diff --git a/release-version.yaml b/.github/release-version.yaml similarity index 95% rename from release-version.yaml rename to .github/release-version.yaml index 2319a0c..b443248 100644 --- a/release-version.yaml +++ b/.github/release-version.yaml @@ -1,6 +1,6 @@ ## Update this file for a new release version. -module_version: "0.1.0" +module_version: "0.2.0" ## Example for manual release notes. # release_notes: | diff --git a/.github/workflows/module-testing.yaml b/.github/workflows/module-testing.yaml new file mode 100644 index 0000000..b1ba1f2 --- /dev/null +++ b/.github/workflows/module-testing.yaml 
@@ -0,0 +1,107 @@ +name: Module Testing + +on: + workflow_dispatch: + pull_request: + paths: + - './*.tf' ## trigger if any terraform file has ben modified in repo root. + - 'scripts/*.sh' ## trigger if any involved script has been modified. + - 'tests/*.tftest.hcl' ## trigger if any test has been modified. + - 'examples/complete/*.tf' ## trigger if complete example has been modified. + - '.github/workflows/module-testing.yaml' ## trigger if this workflow has been modified. + +permissions: + pull-requests: write + +concurrency: + group: testing + +jobs: + moduleTesting: + runs-on: ubuntu-latest + env: + ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}" + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_CLIENT_SECRET: "${{ secrets.AZURE_CLIENT_SECRET }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID}}" + + steps: + - uses: actions/checkout@v4 + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.6 + terraform_wrapper: true + + ## Static Analysis and Linting Test (Unit Testing) + - name: Terraform validate on all examples + run: | + CURRENT_DIR="$(pwd)" + for dir in ./examples/*; do + if [[ -d "$dir" ]]; then + echo "$dir" + cd "$dir" || exit + terraform init + terraform validate + cd "${CURRENT_DIR}" || exit + fi + done + + ## Integrating testing using terraform native testing + - name: Testing example + working-directory: "${{ github.workspace }}/tests" + id: testing + run: | + pwd + terraform init + terraform test -no-color -var-file=multiple-identities.auto.tfvars + + - uses: actions/github-script@v7 + if: github.event_name == 'pull_request' && always() && !cancelled() + env: + TEST_OUTPUT: "${{ steps.testing.outputs.stdout }}" + TEST_ERROR: "${{ steps.testing.outputs.stderr }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + // 1. 
Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Test Results') + }) + // 2. Set output data + const output = `### Test Results :gear: Status: \`${{ steps.testing.outcome }}\` + + - \`Test Output:\` + + \`\`\`bash\n + ${process.env.TEST_OUTPUT} + \`\`\` + + - \`Test Error Message:\` + + \`\`\`bash\n + ${process.env.TEST_ERROR} + \`\`\` + + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`; + + // 3. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id, + body: output + }) + } else { + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + } diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml index f807f78..934a7d5 100644 --- a/.github/workflows/publish-release.yaml +++ b/.github/workflows/publish-release.yaml @@ -23,6 +23,7 @@ jobs: fetch-depth: 0 ## to get all tags - name: Create GitHub release + working-directory: ./.github run: | release_tag="v$(yq '.module_version' "./release-version.yaml")" release_notes="$(yq '.release_notes' "./release-version.yaml")" diff --git a/.gitignore b/.gitignore index 9b8a46e..7b80872 100644 --- a/.gitignore +++ b/.gitignore 
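Review bot: The github-script body splices `${{ github.actor }}`, `${{ steps.testing.outcome }}`, `${{ github.event_name }}` and `${{ github.workflow }}` directly into the JavaScript template literal, while the terraform output is (correctly) passed through `env:`; use that one path for every value so no workflow expression is ever expanded inside script source, e.g. add `ACTOR: ${{ github.actor }}` and `OUTCOME: ${{ steps.testing.outcome }}` under `env:` and reference them as `${process.env.ACTOR}` / `${process.env.OUTCOME}`. The step also posts the full `terraform test` stdout and stderr into a PR comment with `pull-requests: write`, and provider error text can carry subscription, tenant and resource IDs, so truncate or scrub it before posting rather than echoing it verbatim. The job authenticates with a long-lived `AZURE_CLIENT_SECRET` although the module under test exists to replace such secrets with federated credentials; `azure/login` via OIDC (`id-token: write`) would remove the stored secret entirely. Smaller points: quote `terraform_version: "1.6"` so YAML does not read it as a float, and pin the three actions to commit SHAs instead of moving major tags.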
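Review bot: `release_notes="$(yq '.release_notes' "./release-version.yaml")"` produces the literal string `null` when the key is absent, and the renamed `.github/release-version.yaml` in this same commit has `release_notes` commented out, so unless the rest of the step guards for it the release body becomes "null"; use `yq '.release_notes // ""' "./release-version.yaml"` so a missing key yields an empty string. With the new `working-directory: ./.github`, any command later in this step that referenced repo-root paths now resolves relative to `.github`, which is worth checking. The step body continues outside the hunk.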
@@ -10,8 +10,8 @@ crash.log crash.*.log # Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject # to change depending on the environment. *.tfvars *.tfvars.json @@ -32,3 +32,5 @@ override.tf.json # Ignore CLI configuration files .terraformrc terraform.rc + +!multiple-identities.auto.tfvars diff --git a/CHANGELOG.md b/CHANGELOG.md index 671cfe4..18df3c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --> +## v0.2.0 + +### Added +- Added example for creating multiple identities using individual combination of azure built-in and custom roles. + +### Others +- Added automated tests for the example `multiple-identities`. + - To verify the core functionality of the module , create identities, assign multiple role and generate federated credentials. + ## v0.1.0 ### Added diff --git a/examples/Makefile b/examples/Makefile index 637cbd5..c9e37b0 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -35,4 +35,4 @@ clean-all: clean .Phony: docs docs: - terraform-docs --header-from local.tf markdown --sort-by required . > README.md \ No newline at end of file + terraform-docs --header-from versions.tf markdown --sort-by required . > README.md \ No newline at end of file diff --git a/examples/multiple-identities/.terraform.lock.hcl b/examples/multiple-identities/.terraform.lock.hcl new file mode 100644 index 0000000..e1beb27 --- /dev/null +++ b/examples/multiple-identities/.terraform.lock.hcl 
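Review bot: `!multiple-identities.auto.tfvars` re-includes any file with that basename anywhere in the tree, immediately under the comment explaining that `*.tfvars` are ignored because they tend to hold secrets; anchor the exception to the single CI fixture, `!tests/multiple-identities.auto.tfvars`, so a same-named file created in an example directory while experimenting is not silently committed. Add a one-line comment above it, such as `# CI test fixture only: must never contain credentials or real resource identifiers.`, so the intent survives the next person who reads this file.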
@@ -0,0 +1,48 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.85.0" + constraints = "~> 3.55" + hashes = [ + "h1:BX6+m8KJATrpqlwBSyA63Fmwjvgwcs/v1qwB7B5GLCU=", + "h1:JLkmrm6Jcy4m0a3SrT26EU7b0njwFuhfflBZWUij7mA=", + "h1:UW2HuNrkVexKwNYbkI1Xr/B3ip/cCgizIjfKN+ulpPs=", + "h1:vPlaTsywMaTyPPYPy0t8twBwrYOGckDFg4kQ5yyJG0U=", + "zh:1ae6c0d82b5801641a17094b84f2ec1dcac699c1c4e40669a267511061414a34", + "zh:259e9386a43aabecb1205b0ceea2d205223637c09b66d806a89fed04f3343253", + "zh:4d940f9c14fece4f1d9219ac9d104202e5561bddc5024e5ac97f3f93eea20110", + "zh:530bca70b950e835f63c796c694106d701e5de0e2cf096fa35f08afd5c254594", + "zh:69e6b7f44ffbe0383b6485bb9db26781eb7869503889303e202967900a6b35ed", + "zh:8528e7d054254daae06eeb2bf343d566d3908a024fdfb5e515fbdbe0669c15eb", + "zh:98d66edfa89ed9a431ca37be384e5dfe7fa20bdc732c6e7d30f3f922ca3b29dc", + "zh:b8d37cedeffeb6bd37d4ec79fc2da19ed6b57d1ac08d835395dfa4fb3cfdf447", + "zh:bbc94e89cd6c0d59c2e5ed0bce852cac8435b6dc2e979691ee84af4c8b2c9bb8", + "zh:ceb4c624e8bb56bbcfe53e3c4ed4b4d27c3a5b62e5f4890b32c98b60b83c7827", + "zh:f08c5bf19eb25f668633964c6bfa823aa0ead785824082533c4a6cff3959e3d0", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.24.0" + constraints = "~> 2.24" + hashes = [ + "h1:4ojr5ZPWH3v4sTuFtJIrgT6DGPFqekcFaStbSQ2JLr0=", + "h1:8Ov9r+eCpuqY9LNjG3I8vKT0hX/FkyzuDxQySZVt9i4=", + "h1:Q8+R+wE1XMfJjIixxdBo6qVni01a/P6ceSGJ+kR2z/0=", + "h1:u9lRMCdNXcB5/WQTZVMvGhNliW2pKOzj3SOVbu9yPpg=", + "zh:0ed83ec390a7e75c4990ebce698f14234de2b6204ed9a01cd042bb7ea5f26564", + "zh:195150e4fdab259c70088528006f4604557a051e037ebe8de64e92840f27e40a", + "zh:1a334af55f7a74adf033eb871c9fe7e9e648b41ab84321114ef4ca0e7a34fba6", + "zh:1ef68c3832691de21a61bf1a4e268123f3e08850712eda0b893cac908a0d1bc1", + 
"zh:44a1c58e5a6646e62b0bad653319c245f3b635dd03554dea2707a38f553e4a52", + "zh:54b5b374c4386f7f05b3fe986f9cb57bde4beab3bdf6ee33444f2b9a81b8af64", + "zh:aa8c2687ab784b72f8cdad8d3c3673dea83b33561e7b3f2d287ef0d06ff2a9e5", + "zh:e6ecba0503052ef3ad49ad56e17b2a73d9b55e30fcb82b040189d281e25e1a3b", + "zh:f105393f6487d3eb1f1636ba42d10c82950ddfef852244c1bca8d526fa23a9a3", + "zh:f17a8f1914ec66d80ccacecd40123362cf093abee3d3aa1ff9f8f687d8736f85", + "zh:f394b12ef01fa0bdf666a43ad152eb3890134f35e635ea056b18771c292de46e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/examples/multiple-identities/Makefile b/examples/multiple-identities/Makefile new file mode 100644 index 0000000..af2ff5b --- /dev/null +++ b/examples/multiple-identities/Makefile @@ -0,0 +1 @@ +include ../Makefile \ No newline at end of file diff --git a/examples/multiple-identities/README.md b/examples/multiple-identities/README.md new file mode 100644 index 0000000..ac518e3 --- /dev/null +++ b/examples/multiple-identities/README.md 
@@ -0,0 +1,40 @@ +# Introduction + +This example show the example of using the module to create a multiple user-managed identities and assign a combination of azure built-in and newly created custom role definitions via module. + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | 3.85.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [multiple\_identities](#module\_multiple\_identities) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [identities](#input\_identities) | (optional) Identities to create. See README for more information.It includes all the inputs from the role\_assignments block in the module. |
set(object({
service_account_name = string
namespace = string
role_assignments = set(object({
role_definition_name = optional(string)
name = optional(string, null)
create_custom_role = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
scope = optional(string)
custom_role_description = optional(string)
custom_role_definition_id = optional(string, null)
custom_role_actions = optional(set(string), [])
custom_role_data_actions = optional(set(string), [])
custom_role_not_actions = optional(set(string), [])
custom_role_not_data_actions = optional(set(string), [])
custom_role_assignable_scopes = optional(set(string), null)
}))
}))
| `[]` | no | +| [namespace](#input\_namespace) | (optional) namesapce for example-service-account-02, need variable to over-ride in tests. | `string` | `"default"` | no | +| [service\_account\_name](#input\_service\_account\_name) | (optional) Service Account name for second example, need variable to over-ride in tests. | `string` | `"example-service-account-02"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [client\_ids](#output\_client\_ids) | The IDs of the apps associated with the Identities | +| [subjects](#output\_subjects) | The subjects for the Federated Identity Credential associated with the Identities | diff --git a/examples/multiple-identities/local.tf b/examples/multiple-identities/local.tf new file mode 100644 index 0000000..06ab751 --- /dev/null +++ b/examples/multiple-identities/local.tf 
@@ -0,0 +1,48 @@ +locals { + prefix = "wi-multi-module" + + tags = { + github_repo = "ishuar/terraform-azure-workload-identity" + managed_by = "terraform" + used_case = "tf-az-wi-module-dev" + } + + example-service-account-01 = [ + ########### Identity with Azure built-in role ########### + { + service_account_name = "example-service-account-01" + namespace = "example-01" + role_assignments = [ + { + role_definition_name = "Reader" + scope = azurerm_resource_group.this.id + }, + ] + }, + ] + example-service-account-02 = [ + ########### Identity with Azure built-in and custom role ########### + { + service_account_name = var.service_account_name # for testing purposes + namespace = var.namespace # for testing purposes + role_assignments = [ + { + role_definition_name = "Reader" + scope = azurerm_resource_group.this.id + }, + { + role_definition_name = "blob-reader" + scope = azurerm_resource_group.this.id + create_custom_role = true + custom_role_data_actions = [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + ] + } + ] + } + ] + identities = concat( + local.example-service-account-01, + local.example-service-account-02 + ) +} diff --git a/examples/multiple-identities/main.tf b/examples/multiple-identities/main.tf new file mode 100644 index 0000000..fce0109 --- /dev/null +++ b/examples/multiple-identities/main.tf 
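Review bot: The custom role in `example-service-account-02` is named with a fixed, generic `role_definition_name = "blob-reader"`; if the module passes that through as the `azurerm_role_definition` name (presumably, given `create_custom_role = true`), Azure's requirement that custom role names be unique per directory means a developer applying this example in the same tenant while the CI test runs will collide with it. Prefixing it, `role_definition_name = "${local.prefix}-blob-reader"`, keeps the example self-contained. `custom_role_assignable_scopes` is left at its `null` default here; a short comment stating what scope the module falls back to would save readers a trip into the module source.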
@@ -0,0 +1,19 @@ +resource "azurerm_resource_group" "this" { + location = "North Europe" + name = "${local.prefix}-resources" +} + +### Multiple Identities using for_each on the module level ### + +module "multiple_identities" { + ## check variables.tf for variable definition + for_each = { for identity in local.identities : identity.service_account_name => identity } + + source = "../../" + resource_group_name = azurerm_resource_group.this.name + location = azurerm_resource_group.this.location + oidc_issuer_url = "https://token.actions.githubusercontent.com" + service_account_name = each.value.service_account_name + namespace = each.value.namespace + role_assignments = each.value.role_assignments +} diff --git a/examples/multiple-identities/outputs.tf b/examples/multiple-identities/outputs.tf new file mode 100644 index 0000000..59faf38 --- /dev/null +++ b/examples/multiple-identities/outputs.tf @@ -0,0 +1,9 @@ +output "client_ids" { + value = { for k, v in module.multiple_identities : k => v.client_id } + description = "The IDs of the apps associated with the Identities" +} + +output "subjects" { + value = { for k, v in module.multiple_identities : k => v.subject } + description = "The subjects for the Federated Identity Credential associated with the Identities" +} diff --git a/examples/multiple-identities/variables.tf b/examples/multiple-identities/variables.tf new file mode 100644 index 0000000..e21953e --- /dev/null +++ b/examples/multiple-identities/variables.tf 
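Review bot: `oidc_issuer_url = "https://token.actions.githubusercontent.com"` is the GitHub Actions token issuer, but the subject this commit asserts in `tests/multiple-identities.tftest.hcl` is `system:serviceaccount:<namespace>:<name>`, a Kubernetes service-account subject a GitHub OIDC token never carries, so the federated credential created by this example cannot be exercised by either platform. Mark it as a stand-in, `## CI placeholder: in real deployments use the AKS cluster's oidc_issuer_url`, or take the issuer from a variable with that note in its description. `local.tags` is defined in local.tf but `azurerm_resource_group.this` sets no `tags`; add `tags = local.tags` so the `managed_by`/`github_repo` labelling actually reaches Azure.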
@@ -0,0 +1,73 @@ +## For creating multiple identities using single variable +## you can use the following variable definition for all features. +## this is not being used in the example, but it is here for reference. +variable "identities" { + type = set(object({ + service_account_name = string + namespace = string + role_assignments = set(object({ + role_definition_name = optional(string) + name = optional(string, null) + create_custom_role = optional(bool, false) + condition = optional(string, null) + condition_version = optional(string, null) + scope = optional(string) + custom_role_description = optional(string) + custom_role_definition_id = optional(string, null) + custom_role_actions = optional(set(string), []) + custom_role_data_actions = optional(set(string), []) + custom_role_not_actions = optional(set(string), []) + custom_role_not_data_actions = optional(set(string), []) + custom_role_assignable_scopes = optional(set(string), null) + })) + })) + description = "(optional) Identities to create. See README for more information.It includes all the inputs from the role_assignments block in the module." 
+ default = [ + # ########### Identity with Azure built-in role ########### + # { + # service_account_name = "example-service-account-01" + # namespace = "example-01" + # role_assignments = [ + # { + # role_definition_name = "Reader" + # scope = + # }, + # ] + # }, + # ########### Identity with Azure built-in and custom role ########### + # { + # service_account_name = "example-service-account-02" + # namespace = "example-02" + # create_custom_role = true + # role_assignments = [ + # { + # role_definition_name = "Reader" + # scope = + # }, + # { + # role_definition_name = "blob-reader" + # scope = + # create_custom_role = true + # custom_role_data_actions = [ + # "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + # ] + # } + # ] + # } + ] +} + +##### Testing ##### +# Path: ../../tests/multiple-identities.auto.tfvars +################### + +variable "service_account_name" { + type = string + description = "(optional) Service Account name for second example, need variable to over-ride in tests." + default = "example-service-account-02" +} +variable "namespace" { + type = string + description = "(optional) namesapce for example-service-account-02, need variable to over-ride in tests." + default = "default" +} diff --git a/examples/multiple-identities/versions.tf b/examples/multiple-identities/versions.tf new file mode 100644 index 0000000..82539f0 --- /dev/null +++ b/examples/multiple-identities/versions.tf @@ -0,0 +1,9 @@ +/** +* # Introduction +* +* This example show the example of using the module to create a multiple user-managed identities and assign a combination of azure built-in and newly created custom role definitions via module. +*/ + +provider "azurerm" { + features {} +} diff --git a/examples/simple/local.tf b/examples/simple/local.tf index b2871ee..68fda0d 100644 --- a/examples/simple/local.tf +++ b/examples/simple/local.tf 
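Review bot: The commented sample in the `identities` default puts `create_custom_role = true` at the identity level (second entry), but the declared `set(object({...}))` type only has that attribute inside `role_assignments`, so anyone uncommenting the sample gets a type error; drop that line from the sample. The header says this variable is not used by the example, so either wire it into local.tf or remove it so the generated README does not advertise an input that has no effect. Also fix `namesapce` → `namespace` in the `namespace` variable's description.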
@@ -1,11 +1,5 @@ -/** -* # Introduction -* -* This example show the simplest example of using the module to create a single user-managed identity and assign one custom and built-in role to it respectively. -*/ - locals { - prefix = "wi-module" + prefix = "wi-sim-module" tags = { github_repo = "ishuar/terraform-azure-workload-identity" diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index ab91b24..7ffe0ad 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -1,3 +1,9 @@ +/** +* # Introduction +* +* This example show the simplest example of using the module to create a single user-managed identity and assign one custom and built-in role to it respectively. +*/ + provider "azurerm" { features {} } diff --git a/tests/.terraform.lock.hcl b/tests/.terraform.lock.hcl new file mode 100644 index 0000000..e1beb27 --- /dev/null +++ b/tests/.terraform.lock.hcl 
@@ -0,0 +1,48 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.85.0" + constraints = "~> 3.55" + hashes = [ + "h1:BX6+m8KJATrpqlwBSyA63Fmwjvgwcs/v1qwB7B5GLCU=", + "h1:JLkmrm6Jcy4m0a3SrT26EU7b0njwFuhfflBZWUij7mA=", + "h1:UW2HuNrkVexKwNYbkI1Xr/B3ip/cCgizIjfKN+ulpPs=", + "h1:vPlaTsywMaTyPPYPy0t8twBwrYOGckDFg4kQ5yyJG0U=", + "zh:1ae6c0d82b5801641a17094b84f2ec1dcac699c1c4e40669a267511061414a34", + "zh:259e9386a43aabecb1205b0ceea2d205223637c09b66d806a89fed04f3343253", + "zh:4d940f9c14fece4f1d9219ac9d104202e5561bddc5024e5ac97f3f93eea20110", + "zh:530bca70b950e835f63c796c694106d701e5de0e2cf096fa35f08afd5c254594", + "zh:69e6b7f44ffbe0383b6485bb9db26781eb7869503889303e202967900a6b35ed", + "zh:8528e7d054254daae06eeb2bf343d566d3908a024fdfb5e515fbdbe0669c15eb", + "zh:98d66edfa89ed9a431ca37be384e5dfe7fa20bdc732c6e7d30f3f922ca3b29dc", + "zh:b8d37cedeffeb6bd37d4ec79fc2da19ed6b57d1ac08d835395dfa4fb3cfdf447", + "zh:bbc94e89cd6c0d59c2e5ed0bce852cac8435b6dc2e979691ee84af4c8b2c9bb8", + "zh:ceb4c624e8bb56bbcfe53e3c4ed4b4d27c3a5b62e5f4890b32c98b60b83c7827", + "zh:f08c5bf19eb25f668633964c6bfa823aa0ead785824082533c4a6cff3959e3d0", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.24.0" + constraints = "~> 2.24" + hashes = [ + "h1:4ojr5ZPWH3v4sTuFtJIrgT6DGPFqekcFaStbSQ2JLr0=", + "h1:8Ov9r+eCpuqY9LNjG3I8vKT0hX/FkyzuDxQySZVt9i4=", + "h1:Q8+R+wE1XMfJjIixxdBo6qVni01a/P6ceSGJ+kR2z/0=", + "h1:u9lRMCdNXcB5/WQTZVMvGhNliW2pKOzj3SOVbu9yPpg=", + "zh:0ed83ec390a7e75c4990ebce698f14234de2b6204ed9a01cd042bb7ea5f26564", + "zh:195150e4fdab259c70088528006f4604557a051e037ebe8de64e92840f27e40a", + "zh:1a334af55f7a74adf033eb871c9fe7e9e648b41ab84321114ef4ca0e7a34fba6", + "zh:1ef68c3832691de21a61bf1a4e268123f3e08850712eda0b893cac908a0d1bc1", + 
"zh:44a1c58e5a6646e62b0bad653319c245f3b635dd03554dea2707a38f553e4a52", + "zh:54b5b374c4386f7f05b3fe986f9cb57bde4beab3bdf6ee33444f2b9a81b8af64", + "zh:aa8c2687ab784b72f8cdad8d3c3673dea83b33561e7b3f2d287ef0d06ff2a9e5", + "zh:e6ecba0503052ef3ad49ad56e17b2a73d9b55e30fcb82b040189d281e25e1a3b", + "zh:f105393f6487d3eb1f1636ba42d10c82950ddfef852244c1bca8d526fa23a9a3", + "zh:f17a8f1914ec66d80ccacecd40123362cf093abee3d3aa1ff9f8f687d8736f85", + "zh:f394b12ef01fa0bdf666a43ad152eb3890134f35e635ea056b18771c292de46e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/tests/Makefile b/tests/Makefile new file mode 100644 index 0000000..fbb0cca --- /dev/null +++ b/tests/Makefile @@ -0,0 +1 @@ +include ../examples/Makefile \ No newline at end of file diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..0f1115e --- /dev/null +++ b/tests/README.md @@ -0,0 +1,4 @@ +# Terraform Testing + +- [Terraform Native Test](https://developer.hashicorp.com/terraform/language/tests) +- [Testing Hashicorp Terraform](https://www.hashicorp.com/blog/testing-hashicorp-terraform) \ No newline at end of file diff --git a/tests/multiple-identities.auto.tfvars b/tests/multiple-identities.auto.tfvars new file mode 100644 index 0000000..b2a81dc --- /dev/null +++ b/tests/multiple-identities.auto.tfvars @@ -0,0 +1,2 @@ +service_account_name = "test-service-account" +namespace = "test" diff --git a/tests/multiple-identities.tftest.hcl b/tests/multiple-identities.tftest.hcl new file mode 100644 index 0000000..a6439bf --- /dev/null +++ b/tests/multiple-identities.tftest.hcl 
@@ -0,0 +1,12 @@ +## Test to ensure that azure workload identity is created as expected. +## This test is run as part of the CI/CD pipeline. + +run "multiple_identities" { + module { + source = "../examples/multiple-identities" + } + assert { + condition = module.multiple_identities["${var.service_account_name}"].subject == "system:serviceaccount:${var.namespace}:${var.service_account_name}" + error_message = "Unexpected federated credential subject for service account ${var.service_account_name}" + } +} diff --git a/tests/versions.tf b/tests/versions.tf new file mode 100644 index 0000000..a76228a --- /dev/null +++ b/tests/versions.tf @@ -0,0 +1,18 @@ +## tftest.hcl needs terraform config as it neeed to init the module. +## And terraform can not init in empty directory. +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.55" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~>2.24" + } + } + required_version = ">= 1.3" +} +provider "azurerm" { + features {} +}
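Review bot: The only assertion checks the derived subject string of the second identity, so a failure to create the first identity or any of the Reader / custom-role assignments would still pass, although the CHANGELOG says this test verifies role assignment; add at least `condition = length(output.client_ids) == 2` with a matching `error_message` so both identities must exist. The key lookup can drop the redundant interpolation: `module.multiple_identities[var.service_account_name]`. The run block defaults to `command = apply`, meaning every PR creates real Azure identities and role assignments with the CI credentials; stating `command = apply` explicitly documents that this is intentional.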