From ea2394098491a32ede3ef666bc7743d9a60a1338 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Thu, 4 Sep 2025 10:50:09 -0400 Subject: [PATCH 1/6] add tests for iam roles with and without path --- smoke_tests/ecs_fargate/outputs.tf | 8 ++ .../ecs_fargate/role-parsing-with-path.tf | 74 ++++++++++++ .../ecs_fargate/role-parsing-without-path.tf | 74 ++++++++++++ tests/role_parsing_test.go | 110 ++++++++++++++++++ 4 files changed, 266 insertions(+) create mode 100644 smoke_tests/ecs_fargate/role-parsing-with-path.tf create mode 100644 smoke_tests/ecs_fargate/role-parsing-without-path.tf create mode 100644 tests/role_parsing_test.go diff --git a/smoke_tests/ecs_fargate/outputs.tf b/smoke_tests/ecs_fargate/outputs.tf index ebb4c85..05c5064 100644 --- a/smoke_tests/ecs_fargate/outputs.tf +++ b/smoke_tests/ecs_fargate/outputs.tf @@ -29,3 +29,11 @@ output "cws-only" { output "logging-only" { value = module.dd_task_logging_only } + +output "role-parsing-with-path" { + value = module.dd_task_role_parsing_with_path +} + +output "role-parsing-without-path" { + value = module.dd_task_role_parsing_without_path +} diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf new file mode 100644 index 0000000..e2f4963 --- /dev/null +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf 
@@ -0,0 +1,74 @@
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025-present Datadog, Inc.
+
+################################################################################
+# Test: Role ARN parsing with path
+# This test verifies that the module correctly parses role names from ARNs
+# that include paths (e.g., /my-path/role-name)
+################################################################################
+
+# Create IAM roles with paths to test the parsing logic
+resource "aws_iam_role" "test_task_role_with_path" {
+ name = "${var.test_prefix}-task-role-with-path"
+ path = "/test-path/"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }]
+ })
+}
+
+resource "aws_iam_role" "test_execution_role_with_path" {
+ name = "${var.test_prefix}-execution-role-with-path"
+ path = "/test-execution-path/"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }]
+ })
+}
+
+# Attach required policies to execution role
+resource "aws_iam_role_policy_attachment" "test_execution_role_policy" {
+ role = aws_iam_role.test_execution_role_with_path.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+module "dd_task_role_parsing_with_path" {
+ source = "../../modules/ecs_fargate"
+
+ # Use roles with paths to test parsing
+ task_role = aws_iam_role.test_task_role_with_path
+ execution_role = aws_iam_role.test_execution_role_with_path
+
+ dd_api_key = var.dd_api_key
+ dd_site = var.dd_site
+ dd_service = var.dd_service
+ dd_essential = true
+
+ # Configure Task Definition
+ family = "${var.test_prefix}-role-parsing-with-path"
+ container_definitions = jsonencode([
+ {
+ name = "test-app",
+ image = "nginx:latest",
+ essential = true,
+ }
+ ])
+
+ requires_compatibilities = ["FARGATE"]
+}
diff --git a/smoke_tests/ecs_fargate/role-parsing-without-path.tf b/smoke_tests/ecs_fargate/role-parsing-without-path.tf
new file mode 100644
index 0000000..36cc7ec
--- /dev/null
+++ b/smoke_tests/ecs_fargate/role-parsing-without-path.tf
@@ -0,0 +1,74 @@
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025-present Datadog, Inc.
+
+################################################################################
+# Test: Role ARN parsing without path
+# This test verifies that the module correctly parses role names from ARNs
+# that do NOT include paths (e.g., role-name directly)
+################################################################################
+
+# Create IAM roles without paths to test the parsing logic
+resource "aws_iam_role" "test_task_role_without_path" {
+ name = "${var.test_prefix}-task-role-without-path"
+ # No path specified - defaults to "/"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }]
+ })
+}
+
+resource "aws_iam_role" "test_execution_role_without_path" {
+ name = "${var.test_prefix}-execution-role-without-path"
+ # No path specified - defaults to "/"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }]
+ })
+}
+
+# Attach required policies to execution role
+resource "aws_iam_role_policy_attachment" "test_execution_role_policy_no_path" {
+ role = aws_iam_role.test_execution_role_without_path.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+module "dd_task_role_parsing_without_path" {
+ source = "../../modules/ecs_fargate"
+
+ # Use roles without paths to test parsing
+ task_role = aws_iam_role.test_task_role_without_path
+ execution_role = aws_iam_role.test_execution_role_without_path
+
+ dd_api_key = var.dd_api_key
+ dd_site = var.dd_site
+ dd_service = var.dd_service
+ dd_essential = true
+
+ # Configure Task Definition
+ family = "${var.test_prefix}-role-parsing-without-path"
+ container_definitions = jsonencode([
+ {
+ name = "test-app",
+ image = "nginx:latest",
+ essential = true,
+ }
+ ])
+
+ requires_compatibilities = ["FARGATE"]
+}
diff --git a/tests/role_parsing_test.go b/tests/role_parsing_test.go
new file mode 100644
index 0000000..44c32e0
--- /dev/null
+++ b/tests/role_parsing_test.go
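Review bot: The `assume_role_policy` on both roles added in role-parsing-without-path.tf lets `ecs-tasks.amazonaws.com` assume the role with no `Condition` element, so nothing in the trust policy ties the role to tasks in this account. AWS's confused-deputy guidance for ECS task roles is to scope the statement, e.g. `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }`, which needs a `data "aws_caller_identity" "current" {}` block if the smoke tests do not already declare one. The two roles added in role-parsing-with-path.tf earlier in this patch have the same unconditioned trust policy. These are short-lived test roles, but fixtures like this tend to be copied into real stacks, so it is worth showing the scoped form here.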
@@ -0,0 +1,110 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+package test
+
+import (
+ "encoding/json"
+ "log"
+ "strings"
+
+ "github.com/aws/aws-sdk-go-v2/service/ecs/types"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+// TestRoleParsingWithPath tests that the module correctly parses role names from ARNs with paths
+func (s *ECSFargateSuite) TestRoleParsingWithPath() {
+ log.Println("TestRoleParsingWithPath: Running test...")
+
+ // Retrieve the task output for the "role-parsing-with-path" module
+ var containers []types.ContainerDefinition
+ task := terraform.OutputMap(s.T(), s.terraformOptions, "role-parsing-with-path")
+
+ s.Equal(s.testPrefix+"-role-parsing-with-path", task["family"], "Unexpected task family name")
+
+ err := json.Unmarshal([]byte(task["container_definitions"]), &containers)
+ s.NoError(err, "Failed to parse container definitions")
+
+ // Verify that the task was created successfully (which means role parsing worked)
+ s.NotEmpty(task["arn"], "Task definition ARN should not be empty")
+ s.NotEmpty(task["revision"], "Task definition revision should not be empty")
+
+ // Verify the task role ARN contains the expected path
+ taskRoleArn := task["task_role_arn"]
+ s.NotEmpty(taskRoleArn, "Task role ARN should not be empty")
+ s.Contains(taskRoleArn, "/test-path/", "Task role ARN should contain the path '/test-path/'")
+ s.Contains(taskRoleArn, s.testPrefix+"-task-role-with-path", "Task role ARN should contain the expected role name")
+
+ // Verify the execution role ARN contains the expected path
+ executionRoleArn := task["execution_role_arn"]
+ s.NotEmpty(executionRoleArn, "Execution role ARN should not be empty")
+ s.Contains(executionRoleArn, "/test-execution-path/", "Execution role ARN should contain the path '/test-execution-path/'")
+ s.Contains(executionRoleArn, s.testPrefix+"-execution-role-with-path", "Execution role ARN should contain the expected role name")
+
+ // Test Agent Container exists and is configured
+ agentContainer, found := GetContainer(containers, "datadog-agent")
+ s.True(found, "Container datadog-agent not found in definitions")
+ s.NotNil(agentContainer.Image, "Agent container image should not be nil")
+
+ // Test application container exists
+ appContainer, found := GetContainer(containers, "test-app")
+ s.True(found, "Container test-app not found in definitions")
+ s.Equal("nginx:latest", *appContainer.Image, "Unexpected image for test-app")
+
+ log.Println("TestRoleParsingWithPath: Role parsing with path test completed successfully")
+}
+
+// TestRoleParsingWithoutPath tests that the module correctly parses role names from ARNs without paths
+func (s *ECSFargateSuite) TestRoleParsingWithoutPath() {
+ log.Println("TestRoleParsingWithoutPath: Running test...")
+
+ // Retrieve the task output for the "role-parsing-without-path" module
+ var containers []types.ContainerDefinition
+ task := terraform.OutputMap(s.T(), s.terraformOptions, "role-parsing-without-path")
+
+ s.Equal(s.testPrefix+"-role-parsing-without-path", task["family"], "Unexpected task family name")
+
+ err := json.Unmarshal([]byte(task["container_definitions"]), &containers)
+ s.NoError(err, "Failed to parse container definitions")
+
+ // Verify that the task was created successfully (which means role parsing worked)
+ s.NotEmpty(task["arn"], "Task definition ARN should not be empty")
+ s.NotEmpty(task["revision"], "Task definition revision should not be empty")
+
+ // Verify the task role ARN does NOT contain additional paths (should be at root)
+ taskRoleArn := task["task_role_arn"]
+ s.NotEmpty(taskRoleArn, "Task role ARN should not be empty")
+ s.Contains(taskRoleArn, s.testPrefix+"-task-role-without-path", "Task role ARN should contain the expected role name")
+
+ // For roles without explicit paths, AWS defaults to "/" so the ARN format should be:
+ // arn:aws:iam::account:role/role-name (not arn:aws:iam::account:role/path/role-name)
+ roleArnParts := strings.Split(taskRoleArn, "/")
+ s.Equal(2, len(roleArnParts), "Role ARN without path should have exactly 2 parts when split by '/'")
+ s.Contains(roleArnParts[1], s.testPrefix+"-task-role-without-path", "Role name should be the second part after splitting by '/'")
+
+ // Verify the execution role ARN does NOT contain additional paths
+ executionRoleArn := task["execution_role_arn"]
+ s.NotEmpty(executionRoleArn, "Execution role ARN should not be empty")
+ s.Contains(executionRoleArn, s.testPrefix+"-execution-role-without-path", "Execution role ARN should contain the expected role name")
+
+ execRoleArnParts := strings.Split(executionRoleArn, "/")
+ s.Equal(2, len(execRoleArnParts), "Execution role ARN without path should have exactly 2 parts when split by '/'")
+ s.Contains(execRoleArnParts[1], s.testPrefix+"-execution-role-without-path", "Execution role name should be the second part after splitting by '/'")
+
+ // Test that containers are properly configured
+ s.GreaterOrEqual(len(containers), 2, "Expected at least 2 containers (datadog-agent + test-app)")
+
+ // Test Agent Container exists and is configured
+ agentContainer, found := GetContainer(containers, "datadog-agent")
+ s.True(found, "Container datadog-agent not found in definitions")
+ s.NotNil(agentContainer.Image, "Agent container image should not be nil")
+
+ // Test application container exists
+ appContainer, found := GetContainer(containers, "test-app")
+ s.True(found, "Container test-app not found in definitions")
+ s.Equal("nginx:latest", *appContainer.Image, "Unexpected image for test-app")
+
+ log.Println("TestRoleParsingWithoutPath: Role parsing without path test completed successfully")
+}
From 049ef86b58430be56ce7481854cb13d1f186ca36 Mon Sep 17 00:00:00 2001
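Review bot: In `TestRoleParsingWithoutPath` (tests/role_parsing_test.go, PATCH 1/6), `roleArnParts[1]` and `execRoleArnParts[1]` are indexed directly after `s.Equal(2, len(...), ...)`, which only records a failure and lets the test continue. If the `task_role_arn` output is empty or malformed, the run would end in an index-out-of-range panic instead of a readable assertion failure. `*appContainer.Image` after `s.True(found, ...)` in both tests likely has the same problem when the container is missing. Assuming `ECSFargateSuite` embeds testify's `suite.Suite`, use the fatal form before indexing or dereferencing: `s.Require().Len(roleArnParts, 2, "Role ARN without path should have exactly 2 parts when split by '/'")` and `s.Require().True(found, "Container test-app not found in definitions")`.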
From: Mathew Estafanous Date: Thu, 4 Sep 2025 11:27:42 -0400 Subject: [PATCH 2/6] chore: pass just arn object to validate both cases. --- .../ecs_fargate/role-parsing-with-path.tf | 10 +---- .../ecs_fargate/role-parsing-without-path.tf | 10 +---- tests/role_parsing_test.go | 37 ------------------- 3 files changed, 4 insertions(+), 53 deletions(-) diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf index e2f4963..7c5b598 100644 --- a/smoke_tests/ecs_fargate/role-parsing-with-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf @@ -53,7 +53,7 @@ module "dd_task_role_parsing_with_path" { # Use roles with paths to test parsing task_role = aws_iam_role.test_task_role_with_path - execution_role = aws_iam_role.test_execution_role_with_path + execution_role = { arn = aws_iam_role.test_execution_role_with_path.arn } dd_api_key = var.dd_api_key dd_site = var.dd_site @@ -62,13 +62,7 @@ module "dd_task_role_parsing_with_path" { # Configure Task Definition family = "${var.test_prefix}-role-parsing-with-path" - container_definitions = jsonencode([ - { - name = "test-app", - image = "nginx:latest", - essential = true, - } - ]) + container_definitions = jsonencode([]) requires_compatibilities = ["FARGATE"] } diff --git a/smoke_tests/ecs_fargate/role-parsing-without-path.tf b/smoke_tests/ecs_fargate/role-parsing-without-path.tf index 36cc7ec..9eb949b 100644 --- a/smoke_tests/ecs_fargate/role-parsing-without-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-without-path.tf @@ -53,7 +53,7 @@ module "dd_task_role_parsing_without_path" { # Use roles without paths to test parsing task_role = aws_iam_role.test_task_role_without_path - execution_role = aws_iam_role.test_execution_role_without_path + execution_role = { arn = aws_iam_role.test_execution_role_without_path.arn } dd_api_key = var.dd_api_key dd_site = var.dd_site 
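Review bot: In the `@@ -53,7 +53,7 @@` hunk of role-parsing-with-path.tf (PATCH 2/6), `task_role` still receives the whole `aws_iam_role` object while `execution_role` now receives an object holding only `arn`. The comment above them (`# Use roles with paths to test parsing`) does not say that this asymmetry is deliberate. A later cleanup could easily normalise both to one form and lose half of the coverage the commit subject describes. I would add a comment above the two arguments such as `# task_role: full role object; execution_role: ARN only, to exercise both input shapes the module accepts`. The matching `@@ -53,7 +53,7 @@` hunk in role-parsing-without-path.tf needs the same comment.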
@@ -62,13 +62,7 @@ module "dd_task_role_parsing_without_path" { # Configure Task Definition family = "${var.test_prefix}-role-parsing-without-path" - container_definitions = jsonencode([ - { - name = "test-app", - image = "nginx:latest", - essential = true, - } - ]) + container_definitions = jsonencode([]) requires_compatibilities = ["FARGATE"] } diff --git a/tests/role_parsing_test.go b/tests/role_parsing_test.go index 44c32e0..e073c01 100644 --- a/tests/role_parsing_test.go +++ b/tests/role_parsing_test.go @@ -18,7 +18,6 @@ import ( func (s *ECSFargateSuite) TestRoleParsingWithPath() { log.Println("TestRoleParsingWithPath: Running test...") - // Retrieve the task output for the "role-parsing-with-path" module var containers []types.ContainerDefinition task := terraform.OutputMap(s.T(), s.terraformOptions, "role-parsing-with-path") 
@@ -27,40 +26,24 @@ func (s *ECSFargateSuite) TestRoleParsingWithPath() { err := json.Unmarshal([]byte(task["container_definitions"]), &containers) s.NoError(err, "Failed to parse container definitions") - // Verify that the task was created successfully (which means role parsing worked) s.NotEmpty(task["arn"], "Task definition ARN should not be empty") s.NotEmpty(task["revision"], "Task definition revision should not be empty") - // Verify the task role ARN contains the expected path taskRoleArn := task["task_role_arn"] s.NotEmpty(taskRoleArn, "Task role ARN should not be empty") s.Contains(taskRoleArn, "/test-path/", "Task role ARN should contain the path '/test-path/'") s.Contains(taskRoleArn, s.testPrefix+"-task-role-with-path", "Task role ARN should contain the expected role name") - // Verify the execution role ARN contains the expected path executionRoleArn := task["execution_role_arn"] s.NotEmpty(executionRoleArn, "Execution role ARN should not be empty") s.Contains(executionRoleArn, "/test-execution-path/", "Execution role ARN should contain the path '/test-execution-path/'") s.Contains(executionRoleArn, s.testPrefix+"-execution-role-with-path", "Execution role ARN should contain the expected role name") - - // Test Agent Container exists and is configured - agentContainer, found := GetContainer(containers, "datadog-agent") - s.True(found, "Container datadog-agent not found in definitions") - s.NotNil(agentContainer.Image, "Agent container image should not be nil") - - // Test application container exists - appContainer, found := GetContainer(containers, "test-app") - s.True(found, "Container test-app not found in definitions") - s.Equal("nginx:latest", *appContainer.Image, "Unexpected image for test-app") - - log.Println("TestRoleParsingWithPath: Role parsing with path test completed successfully") } // TestRoleParsingWithoutPath tests that the module correctly parses role names from ARNs without paths func (s *ECSFargateSuite) 
TestRoleParsingWithoutPath() { log.Println("TestRoleParsingWithoutPath: Running test...") - // Retrieve the task output for the "role-parsing-without-path" module var containers []types.ContainerDefinition task := terraform.OutputMap(s.T(), s.terraformOptions, "role-parsing-without-path") @@ -69,22 +52,17 @@ func (s *ECSFargateSuite) TestRoleParsingWithoutPath() { err := json.Unmarshal([]byte(task["container_definitions"]), &containers) s.NoError(err, "Failed to parse container definitions") - // Verify that the task was created successfully (which means role parsing worked) s.NotEmpty(task["arn"], "Task definition ARN should not be empty") s.NotEmpty(task["revision"], "Task definition revision should not be empty") - // Verify the task role ARN does NOT contain additional paths (should be at root) taskRoleArn := task["task_role_arn"] s.NotEmpty(taskRoleArn, "Task role ARN should not be empty") s.Contains(taskRoleArn, s.testPrefix+"-task-role-without-path", "Task role ARN should contain the expected role name") - // For roles without explicit paths, AWS defaults to "/" so the ARN format should be: - // arn:aws:iam::account:role/role-name (not arn:aws:iam::account:role/path/role-name) roleArnParts := strings.Split(taskRoleArn, "/") s.Equal(2, len(roleArnParts), "Role ARN without path should have exactly 2 parts when split by '/'") s.Contains(roleArnParts[1], s.testPrefix+"-task-role-without-path", "Role name should be the second part after splitting by '/'") - // Verify the execution role ARN does NOT contain additional paths executionRoleArn := task["execution_role_arn"] s.NotEmpty(executionRoleArn, "Execution role ARN should not be empty") s.Contains(executionRoleArn, s.testPrefix+"-execution-role-without-path", "Execution role ARN should contain the expected role name") 
@@ -92,19 +70,4 @@ func (s *ECSFargateSuite) TestRoleParsingWithoutPath() { execRoleArnParts := strings.Split(executionRoleArn, "/") s.Equal(2, len(execRoleArnParts), "Execution role ARN without path should have exactly 2 parts when split by '/'") s.Contains(execRoleArnParts[1], s.testPrefix+"-execution-role-without-path", "Execution role name should be the second part after splitting by '/'") - - // Test that containers are properly configured - s.GreaterOrEqual(len(containers), 2, "Expected at least 2 containers (datadog-agent + test-app)") - - // Test Agent Container exists and is configured - agentContainer, found := GetContainer(containers, "datadog-agent") - s.True(found, "Container datadog-agent not found in definitions") - s.NotNil(agentContainer.Image, "Agent container image should not be nil") - - // Test application container exists - appContainer, found := GetContainer(containers, "test-app") - s.True(found, "Container test-app not found in definitions") - s.Equal("nginx:latest", *appContainer.Image, "Unexpected image for test-app") - - log.Println("TestRoleParsingWithoutPath: Role parsing without path test completed successfully") } From d8f836f2d86af63906554e25a9c992d78afd811e Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Thu, 4 Sep 2025 11:40:34 -0400 Subject: [PATCH 3/6] chore: rename task role path name --- smoke_tests/ecs_fargate/role-parsing-with-path.tf | 2 +- tests/role_parsing_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf index 7c5b598..7e4a33e 100644 --- a/smoke_tests/ecs_fargate/role-parsing-with-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf 
@@ -12,7 +12,7 @@ # Create IAM roles with paths to test the parsing logic resource "aws_iam_role" "test_task_role_with_path" { name = "${var.test_prefix}-task-role-with-path" - path = "/test-path/" + path = "/test-task-path/" assume_role_policy = jsonencode({ Version = "2012-10-17" diff --git a/tests/role_parsing_test.go b/tests/role_parsing_test.go index e073c01..529291a 100644 --- a/tests/role_parsing_test.go +++ b/tests/role_parsing_test.go @@ -31,7 +31,7 @@ func (s *ECSFargateSuite) TestRoleParsingWithPath() { taskRoleArn := task["task_role_arn"] s.NotEmpty(taskRoleArn, "Task role ARN should not be empty") - s.Contains(taskRoleArn, "/test-path/", "Task role ARN should contain the path '/test-path/'") + s.Contains(taskRoleArn, "/test-task-path/", "Task role ARN should contain the path '/test-path/'") s.Contains(taskRoleArn, s.testPrefix+"-task-role-with-path", "Task role ARN should contain the expected role name") executionRoleArn := task["execution_role_arn"] From a6b8946fe31341741bd296282ac4bf5a8c488f06 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Thu, 4 Sep 2025 11:44:28 -0400 Subject: [PATCH 4/6] chore: terraform fmt --- smoke_tests/ecs_fargate/role-parsing-with-path.tf | 2 +- smoke_tests/ecs_fargate/role-parsing-without-path.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf index 7e4a33e..b702479 100644 --- a/smoke_tests/ecs_fargate/role-parsing-with-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf @@ -61,7 +61,7 @@ module "dd_task_role_parsing_with_path" { dd_essential = true # Configure Task Definition - family = "${var.test_prefix}-role-parsing-with-path" + family = "${var.test_prefix}-role-parsing-with-path" container_definitions = jsonencode([]) requires_compatibilities = ["FARGATE"] 
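Review bot: The failure message on the changed `s.Contains(taskRoleArn, "/test-task-path/", ...)` line in tests/role_parsing_test.go (PATCH 3/6) still says `'/test-path/'`, so a failing run would report a path the test no longer checks. Update the message together with the value: `"Task role ARN should contain the path '/test-task-path/'"`. The `@@ -31,12 +31,12 @@` hunk in PATCH 5/6 changes the expected value again to `/terraform-test/` and leaves the same stale text on the task-role line, although it does update the execution-role message. Building the message from the same constant as the expected path would stop the two drifting apart.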
diff --git a/smoke_tests/ecs_fargate/role-parsing-without-path.tf b/smoke_tests/ecs_fargate/role-parsing-without-path.tf index 9eb949b..78b2886 100644 --- a/smoke_tests/ecs_fargate/role-parsing-without-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-without-path.tf @@ -61,7 +61,7 @@ module "dd_task_role_parsing_without_path" { dd_essential = true # Configure Task Definition - family = "${var.test_prefix}-role-parsing-without-path" + family = "${var.test_prefix}-role-parsing-without-path" container_definitions = jsonencode([]) requires_compatibilities = ["FARGATE"] From d1bcbb2fa160ba0b87662c47511c00095fe9bed3 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Thu, 4 Sep 2025 11:51:09 -0400 Subject: [PATCH 5/6] chore: use terraform-test path circumventing ci iam perms --- smoke_tests/ecs_fargate/role-parsing-with-path.tf | 4 ++-- tests/role_parsing_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf index b702479..ad39a2c 100644 --- a/smoke_tests/ecs_fargate/role-parsing-with-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf @@ -12,7 +12,7 @@ # Create IAM roles with paths to test the parsing logic resource "aws_iam_role" "test_task_role_with_path" { name = "${var.test_prefix}-task-role-with-path" - path = "/test-task-path/" + path = "/terraform-test/" assume_role_policy = jsonencode({ Version = "2012-10-17" @@ -28,7 +28,7 @@ resource "aws_iam_role" "test_task_role_with_path" { resource "aws_iam_role" "test_execution_role_with_path" { name = "${var.test_prefix}-execution-role-with-path" - path = "/test-execution-path/" + path = "/terraform-test/" assume_role_policy = jsonencode({ Version = "2012-10-17" diff --git a/tests/role_parsing_test.go b/tests/role_parsing_test.go index 529291a..e84e701 100644 --- a/tests/role_parsing_test.go +++ b/tests/role_parsing_test.go 
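Review bot: Both `path = "/terraform-test/"` lines in role-parsing-with-path.tf (PATCH 5/6) carry a constraint that is recorded only in the commit subject: the path appears to be chosen because the CI identity's IAM permissions are limited to roles under that prefix. Put that next to the value, e.g. `# Must stay under /terraform-test/: CI IAM permissions are scoped to this role path`. Without it, a later rename would fail in CI with an opaque access-denied error and might tempt someone to widen the CI policy instead. If the prefix is indeed what the CI policy matches on, it is also worth confirming that the policy limits `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` to `role/terraform-test/*` rather than `role/*`.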
@@ -31,12 +31,12 @@ func (s *ECSFargateSuite) TestRoleParsingWithPath() { taskRoleArn := task["task_role_arn"] s.NotEmpty(taskRoleArn, "Task role ARN should not be empty") - s.Contains(taskRoleArn, "/test-task-path/", "Task role ARN should contain the path '/test-path/'") + s.Contains(taskRoleArn, "/terraform-test/", "Task role ARN should contain the path '/test-path/'") s.Contains(taskRoleArn, s.testPrefix+"-task-role-with-path", "Task role ARN should contain the expected role name") executionRoleArn := task["execution_role_arn"] s.NotEmpty(executionRoleArn, "Execution role ARN should not be empty") - s.Contains(executionRoleArn, "/test-execution-path/", "Execution role ARN should contain the path '/test-execution-path/'") + s.Contains(executionRoleArn, "/terraform-test/", "Execution role ARN should contain the path '/terraform-test/'") s.Contains(executionRoleArn, s.testPrefix+"-execution-role-with-path", "Execution role ARN should contain the expected role name") } From b4e3aae1f3d9ab901456e6618f680c978c1f4312 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Thu, 4 Sep 2025 13:07:47 -0400 Subject: [PATCH 6/6] chore: task def comments --- smoke_tests/ecs_fargate/role-parsing-with-path.tf | 4 +--- smoke_tests/ecs_fargate/role-parsing-without-path.tf | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/smoke_tests/ecs_fargate/role-parsing-with-path.tf b/smoke_tests/ecs_fargate/role-parsing-with-path.tf index ad39a2c..69f224d 100644 --- a/smoke_tests/ecs_fargate/role-parsing-with-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-with-path.tf 
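Review bot: The role checks in `TestRoleParsingWithPath` (PATCH 5/6) are two independent substring matches, `s.Contains(taskRoleArn, "/terraform-test/", ...)` and `s.Contains(taskRoleArn, s.testPrefix+"-task-role-with-path", ...)`. They would also pass for an ARN where path and name are not adjacent, or where the name carries extra characters. Since the test is meant to show that the task definition ends up bound to exactly the role that was passed in, assert the tail of the ARN in one step: `s.True(strings.HasSuffix(taskRoleArn, ":role/terraform-test/"+s.testPrefix+"-task-role-with-path"))`, and likewise for `executionRoleArn`. Now that both roles share one path, the role name is the only thing that tells the two assertions apart, so an exact match matters more. The function starts and ends outside this hunk.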
@@ -4,9 +4,7 @@ # Copyright 2025-present Datadog, Inc. ################################################################################ -# Test: Role ARN parsing with path -# This test verifies that the module correctly parses role names from ARNs -# that include paths (e.g., /my-path/role-name) +# Task Definition: IAM Role with path in name ################################################################################ # Create IAM roles with paths to test the parsing logic diff --git a/smoke_tests/ecs_fargate/role-parsing-without-path.tf b/smoke_tests/ecs_fargate/role-parsing-without-path.tf index 78b2886..30c3db5 100644 --- a/smoke_tests/ecs_fargate/role-parsing-without-path.tf +++ b/smoke_tests/ecs_fargate/role-parsing-without-path.tf @@ -4,9 +4,7 @@ # Copyright 2025-present Datadog, Inc. ################################################################################ -# Test: Role ARN parsing without path -# This test verifies that the module correctly parses role names from ARNs -# that do NOT include paths (e.g., role-name directly) +# Task Definition: IAM Role without path in name ################################################################################ # Create IAM roles without paths to test the parsing logic