Manual Test Runbook — F1: Baseline Module

Owner: Sagar  |  Time: ~20 min  |  Sandbox: snowops-sandbox-01


Prerequisites

  • Sandbox subscription access active (PIM activated if required)
  • az login done; az account show confirms the sandbox subscription is selected
  • Identity has Contributor + User Access Administrator on the sandbox subscription (the second is needed to write subscription-scope policy assignments)
  • Local tooling: terraform >= 1.6, go >= 1.22, az CLI >= 2.50
  • SNOWOPS_SANDBOX_SUBSCRIPTION_ID and SNOWOPS_SANDBOX_TENANT_ID env vars set
  • Working directory: repo root

Steps

Part A — terraform validate (no cloud, ~1 min)

  1. Run the validate-only test to confirm the HCL compiles cleanly:
cd tests/terratest
go test -v -timeout 5m ./modules/azure/... -run TestBaselineValidate
  2. Confirm the output ends with PASS.

Part B — full integration test (real Azure, ~12 min)

  1. Ensure env vars are exported (same as X2 / F6):
export SNOWOPS_SANDBOX_SUBSCRIPTION_ID="<sandbox-subscription-guid>"
export SNOWOPS_SANDBOX_TENANT_ID="<sandbox-tenant-guid>"
  2. Run the integration test:
cd tests/terratest
go test -v -tags integration -timeout 25m ./modules/azure/... -run TestBaselineModule
  3. Watch the output for these key steps:
     • InitAndApply on the baseline fixture creates: RG → workspace → policy set definition → policy assignment → activity log diagnostic.
     • All output assertions pass (workspace ID under sandbox sub, policy assignment keyed by sandbox sub GUID, diagnostic setting scoped to the sub).
     • Destroy completes in reverse order without error.

Part C — manual spot-check (optional, ~3 min)

  1. While the test is running, after InitAndApply completes but before destroy, verify the policy assignment lives at sub scope:
az policy assignment list --scope "/subscriptions/${SNOWOPS_SANDBOX_SUBSCRIPTION_ID}" \
  --query "[?starts_with(name, 'snowops-f1-test-')].{name:name, scope:scope, policyDefinitionId:policyDefinitionId}" \
  --output table

Expected: exactly one row whose name matches the unique initiative name from the test log (e.g., snowops-f1-test-abc123), with policyDefinitionId pointing to a Microsoft.Authorization/policySetDefinitions/... ARM path.

  2. Verify the workspace and its Activity Log diagnostic:
# Workspace
az monitor log-analytics workspace show \
  --resource-group "snowops-f1-test-<suffix>-rg" \
  --workspace-name "snowops-f1-test-<suffix>-law" \
  --query "{sku:sku.name, retention:retentionInDays, ingestionEnabled:publicNetworkAccessForIngestion}" \
  --output table

# Activity Log diagnostic forwarding into it
az monitor diagnostic-settings subscription list \
  --query "value[?starts_with(name, 'snowops-f1-test-')].{name:name, workspace:workspaceId}" \
  --output table

Expected: workspace shows sku.name = PerGB2018, retention = 30, publicNetworkAccessForIngestion = Enabled. Diagnostic-settings list shows one row with the workspace ID matching the workspace's ARM ID.

  3. Confirm policy compliance state is being evaluated (read-only):
az policy state list --policy-assignment "snowops-f1-test-<suffix>" \
  --query "[].{resource:resourceId, state:complianceState, policy:policyDefinitionName}" \
  --output table

Expected: results may take 5–30 min to populate; an empty list immediately after apply is normal. The check is that the command itself does not error out, confirming Azure recognizes the assignment.


Pass criteria

  • TestBaselineValidate passes (no cloud needed)
  • TestBaselineModule passes end-to-end (real Azure apply + destroy)
  • Workspace created in the test RG with PerGB2018 SKU + 30-day retention
  • Policy set definition created with name snowops-f1-test-<suffix>
  • Subscription-scope policy assignment present on the sandbox sub
  • Activity Log diagnostic forwards 8 categories into the new workspace
  • All Destroy calls complete without error
  • No orphaned resource groups remain (verify with az group list -o table)
  • All test resources tagged ephemeral = true (X7 cleanup safety net)

Teardown

The test fixture tags all resources ephemeral=true. If the test fails mid-run and resources are orphaned, clean up manually:

# RG (workspace + everything under it)
az group delete --name "snowops-f1-test-<suffix>-rg" --yes --no-wait

# Sub-scope leftovers (policy assignment, set definition, activity-log diagnostic)
az policy assignment delete \
  --name "snowops-f1-test-<suffix>" \
  --scope "/subscriptions/${SNOWOPS_SANDBOX_SUBSCRIPTION_ID}"

az policy set-definition delete \
  --name "snowops-f1-test-<suffix>" \
  --subscription "${SNOWOPS_SANDBOX_SUBSCRIPTION_ID}"

az monitor diagnostic-settings subscription delete \
  --name "snowops-f1-test-<suffix>" \
  --yes

Or let the X7 nightly cleanup workflow handle the RG; the sub-scope artifacts need manual removal because they are not RG-scoped.
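
The Part C sub-scope check can be scripted so it fails loudly instead of relying on reading a table, and run again after teardown with an expected count of 0 to confirm no policy assignment was orphaned. This is an added example, not code from the repo: the function name check_assignment_rows is hypothetical, and it assumes the Part C query is switched to an array projection with --output tsv, as shown in the comment.

```shell
#!/usr/bin/env bash
# Added example, not from the runbook's repo. Feed it the Part C query as TSV:
#   az policy assignment list --scope "/subscriptions/${SNOWOPS_SANDBOX_SUBSCRIPTION_ID}" \
#     --query "[?starts_with(name, 'snowops-f1-test-')].[name, scope, policyDefinitionId]" \
#     --output tsv | check_assignment_rows "${SNOWOPS_SANDBOX_SUBSCRIPTION_ID}" 1
# Use an expected count of 0 after teardown to confirm nothing was orphaned.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_assignment_rows <subscription-guid> <expected-row-count>  (hypothetical helper)
# Reads TSV rows (name, scope, policyDefinitionId) on stdin. Returns 0 only if the
# row count matches and every row is an initiative assigned at subscription scope.
check_assignment_rows() {
  sub_scope=$(lower "/subscriptions/$1")
  expected=$2
  count=0
  rc=0
  tab=$(printf '\t')
  # "|| [ -n "$name" ]" keeps a final row that lacks a trailing newline.
  while IFS="$tab" read -r name scope def_id || [ -n "$name" ]; do
    [ -n "$name" ] || continue            # skip blank lines
    count=$((count + 1))
    # ARM resource IDs are case-insensitive, so compare lower-cased.
    if [ "$(lower "$scope")" != "$sub_scope" ]; then
      echo "FAIL: $name is assigned at '$scope', not at subscription scope" >&2
      rc=1
    fi
    case "$(lower "$def_id")" in
      */providers/microsoft.authorization/policysetdefinitions/*) ;;
      *) echo "FAIL: $name does not reference a policy set definition" >&2
         rc=1 ;;
    esac
  done
  if [ "$count" -ne "$expected" ]; then
    echo "FAIL: expected $expected matching assignment(s), found $count" >&2
    rc=1
  fi
  return "$rc"
}
```

A non-zero exit with an expected count of 0 after teardown means a sub-scope assignment is still present and needs the manual delete above.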


Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: