Skip to content

Feat/localstack staging smoke gate#5124

Open
Adarshkumar0509 wants to merge 20 commits into
OWASP:mainfrom
Adarshkumar0509:feat/localstack-staging-smoke-gate
Open

Feat/localstack staging smoke gate#5124
Adarshkumar0509 wants to merge 20 commits into
OWASP:mainfrom
Adarshkumar0509:feat/localstack-staging-smoke-gate

Conversation

@Adarshkumar0509

@Adarshkumar0509 Adarshkumar0509 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Proposed change

Resolves #5078

  • Implements Part B from the issue a pre-deploy smoke gate in the staging CD pipeline.
  • The smoke job runs after run-image-sign and blocks run-infrastructure-bootstrap on failure. It applies the 4 Phase 1 modules against LocalStack using real staging values (not test fixtures) to catch naming regressions before anything touches staging AWS.

Changes:

  • Smoke tests for ecr-cache, kms, parameters, storage modules
  • infrastructure/scripts/run-smoke-tests.sh auto-starts LocalStack if not running, handles S3 prevent_destroy overrides, runs only smoke files
  • make test-infrastructure-smoke target
  • run-infrastructure-smoke.yaml reusable workflow
  • run-ci-cd.yaml and ci-cd-staging.yaml wired accordingly
  • README updated with local run instructions
  • Actually it Does not touch Part A's integration tests.

Checklist

  • I followed the contributing workflow
  • I verified that my code works as intended and resolves the issue as described
  • I ran all required checks and tests locally; all warnings addressed and failures resolved
  • I used AI for code, documentation, tests, or communication related to this PR

Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
@github-actions github-actions Bot added docs Improvements or additions to documentation makefile ci infrastructure labels Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Adarshkumar0509, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 seconds

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 04c41215-8b4f-4b01-9868-fcd86e3faef5

📥 Commits

Reviewing files that changed from the base of the PR and between 9c7bbaa and 7a78981.

📒 Files selected for processing (3)
  • infrastructure/modules/parameters/tests/smoke.tftest.hcl
  • infrastructure/modules/storage/tests/smoke.tftest.hcl
  • infrastructure/scripts/run-smoke-tests.sh

Walkthrough

This PR adds LocalStack-backed infrastructure smoke testing: new CI/CD workflow wiring for LOCALSTACK_AUTH_TOKEN, a reusable smoke-test workflow, an updated Makefile with a new test-infrastructure-smoke target, a run-smoke-tests.sh script managing LocalStack lifecycle, per-module Terraform smoke test files, and documentation/dictionary updates.

Changes

LocalStack Smoke Testing Infrastructure

Layer / File(s) Summary
CI/CD workflow wiring
.github/workflows/ci-cd-staging.yaml, .github/workflows/run-ci-cd.yaml, .github/workflows/run-infrastructure-smoke.yaml
Adds LOCALSTACK_AUTH_TOKEN secret plumbing, a new run-infrastructure-smoke job required before bootstrap, and a reusable workflow that conditionally runs smoke tests based on secret presence.
Makefile targets and runner script
infrastructure/Makefile, infrastructure/scripts/run-smoke-tests.sh
Updates test-infrastructure to filter tests per-file, adds test-infrastructure-smoke target, and adds a script that starts/verifies LocalStack, overrides S3 lifecycle protection, runs filtered Terraform smoke tests, and reports pass/fail counts.
Per-module Terraform smoke tests
infrastructure/modules/ecr-cache/tests/smoke.tftest.hcl, infrastructure/modules/kms/tests/smoke.tftest.hcl, infrastructure/modules/parameters/tests/smoke.tftest.hcl, infrastructure/modules/storage/tests/smoke.tftest.hcl, infrastructure/modules/ecr-cache/.terraform.lock.hcl
Adds Terraform test configs targeting local AWS endpoints with assertions validating created ECR, KMS, SSM parameter, and storage resources against staging naming/values, plus a lock file hash update.
Documentation and dictionary
infrastructure/README.md, cspell/custom-dict.txt
Adds a Testing section documenting mock and LocalStack smoke test commands, and adds "tftest" to the spelling dictionary.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related issues

  • Add Terraform integration tests #5078: Adds LocalStack-backed smoke testing and LOCALSTACK_AUTH_TOKEN plumbing across the same CI/CD workflows and infrastructure test paths described by this issue.

Suggested reviewers: rudransh-shrivastava, kasya, arkid15r

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: adding a LocalStack-based staging smoke gate.
Description check ✅ Passed The description matches the changeset and describes the smoke gate, workflows, tests, and script updates.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 issues found across 12 files

Confidence score: 2/5

  • .github/workflows/run-infrastructure-smoke.yaml points to ./.github/actions/setup-terraform-environment, but that composite action is missing, so the smoke workflow is likely to fail at startup and block reliable CI signal — add/restore the action (or update uses: to a valid path) before merging.
  • infrastructure/scripts/run-smoke-tests.sh uses a LocalStack readiness match that can report healthy while required services are still unavailable, which can make smoke results flaky and mask real regressions — tighten the pattern to the same key/value pair per service before merging.
  • infrastructure/scripts/run-smoke-tests.sh does not fail fast when LOCALSTACK_AUTH_TOKEN is unset, so runs can proceed and fail later with less actionable errors (notably for paid-plan services like ECR) — add an early token presence check and clear exit message.
  • Test coverage in infrastructure/modules/parameters/tests/smoke.tftest.hcl and infrastructure/modules/storage/tests/smoke.tftest.hcl has blind spots (django_secret_key name not asserted; can(module.fixtures_bucket.arn) is non-informative), which weakens regression detection — add a .name assertion and replace can(...) with a meaningful ARN/value assertion.

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/run-infrastructure-smoke.yaml
Comment thread infrastructure/scripts/run-smoke-tests.sh Outdated
Comment thread infrastructure/scripts/run-smoke-tests.sh Outdated
Comment thread infrastructure/modules/parameters/tests/smoke.tftest.hcl
Comment thread infrastructure/modules/storage/tests/smoke.tftest.hcl Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/run-infrastructure-smoke.yaml:
- Around line 21-42: The smoke-gate workflow is currently fail-open: when
LOCALSTACK_AUTH_TOKEN is missing, check-secrets only sets has-token=false and
the downstream run-infrastructure-smoke-tests job is skipped, letting
run-infrastructure-bootstrap continue. Update the gating logic in check-secrets
and run-infrastructure-smoke-tests so the pre-deploy gate enforces the intended
behavior when the secret is absent, either by failing the workflow or by
explicitly blocking bootstrap instead of silently no-oping. Verify the chosen
behavior aligns with the optional-secret design and preserves the intended
security/regression gate semantics.

In `@infrastructure/Makefile`:
- Around line 10-23: The Makefile’s Terraform test filter-building logic is
duplicated in run-smoke-tests.sh, so the two paths can drift when test file
naming changes. Extract the shared “discover *.tftest.hcl files, split smoke vs
non-smoke, and assemble -filter args” behavior into one helper script and have
both the Makefile loop and run-smoke-tests.sh call it, using a mode flag such as
exclude-smoke or only-smoke. Keep the existing behavior aligned by reusing the
same helper for the logic currently embedded in the Makefile’s module/test_dir
loop and the script’s smoke-test discovery.

In `@infrastructure/scripts/run-smoke-tests.sh`:
- Around line 115-118: The no-smoke-tests error in the run_smoke_tests.sh flow
is currently written to standard output instead of standard error. Update the
error handling inside the test_count check to match the existing stderr pattern
used earlier in the script by redirecting the echo in that branch to stderr,
keeping the exit behavior unchanged.
- Around line 13-29: Update wait_for_localstack in run-smoke-tests.sh so the
readiness probe also checks that ecr and ssm are available, not just s3, kms,
iam, and sts. Keep the existing curl-based health check and extend the combined
grep condition in wait_for_localstack so the smoke tests that depend on
ecr-cache and parameters do not start until all required LocalStack services are
ready.
- Around line 13-44: The EXIT trap in the LocalStack smoke-test script can fire
before cleanup helpers are defined, causing command-not-found failures and
leaving the container behind. Move the teardown helper definitions for cleanup
and override_s3_lifecycle above the readiness and startup logic in
run-smoke-tests.sh, or register the trap only after those functions exist, so
the trap always resolves the correct symbols.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9a9a6a67-4fc9-4476-b6d2-87de71ff04c9

📥 Commits

Reviewing files that changed from the base of the PR and between f7d0fba and 9c7bbaa.

📒 Files selected for processing (12)
  • .github/workflows/ci-cd-staging.yaml
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-infrastructure-smoke.yaml
  • cspell/custom-dict.txt
  • infrastructure/Makefile
  • infrastructure/README.md
  • infrastructure/modules/ecr-cache/.terraform.lock.hcl
  • infrastructure/modules/ecr-cache/tests/smoke.tftest.hcl
  • infrastructure/modules/kms/tests/smoke.tftest.hcl
  • infrastructure/modules/parameters/tests/smoke.tftest.hcl
  • infrastructure/modules/storage/tests/smoke.tftest.hcl
  • infrastructure/scripts/run-smoke-tests.sh

Comment thread .github/workflows/run-infrastructure-smoke.yaml
Comment thread infrastructure/Makefile
Comment thread infrastructure/scripts/run-smoke-tests.sh
Comment thread infrastructure/scripts/run-smoke-tests.sh Outdated
Comment thread infrastructure/scripts/run-smoke-tests.sh
Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 3 files (changes from recent commits).

Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.

Re-trigger cubic

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.73%. Comparing base (19acaa0) to head (7a78981).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #5124   +/-   ##
=======================================
  Coverage   98.73%   98.73%           
=======================================
  Files         536      536           
  Lines       16980    16980           
  Branches     2418     2418           
=======================================
  Hits        16765    16765           
  Misses        123      123           
  Partials       92       92           
Flag Coverage Δ
backend 99.44% <ø> (ø)
frontend 96.71% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 19acaa0...7a78981. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Signed-off-by: Adarshkumar0509 <adarshkumarthakur0509@gmail.com>
@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Re-trigger cubic

@Adarshkumar0509 Adarshkumar0509 marked this pull request as ready for review July 2, 2026 23:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci docs Improvements or additions to documentation infrastructure makefile

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Terraform integration tests

1 participant