framework-integ: Support specification of awsPcaAuthorityArn in framework integ tests #32621

Open
ren-yamanashi opened this issue Dec 21, 2024 · 7 comments
Labels
@aws-cdk/integ-tests documentation This is a problem with documentation. effort/medium Medium work item – several days of effort p3

Comments

@ren-yamanashi
Contributor

Describe the issue

Currently, the following document on integ testing of the framework does not describe the specification of awsPcaAuthorityArn.

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/README.md

However, in the following MR that I am currently working on, I encountered a use case where I want to specify awsPcaAuthorityArn in the integ test.

#32605

Therefore, I would like you to add support for specifying awsPcaAuthorityArn in integ tests.
(I expect it will probably be in the form of adding an environment variable).

Thank you in advance.

Links

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/README.md

@ren-yamanashi ren-yamanashi added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Dec 21, 2024
@pahud
Contributor

pahud commented Dec 23, 2024

I guess you might need tricks like this?

```ts
const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID;
if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.');
const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
```

@pahud pahud added effort/medium Medium work item – several days of effort p3 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 23, 2024
@ren-yamanashi
Contributor Author

> I guess you might need tricks like this?
>
> ```ts
> const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID;
> if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.');
> const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
> if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
> const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
> ```

@pahud

Yes, such a statement is required. However, there is no information in the documentation on which environment variable to use when specifying awsPcaAuthorityArn.

Also, this environment variable is needed when performing CI, but I do not know what value to specify for which key.

Therefore, I would like to ask for the following two things:

  1. definition of the environment variable to use when using awsPcaAuthorityArn (and change docs)
  2. adding 1 environment variable to the environment variables used by CI

@ren-yamanashi
Contributor Author

I would like to know the progress of this issue. This issue is difficult for me to implement, but is needed for the following issues

#32605

@mazyu36
Contributor

mazyu36 commented Jan 12, 2025

Is my understanding correct that a private CA certificate is required to perform this integration test?

Since the Private CA cost itself is very expensive, I think we should first discuss whether we should perform integration tests at all.
The existing aws-acmpca module doesn't have integration tests either.

(I apologize if I'm saying anything incorrect, as I'm not very familiar with PCA)

@ren-yamanashi
Contributor Author

ren-yamanashi commented Jan 12, 2025

> Is my understanding correct that a private CA certificate is required to perform this integration test?
>
> Since the Private CA cost itself is very expensive, I think we should first discuss whether we should perform integration tests at all. The existing aws-acmpca module doesn't have integration tests either.
>
> (I apologize if I'm saying anything incorrect, as I'm not very familiar with PCA)

@mazyu36

Yes, that is correct.

Thank you for the suggestion!

Would it be more appropriate to open a new Discussion for discussion?

@mazyu36
Contributor

mazyu36 commented Jan 12, 2025

How about submitting #32605 without an integration test and explaining the reason in an Exemption Request to get the maintainer’s feedback?

By the way, the mechanism of this hosted zone embeds dummy values into the template during integration test runs, instead of using the actual values applied in the tests. Therefore, it is necessary to own the domain itself for testing purposes.

As a result, even if this mechanism were implemented in PCA, you would still need to own the PCA to run the integration test.
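
An added illustration of the dummy-value idea described in the comment above, applied to a Private CA ARN: the real ARN is read from the environment, validated, and replaced by a placeholder before a template is stored. This is not aws-cdk code; the variable names `CDK_INTEG_PCA_AUTHORITY_ARN` / `PCA_AUTHORITY_ARN`, the dummy ARN and the helper names are hypothetical, and `env` stands for `process.env`.

```typescript
// Added example. The env var names, DUMMY_PCA_ARN and the helper names are
// hypothetical; aws-cdk does not define them.
type Env = Record<string, string | undefined>;

// arn:<partition>:acm-pca:<region>:<account>:certificate-authority/<uuid>
const PCA_ARN_RE = new RegExp(
  '^arn:(aws|aws-cn|aws-us-gov):acm-pca:[a-z0-9-]+:\\d{12}:' +
  'certificate-authority/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$',
);

// Placeholder that is safe to commit in a snapshot (constructed value).
const DUMMY_PCA_ARN =
  'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/' +
  '00000000-0000-0000-0000-000000000000';

// Same lookup order as the hosted-zone snippet: CDK_INTEG_* first, then bare name.
function resolvePcaArn(env: Env): string {
  const arn = env.CDK_INTEG_PCA_AUTHORITY_ARN ?? env.PCA_AUTHORITY_ARN;
  if (!arn) {
    throw new Error('For this test you must provide your own Private CA ARN ' +
      'as an env var "PCA_AUTHORITY_ARN".');
  }
  if (!PCA_ARN_RE.test(arn)) {
    // The message deliberately omits the value so it never lands in CI logs.
    throw new Error('PCA_AUTHORITY_ARN is not a well-formed acm-pca ARN.');
  }
  return arn;
}

// Swap the real ARN for the placeholder before a template is written to disk.
function scrubTemplate(templateJson: string, realArn: string): string {
  return templateJson.split(realArn).join(DUMMY_PCA_ARN);
}

// True if the owner's account id still appears anywhere in the template.
function leaksAccountId(templateJson: string, realArn: string): boolean {
  const account = realArn.split(':')[4] ?? '';
  return account !== '' && templateJson.includes(account);
}
```

Running `leaksAccountId` over a stored template works as a pre-commit check that the scrub step was not skipped.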

@ren-yamanashi
Contributor Author

> How about submitting #32605 without an integration test and explaining the reason in an Exemption Request to get the maintainer’s feedback?
>
> By the way, the mechanism of this hosted zone embeds dummy values into the template during integration test runs, instead of using the actual values applied in the tests. Therefore, it is necessary to own the domain itself for testing purposes.
>
> As a result, even if this mechanism were implemented in PCA, you would still need to own the PCA to run the integration test.

@mazyu36

Thank you for the suggestion!

As suggested, I will submit #32605 without an integration test and explain the reason in an Exemption Request 🙏.
