chore(tests): add organizational test (#31)

* chore(tests): enable benchmarks to ci/cd tests
* chore(tests): 409 conflict testing aws-draios-demo
* chore(tests): try aws-qa-cloudvision account
* chore(tests): homogeneize backends
* chore(test): run tests separately with specific env vars
* chore(test): organize managed vs. member secrets
* chore(test): revert backend with profile usage
cannot make it work with multiple profile usage on organization :(

Co-authored-by: Hayk Kocharyan <hayk.kocharyan@sysdig.com>

Author: iru

.github/workflows/ci-integration-cleanup-force.yaml

@@ -1,23 +1,24 @@
 name: CI - Integration Tests
 
 on:
+  workflow_dispatch:
   pull_request:
     paths:
       - '**.tf'
+      - '.github/workflows/**'
   push:
     branches:
       - master
     paths:
       - '**.tf'
+      - '.github/workflows/**'
 concurrency: terraform
+
 jobs:
   integration_test:
     name: Test-Kitchen
     runs-on: ubuntu-latest
     env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_SECRET_ACCESS_KEY }}
-      AWS_REGION: ${{ secrets.AWS_REGION }}
       TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
       TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
 
@@ -30,9 +31,36 @@ jobs:
           ruby-version: 2.7
           bundler-cache: true
 
-      - name: Run test
-        run: bundle exec kitchen test
+      - name: Run single-account test
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+        run: bundle exec kitchen test single-account
+
+      - name: Destroy single-account resources
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+        if: ${{ failure() }}
+        run: bundle exec kitchen destroy single-account
+
+
+
+      - name: Run organizational test
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
+        run: bundle exec kitchen test organizational
 
-      - name: Destroy resources
+      - name: Destroy organizational resources
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
         if: ${{ failure() }}
-        run: bundle exec kitchen destroy
+        run: bundle exec kitchen destroy organizational

.github/workflows/ci-integration-tests.yaml

@@ -1,27 +1,19 @@
 ---
 driver:
   name: terraform
-  root_module_directory: test/fixtures/single-account
-  # ################
-  # Uncomment the following two lines if you are deploying /test/fixture/single-account/main.tf
-  # using custom tfvars file
-  #  variable_files:
-  #    - test/fixtures/single-account/test.tfvars
-  # ################
+  root_module_directory: test/fixtures
   parallelism: 4
 
 provisioner:
   name: terraform
 
-verifier:
-  name: "awspec"
-
 platforms:
   - name: "aws"
 
 suites:
-  - name: kt_suite
-    verifier:
-      name: "awspec"
-      patterns:
-        - "test/integration/kt_suite/single-account.rb"
+  - name: single-account
+    driver:
+      root_module_directory: test/fixtures/single-account
+  - name: organizational
+    driver:
+      root_module_directory: test/fixtures/organizational

.kitchen.yml

@@ -27,6 +27,7 @@ repos:
         args:
           - '--args=--sort-by required'
       - id: terraform_tflint
+        exclude: test\/.*$
         args:
           - '--args=--only=terraform_deprecated_interpolation'
           - '--args=--only=terraform_deprecated_index'

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+# Terraform state storage backend
+terraform {
+  backend "s3" {
+    bucket         = "secure-cloud-terraform-tests-org" # need to append '-org' to avoid conflict
+    key            = "aws-organizational/terraform.tfstate"
+    dynamodb_table = "secure-cloud-terraform-tests"
+    region         = "eu-west-3"
+  }
+}

test/fixtures/organizational/backend.tf

@@ -0,0 +1,9 @@
+module "cloudvision_aws_single_account" {
+  source = "../../../examples/organizational"
+  name   = var.name
+  region = var.region
+
+  sysdig_secure_api_token                   = var.sysdig_secure_api_token
+  sysdig_secure_endpoint                    = var.sysdig_secure_endpoint
+  sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
+}

test/fixtures/organizational/main.tf

@@ -0,0 +1,30 @@
+variable "sysdig_secure_api_token" {
+  type        = string
+  sensitive   = true
+  description = "Sysdig secure api token"
+}
+variable "sysdig_secure_for_cloud_member_account_id" {
+  type        = string
+  description = "organizational member account where the secure-for-cloud workload is going to be deployed"
+}
+
+
+
+
+variable "name" {
+  type        = string
+  description = "Name is the prefix used in the resources will be created"
+  default     = "sfc-tests-kitchen"
+}
+
+variable "region" {
+  type        = string
+  description = "Region to be deployed"
+  default     = "eu-west-3"
+}
+
+variable "sysdig_secure_endpoint" {
+  type        = string
+  description = "Sysdig secure endpoint"
+  default     = "https://secure.sysdig.com"
+}

test/fixtures/organizational/outputs.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_version = ">= 0.15.0"
+  required_providers {
+    aws = {
+      version = ">= 3.50.0"
+    }
+  }
+}

test/fixtures/organizational/variables.tf

@@ -1,9 +1,9 @@
 # Terraform state storage backend
 terraform {
   backend "s3" {
-    bucket         = "terraform-cicd-tests"
-    key            = "single-account/terraform.tfstate"
-    dynamodb_table = "terraform-cicd-test"
+    bucket         = "secure-cloud-terraform-tests"
+    key            = "aws-single-account/terraform.tfstate"
+    dynamodb_table = "secure-cloud-terraform-tests"
     region         = "eu-west-3"
   }
 }