Testing on despatches

How to run your lambda code locally as its role (for testing)

Tue, 14 Nov 2023 14:23:37 +0000

While AWS Lambda is fantastic in providing a serverless platform with few worries about maintaining servers, it is not the easiest to test in an automated fashion with rapid feedback.

You could write end to end tests, but it means a deployment after each change and then checking the logs to see what failed. Even if you use iac (terraform/pulumi), the deployment will take seconds or a minute or two - not exact rapid test feedback.

What I have been doing is to set up a hook which is called from the lambda handler, which can also be called locally. Within the test, I then assume the role that runs the lambda and then test the hook.

This mechanism allows to me easily test that the permissions are set up correctly and that details are in place for the code to work.

For the full end to end test, I then have a simple smoke test or two.

The code samples are in golang(only because it happens to be my current language of choice), but the idea should be equally applicable in other languages.

Assuming The Role

```go roleToAssume := os.Getenv("AUTH_LAMBDA_ROLE_ARN") ctx := context.TODO() cfg, err := config.LoadDefaultConfig(ctx) if err != nil { logger.Fatal("error: ", err) } // Create the credentials from AssumeRoleProvider to assume the role // referenced by the "myRoleARN" ARN using the MFA token code provided. creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleToAssume) logger.Debugf("creds: %v", creds) cfg.Credentials = aws.NewCredentialsCache(creds) ```

the cfg is then passed into the New method for the resource you are interested in. e.g.:

```go ssmClient := ssm.NewFromConfig(cfg) ```

Working Example

You can find a full, working example test in my github repo under post/2023/11/autolambdatest

NOTE: It WILL automatically try and deploy a role and a ssm parameter, and it will delete it after the test.

The BeforeSuite will deploy the minimum configuration to be able to run the test, and the AfterSuite will destroy the same stack.

You will likely need to log into pulumi to get this test to work.

If you run into permissions issue for AssumeRole, read on.

AssumeRole Permissions

For this to work, the user running the tests need to have permissions to AssumeRole.

There are two steps to this. The first part is to allow "anyone" to AssumeRole the relevant role:

```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam:::root" }, "Action": "sts:AssumeRole" } ] } ```

This will allow "any user" to assume the role, as long as they have the permission to do so.

arn:aws:iam::[your-account]:root is a special user the represents the account (and the non-IAM root user). Since IAM (user, roles etc.) exists under the "root" account, all calls are also authenticated by this account - i.e. all users, roles etc. in IAM is also this account. There is a post on reddit discussing what exactly the root iam principal is for more information

Finally, unless you have the AdministratorAccess policy set against your account, you will also need to attach a policy to the relevant group (or your user) that grants permissions to call sts:AssumeRole (or *)

```json { "Version": "2012-10-17", "Statement": [ { "Sid": "123", "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::123456789012:role/desired-role"] } ] } ```

You can of course, also use * for Resource above to allow the user/group to Assume Any role. In practice, you might want to automate this as part of the creation of the relevant roles. (i.e. create the role, then give the relevant group permissions to Assume that role).

Unable to write to $HOME/.pulumi/credentials.json during bazel test

Tue, 14 Nov 2023 13:46:46 +0000

The Problem

You can add it to your ~/.bazelrc (it needs the path to be absolute)

From our integration tests, we run pulumi stack output (or in some cases pulumi up) through the automation API before we run the tests so that we can

Confirm that the stack is up
Get the relevant parameters (actual names of lambdas / dynamo db tables etc.)

However, since we use bazel for our tests, we ran into a small problem in that Bazel (rightly) prevents the tests from writing to anything outside the sandbox. This restrictions results in this error

``` error: open /home//.pulumi/credentials.json: read-only file system ```

The Solution

The easiest way to solve this is to ask bazel to allow writing to this location, which you can do with:

```bash bazel test ... --sandbox_writable_path=$HOME/.pulumi ```

bazel needs to the path to be absolute, so ~/.pulumi won't work.

Automation

It is annoying to add this flag into all the tests, but there is an way to automatically add it to all tests. You can add it to .bazelrc. Due to the aforementioned requirement for the path to be absolute, it is not possible to put it into the git repo root. However, you can put it into your home directory rool .bazelrc

$HOME/.bazelrc

``` test --sandbox_writable_path=/home//.pulumi ```

Separating out integration tests for golang in Bazel

Mon, 13 Nov 2023 13:47:53 +0000

There are many kinds of automated tests and two main kinds are integration tests and unit tests.

Unit tests are designed to run as fast as possible, so any slower processes like databases are mocked out. While super helpful and powerful in terms of providing confidence in the software, it should be only one part of the testing strategy.

Integration tests, as is implied runs tests of the different part of the software integrated together. Technically speaking, you can still mock out the database and other slower layers to keep it running quickly. However, there is value in including a database or other slower services in the process to test as them in an automated fashion.

What this does mean though, is that you want to be able to run only the unit tests or run the integration tests as well. You might also want to have smoke tests, which are run on your live production environment.

How

You could define a separate target in your BUILD file with the unit tests and let gazelle automatically build your default test target with all the tests. I found this frustrating to use as I had to keep tweaking the dependencies manually whenever anything changed (which happened often)

Tagging

The easiest way to achieve this for golang and bazel is to tag your source code files. You can do this by adding the following to the top of your integration test files

something_integration_test.go

```go //go:build integration_test package somepackage ```

You can pick any tag name you want instead of integration_test like integration, smoke_test etc.

IDE Support

You will likely need to add this source file into the IDEs build constraints to get the IDE to treat it as a source file. In IntelliJ (IDEA/Goland), you will be warned of this

If you click Edit settings, you can add the tag in

When running gazelle, you want to include the files with these tags

Gazelle

```bash bazel run //:gazelle -- -build_tags=integration_test ```

If you have multiple tags, you can separate them with commas. This command will generate a test target with all of the source files and its dependencies

Bazel Integration on test

To run only the unit tests, you test as normal:

```bash bazel test ... # or the specific target, and it'll run only the unit tests ```

To run the integration tests as well, include that tag

```bash bazel test ... --define gotags=integration_test # Will run unit & integration tests ```

Run only Unit Tests

This setup will currently not allow you to run ONLY the integration tests. To be able to do that you'll need to add a unit_test tag to the unit test files so that you can exclude them.

``` something_test.go ``` ```go //go:build integration_test package somepackage ```

You can then run only the unit tests with

```bash bazel test … --define gotags=unit_test # Will run unit & integration tests ```

Only the integration tests

```bash bazel test … --define gotags=integration_test # Will run unit & integration tests ```

Or both:

```bash bazel test … --define gotags=unit_test,integration_test # Will run unit & integration tests ```

Simpler gazelle command

You can enable the tags by default in the BUILD file so that you don't have to pass the tags into gazelle each time.

BUILD

```starlark # gazelle:build_tags unit_test,integration_test ```

You can then just run bazel run //:gazelle which will run with these tags enabled.

Sample Source

You can find sample source code demonstrating this in my github repo, under post/2023/11/separatetests

Hibernate Domain Model Testing

Tue, 23 Dec 2008 22:14:42 +0000

One of my pet peeves with Hibernate has always been how difficult it was to test it. I want to test the persistence of data, loading the data back and any specific funtionality with the domain model.

Simple? NO! The main problem was the management of the data set. I had set up, in the past fairly interesting classes to test the functionality using reflection, and injecting the data from the classes themselves through the data provider mechanism of TestNG. However, this was error prone and clunky at best. It also made dependency management of data quite cumbersome.

With a view to resolving this, I also looked at DbUnit, unitils and Ejb3Unit. They all did some things that I liked but lacked some functionality that was important.

This led me to write a simple testing infrastructure. The goal was straightforward.

I need to be able to define data in a CSV (actually it was seperated by the pipe character |, so PSV) based on entities.
The framework should automatically persist the data (and fail on errors)
It should test that it can load all that data back
It should run as many automated tests on the DOM as possible.

The framework uses the CSV files to read the data for each of the classes (using the excellent SuperCsv library). It needs an Id field for internal reference. As long as the id’s match within the CSV files for the relationships, it will be persisted correctly into the database even when the persisted id’s are different.

For example, I could have a Contact.csv with 5 records (ids 1 through 5) and a Company.csv with 3 records (ids 1 through 3).

The Contact.csv records can map to the id specified in the Company.csv file and when the records get persisted, they will be associated correctly, even if the id’s in the database end up being different.

The framework also looks for the CSV file which has the same name as the class within the location defined within the configuration file. This means that as long as the filename matches the class name, the data loading is automatic.

For simple classes, the Test case is as simple as:

```java public class CompanyTest extends DOMTest { public CompanyTest() { super(Company.class); } } ```

The system (with the help of testNG) is also easily flexible to define object model dependencies. Just override the persist method (which just calls the super.persist) and define the groups to be persist and .persist

in this particular case, it would be

```java @override @Test(groups={"persist", "Company.persist"} public void persist() { super.persist(); } ```

For all dependent classes, I then depend on the Company.persist group (For the ContactTest class for example, since it needs to link to the Company object)

You can specify OneToOne and ManyToOne relationships with just the CSV files - just defining the field name and the id of the object to pull in.

ManyToMany is more complex and requires an interim object to be created within the test section. If the Contact to Company relationship above was ManyToMany, we would create a ContactCompany class with just the two fields - Contact & Company, then create a csv file with three fields, id, Contact, & Company. The framework currently always needs an id field.

You would then need to write a method within the ContactTest or CompanyTest(I use the owning side) to read the CSV file in and pump the data. This process is a little bit complex just now.

With an appropriate amount of test data, you are able to write a test suite that can consistently test your domain model. More importantly, you can configure it to drop the database at the start of each run so that once the tests are complete, you have a database structure and data than can be used for testing of higher level components (EJB/Spring/UI/WebApp)

We currently use this framework to test the domain model as well as distribute a data set for development and testing of the higher tier functionalities.

For the future, there are several additional features this framework needs:

It currently needs the setters/getters & constructors to be public. This needs to be FIXED
Refactor the ManyToMany Relationship code to make it easier and simpler to test and pump data
See if we can ensure that additional tests which data is done within a transaction and rolled back so that the database is left in the “CSV Imported” state on completion of tests
Easier Dependency management if possible

This framework is still inside the walls of Kraya, but once the above issues are resolved and it is in a releasable state, it will be published into the open source community. If you are interested in getting a hold of it, email me and I’ll provide you with the latest version.

The easier and quicker it is to test, the more time we can spend on writing code… :-) The higher the coverage of the tests, the more confident you can be of your final product.

To more testing…