add terraform-test

.github/workflows/claude.yml

@@ -0,0 +1,37 @@
+name: Claude PR Assistant
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude-code-action:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude PR Action
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          timeout_minutes: "60"
+          model: "claude-opus-4-20250514"

.github/workflows/terraform-test.yaml

@@ -0,0 +1,29 @@
+name: Test Module
+
+on:
+  pull_request:
+    paths:
+      - '*.tf'
+      - 'tests/**'
+      - 'examples/terraform-test/**'
+      - '.github/workflows/terraform-test.yaml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+  id-token: write
+
+jobs:
+  test:
+    name: Run Terraform Tests
+    uses: oozou/.github/.github/workflows/terraform-test.yml@main
+    secrets: inherit
+    with:
+      aws_region: 'ap-southeast-1'
+      tf_version: '1.6.0'
+      go_version: '1.21'
+      test_example_path: 'examples/terraform-test'
+      timeout_minutes: 60
+      module_name: 'AWS Lambda'
+      iam_oidc_role: 'arn:aws:iam::562563527952:role/oozou-internal-devops-github-action-oidc-role' # oozou internal account

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this module will be documented in this file.
 
+## [v1.2.3] - 2025-07-11
+
+### Added
+
+- var additional_lambda_log_group_kms_policy
+
 ## [v1.2.2] - 2023-11-20
 
 ### Changed

examples/terraform-test/README.md

@@ -0,0 +1,32 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name                                                                      | Version           |
+|---------------------------------------------------------------------------|-------------------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0          |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 4.0.0, < 5.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name                                                   | Source | Version |
+|--------------------------------------------------------|--------|---------|
+| <a name="module_lambda"></a> [lambda](#module\_lambda) | ../../ | n/a     |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name                                                                     | Description                                                                                                                                                                                                                                                                                                                                                       | Type                                                                                                                                          | Default | Required |
+|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------|:--------:|
+| <a name="input_generic_info"></a> [generic\_info](#input\_generic\_info) | `prefix`      >> The prefix name of customer to be displayed in AWS console and resource<br>  `environment` >> Environment Variable used as a prefix<br>  `name`        >> Name of the ECS cluster and s3 also redis to create<br>  `custom_tags` >> Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | <pre>object({<br>    prefix      = string<br>    environment = string<br>    name        = string<br>    custom_tags = map(any)<br>  })</pre> | n/a     |   yes    |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/terraform-test/main.tf

@@ -0,0 +1,97 @@
+module "lambda" {
+  source = "../../"
+
+  prefix      = var.generic_info.prefix
+  environment = var.generic_info.environment
+  name        = var.generic_info.name
+
+  is_edge = false # Defautl is `false`, If you want to publish to the edge don't forget to override aws's provider to virgina
+
+  # If is_edge is `false`, ignore this config
+  is_create_lambda_bucket = true # Default is `false`; plz use false, if not 1 lambda: 1 bucket
+  bucket_name             = ""   # If `is_create_lambda_bucket` is `false`; specified this, default is `""`
+
+  # Source code
+  source_code_dir           = "./src"
+  compressed_local_file_dir = "./outputs"
+
+  # Lambda Env
+  runtime = "nodejs22.x"
+  handler = "index.handler"
+
+  # Lambda Specification
+  timeout                        = 3
+  memory_size                    = 128
+  reserved_concurrent_executions = -1
+
+  # Optional to connect Lambda to VPC
+  # vpc_config = {
+  #   security_group_ids      = ["sg-028f637312eea735e"]
+  #   subnet_ids_to_associate = ["subnet-0b853f8c85796d72d", "subnet-07c068b4b51262793", "subnet-0362f68c559ef7716"]
+  # }
+  # dead_letter_target_arn = "arn:aws:sns:ap-southeast-1:557291035693:demo" # To send failed processing to target, Default is `""`
+
+  # IAM
+  is_create_lambda_role = true # Default is `true`
+  lambda_role_arn       = ""   # If `is_create_lambda_role` is `false`
+  # The policies that you want to attach to IAM Role created by only this module                                                   # If `is_create_lambda_role` is `false`
+  additional_lambda_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
+
+  # Resource policy
+  lambda_permission_configurations = {
+    lambda_on_my_account = {
+      principal  = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
+    }
+    lambda_on_my_another_account_wrong = {
+      principal      = "apigateway.amazonaws.com"
+      source_arn     = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
+      source_account = "557291035112"
+    }
+    lambda_on_my_another_account_correct = {
+      principal  = "apigateway.amazonaws.com"
+      source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
+    }
+  }
+
+  # Logging
+  is_create_cloudwatch_log_group         = true # Default is `true`
+  cloudwatch_log_retention_in_days       = 90   # Default is `90`
+  additional_lambda_log_group_kms_policy = data.aws_iam_policy_document.allow_github_oidc.json
+  # Env
+  ssm_params = {}
+  environment_variables = {
+    region         = "ap-southeast-1"
+    cluster_name   = "oozou-dev-test-schedule-cluster"
+    nodegroup_name = "oozou-dev-test-schedule-custom-nodegroup"
+    min            = 1,
+    max            = 1,
+    desired        = 1
+  }
+
+  tags = var.generic_info.custom_tags
+}
+
+
+data "aws_iam_policy_document" "allow_github_oidc" {
+  statement {
+    sid    = "AllowGitHubActionsEncryptDecrypt"
+    effect = "Allow"
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::562563527952:role/oozou-internal-devops-github-action-oidc-role"
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+  }
+}

examples/terraform-test/outputs.tf

@@ -0,0 +1,14 @@
+output "function_name" {
+  description = "Name of the Lambda function."
+  value       = module.lambda.function_name
+}
+
+output "function_arn" {
+  description = "ARN of the Lambda function."
+  value       = module.lambda.function_arn
+}
+
+output "execution_role_arn" {
+  description = "ARN of the Lambda function's execution role."
+  value       = module.lambda.execution_role_arn
+}

examples/terraform-test/src/index.js

@@ -0,0 +1,18 @@
+var http = require('http')
+
+exports.handler = (event, context, callback) => {
+  const options = {
+    hostname: event.Host,
+    port: event.Port
+  }
+
+  const response = {};
+
+  http.get(options, (res) => {
+    response.httpStatus = res.statusCode
+    callback(null, response)
+  }).on('error', (err) => {
+    callback(null, err.message);
+  })
+
+};

examples/terraform-test/terraform.auto.tfvars

@@ -0,0 +1,8 @@
+generic_info = {
+  prefix      = "oozou",
+  environment = "dev",
+  name        = "demo",
+  custom_tags = {
+    Workspace = "999-oozou-demo-dev-wp"
+  }
+}

examples/terraform-test/variables.tf

@@ -0,0 +1,14 @@
+variable "generic_info" {
+  description = <<EOF
+  `prefix`      >> The prefix name of customer to be displayed in AWS console and resource
+  `environment` >> Environment Variable used as a prefix
+  `name`        >> Name of the ECS cluster and s3 also redis to create
+  `custom_tags` >> Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys
+  EOF
+  type = object({
+    prefix      = string
+    environment = string
+    name        = string
+    custom_tags = map(any)
+  })
+}

examples/terraform-test/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0, < 6.0.0"
+    }
+  }
+}

main.tf

@@ -60,7 +60,7 @@ module "s3" {
   count = var.is_edge && var.is_create_lambda_bucket ? 1 : 0
 
   source  = "oozou/s3/aws"
-  version = "1.1.3"
+  version = "2.0.1"
 
   prefix      = var.prefix
   environment = var.environment
@@ -332,15 +332,15 @@ data "aws_iam_policy_document" "cloudwatch_log_group_kms_policy" {
 module "cloudwatch_log_group_kms" {
   count   = var.is_create_cloudwatch_log_group && var.is_create_default_kms && var.cloudwatch_log_group_kms_key_arn == null ? 1 : 0
   source  = "oozou/kms-key/aws"
-  version = "1.0.0"
+  version = "2.0.1"
 
   prefix               = var.prefix
   environment          = var.environment
   name                 = format("%s-function-log-group", var.name)
   key_type             = "service"
   append_random_suffix = true
   description          = format("Secure Secrets Manager's service secrets for service %s", local.name)
-  additional_policies  = [data.aws_iam_policy_document.cloudwatch_log_group_kms_policy.json]
+  additional_policies  = [data.aws_iam_policy_document.cloudwatch_log_group_kms_policy.json, var.additional_lambda_log_group_kms_policy]
 
   tags = merge(local.tags, { "Name" : format("%s-function-log-group", var.name) })
 }

outputs.tf

@@ -9,7 +9,7 @@ output "function_arn" {
 }
 output "function_name" {
   description = "Name of AWS Lambda function"
-  value       = local.name
+  value       = format("%s-function", local.name)
 }
 
 output "execution_role_arn" {

tests/Makefile

@@ -0,0 +1,48 @@
+.PHONY: test generate-report clean help
+
+# Default target
+help:
+	@echo "Available targets:"
+	@echo "  test           - Run all tests"
+	@echo "  generate-report - Generate test reports (JSON and HTML)"
+	@echo "  clean          - Clean up test artifacts"
+	@echo "  help           - Show this help message"
+
+# Run tests with report generation
+test:
+	@echo "Running Terraform AWS tests..."
+	go test -v -timeout 45m -args -report=true -report-file=test-report.json -html-file=test-report.html
+
+# Generate test report (used by CI/CD)
+generate-report:
+	@echo "Generating test reports..."
+	@if [ -f test-report.json ]; then \
+		echo "Test report already exists: test-report.json"; \
+		echo "HTML report already exists: test-report.html"; \
+	else \
+		echo "No test report found. Running tests to generate report..."; \
+		$(MAKE) test; \
+	fi
+
+# Clean up test artifacts
+clean:
+	@echo "Cleaning up test artifacts..."
+	rm -f test-report.json
+	rm -f test-report.html
+	rm -f test-results.json
+	rm -f test-summary.md
+	@echo "Clean up completed."
+
+# Run tests in verbose mode
+test-verbose:
+	@echo "Running tests in verbose mode..."
+	go test -v -timeout 45m -args -report=true -report-file=test-report.json -html-file=test-report.html
+
+# Run specific test
+test-specific:
+	@if [ -z "$(TEST)" ]; then \
+		echo "Usage: make test-specific TEST=TestName"; \
+		exit 1; \
+	fi
+	@echo "Running specific test: $(TEST)"
+	go test -v -timeout 45m -run $(TEST) -args -report=true -report-file=test-report.json -html-file=test-report.html