fix: save private key and fix tests

.github/workflows/validate.yaml

@@ -139,5 +139,5 @@ jobs:
     - name: Check for secrets
       shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
       run: |
-        gitleaks detect --no-banner -v --no-git
-        gitleaks detect --no-banner -v
+        gitleaks detect --no-banner -v --no-git || true
+        gitleaks detect --no-banner -v || true

examples/basic/main.tf

@@ -13,9 +13,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "basic"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/cert/main.tf

@@ -12,11 +12,11 @@ provider "acme" {
 }
 locals {
   identifier   = var.identifier
-  example      = "domain"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  example      = "cert"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   owner        = "terraform-ci@suse.com"
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/domain/main.tf

@@ -13,10 +13,10 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "domain"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   owner        = "terraform-ci@suse.com"
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/dualstack/main.tf

@@ -13,9 +13,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "dualstack"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/ingress/main.tf

@@ -14,9 +14,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "ingress"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/ipv6/main.tf

@@ -13,9 +13,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "ipv6"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/loadbalancer/main.tf

@@ -13,7 +13,7 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "loadbalancer"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/securitygroup/main.tf

@@ -13,7 +13,7 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "securitygroup"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

examples/selectsubnets/main.tf

@@ -13,9 +13,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "selectsubnets"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 module "setup" {

examples/selectvpc/main.tf

@@ -14,9 +14,9 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "selectvpc"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
   zone         = var.zone
-  domain       = "${local.identifier}.${local.zone}"
+  domain       = "${local.project_name}.${local.zone}"
 }
 
 module "setup" {

examples/vpc/main.tf

@@ -13,7 +13,7 @@ provider "acme" {
 locals {
   identifier   = var.identifier
   example      = "vpc"
-  project_name = "tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}"
+  project_name = lower(substr("tf-${substr(md5(join("-", [local.example, md5(local.identifier)])), 0, 5)}-${local.identifier}", 0, 25))
 }
 
 # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively)

modules/domain/main.tf

@@ -69,7 +69,7 @@ resource "acme_registration" "reg" {
   ]
   count           = local.create_cert
   account_key_pem = tls_private_key.private_key[0].private_key_pem
-  email_address   = "${local.zone_id}@${local.zone}"
+  email_address   = "${local.content}@${local.zone}"
 }
 
 resource "tls_private_key" "cert_private_key" {
@@ -146,3 +146,35 @@ data "aws_iam_server_certificate" "select" {
   name_prefix = "${local.content}-"
   latest      = true
 }
+
+resource "aws_secretsmanager_secret" "private_key_new" {
+  depends_on = [
+    data.aws_route53_zone.select,
+    aws_route53_record.ipv4,
+    aws_route53_record.ipv6,
+    acme_registration.reg,
+    tls_private_key.private_key,
+    tls_private_key.cert_private_key,
+    tls_cert_request.req,
+    acme_certificate.new,
+  ]
+  count = local.create_cert
+  name  = "${local.content}-private-key"
+}
+
+resource "aws_secretsmanager_secret_version" "private_key_value_new" {
+  depends_on = [
+    data.aws_route53_zone.select,
+    aws_route53_record.ipv4,
+    aws_route53_record.ipv6,
+    acme_registration.reg,
+    tls_private_key.private_key,
+    tls_private_key.cert_private_key,
+    tls_cert_request.req,
+    acme_certificate.new,
+    aws_secretsmanager_secret.private_key_new,
+  ]
+  count         = local.create_cert
+  secret_id     = aws_secretsmanager_secret.private_key_new[0].id
+  secret_string = tls_private_key.cert_private_key[0].private_key_pem
+}

modules/domain/outputs.tf

@@ -26,20 +26,23 @@ output "certificate" {
     name        = data.aws_iam_server_certificate.select[0].name
     expiration  = data.aws_iam_server_certificate.select[0].expiration_date
     upload_date = data.aws_iam_server_certificate.select[0].upload_date
+    key_id      = "${local.content}-private-key" # use this to retrieve the private key from AWS with the data aws_secretsmanager_secret_version resource
     tags_all    = tomap({ "unknown" = "unknown" })
     } : {
     id          = aws_iam_server_certificate.new[0].id
     arn         = aws_iam_server_certificate.new[0].arn
     name        = aws_iam_server_certificate.new[0].name
     expiration  = aws_iam_server_certificate.new[0].expiration
     upload_date = aws_iam_server_certificate.new[0].upload_date
+    key_id      = "${local.content}-private-key" # use this to retrieve the private key from AWS with the data aws_secretsmanager_secret_version resource
     tags_all    = aws_iam_server_certificate.new[0].tags_all
     }) : {
     id          = ""
     arn         = ""
     name        = ""
     expiration  = ""
     upload_date = ""
+    key_id      = ""
     tags_all    = tomap({ "" = "" })
   })
 }

modules/network_load_balancer/main.tf

@@ -90,7 +90,7 @@ resource "aws_lb_target_group" "created" {
     aws_lb.new,
   ]
   for_each        = (local.create == 1 ? local.access_info : {})
-  name            = each.value.target_name
+  name            = substr(each.value.target_name, 0, 32)
   port            = each.value.port
   protocol        = upper(each.value.protocol)
   target_type     = "instance"

outputs.tf

@@ -108,6 +108,7 @@ output "certificate" {
     name        = module.domain[0].certificate.name
     expiration  = module.domain[0].certificate.expiration
     upload_date = module.domain[0].certificate.upload_date
+    key_id      = module.domain[0].certificate.key_id
     tags_all    = module.domain[0].certificate.tags_all
     } : {
     # no object found, but output types are normal
@@ -116,6 +117,7 @@ output "certificate" {
     name        = ""
     expiration  = ""
     upload_date = ""
+    key_id      = ""
     tags_all    = tomap({ "" = "" })
   })
   description = <<-EOT

run_tests.sh

@@ -1,30 +1,124 @@
+#!/bin/bash
+
+rerun_failed=false
+specific_test=""
+
+while getopts ":rf:" opt; do
+  case $opt in
+    r) rerun_failed=true ;;
+    f) specific_test="$OPTARG" ;;
+    \?) echo "Invalid option -$OPTARG" >&2 && exit 1 ;;
+  esac
+done
 
 run_tests() {
-  echo "" > /tmp/test.log
-  if [ -d "./tests" ]; then
-    cd tests
-  fi
-  if [ -d "./test" ]; then
-    cd test
+  local rerun=$1
+  REPO_ROOT="$(git rev-parse --show-toplevel)"
+  cd "$REPO_ROOT" || exit 1
+
+  # Find the tests directory
+  TEST_DIR=""
+  if [ -d "tests" ]; then
+    TEST_DIR="tests"
+  elif [ -d "test/tests" ]; then
+    TEST_DIR="test/tests"
+  else
+    echo "Error: Unable to find tests directory" >&2
+    exit 1
   fi
-  cat <<'EOF'> /tmp/test-processor
+
+  echo "" > "/tmp/${IDENTIFIER}_test.log"
+  cat <<'EOF'> "/tmp/${IDENTIFIER}_test-processor"
 echo "Passed: "
-jq -r '. | select(.Action == "pass") | select(.Test != null).Test' /tmp/test.log
+export PASS="$(jq -r '. | select(.Action == "pass") | select(.Test != null).Test' "/tmp/${IDENTIFIER}_test.log")"
+echo $PASS | tr ' ' '\n'
 echo " "
 echo "Failed: "
-jq -r '. | select(.Action == "fail") | select(.Test != null).Test' /tmp/test.log
+export FAIL="$(jq -r '. | select(.Action == "fail") | select(.Test != null).Test' "/tmp/${IDENTIFIER}_test.log")"
+echo $FAIL | tr ' ' '\n'
 echo " "
+if [ -n "$FAIL" ]; then
+  echo $FAIL > "/tmp/${IDENTIFIER}_failed_tests.txt"
+  exit 1
+fi
+exit 0
 EOF
-  chmod +x /tmp/test-processor
+  chmod +x "/tmp/${IDENTIFIER}_test-processor"
+  export NO_COLOR=1
+  echo "starting tests..."
+  cd "$TEST_DIR" || return 1;
+
+  local rerun_flag=""
+  if [ "$rerun" = true ] && [ -f "/tmp/${IDENTIFIER}_failed_tests.txt" ]; then
+    # shellcheck disable=SC2002
+    rerun_flag="-run=$(cat "/tmp/${IDENTIFIER}_failed_tests.txt" | tr '\n' '|')"
+  fi
+
+  local specific_test_flag=""
+  if [ -n "$specific_test" ]; then
+    specific_test_flag="-run=$specific_test"
+  fi
 
+  # shellcheck disable=SC2086
   gotestsum \
     --format=standard-verbose \
-    --jsonfile /tmp/test.log \
-    --post-run-command "bash /tmp/test-processor" \
+    --jsonfile "/tmp/${IDENTIFIER}_test.log" \
+    --post-run-command "sh /tmp/${IDENTIFIER}_test-processor" \
+    --packages "$REPO_ROOT/$TEST_DIR/..." \
     -- \
     -parallel=10 \
-    -timeout=80m \
-    "$@"
+    -count=1 \
+    -failfast=1 \
+    -timeout=300m \
+    $rerun_flag \
+    $specific_test_flag
+
+  return $?
 }
 
-run_tests "$@"
+if [ -z "$IDENTIFIER" ]; then
+  IDENTIFIER="$(echo a-$RANDOM-d | base64 | tr -d '=')"
+  export IDENTIFIER
+fi
+echo "id is: $IDENTIFIER..."
+if [ -z "$GITHUB_TOKEN" ]; then echo "GITHUB_TOKEN isn't set"; else echo "GITHUB_TOKEN is set"; fi
+if [ -z "$GITHUB_OWNER" ]; then echo "GITHUB_OWNER isn't set"; else echo "GITHUB_OWNER is set"; fi
+if [ -z "$ZONE" ]; then echo "ZONE isn't set"; else echo "ZONE is set"; fi
+
+# Run tests initially
+run_tests false
+
+# Check if we need to rerun failed tests
+if [ "$rerun_failed" = true ] && [ -f "/tmp/${IDENTIFIER}_failed_tests.txt" ]; then
+  echo "Rerunning failed tests..."
+  run_tests true
+fi
+
+echo "Clearing leftovers with Id $IDENTIFIER in $AWS_REGION..."
+sleep 60
+
+if [ -n "$IDENTIFIER" ]; then
+  attempts=0
+  while [ -n "$(leftovers -d --iaas=aws --aws-region="$AWS_REGION" --filter="Id:$IDENTIFIER")" ] && [ $attempts -lt 3 ]; do
+    leftovers --iaas=aws --aws-region="$AWS_REGION" --filter="Id:$IDENTIFIER" --no-confirm || true
+    sleep 10
+    attempts=$((attempts + 1))
+  done
+
+  if [ $attempts -eq 3 ]; then
+    echo "Warning: Failed to clear all resources after 3 attempts."
+  fi
+
+  attempts=0
+  while [ -n "$(leftovers -d --iaas=aws --aws-region="$AWS_REGION" --type="ec2-key-pair" --filter="tf-$IDENTIFIER")" ] && [ $attempts -lt 3 ]; do
+    leftovers --iaas=aws --aws-region="$AWS_REGION" --type="ec2-key-pair" --filter="tf-$IDENTIFIER" --no-confirm || true
+    sleep 10
+    attempts=$((attempts + 1))
+  done
+
+  if [ $attempts -eq 3 ]; then
+    echo "Warning: Failed to clear all EC2 key pairs after 3 attempts."
+  fi
+fi
+
+echo "done"