The Secure Cloud Baseline uses Terraform’s native test framework with a mocked AWS provider. Tests run without AWS credentials or a remote backend, so you can validate configuration and wiring locally or in CI.
Run `make test`. This runs `terraform init -backend=false` and then `terraform test`. No `.env` or `backend.hcl` is required. After tests, run `make init` again if you need the remote backend for plan/apply.
Tests live in tests/*.tftest.hcl. Each file uses mock_provider "aws" {} so all AWS resources and data sources are satisfied by the mock; no real API calls are made. Each run block runs a plan with a specific set of variables and asserts that the plan succeeds and that a known root output is present (e.g. output.cloudwatch_log_group_name == "scb-cloudtrail"). That confirms the root module and its modules are wired correctly for that scenario.
| Run | Variables | What’s exercised | Why it matters |
|---|---|---|---|
| plan_defaults | Required only: project_name, aws_region, owner, admin_email. All optional vars at default. | Logging (always on), IAM (always on), Guardrails (GuardDuty on, Config off, Budgets on). | Ensures the minimal default path works: logging, IAM, and guardrails. This is the default and lowest-cost configuration. |
| plan_with_extra_tags | Same as above plus extra_tags = { Team = "platform" }. | Same modules; tags are merged at root and passed into all modules. | Ensures extra_tags are accepted and do not break plan; validates the tagging path. |
Modules covered: Logging, IAM, Guardrails (GuardDuty + Budgets, no Config).
| Run | Variables | What’s exercised | Why it matters |
|---|---|---|---|
| plan_guardduty_only | needs_guardduty = true, needs_config = false. | Guardrails: GuardDuty detector and Budgets only; no AWS Config. | Confirms the default guardrails path (GuardDuty + Budgets, no Config) plans successfully. |
| plan_with_config | needs_guardduty = true, needs_config = true. | Guardrails: GuardDuty, Budgets, and AWS Config (recorder, delivery channel, S3 bucket, config rules). | Confirms the optional Config path (cost driver) plans correctly and does not conflict with GuardDuty or Budgets. |
Modules covered: Guardrails only (in addition to Logging and IAM, which are always present). These runs explicitly validate GuardDuty-on and Config-on/off combinations.
- No real AWS or secrets: The mock provider means tests are safe to run in any environment (laptop, CI) without credentials or a backend. They validate configuration and module wiring, not live infrastructure.
- Regression safety: Changing root variables, module inputs, or outputs can easily break plan for certain scenarios. The suite catches those breakages before apply.
- Documented behavior: The test files and this doc describe the main variable combinations we support (defaults, GuardDuty only, GuardDuty + Config). New contributors can see what “works” by default.
- CI-ready: A single command (`make test`) runs the full suite; CI can run it on every commit or PR.
All runs use command = plan. During plan, only config-set values are known; computed values (e.g. ARNs, IDs) are unknown until apply. So every run asserts on a value that is known at plan time: output.cloudwatch_log_group_name == "scb-cloudtrail". The logging module sets that name in configuration, so it is always available. That assertion:
- Ensures the plan completes without error.
- Confirms the root module exposes the logging output (i.e. the logging module is wired and considered by the plan).
Stronger assertions (e.g. on resource counts or computed outputs) would require command = apply in the run block; the current suite prioritizes fast, credential-free plan-time checks.
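As an added illustration (not the project’s own test file), the guardrails scenarios above expressed in the `.tftest.hcl` shape described in this doc. The run names, variable names and the `output.cloudwatch_log_group_name` assertion come from this page; the values given to the four required variables are constructed placeholders.

```hcl
# Illustrative tests/guardrails.tftest.hcl; structure follows the doc above.

# Every AWS resource and data source is satisfied by the mock, so no
# credentials, backend or real API calls are involved.
mock_provider "aws" {}

# File-level inputs shared by all runs. Required variables take
# constructed placeholder values; optional variables keep their defaults.
variables {
  project_name = "scb-example"       # constructed value
  aws_region   = "us-east-1"         # constructed value
  owner        = "platform-team"     # constructed value
  admin_email  = "admin@example.com" # constructed value
}

run "plan_guardduty_only" {
  command = plan # plan only: no apply, no computed values needed

  # Run-level variables override the file-level block for this scenario.
  variables {
    needs_guardduty = true
    needs_config    = false
  }

  # The log group name is set in configuration by the logging module, so it
  # is known at plan time; ARNs or IDs would be unknown here and cannot be
  # asserted on without command = apply.
  assert {
    condition     = output.cloudwatch_log_group_name == "scb-cloudtrail"
    error_message = "GuardDuty-only path failed to plan or lost the logging output"
  }
}

run "plan_with_config" {
  command = plan

  variables {
    needs_guardduty = true
    needs_config    = true # enables recorder, delivery channel, bucket, rules
  }

  # Same plan-time assertion: a successful plan plus the wired logging output
  # is what confirms Config does not conflict with GuardDuty or Budgets.
  assert {
    condition     = output.cloudwatch_log_group_name == "scb-cloudtrail"
    error_message = "Config-on path failed to plan or lost the logging output"
  }
}
```

Each run block plans independently with the mock provider, so a change that breaks one scenario (for example, a renamed module input on the Config path) fails that run by name in the `terraform test` output.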
| Module | Test file(s) | Scenarios |
|---|---|---|
| Logging | All | Always on; asserted via cloudwatch_log_group_name. |
| IAM | All | Always on; validated indirectly via successful plan. |
| Guardrails | guardrails.tftest.hcl, defaults.tftest.hcl | GuardDuty only; GuardDuty + Config; defaults (GuardDuty + Budgets, no Config). |