feat: Add Terratest framework for automated testing (#54)

* Initial plan for issue

* feat: implement terratest framework and basic tests

Co-authored-by: lgallard <[email protected]>

* fix: address PR feedback - move test badge down and switch to AWS credentials

Co-authored-by: lgallard <[email protected]>

* fix: explicitly use terraform binary instead of tofu in terratest

Co-authored-by: lgallard <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: lgallard <[email protected]>

Author: Copilot

.github/workflows/test.yml

@@ -0,0 +1,60 @@
+name: "Test"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: "Terratest"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.3.0
+          terraform_wrapper: false
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+          cache: true
+          cache-dependency-path: test/go.sum
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Run go tests
+        working-directory: ./test
+        run: |
+          go test -v -timeout 30m
+
+      - name: Generate test report
+        if: always()
+        working-directory: ./test
+        run: |
+          go install github.com/jstemmer/go-junit-report/v2@latest
+          go test -v 2>&1 | go-junit-report -set-exit-code > report.xml
+
+      - name: Upload test report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-report
+          path: ./test/report.xml

README.md

@@ -1,7 +1,10 @@
 ![Terraform](https://lgallardo.com/images/terraform.jpg)
 # terraform-aws-ecr
+
 Terraform module to create [AWS ECR](https://aws.amazon.com/ecr/) (Elastic Container Registry) which is a fully-managed Docker container registry.
 
+[![Test](https://github.com/lgallard/terraform-aws-ecr/actions/workflows/test.yml/badge.svg)](https://github.com/lgallard/terraform-aws-ecr/actions/workflows/test.yml)
+
 ## Architecture
 
 The terraform-aws-ecr module enables several common architectures for container image management.
@@ -316,6 +319,37 @@ module "ecr" {
 
 For detailed examples of all variables with explanations, see [docs/variable-examples.md](docs/variable-examples.md).
 
+## Testing
+
+This module uses [Terratest](https://github.com/gruntwork-io/terratest) for automated testing of the module functionality. The tests validate that the module can correctly:
+
+- Create an ECR repository with basic settings
+- Apply repository and lifecycle policies
+- Configure KMS encryption
+- Set up image tag mutability
+- Configure scan on push features
+
+### Running Tests Locally
+
+To run the tests locally, you'll need:
+
+1. [Go](https://golang.org/) 1.16+
+2. [Terraform](https://www.terraform.io/) 1.3.0+
+3. AWS credentials configured locally
+
+```bash
+# Clone the repository
+git clone https://github.com/lgallard/terraform-aws-ecr.git
+cd terraform-aws-ecr
+
+# Run the tests
+cd test
+go mod tidy
+go test -v
+```
+
+For more details on tests, see the [test directory README](test/README.md).
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 

test/README.md

@@ -0,0 +1,57 @@
+# Testing terraform-aws-ecr
+
+This directory contains automated tests for the terraform-aws-ecr module. The tests use [Terratest](https://github.com/gruntwork-io/terratest), a Go library that provides utilities for testing Terraform code.
+
+## Prerequisites
+
+1. [Go](https://golang.org/) (version 1.16 or later)
+2. [Terraform](https://www.terraform.io/) (version 1.3.0 or later)
+3. AWS credentials configured (via environment variables, shared credentials file, or AWS IAM role)
+
+## Running the Tests
+
+To run all tests:
+
+```bash
+cd test
+go test -v
+```
+
+To run a specific test:
+
+```bash
+cd test
+go test -v -run TestEcrBasicCreation
+```
+
+## Test Structure
+
+The test suite includes the following tests:
+
+1. **Basic Repository Test**: Tests the creation of a simple ECR repository with minimal configuration.
+   - Verifies repository creation
+   - Checks image tag mutability
+   - Validates repository URL and ARN
+
+2. **Complete Repository Test**: Tests the creation of a fully configured ECR repository.
+   - Verifies repository creation with all features
+   - Validates repository policies
+   - Checks lifecycle policies
+   - Tests KMS encryption
+
+## Test Fixtures
+
+The test fixtures are located in the `fixtures` directory:
+
+- `fixtures/basic`: A simple ECR repository configuration
+- `fixtures/complete`: A full-featured ECR repository configuration with policies and KMS encryption
+
+## AWS Resources
+
+These tests create real AWS resources, which might incur costs. The tests use the `force_delete = true` option to ensure that repositories can be cleaned up even if they contain images.
+
+All resources are tagged with `Test = "true"` for identification and are destroyed after the test completes. However, if a test fails, you may need to manually delete the resources.
+
+## CI/CD Integration
+
+These tests can be run in GitHub Actions using the workflow defined in `.github/workflows/test.yml`.

test/ecr_basic_test.go

@@ -0,0 +1,84 @@
+package test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestEcrBasicCreation tests the basic creation of an ECR repository
+func TestEcrBasicCreation(t *testing.T) {
+	t.Parallel()
+
+	// Generate a random repository name to prevent collisions
+	uniqueID := strings.ToLower(random.UniqueId())
+	repoName := fmt.Sprintf("terratest-ecr-basic-%s", uniqueID)
+
+	// Terraform options for this test
+	terraformOptions := &terraform.Options{
+		// Path to the Terraform code
+		TerraformDir: "./fixtures/basic",
+
+		// Variables to pass to Terraform
+		Vars: map[string]interface{}{
+			"name": repoName,
+		},
+
+		// Explicitly use terraform binary
+		TerraformBinary: "terraform",
+	}
+
+	// Clean up resources when the test is finished
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Run "terraform init" and "terraform apply"
+	terraform.InitAndApply(t, terraformOptions)
+
+	// Run `terraform output` to get the repository name and URL
+	outputRepoName := terraform.Output(t, terraformOptions, "repository_name")
+	outputRepoURL := terraform.Output(t, terraformOptions, "repository_url")
+	outputRepoARN := terraform.Output(t, terraformOptions, "repository_arn")
+
+	// Verify the repository was created with the correct name
+	assert.Equal(t, repoName, outputRepoName)
+
+	// Verify the repository URL format
+	assert.True(t, strings.Contains(outputRepoURL, repoName))
+	
+	// Verify the ARN was created and contains the expected repository name
+	assert.True(t, strings.Contains(outputRepoARN, repoName))
+
+	// Use AWS SDK to verify the repository actually exists in AWS
+	sess := session.Must(session.NewSession())
+	ecrClient := ecr.New(sess)
+
+	// Describe the repository
+	describeResult, err := ecrClient.DescribeRepositories(&ecr.DescribeRepositoriesInput{
+		RepositoryNames: []*string{aws.String(repoName)},
+	})
+
+	// Verify we can retrieve the repository
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(describeResult.Repositories))
+	assert.Equal(t, repoName, *describeResult.Repositories[0].RepositoryName)
+	
+	// Verify image tag mutability setting (should be IMMUTABLE according to our fixture)
+	assert.Equal(t, "IMMUTABLE", *describeResult.Repositories[0].ImageTagMutability)
+	
+	// Verify scan on push is enabled
+	describeImageScanResult, err := ecrClient.GetRepositoryPolicy(&ecr.GetRepositoryPolicyInput{
+		RepositoryName: aws.String(repoName),
+	})
+	
+	// The policy might not exist yet, so check if there was an error before asserting
+	if err == nil {
+		assert.NotNil(t, describeImageScanResult)
+	}
+}

test/ecr_complete_test.go

@@ -0,0 +1,94 @@
+package test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestEcrCompleteRepository tests the creation of an ECR repository with all features enabled
+func TestEcrCompleteRepository(t *testing.T) {
+	t.Parallel()
+
+	// Generate a random repository name to prevent collisions
+	uniqueID := strings.ToLower(random.UniqueId())
+	repoName := fmt.Sprintf("terratest-ecr-complete-%s", uniqueID)
+
+	// Terraform options for this test
+	terraformOptions := &terraform.Options{
+		// Path to the Terraform code
+		TerraformDir: "./fixtures/complete",
+
+		// Variables to pass to Terraform
+		Vars: map[string]interface{}{
+			"name": repoName,
+		},
+
+		// Explicitly use terraform binary
+		TerraformBinary: "terraform",
+	}
+
+	// Clean up resources when the test is finished
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Run "terraform init" and "terraform apply"
+	terraform.InitAndApply(t, terraformOptions)
+
+	// Run `terraform output` to get the repository name and URL
+	outputRepoName := terraform.Output(t, terraformOptions, "repository_name")
+	outputRepoURL := terraform.Output(t, terraformOptions, "repository_url")
+	outputRepoARN := terraform.Output(t, terraformOptions, "repository_arn")
+
+	// Verify the repository was created with the correct name
+	assert.Equal(t, repoName, outputRepoName)
+
+	// Verify the repository URL format
+	assert.True(t, strings.Contains(outputRepoURL, repoName))
+	
+	// Verify the ARN was created and contains the expected repository name
+	assert.True(t, strings.Contains(outputRepoARN, repoName))
+
+	// Use AWS SDK to verify the repository actually exists in AWS
+	sess := session.Must(session.NewSession())
+	ecrClient := ecr.New(sess)
+
+	// Describe the repository
+	describeResult, err := ecrClient.DescribeRepositories(&ecr.DescribeRepositoriesInput{
+		RepositoryNames: []*string{aws.String(repoName)},
+	})
+
+	// Verify we can retrieve the repository
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(describeResult.Repositories))
+	assert.Equal(t, repoName, *describeResult.Repositories[0].RepositoryName)
+	
+	// Verify image tag mutability setting (should be IMMUTABLE according to our fixture)
+	assert.Equal(t, "IMMUTABLE", *describeResult.Repositories[0].ImageTagMutability)
+	
+	// Verify repository policy exists
+	policyResult, err := ecrClient.GetRepositoryPolicy(&ecr.GetRepositoryPolicyInput{
+		RepositoryName: aws.String(repoName),
+	})
+	
+	// The policy should exist
+	assert.NoError(t, err)
+	assert.NotNil(t, policyResult.PolicyText)
+	assert.True(t, strings.Contains(*policyResult.PolicyText, "TestPolicy"))
+	
+	// Verify lifecycle policy exists
+	lifecyclePolicyResult, err := ecrClient.GetLifecyclePolicy(&ecr.GetLifecyclePolicyInput{
+		RepositoryName: aws.String(repoName),
+	})
+	
+	// The lifecycle policy should exist
+	assert.NoError(t, err)
+	assert.NotNil(t, lifecyclePolicyResult.LifecyclePolicyText)
+	assert.True(t, strings.Contains(*lifecyclePolicyResult.LifecyclePolicyText, "imageCountMoreThan"))
+}

test/fixtures/basic/main.tf

@@ -0,0 +1,18 @@
+provider "aws" {
+  region = var.region
+}
+
+module "ecr" {
+  source = "../../../"
+
+  name                 = var.name
+  scan_on_push         = true
+  image_tag_mutability = "IMMUTABLE"
+  force_delete         = true  # Set to true for tests to ensure clean teardown
+
+  tags = {
+    Environment = "test"
+    Terraform   = "true"
+    Test        = "true"
+  }
+}

test/fixtures/basic/outputs.tf

@@ -0,0 +1,14 @@
+output "repository_name" {
+  description = "The name of the ECR repository"
+  value       = module.ecr.repository_name
+}
+
+output "repository_url" {
+  description = "The URL of the ECR repository"
+  value       = module.ecr.repository_url
+}
+
+output "repository_arn" {
+  description = "The ARN of the ECR repository"
+  value       = module.ecr.repository_arn
+}