An RSpec extension for verifying Terraform configurations, with support for:
- unit testing;
- integration testing;
- end-to-end testing; and
- change auditing.
Add this line to your application's Gemfile:
gem 'rspec-terraform'
And then execute:
$ bundle
Or install it yourself as:
$ gem install rspec-terraform
To use RSpec::Terraform, require it in your spec_helper.rb
file:
require 'rspec/terraform'
When required, RSpec::Terraform automatically configures itself against RSpec by:
- adding helper methods to interact with Terraform;
- adding matchers to verify Terraform plans; and
- adding settings to control RSpec::Terraform's behaviour.
The sections below provide further details on each of these additions.
RSpec::Terraform adds helper methods to the RSpec DSL for planning, applying, and destroying Terraform configurations, as well as accessing variables to and outputs from Terraform configurations.
Each helper method takes a hash of parameters used to identify the configuration against which to act and to provide as options to the Terraform command being executed. Additionally, RSpec::Terraform includes a flexible approach to resolving these parameters allowing them to be sourced from a variety of locations. See the Configuration Providers section for more details.
When executing helper methods, RSpec::Terraform provides two execution modes,
:in_place
and :isolated
. By default, RSpec::Terraform works against a
Terraform configuration in place, i.e., it executes commands against the
Terraform configuration directly, in the location specified. RSpec::Terraform
can also operate in an isolated manner, wherein it initialises the
configuration into an isolated directory before executing commands. See the
Execution Mode section for more details.
The plan
helper produces a Terraform plan for a configuration, reads it
into a Ruby representation and returns it.
plan
requires a :configuration_directory
parameter, representing the path
to the configuration to plan and is typically invoked in a before(:context)
hook, with the resulting plan stored for use in expectations:
before(:context) do
@plan = plan(
configuration_directory: 'path/to/configuration/directory'
)
end
If the configuration has input variables, a :vars
parameter can be provided
as a hash:
before(:context) do
@plan = plan(
configuration_directory: 'path/to/configuration/directory',
vars: {
region: 'uk',
zones: ['uk-a', 'uk-b'],
tags: {
name: 'important-thing',
role: 'persistence'
}
}
)
end
or within a block:
before(:context) do
@plan = plan(
configuration_directory: 'path/to/configuration/directory'
) do |vars|
vars.region = 'uk'
vars.zones = ['uk-a', 'uk-b']
vars.tags = {
name: 'important-thing',
role: 'persistence'
}
end
end
plan
accepts an optional :state_file
parameter with the path to where the
current state file for the configuration is located, useful when checking the
incremental change that applying the configuration would have after a previous
apply.
Internally, plan
:
- calls
terraform init
to initialise the configuration directory; - calls
terraform plan
to produce a plan file; - calls
terraform show
to read the contents of the plan file into a Ruby representation; and - deletes the plan file.
Any additional parameters passed to plan
are passed on to the underlying
Terraform invocations.
The benefit of isolated execution is that nothing is carried over between test runs and providers and modules are fetched into a clean configuration directory every time. The downside is additional test run time.
To install dependencies and run the build, run the pre-commit build:
./go
This runs all unit tests and other checks including coverage and code linting / formatting.
To run only the unit tests, including coverage:
./go test:unit
To attempt to fix any code linting / formatting issues:
./go library:fix
To check for code linting / formatting issues without fixing:
./go library:check
You can also run bin/console
for an interactive prompt that will allow you to
experiment.
To encrypt a GPG key for use by CircleCI:
openssl aes-256-cbc \
-e \
-md sha1 \
-in ./config/secrets/ci/gpg.private \
-out ./.circleci/gpg.private.enc \
-k "<passphrase>"
To check decryption is working correctly:
openssl aes-256-cbc \
-d \
-md sha1 \
-in ./.circleci/gpg.private.enc \
-k "<passphrase>"
Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/rspec-terraform. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The gem is available as open source under the terms of the MIT License.