write basic unit tests for the s3-full-access-policy module #122
Feedback from @NorfairKing: To make sure that setting it up works:
To make sure that we have the right policies:
@mcgirr, please review the module, #47, and the feedback from @NorfairKing, then write up a concise explanation/proposal for how you would implement this, and ping us to review.
@ketzacoatl Will do!
@ketzacoatl Something else I just thought of: IAM uses a combination of include-lists and exclude-lists. We need to (manually) review that we use the correct one for each aspect of the permission.
(Draft) Proposal, 2018 April 30

Abstract - Generally Stated High Level Goals

Requirements

Methodology

This problem can be roughly divided into two parts:

One possible way to implement step 1 would be to create a test module or example module similar to the example given in the remote state on S3 module. One difference from that example is that, in addition to creating an IAM policy that has full access to the bucket, the new testing module would need to create an IAM policy that has limited or no access to the bucket. Users could then be attached to these policies and used in testing. The second step will need to test access to the bucket using these users. A naive approach would be to use a shell script that sets environment variables and performs tests using aws s3 cli commands.

Notes

This proposal is for issue 122. Additionally it covers the topics raised in issue 47.
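The proposal above checks access empirically with two IAM users, and the earlier comment notes that IAM mixes include-lists (Action/Resource) with exclude-lists (NotAction/NotResource). As an added illustration, not code from the terraform-aws-foundation project, here is a small local evaluator of the identity-policy decision rules (explicit Deny beats Allow, no match is an implicit Deny) run over a constructed "full access" policy and the kind of requests step 2 would issue; the bucket name and policy document are assumptions standing in for the module's real output.

```python
from fnmatch import fnmatchcase  # IAM's * and ? wildcards behave like shell globs

BUCKET_ARN = "arn:aws:s3:::example-test-bucket"  # constructed bucket name, not the module's

# Constructed stand-in for the kind of policy under test: full access to one bucket.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _element_matches(stmt, key, value, fold_case):
    """Handle the include-list (Action/Resource) and exclude-list (NotAction/NotResource) forms."""
    if key in stmt:
        pats, want = _as_list(stmt[key]), True        # statement applies if value IS listed
    else:
        pats, want = _as_list(stmt["Not" + key]), False  # applies if value is NOT listed
    if fold_case:  # action names are case-insensitive; resource ARNs are not
        hit = any(fnmatchcase(value.lower(), p.lower()) for p in pats)
    else:
        hit = any(fnmatchcase(value, p) for p in pats)
    return hit == want

def is_allowed(policies, action, resource):
    """Identity-policy decision: explicit Deny beats Allow; no match is an implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_element_matches(stmt, "Action", action, True)
                    and _element_matches(stmt, "Resource", resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny ends the evaluation
            allowed = True
    return allowed

# The requests the proposal's step 2 would issue as each IAM user (constructed keys).
REQUESTS = [("s3:PutObject", BUCKET_ARN + "/report.csv"),
            ("s3:ListBucket", BUCKET_ARN),
            ("s3:DeleteObject", BUCKET_ARN + "/report.csv"),
            ("s3:GetObject", "arn:aws:s3:::unrelated-bucket/report.csv")]

def access_matrix(policies):
    """Map each test request to the expected decision for a user holding `policies`."""
    return {f"{a} {r}": is_allowed(policies, a, r) for a, r in REQUESTS}

if __name__ == "__main__":
    for label, pols in (("attached user", [FULL_ACCESS_POLICY]), ("unattached user", [])):
        print(label, access_matrix(pols))
```

The evaluator ignores Condition blocks and resource-based bucket policies, so it documents the expected outcome of each request; the live test against the deployed users remains the authoritative check.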
@ketzacoatl @NorfairKing This is an initial draft of the proposal. I will be adding more specific details to the methodology section today and tomorrow.
That's the only possible way. If you don't use the module under test, you're not testing anything. For the IAM policies, we want to test that users have the permissions that we document that the module sets up. We are not testing whether AWS implements
I think this testing effort may warrant Haskell code to test it, instead of bash scripts.
For step 1 my plan at the moment is to create an example terraform module to go in terraform-aws-foundation/examples that uses the parts of the s3-full-access-policy module that we want to start testing initially. This will also be a good place for the Haskell code that tests the module to live (for step 2). I will write some code to get familiar with the amazonka package and then migrate it over to the example directory.
@ketzacoatl @NorfairKing Just FYI and very much a work in progress - but I'm currently working on this at terraform-aws-foundation/examples/s3-full-access-policy on the
I like where this is going 👍 and I'm excited to see what we're able to do with the Haskell tooling here. |
* Add example for testing the s3-full-access-policy module. Add initial README.
* Add the initial Haskell stack project to run tests.
* Update license to match the one in the root of the repo.
* Add initial terraform files for s3-full-access-policy example.
* Update terraform configuration for the s3-full-access-policy module example. Terraform will now create an S3 bucket for the module to test setting up iam policy on. Add the initial makefile for the example. Update readme.
* Add code to test access to s3 buckets with the amazonka library.
* Clean up Haskell test code for the api calls in the s3-full-access-policy example.
* Add function to check for bucket policy.
* Check bucket function will now poll until it finds the target bucket. This will result in an error if it does not find the bucket after 20 checks. Once it finds the bucket it will request the bucket policy if the bucket has one.
* update branch
* Remove spacemacs buffer.
* Setup terraform configurations for s3-full-access-policy. This updates the terraform files to create iam users which then have the s3-full-access-policy attached.
* Clean up and reformat terraform files for s3-full-access-policy example.
* update terraform files for s3-full-access-policy example. It seems that the iam policy is not being attached to the iam user that terraform is creating.
* Example test code will put an object to the s3 bucket which the terraform config creates. The haskell test code will try to do this using the terraform output contained in the config.json file - which specifies the newly created iam user's access key and secret key.
* Add the config.json file to a directory local gitignore.
* Haskell tests now list and delete objects using the iam user created by the terraform full permissions module.
* Rename Test module to Verify
* Clean up Haskell test code for s3-full-access-policy module example. Add the initial implementation to run tests without credentials.
* Set up test executables for s3-full-access-policy example to test as an IAM user which has credentials but has not been granted access to the bucket. Clean up Haskell code and adjust the terraform configurations to also create the IAM user that does not have any access.
* Rename testS3Access function and add function documentation.
* Add latest test executable for the s3-full-access-policy module example. Update readme and makefile to build and run the test executable.
* This commit removes the portions of the test code that try to make api requests as the general public.
* Cleanup of s3-full-access-policy example test code prior to initial PR request.
great work @mcgirr!
It's great to see this happening :D Thanks @mcgirr
This issue is targeting a specific unit test for a specific module. The goal is to implement tests that confirm the IAM policies in the module are correct. The module should give a specific IAM role/user/etc full access to the S3 bucket, but no one else has permission to do anything.
See the code in this module: https://github.com/fpco/terraform-aws-foundation/blob/master/modules/s3-full-access-policy/main.tf
This is related/contributes to #47.