Skip to content

ROSAENG-60112 | test: add unit tests for pkg/aws#3299

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
olucasfreitas:ROSAENG-60112-1A
Jul 1, 2026
Merged

ROSAENG-60112 | test: add unit tests for pkg/aws#3299
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
olucasfreitas:ROSAENG-60112-1A

Conversation

@olucasfreitas

@olucasfreitas olucasfreitas commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

PR Summary

Add meaningful unit tests for previously untested files and functions in pkg/aws/, focusing on ROSA-specific business logic rather than thin AWS SDK wrappers.

Detailed Description of the Issue

The pkg/aws/ package is the largest shared package in the ROSA CLI and contains critical business logic for IAM role lifecycle management, OIDC provider operations, CloudFormation stack management, service quota validation, policy document processing, and STS role operations. Many of these functions had no automated coverage despite being called across dozens of CLI commands.

This PR adds focused tests for the functions that contain real ROSA decision logic, while intentionally skipping thin pass-through wrappers that would only test mock wiring.

Related Issues and PRs

Type of Change

  • feat
  • fix
  • docs
  • style
  • refactor
  • test
  • chore
  • build
  • ci
  • perf

Previous Behavior

Large portions of pkg/aws/ had no automated test coverage, including entire files like idps.go, quota.go, policy_document.go, cloudformation.go (beyond EnsureOsdCcsAdminUser), and sts.go.

Behavior After This Change

309 specs in pkg/aws (up from 121 baseline). New coverage across 8 test files:

File Specs What's covered
idps_test.go 11 OIDC provider Create/Has/Delete with tags, NoSuchEntity, URL mismatch
quota_test.go 7 GetServiceQuota lookup, GetIAMServiceQuota via mock
policy_document_test.go 30 Parse, interpolate, principals, actions, GenerateRolePolicyDoc, GovCloud
helpers_additional_test.go ~63 ARN/path/proxy validators, name builders, isSTS, resolveSTSRole
cloudformation_test.go 22 CheckStackReady, GetCFStack, DeleteCFStack, UpdateStack no-op, buildInput
sts_test.go 25 ValidateRoleARNAccountID, HasPermissionsBoundary, SortRolesByLinkedRole, DeleteUserRole, DeleteOCMRole
client_additional_test.go 14 CheckRoleExists, GetRoleByARN, GetRoleByName, SecretsManager CRUD
policies_additional_test.go 14 hasCompatibleMajorMinorVersionTags (semver upgrade logic), IsPolicyCompatible

Intentionally not included:

  • ValidateSCP (deep SimulatePrincipalPolicy paginator dependencies)
  • ValidateQuota/ListServiceQuotas (internal paginator, not mockable cleanly)
  • CreateS3Bucket/DeleteS3Bucket (5+ chained S3 mock expectations)
  • Thin pass-through wrappers that only test mock wiring

How to Test (Step-by-Step)

Preconditions

  • Go toolchain installed
  • Repository cloned with hooks installed

Test Steps

  1. go test ./pkg/aws/... -count=1 -v
  2. go vet ./pkg/aws/...

Expected Results

  • 309/309 specs pass
  • go vet clean

Proof of the Fix

  • Pre-push checks passed (format, build, lint, coverage, unit tests)

Breaking Changes

  • No breaking changes

Developer Verification Checklist

  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • make install-hooks has been run in this clone.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make test passes.
  • make lint passes.
  • make rosa passes.
  • Documentation or repo-local agent guidance was added/updated where appropriate.
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • Tests
    • Added/expanded Ginkgo/Gomega test suites covering AWS client behavior: CloudFormation stack readiness/deletion/update handling, IAM OIDC provider create/list/delete, STS role/account validation and cleanup flows, and service quota lookup.
    • Expanded IAM policy document tests for parsing, interpolation (partition/arn handling), and action permission evaluation.
    • Added helper-focused unit tests for ARN/ID formatting, option/subnet formatting, deterministic naming, and STS role detection.
    • Extended policy compatibility testing using OpenShift version tags, including GovCloud scenarios, malformed inputs, and error propagation.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2026
@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 30, 2026
@olucasfreitas olucasfreitas changed the title ROSAENG-60112 | test: add unit tests for pkg/aws (Phase 1A) ROSAENG-60112 | test: add unit tests for pkg/aws Jun 30, 2026
@olucasfreitas olucasfreitas marked this pull request as ready for review June 30, 2026 13:56
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2026
@openshift-ci openshift-ci Bot requested review from amandahla and davidleerh June 30, 2026 13:56
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c2d0b8bd-7b54-4e1a-b2dd-167c763527ea

📥 Commits

Reviewing files that changed from the base of the PR and between 0df0e84 and 7282901.

📒 Files selected for processing (7)
  • pkg/aws/cloudformation_test.go
  • pkg/aws/helpers_test.go
  • pkg/aws/idps_test.go
  • pkg/aws/policies_test.go
  • pkg/aws/policy_document_test.go
  • pkg/aws/quota_test.go
  • pkg/aws/sts_test.go
🚧 Files skipped from review as they are similar to previous changes (7)
  • pkg/aws/quota_test.go
  • pkg/aws/sts_test.go
  • pkg/aws/idps_test.go
  • pkg/aws/policies_test.go
  • pkg/aws/cloudformation_test.go
  • pkg/aws/policy_document_test.go
  • pkg/aws/helpers_test.go

📝 Walkthrough

Walkthrough

New Ginkgo/Gomega test coverage was added under pkg/aws for CloudFormation, IAM OIDC provider operations, policy document utilities, service quota lookup, STS role flows, helper functions, and policy compatibility logic. The changes add mocked AWS client setup and assertions for request formation, response handling, validation cases, and error propagation across these areas.

Suggested reviewers

  • davidleerh
  • marcolan018

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❌ Error One new Ginkgo title embeds the date-like literal 2012-10-17, which the check forbids in test names. Rename that spec to a static description, e.g. use 'default version' instead of the literal policy version date.
Test Structure And Quality ⚠️ Warning New specs mostly use bare Gomega assertions like Expect(err).NotTo(HaveOccurred()) with no diagnostic messages. Add short failure messages to key assertions (e.g. Expect(err).NotTo(HaveOccurred(), "failed to update stack")) and keep the rest consistent.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise, follows the required ticket/type format, and accurately describes the main change: adding tests for pkg/aws.
Description check ✅ Passed The PR description mostly matches the template and includes the required summary, issue context, related links, testing, and verification sections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Microshift Test Compatibility ✅ Passed Added specs are unit tests for pkg/aws AWS SDK/mocks only; no OpenShift APIs, MicroShift guards, or unsupported cluster assumptions found.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The added Ginkgo specs are pure pkg/aws unit tests with mocks; no SNO skip labels, topology checks, or multi-node assumptions were found.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds pkg/aws unit tests; no manifests, controllers, pod specs, or topology-aware scheduling code were changed, so no new scheduling constraints.
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes were found in the added test files or pkg/aws suite entrypoints; only normal Ginkgo RunSpecs stubs and spec bodies appear.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The new Ginkgo suites are mock-based unit tests; no live AWS, public internet, or host/IP construction calls were found. IPv4 literals are only validator inputs.
No-Weak-Crypto ✅ Passed Scanned the touched pkg/aws test files; none reference MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed PR only adds Go test files under pkg/aws; no container/K8s manifests or privileged settings are introduced.
No-Sensitive-Data-In-Logs ✅ Passed No logging calls or writer output found in the added test files; only fixtures/error strings appear, so nothing logs sensitive data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🧹 Nitpick comments (3)
pkg/aws/helpers_additional_test.go (1)

252-268: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Drop the redundant fmt.Sprintf wrappers here and remove the now-unused fmt import.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/aws/helpers_additional_test.go` around lines 252 - 268, The tests in
SetSubnetOption are wrapping static expected strings with fmt.Sprintf
unnecessarily, and fmt becomes unused as a result. Update the expectations in
helpers_additional_test.go to use plain string literals in the SetSubnetOption
assertions, and remove the fmt import from the test file if it is no longer
referenced anywhere else.

Source: Linters/SAST tools

pkg/aws/quota_test.go (1)

149-155: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Match the request payload, not the exact context value.

These expectations hard-code context.Background(), so they will fail if GetIAMServiceQuota is updated to use a derived timeout/cancelable context without changing its observable behavior. Prefer gomock.Any() for the context.Context argument and keep the assertion on ServiceCode/QuotaCode.

♻️ Proposed change
-			mockIAMQuotaAPI.EXPECT().GetServiceQuota(
-				context.Background(),
+			mockIAMQuotaAPI.EXPECT().GetServiceQuota(
+				gomock.Any(),
 				&servicequotas.GetServiceQuotaInput{
 					ServiceCode: awsSdk.String(IAMServiceCode),
 					QuotaCode:   awsSdk.String(quotaCode),
 				},
 			).Return(expectedOutput, nil)
@@
-			mockIAMQuotaAPI.EXPECT().GetServiceQuota(
-				context.Background(),
+			mockIAMQuotaAPI.EXPECT().GetServiceQuota(
+				gomock.Any(),
 				&servicequotas.GetServiceQuotaInput{
 					ServiceCode: awsSdk.String(IAMServiceCode),
 					QuotaCode:   awsSdk.String(quotaCode),
 				},
 			).Return(nil, fmt.Errorf("access denied"))

As per path instructions, "context.Context for cancellation and timeouts" and "Flag weak tests that only restate implementation or changes that weaken existing assertions."

Also applies to: 167-173

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/aws/quota_test.go` around lines 149 - 155, The test expectations in
GetIAMServiceQuota are too strict about the exact context value and should not
pin to context.Background(). Update the mocked GetServiceQuota call to accept
any context argument while still asserting the request payload fields in
servicequotas.GetServiceQuotaInput, specifically ServiceCode and QuotaCode.
Apply the same change in the matching expectation block elsewhere in
quota_test.go so the test stays stable if GetIAMServiceQuota switches to a
derived cancelable or timeout context.

Source: Path instructions

pkg/aws/cloudformation_test.go (1)

404-411: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid baking nil-vs-empty slice internals into this spec.

These assertions require buildCreateStackInput to return nil slices specifically, even though the observable behavior here is just "no params/tags". BeEmpty() keeps the test focused on behavior and avoids failing on harmless refactors.

Suggested change
 	Expect(*input.StackName).To(Equal("stack"))
 	Expect(*input.TemplateBody).To(Equal("body"))
 	Expect(input.Capabilities).To(HaveLen(3))
-	Expect(input.Parameters).To(BeNil())
-	Expect(input.Tags).To(BeNil())
+	Expect(input.Parameters).To(BeEmpty())
+	Expect(input.Tags).To(BeEmpty())

As per coding guidelines, "Be explicit about nil versus empty slices only when behavior truly depends on it."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/aws/cloudformation_test.go` around lines 404 - 411, The spec for
buildCreateStackInput is asserting nil slices for Parameters and Tags, which
couples the test to an internal representation instead of the observable
behavior. Update the cloudformation_test expectations in the "Handles empty
params and tags" case to use BeEmpty() for the Parameters and Tags fields while
keeping the existing StackName, TemplateBody, and Capabilities checks unchanged.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/aws/client_additional_test.go`:
- Around line 196-259: The Secrets Manager tests currently use gomock.Any() for
the API inputs, so they do not verify the request payloads built by
CreateSecretInSecretsManager and DeleteSecretInSecretsManager. Update the
expectations on mockSecretsManagerAPI.CreateSecret, DescribeSecret, and
DeleteSecret to match the actual request structs and assert fields like
Description, SecretString, tags.RedHatManaged, SecretId, and
ForceDeleteWithoutRecovery=true. Keep the assertions in the Context blocks for
CreateSecretInSecretsManager and DeleteSecretInSecretsManager so these specs
validate the exact behavior.

In `@pkg/aws/cloudformation_test.go`:
- Around line 298-320: The DeleteOsdCcsAdminUser tests only verify error
handling and don’t assert the stack name being deleted, so they can miss
regressions where DeleteStack targets the wrong stack. In the existing
DeleteOsdCcsAdminUser specs around mockCfAPI.EXPECT().DeleteStack, add an
assertion on the DeleteStackInput.StackName argument just like the DeleteCFStack
test does, while keeping the current TokenAlreadyExistsException and propagation
checks intact.

In `@pkg/aws/policies_additional_test.go`:
- Around line 116-123: The `IsPolicyCompatible` tests are too loose because
`mockIamAPI.EXPECT().ListPolicyTags` uses `gomock.Any()` for the request, so
they do not verify the requested ARN is forwarded correctly. Update the
expectations in the affected specs to match the specific
`*iam.ListPolicyTagsInput` and assert its `PolicyArn` equals the ARN passed to
`IsPolicyCompatible`, while keeping the existing tag/version assertions intact.

In `@pkg/aws/policy_document_test.go`:
- Around line 222-225: The test in GetAllowedActions is overfitting to a nil
return for an empty PolicyDocument. Update the assertion in the
NewPolicyDocument/GetAllowedActions case to check for an empty result instead of
nil, so the test validates the semantic contract while still allowing future
implementations to return an empty slice.
- Around line 77-86: The test for PolicyStatement.GetAWSPrincipals currently
uses an order-insensitive assertion, so it can miss regressions in principal
normalization order. Update the assertion in the GetAWSPrincipals test to verify
the returned slice order exactly, using the PolicyStatement and GetAWSPrincipals
symbols to locate it. Keep the expected principals in the same sequence so the
test reflects the order-sensitive behavior relied on by the downstream caller in
policies.go.

In `@pkg/aws/sts_test.go`:
- Around line 402-420: Add a focused test for the non-DeleteConflictException
DeletePolicy path in the DeleteOCMRole flow. Extend the sts_test.go coverage
around DeleteOCMRole to verify that when mockIamAPI.DeletePolicy returns a
different error, the method aborts and returns that error instead of continuing.
Keep the existing DeleteConflictException test, but add a separate case in the
same test suite using DeleteOCMRole, DeletePolicy, and the IAM mocks to assert
the default failure branch.
- Around line 279-317: These DeleteUserRole specs are too permissive because
they use gomock.Any() for destructive IAM inputs, so regressions that target the
wrong role or policy could still pass. Tighten the expectations in
DeleteUserRole-related tests by asserting the actual RoleName and PolicyArn
values passed to ListAttachedRolePolicies, DetachRolePolicy, GetRole,
DeleteRolePermissionsBoundary, and DeleteRole instead of matching everything
with gomock.Any(). Keep the assertions focused on the critical request payloads
so the tests verify the correct resources are being deleted.

---

Nitpick comments:
In `@pkg/aws/cloudformation_test.go`:
- Around line 404-411: The spec for buildCreateStackInput is asserting nil
slices for Parameters and Tags, which couples the test to an internal
representation instead of the observable behavior. Update the
cloudformation_test expectations in the "Handles empty params and tags" case to
use BeEmpty() for the Parameters and Tags fields while keeping the existing
StackName, TemplateBody, and Capabilities checks unchanged.

In `@pkg/aws/helpers_additional_test.go`:
- Around line 252-268: The tests in SetSubnetOption are wrapping static expected
strings with fmt.Sprintf unnecessarily, and fmt becomes unused as a result.
Update the expectations in helpers_additional_test.go to use plain string
literals in the SetSubnetOption assertions, and remove the fmt import from the
test file if it is no longer referenced anywhere else.

In `@pkg/aws/quota_test.go`:
- Around line 149-155: The test expectations in GetIAMServiceQuota are too
strict about the exact context value and should not pin to context.Background().
Update the mocked GetServiceQuota call to accept any context argument while
still asserting the request payload fields in
servicequotas.GetServiceQuotaInput, specifically ServiceCode and QuotaCode.
Apply the same change in the matching expectation block elsewhere in
quota_test.go so the test stays stable if GetIAMServiceQuota switches to a
derived cancelable or timeout context.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c41d6d33-5f37-47ab-96ef-0c1e8380933f

📥 Commits

Reviewing files that changed from the base of the PR and between 2ece616 and b20c973.

📒 Files selected for processing (8)
  • pkg/aws/client_additional_test.go
  • pkg/aws/cloudformation_test.go
  • pkg/aws/helpers_additional_test.go
  • pkg/aws/idps_test.go
  • pkg/aws/policies_additional_test.go
  • pkg/aws/policy_document_test.go
  • pkg/aws/quota_test.go
  • pkg/aws/sts_test.go

Comment thread pkg/aws/client_additional_test.go Outdated
Comment thread pkg/aws/cloudformation_test.go
Comment thread pkg/aws/policies_additional_test.go Outdated
Comment thread pkg/aws/policy_document_test.go Outdated
Comment thread pkg/aws/policy_document_test.go Outdated
Comment thread pkg/aws/sts_test.go
Comment thread pkg/aws/sts_test.go
@amandahla

Copy link
Copy Markdown
Contributor

@olucasfreitas

Several specs look like thin pass-through + mock wiring, which the PR description says you intentionally skipped.
Should these be dropped, or tightened with ROSA-specific assertions (tags, error mapping, branching)?

  • pkg/aws/client_additional_test.go: CheckRoleExists, GetRoleByName, GetIAMServiceQuota, CreateSecretInSecretsManager, DeleteSecretInSecretsManager (especially where gomock.Any() is used and inputs/tags are not checked)
  • pkg/aws/sts_test.go: HasPermissionsBoundary
  • pkg/aws/cloudformation_test.go: DeleteCFStack, GetCFStack, DescribeCFStackResources (when they only assert mock success/error propagation)

Or should the ones with real branching stay — e.g. DeleteOCMRole, DeleteUserRole, UpdateStack no-op, CheckStackReadyOrNotExisting — and only the list above be removed or upgraded?

@coderabbitai give your opinion

Comment thread pkg/aws/sts_test.go Outdated
Comment thread pkg/aws/cloudformation_test.go Outdated
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== File map =="
fd -t f 'client_additional_test.go|sts_test.go|cloudformation_test.go|client.go|sts.go|cloudformation.go|quota.go' pkg/aws

echo
echo "== Outline: pkg/aws/client_additional_test.go =="
ast-grep outline pkg/aws/client_additional_test.go --view expanded || true

echo
echo "== Outline: pkg/aws/sts_test.go =="
ast-grep outline pkg/aws/sts_test.go --view expanded || true

echo
echo "== Outline: pkg/aws/cloudformation_test.go =="
ast-grep outline pkg/aws/cloudformation_test.go --view expanded || true

echo
echo "== Candidate implementation locations =="
rg -nP --type=go -C2 '\b(CheckRoleExists|GetRoleByName|GetIAMServiceQuota|CreateSecretInSecretsManager|DeleteSecretInSecretsManager|HasPermissionsBoundary|DeleteCFStack|GetCFStack|DescribeCFStackResources|DeleteOCMRole|DeleteUserRole|UpdateStack|CheckStackReadyOrNotExisting)\b' pkg/aws

echo
echo "== Read focused slices: client tests =="
sed -n '1,260p' pkg/aws/client_additional_test.go

echo
echo "== Read focused slices: sts tests =="
sed -n '1,260p' pkg/aws/sts_test.go

echo
echo "== Read focused slices: cloudformation tests =="
sed -n '1,280p' pkg/aws/cloudformation_test.go

echo
echo "== Read focused slices: relevant implementations =="
for f in pkg/aws/client.go pkg/aws/sts.go pkg/aws/cloudformation.go pkg/aws/quota.go; do
  if [ -f "$f" ]; then
    echo
    echo "---- $f ----"
    rg -nP --type=go -C4 '\bfunc\s+\(.*\)\s*(CheckRoleExists|GetRoleByName|GetIAMServiceQuota|CreateSecretInSecretsManager|DeleteSecretInSecretsManager|HasPermissionsBoundary|DeleteCFStack|GetCFStack|DescribeCFStackResources|DeleteOCMRole|DeleteUserRole|UpdateStack|CheckStackReadyOrNotExisting)\b' "$f" || true
  fi
done

Length of output: 74264


@amandahla I’d be selective here: keep the tests that exercise branching/error-mapping, and either tighten or drop the thin wrappers.

My opinion, based on the current implementations:

Keep

  • CheckRoleExists — meaningful because it maps NoSuchEntity to (false, "", nil) and returns the ARN on success.
  • DeleteSecretInSecretsManager — meaningful because it has real branching: DescribeSecret first, treat ResourceNotFoundException as success, then delete.
  • GetCFStack — borderline, but I’d keep it because it adds behavior beyond pass-through: empty DescribeStacks result becomes a custom “No CF stacks with name …” error.
  • DeleteOCMRole, DeleteUserRole, UpdateStack, CheckStackReadyOrNotExisting — definitely keep; these match the PR’s stated goal.

Tighten

  • CreateSecretInSecretsManager — only worth keeping if it asserts the constructed request, not just the return value. Specifically, check Name, SecretString, and the derived Description.
  • GetIAMServiceQuota — only worth keeping if it asserts the request shape, especially that ServiceCode is fixed to IAM and QuotaCode is passed through correctly.

Drop unless upgraded

  • GetRoleByName — currently just “calls GetRole, returns role/error”.
  • HasPermissionsBoundary — currently just “calls GetRole, checks nil vs non-nil”.
  • DeleteCFStack — pure pass-through with input wiring.
  • DescribeCFStackResources — mostly pass-through today; the stack-name assertion helps, but not enough by itself for this PR’s scope.

So if I were reviewing the PR against its own description, I’d recommend:

  1. Keep the real-logic tests.
  2. Upgrade CreateSecretInSecretsManager and GetIAMServiceQuota if the team wants those helpers covered.
  3. Remove the rest of the thin wrapper specs rather than padding coverage.

One nuance: gomock.Any() is fine for context.Context and variadic options, but not for the primary AWS input struct when request shaping is the whole value of the test.

Comment thread pkg/aws/cloudformation_test.go Outdated
Comment thread pkg/aws/helpers_additional_test.go Outdated
Comment thread pkg/aws/policies_additional_test.go Outdated
Comment thread pkg/aws/policies_additional_test.go Outdated
Comment thread pkg/aws/client_additional_test.go Outdated
Comment thread pkg/aws/quota_test.go Outdated
Comment thread pkg/aws/sts_test.go Outdated
Comment thread pkg/aws/quota_test.go
Comment thread pkg/aws/idps_test.go
Comment thread pkg/aws/sts_test.go
Comment thread pkg/aws/client_additional_test.go Outdated
@amandahla

amandahla commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@olucasfreitas @coderabbitai Explaining some comments: I asked Cursor to use e2e as a checklist of behaviors pkg/aws must support → unit should cover those functions/branches or explain why not.
So, if there are comments that dont need to be applied/covered in another test somewhere, no action required.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@amandahla That makes sense — thanks for clarifying.

I’ll use that standard going forward for this PR: treat the e2e flows as the checklist of required pkg/aws behaviors, and only push on unit tests when they leave a real behavior/branch uncovered or when the omission should be explicitly justified.

So yes: if a comment doesn’t imply a missing behavior gap or coverage that needs to exist elsewhere, no action required.


✏️ Learnings added
Learnt from: amandahla
URL: https://github.com/openshift/rosa/pull/3299

Timestamp: 2026-06-30T15:12:11.187Z
Learning: For the ROSA repository, when reviewing unit-test PRs in `pkg/aws`, use end-to-end scenarios as the checklist of required behaviors. Unit tests should cover the relevant functions/branches for those behaviors or explicitly explain why coverage is omitted; if a review comment does not point to a real uncovered behavior gap or missing explanation elsewhere, no action is required.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@amandahla Got it — that makes sense.

I’ll use that standard for this PR: treat the e2e coverage as the behavior checklist for pkg/aws, and only push on unit-test comments when they point to a missing function/branch behavior that should be covered or explicitly justified. If a comment doesn’t imply a real coverage gap elsewhere, then no action is needed.


✏️ Learnings added
Learnt from: amandahla
URL: https://github.com/openshift/rosa/pull/3299

Timestamp: 2026-06-30T15:12:21.197Z
Learning: For pull request reviews in the `openshift/rosa` repository when evaluating unit tests under `pkg/aws`, use end-to-end tests as a checklist of required behaviors. Unit tests should either cover the corresponding functions and branches or explain why coverage is intentionally omitted. If a review comment does not point to a real missing behavior that needs to be covered elsewhere, no action is required.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@olucasfreitas

Copy link
Copy Markdown
Contributor Author

Agreed with the assessment. Dropping the thin pass-through tests (GetRoleByName, SecretsManager, DeleteCFStack, GetCFStack, DescribeCFStackResources, HasPermissionsBoundary, GetIAMServiceQuota) and keeping only the ones with real branching logic. Also merging the *_additional_test.go files into their originals per the file-organization feedback.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
pkg/aws/cloudformation_test.go (2)

197-246: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

UpdateStack still misses the post-update waiter branch.

The current cases stop before the main success flow. There's no spec proving that a successful UpdateStack call actually waits for completion or that waiter failures are propagated, so that behavior can regress unnoticed. As per coding guidelines, "Add focused automated tests when behavior changes in a way that could regress" and "Do not weaken tests. Tests should prove correctness, not hide regressions." As per path instructions, "Review for test coverage impact..."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/aws/cloudformation_test.go` around lines 197 - 246, Add test coverage for
the successful UpdateStack path in UpdateStack/UpdateStack so the waiter branch
is exercised: verify that a non-error update calls the post-update waiter, and
add a case where the waiter returns an error to ensure it is propagated. Use the
existing awsClient.UpdateStack, mockCfAPI.EXPECT().UpdateStack, and any
waiter/mock hook used by the success flow to locate and extend the current
UpdateStack specs.

Sources: Coding guidelines, Path instructions


166-195: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Cover the successful delete path as well.

These specs only exercise the early returns from DeleteOsdCcsAdminUser. The branch where DeleteStack succeeds and the method waits for stack deletion is still untested, so a regression that skips waitForStackDeleteComplete or drops its error would pass here. As per coding guidelines, "All code should be covered by tests" and "Do not weaken tests. Tests should prove correctness, not hide regressions." As per path instructions, "Review for test coverage impact..." and "Flag weak tests that only restate implementation or changes that weaken existing assertions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/aws/cloudformation_test.go` around lines 166 - 195, Add test coverage for
the successful path in DeleteOsdCcsAdminUser, not just the
TokenAlreadyExistsException and generic error branches. In the
cloudformation_test.go specs, use the DeleteOsdCcsAdminUser behavior to verify
that when DeleteStack succeeds, the method still calls
waitForStackDeleteComplete and returns nil only when that wait completes
successfully. If waitForStackDeleteComplete returns an error, assert that
DeleteOsdCcsAdminUser propagates it.

Sources: Coding guidelines, Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/aws/helpers_test.go`:
- Around line 993-1020: The `resolveSTSRole` test suite is missing coverage for
the malformed STS assumed-role shape, so add a focused negative test alongside
the existing `resolveSTSRole` cases. In `helpers_test.go`, create an ARN with
service `sts` and a resource beginning with `assumed-role/` but with too few
path segments, then assert `resolveSTSRole` returns an error. Keep the test
grouped with the current `When("the ARN is a valid STS assumed-role")` and
`When("the ARN is not an STS ARN")` blocks so it clearly validates the
resource-shape parsing branch.

In `@pkg/aws/sts_test.go`:
- Around line 235-240: The DeleteRole gomock expectation is matching an extra
variadic argument that the real call never passes, so the expectation does not
match awsClient.DeleteRole. Update the DeleteRole expectation in the sts test to
match only the context and iam.DeleteRoleInput arguments, using the existing
mockIamAPI expectation setup, so it aligns with the actual iamClient.DeleteRole
invocation that omits optFns.

---

Outside diff comments:
In `@pkg/aws/cloudformation_test.go`:
- Around line 197-246: Add test coverage for the successful UpdateStack path in
UpdateStack/UpdateStack so the waiter branch is exercised: verify that a
non-error update calls the post-update waiter, and add a case where the waiter
returns an error to ensure it is propagated. Use the existing
awsClient.UpdateStack, mockCfAPI.EXPECT().UpdateStack, and any waiter/mock hook
used by the success flow to locate and extend the current UpdateStack specs.
- Around line 166-195: Add test coverage for the successful path in
DeleteOsdCcsAdminUser, not just the TokenAlreadyExistsException and generic
error branches. In the cloudformation_test.go specs, use the
DeleteOsdCcsAdminUser behavior to verify that when DeleteStack succeeds, the
method still calls waitForStackDeleteComplete and returns nil only when that
wait completes successfully. If waitForStackDeleteComplete returns an error,
assert that DeleteOsdCcsAdminUser propagates it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1730acfa-cc70-4a47-b915-ee6b72327a78

📥 Commits

Reviewing files that changed from the base of the PR and between b20c973 and e9d21ee.

📒 Files selected for processing (6)
  • pkg/aws/cloudformation_test.go
  • pkg/aws/helpers_test.go
  • pkg/aws/policies_test.go
  • pkg/aws/policy_document_test.go
  • pkg/aws/quota_test.go
  • pkg/aws/sts_test.go
💤 Files with no reviewable changes (1)
  • pkg/aws/quota_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/aws/policy_document_test.go

Comment thread pkg/aws/helpers_test.go
Comment thread pkg/aws/sts_test.go Outdated
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2026
@olucasfreitas

Copy link
Copy Markdown
Contributor Author

/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@olucasfreitas: Overrode contexts on behalf of olucasfreitas: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Add meaningful tests for previously untested files and functions in
pkg/aws, focusing on ROSA-specific business logic.

Test files:
- idps_test.go: OIDC provider Create/Has/Delete
- quota_test.go: GetServiceQuota lookup
- policy_document_test.go: parse, interpolate, principals, actions
- helpers_test.go: ARN validators, name builders, isSTS, resolveSTSRole
- cloudformation_test.go: CheckStackReady, UpdateStack no-op,
  DeleteOsdCcsAdminUser, buildInput helpers
- sts_test.go: ValidateRoleARNAccountID, SortRolesByLinkedRole,
  DeleteUserRole, DeleteOCMRole
- policies_test.go: hasCompatibleMajorMinorVersionTags, IsPolicyCompatible
@amandahla

Copy link
Copy Markdown
Contributor

/approve
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [amandahla,olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@olucasfreitas

Copy link
Copy Markdown
Contributor Author

/retest

@olucasfreitas

Copy link
Copy Markdown
Contributor Author

/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@olucasfreitas: Overrode contexts on behalf of olucasfreitas: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.01%. Comparing base (9c0c55a) to head (1209e32).
⚠️ Report is 11 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3299      +/-   ##
==========================================
+ Coverage   27.02%   28.01%   +0.98%     
==========================================
  Files         334      334              
  Lines       36704    36704              
==========================================
+ Hits         9920    10282     +362     
+ Misses      26029    25668     -361     
+ Partials      755      754       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@olucasfreitas: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit d0b6326 into openshift:master Jul 1, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants