Add terraform-test action

.github/workflows/test-test.yaml

@@ -0,0 +1,70 @@
+name: Test terraform-test
+
+on:
+  - push
+
+jobs:
+  default:
+    runs-on: ubuntu-latest
+    name: Default inputs
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Check
+        uses: ./terraform-test
+        with:
+          path: tests/workflows/test-test/local
+
+  filter:
+    runs-on: ubuntu-latest
+    name: Default path with a filter
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Check
+        uses: ./terraform-test
+        with:
+          path: tests/workflows/test-test/local
+          filter: main.tftest.hcl
+
+  test_dir:
+    runs-on: ubuntu-latest
+    name: Custom test directory
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Check
+        uses: ./terraform-test
+        with:
+          path: tests/workflows/test-test/local
+          test_path: custom-test-dir
+          filter: |
+            another.tftest.hcl
+            a-third.tftest.hcl
+
+  failing:
+    runs-on: ubuntu-latest
+    name: A failing test using variables
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Check
+        uses: ./terraform-test
+        id: failing
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-test/local
+          filter: main.tftest.hcl
+          variables: |
+            length = 1
+
+      - name: Check failure-reason
+        run: |
+          if [[ "${{ steps.failing.outcome }}" != "failure" ]]; then
+            echo "Test did not fail correctly"
+            exit 1
+          fi

image/actions.sh

@@ -176,6 +176,26 @@ function init() {
     end_group
 }
 
+##
+# Initialize terraform for running tests
+#
+# This installs modules and providers for the module and all tests
+function init-test() {
+    start_group "Initializing $TOOL_PRODUCT_NAME"
+
+    rm -rf "$TF_DATA_DIR"
+
+    if [[ -n "$INPUT_TEST_PATH" ]]; then
+        debug_log $TOOL_COMMAND_NAME init -input=false -backend=false -test-directory "$INPUT_TEST_PATH"
+        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false -test-directory $INPUT_TEST_PATH)
+    else
+        debug_log $TOOL_COMMAND_NAME init -input=false -backend=false
+        (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME init -input=false -backend=false)
+    fi
+
+    end_group
+}
+
 function set-init-args() {
     INIT_ARGS=""
 
@@ -339,15 +359,7 @@ function set-common-plan-args() {
     fi
 }
 
-function set-plan-args() {
-    set-common-plan-args
-
-    if [[ -n "$INPUT_VAR" ]]; then
-        for var in $(echo "$INPUT_VAR" | tr ',' '\n'); do
-            PLAN_ARGS="$PLAN_ARGS -var $var"
-        done
-    fi
-
+function set-variable-args() {
     if [[ -n "$INPUT_VAR_FILE" ]]; then
         for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do
 
@@ -364,6 +376,18 @@ function set-plan-args() {
         echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars"
         PLAN_ARGS="$PLAN_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars"
     fi
+}
+
+function set-plan-args() {
+    set-common-plan-args
+
+    if [[ -n "$INPUT_VAR" ]]; then
+        for var in $(echo "$INPUT_VAR" | tr ',' '\n'); do
+            PLAN_ARGS="$PLAN_ARGS -var $var"
+        done
+    fi
+
+    set-variable-args
 
     export PLAN_ARGS
 }

image/entrypoints/test.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# shellcheck source=../actions.sh
+source /usr/local/actions.sh
+
+debug
+setup
+init-test
+
+function set-test-args() {
+    TEST_ARGS=""
+
+    if [[ -n "$INPUT_CLOUD_RUN" ]]; then
+        # I have no idea what this does, it is not well documented.
+        TEST_ARGS="$TEST_ARGS -cloud-run=$INPUT_CLOUD_RUN"
+    fi
+
+    if [[ -n "$INPUT_TEST_PATH" ]]; then
+        TEST_ARGS="$TEST_ARGS -test-directory=$(relative_to "$INPUT_PATH" "$INPUT_TEST_PATH")"
+    fi
+
+    if [[ -n "$INPUT_TEST_FILTER" ]]; then
+        for file in $(echo "$INPUT_TEST_FILTER" | tr ',' '\n'); do
+            TEST_ARGS="$TEST_ARGS -filter=$file"
+        done
+    fi
+}
+
+set-test-args
+
+PLAN_ARGS=""
+set-variable-args
+
+debug_log $TOOL_COMMAND_NAME test -input=false -no-color $TEST_ARGS '$PLAN_ARGS'  # don't expand PLAN_ARGS
+$TOOL_COMMAND_NAME test -input=false -no-color $TEST_ARGS $PLAN_ARGS

terraform-test/README.md

@@ -0,0 +1,194 @@
+# terraform-test action
+
+This is one of a suite of Terraform related actions - find them at [dflook/terraform-github-actions](https://github.com/dflook/terraform-github-actions).
+
+Execute automated tests on Terraform configuration
+
+## Inputs
+
+* `path`
+
+  Path to the Terraform module under test
+
+  - Type: string
+  - Optional
+  - Default: The action workspace
+
+* `test_path`
+
+  Path to the Terraform tests to run
+
+  - Type: string
+  - Optional
+  - Default: `tests` subdirectory of the module path
+
+* `test_filter`
+
+  The test files to run, one per line
+
+  - Type: string
+  - Optional
+  - Default: All test files in the `test_path`
+
+* `variables`
+
+  Variables to set for the tests. This should be valid Terraform syntax - like a [variable definition file](https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files).
+
+  ```yaml
+  with:
+    variables: |
+      image_id = "${{ secrets.AMI_ID }}"
+      availability_zone_names = [
+        "us-east-1a",
+        "us-west-1c",
+      ]
+  ```
+
+  Variables set here override any given in `var_file`s.
+
+  - Type: string
+  - Optional
+
+* `var_file`
+
+  List of tfvars files to use, one per line.
+  Paths should be relative to the GitHub Actions workspace
+
+  ```yaml
+  with:
+    var_file: |
+      common.tfvars
+      prod.tfvars
+  ```
+
+  - Type: string
+  - Optional
+
+## Environment Variables
+
+* `GITHUB_DOT_COM_TOKEN`
+
+  This is used to specify a token for GitHub.com when the action is running on a GitHub Enterprise instance.
+  This is only used for downloading OpenTofu binaries from GitHub.com.
+  If this is not set, an unauthenticated request will be made to GitHub.com to download the binary, which may be rate limited.
+
+  - Type: string
+  - Optional
+
+* `TERRAFORM_CLOUD_TOKENS`
+
+  API tokens for cloud hosts, of the form `<host>=<token>`. Multiple tokens may be specified, one per line.
+  These tokens may be used with the `remote` backend and for fetching required modules from the registry.
+
+  e.g:
+  ```yaml
+  env:
+    TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}
+  ```
+
+  With other registries:
+  ```yaml
+  env:
+    TERRAFORM_CLOUD_TOKENS: |
+      app.terraform.io=${{ secrets.TF_CLOUD_TOKEN }}
+      terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}
+  ```
+
+  - Type: string
+  - Optional
+
+* `TERRAFORM_SSH_KEY`
+
+  A SSH private key that Terraform will use to fetch git/mercurial module sources.
+
+  This should be in PEM format.
+
+  For example:
+  ```yaml
+  env:
+    TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}
+  ```
+
+  - Type: string
+  - Optional
+
+* `TERRAFORM_HTTP_CREDENTIALS`
+
+  Credentials that will be used for fetching modules sources with `git::http://`, `git::https://`, `http://` & `https://` schemes.
+
+  Credentials have the format `<host>=<username>:<password>`. Multiple credentials may be specified, one per line.
+
+  Each credential is evaluated in order, and the first matching credentials are used. 
+
+  Credentials that are used by git (`git::http://`, `git::https://`) allow a path after the hostname.
+  Paths are ignored by `http://` & `https://` schemes.
+  For git module sources, a credential matches if each mentioned path segment is an exact match.
+
+  For example:
+  ```yaml
+  env:
+    TERRAFORM_HTTP_CREDENTIALS: |
+      example.com=dflook:${{ secrets.HTTPS_PASSWORD }}
+      github.com/dflook/terraform-github-actions.git=dflook-actions:${{ secrets.ACTIONS_PAT }}
+      github.com/dflook=dflook:${{ secrets.DFLOOK_PAT }}
+      github.com=graham:${{ secrets.GITHUB_PAT }}  
+  ```
+
+  - Type: string
+  - Optional
+
+* `TERRAFORM_PRE_RUN`
+
+  A set of commands that will be ran prior to `terraform init`. This can be used to customise the environment before running Terraform. 
+
+  The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use.
+
+  The runtime image is currently based on `debian:bullseye`, with the command run using `bash -xeo pipefail`.
+
+  For example:
+  ```yaml
+  env:
+    TERRAFORM_PRE_RUN: |
+      # Install latest Azure CLI
+      curl -skL https://aka.ms/InstallAzureCLIDeb | bash
+      
+      # Install postgres client
+      apt-get install -y --no-install-recommends postgresql-client
+  ```
+
+  - Type: string
+  - Optional
+
+## Example usage
+
+```yaml
+name: "Unlock state"
+on:
+  workflow_dispatch:
+    inputs:
+      path:
+        description: "Path to the Terraform root module"
+        required: true
+      lock_id:
+        description: "Lock ID to be unlocked"
+        required: true
+
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+jobs:
+  unlock:
+    name: Unlock
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout current branch
+        uses: actions/checkout@v3
+
+      - name: Terraform Unlock
+        uses: dflook/terraform-unlock-state@v1
+        with:
+          path: ${{ github.event.inputs.path }}
+          lock_id: ${{ github.event.inputs.lock_id }}
+
+```

terraform-test/action.yaml

@@ -0,0 +1,32 @@
+name: terraform-test
+description: Execute automated tests on Terraform configuration
+author: Daniel Flook
+
+inputs:
+  path:
+    description: Path to the Terraform configuration under test
+    required: false
+    default: .
+  test_path:
+    description: Path to the Terraform tests
+    required: false
+    default: ""
+  test_filter:
+    description: Test files to run within the test_path
+    required: false
+    default: ""
+  variables:
+    description: Variable definitions
+    required: false
+  var_file:
+    description: List of var file paths, one per line
+    required: false
+
+runs:
+  using: docker
+  image: ../image/Dockerfile
+  entrypoint: /entrypoints/test.sh
+
+branding:
+  icon: globe
+  color: purple