Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow for plan-only testing flows #37

Closed
esword opened this issue Sep 15, 2016 · 13 comments
Closed

Allow for plan-only testing flows #37

esword opened this issue Sep 15, 2016 · 13 comments
Assignees
@ncs-alane

Comments

@esword
Copy link

esword commented Sep 15, 2016

My team is starting to write terraform modules that will be used by many other groups. I have been looking for a way to rapidly test them and discovered this project. Many thanks for putting it together!

One idea we had is that you can do a lot of "unit like" testing of modules just by executing "terraform plan" and checking the resulting contents. This approach assumes that terraform will produce what it says in the plan, so it is not complete end-to-end testing, but it is very useful for rapid, first-pass testing of changes. Sort of like using mocks in unit tests before going on to full integration testing.

My thought was to add a "planOnly" prop to the driver or provisioner. When executing converge, it would only create the plan (and destroy would also short circuit). Then make the plan available as some data structure in the tests so that it can be easily traversed and queried. e.g. Does an aws_instance have the proper tags and values? Is it the right instance type? Does it have the right security roles?

I'm willing to make a first pass at this if you think it's a good idea.
@ncs-alane ncs-alane self-assigned this Sep 15, 2016
@ncs-alane
Copy link
Contributor

ncs-alane commented Sep 15, 2016
edited
Loading

Hi @esword!

I'm happy that the project is helping you and your team have a better experience working with Terraform!

I have actually experimented with writing a framework just like you're describing. While I think it has merrit, I also think it would be better suited to be packaged as a separate RSpec plugin. It would be a good excuse to break the Terraform client related logic in to a third gem that both projects could depend on.

Additionally, I will be implementing support for interface testing soon, which will theoretically enable the testing of all resources in a given Terraform configuration, assuming they are exposed by the provider and testable with Inspec.

@esword
Copy link
Author

esword commented Sep 16, 2016

As I was writing my original issue, I was thinking close to the same thing about separating it. Since there isn't really a need for full lifecycle management (i.e. destroy), it would be a bit of a hack to add in the "planOnly" option. Plus, with the plan-related checks, you don't need to ensure ssh access either since you won't be connecting to machines directly. This is actually a big hassle for us since there isn't direct ssh access to our AWS machines from the machine which makes the terraform calls.

It will be interesting to see what you come up with. We will experiment with some stuff over the next few days as well. If it's not directly tied to kitchen, it may make more sense to use some TF code directly and do the framework in go.

@ncs-alane
Copy link
Contributor

The last time I looked, Inspec did not support the use of bastion hosts for SSH forwarding, but if they have implemented that then I'll explore supporting it because your scenario is certainly not unique. One work around is to create a fixture project that uses the project under test as a module; you could add an extra test security group that allows direct SSH access to instances without complicating your production code.

Writing in Go certainly makes sense given that any Ruby gem is just going to be shelling out to the Terraform client, unless there is some Ruby Go bridge gem...

@dtolnay dtolnay mentioned this issue Sep 23, 2016
Closed
@nictrix
Copy link
Member

nictrix commented Sep 25, 2016

Looks like it will be a supported feature in the near future: inspec/inspec#431

@ncs-alane
Copy link
Contributor

@nictrix that doesn't seem related

@ncs-alane
Copy link
Contributor

Closed because unit testing is not a responsibility of Test Kitchen.

@esword
Copy link
Author

esword commented Sep 27, 2016

Just as a final piece for anyone else looking in the future - we built a tiny go utility that reads a plan file and outputs JSON. This TF issue is an example of a very verbose format, though we condensed it down to a more readable/fluent set of json objects. We are now to writing rspec tests against that. E.g.

RSpec.describe "Json parse" do
  let(:tf) {JSON.parse(contents)}

  it "host2 module uses proper ami" do
    expect(tf["host_2"]["aws_instance.instance"]["ami"]).to eq("ami-13be557e")
  end
end

@jamtur01
Copy link

@esword Is the Go utility available somewhere? Thanks!

@esword
Copy link
Author

esword commented Oct 21, 2016

It's a very, very simple tool. I'll check if we can move it to our open source repo. If not, we can hopefully at least just paste in the primary code.

@esword
Copy link
Author

esword commented Oct 28, 2016

@jamtur01 - we are releasing the tool. Just have to get one more sign off. Again, it's pretty underwhelming in what it does, but is handy if you haven't already written something to transform to json. I'll post when it goes up.

@jamtur01
Copy link

Thanks!

@esword
Copy link
Author

esword commented Nov 2, 2016

@jamtur01 - it only took 3 weeks, but finally got the tfjson moved to our OSS org - https://github.com/palantir/tfjson.

@jamtur01
Copy link

jamtur01 commented Nov 3, 2016

Neat! Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ncs-alane ncs-alane

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jamtur01 @nictrix @esword @ncs-alane