LIME-2122 - Added Template Tests for CloudFormation Templates

Added tests for the public-api, private-api and template

Author: ChrisBates1

.github/workflows/pr-check.yml

@@ -103,23 +103,33 @@ jobs:
         run: |
           aws cloudformation delete-stack --region eu-west-2 --stack-name ${{ needs.deploy-preview.outputs.stack-name }}
 
+  infra-tests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Setup Node
+        uses: ./.github/actions/node-setup
+      - name: CloudFormation template tests
+        run: npm run test:infra
+
   merge-status:
     name: Merge status
     runs-on: ubuntu-latest
     concurrency:
       group: merge-status-${{ github.event.pull_request.number }}
       cancel-in-progress: true
-    needs:
-      - pre-commit
-      - unit-tests
-      - api-tests
+    needs: [pre-commit, type-check, unit-tests, infra-tests]
     if: always()
     steps:
       - run: |
           failed=()
           [[ "${{ needs.pre-commit.result }}" != "success" ]] && failed+=("pre-commit")
           [[ "${{ needs.unit-tests.result }}" != "success" ]] && failed+=("unit-tests")
           [[ "${{ needs.api-tests.result }}" != "success" ]] && failed+=("api-tests")
+          [[ "${{ needs.infra-tests.result }}" != "success" ]] && failed+=("infra-tests")
           if [[ ${#failed[@]} -gt 0 ]]; then
             echo "The following jobs failed: ${failed[*]}"
             exit 1

README.md

@@ -38,6 +38,9 @@ See the Lime onboarding guide for detailed setup instructions.
 ### Run with coverage
 `npm run test:coverage`
 
+### Run Infra tests
+`npm run test:infra`
+
 Coverage reports are generated in coverage/ directory.
 
 ## Code Quality

package-lock.json

@@ -23,6 +23,7 @@
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "test:api": "cucumber-js --profile api",
+    "test:infra": "vitest run --config vitest.infra.config.ts",
     "type-check": "tsc --noEmit"
   },
   "devDependencies": {
@@ -40,7 +41,9 @@
     "tsx": "4.19.4",
     "typescript": "5.9.3",
     "typescript-eslint": "8.56.0",
-    "vitest": "4.1.5"
+    "vitest": "4.1.5",
+    "yaml": "2.8.3",
+    "zod": "4.3.6"
   },
   "dependencies": {
     "@aws-lambda-powertools/logger": "2.31.0",

package.json

@@ -0,0 +1,42 @@
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { parse } from 'yaml'
+import { z } from 'zod'
+
+const cfnTagNames = [
+  'And', 'Base64', 'Cidr', 'Condition', 'Equals', 'FindInMap', 'GetAtt', 'GetAZs',
+  'If', 'ImportValue', 'Join', 'Not', 'Or', 'Ref', 'Select', 'Split', 'Sub', 'Transform',
+]
+const cfnTags = cfnTagNames.flatMap((name) => [
+  { collection: 'seq' as const, resolve: (seq: unknown) => seq, tag: `!${name}` },
+  { resolve: (str: string) => str, tag: `!${name}` },
+])
+
+export const loadTemplate = (relativePath: string): Record<string, unknown> =>
+  parse(readFileSync(resolve(__dirname, '../../deploy', relativePath), 'utf-8'), {
+    customTags: cfnTags,
+  }) as Record<string, unknown>
+
+// Common CloudFormation schemas
+export const cfnParameterSchema = z.object({
+  AllowedValues: z.array(z.string()).optional(),
+  Default: z.union([z.string(), z.number()]).optional(),
+  Description: z.string().optional(),
+  Type: z.string(),
+})
+
+export const cfnOutputSchema = z.object({
+  Condition: z.string().optional(),
+  Description: z.string().optional(),
+  Export: z.object({ Name: z.unknown() }).optional(),
+  Value: z.unknown(),
+})
+
+export const openApiSchema = z.object({
+  info: z.object({
+    title: z.string(),
+    version: z.string(),
+  }),
+  openapi: z.string().regex(/^3\.\d+\.\d+$/),
+  paths: z.record(z.string(), z.record(z.string(), z.unknown())),
+})

test/infra/helpers.ts

@@ -0,0 +1,67 @@
+import { loadTemplate, openApiSchema } from './helpers'
+import { describe, expect, it } from 'vitest'
+
+const template = loadTemplate('private-api.yaml')
+
+const paths = template['paths'] as Record<string, Record<string, unknown>>
+
+describe('private-api.yaml structure', () => {
+  it('is a valid OpenAPI 3.x document', () => {
+    expect(openApiSchema.safeParse(template).success).toBe(true)
+  })
+
+  it('has title', () => {
+    const info = template['info'] as Record<string, string>
+    expect(info['title']).toBe('Open Banking Credential Issuer Private API')
+  })
+})
+
+describe('private-api.yaml paths', () => {
+  const expectedPaths = ['/basic-function', '/authorization', '/session']
+
+  it.each(expectedPaths)('has path: %s', (path) => {
+    expect(paths).toHaveProperty(path)
+  })
+
+  it('/basic-function has POST with aws_proxy integration', () => {
+    const post = paths['/basic-function']?.['post'] as Record<string, unknown>
+    const integration = post['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('aws_proxy')
+  })
+
+  it('/authorization has GET method', () => {
+    expect(paths['/authorization']).toHaveProperty('get')
+  })
+
+  it('/session has POST method', () => {
+    expect(paths['/session']).toHaveProperty('post')
+  })
+})
+
+describe('private-api.yaml components', () => {
+  const components = template['components'] as Record<string, Record<string, unknown>>
+
+  it('defines SessionHeader parameter', () => {
+    expect(components['parameters']).toHaveProperty('SessionHeader')
+  })
+
+  it('defines required schemas', () => {
+    const schemas = components['schemas']
+    expect(schemas).toHaveProperty('Authorization')
+    expect(schemas).toHaveProperty('AuthorizationResponse')
+    expect(schemas).toHaveProperty('Error')
+    expect(schemas).toHaveProperty('Session')
+  })
+})
+
+describe('private-api.yaml request validators', () => {
+  const validators = template['x-amazon-apigateway-request-validators'] as Record<string, unknown>
+
+  it('defines Validate both', () => {
+    expect(validators).toHaveProperty('Validate both')
+  })
+
+  it('defines Validate Param only', () => {
+    expect(validators).toHaveProperty('Validate Param only')
+  })
+})

test/infra/private-api.test.ts

@@ -0,0 +1,64 @@
+import { loadTemplate, openApiSchema } from './helpers'
+import { describe, expect, it } from 'vitest'
+
+const template = loadTemplate('public-api.yaml')
+
+const paths = template['paths'] as Record<string, Record<string, unknown>>
+
+describe('public-api.yaml structure', () => {
+  it('is a valid OpenAPI 3.x document', () => {
+    expect(openApiSchema.safeParse(template).success).toBe(true)
+  })
+
+  it('has title', () => {
+    const info = template['info'] as Record<string, string>
+    expect(info['title']).toBe('Open Banking Credential Issuer Public API')
+  })
+})
+
+describe('public-api.yaml paths', () => {
+  const expectedPaths = ['/health', '/.well-known/jwks.json', '/token']
+
+  it.each(expectedPaths)('has path: %s', (path) => {
+    expect(paths).toHaveProperty(path)
+  })
+
+  it('/health has GET with mock integration', () => {
+    const get = paths['/health']?.['get'] as Record<string, unknown>
+    const integration = get['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('mock')
+  })
+
+  it('/token has POST method', () => {
+    expect(paths['/token']).toHaveProperty('post')
+  })
+
+  it('/.well-known/jwks.json has GET with S3 integration', () => {
+    const get = paths['/.well-known/jwks.json']?.['get'] as Record<string, unknown>
+    const integration = get['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('aws')
+  })
+})
+
+describe('public-api.yaml components', () => {
+  const components = template['components'] as Record<string, Record<string, unknown>>
+  const schemas = components['schemas']
+
+  it('defines required schemas', () => {
+    expect(schemas).toHaveProperty('JWKSFile')
+    expect(schemas).toHaveProperty('TokenResponse')
+    expect(schemas).toHaveProperty('Error')
+  })
+})
+
+describe('public-api.yaml request validators', () => {
+  const validators = template['x-amazon-apigateway-request-validators'] as Record<string, unknown>
+
+  it('defines Validate both', () => {
+    expect(validators).toHaveProperty('Validate both')
+  })
+
+  it('defines Validate Param only', () => {
+    expect(validators).toHaveProperty('Validate Param only')
+  })
+})