chore: remove AWS-costing Terraform tests (#151)

* chore(ci): skip terraform_docs in CI workflow

- Remove .md files from trigger paths
- Remove terraform-docs installation step
- Add SKIP: terraform_docs environment variable
- Update actions/cache to v4 and setup-python to v5
- Update cache key to bust stale caches
- Simplify pre-commit run logic into single step
- Update summary to clarify docs handled locally

This eliminates environment parity issues between macOS and Linux
for terraform-docs and speeds up CI by removing unnecessary tooling.

Closes #148

* fix(ci): address security and error handling issues

- Replace insecure curl|bash with verified tflint GitHub release download
- Add set -euo pipefail for strict error handling
- Add explicit error handling for git fetch operations
- Use --diff-filter=ACMR to exclude deleted files from pre-commit
- Use xargs for safer file argument handling
- Update tflint to v0.54.0

Addresses review feedback from bug hunt.

* chore: remove AWS-costing Terraform tests

Remove Terratest integration tests to eliminate AWS resource costs in CI.

Changes:
- Delete test/ directory (Go tests, helpers, cleanup utility)
- Remove unit-tests, integration-tests, test-results, cleanup jobs from test.yml
- Keep free validation, security scanning, and linting jobs
- Update CLAUDE.md to remove testing documentation

Preserved:
- examples/ directory for user documentation
- terraform fmt, validate, tfsec, tflint checks

Author: lgallard

.github/workflows/test.yml

@@ -22,8 +22,6 @@ on:
 
 env:
   TERRAFORM_VERSION: latest
-  GO_VERSION: 1.21
-  ACTIONS_STEP_DEBUG: true
 
 jobs:
   # Validation tests - fast feedback
@@ -103,243 +101,4 @@ jobs:
         run: tflint --init
 
       - name: Run TFLint
-        run: tflint --recursive
-
-
-  # Unit tests using Terratest
-  unit-tests:
-    name: Unit Tests
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master'
-    strategy:
-      fail-fast: false
-      matrix:
-        test-suite: 
-          - validation
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
-          terraform_wrapper: false
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('test/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Install dependencies
-        working-directory: test
-        run: go mod download
-
-      - name: Run validation tests
-        if: matrix.test-suite == 'validation'
-        working-directory: test
-        run: |
-          go test -v -timeout 10m -run "TestTerraform.*Validation|TestTerraformFormat|TestTerraformValidate|TestExamplesValidation|TestTerraformPlan|TestVariableValidation" \
-            -json > validation-test-results.json
-        env:
-          AWS_DEFAULT_REGION: us-east-1
-
-      - name: Run ephemeral tests
-        if: matrix.test-suite == 'ephemeral'
-        working-directory: test
-        run: |
-          echo "Starting ephemeral tests..."
-          echo "AWS Region: $AWS_DEFAULT_REGION"
-          echo "Go version: $(go version)"
-          echo "Terraform version: $(terraform version)"
-          
-          # Run tests sequentially to avoid state conflicts
-          go test -v -timeout 30m -p=1 -run "TestEphemeral.*" \
-            -json > ephemeral-test-results.json
-          
-          exit_code=$?
-          echo "Tests completed with exit code: $exit_code"
-          
-          if [ $exit_code -ne 0 ]; then
-            echo "Test failures detected. Showing recent test output:"
-            tail -50 ephemeral-test-results.json || echo "No test results file found"
-          fi
-          
-          exit $exit_code
-        env:
-          AWS_DEFAULT_REGION: us-east-1
-
-      - name: Debug test artifacts
-        if: always()
-        working-directory: test
-        run: |
-          echo "=== Test directory contents ==="
-          ls -la
-          echo "=== Test result files ==="
-          ls -la *-test-results.json 2>/dev/null || echo "No test result files found"
-          echo "=== Terraform state files ==="
-          ls -la ../*.tfstate* 2>/dev/null || echo "No state files found"
-
-      - name: Upload test results
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: test-results-${{ matrix.test-suite }}
-          path: test/*-test-results.json
-
-  # Integration tests - only on master or when specifically requested
-  integration-tests:
-    name: Integration Tests
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/master' || contains(github.event.pull_request.labels.*.name, 'run-integration-tests')
-    strategy:
-      fail-fast: false
-      matrix:
-        aws-region: 
-          - us-east-1
-          - us-west-2
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
-          terraform_wrapper: false
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ matrix.aws-region }}
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('test/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Install dependencies
-        working-directory: test
-        run: go mod download
-
-      - name: Run integration tests
-        working-directory: test
-        run: |
-          go test -v -timeout 45m -run "TestTerraformAwsSecretsManager.*" \
-            -json > integration-test-results-${{ matrix.aws-region }}.json
-        env:
-          AWS_DEFAULT_REGION: ${{ matrix.aws-region }}
-
-      - name: Upload integration test results
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: integration-test-results-${{ matrix.aws-region }}
-          path: test/integration-test-results-${{ matrix.aws-region }}.json
-
-  # Test result processing and reporting
-  test-results:
-    name: Process Test Results
-    runs-on: ubuntu-latest
-    needs: [validate, security, lint, unit-tests]
-    if: always()
-    steps:
-      - name: Download test artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: test-results
-
-      - name: Process test results
-        run: |
-          echo "# Test Results Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          
-          # Count test files
-          VALIDATION_PASSED=$(find test-results -name "*validation*" -type f | wc -l)
-          EPHEMERAL_PASSED=$(find test-results -name "*ephemeral*" -type f | wc -l)
-          INTEGRATION_PASSED=$(find test-results -name "*integration*" -type f | wc -l)
-          
-          echo "| Test Suite | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "|------------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Validation | ✅ $VALIDATION_PASSED suites completed |" >> $GITHUB_STEP_SUMMARY
-          echo "| Ephemeral | ✅ $EPHEMERAL_PASSED suites completed |" >> $GITHUB_STEP_SUMMARY
-          echo "| Integration | ✅ $INTEGRATION_PASSED suites completed |" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "View detailed results in the artifacts section." >> $GITHUB_STEP_SUMMARY
-
-      - name: Check overall test status
-        run: |
-          if [ "${{ needs.validate.result }}" != "success" ] || \
-             [ "${{ needs.security.result }}" != "success" ] || \
-             [ "${{ needs.lint.result }}" != "success" ] || \
-             [ "${{ needs.unit-tests.result }}" != "success" ]; then
-            echo "One or more test suites failed"
-            exit 1
-          fi
-          echo "All test suites passed successfully"
-
-  # Cleanup job to remove test resources
-  cleanup:
-    name: Cleanup Test Resources
-    runs-on: ubuntu-latest
-    if: always() && (needs.unit-tests.result == 'success' || needs.unit-tests.result == 'failure' || needs.integration-tests.result == 'success' || needs.integration-tests.result == 'failure')
-    needs: [unit-tests, integration-tests]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: Install dependencies
-        working-directory: test
-        run: go mod download
-
-      - name: Cleanup test resources
-        working-directory: test
-        run: |
-          go run -v cleanup/main.go
-        env:
-          AWS_DEFAULT_REGION: us-east-1
-        continue-on-error: true
+        run: tflint --recursive