_plan.quarantine[0].arn : "test:guardduty"`
`62`	`66`	`}`