Snowflake Export Testing
Depot supports Snowflake export to S3 via transactions.
How to write export actions/transactions can be found here.
Writing export tests
In most cases you will need to use stage overrides to test export functionality
In order to invoke export in test context add export action on DepotTest builder with same parameters that you would
call export action
To assert what was exported add .checkExport action on DepotTest builder where:
exportPathmatches export actionexportOptions.pathsourceSchemamatches export actionsourceactualis singleton array that matches export actiontargetexpectedUriis folder path to expected files
Currently depot-test supports only JSON and simple comma-separated CSV with header.
For other types or custom CSV assertions will be user side responsibility.
Until Depot-test has ability to return files ask Depot team to help
with workaround.
DepotTest.in(TestNs)
.export({
exportOptions: {
path: "/path/",
formatSchema: "my.schema.Format"
},
target: "my.schema.Stage",
source: "my.schema.Source",
})
.checkExport({
exportPath: "/path/",
sourceSchema: "my.schema.Source",
actual: ["my.schema.Stage"],
expectedUri: "/some/path/expected/"
})
if createAssertionFiles flag is true(default) files be created in folder matching assertions under expectedUri
Permissions
To run export tests it's necessary to set up two permissions:
- snowflake storage integration for the user who runs the tests
- s3 access to assert exported files
- s3 bucket to export files to
Snowflake integration
How to create snowflake integration:
- create IAM role with trust relationship
- create snowflake integration matching pattern
<DB_NAME>_S3where db name is the same as in depot.properties - update IAM role trust relationship with credentials from integration
- add access to S# bucket policy to the IAM role
full guide can be found here
S3 access local runs
To provide access for depot-test add aws.profile to depot-test and make sure your user have access to the bucket that
you use in stage.url
S3 access for aws-codeBuild
To provide access for depot-test in code build add access policy with s3 access to the code build role.
Role can be located codeBuild run "build details" under "Environment" with field name "Service role"
example s3 policy
{
"actions": [
"s3:*"
],
"resources": [
"arn:aws:s3:::some-service-ci",
"arn:aws:s3:::some-service-ci/*"
]
}
S3 access for github actions
To provide access for depot-test in github action you will need:
OIDC role (sphinx pipeline factory create it for all services)
to setup OIDC connection for your test job:
In your workflow file:
OIDC requires AWS_ROLE_TO_ASSUME secret to be present at job context.
Add permissions to read Github id tokens(necessary for OIDC action). On job level add
permissions:
id-token: write
contents: read
and add OIDC to test step
- name: Setup OIDC Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: "eu-west-1"
role-to-assume: "${{ secrets.AWS_ROLE_TO_ASSUME }}"
role-duration-seconds: 7000
Make sure that your OIDC role has permissions for specific action for example if in case CI is run on pull request you
will need to add pull request token to OIDC role trust relationship i.e.
"token.actions.githubusercontent.com:sub": "repo:stage-tech/<repo name>:pull_request"
in
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<redacted>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:stage-tech/<repo name>:pull_request"
}
}
}
]
}
OIDC role in sphinx project is managed by pipeline factory therefore your changes could be overridden. Ticket to tackle this here
also OIDC role must have access policy to the bucket used in CI for export test i.e.
example s3 policy:
{
"actions": [
"s3:*"
],
"resources": [
"arn:aws:s3:::some-service-ci",
"arn:aws:s3:::some-service-ci/*"
]
}