CMSgov · juliareynolds-nava · Jan 13, 2026 · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026
@@ -0,0 +1,41 @@
+name: tf-module-test
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'terraform/modules/**'
+
+concurrency:
+  group: tf-module-test
+
+env:
+  TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  apply:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159  # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - uses: cmsgov/cdap/actions/setup-sops@84a6bcee5b70d63c44f8fec4f9b542cb5ec29a54
+      - uses: cmsgov/cdap/actions/setup-yq@328406d6e1d435b4e3da598bcdab22e576c3945e
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.NON_PROD_ACCOUNT }}:role/delegatedadmin/developer/cdap-test-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47
+        id: changed-dirs
+        with:
+          files: |
+            terraform/modules/**
+          dir_names: 'true'
+      - run: scripts/tf-module-test
+        env:
+          APP: cdap
+          ENV: test
+          CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }}
@@ -0,0 +1,24 @@
+# Library to be sourced into scripts for running tofu destroy
+# in a GitHub Action.
+
+echo "::group::$dir tofu destroy"
+
+export TF_VAR_app="$APP"
+export TF_VAR_env="$ENV"
+tofu_warning=""
+tofu_error=""
+
+echo "Removing resources for $dir"
+if ! tofu destroy -auto-approve; then
+  job_error=true
+  tofu_error="Error in tofu apply for $dir"
+fi
+
+echo "::endgroup::"
+
+if [ -n "$tofu_warning" ]; then
+  echo "::warning::$tofu_warning"
+fi
+if [ -n "$tofu_error" ]; then
+  echo "::error::$tofu_error"
+fi
@@ -0,0 +1,40 @@
+# Library to be sourced into scripts for running tofu init, plan, and apply
+# in a GitHub Action.
+
+echo "::group::$dir tofu"
+
+if ! tofu init -reconfigure -backend-config="$repo_root/terraform/backends/${APP}-${ENV}.s3.tfbackend"; then
+  job_error=true
+  echo "::endgroup::"
+  echo "::error::Error in tofu init for $dir"
+  continue
+fi
+
+export TF_VAR_app="$APP"
+export TF_VAR_env="$ENV"
+tofu_warning=""
+tofu_error=""
+if tofu plan -detailed-exitcode -out "$temp_plan_out"; then
+  echo "No changes planned for $dir"
+elif [ "$?" -eq "2" ]; then # Detailed exit code is 2, meaning changes are planned
+  tofu_warning="Changes planned for $dir"
+else
+  job_error=true
+  tofu_error="Error in tofu plan for $dir"
+fi
+
+if [[ -n "$tofu_warning" && "$APPLY" == "true" ]]; then
+  echo "Applying plan for $dir"
+  if ! tofu apply "$temp_plan_out"; then
+    job_error=true
+    tofu_error="Error in tofu apply for $dir"
+  fi
+fi
+echo "::endgroup::"
+
+if [ -n "$tofu_warning" ]; then
+  echo "::warning::$tofu_warning"
+fi
+if [ -n "$tofu_error" ]; then
+  echo "::error::$tofu_error"
+fi
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Run tests on tf modules. Used in the tf-module-test workflow.
+set -e
+
+repo_root="$(git rev-parse --show-toplevel)"
+script_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
+job_error=false
+temp_plan_out=$(mktemp)
+APPLY=true
+
+for dir in $CHANGED_DIRS; do
+  dir_absolute="$repo_root/$dir"
+  [ ! -d "$dir_absolute/test" ] && echo "No directory found at $dir. Skipping" && continue
+  cd "$dir_absolute"
+  [ ! -f "test/test.sh" ] && echo "No test.sh file found in $dir/test. Skipping" && continue
+  dir=$dir/test
+
+  source $script_dir/lib/tofu-init-plan-apply.sh
+
+  # The test.sh script must use test_warning, test_error, and job_error
+  # variables and "continue" as done in tofu lib scripts rather than erroring
+  # out to allow for looping through dirs.
+  test_warning=""
+  test_error=""
+  echo "::group::$dir test"
+  source test.sh
+  echo "::endgroup::"
+  if [ -n "$test_warning" ]; then
+    echo "::warning::$test_warning"
+  fi
+  if [ -n "$test_error" ]; then
+    echo "::error::$test_error"
+  fi
+
+  source $script_dir/lib/tofu-destroy.sh
+done
+
+if [ "$job_error" == "true" ]; then
+  exit 1
+fi
@@ -2,6 +2,7 @@
 # Run tofu plan across all services. Used in the tofu-plan and tofu-apply workflows.
 
 repo_root="$(git rev-parse --show-toplevel)"
+script_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
 job_error=false
 temp_plan_out=$(mktemp)
 
@@ -41,43 +42,7 @@ for dir in $(ls "$repo_root/terraform/services"); do
       ;;
   esac
 
-  echo "::group::$dir tofu"
-
-  if ! tofu init -reconfigure -backend-config="../../backends/${APP}-${ENV}.s3.tfbackend"; then
-    job_error=true
-    echo "::endgroup::"
-    echo "::error::Error in tofu init for $dir"
-    continue
-  fi
-
-  export TF_VAR_app="$APP"
-  export TF_VAR_env="$ENV"
-  tofu_warning=""
-  tofu_error=""
-  if tofu plan -detailed-exitcode -out "$temp_plan_out"; then
-    echo "No changes planned for $dir"
-  elif [ "$?" -eq "2" ]; then # Detailed exit code is 2, meaning changes are planned
-    tofu_warning="Changes planned for $dir"
-  else
-    job_error=true
-    tofu_error="Error in tofu plan for $dir"
-  fi
-
-  if [[ -n "$tofu_warning" && "$APPLY" == "true" ]]; then
-    echo "Applying plan for $dir"
-    if ! tofu apply "$temp_plan_out"; then
-      job_error=true
-      tofu_error="Error in tofu apply for $dir"
-    fi
-  fi
-  echo "::endgroup::"
-
-  if [ -n "$tofu_warning" ]; then
-    echo "::warning::$tofu_warning"
-  fi
-  if [ -n "$tofu_error" ]; then
-    echo "::error::$tofu_error"
-  fi
+  source $script_dir/lib/tofu-run.sh
 done
 
 if [ "$job_error" == "true" ]; then

@@ -32,7 +32,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.100.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 ## Modules
 
@@ -43,13 +43,14 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_ecs_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
+| [aws_service_discovery_http_namespace.cluster_service_connect_namespace](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_http_namespace) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name_override"></a> [cluster\_name\_override](#input\_cluster\_name\_override) | Name of the ecs cluster. | `string` | `null` | no |
-| <a name="input_platform"></a> [platform](#input\_platform) | Object that describes standardized platform values. | `any` | n/a | yes |
+| <a name="input_platform"></a> [platform](#input\_platform) | Object that describes standardized platform values. | <pre>object({<br/>    app = string,<br/>    env = string,<br/>    kms_alias_primary = object({<br/>      target_key_arn = string<br/>    }),<br/>    service          = string,<br/>    is_ephemeral_env = string<br/>  })</pre> | n/a | yes |
 
 ## Outputs
 

@@ -1,3 +1,13 @@
+locals {
+  name = var.cluster_name_override != null ? var.cluster_name_override : "${var.platform.app}-${var.platform.env}-${var.platform.service}"
+}
+
+resource "aws_service_discovery_http_namespace" "cluster_service_connect_namespace" {
+  name = local.name
+  description = "Service Connect namespace for ${local.name}"
+}
+
+
 resource "aws_ecs_cluster" "this" {
   name = var.cluster_name_override != null ? var.cluster_name_override : "${var.platform.app}-${var.platform.env}-${var.platform.service}"
 
@@ -6,10 +16,20 @@ resource "aws_ecs_cluster" "this" {
     value = var.platform.is_ephemeral_env ? "disabled" : "enabled"
   }
 
+  service_connect_defaults {
+    namespace = aws_service_discovery_http_namespace.cluster_service_connect_namespace.arn
+  }
+
   configuration {
     managed_storage_configuration {
       fargate_ephemeral_storage_kms_key_id = var.platform.kms_alias_primary.target_key_arn
       kms_key_id                           = var.platform.kms_alias_primary.target_key_arn
     }
   }
+
+  depends_on = [aws_service_discovery_http_namespace.cluster_service_connect_namespace]
 }
+
+
+
+
@@ -2,8 +2,8 @@ variable "app" {
   description = "The short name for the delivery team or ADO."
   type        = string
   validation {
-    condition     = contains(["ab2d", "bcda", "dpc"], var.app)
-    error_message = "Invalid short var.app (application). Must be one of ab2d, bcda, or dpc."
+    condition     = contains(["ab2d", "bcda", "cdap", "dpc"], var.app)
+    error_message = "Invalid short var.app (application). Must be one of ab2d, bcda, cdap or dpc."
   }
 }