
Conversation

@novekm
Contributor

@novekm novekm commented Aug 12, 2025

Issue number:
N/A

Summary

Changes

A new GitHub Actions workflow file tf-test-on-comment-modules-vdi.yml was added to enable on-demand Terraform testing for the VDI module. The workflow is triggered by PR comments containing /run-vdi-module-tf-tests and runs comprehensive Terraform validation including formatting checks, initialization, and test execution with AWS credentials via OIDC.

User experience

Before: Developers working on the VDI module had no automated way to run Terraform tests on-demand for their pull requests. Testing would need to be done manually or wait for standard CI/CD pipeline execution.

After: Developers can now trigger VDI module Terraform tests by simply commenting /run-vdi-module-tf-tests on any pull request. The workflow provides real-time feedback through PR comments, showing when tests are scheduled, in progress, and completed with success/failure status and links to the full GitHub Actions run. This currently will only work for PRs submitted from branches of this source repo. Forks are not supported yet, but will be added via #664.

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented
Is this a breaking change? no

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created might not be successful.

Comment on lines +97 to +103
      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true

      # Initialize a new or existing Terraform working directory
      - name: Terraform Init

Check failure

Code scanning / CodeQL

Untrusted Checkout TOCTOU Critical

Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).

Copilot Autofix

AI 4 months ago

To fix the problem, change the checkout step to use an immutable reference (commit SHA) instead of the mutable branch reference. Specifically, replace ref: ${{ steps.comment-branch.outputs.head_ref }} with ref: ${{ steps.comment-branch.outputs.head_sha }} in the checkout step. This ensures that the code being checked out and executed is exactly the commit that was referenced when the workflow was triggered, preventing TOCTOU (Time-of-Check to Time-of-Use) attacks. No other changes are needed, as the rest of the workflow references the commit SHA for status updates and comments.


Suggested changeset 1
.github/workflows/tf-test-on-comment-modules-vdi.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tf-test-on-comment-modules-vdi.yml b/.github/workflows/tf-test-on-comment-modules-vdi.yml
--- a/.github/workflows/tf-test-on-comment-modules-vdi.yml
+++ b/.github/workflows/tf-test-on-comment-modules-vdi.yml
@@ -75,7 +75,7 @@
       - name: Checkout PR branch ${{ steps.comment-branch.outputs.head_ref }}
         uses: actions/checkout@v4
         with:
-          ref: ${{ steps.comment-branch.outputs.head_ref }}
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
           repository: ${{ steps.comment-branch.outputs.head_repo }}
           fetch-depth: 0
 
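Review bot: switching `ref` to `steps.comment-branch.outputs.head_sha` removes the mutable branch name, but whether it closes the TOCTOU window depends on when the `comment-branch` step resolves that SHA, and that step is outside this hunk, so the fix cannot be verified from the patch alone. The job runs with `permissions: write-all` and goes on to assume an AWS role via OIDC, so any commit pushed to the PR branch between the triggering comment and the resolve step would still be executed with those credentials. Suggest resolving the head SHA from the PR API in the same step that validates the comment, gating the job on `github.event.comment.author_association` being OWNER, MEMBER or COLLABORATOR, and pinning `repository:` to `${{ github.repository }}` until fork support (#664) is designed. Cosmetic: the step name on the first line still interpolates `head_ref`; use the SHA there too so the log shows what was actually checked out.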
EOF
@novekm novekm committed this autofix suggestion 4 months ago.
Comment on lines +103 to +108
      - name: Terraform Init
        id: init
        run: terraform init

      # Run the actual Terraform tests
      - name: Terraform Test

Check failure

Code scanning / CodeQL

Untrusted Checkout TOCTOU Critical

Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).

Copilot Autofix

AI 4 months ago

To fix the problem, ensure that the workflow checks out code using an immutable reference (commit SHA) that is guaranteed to be set by GitHub and not derived from potentially manipulated workflow logic or untrusted input. Specifically, replace the checkout step's ref input with ${{ github.event.pull_request.head.sha }} and the repository input with ${{ github.event.pull_request.head.repo.full_name }}. This ensures that the code being checked out is exactly the code that was reviewed and approved, and cannot be changed after the security check. Only the checkout step needs to be updated; all subsequent steps will operate on the securely checked-out code.


Suggested changeset 1
.github/workflows/tf-test-on-comment-modules-vdi.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tf-test-on-comment-modules-vdi.yml b/.github/workflows/tf-test-on-comment-modules-vdi.yml
--- a/.github/workflows/tf-test-on-comment-modules-vdi.yml
+++ b/.github/workflows/tf-test-on-comment-modules-vdi.yml
@@ -72,11 +72,11 @@
             })
 
       # Checkout the PR branch
-      - name: Checkout PR branch ${{ steps.comment-branch.outputs.head_ref }}
+      - name: Checkout PR branch ${{ github.event.pull_request.head.ref }}
         uses: actions/checkout@v4
         with:
-          ref: ${{ steps.comment-branch.outputs.head_sha }}
-          repository: ${{ steps.comment-branch.outputs.head_repo }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
 
       # Use GitHub Action secret to assume existing AWS IAM Role using OIDC connection
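Review bot: `github.event.pull_request` is not populated in an `issue_comment` payload (the job's own condition uses `github.event.issue.pull_request`, which is the field that does exist there), so `${{ github.event.pull_request.head.sha }}` and `${{ github.event.pull_request.head.repo.full_name }}` both expand to empty strings. actions/checkout falls back to `github.repository` and `github.ref` when `repository` and `ref` are empty, and on `issue_comment` that is the default branch, so applying this suggestion would silently run `terraform test` against the default branch instead of the PR head while reporting success. Do not apply as-is; resolve the head SHA with `gh api` against `github.event.issue.pull_request.url` in the step above and reference that output here. The renamed step on the `+      - name:` line has the same problem with `head.ref`.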
EOF
Comment on lines +108 to +114
      - name: Terraform Test
        id: test
        run: terraform test
        # run terraform test -filter="tests/<your-desired-test>"

      # 7. Comment on PR the result of the workflow
      - name: Add workflow result as comment on PR

Check failure

Code scanning / CodeQL

Untrusted Checkout TOCTOU Critical

Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).

Copilot Autofix

AI 4 months ago

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

…CTOU


I am trusting you, AI 🤖

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ghost

ghost commented Sep 26, 2025

I'm a bit confused by this PR. We need to define a new action for each tftest module? I thought we tried to avoid this?

@novekm
Contributor Author

novekm commented Sep 26, 2025

Yeah unfortunately we do right now. I wasn't able to find an easy way to target specific modules since they're all in a central /modules directory. For AWS-IA modules, each module is its own git repo which simplifies tf tests/the gh action. You can just do a simple /do-e2e-test comment which will apply to all tests in the repo at the same level in the directory. Since there is a 1 module per repo pattern, it will only run relevant tests for the specific module, which is in the /tests directory at the same level as the .github directory (root).

For the toolkit since we have multiple modules in the same repo, and these are not at the same level (root), we have to change directory into the specific directory to be able to run tests for that individual module. If we have a simple /run-tf-tests we would need some other way to extract the directory name to ensure it changes into the correct one.

For example:

jobs:
  terraform-testing:
    # TODO: scope these permissions down
    permissions: write-all
    name: Terraform Testing
    # Only run if it is a PR and the comment contains '/run-vdi-module-tf-tests'
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/run-vdi-module-tf-tests')
    runs-on: ubuntu-latest
    environment: aws-ci

    defaults:
      run:
        working-directory: ${{ github.workspace }}/modules/vdi/

the working-directory is hardcoded to a predictable path to each module, which is why we need to have separate gh actions. Unless there is a way to extract the directory the PR is targeting somehow, but I don't think that will work if users make changes to a module and also update docs for the module. The PR will be making changes in two locations.

Only other thing I could think of is to enforce PRs have the directory name in the title which can be fetched (and maybe have some regex match). Maybe I'm overthinking it. We should hop on a call at some point - I also wanted to tackle the issue of ensuring PRs from forks can also use the actions.
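A single workflow that addresses both threads above, the CodeQL TOCTOU finding on the `issue_comment` trigger and the one-workflow-per-module problem raised in the comment. This is an added example, not code from this PR or from the toolkit repo. It assumes the layout the comment describes (`modules/<name>/` with the module's tests beside it), a secret named `AWS_ROLE_ARN` and the `us-east-1` region, and a generic trigger phrase `/run-tf-tests`; the status-comment steps of the original workflow are left out. The head SHA is resolved by API in the same step that validates the comment and every later step uses that pinned SHA, so a push made after the trigger comment cannot swap in different code.

```yaml
name: tf-test-on-comment

on:
  issue_comment:
    types: [created]

# Nothing by default; the job requests only what it needs (contrast with permissions: write-all).
permissions: {}

jobs:
  terraform-testing:
    # Only PR comments, only the trigger phrase, and only from accounts that can be
    # held accountable for code that is about to run with cloud credentials.
    # author_association is evaluated for the commenter; CONTRIBUTOR is deliberately excluded.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/run-tf-tests') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    # If the aws-ci environment has required reviewers, a human approves before the role is assumed.
    environment: aws-ci
    permissions:
      contents: read
      id-token: write   # AWS OIDC

    steps:
      # 1. Pin the PR head now, by API, and refuse forks. Everything after this
      #    step uses the SHA captured here (the CodeQL TOCTOU finding).
      - name: Resolve PR head
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.issue.pull_request.url }}
        run: |
          set -euo pipefail
          head_repo=$(gh api "$PR_URL" --jq '.head.repo.full_name')
          if [ "$head_repo" != "$GITHUB_REPOSITORY" ]; then
            echo "PRs from forks ($head_repo) are not supported by this workflow" >&2
            exit 1
          fi
          echo "sha=$(gh api "$PR_URL" --jq '.head.sha')" >> "$GITHUB_OUTPUT"
          echo "base=$(gh api "$PR_URL" --jq '.base.ref')" >> "$GITHUB_OUTPUT"

      - name: Checkout pinned commit
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}   # immutable; repository defaults to this repo
          fetch-depth: 0                      # needed for the merge-base diff below

      # 2. Derive the module directories this PR touches, so one workflow serves every
      #    module under modules/. Doc-only changes do not trigger a test run.
      - name: Find changed modules
        id: modules
        env:
          BASE: ${{ steps.pr.outputs.base }}
        run: |
          set -euo pipefail
          git diff --name-only "origin/${BASE}...HEAD" \
            | { grep -E '^modules/[^/]+/.*\.(tf|tftest\.hcl)$' || true; } \
            | cut -d/ -f1,2 | sort -u > changed.txt
          echo "dirs=$(paste -sd ' ' changed.txt)" >> "$GITHUB_OUTPUT"

      - uses: hashicorp/setup-terraform@v3

      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}   # assumed secret name
          aws-region: us-east-1                         # assumed region

      # 3. fmt, init and test inside each changed module; a fmt failure fails the job.
      - name: Terraform test per changed module
        if: steps.modules.outputs.dirs != ''
        env:
          DIRS: ${{ steps.modules.outputs.dirs }}
        run: |
          set -euo pipefail
          for d in $DIRS; do
            echo "::group::$d"
            ( cd "$d" && terraform fmt -check && terraform init -input=false && terraform test )
            echo "::endgroup::"
          done
```

With this shape the per-module files (tf-test-on-comment-modules-vdi.yml and siblings) collapse into one, and a PR that edits modules/vdi and its docs runs tests only for modules/vdi. The fork check is what keeps `repository:` pinned to this repo; relaxing it for #664 means the OIDC role would be assumed for code chosen by an external contributor, so that change should come with the environment's required-reviewer gate turned on.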
