问题内容
我有一个函数,它接受 aws openidconnectprovider pulumi 资源的输入并创建一个 iam 角色,并附加一个包含来自该 oidc 提供商的信息的 assumerolepolicy。
问题:我正在尝试为此函数编写测试并模拟 oidc 提供程序以作为函数调用的输入。我无法理解如何正确地模拟它,以便测试输出显示我所期望的内容,目前看来模拟的数据没有像我预期的那样出现。
看来我没有正确使用模拟,但我在这里放弃了示例
此处有更多文档
package mypkg
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func createmycustomrole(ctx *pulumi.context, name string, oidcprovider *iam.openidconnectprovider, opts ...pulumi.resourceoption) (*iam.role, error) {
role := &iam.role{}
componenturn := fmt.sprintf("%s-custom-role", name)
err := ctx.registercomponentresource("pkg:aws:mycustomrole", componenturn, role, opts...)
if err != nil {
return nil, err
}
url := oidc.url.applyt(func(s string) string {
return fmt.sprint(strings.replaceall(s, "https://", ""), ":sub")
}).(pulumi.stringoutput)
assumerolepolicy := pulumi.sprintf(`{
"version": "2012-10-17",
"statement": [{
"effect": "allow",
"principal": { "federated": "%s" },
"action": "sts:assumerolewithwebidentity",
"condition": {
"stringequals": {
"%s": [
"system:serviceaccount:kube-system:*",
"system:serviceaccount:kube-system:cluster-autoscaler"
]
}
}
}]
}`, oidcprovider.arn, url)
roleurn := fmt.sprintf("%s-custom-role", name)
role, err = iam.newrole(ctx, roleurn, &iam.roleargs{
name: pulumi.string(roleurn),
description: pulumi.string("create custom role"),
assumerolepolicy: assumerolepolicy,
tags: pulumi.tostringmap(map[string]string{"project": "test"}),
})
if err != nil {
return nil, err
}
return role, nil
}
package mypkg
import (
"sync"
"testing"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/stretchr/testify/assert"
)
type mocks int
func (mocks) newresource(args pulumi.mockresourceargs) (string, resource.propertymap, error) {
return args.name + "_id", args.inputs, nil
}
func (mocks) call(args pulumi.mockcallargs) (resource.propertymap, error) {
outputs := map[string]interface{}{}
if args.token == "aws:iam/getopenidconnectprovider:getopenidconnectprovider" {
outputs["arn"] = "arn:aws:iam::123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/abc"
outputs["id"] = "abc"
outputs["url"] = "https://someurl"
}
return resource.newpropertymapfrommap(outputs), nil
}
func testcreatemycustomrole(t *testing.t) {
err := pulumi.runerr(func(ctx *pulumi.context) error {
// gets the mocked oidc provider to use as input for the createdefaultautoscalerrole
oidc, err := iam.getopenidconnectprovider(ctx, "get-test-oidc-provider", pulumi.id("abc"), &iam.openidconnectproviderstate{})
assert.noerror(t, err)
infra, err := createmycustomrole(ctx, "role1", oidc})
assert.noerror(t, err)
var wg sync.waitgroup
wg.add(1)
// check 1: assume role policy is formatted correctly
pulumi.all(infra.urn(), infra.assumerolepolicy).applyt(func(all []interface{}) error {
urn := all[0].(pulumi.urn)
assumerolepolicy := all[1].(string)
assert.equal(t, `{
"version": "2012-10-17",
"statement": [{
"effect": "allow",
"principal": { "federated": "arn:aws:iam::123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/abc" },
"action": "sts:assumerolewithwebidentity",
"condition": {
"stringequals": {
"someurl:sub": [
"system:serviceaccount:kube-system:*",
"system:serviceaccount:kube-system:cluster-autoscaler"
]
}
}
}]
}`, assumerolepolicy)
wg.done()
return nil
})
wg.wait()
return nil
}, pulumi.withmocks("project", "stack", mocks(0)))
assert.noerror(t, err)
}
output
diff:
--- expected
+++ actual
@@ -4,3 +4,3 @@
"effect": "allow",
- "principal": { "federated": "arn:aws:iam::123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/abc" },
+ "principal": { "federated": "" },
"action": "sts:assumerolewithwebidentity",
@@ -8,3 +8,3 @@
"stringequals": {
- "someurl:sub": [
+ ":sub": [
"system:serviceaccount:kube-system:*",
test: testcreatemycustomrole
正确答案
原来我使用了 newresource 错误。
当在测试函数中调用 getopenidconnectprovider 时,它会读取资源并创建一个新的资源输出,从而触发对mocks.newresource的调用
修复方法是使用模拟输出在 newresource 函数调用中为 getopenidconnectprovider openidconnectprovider 返回的资源类型定义一个 if 语句。
func (mocks) newresource(args pulumi.mockresourceargs) (string, resource.propertymap, error) {
pulumi.printf(args.typetoken)
outputs := args.inputs.mappable()
if args.typetoken == "aws:iam/openidconnectprovider:openidconnectprovider" {
outputs["arn"] = "arn:aws:iam::123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/abc"
outputs["id"] = "abc"
outputs["url"] = "https://someurl"
}
return args.name + "_id", resource.newpropertymapfrommap(outputs), nil
}
func (mocks) call(args pulumi.mockcallargs) (resource.propertymap, error) {
outputs := map[string]interface{}{}
return resource.newpropertymapfrommap(outputs), nil
}
下面的代码片段是我更改了 assert 以便它无法显示与上面对 newresource 所做的更改相比现在的差异
Diff:
--- Expected
Actual
@@ -8,3 +8,3 @@
"StringEquals": {
- "b:sub": [
+ "someurl:sub": [
"system:serviceaccount:kube-system:*", 
