Effective Usage of `test`


TL;DR: Because this is a wordy one, I’m basically asking “What is the point of `terraform test`?” I’ve read the docs and the release article, but I don’t see how it allows you to test anything useful, since it seems to be limited to “did Terraform create the resources I asked it to”.

I’m starting out with `terraform test`, and am having trouble understanding the use-cases.

I have different levels of modules in my registry, varying in complexity. For this discussion, let’s say I have “helper” modules, and “application” modules which use those helpers. I have a helper module which generates different IAM policies for use with different application modules, and I’d like to test that the policies it creates have the permissions necessary for the application module to create a limited set of resources.

I’ve gotten as far as creating some “fixtures” used as part of my helper module’s resources, having the helper module create its resources, and now I’m writing the actual assertion blocks. Testing things like “is the name of the policy what we expect” is fine, but what I really want to test is “does the policy allow what it’s attached to to create resources of type X”.

What I seem to be heading towards is writing another run block containing a module which essentially tries to use the policy as normal Terraform code would do. In this case, what is the difference with just using the module to see if it breaks, but say in a separate test repo? I feel like I’m missing something.