Add terraform test coverage for vpc + quilt modules

[sir-sigurd]

Description

Pre-factoring PR: adds the repo's first automated module tests, so logic is verified beyond fmt/validate. This is groundwork for safely changing the vpc module's network-input validation (e.g. the Transit Gateway work in #115) — a pure-logic validation bug that validate can't catch now fails a test instead.

Plan-only and provider-mocked: no AWS credentials, no infrastructure.

• modules/vpc — characterizes new-vs-existing network input validation: valid new/existing configs (internal + external ALB) plan cleanly; contradictory inputs trip the configuration_error precondition.
• modules/quilt — smoke-tests the public module end-to-end (vpc + db + search + CloudFormation) via a thin wrapper root that re-exposes only the non-sensitive stack name.

Run in a new CI test job. CI Terraform is bumped 1.5.0 → 1.10.0 (the mocked-provider test framework needs ≥ 1.7; 1.10.0 matches the floor examples/main.tf already declares).

No module behavior changes — additions are test-only plus the CI/Terraform-version bump, so there is no user-facing impact.

TODO

• No CHANGELOG entry: test/CI tooling only, nothing user-facing changes.
• No dev-stack deploy needed: no deployable change.

Greptile Summary

This PR adds the repository's first automated module tests for modules/vpc and modules/quilt, using Terraform's plan-only mocked-provider framework. No module behavior is changed — all additions are test infrastructure plus a Terraform version bump (1.5.0 → 1.10.0) required by the mock_provider feature.

• modules/vpc/tests/validation.tftest.hcl — characterises four valid VPC-config paths (new/existing × external/internal ALB) and two explicit rejection cases that exercise the configuration_error precondition.
• modules/quilt/tests/smoke/ — a thin wrapper root (needed to avoid the sensitive-output restriction on module.quilt.stack) plus four smoke-test runs covering the same VPC-path combinations end-to-end.
• CI — new test matrix job runs terraform init -backend=false && terraform test for both test roots; .terraform.lock.hcl is added to .gitignore.

Confidence Score: 5/5

Safe to merge — all changes are test infrastructure and CI configuration with no modifications to any deployable module.

The PR only adds test files, a fixture YAML, CI job configuration, and a README section. No production module logic is touched. The new tests are plan-only with a mocked AWS provider, so they carry no risk of infrastructure side-effects. The one finding is a missing required_version guard in the smoke test wrapper, which is a developer-experience nit with no impact on correctness or CI.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds a test matrix job running terraform init -backend=false && terraform test for modules/vpc and modules/quilt/tests/smoke; bumps Terraform from 1.5.0 to 1.10.0 in all jobs.
.gitignore	Adds .terraform.lock.hcl to the ignore list, formalising the existing convention of not committing generated lock files.
modules/quilt/tests/smoke/main.tf	New wrapper root that re-exposes only the non-sensitive stack_name output, enabling terraform test to run against the quilt module without hitting the sensitive-output restriction. Missing required_version = ">= 1.7" that would guard against opaque failures with older Terraform.
modules/quilt/tests/smoke/smoke.tftest.hcl	Smoke tests covering four VPC-path combinations (new/existing × external/internal ALB) via plan-only mocked provider; each run asserts the stack name propagates correctly.
modules/quilt/tests/smoke/fixtures/quilt.yaml	Minimal valid CloudFormation template stub providing a resolvable template_file path for plan-time filemd5 evaluation; clearly documented as non-deployable.
modules/vpc/tests/validation.tftest.hcl	Characterisation tests for all four valid VPC-config paths plus two explicit rejection cases; both new-VPC runs include the section-label assertion and the no-❌ assertion.
README.md	Adds a "Test" section documenting the plan-only mocked-provider workflow and the Terraform ≥ 1.7 requirement.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    CI["CI: test job\n(matrix)"]
    VPC_DIR["modules/vpc\n(terraform test)"]
    SMOKE_DIR["modules/quilt/tests/smoke\n(terraform test)"]

    CI --> VPC_DIR
    CI --> SMOKE_DIR

    VPC_DIR --> VTESTS["validation.tftest.hcl\n4 valid + 2 rejection runs"]
    VTESTS --> VPC_MOD["modules/vpc\n(mocked aws provider)"]

    SMOKE_DIR --> STESTS["smoke.tftest.hcl\n4 plan runs"]
    SMOKE_DIR --> WRAPPER["main.tf wrapper root\nre-exposes stack_name only"]
    STESTS --> WRAPPER
    WRAPPER --> QUILT_MOD["modules/quilt"]
    QUILT_MOD --> VPC_MOD2["modules/vpc\n(mocked aws provider)"]
    QUILT_MOD --> DB_MOD["modules/db"]
    QUILT_MOD --> SEARCH_MOD["modules/search"]
    QUILT_MOD --> CFN["aws_cloudformation_stack\n(fixture: quilt.yaml)"]

Loading

_{Reviews (3): Last reviewed commit: "Address review: existing-VPC + internal-..." | Re-trigger Greptile}

[Copilot]

Pull request overview

Adds initial automated Terraform module tests (plan-only, AWS provider mocked) and wires them into CI to validate module logic beyond fmt/validate, especially around VPC input validation and the public quilt module wiring.

Changes:

• Add terraform test characterization tests for modules/vpc network-input validation behavior.
• Add a smoke-test wrapper root + fixture to exercise modules/quilt end-to-end in a mocked, plan-only test.
• Add a new CI test job and bump CI Terraform from 1.5.0 to 1.10.0.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
modules/vpc/tests/validation.tftest.hcl	Adds mocked-provider plan tests covering valid/invalid new-vs-existing VPC input combinations.
modules/quilt/tests/smoke/smoke.tftest.hcl	Adds mocked-provider smoke tests asserting the wrapper exposes expected non-sensitive output.
modules/quilt/tests/smoke/main.tf	Adds a wrapper root module for testing modules/quilt without exposing sensitive outputs.
modules/quilt/tests/smoke/fixtures/quilt.yaml	Adds a minimal CloudFormation template fixture so plan-time template/file checks resolve.
.gitignore	Ignores .terraform.lock.hcl.
.github/workflows/ci.yml	Bumps Terraform version and adds a CI job to run terraform test in selected directories.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sir-sigurd]

LGTM. Design: sound — scope is coherent (the TF 1.5.0 → 1.10.0 bump is a real prerequisite, since mock_provider needs ≥ 1.7, and it matches the >= 1.10.0 floor examples/main.tf already declares), and the test-framework wiring checks out: I ran the suite locally and confirmed the mocked provider attaches across the whole tree (vpc + db + search + CFN), the required_providers-at-root block is what makes that attachment happen, expect_failures trips on the precondition rather than some unrelated error, and both layouts discover their .tftest.hcl files.

As groundwork the coverage is deliberately a first pass, so these are notes for the #115 refactor rather than asks on this PR:

• An internal = true smoke run would exercise the most conditional wiring in quilt/main.tf — the PublicSubnets/UserSubnets null-coalescing and the var.internal-gated api endpoint — which is the surface the Transit Gateway work is most likely to touch. The vpc-level test already covers internal = true; this is just the end-to-end path.
• The current tests pin "valid plans clean / contradictory fails fast" but not which requirement failed (the expect_failures on output.configuration_error collapses all rows into one boolean) or that the requirement checklist stays complete (a silently dropped row would still pass !strcontains(..., "❌")). Localizing the failing row needs a precondition-free output to assert against, so it fits naturally alongside #115 once the row structure settles.

Two small things worth doing here:

• The README "Terraform cheat sheet" has Init/Lint/Validate/Plan but no Test entry, and nothing in the repo records that running the tests needs Terraform ≥ 1.7 (for mock_provider). A one-line "Test" entry (terraform init -backend=false && terraform test from a module/wrapper dir) would give a contributor editing the vpc precondition or quilt wiring a documented way to reproduce CI.
• A one-line caution in modules/quilt/tests/smoke/main.tf that the wrapper must not output module.quilt.stack or any *_password (the whole point of re-exposing only stack.name), and that new quilt inputs need threading through here or smoke coverage silently narrows.

Reviewed against 51eae3b

[sir-sigurd]

@greptileai please re-review

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

[sir-sigurd]

@greptileai please re-review

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.