Nov 2025 Quality & Maintainability Improvements

.github/workflows/fmt-check.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   terraform:
-    name: Lint
+    name: Lint and Test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -23,4 +23,8 @@ jobs:
           terraform_version: "1.8.2"
       - name: Terraform fmt
         run: task fmt:check
+      - name: Terraform Init
+        run: terraform init
+      - name: Terraform Test
+        run: task test
 

.github/workflows/test.yml

@@ -0,0 +1,30 @@
+---
+name: Terraform Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Task
+        uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.8.2"
+      - name: Terraform Init
+        run: terraform init
+      - name: Terraform Test
+        run: task test:verbose

Taskfile.yml

@@ -11,3 +11,13 @@ tasks:
     desc: Check if the input is formatted
     cmds:
       - terraform fmt -recursive -check -diff .
+
+  test:
+    desc: Run Terraform unit tests
+    cmds:
+      - terraform test
+
+  test:verbose:
+    desc: Run Terraform unit tests with verbose output
+    cmds:
+      - terraform test -verbose

data.tf

@@ -25,4 +25,11 @@ data "cloudinit_config" "config" {
     })
     filename = "sensor-build.yaml"
   }
+
+  lifecycle {
+    precondition {
+      condition     = (var.fleet_token == "" && var.fleet_url == "" && var.fleet_server_sslname == "") || (var.fleet_token != "" && var.fleet_url != "" && var.fleet_server_sslname != "")
+      error_message = "Fleet Manager pairing requires all three variables to be set together: fleet_token, fleet_url, and fleet_server_sslname. Either set all three or leave all three empty."
+    }
+  }
 }

outputs.tf

@@ -1,3 +1,5 @@
 output "cloudinit_config" {
-  value = data.cloudinit_config.config
+  value       = data.cloudinit_config.config
+  sensitive   = true
+  description = "The complete cloudinit_config data source object. Use .rendered for the final user data string."
 }

tests/basic_configuration.tftest.hcl

@@ -0,0 +1,91 @@
+# Test basic sensor configuration without optional features
+run "basic_sensor_config" {
+  command = plan
+
+  variables {
+    fleet_community_string                       = "test-community-string"
+    sensor_license                               = "test-license-key"
+    sensor_management_interface_name             = "eth0"
+    sensor_monitoring_interface_name             = "eth1"
+    sensor_health_check_probe_source_ranges_cidr = ["35.191.0.0/16", "130.211.0.0/22"]
+    subnetwork_monitoring_cidr                   = "10.0.1.0/24"
+    subnetwork_monitoring_gateway                = "10.0.1.1"
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = can(regex("password: test-community-string", output.cloudinit_config.rendered))
+    error_message = "Community string should be present in rendered config"
+  }
+
+  assert {
+    condition     = can(regex("license_key: test-license-key", output.cloudinit_config.rendered))
+    error_message = "License should be present in rendered config"
+  }
+
+  assert {
+    condition     = can(regex("name: eth0", output.cloudinit_config.rendered))
+    error_message = "Management interface name should be present in rendered config"
+  }
+
+  assert {
+    condition     = can(regex("name: eth1", output.cloudinit_config.rendered))
+    error_message = "Monitoring interface name should be present in rendered config"
+  }
+}
+
+# Test minimal configuration without health checks
+run "minimal_config_without_health_checks" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = can(regex("password: test-community-string", output.cloudinit_config.rendered))
+    error_message = "Community string should be present in rendered config"
+  }
+}
+
+# Test that configuration includes health check when both CIDR and gateway are provided
+run "health_check_present_when_configured" {
+  command = plan
+
+  variables {
+    fleet_community_string                       = "test-community-string"
+    sensor_license                               = "test-license-key"
+    sensor_management_interface_name             = "eth0"
+    sensor_monitoring_interface_name             = "eth1"
+    subnetwork_monitoring_cidr                   = "10.0.1.0/24"
+    subnetwork_monitoring_gateway                = "10.0.1.1"
+    sensor_health_check_probe_source_ranges_cidr = ["35.191.0.0/16"]
+  }
+
+  assert {
+    condition     = can(regex("health_check:", output.cloudinit_config.rendered))
+    error_message = "Health check section should be present when CIDR and gateway are configured"
+  }
+
+  assert {
+    condition     = can(regex("10.0.1.0/24", output.cloudinit_config.rendered))
+    error_message = "Monitoring CIDR should be present in health check config"
+  }
+
+  assert {
+    condition     = can(regex("10.0.1.1", output.cloudinit_config.rendered))
+    error_message = "Monitoring gateway should be present in health check config"
+  }
+}

tests/feature_flags.tftest.hcl

@@ -0,0 +1,115 @@
+# Test Prometheus feature flag
+run "prometheus_enabled" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+    prometheus_enabled               = true
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = can(regex("prometheus:", output.cloudinit_config.rendered))
+    error_message = "Prometheus section should be present when enabled"
+  }
+}
+
+# Test Prometheus disabled (default)
+run "prometheus_disabled" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+    prometheus_enabled               = false
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = !can(regex("prometheus:", output.cloudinit_config.rendered))
+    error_message = "Prometheus section should not be present when disabled"
+  }
+}
+
+# Test FedRAMP mode enabled
+run "fedramp_enabled" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+    fedramp_mode_enabled             = true
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = can(regex("fedramp_mode:", output.cloudinit_config.rendered))
+    error_message = "FedRAMP mode section should be present when enabled"
+  }
+}
+
+# Test FedRAMP mode disabled (default)
+run "fedramp_disabled" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+    fedramp_mode_enabled             = false
+  }
+
+  assert {
+    condition     = output.cloudinit_config.rendered != null
+    error_message = "cloudinit_config output should not be null"
+  }
+
+  assert {
+    condition     = !can(regex("fedramp_mode:", output.cloudinit_config.rendered))
+    error_message = "FedRAMP mode section should not be present when disabled"
+  }
+}
+
+# Test both features enabled together
+run "multiple_features_enabled" {
+  command = plan
+
+  variables {
+    fleet_community_string           = "test-community-string"
+    sensor_license                   = "test-license-key"
+    sensor_management_interface_name = "eth0"
+    sensor_monitoring_interface_name = "eth1"
+    prometheus_enabled               = true
+    fedramp_mode_enabled             = true
+  }
+
+  assert {
+    condition     = can(regex("prometheus:", output.cloudinit_config.rendered))
+    error_message = "Prometheus section should be present when enabled"
+  }
+
+  assert {
+    condition     = can(regex("fedramp_mode:", output.cloudinit_config.rendered))
+    error_message = "FedRAMP mode section should be present when enabled"
+  }
+}