Testing with mocks: despite overriding resource, returned value is still random?

I defined an AWS API Gateway domain name resource in my Terraform code and I want to test that it’s properly configured when deployed. To do so, I use mock_provider aws{} and I then override the attribute coming from another resource:

# main.tf excerpt

resource "aws_api_gateway_domain_name" "api_domain_name" {
  domain_name = var.domain

  regional_certificate_arn = data.aws_acm_certificate.main_cert.arn
  security_policy          = "TLS_1_2"

  mutual_tls_authentication {
    truststore_uri = aws_s3_object.truststore_file.id
  }
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

And here are my tests:

# main.tftest.hcl excerpt
mock_provider aws {}

run "test_api_gateway_domain_name" {
    override_data {
        target = data.aws_acm_certificate.main_cert
        values = {
            arn = "arn:aws:acm:::certificate/blblbl"
        }
    }
    override_resource {
        target = aws_s3_object.truststore_file
        values = {
            id = "s3://blblbl"
        }
    }
    variables {
        domain = "domain"
    }

    assert {
        condition = aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication[0].truststore_uri == "s3://blblbl"
        error_message = "Invalid truststore URI"
    }
}

When I run it (terraform test) it tells me that the truststore_uri attribute has been randomly generated:

# Console output excerpt

│ Error: Test assertion failed
│ 
│   on tests/main.tftest.hcl line 137, in run "test_api_gateway_domain_name":
│  137:         condition = aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication[0].truststore_uri == "s3://blblbl"
│     ├────────────────
│     │ aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication[0].truststore_uri is "ucgosl81"
│ 
│ Invalid truststore URI

I know from the docs that this value is generated by the mocking framework but I don’t get why, since I am overriding this value.

What am I doing wrong here?

terraform version:

Terraform v1.7.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.34.0

I am seeing the exact same behaviour in Terraform 1.8.4 attempting to mock the vra provider.
None of the overridden values I’ve provided have any effect. All values return back a random 8 character alphanumeric string.

Apologies for the very long delay on any response here.

@avazula - I’m not able to reproduce the behaviour that you’re seeing. Are you able to share the configuration for the overridden resource and data source? I appreciate it’s been a very long time for you so very likely you don’t have context on this anymore.

For the avoidance of doubt, here is the complete configuration and testing files that I used:

# main.tf

terraform {
    required_providers {
      aws = {
        source = "hashicorp/aws"
        version = "5.34.0"
      }
    }
}

resource "aws_api_gateway_domain_name" "api_domain_name" {
  domain_name = var.domain

  regional_certificate_arn = data.aws_acm_certificate.main_cert.arn
  security_policy          = "TLS_1_2"

  mutual_tls_authentication {
    truststore_uri = aws_s3_object.truststore_file.id
  }
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

variable "domain" {
    type = string
}

data "aws_acm_certificate" "main_cert" {
    domain = var.domain
}

resource "aws_s3_object" "truststore_file" {
    bucket = "my_bucket"
    key = "my_file"
}

# main.tftest.hcl

mock_provider "aws" {}

run "test_api_gateway_domain_name" {
    override_data {
        target = data.aws_acm_certificate.main_cert
        values = {
            arn = "arn:aws:acm:::certificate/blblbl"
        }
    }
    override_resource {
        target = aws_s3_object.truststore_file
        values = {
            id = "s3://blblbl"
        }
    }
    variables {
        domain = "domain"
    }

    assert {
        condition = aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication[0].truststore_uri == "s3://blblbl"
        error_message = "Invalid truststore URI"
    }
}

And the complete output:

~/terraform/62338/internal > terraform version
Terraform v1.7.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.34.0

Your version of Terraform is out of date! The latest version
is 1.9.3. You can update by downloading from https://www.terraform.io/downloads.html
~/terraform/62338/internal > terraform test -verbose
main.tftest.hcl... in progress
  run "test_api_gateway_domain_name"... pass

# data.aws_acm_certificate.main_cert:
data "aws_acm_certificate" "main_cert" {
    arn               = "arn:aws:acm:::certificate/blblbl"
    certificate       = "34qkrjuj"
    certificate_chain = "zwlutiqb"
    domain            = "domain"
    id                = "1f2rqisz"
    status            = "07a1uqa6"
    tags              = {}
}

# aws_api_gateway_domain_name.api_domain_name:
resource "aws_api_gateway_domain_name" "api_domain_name" {
    arn                                    = "vkwgvx24"
    certificate_upload_date                = "v1bb1sru"
    cloudfront_domain_name                 = "mfswm3nq"
    cloudfront_zone_id                     = "2o1go0st"
    domain_name                            = "domain"
    id                                     = "3jn5b3vl"
    ownership_verification_certificate_arn = "dsa9yytk"
    regional_certificate_arn               = "arn:aws:acm:::certificate/blblbl"
    regional_domain_name                   = "fg30zl8i"
    regional_zone_id                       = "iz3eo7ea"
    security_policy                        = "TLS_1_2"
    tags_all                               = {}

    endpoint_configuration {
        types = [
            "REGIONAL",
        ]
    }

    mutual_tls_authentication {
        truststore_uri = "s3://blblbl"
    }
}

# aws_s3_object.truststore_file:
resource "aws_s3_object" "truststore_file" {
    acl                    = "r82eaxsd"
    bucket                 = "my_bucket"
    bucket_key_enabled     = false
    checksum_crc32         = "u88euev0"
    checksum_crc32c        = "s1p60bdb"
    checksum_sha1          = "3sgwb8i2"
    checksum_sha256        = "ncghnjzx"
    content_type           = "791j4g1c"
    etag                   = "8woqikmn"
    id                     = "s3://blblbl"
    key                    = "my_file"
    kms_key_id             = "l53wrdcg"
    server_side_encryption = "cjxu80tr"
    storage_class          = "fxcd8s0v"
    tags_all               = {}
    version_id             = "3fn33ivp"
}

main.tftest.hcl... tearing down
main.tftest.hcl... pass

Success! 1 passed, 0 failed.

Note, the use of the -verbose flag will tell you exactly what value is being assigned to each attribute. Most are being set randomly, but the ones that I’ve specified in my test file are being overridden.

@joshua.skirde - are you able to share any of the configuration for which you are seeing the incorrect behaviour?

I know you’ve been in touch with Ryan directly, so you could also continue the conversation there and ask that any configuration you can provide gets forwarded to me.
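
The following is an added example, not code from any participant in this thread: a variant of the test file that sets the mocked values once in the `mock_provider` block through `mock_resource` / `mock_data` defaults instead of per-run overrides, and asserts on the TLS policy and mutual-TLS wiring by reference rather than by repeated literals. It assumes the complete `main.tf` posted in the reply above; the file name is hypothetical and the mock values are the thread's own placeholders.

```hcl
# tests/mtls.tftest.hcl (hypothetical file name; added example)

mock_provider "aws" {
  # Defaults apply to every aws_s3_object the mocked provider creates.
  mock_resource "aws_s3_object" {
    defaults = {
      id = "s3://blblbl" # placeholder value reused from the thread
    }
  }

  # Defaults apply to every aws_acm_certificate data source that is read.
  mock_data "aws_acm_certificate" {
    defaults = {
      arn = "arn:aws:acm:::certificate/blblbl" # placeholder value reused from the thread
    }
  }
}

variables {
  domain = "domain"
}

run "mtls_and_tls_policy" {
  # The minimum TLS version is a literal in main.tf, so it is never mocked.
  assert {
    condition     = aws_api_gateway_domain_name.api_domain_name.security_policy == "TLS_1_2"
    error_message = "Custom domain must enforce TLS 1.2"
  }

  # Exactly one mutual_tls_authentication block must be present.
  assert {
    condition     = length(aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication) == 1
    error_message = "Mutual TLS is not configured on the custom domain"
  }

  # Compare against the source object, so the check follows whatever value the mock supplies.
  assert {
    condition     = aws_api_gateway_domain_name.api_domain_name.mutual_tls_authentication[0].truststore_uri == aws_s3_object.truststore_file.id
    error_message = "Truststore URI is not wired to the truststore S3 object"
  }

  assert {
    condition     = aws_api_gateway_domain_name.api_domain_name.regional_certificate_arn == data.aws_acm_certificate.main_cert.arn
    error_message = "Regional certificate ARN is not wired to the ACM certificate data source"
  }
}
```

Running `terraform test -verbose` against this file prints the resulting state, which shows whether the defaults or generated strings ended up in `id` and `arn`.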