Added tests (#84)

Author: goruha

src/main.tf

@@ -27,7 +27,7 @@ locals {
 
   policy = local.enabled ? jsondecode(data.aws_iam_policy_document.default[0].json) : null
 
-  # default datadog_logs_archive query. 
+  # default datadog_logs_archive query.
   default_query = join(" OR ", concat([join(":", ["env", var.stage]), join(":", ["account", local.aws_account_id])], var.additional_query_tags))
   query         = var.query_override == null ? local.default_query : var.query_override
 }
@@ -65,7 +65,7 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      "arn:${local.aws_partition}:s3:::${module.cloudtrail_label.id}",
+      "arn:${local.aws_partition}:s3:::${module.cloudtrail_bucket_label.id}",
     ]
   }
 
@@ -84,7 +84,7 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      "arn:${local.aws_partition}:s3:::${module.cloudtrail_label.id}/*",
+      "arn:${local.aws_partition}:s3:::${module.cloudtrail_bucket_label.id}/*",
     ]
 
     condition {
@@ -98,7 +98,7 @@ data "aws_iam_policy_document" "default" {
       test     = "StringLike"
       variable = "aws:SourceArn"
       values = [
-        "arn:${local.aws_partition}:cloudtrail:*:${local.aws_account_id}:trail/*datadog-logs-archive",
+        "arn:${local.aws_partition}:cloudtrail:*:${local.aws_account_id}:trail/${module.this.id}",
       ]
     }
 
@@ -119,7 +119,7 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      "arn:${local.aws_partition}:s3:::${module.cloudtrail_label.id}/*",
+      "arn:${local.aws_partition}:s3:::${module.cloudtrail_bucket_label.id}/*",
     ]
 
     condition {
@@ -133,7 +133,7 @@ data "aws_iam_policy_document" "default" {
       test     = "StringLike"
       variable = "aws:SourceArn"
       values = [
-        "arn:${local.aws_partition}:cloudtrail:*:${local.aws_account_id}:trail/*datadog-logs-archive",
+        "arn:${local.aws_partition}:cloudtrail:*:${local.aws_account_id}:trail/${module.this.id}",
       ]
     }
 
@@ -211,7 +211,7 @@ module "archive_bucket" {
   user_enabled       = false
   versioning_enabled = true
 
-  object_lock_configuration = {
+  object_lock_configuration = var.object_lock_days_archive == 0 ? null : {
     mode  = var.object_lock_mode_archive
     days  = var.object_lock_days_archive
     years = null
@@ -220,7 +220,7 @@ module "archive_bucket" {
   context = module.this.context
 }
 
-module "cloudtrail_label" {
+module "cloudtrail_bucket_label" {
   source  = "cloudposse/label/null"
   version = "0.25.0" # requires Terraform >= 0.13.0
 
@@ -278,7 +278,7 @@ module "cloudtrail_s3_bucket" {
   label_key_case   = "lower"
   label_value_case = "lower"
 
-  object_lock_configuration = {
+  object_lock_configuration = var.object_lock_days_cloudtrail == 0 ? null : {
     mode  = var.object_lock_mode_cloudtrail
     days  = var.object_lock_days_cloudtrail
     years = null
@@ -294,7 +294,7 @@ module "cloudtrail_s3_bucket" {
   # https://github.com/hashicorp/terraform/issues/5613
   allow_ssl_requests_only = false
 
-  context = module.cloudtrail_label.context
+  context = module.cloudtrail_bucket_label.context
 }
 
 module "cloudtrail" {

src/variables.tf

@@ -7,6 +7,7 @@ variable "query_override" {
   type        = string
   nullable    = true
   description = "Override query for datadog archive. If null would be used query 'env:{stage} OR account:{aws account id} OR {additional_query_tags}'"
+  default     = null
 }
 
 variable "additional_query_tags" {

test/.gitignore

@@ -0,0 +1,5 @@
+state/
+.cache
+test/test-suite.json
+.atmos
+test_suite.yaml

test/README.md

@@ -0,0 +1,149 @@
+package test
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	helper "github.com/cloudposse/test-helpers/pkg/atmos/component-helper"
+	awsTerratest "github.com/gruntwork-io/terratest/modules/aws"
+	"github.com/cloudposse/test-helpers/pkg/atmos"
+	"github.com/gruntwork-io/terratest/modules/aws"
+	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/stretchr/testify/assert"
+)
+
+type ComponentSuite struct {
+	helper.TestSuite
+
+	datadogAPIKey string // Datadog API key
+	datadogAppKey string // Datadog App key
+	datadogHost   string // Datadog host
+	randomID      string
+	awsRegion     string
+}
+
+func (s *ComponentSuite) TestBasic() {
+	const component = "datadog-logs-archive/basic"
+	const stack = "default-test"
+	const awsRegion = "us-east-2"
+
+	randomID := strings.ToLower(random.UniqueId())
+
+	// Store the Datadog API key in SSM for the duration of the test.
+	apiKeyPath := fmt.Sprintf("/datadog/%s/datadog_api_key", randomID)
+	awsTerratest.PutParameter(s.T(), s.awsRegion, apiKeyPath, "Datadog API Key", s.datadogAPIKey)
+
+	// Store the Datadog App key in SSM for the duration of the test.
+	appKeyPath := fmt.Sprintf("/datadog/%s/datadog_app_key", randomID)
+	awsTerratest.PutParameter(s.T(), s.awsRegion, appKeyPath, "Datadog App Key", s.datadogAppKey)
+
+	defer func() {
+		if !s.Config.SkipDestroyComponent {
+			awsTerratest.DeleteParameter(s.T(), awsRegion, apiKeyPath)
+			awsTerratest.DeleteParameter(s.T(), awsRegion, appKeyPath)
+		}
+	}()
+
+	defer s.DestroyAtmosComponent(s.T(), component, stack, nil)
+	options, _ := s.DeployAtmosComponent(s.T(), component, stack, nil)
+	assert.NotNil(s.T(), options)
+
+	cloudtrailBucketName := atmos.Output(s.T(), options, "cloudtrail_bucket_id")
+
+	defer func() {
+		if !s.Config.SkipDestroyComponent {
+			atmos.DestroyE(s.T(), options)
+			aws.EmptyS3Bucket(s.T(), awsRegion, cloudtrailBucketName)
+		}
+	}()
+
+	s.DriftTest(component, stack, nil)
+}
+
+func (s *ComponentSuite) TestEnabledFlag() {
+	const component = "datadog-logs-archive/disabled"
+	const stack = "default-test"
+	const awsRegion = "us-east-2"
+
+	randomID := strings.ToLower(random.UniqueId())
+
+	// Store the Datadog API key in SSM for the duration of the test.
+	apiKeyPath := fmt.Sprintf("/datadog/%s/datadog_api_key", randomID)
+	awsTerratest.PutParameter(s.T(), s.awsRegion, apiKeyPath, "Datadog API Key", s.datadogAPIKey)
+
+	// Store the Datadog App key in SSM for the duration of the test.
+	appKeyPath := fmt.Sprintf("/datadog/%s/datadog_app_key", randomID)
+	awsTerratest.PutParameter(s.T(), s.awsRegion, appKeyPath, "Datadog App Key", s.datadogAppKey)
+
+	defer func() {
+		awsTerratest.DeleteParameter(s.T(), awsRegion, apiKeyPath)
+		awsTerratest.DeleteParameter(s.T(), awsRegion, appKeyPath)
+	}()
+
+	s.VerifyEnabledFlag(component, stack, nil)
+}
+
+func (s *ComponentSuite) SetupSuite() {
+	s.InitConfig()
+	s.Config.ComponentDestDir = "components/terraform/datadog-logs-archive"
+
+	// Store the Datadog API key in SSM for the duration of the test.
+	// Add the key to /datadog/<RANDOMID>/datadog_api_key to avoid
+	// conflicts during parallel tests and remove the key after the test.
+	s.datadogAPIKey = os.Getenv("DD_API_KEY")
+	if s.datadogAPIKey == "" {
+		s.T().Fatal("DD_API_KEY environment variable must be set")
+	}
+
+	// Store the Datadog App key in SSM for the duration of the test.
+	// Add the key to /datadog/<RANDOMID>/datadog_app_key to avoid
+	// conflicts during parallel tests and remove the key after the test.
+	s.datadogAppKey = os.Getenv("DD_APP_KEY")
+	if s.datadogAppKey == "" {
+		s.T().Fatal("DD_APP_KEY environment variable must be set")
+	}
+
+	s.randomID = strings.ToLower(random.UniqueId())
+	s.awsRegion = "us-east-2"
+	s.datadogHost = "us5.datadoghq.com"
+
+	if !s.Config.SkipDeployDependencies {
+		apiKeyPath := fmt.Sprintf("/datadog/%s/datadog_api_key", s.randomID)
+		awsTerratest.PutParameter(s.T(), s.awsRegion, apiKeyPath, "Datadog API Key", s.datadogAPIKey)
+
+		appKeyPath := fmt.Sprintf("/datadog/%s/datadog_app_key", s.randomID)
+		awsTerratest.PutParameter(s.T(), s.awsRegion, appKeyPath, "Datadog App Key", s.datadogAppKey)
+
+		inputs := map[string]any{
+			"datadog_site_url": s.datadogHost,
+			"datadog_secrets_source_store_account_region": s.awsRegion,
+			"datadog_secrets_source_store_account_stage":  "test",
+			"datadog_secrets_source_store_account_tenant": "default",
+			"datadog_api_secret_key":                      s.randomID,
+			"datadog_app_secret_key":                      s.randomID,
+		}
+		s.AddDependency(s.T(), "datadog-configuration", "default-test", &inputs)
+		s.AddDependency(s.T(), "datadog-integration", "default-test", &map[string]any{})
+	}
+
+	s.TestSuite.SetupSuite()
+}
+
+func (s *ComponentSuite) TearDownSuite() {
+	s.TestSuite.TearDownSuite()
+	if !s.Config.SkipDestroyDependencies {
+		apiKeyPath := fmt.Sprintf("/datadog/%s/datadog_api_key", s.randomID)
+		awsTerratest.DeleteParameter(s.T(), s.awsRegion, apiKeyPath)
+
+		appKeyPath := fmt.Sprintf("/datadog/%s/datadog_app_key", s.randomID)
+		awsTerratest.DeleteParameter(s.T(), s.awsRegion, appKeyPath)
+	}
+}
+
+func TestRunSuite(t *testing.T) {
+	suite := new(ComponentSuite)
+
+	helper.Run(t, suite)
+}

test/component_test.go

@@ -0,0 +1,77 @@
+# CLI config is loaded from the following locations (from lowest to highest priority):
+# system dir (`/usr/local/etc/atmos` on Linux, `%LOCALAPPDATA%/atmos` on Windows)
+# home dir (~/.atmos)
+# current directory
+# ENV vars
+# Command-line arguments
+#
+# It supports POSIX-style Globs for file names/paths (double-star `**` is supported)
+# https://en.wikipedia.org/wiki/Glob_(programming)
+
+# Base path for components, stacks and workflows configurations.
+# Can also be set using `ATMOS_BASE_PATH` ENV var, or `--base-path` command-line argument.
+# Supports both absolute and relative paths.
+# If not provided or is an empty string, `components.terraform.base_path`, `components.helmfile.base_path`, `stacks.base_path` and `workflows.base_path`
+# are independent settings (supporting both absolute and relative paths).
+# If `base_path` is provided, `components.terraform.base_path`, `components.helmfile.base_path`, `stacks.base_path` and `workflows.base_path`
+# are considered paths relative to `base_path`.
+base_path: ""
+
+components:
+  terraform:
+    # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_BASE_PATH` ENV var, or `--terraform-dir` command-line argument
+    # Supports both absolute and relative paths
+    base_path: "components/terraform"
+    # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_APPLY_AUTO_APPROVE` ENV var
+    apply_auto_approve: true
+    # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_DEPLOY_RUN_INIT` ENV var, or `--deploy-run-init` command-line argument
+    deploy_run_init: true
+    # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_INIT_RUN_RECONFIGURE` ENV var, or `--init-run-reconfigure` command-line argument
+    init_run_reconfigure: true
+    # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_AUTO_GENERATE_BACKEND_FILE` ENV var, or `--auto-generate-backend-file` command-line argument
+    auto_generate_backend_file: true
+
+stacks:
+  # Can also be set using `ATMOS_STACKS_BASE_PATH` ENV var, or `--config-dir` and `--stacks-dir` command-line arguments
+  # Supports both absolute and relative paths
+  base_path: "stacks"
+  # Can also be set using `ATMOS_STACKS_INCLUDED_PATHS` ENV var (comma-separated values string)
+  # Since we are distinguishing stacks based on namespace, and namespace is not part
+  # of the stack name, we have to set `included_paths` via the ENV var in the Dockerfile
+  included_paths:
+    - "orgs/**/*"
+
+  # Can also be set using `ATMOS_STACKS_EXCLUDED_PATHS` ENV var (comma-separated values string)
+  excluded_paths:
+    - "**/_defaults.yaml"
+
+  # Can also be set using `ATMOS_STACKS_NAME_PATTERN` ENV var
+  name_pattern: "{tenant}-{stage}"
+
+workflows:
+  # Can also be set using `ATMOS_WORKFLOWS_BASE_PATH` ENV var, or `--workflows-dir` command-line arguments
+  # Supports both absolute and relative paths
+  base_path: "stacks/workflows"
+
+# https://github.com/cloudposse/atmos/releases/tag/v1.33.0
+logs:
+  file: "/dev/stdout"
+  # Supported log levels: Trace, Debug, Info, Warning, Off
+  level: Info
+
+settings:
+  # Can also be set using 'ATMOS_SETTINGS_LIST_MERGE_STRATEGY' environment variable, or '--settings-list-merge-strategy' command-line argument
+  list_merge_strategy: replace
+
+# `Go` templates in Atmos manifests
+# https://atmos.tools/core-concepts/stacks/templating
+# https://pkg.go.dev/text/template
+templates:
+  settings:
+    enabled: true
+    # https://masterminds.github.io/sprig
+    sprig:
+      enabled: true
+    # https://docs.gomplate.ca
+    gomplate:
+      enabled: true

test/fixtures/atmos.yaml

@@ -0,0 +1,46 @@
+components:
+  terraform:
+    account-map:
+      metadata:
+        terraform_workspace: core-gbl-root
+      vars:
+        tenant: core
+        environment: gbl
+        stage: root
+
+#      This remote state is only for Cloud Posse internal use.
+#      It references the Cloud Posse test organizations actual infrastructure.
+#      remote_state_backend:
+#        s3:
+#          bucket: cptest-core-ue2-root-tfstate-core
+#          dynamodb_table: cptest-core-ue2-root-tfstate-core-lock
+#          role_arn: arn:aws:iam::822777368227:role/cptest-core-gbl-root-tfstate-core-ro
+#          encrypt: true
+#          key: terraform.tfstate
+#          acl: bucket-owner-full-control
+#          region: us-east-2
+
+      remote_state_backend_type: static
+      remote_state_backend:
+        # This static backend is used for tests that only need to use the account map iam-roles module
+        # to find the role to assume for Terraform operations. It is configured to use whatever
+        # the current user's role is, but the environment variable `TEST_ACCOUNT_ID` must be set to
+        # the account ID of the account that the user is currently assuming a role in.
+        #
+        # For some components, this backend is missing important data, and those components
+        # will need that data added to the backend configuration in order to work properly.
+        static:
+          account_info_map: {}
+          all_accounts: []
+          aws_partition: aws
+          full_account_map: {}
+          iam_role_arn_templates: {}
+          non_eks_accounts: []
+          profiles_enabled: false
+          root_account_aws_name: root
+          terraform_access_map: {}
+          terraform_dynamic_role_enabled: false
+          terraform_role_name_map:
+            apply: terraform
+            plan: planner
+          terraform_roles: {}

test/fixtures/stacks/catalog/account-map.yaml

@@ -0,0 +1,12 @@
+components:
+  terraform:
+    datadog-configuration:
+      vars:
+        enabled: true
+        name: datadog-configuration
+        datadog_secrets_store_type: SSM
+        datadog_site_url: us5.datadoghq.com
+        datadog_secrets_source_store_account_stage: auto
+        datadog_secrets_source_store_account_region: "us-east-2"
+
+