Add tests for image build not required; Fix example to use platform-c…

…onfig test file
uktrade · Jan 17, 2025 · 22753cd · 22753cd
1 parent 557b73b
commit 22753cd
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 122 deletions.
diff --git a/codebase-pipelines/codebuild.tf b/codebase-pipelines/codebuild.tf
@@ -3,7 +3,7 @@ data "aws_codestarconnections_connection" "github_codestar_connection" {
 }
 
 resource "aws_codebuild_project" "codebase_image_build" {
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each      = toset(var.requires_image_build ? [""] : [])
   name          = "${var.application}-${var.codebase}-codebase-pipeline-image-build"
   description   = "Publish images on push to ${var.repository}"
   build_timeout = 30
@@ -71,19 +71,19 @@ resource "aws_codebuild_project" "codebase_image_build" {
 resource "aws_cloudwatch_log_group" "codebase_image_build" {
   # checkov:skip=CKV_AWS_338:Retains logs for 3 months instead of 1 year
   # checkov:skip=CKV_AWS_158:Log groups encrypted using default encryption key instead of KMS CMK
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each          = toset(var.requires_image_build ? [""] : [])
   name              = "codebuild/${var.application}-${var.codebase}-codebase-image-build/log-group"
   retention_in_days = 90
 }
 
 resource "aws_cloudwatch_log_stream" "codebase_image_build" {
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each       = toset(var.requires_image_build ? [""] : [])
   name           = "codebuild/${var.application}-${var.codebase}-codebase-image-build/log-stream"
   log_group_name = aws_cloudwatch_log_group.codebase_image_build[""].name
 }
 
 resource "aws_codebuild_webhook" "codebuild_webhook" {
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each     = toset(var.requires_image_build ? [""] : [])
   project_name = aws_codebuild_project.codebase_image_build[""].name
   build_type   = "BUILD"
 

diff --git a/codebase-pipelines/iam.tf b/codebase-pipelines/iam.tf
@@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 resource "aws_iam_role" "codebase_image_build" {
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each           = toset(var.requires_image_build ? [""] : [])
   name               = "${var.application}-${var.codebase}-codebase-pipeline-image-build"
   assume_role_policy = data.aws_iam_policy_document.assume_codebuild_role.json
   tags               = local.tags
@@ -22,16 +22,16 @@ data "aws_iam_policy_document" "assume_codebuild_role" {
 }
 
 resource "aws_iam_role_policy_attachment" "ssm_access" {
-  for_each       = toset(var.image_build ? [""] : [])
+  for_each   = toset(var.requires_image_build ? [""] : [])
   role       = aws_iam_role.codebase_image_build[""].name
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
 }
 
 resource "aws_iam_role_policy" "log_access_for_codebuild_images" {
-  for_each       = toset(var.image_build ? [""] : [])
-  name   = "log-access"
-  role   = aws_iam_role.codebase_image_build[""].name
-  policy = data.aws_iam_policy_document.log_access.json
+  for_each = toset(var.requires_image_build ? [""] : [])
+  name     = "log-access"
+  role     = aws_iam_role.codebase_image_build[""].name
+  policy   = data.aws_iam_policy_document.log_access.json
 }
 
 data "aws_iam_policy_document" "log_access" {
@@ -53,10 +53,10 @@ data "aws_iam_policy_document" "log_access" {
 }
 
 resource "aws_iam_role_policy" "ecr_access_for_codebuild_images" {
-  for_each       = toset(var.image_build ? [""] : [])
-  name   = "ecr-access"
-  role   = aws_iam_role.codebase_image_build[""].name
-  policy = data.aws_iam_policy_document.ecr_access_for_codebuild_images.json
+  for_each = toset(var.requires_image_build ? [""] : [])
+  name     = "ecr-access"
+  role     = aws_iam_role.codebase_image_build[""].name
+  policy   = data.aws_iam_policy_document.ecr_access_for_codebuild_images.json
 }
 
 data "aws_iam_policy_document" "ecr_access_for_codebuild_images" {
@@ -126,10 +126,10 @@ data "aws_iam_policy_document" "ecr_access_for_codebuild_images" {
 }
 
 resource "aws_iam_role_policy" "codestar_connection_access_for_codebuild_images" {
-  for_each       = toset(var.image_build ? [""] : [])
-  name   = "codestar-connection-policy"
-  role   = aws_iam_role.codebase_image_build[""].name
-  policy = data.aws_iam_policy_document.codestar_connection_access.json
+  for_each = toset(var.requires_image_build ? [""] : [])
+  name     = "codestar-connection-policy"
+  role     = aws_iam_role.codebase_image_build[""].name
+  policy   = data.aws_iam_policy_document.codestar_connection_access.json
 }
 
 data "aws_iam_policy_document" "codestar_connection_access" {

diff --git a/codebase-pipelines/tests/unit.tftest.hcl b/codebase-pipelines/tests/unit.tftest.hcl
@@ -294,16 +294,32 @@ run "test_codebuild_images" {
   }
 }
 
-run "test_codebuild_images_disabled" {
+run "test_codebuild_images_not_required" {
   command = plan
 
   variables {
-    image_build = false
+    requires_image_build = false
   }
-  # TODO testing when image_build is false, all of the image build stuff isn't created
+
   assert {
-    condition     = length(terraform_data.update_pipeline.triggers_replace) == 3
-    error_message = "Should be: 3"
+    condition     = length(aws_codebuild_project.codebase_image_build) == 0
+    error_message = "Should be: 0"
+  }
+  assert {
+    condition     = length(aws_iam_role.codebase_image_build) == 0
+    error_message = "Should be: 0"
+  }
+  assert {
+    condition     = length(aws_cloudwatch_log_group.codebase_image_build) == 0
+    error_message = "Should be: 0"
+  }
+  assert {
+    condition     = length(aws_cloudwatch_log_stream.codebase_image_build) == 0
+    error_message = "Should be: 0"
+  }
+  assert {
+    condition     = length(aws_codebuild_webhook.codebuild_webhook) == 0
+    error_message = "Should be: 0"
   }
 }
 

diff --git a/codebase-pipelines/variables.tf b/codebase-pipelines/variables.tf
@@ -38,7 +38,7 @@ variable "env_config" {
   type = any
 }
 
-variable "image_build" {
-  type = bool
+variable "requires_image_build" {
+  type    = bool
   default = true
 }
diff --git a/example/extensions.yml b/example/extensions.yml
diff --git a/example/main.tf b/example/main.tf
@@ -1,15 +1,16 @@
 locals {
+  config       = yamldecode(file("${path.module}/platform-config.yml"))
+  environments = local.config["environments"]
+  env_config   = { for name, config in local.environments : name => merge(lookup(local.environments, "*", {}), config) }
   args = {
-    application         = "my-application"
-    services            = yamldecode(file("${path.module}/extensions.yml"))
-    dns_account_id      = one([for env in yamldecode(file("${path.module}/pipelines.yml"))["environments"] : env if env["name"] == "my-environment"])["accounts"]["dns"]["id"]
-    pipeline_account_id = one([for env in yamldecode(file("${path.module}/pipelines.yml"))["environments"] : env if env["name"] == "default"])["accounts"]["deploy"]["id"]
+    application = "my-application"
+    services    = local.config["extensions"]
+    env_config  = local.env_config
   }
 }
 
 module "extensions-staging" {
   source      = "../extensions"
   args        = local.args
   environment = "my-environment"
-  vpc_name    = "my-vpc"
 }
diff --git a/example/pipelines.yml b/example/pipelines.yml
diff --git a/example/platform-config.yml b/example/platform-config.yml
@@ -0,0 +1,88 @@
+application: example
+
+environments:
+  "*":
+    accounts:
+      deploy:
+        name: "sandbox"
+        id: "000123456789"
+      dns:
+        name: "dev"
+        id: "000123456789"
+    vpc: my-vpc
+  my-environment:
+
+extensions:
+  dw-redis:
+    type: redis
+    environments:
+      "*":
+        engine: '6.2'
+        plan: small
+      prod:
+        plan: medium-ha
+
+  dw-postgres:
+    type: postgres
+    version: 14
+    environments:
+      "*":
+        multi_az: false
+        backup_retention_days: 3
+      prod:
+        deletion_protection: true
+
+  dw-opensearch:
+    type: opensearch
+    environments:
+      "*":
+        plan: small
+        engine: '1.3'
+        volume_size: 40
+      prod:
+        plan: large-ha
+        engine: '1.3'
+        volume_size: 100
+
+  dw-s3-bucket:
+    type: s3
+    services:
+      - "s3proxy"
+      - "beat"
+      - "web"
+      - "worker"
+    environments:
+      dev:
+        bucket_name: digital-workspace-v2-dev
+        data_migration:
+          import:
+            source_bucket_arn: "arn:aws:s3:::my-application-test"
+            source_kms_key_arn: "arn:aws:kms:eu-west-2:123456789:key/1234-1334-1234-1234"
+            worker_role_arn: "arn:aws:iam::987654321:role/service-role"
+        lifecycle_rules:
+          - filter_prefix: "logs/"
+            expiration_days: 1
+            enabled: true
+          - filter_prefix: "keep_me_longer/"
+            expiration_days: 100
+            enabled: true
+      hotfix:
+        bucket_name: digital-workspace-v2-hotfix
+      prod:
+        bucket_name: digital-workspace-v2-prod
+      staging:
+        bucket_name: xyz-test-acme-widgets-ltd
+        versioning: false
+      training:
+        bucket_name: digital-workspace-v2-training
+      my-environment:
+        bucket_name: digital-workspace-v2-my-environment
+    objects:
+      - key: healthcheck.txt
+        body: S3 Proxy is working.
+
+  monitoring:
+    type: monitoring
+    environments:
+      "*":
+        enable_ops_center: false