LIME-2122 - Added Template Tests for CloudFormation Templates

.github/workflows/pr-check.yml

@@ -54,7 +54,18 @@ jobs:
 
   # pact test placeholder
 
-  # infra test placholder
+  infra-tests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    concurrency:
+      group: infra-tests-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    steps:
+      - name: Setup Node
+        uses: govuk-one-login/github-actions/node/install-dependencies@4c76410195b5fcb1804fc7c183ed20704252830f
+      - name: CloudFormation template tests
+        run: npm run test:infra
 
   deploy-preview:
     name: Deploy preview stack
@@ -113,13 +124,15 @@ jobs:
       - pre-commit
       - unit-tests
       - api-tests
+      - infra-tests
     if: always()
     steps:
       - run: |
           failed=()
           [[ "${{ needs.pre-commit.result }}" != "success" ]] && failed+=("pre-commit")
           [[ "${{ needs.unit-tests.result }}" != "success" ]] && failed+=("unit-tests")
           [[ "${{ needs.api-tests.result }}" != "success" ]] && failed+=("api-tests")
+          [[ "${{ needs.infra-tests.result }}" != "success" ]] && failed+=("infra-tests")
           if [[ ${#failed[@]} -gt 0 ]]; then
             echo "The following jobs failed: ${failed[*]}"
             exit 1

README.md

@@ -35,6 +35,9 @@ See the Lime onboarding guide for detailed setup instructions.
 ### Run all tests
 `npm test`
 
+### Run Infra tests
+`npm run test:infra`
+
 ### Run with coverage
 `npm run test:coverage`
 

package.json

@@ -23,6 +23,7 @@
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "test:api": "cucumber-js --profile api",
+    "test:infra": "vitest run --config vitest.infra.config.ts",
     "type-check": "tsc --noEmit"
   },
   "devDependencies": {
@@ -40,7 +41,9 @@
     "tsx": "4.19.4",
     "typescript": "5.9.3",
     "typescript-eslint": "8.56.0",
-    "vitest": "4.1.5"
+    "vitest": "4.1.5",
+    "yaml": "2.9.0",
+    "zod": "4.4.3"
   },
   "dependencies": {
     "@aws-lambda-powertools/logger": "2.31.0",

test/infra/helpers.ts

@@ -0,0 +1,58 @@
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { parse } from 'yaml'
+import { z } from 'zod'
+
+const cfnTagNames = [
+  'And',
+  'Base64',
+  'Cidr',
+  'Condition',
+  'Equals',
+  'FindInMap',
+  'GetAtt',
+  'GetAZs',
+  'If',
+  'ImportValue',
+  'Join',
+  'Not',
+  'Or',
+  'Ref',
+  'Select',
+  'Split',
+  'Sub',
+  'Transform'
+]
+const cfnTags = cfnTagNames.flatMap((name) => [
+  { collection: 'seq' as const, resolve: (seq: unknown) => seq, tag: `!${name}` },
+  { resolve: (str: string) => str, tag: `!${name}` }
+])
+
+export const loadTemplate = (relativePath: string): Record<string, unknown> =>
+  parse(readFileSync(resolve(__dirname, '../../deploy', relativePath), 'utf-8'), {
+    customTags: cfnTags
+  }) as Record<string, unknown>
+
+// Common CloudFormation schemas
+export const cfnParameterSchema = z.object({
+  AllowedValues: z.array(z.string()).optional(),
+  Default: z.union([z.string(), z.number()]).optional(),
+  Description: z.string().optional(),
+  Type: z.string()
+})
+
+export const cfnOutputSchema = z.object({
+  Condition: z.string().optional(),
+  Description: z.string().optional(),
+  Export: z.object({ Name: z.unknown() }).optional(),
+  Value: z.unknown()
+})
+
+export const openApiSchema = z.object({
+  info: z.object({
+    title: z.string(),
+    version: z.string()
+  }),
+  openapi: z.string().regex(/^3\.\d+\.\d+$/),
+  paths: z.record(z.string(), z.record(z.string(), z.unknown()))
+})

test/infra/private-api.test.ts

@@ -0,0 +1,79 @@
+import { loadTemplate, openApiSchema } from './helpers'
+import { describe, expect, it } from 'vitest'
+
+const template = loadTemplate('private-api.yaml')
+
+const paths = template['paths'] as Record<string, Record<string, unknown>>
+
+describe('private-api.yaml structure', () => {
+  it('is a valid OpenAPI 3.x document', () => {
+    expect(openApiSchema.safeParse(template).success).toBe(true)
+  })
+
+  it('has title', () => {
+    const info = template['info'] as Record<string, string>
+    expect(info['title']).toBe('Open Banking Credential Issuer Private API')
+  })
+})
+
+describe('private-api.yaml paths', () => {
+  const expectedPaths = ['/basic-function', '/authorization', '/session']
+
+  it.each(expectedPaths)('has path: %s', (path) => {
+    expect(paths).toHaveProperty(path)
+  })
+
+  it('/basic-function has POST with aws_proxy integration', () => {
+    const post = paths['/basic-function']?.['post'] as Record<string, unknown>
+    const integration = post['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('aws_proxy')
+  })
+
+  it('/authorization has GET method', () => {
+    expect(paths['/authorization']).toHaveProperty('get')
+  })
+
+  it('/session has POST method', () => {
+    expect(paths['/session']).toHaveProperty('post')
+  })
+})
+
+describe('private-api.yaml components', () => {
+  const components = template['components'] as Record<string, Record<string, unknown>>
+
+  it('defines SessionHeader parameter', () => {
+    expect(components['parameters']).toHaveProperty('SessionHeader')
+  })
+
+  it('defines required schemas', () => {
+    const schemas = components['schemas']
+    expect(schemas).toHaveProperty('Authorization')
+    expect(schemas).toHaveProperty('AuthorizationResponse')
+    expect(schemas).toHaveProperty('Error')
+    expect(schemas).toHaveProperty('Session')
+  })
+})
+
+describe('private-api.yaml request validators', () => {
+  const validators = template['x-amazon-apigateway-request-validators'] as Record<string, unknown>
+
+  it('defines Validate both', () => {
+    expect(validators).toHaveProperty('Validate both')
+  })
+
+  it('defines Validate Param only', () => {
+    expect(validators).toHaveProperty('Validate Param only')
+  })
+})
+
+describe('private-api.yaml route validator assignments', () => {
+  it('/authorization applies Validate both', () => {
+    const get = paths['/authorization']?.['get'] as Record<string, unknown>
+    expect(get['x-amazon-apigateway-request-validator']).toBe('Validate both')
+  })
+
+  it('/session applies Validate both', () => {
+    const post = paths['/session']?.['post'] as Record<string, unknown>
+    expect(post['x-amazon-apigateway-request-validator']).toBe('Validate both')
+  })
+})

test/infra/public-api.test.ts

@@ -0,0 +1,83 @@
+import { loadTemplate, openApiSchema } from './helpers'
+import { describe, expect, it } from 'vitest'
+
+const template = loadTemplate('public-api.yaml')
+
+const paths = template['paths'] as Record<string, Record<string, unknown>>
+
+describe('public-api.yaml structure', () => {
+  it('is a valid OpenAPI 3.x document', () => {
+    expect(openApiSchema.safeParse(template).success).toBe(true)
+  })
+
+  it('has title', () => {
+    const info = template['info'] as Record<string, string>
+    expect(info['title']).toBe('Open Banking Credential Issuer Public API')
+  })
+})
+
+describe('public-api.yaml paths', () => {
+  const expectedPaths = ['/health', '/.well-known/jwks.json', '/token']
+
+  it.each(expectedPaths)('has path: %s', (path) => {
+    expect(paths).toHaveProperty(path)
+  })
+
+  it('/health has GET with mock integration', () => {
+    const get = paths['/health']?.['get'] as Record<string, unknown>
+    const integration = get['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('mock')
+  })
+
+  it('/token has POST method', () => {
+    expect(paths['/token']).toHaveProperty('post')
+  })
+
+  it('/.well-known/jwks.json has GET with S3 integration', () => {
+    const get = paths['/.well-known/jwks.json']?.['get'] as Record<string, unknown>
+    const integration = get['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('aws')
+  })
+})
+
+describe('public-api.yaml components', () => {
+  const components = template['components'] as Record<string, Record<string, unknown>>
+  const schemas = components['schemas']
+
+  it('defines required schemas', () => {
+    expect(schemas).toHaveProperty('JWKSFile')
+    expect(schemas).toHaveProperty('TokenResponse')
+    expect(schemas).toHaveProperty('Error')
+  })
+})
+
+describe('public-api.yaml request validators', () => {
+  const validators = template['x-amazon-apigateway-request-validators'] as Record<string, unknown>
+
+  it('defines Validate both', () => {
+    expect(validators).toHaveProperty('Validate both')
+  })
+
+  it('defines Validate Param only', () => {
+    expect(validators).toHaveProperty('Validate Param only')
+  })
+})
+
+describe('public-api.yaml /token security and validation', () => {
+  const post = paths['/token']?.['post'] as Record<string, unknown>
+
+  it('applies Validate both request validator', () => {
+    expect(post['x-amazon-apigateway-request-validator']).toBe('Validate both')
+  })
+
+  it('has api_key security requirement', () => {
+    const security = post['security'] as Record<string, unknown>[]
+    expect(security).toBeDefined()
+    expect(security.some((s) => 'api_key' in s)).toBe(true)
+  })
+
+  it('uses aws_proxy integration', () => {
+    const integration = post['x-amazon-apigateway-integration'] as Record<string, string>
+    expect(integration['type']).toBe('aws_proxy')
+  })
+})