ci(runners): add terraform test for pool module type safety #5157
Open
Brend-Smits wants to merge 5 commits into
The conditional for the runner role in pool.tf returned inconsistent types: the true branch produced an object with a single 'arn' attribute while the false branch returned the full aws_iam_role resource (16 attributes). Terraform requires both branches to have consistent types. Move the conditional inside the object so both branches produce a string for the 'arn' key. Fixes type error introduced in #4875. Signed-off-by: Brend Smits <brend.smits@philips.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
250ab7c to 8cb1fef
8cb1fef to 5f2cf57
Add a terraform test that exercises the pool module code path with mock providers. This catches conditional type mismatches (like the one in #4875) that terraform validate cannot detect. The test uses mock_provider with mock_data to avoid needing AWS credentials while still running a full plan that validates type consistency. Also adds a terraform_test job to the existing CI workflow that runs `terraform test` on modules with test files. Signed-off-by: Brend Smits <brend.smits@philips.com>
- Add README.md explaining how to write and run terraform tests
- Pin CI container to hashicorp/terraform:1.12 (mock_provider needs >= 1.7)

Signed-off-by: Brend Smits <brend.smits@philips.com>
5f2cf57 to 7df0fb9
Problem

`terraform validate` cannot detect conditional type mismatches like the one introduced in #4875:

This passes `terraform validate` but fails at plan time because the two branches produce objects with different attributes (1 vs 16).

Solution

Add a `terraform test` file (`modules/runners/tests/pool.tftest.hcl`) that uses mock providers to run a full plan of the runners module with pool enabled. This catches type errors that `validate` misses, without requiring AWS credentials.

Also adds a `terraform_test` job to the existing CI workflow. The job uses Terraform `latest` (requires 1.7+ for `mock_provider`/`mock_data` support) and runs `terraform test` on modules that have test files.

Verified locally

With the buggy code (before #5156):

With the fix (#5156 applied):

Future work

The `terraform_test` job matrix can be expanded as more modules add `.tftest.hcl` files. This is a starting point to catch the class of bugs that `validate` cannot.
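The pattern described in this PR, reduced to a two-file sketch. This is an added example, not the project's `pool.tf` or `pool.tftest.hcl`: the variable `existing_role_arn`, the resource name `runner`, the file names and the ARN are constructed, and it assumes Terraform 1.7 or newer with the `hashicorp/aws` provider installed by `terraform init`.

```hcl
# --- main.tf: constructed module, not the project's pool.tf ---
variable "existing_role_arn" {
  type    = string
  default = null
}

resource "aws_iam_role" "runner" {
  count              = var.existing_role_arn == null ? 1 : 0
  name               = "constructed-runner-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

locals {
  # Mismatched shape from the PR text: object with only `arn` vs the whole resource.
  # role = var.existing_role_arn != null ? { arn = var.existing_role_arn } : aws_iam_role.runner[0]

  # Consistent shape: the conditional sits inside the object, so both branches are strings.
  role = {
    arn = var.existing_role_arn != null ? var.existing_role_arn : aws_iam_role.runner[0].arn
  }
}

output "role_arn" { value = local.role.arn }

# --- tests/role.tftest.hcl: every run is a full plan against a mocked AWS provider ---
mock_provider "aws" {}

run "creates_role_when_none_supplied" {
  command = plan
  assert {
    condition     = length(aws_iam_role.runner) == 1
    error_message = "expected the module to plan its own runner role"
  }
}

run "reuses_supplied_role" {
  command = plan
  variables {
    existing_role_arn = "arn:aws:iam::123456789012:role/constructed-example"
  }
  assert {
    condition     = output.role_arn == "arn:aws:iam::123456789012:role/constructed-example"
    error_message = "role_arn should be the supplied ARN"
  }
}
```

Swapping in the commented-out `role` line gives the shape the PR says passes `terraform validate` and fails at plan time, which is the stage the first `run` block exercises. The assertions touch only values known at plan time, since the ARN of a role the module creates itself is not known until apply.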