cloudfoundry · stephanme · Nov 21, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 6, 2025
diff --git a/.github/actions/s3-integration-run/action.yml b/.github/actions/s3-integration-run/action.yml
@@ -0,0 +1,61 @@
+name: Run AWS S3 Integration Tests
+description: Runs integration tests against to aws infrastructure.
+
+inputs:
+  access_key_id:
+    description: 'AWS Access Key ID'
+    required: true
+  secret_access_key:
+    description: 'AWS Secret Access Key'
+    required: true
+  region_name:
+    description: 'AWS Region Name'
+    required: true
+  stack_name:
+    description: 'CloudFormation Stack Name (required for IAM tests)'
+    required: true
+  test_type:
+    description: 'Type of test to run (e.g.,aws, aws-iam, aws-assume)'
+    required: true
+  focus_regex:
+    description: 'Ginkgo Focus Regex for tests to run'
+    required: false
+  s3_endpoint_host:
+    description: 'Custom S3 Endpoint Host'
+    required: false
+  role_arn:
+    description: 'AWS Role ARN to test assume role functionality'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+  - name: Run AWS S3 Integration Tests
+    shell: bash
+    run: |
+      set -e
+      export access_key_id="${{inputs.access_key_id}}"
+      export secret_access_key="${{inputs.secret_access_key}}"
+      export region_name="${{inputs.region_name}}"
+      export stack_name="${{inputs.stack_name}}"
+
+      if [[ "${{inputs.test_type}}" == "aws" ]]; then
+        export role_arn="${{inputs.role_arn}}"
+        export s3_endpoint_host="${{inputs.s3_endpoint_host}}"
+        export focus_regex="${{inputs.focus_regex}}"
+        echo "Running standard AWS integration tests..."
+        ./.github/scripts/s3/run-integration-aws.sh
+      elif [[ "${{inputs.test_type}}" == "aws-iam" ]]; then
+        echo "Running AWS IAM role tests..."
+        ./.github/scripts/s3/run-integration-aws-iam.sh
+      elif [[ "${{inputs.test_type}}" == "aws-assume" ]]; then
+        export assume_role_arn="${{inputs.role_arn}}"
+        export focus_regex="${{inputs.focus_regex}}"
+        echo "Running AWS assume role tests..."
+        ./.github/scripts/s3/run-integration-aws-assume.sh
+      else
+        echo "Error: Unknown test_type '${{inputs.test_type}}'"
+        echo "Valid options are: aws, aws-iam, aws-assume"
+        exit 1
+      fi
diff --git a/.github/actions/s3-integration-setup/action.yml b/.github/actions/s3-integration-setup/action.yml
@@ -0,0 +1,34 @@
+name: Set up AWS S3 Integration Infrastructure
+description: Sets up AWS S3 Integration Infrastructure for testing purposes.
+
+inputs:
+  access_key_id:
+    description: 'AWS Access Key ID'
+    required: true
+  secret_access_key:
+    description: 'AWS Secret Access Key'
+    required: true
+  region_name:
+    description: 'AWS Region Name'
+    required: true
+  stack_name:
+    description: 'CloudFormation Stack Name'
+    required: true
+  role_arn:
+    description: 'AWS Role ARN'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up AWS Infrastructure
+      shell: bash
+      run: |
+        set -e
+        export access_key_id="${{inputs.access_key_id}}"
+        export secret_access_key="${{inputs.secret_access_key}}"
+        export role_arn="${{inputs.role_arn}}"
+        export region_name="${{inputs.region_name}}"
+        export stack_name="${{inputs.stack_name}}"
+        ./.github/scripts/s3/setup-aws-infrastructure.sh
diff --git a/.github/actions/s3-integration-teardown/action.yml b/.github/actions/s3-integration-teardown/action.yml
@@ -0,0 +1,28 @@
+name: 'Tear down AWS S3 Integration Infrastructure'
+description: 'Tears down AWS S3 Integration Infrastructure used for testing purposes.'
+inputs:
+  access_key_id:
+    description: 'AWS Access Key ID'
+    required: true
+  secret_access_key:
+    description: 'AWS Secret Access Key'
+    required: true
+  region_name:
+    description: 'AWS Region Name'
+    required: true
+  stack_name:
+    description: 'CloudFormation Stack Name'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Teardown AWS Infrastructure
+      shell: bash
+      run: |
+        set -e
+        export access_key_id="${{inputs.access_key_id}}"
+        export secret_access_key="${{inputs.secret_access_key}}"
+        export region_name="${{inputs.region_name}}"
+        export stack_name="${{inputs.stack_name}}"
+        ./.github/scripts/s3/teardown-infrastructure.sh
diff --git a/.github/scripts/s3/assets/cloudformation-s3cli-iam.template.json b/.github/scripts/s3/assets/cloudformation-s3cli-iam.template.json
@@ -0,0 +1,84 @@
+{
+  "Resources": {
+    "S3Bucket": {
+      "Type": "AWS::S3::Bucket",
+      "DeletionPolicy": "Delete",
+      "Properties": {
+        "AccessControl": "Private"
+      }
+    },
+    "Role": {
+      "Type": "AWS::IAM::Role",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com"
+              },
+              "Action": [
+                "sts:AssumeRole"
+              ]
+            }
+          ]
+        },
+        "Path": "/",
+        "Policies": [
+          {
+            "PolicyName": "S3CLIPermissions",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Action": [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "arn:aws:logs:*:*:*"
+                },
+                {
+                  "Action": [
+                    "s3:GetObject*",
+                    "s3:PutObject*",
+                    "s3:List*",
+                    "s3:DeleteObject*"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    {
+                      "Fn::Join": [
+                        "",
+                        [
+                          "arn:aws:s3:::",
+                          { "Ref": "S3Bucket" }
+                        ]
+                      ]
+                    },
+                    {
+                      "Fn::Join": [
+                        "",
+                        [
+                          "arn:aws:s3:::",
+                          { "Ref": "S3Bucket" },
+                          "/*"
+                        ]
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+  },
+  "Outputs": {
+    "BucketName": { "Value": { "Ref": "S3Bucket" }},
+    "IamRoleArn": { "Value": {"Fn::GetAtt" : ["Role", "Arn"] }}
+  }
+}
diff --git a/.github/scripts/s3/assets/cloudformation-s3cli-private-bucket.template.json b/.github/scripts/s3/assets/cloudformation-s3cli-private-bucket.template.json
@@ -0,0 +1,14 @@
+{
+  "Resources": {
+    "S3Bucket": {
+      "Type": "AWS::S3::Bucket",
+      "DeletionPolicy": "Delete",
+      "Properties": {
+        "AccessControl": "Private"
+      }
+    }
+  },
+  "Outputs": {
+    "BucketName": { "Value": { "Ref": "S3Bucket" }}
+  }
+}
diff --git a/.github/scripts/s3/assets/cloudformation-s3cli-public-bucket.template.json b/.github/scripts/s3/assets/cloudformation-s3cli-public-bucket.template.json
@@ -0,0 +1,30 @@
+{
+  "Resources": {
+    "S3PublicReadBucket": {
+      "Type": "AWS::S3::Bucket",
+      "DeletionPolicy": "Delete",
+      "Properties": {
+        "PublicAccessBlockConfiguration": {
+          "BlockPublicAcls": false,
+          "BlockPublicPolicy": false,
+          "IgnorePublicAcls": false,
+          "RestrictPublicBuckets": false
+        },
+        "OwnershipControls": {
+          "Rules": [
+            {
+              "ObjectOwnership": "ObjectWriter"
+            }
+          ]
+        }
+      }
+    }
+  },
+  "Outputs": {
+    "BucketName": {
+      "Value": {
+        "Ref": "S3PublicReadBucket"
+      }
+    }
+  }
+}
diff --git a/.github/scripts/s3/assets/lambda_function.py b/.github/scripts/s3/assets/lambda_function.py
@@ -0,0 +1,22 @@
+import os
+import logging
+import subprocess
+
+def test_runner_handler(event, context):
+    os.environ['S3_CLI_PATH'] = './s3cli'
+    os.environ['BUCKET_NAME'] = event['bucket_name']
+    os.environ['REGION'] = event['region']
+    os.environ['S3_HOST'] = event['s3_host']
+
+    logger = logging.getLogger()
+    logger.setLevel(logging.DEBUG)
+
+    try:
+        output = subprocess.check_output(['./integration.test', '-ginkgo.focus', 'AWS STANDARD IAM ROLE'],
+                                env=os.environ, stderr=subprocess.STDOUT)
+        logger.debug("INTEGRATION TEST OUTPUT:")
+        logger.debug(output)
+    except subprocess.CalledProcessError as e:
+        logger.debug("INTEGRATION TEST EXITED WITH STATUS: " + str(e.returncode))
+        logger.debug(e.output)
+        raise
diff --git a/.github/scripts/s3/run-integration-aws-assume.sh b/.github/scripts/s3/run-integration-aws-assume.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+# Get the directory where this script is located
+script_dir="$( cd "$(dirname "${0}")" && pwd )"
+repo_root="$(cd "${script_dir}/../../.." && pwd)"
+
+# Source utils from the same directory
+source "${script_dir}/utils.sh"
+
+: "${access_key_id:?}"
+: "${secret_access_key:?}"
+: "${region_name:=unset}"
+: "${focus_regex:?}"
+: "${assume_role_arn:=unset}"
+: "${s3_endpoint_host:=unset}"
+
+
+# Just need these to get the stack info
+export AWS_ACCESS_KEY_ID=${access_key_id}
+export AWS_SECRET_ACCESS_KEY=${secret_access_key}
+export AWS_DEFAULT_REGION=${region_name}
+export ASSUME_ROLE_ARN=${assume_role_arn}
+
+# Some of these are optional
+export ACCESS_KEY_ID=${access_key_id}
+export SECRET_ACCESS_KEY=${secret_access_key}
+export REGION=${region_name}
+export S3_HOST=${s3_endpoint_host}
+
+
+pushd "${repo_root}" > /dev/null
+  echo -e "\n running tests with $(go version)..."
+  ginkgo -r --focus="${focus_regex}" s3/integration/
+popd > /dev/null