ewilde / terraform-provider-kibana

Kibana terraform provider
Mozilla Public License 2.0

KibanaTypeLogzio: Tests exceed Auth0 MFA rate limit #22

Closed devenney closed 5 years ago

devenney commented 5 years ago

Terraform Version

v0.11.14

Affected Resource(s)

Logzio test cases. Normal operation appears unaffected.

Terraform Configuration Files

N/A. Test cases in master branch of repository.

Debug Output

--- FAIL: TestAccDataSourceKibanaIndex_Basic (8.50s)
    testing.go:564: Error destroying resource! WARNING: Dangling resources
        may exist. The full state and error is shown below.

        Error: Error refreshing: 1 error occurred:

        * data.kibana_index.basic: 1 error occurred:

        * data.kibana_index.basic: data.kibana_index.basic: could not get saved objects, error: [Error getting MFA code: the mfa code sent is expired]

        State: <nil>

Expected Behavior

Test cases authenticate against Logz.io exactly once, exchanging the credentials and MFA token for a session token which is used throughout the tests.

Actual Behavior

The output above is erroneous due to the logic in ewilde/go-kibana logzio_authentication_handler.go#L206.

The real error is masked:

{
  "error": "a0.mfa_too_many_codes",
  "error_description": "Too many attempts. Please wait a few minutes before retrying."
}

ConfigureProvider() is called multiple times per test case. Specifically, every time ctx.Refresh(), ctx.Plan(), ctx.Apply(), and ctx.Destroy() are called. This results in us hammering the Auth0 API to the point of exceeding the rate limit before a single test case has completed.

Steps to Reproduce

  1. Configure the environment variables for an MFA-enabled KibanaTypeLogzio test environment.
  2. TF_ACC=1 go test -v ./kibana -run TestAccDataSourceKibanaIndex_Basic

devenney commented 5 years ago

Possibly related to #15.

devenney commented 5 years ago

Proposed Solution

It seems that other providers (see terraform-providers/terraform-provider-aws) do not make use of MFA in their testing strategy. Instead, they trust that the underlying SDK has extensively tested the authentication paths.

The solution is thus:

  1. Create or identify two test accounts which are airgapped from the Form3 logz.io tenants.
  2. Create a user with access to these accounts. Importantly, this user should not require MFA.
  3. Make use of this user in our unit tests.

We should also create a user which is identical to (2) with the addition of MFA. It will then be necessary to update ewilde/go-kibana to authenticate as this user to rigorously test the MFA flow.
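
The "Expected Behavior" from the issue (authenticate once, then reuse the session token on every later provider configuration), sketched in Go as an added example that is not code from terraform-provider-kibana or go-kibana. `SessionCache`, `simulate` and the login closure are hypothetical names, and the rate-limited login is constructed to stand in for the Auth0 MFA exchange.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrTooManyCodes stands in for the "a0.mfa_too_many_codes" response quoted in the issue.
var ErrTooManyCodes = errors.New("a0.mfa_too_many_codes")

// SessionCache runs a (hypothetical) login exchange once and replays its outcome.
// Failures are replayed too, so later callers cannot push further into the rate limit.
type SessionCache struct {
	once  sync.Once
	login func() (string, error)
	token string
	err   error
}

func (c *SessionCache) Get() (string, error) {
	c.once.Do(func() {
		if c.token, c.err = c.login(); c.err != nil {
			c.err = fmt.Errorf("login failed: %w", c.err) // %w keeps the real cause visible
		}
	})
	return c.token, c.err
}

// simulate configures the provider `calls` times against a constructed login rejected after `limit` uses.
func simulate(calls, limit int, cached bool) (logins int, err error) {
	get := func() (string, error) {
		if logins++; logins > limit {
			return "", ErrTooManyCodes
		}
		return "session-token", nil
	}
	if cached {
		get = (&SessionCache{login: get}).Get
	}
	for i := 0; i < calls && err == nil; i++ {
		_, err = get()
	}
	return logins, err
}

func main() {
	fmt.Println(simulate(4, 2, false)) // direct: third login is rate limited
	fmt.Println(simulate(4, 2, true))  // cached: one login serves all four calls
}
```

The four calls model the Refresh, Plan, Apply and Destroy steps named in the issue; a real provider would hold one such cache for the lifetime of the test process rather than per configuration call.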