From 96a15e545a905353d74492f4a73481f14806ceaa Mon Sep 17 00:00:00 2001 From: Anthony Roy Date: Mon, 27 Jan 2025 15:30:40 +0000 Subject: [PATCH] Tests for the new data-migration structure --- data-migration/outputs.tf | 4 ++ data-migration/tests/unit.tftest.hcl | 69 +++++++++++++++++++++---- s3/tests/unit.tftest.hcl | 77 +++++++++++++++++++++++++++- 3 files changed, 140 insertions(+), 10 deletions(-) diff --git a/data-migration/outputs.tf b/data-migration/outputs.tf index a52e08aaa..a982b21b0 100644 --- a/data-migration/outputs.tf +++ b/data-migration/outputs.tf @@ -2,3 +2,7 @@ output "module_exists" { value = true } + +output "sources" { + value = var.sources +} \ No newline at end of file diff --git a/data-migration/tests/unit.tftest.hcl b/data-migration/tests/unit.tftest.hcl index f7e378a9c..072b59202 100644 --- a/data-migration/tests/unit.tftest.hcl +++ b/data-migration/tests/unit.tftest.hcl @@ -1,11 +1,17 @@ mock_provider "aws" {} variables { - config = { - "source_bucket_arn" = "test-source-bucket-arn" - "source_kms_key_arn" = "test-source-kms-key-arn" - "worker_role_arn" = "test-role-arn" - } + sources = [ + { + "source_bucket_arn" = "test-source-bucket-arn" + "source_kms_key_arn" = "test-source-kms-key-arn" + "worker_role_arn" = "test-role-arn" + }, + { + "source_bucket_arn" = "test-source-bucket-arn-2" + "worker_role_arn" = "test-role-arn-2" + } + ] destination_bucket_arn = "test-destination-bucket-arn" destination_bucket_identifier = "test-destination-bucket-name" } 
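Review bot: The `sources` output added in data-migration/outputs.tf has no `description`, and the hunk leaves the file without a trailing newline (`\ No newline at end of file`). The output appears to exist so that the s3 tests can assert on `module.data_migration[0].sources`. Saying so in the block, e.g. `description = "Migration sources as passed in (bucket, KMS key and worker role ARNs); read by the s3 module tests"`, tells a later reader why role and key ARNs are surfaced as a module output.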
@@ -63,16 +69,61 @@ run "data_migration_unit_test" { condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[3].actions, "kms:Decrypt") error_message = "Statement should contain kms:Decrypt" } + # source buckets + assert { + condition = length(data.aws_iam_policy_document.s3_migration_policy_document.statement[0].resources) == 4 + error_message = "Should have 4 elements" + } + assert { + condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[0].resources, "test-source-bucket-arn") + error_message = "Should contain: test-source-bucket-arn" + } + assert { + condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[0].resources, "test-source-bucket-arn/*") + error_message = "Should contain: test-source-bucket-arn/*" + } + assert { + condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[0].resources, "test-source-bucket-arn-2") + error_message = "Should contain: test-source-bucket-arn-2" + } + assert { + condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[0].resources, "test-source-bucket-arn-2/*") + error_message = "Should contain: test-source-bucket-arn-2/*" + } + # worker arns + assert { + condition = length(tolist(data.aws_iam_policy_document.allow_assume_role.statement[0].principals)[0].identifiers) == 2 + error_message = "Should have 2 elements" + } + assert { + condition = contains(tolist(data.aws_iam_policy_document.allow_assume_role.statement[0].principals)[0].identifiers, "test-role-arn") + error_message = "Should contain: test-role-arn" + } + assert { + condition = contains(tolist(data.aws_iam_policy_document.allow_assume_role.statement[0].principals)[0].identifiers, "test-role-arn-2") + error_message = "Should contain: test-role-arn-2" + } + # kms keys + assert { + condition = length(data.aws_iam_policy_document.s3_migration_policy_document.statement[3].resources) == 1 + error_message = 
"Should have 1 elements" + } + assert { + condition = contains(data.aws_iam_policy_document.s3_migration_policy_document.statement[3].resources, "test-source-kms-key-arn") + error_message = "Should contain: test-source-kms-key-arn" + } } run "data_migration_without_source_kms_key" { command = plan variables { - config = { - "source_bucket_arn" = "test-source-bucket-arn" - "worker_role_arn" = "test-role-arn" - } + sources = [ + { + "source_bucket_arn" = "test-source-bucket-arn" + "worker_role_arn" = "test-role-arn" + } + ] destination_bucket_arn = "test-destination-bucket-arn" destination_bucket_identifier = "test-destination-bucket-name" } diff --git a/s3/tests/unit.tftest.hcl b/s3/tests/unit.tftest.hcl index e53d8ce2b..e16e0fa23 100644 --- a/s3/tests/unit.tftest.hcl +++ b/s3/tests/unit.tftest.hcl @@ -215,7 +215,7 @@ run "aws_s3_bucket_lifecycle_configuration_no_prefix_unit_test" { } } -run "aws_s3_bucket_data_migration_unit_test" { +run "aws_s3_bucket_data_migration_legacy_config_unit_test" { command = plan variables { 
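Review bot: The assertions added to `data_migration_unit_test` pin one shared role: the `allow_assume_role` principals list both `test-role-arn` and `test-role-arn-2`, and `statement[0]` of the migration policy covers both source buckets, so every listed worker role is expected to reach every source bucket and the KMS key in `statement[3]`. The module is not visible here, so this is inferred from the test expectations only, but if sources can have different owners that grant is wider than any single migration needs. If the sharing is intended, record it above `# source buckets`, e.g. `# all sources share one migration role: any listed worker role can read every source bucket`. Within this hunk the checks also address statements by position and do not assert the `actions` or the principal `type` of `allow_assume_role`, so a reordered or widened statement would not necessarily fail. The `run` block starts outside the hunk.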
@@ -236,6 +236,81 @@ run "aws_s3_bucket_data_migration_unit_test" { condition = module.data_migration[0].module_exists error_message = "data migration module should be created" } + + assert { + condition = module.data_migration[0].sources[0].worker_role_arn == "arn:aws:iam::1234:role/service-role/my-privileged-arn" + error_message = "data migration worker_role_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[0].source_kms_key_arn == "arn:aws:iam::1234:my-external-kms-key-arn" + error_message = "data migration worker_role_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[0].source_bucket_arn == "arn:aws:s3::1234:my-source-bucket" + error_message = "data migration worker_role_arn should be present" + } +} + +run "aws_s3_bucket_data_migration_unit_test" { + command = plan + + variables { + config = { + "bucket_name" = "dbt-terraform-test-s3-cross-account", + "type" = "s3", + "data_migration" = { + "import_sources" = [ + { + "worker_role_arn" = "arn:aws:iam::1234:role/service-role/my-privileged-arn", + "source_kms_key_arn" = "arn:aws:iam::1234:my-external-kms-key-arn", + "source_bucket_arn" = "arn:aws:s3::1234:my-source-bucket" + }, + { + "worker_role_arn" = "arn:aws:iam::1234:role/service-role/my-privileged-arn-2", + "source_kms_key_arn" = "arn:aws:iam::1234:my-external-kms-key-arn-2", + "source_bucket_arn" = "arn:aws:s3::1234:my-source-bucket-2" + }, + ] + } + } + } + + assert { + condition = module.data_migration[0].module_exists + error_message = "data migration module should be created" + } + + assert { + condition = module.data_migration[0].sources[0].worker_role_arn == "arn:aws:iam::1234:role/service-role/my-privileged-arn" + error_message = "data migration worker_role_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[0].source_kms_key_arn == "arn:aws:iam::1234:my-external-kms-key-arn" + error_message = "data migration worker_role_arn should be 
present" + } + + assert { + condition = module.data_migration[0].sources[0].source_bucket_arn == "arn:aws:s3::1234:my-source-bucket" + error_message = "data migration worker_role_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[1].worker_role_arn == "arn:aws:iam::1234:role/service-role/my-privileged-arn-2" + error_message = "data migration worker_role_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[1].source_kms_key_arn == "arn:aws:iam::1234:my-external-kms-key-arn-2" + error_message = "data migration source_kms_key_arn should be present" + } + + assert { + condition = module.data_migration[0].sources[1].source_bucket_arn == "arn:aws:s3::1234:my-source-bucket-2" + error_message = "data migration source_bucket_arn should be present" + } } run "aws_s3_bucket_not_data_migration_unit_test" {
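Review bot: The `source_kms_key_arn` and `source_bucket_arn` assertions in `aws_s3_bucket_data_migration_legacy_config_unit_test`, and the `sources[0]` ones in the new `aws_s3_bucket_data_migration_unit_test`, reuse the message "data migration worker_role_arn should be present", so a failure names the wrong field. They should match the `sources[1]` assertions: `error_message = "data migration source_kms_key_arn should be present"` and `error_message = "data migration source_bucket_arn should be present"`. Separately, the fixture key ARN `arn:aws:iam::1234:my-external-kms-key-arn` carries the `iam` service segment rather than `kms`. It passes under the mocked provider, but a realistically shaped value would keep the test meaningful if ARN validation is ever added to the module. The legacy run's `variables` block lies outside the hunk.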