丁久
Posted on • Originally published at dingjiu1989-hue.github.io

Infrastructure Testing with Terratest and Other Tools

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Introduction

Infrastructure as Code (IaC) brings software engineering practices to infrastructure management, but testing remains an afterthought in many teams. Without proper testing, misconfigured infrastructure causes outages, security vulnerabilities, and costly re-provisioning. This guide covers practical approaches to testing Terraform configurations, cloud resources, and compliance policies using tools like Terratest, OPA, and tflint.

Unit Testing Terraform with Terratest

Terratest is a Go library for writing automated tests against infrastructure. For unit-level tests, validate Terraform outputs and resource configurations:

    package test

    import (
        "strings"
        "testing"

        "github.com/gruntwork-io/terratest/modules/terraform"
        "github.com/stretchr/testify/assert"
    )

    func TestVPCModule(t *testing.T) {
        t.Parallel()

        terraformOptions := &terraform.Options{
            TerraformDir: "../examples/vpc",
            // Use mock variables for unit testing
            Vars: map[string]interface{}{
                "region":             "us-east-1",
                "vpc_cidr":           "10.0.0.0/16",
                "enable_nat_gateway": false,
                "environment":        "test",
            },
        }

        // Destroy the resources at the end of the test, even if an assertion fails
        defer terraform.Destroy(t, terraformOptions)
        terraform.InitAndApply(t, terraformOptions)

        vpcID := terraform.Output(t, terraformOptions, "vpc_id")
        assert.NotEmpty(t, vpcID, "VPC ID should not be empty")
        assert.True(t, strings.HasPrefix(vpcID, "vpc-"), "VPC ID should start with vpc-")

        subnetIDs := terraform.OutputList(t, terraformOptions, "public_subnet_ids")
        assert.Len(t, subnetIDs, 3, "Should have 3 public subnets")
    }

Integration Testing Cloud Resources

Integration tests validate that real cloud resources are configured correctly:

    package test

    import (
        "testing"

        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/session"
        "github.com/aws/aws-sdk-go/service/ec2"
        "github.com/gruntwork-io/terratest/modules/terraform"
        "github.com/stretchr/testify/assert"
    )

    func TestSecurityGroupCompliance(t *testing.T) {
        t.Parallel()

        terraformOptions := &terraform.Options{
            TerraformDir: "../examples/web-app",
        }

        defer terraform.Destroy(t, terraformOptions)
        terraform.InitAndApply(t, terraformOptions)

        sgID := terraform.Output(t, terraformOptions, "web_sg_id")

        // Create EC2 client
        ec2Client := ec2.New(session.Must(session.NewSession()), &aws.Config{
            Region: aws.String("us-east-1"),
        })

        // Describe security group rules
        result, err := ec2Client.DescribeSecurityGroupRules(&ec2.DescribeSecurityGroupRulesInput{
            Filters: []*ec2.Filter{
                {
                    Name:   aws.String("group-id"),
                    Values: []*string{aws.String(sgID)},
                },
            },
        })
        assert.NoError(t, err)

        // Verify no public ingress from 0.0.0.0/0 on port 22
        for _, rule := range result.SecurityGroupRules {
            // Egress rules are not ingress exposure
            if aws.BoolValue(rule.IsEgress) {
                continue
            }
            // CidrIpv4 and FromPort may be nil, so read them with the nil-safe helpers
            if aws.StringValue(rule.CidrIpv4) == "0.0.0.0/0" && aws.Int64Value(rule.FromPort) == 22 {
                t.Error("Found SSH open to the world - security violation!")
            }
        }
    }
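The loop above flags only an IPv4 rule whose FromPort is exactly 22. As an added example (not code from the original article), the stand-alone check below also treats port ranges, all-protocol rules and `::/0` as exposure; the `Rule` type is a local stand-in for the SDK's rule struct, and the sample rules are constructed.

```go
package main

import "fmt"

// Rule is a local stand-in for the ec2.SecurityGroupRule fields used here;
// nil pointers model fields the API leaves unset.
type Rule struct {
	IsEgress           bool
	IpProtocol         string // "tcp", "udp", or "-1" for all protocols
	FromPort, ToPort   *int64
	CidrIpv4, CidrIpv6 *string
}

// exposesPort reports whether r lets any address reach TCP port p.
func exposesPort(r Rule, p int64) bool {
	world := (r.CidrIpv4 != nil && *r.CidrIpv4 == "0.0.0.0/0") ||
		(r.CidrIpv6 != nil && *r.CidrIpv6 == "::/0")
	if r.IsEgress || !world {
		return false
	}
	if r.IpProtocol == "-1" { // all protocols: every port is reachable
		return true
	}
	if r.IpProtocol != "tcp" || r.FromPort == nil || r.ToPort == nil {
		return false
	}
	return *r.FromPort <= p && p <= *r.ToPort
}

func i(v int64) *int64   { return &v }
func s(v string) *string { return &v }

// sampleRules is constructed data, not output from a real account.
func sampleRules() []Rule {
	return []Rule{
		{IpProtocol: "tcp", FromPort: i(22), ToPort: i(22), CidrIpv4: s("10.0.0.0/8")}, // internal only
		{IpProtocol: "tcp", FromPort: i(0), ToPort: i(1024), CidrIpv4: s("0.0.0.0/0")}, // range covers 22
		{IpProtocol: "tcp", FromPort: i(22), ToPort: i(22), CidrIpv6: s("::/0")},       // IPv6 world
		{IpProtocol: "-1", CidrIpv4: s("0.0.0.0/0")},                                   // all traffic
		{IsEgress: true, IpProtocol: "tcp", FromPort: i(22), ToPort: i(22), CidrIpv4: s("0.0.0.0/0")},
		{IpProtocol: "tcp", FromPort: i(443), ToPort: i(443), CidrIpv4: s("0.0.0.0/0")}, // HTTPS only
	}
}

func main() {
	for idx, r := range sampleRules() {
		fmt.Println(idx, exposesPort(r, 22))
	}
}
```

Only the rules at indexes 1, 2 and 3 are reported as exposing port 22.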

Compliance Testing with OPA and Sentinel

Open Policy Agent (OPA) enforces policies at plan time:

    # policies/terraform/restrict_public_s3.rego
    package terraform

