
How to enforce Resource2 is created when I have Resource1 defined? #292

Closed
vrbcntrl opened this issue Jun 9, 2020 · 11 comments

@vrbcntrl
Contributor

vrbcntrl commented Jun 9, 2020

**Question:**
How to check if Resource2 is also defined when Resource1 is defined?

I have a use case where I need to check that VPC Flow Logs are enabled when a VPC is created.

main.tf:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_flow_log" "example" {
  log_destination      = aws_s3_bucket.example.arn
  log_destination_type = "s3"
  traffic_type         = "ALL"
  vpc_id               = aws_vpc.main.id
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

so, I need my test be something like this

Given I have aws_vpc defined
Then aws_flow_log must be defined
And it must contain aws_vpc 

Currently we don't have a step definition for step 2 mentioned above.

I wrote the below Scenario:

Given I have aws_vpc defined
Given I have aws_flow_log defined
Then it must contain aws_vpc

The above test worked fine when I had both aws_vpc and aws_flow_log resources defined. However, when I don't have the aws_flow_log resource defined, step 2 is SKIPPED, whereas ideally I would want step 2 to FAIL when the aws_flow_log resource is not defined (because in my case it's mandatory for aws_vpc to have aws_flow_log enabled).

Any ideas on how to finish my test described above? thanks in advance!

@Kudbettin
Member

I glossed over the documentation, and couldn't find a way to do that.

I believe you are looking for something like

Given I have aws_vpc
Given I have aws_flow_log not defined
Then it must fail

Since When directives only work within a "given" resource.

Maybe those tests could be supported if we had one of the two:

  • Given I have resource not defined
  • @noskip tag that fails the scenario if it tries to skip

@eerkunt any thoughts?

@eerkunt
Member

eerkunt commented Jun 10, 2020

I think with the use of

Given I have any resource defined

followed by a filtering step like:

When its type is <resource_type>

and use of @precondition might solve this case.

E.g. (haven't tried):

Scenario: VPC is there
  Given I have any resource defined
  When its type is not aws_vpc
  Then it must fail

@precondition(filename.feature: VPC is there)
Scenario: VPC Flow Logs are defined
  Given I have any resource defined
  When its type is not aws_vpc_flow_log
  Then it must fail

Where the 2nd Scenario will first ensure the first scenario passes and then run.

Sounds like we need documentation with examples about @precondition tag - which doesn't exist right now.

@Kudbettin
Member

Wouldn't this fail on any resource that is not an "aws_vpc"?

If we use preconditions, on execution we still end up with the two scenarios stacked on top of each other.

e.g.

Given I have any resource defined
When its type is not aws_vpc
Then it must fail
Given I have any resource defined
When its type is not aws_vpc_flow_log
Then it must fail

So we still need to be able to capture

Given I have aws_vpc
Given I have aws_flow_log not defined
Then it must fail

in one scenario

I tested this to be working

Scenario: VPC implies flowlogs
	Given I have aws_vpc defined
	Given I have any resource defined
	Then its type must be aws_vpc_flowlog

@vrbcntrl could you give it a try?

@Kudbettin
Member

I was thinking about simulating "Given I have "resource A" not defined" with the current possible directives.

The scenario given above simulates

Given I have "resource A" not defined
Then it must fail

If we come up with a way to represent the other case

Given I have "resource A" not defined
Then it passes

We would end up supporting the functionality of the directive.

However, I haven't been able to do so.

@eerkunt
Member

eerkunt commented Jun 10, 2020

You are right, my example will fail on resources that don't have aws_vpc_flowlog. The problem with Given is that it will never fail. Thus when we define:

Given I have aws_vpc defined
Given I have any resource defined

The scenario will be skipped if there is no aws_vpc

@vrbcntrl
Contributor Author

Thanks @Kudbettin @eerkunt for looking into my issue.
The below Scenario worked fine

Scenario: VPC implies flowlogs
	Given I have aws_vpc defined
	Given I have any resource defined
	Then its type must be aws_flow_log

However, I also need to check if aws_flow_log is actually referencing the aws_vpc resource via its vpc_id parameter (which is an optional parameter according to terraform docs)

so, I have extended the Scenario as shown below

Scenario: VPC implies flowlogs
	Given I have aws_vpc defined
	Given I have any resource defined
	Then its type must be aws_flow_log
	Then it must contain aws_vpc

But step 4 failed with an error saying it could not find the aws_vpc parameter in:
aws_vpc resource
aws_flow_log resource
aws_s3_bucket resource

So, it looks like it is checking for that property in all the available resources, not only inside the aws_flow_log resource.

so, not sure how to proceed :(

@Kudbettin
Member

Hi @vrbcntrl,

With release 1.2.7, my previous response became outdated.

Scenario: VPC implies flowlogs
	Given I have aws_vpc defined
	Given I have any resource defined
	Then its type must be aws_vpc_flowlog

Should not filter the aws_vpc_flow resource. All Then directives drill down: Then its type must be aws_vpc_flowlog should drill down to the value property of type.

We could use the newly added @noskip tag, which will fail on skip.

	@noskip_at_line_8
	Scenario: VPC implies flowlogs
		Given I have aws_vpc defined
		Given I have any resource defined
		When its type is aws_flow_log

Will fail if you have aws_vpc defined but not aws_flow_log. (Line 8 corresponds to When its type is aws_flow_log in my file.)

However, I couldn't come up with a step that checks for your last step. I've looked into the plan file, there isn't anything resembling aws_vpc within the aws_flow_log resource.

@vrbcntrl
Contributor Author

Hi @Kudbettin ,

Thanks for your response. It's good to have the @noskip tag, I think it would be very helpful.

So, I have tested your Scenario with the @noskip tag, and it works fine. It's funny that even though my tf and plan have the aws_vpc reference inside the aws_flow_log resource, it still could not find it.

However, later I tested this reference the other way round and it worked :)

Scenario: VPC with flow logs
	Given I have aws_vpc defined
	Then it must contain aws_flow_log

please see the attached main.tf and plan json I used for testing

main.tf.txt
plan.json.txt

I think this works fine as long as both aws_vpc and aws_flow_log resources are being created during the same plan, but if someone tries to create them separately, then the test fails.
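The behaviour discussed in this thread (the reference to aws_vpc not being found inside aws_flow_log, and the check only holding when both resources are in the same plan) lines up with how Terraform's plan JSON is laid out: at plan time the flow log's vpc_id is still an unknown value, so planned_values carries nothing that links the two resources, while configuration.root_module.resources[].expressions.vpc_id.references still names aws_vpc.main. The script below is an added example, not terraform-compliance's or either commenter's code. It performs the "aws_vpc implies aws_flow_log" check directly over a plan JSON (the output of terraform show -json) by pairing the planned resource types with those configuration references, so a VPC created without a flow log that points at it fails instead of being skipped. The embedded plan is a constructed sample trimmed to the keys the script reads, mirroring the main.tf at the top of the issue; walking only the root module is an assumption (child modules would need the module_calls subtree).

```python
"""Fail when an aws_vpc in a Terraform plan has no aws_flow_log pointing at it.

Reads the JSON from `terraform show -json plan.out`, the same format
terraform-compliance consumes. Added example, not terraform-compliance code.
"""
import copy
import json
import sys


def _planned_resources(plan):
    """Map address -> type for root-module resources that will exist after apply."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {r["address"]: r["type"] for r in root.get("resources", [])}


def _config_expressions(plan):
    """Map address -> expressions from the `configuration` section (root module).

    Links between resources live here as `references`: in `planned_values` the
    flow log's vpc_id is unknown until apply, so it carries no trace of the VPC.
    Assumption: root module only; child modules sit under `module_calls`.
    """
    root = plan.get("configuration", {}).get("root_module", {})
    return {r["address"]: r.get("expressions", {}) for r in root.get("resources", [])}


def _refers_to(expr, address):
    """True if `expr` references `address`. Terraform 0.12 lists "aws_vpc.main";
    later versions also list "aws_vpc.main.id", so both forms are accepted."""
    return any(ref == address or ref.startswith(address + ".")
               for ref in expr.get("references", []))


def vpcs_without_flow_logs(plan):
    """Addresses of aws_vpc resources with no aws_flow_log whose vpc_id references them.

    The check is strictly per plan: a VPC created here must get its flow log in
    the same plan, because a flow log created in a separate plan is invisible.
    """
    planned = _planned_resources(plan)
    config = _config_expressions(plan)
    flow_logs = [a for a, t in planned.items() if t == "aws_flow_log"]
    return [
        vpc for vpc, typ in planned.items()
        if typ == "aws_vpc"
        and not any(_refers_to(config.get(fl, {}).get("vpc_id", {}), vpc) for fl in flow_logs)
    ]


# Constructed sample plan, trimmed to the keys used above. It mirrors the thread's
# main.tf: a VPC, a flow log for it, and the S3 bucket the flow log writes to.
# Note that the flow log's planned values have no vpc_id: it is unknown until apply.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_vpc.main", "type": "aws_vpc", "name": "main",
         "values": {"cidr_block": "10.0.0.0/16"}},
        {"address": "aws_flow_log.example", "type": "aws_flow_log", "name": "example",
         "values": {"log_destination_type": "s3", "traffic_type": "ALL"}},
        {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket", "name": "example",
         "values": {"bucket": "example"}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_vpc.main", "type": "aws_vpc", "name": "main",
         "expressions": {"cidr_block": {"constant_value": "10.0.0.0/16"}}},
        {"address": "aws_flow_log.example", "type": "aws_flow_log", "name": "example",
         "expressions": {
             "log_destination": {"references": ["aws_s3_bucket.example.arn", "aws_s3_bucket.example"]},
             "log_destination_type": {"constant_value": "s3"},
             "traffic_type": {"constant_value": "ALL"},
             "vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]},
         }},
        {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket", "name": "example",
         "expressions": {"bucket": {"constant_value": "example"}}},
    ]}},
}


def drop_resource(plan, address):
    """Deep copy of `plan` without one resource (used to build the negative cases)."""
    out = copy.deepcopy(plan)
    for section in ("planned_values", "configuration"):
        res = out[section]["root_module"]["resources"]
        out[section]["root_module"]["resources"] = [r for r in res if r["address"] != address]
    return out


def main(argv):
    """Check the plan file given as argv[1], or the embedded sample when none is given."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            plan = json.load(f)
    else:
        plan = SAMPLE_PLAN
    missing = vpcs_without_flow_logs(plan)
    for addr in missing:
        print(f"FAIL: {addr} is created without an aws_flow_log referencing it")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_flow_logs.py plan.json` after `terraform show -json plan.out > plan.json`; the non-zero exit code makes it usable as a pipeline gate. Because it keys on configuration references rather than resolved values, a flow log whose vpc_id is a literal string (an existing VPC not managed by this plan) does not count towards a VPC that is created in the plan, which is the strict behaviour the thread asks for.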

@Kudbettin
Member

@vrbcntrl,

Wow! It hadn't occurred to me at all to try checking that, or looking into the contents of aws_vpc in general.
Just a heads up: the contents of aws_flow_log resource and the aws_vpc/aws_flow_log are slightly different.

I'm sorry I hadn't noticed your response. The notification got buried in my inbox :)

@vrbcntrl
Contributor Author

np @Kudbettin
Thank you for taking the time to review our issues and fix them :)
much appreciated.

@ghost

ghost commented Aug 13, 2020

This issue's conversation is now locked. If you want to continue this discussion please open a new issue.

@ghost ghost locked and limited conversation to collaborators Aug 13, 2020