Cloud Expert

Terraform Testing — Validace infrastruktury¶

TerraformTestingOPAPolicy-as-Code 5 min read

Native terraform test, Terratest, OPA policy-as-code a plan validation.

Native Tests¶

# tests/vpc.tftest.hcl (TF 1.6+)
run "correct_cidr" {
  command = plan
  assert {
    condition     = aws_vpc.main.cidr_block == "10.0.0.0/16"
    error_message = "VPC CIDR must be 10.0.0.0/16"
  }
}

Terratest¶

func TestVpcModule(t *testing.T) {
    opts := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
        TerraformDir: "../modules/vpc",
    })
    defer terraform.Destroy(t, opts)
    terraform.InitAndApply(t, opts)
    vpcId := terraform.Output(t, opts, "vpc_id")
    assert.NotEmpty(t, vpcId)
}

OPA Policy¶

package terraform.analysis
deny[msg] {
    r := input.resource_changes[_]
    r.type == "aws_s3_bucket"
    not r.change.after.server_side_encryption_configuration
    msg := sprintf("S3 %s must have encryption", [r.address])
}

Summary¶

Native tests pro unit, Terratest pro integration, OPA/Sentinel pro governance.

Need Help with Implementation?¶

Our team has experience designing and implementing modern architectures. We’re happy to help.

Free Consultation