kb/testing
Terraform testing is real, not a myth. The native `.tftest.hcl` (TF 1.6+) with `run` and `assert`, mock providers for unit tests without a cloud, Terratest for integration scenarios in Go, terraform-compliance for BDD policy. What to test, what to skip, and how to keep the test suite from becoming a project of its own.
A mock provider replaces a real AWS provider with synthetic responses. Tests run without the cloud, in seconds rather than minutes. Declare one in `*.tftest.hcl` with `mock_provider "aws"`. To substitute a single resource or data source, use `override_resource` or `override_data`. Without mocks, every `command = apply` block needs something real to apply against, which in practice means LocalStack.
Since version 1.6, Terraform ships a built-in test runner. Files named `*.tftest.hcl` describe scenarios through `run` blocks (each a mini plan or apply) and `assert` checks. The `terraform test` command runs all of them and reports pass/fail. No cloud account is required: with `command = plan` the runner evaluates expressions against plan output and creates no resources. The caveat is that plan-mode assertions can only reference values known at plan time (configured attributes, locals, variables); computed attributes such as an ARN stay unknown until an apply run, real or mocked.
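As an added example (not code from the page or from HashiCorp), here is a small module together with a test file that exercises everything above: a `mock_provider` with `mock_resource` defaults, a top-level `override_data`, plan-mode `assert` blocks on configured values, `expect_failures` for an input contract, and one `command = apply` run that completes against the mock instead of AWS. The module, variable names, bucket names and the account id `123456789012` are all constructed for the example. Native tests need Terraform 1.6; `mock_provider` and the `override_*` blocks need 1.7 or later. Both files are HCL, so they share one fence here; in a real repository `main.tf` sits in the module root and the test file under `tests/`.

```hcl
# main.tf: the module under test (constructed for this example)
variable "name" {
  type = string
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be dev, staging or prod."
  }
}

data "aws_caller_identity" "current" {}

locals {
  bucket_name = "${var.name}-${var.environment}"
  # Business rule under test: only prod buckets keep object versions.
  versioning = var.environment == "prod" ? "Enabled" : "Suspended"
}

resource "aws_s3_bucket" "this" {
  bucket = local.bucket_name
  tags = {
    Owner       = data.aws_caller_identity.current.account_id
    Environment = var.environment
  }
}

resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = local.versioning
  }
}

output "bucket_arn" {
  value = aws_s3_bucket.this.arn
}

# tests/bucket.tftest.hcl: run with `terraform test`, no AWS credentials needed
mock_provider "aws" {
  # Computed attributes come from here on apply instead of from the AWS API.
  mock_resource "aws_s3_bucket" {
    defaults = {
      arn = "arn:aws:s3:::mocked-bucket"
    }
  }
}

# Defaults for every run block; a run block may override them.
variables {
  name        = "payments-logs"
  environment = "prod"
}

# Replace one data source with a fixed answer: no API call, stable value.
override_data {
  target = data.aws_caller_identity.current
  values = {
    account_id = "123456789012" # constructed placeholder account id
  }
}

run "prod_bucket_is_named_and_versioned" {
  command = plan # evaluates configured values only; nothing is created

  assert {
    condition     = aws_s3_bucket.this.bucket == "payments-logs-prod"
    error_message = "bucket name must be <name>-<environment>"
  }
  assert {
    condition     = aws_s3_bucket_versioning.this.versioning_configuration[0].status == "Enabled"
    error_message = "prod buckets must have versioning enabled"
  }
  assert {
    condition     = aws_s3_bucket.this.tags["Owner"] == "123456789012"
    error_message = "Owner tag must carry the caller account id"
  }
}

run "unknown_environment_is_rejected" {
  command = plan
  variables {
    environment = "production"
  }
  # The validation block is expected to fail; the run passes because it did.
  expect_failures = [var.environment]
}

run "apply_against_mock_provider" {
  command = apply # a real apply, but the mock provider answers instead of AWS
  assert {
    condition     = output.bucket_arn == "arn:aws:s3:::mocked-bucket"
    error_message = "computed arn should come from mock_resource defaults"
  }
}
```

The first run checks a business rule and a naming contract using only plan-time values, the second checks that the input contract rejects bad input, and the third shows why the mock matters: `output.bucket_arn` is unknown in a plan run and only becomes assertable after an apply, which the mock completes in seconds without an account.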
terraform-compliance reads a plan file (`plan.json`) and applies BDD rules written in Gherkin. "Given a resource of type X, it must contain a property Y" reads cleanly for non-engineers and enforces policy before apply. It is an alternative to OPA/Rego for teams that prefer natural language, though it is less capable: you cannot write complex cross-resource checks.
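An added example of the kind of Gherkin rule described above (constructed for this page, not taken from the terraform-compliance project): a feature file that requires ownership tags on every S3 bucket and rejects public ACLs. The resource type, tag names and ACL values are assumptions for the example. It runs against a plan exported as JSON, typically `terraform plan -out=plan.out`, then `terraform show -json plan.out > plan.json`, then `terraform-compliance -p plan.json -f features/`.

```gherkin
# features/s3.feature (constructed example; evaluated against plan.json)
Feature: S3 buckets are owned and not world-readable

  Scenario Outline: Every bucket carries the mandatory tags
    Given I have aws_s3_bucket defined
    When it has tags
    Then it must contain <tag>
    And its value must match the "<pattern>" regex

    Examples:
      | tag         | pattern |
      | Owner       | .+      |
      | Environment | .+      |

  Scenario: No bucket is created with a public ACL
    Given I have aws_s3_bucket defined
    When it contains acl
    Then its value must not match the "public-read|public-read-write" regex
```

Each scenario is scoped to one resource type and inspects its own attributes, which is exactly the boundary mentioned above: a rule such as "every bucket's KMS key must live in the same account as the bucket" spans two resources and is better expressed in OPA/Rego.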
Infrastructure is not an application, so do not apply the test pyramid literally. Test module contracts, business rules, complex expressions, and refactors that should produce no destroy. Do not test that the provider works, that the AWS API returns 200, or that a trivial `name = var.name` holds. The goal is to catch regressions, not to prove correctness.