test: add unit test framework for Terraform (#1038)

## Description

This PR adds the possibility to add automated tests for the module. We
start simple with a `terraform test` command. The tests live at
`tests/`.

Tests are executed only if the base branch was created in the cattle-ops
repository. Terraform needs cloud access which is restricted to the
cattle-ops organization at the moment. The AWS account is sponsored by
Hapag-Lloyd.

## Migrations required

No

## Verification

No verification done as this PR adds tests only.

Author: kayman-mk

.cspell.json

@@ -46,6 +46,7 @@
     "tflint",
     "tftpl",
     "tfsec",
+    "tftest",
     "tftpl",
     "tfvars",
     "tmpfs",

.github/pull_request_template.md

@@ -2,10 +2,12 @@
 
 A few sentences describing the overall goals of the pull request's commits.
 
+Note: The whole PR is used as commit message.
+
 ## Migrations required
 
-YES | NO - If yes please describe the migration.
+Yes or No - If yes please describe the migration. For bigger changes please provide a migration script.
 
 ## Verification
 
-Please mention the examples you have verified.
+Please mention how you test the changes. Ideally add automated tests (see tests/ folder)

.github/workflows/ci.yml

@@ -12,6 +12,9 @@ permissions:
   contents: read
   pull-requests: write
 
+env:
+  TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache
+
 jobs:
   verify_module:
     name: Verify module
@@ -107,7 +110,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       # ignore: "tags not used", "access analyzer not used", "shield advanced not used"
-      - run: kics scan -p . -o . --exclude-queries e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10,e592a0c5-5bdb-414c-9066-5dba7cdea370,084c6686-2a70-4710-91b1-000393e54c12
+      - run: kics scan -p . -o . --config .kics.yml --exclude-queries e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10,e592a0c5-5bdb-414c-9066-5dba7cdea370,084c6686-2a70-4710-91b1-000393e54c12
 
   tflint:
     runs-on: ubuntu-latest
@@ -151,3 +154,30 @@ jobs:
         uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1
         with:
           github_token: ${{ github.token }}
+
+  tests:
+    name: Test
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        name: Cache plugin dir
+        with:
+          key: ${{ runner.os }}-terraform-plugin-cache
+          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          aws-region: eu-central-1
+          role-to-assume: ${{ secrets.TERRAFORM_ADMIN_ROLE_ARN }}
+          role-session-name: GitHubActions
+      - name: Setup Terraform CLI
+        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+        with:
+          terraform_version: "1.6.3"
+      - run: terraform init -get -backend=false -input=false
+      - run: terraform test

.gitignore

@@ -34,6 +34,9 @@ debug/
 !.release/package*
 !.release/*.lock
 
+# tests
+*.tfplan.json
+
 # VS Code
 .vscode/
 

.kics.yml

@@ -0,0 +1,2 @@
+exclude-paths:
+  - "tests/"