feat: group membership tests (#18)

westonplatter · web-flow · commit 8d43a90077f8 · 2025-08-04T13:36:31.000-06:00
## Summary - Add test for multiple users in single group scenario - Add test for single user belonging to multiple groups - Add test for user referencing non-existent group (failure case) ## Test Coverage Added - **Multiple Users, Single Group**: Validates that multiple users can be assigned to the same group with different roles (member, owner, manager) - **Single User, Multiple Groups**: Verifies one user can belong to multiple groups while ensuring they're not added to unused groups - **Non-existent Group Reference**: Tests failure handling when users reference groups that don't exist in the groups variable ## Technical Details - All tests use mock provider for safe execution - Tests validate proper role assignment and group membership creation - Comprehensive assertions ensure group_id, email, and role mappings work correctly - Failure test confirms proper error handling for configuration issues 🤖 Generated with [Claude Code](https://claude.ai/code)
diff --git a/.gitignore b/.gitignore
@@ -45,5 +45,6 @@ backend.tf.json
 **/*.*swp
 **/.DS_Store
 
+CLAUDE.md
 .cursor/rules
 .claude
diff --git a/tests/variables_users.tftest.hcl b/tests/variables_users.tftest.hcl
@@ -492,3 +492,178 @@ run "group_member_type_invalid" {
 
   expect_failures = [var.users]
 }
+
+# -----------------------------------------------------------------------------
+# --- validate multiple users in single group
+# -----------------------------------------------------------------------------
+
+run "multiple_users_single_group_success" {
+  command = apply # Uses mock provider, no real resources created
+
+  providers = {
+    googleworkspace = googleworkspace.mock
+  }
+
+  variables {
+    users = {
+      "user1@example.com" = {
+        primary_email = "user1@example.com"
+        family_name  = "One"
+        given_name   = "User"
+        groups = {
+          "shared-team" = {
+            role = "member"
+          }
+        }
+      }
+      "user2@example.com" = {
+        primary_email = "user2@example.com"
+        family_name  = "Two"
+        given_name   = "User"
+        groups = {
+          "shared-team" = {
+            role = "owner"
+          }
+        }
+      }
+      "user3@example.com" = {
+        primary_email = "user3@example.com"
+        family_name  = "Three"
+        given_name   = "User"
+        groups = {
+          "shared-team" = {
+            role = "manager"
+          }
+        }
+      }
+    }
+    groups = {
+      "shared-team" = {
+        name  = "Shared Team"
+        email = "shared-team@example.com"
+      }
+    }
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["shared-team@example.com/user1@example.com"].role == "MEMBER"
+    error_message = "Expected user1 role to be 'MEMBER', got: ${googleworkspace_group_member.user_to_groups["shared-team@example.com/user1@example.com"].role}"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["shared-team@example.com/user2@example.com"].role == "OWNER"
+    error_message = "Expected user2 role to be 'OWNER', got: ${googleworkspace_group_member.user_to_groups["shared-team@example.com/user2@example.com"].role}"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["shared-team@example.com/user3@example.com"].role == "MANAGER"
+    error_message = "Expected user3 role to be 'MANAGER', got: ${googleworkspace_group_member.user_to_groups["shared-team@example.com/user3@example.com"].role}"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["shared-team@example.com/user1@example.com"].group_id == "shared-team@example.com"
+    error_message = "Expected group_id to be 'shared-team@example.com'"
+  }
+}
+
+run "single_user_multiple_groups_success" {
+  command = apply # Uses mock provider, no real resources created
+
+  providers = {
+    googleworkspace = googleworkspace.mock
+  }
+
+  variables {
+    users = {
+      "multi.group@example.com" = {
+        primary_email = "multi.group@example.com"
+        family_name  = "Group"
+        given_name   = "Multi"
+        groups = {
+          "dev-team" = {
+            role = "member"
+          }
+          "admin-team" = {
+            role = "owner"
+          }
+        }
+      }
+    }
+    groups = {
+      "dev-team" = {
+        name  = "Development Team"
+        email = "dev-team@example.com"
+      }
+      "admin-team" = {
+        name  = "Admin Team"
+        email = "admin-team@example.com"
+      }
+      "not-used-group" = {
+        name  = "Not Used Group"
+        email = "not-used-group@example.com"
+      }
+    }
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["dev-team@example.com/multi.group@example.com"].role == "MEMBER"
+    error_message = "Expected user role in dev-team to be 'MEMBER', got: ${googleworkspace_group_member.user_to_groups["dev-team@example.com/multi.group@example.com"].role}"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["admin-team@example.com/multi.group@example.com"].role == "OWNER"
+    error_message = "Expected user role in admin-team to be 'OWNER', got: ${googleworkspace_group_member.user_to_groups["admin-team@example.com/multi.group@example.com"].role}"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["dev-team@example.com/multi.group@example.com"].email == "multi.group@example.com"
+    error_message = "Expected user email in dev-team to be 'multi.group@example.com'"
+  }
+
+  assert {
+    condition = googleworkspace_group_member.user_to_groups["admin-team@example.com/multi.group@example.com"].email == "multi.group@example.com"
+    error_message = "Expected user email in admin-team to be 'multi.group@example.com'"
+  }
+
+  assert {
+    condition = !contains(keys(googleworkspace_group_member.user_to_groups), "not-used-group@example.com/multi.group@example.com")
+    error_message = "Expected user to not be in not-used-group"
+  }
+}
+
+run "user_references_nonexistent_group_failure" {
+  command = plan
+
+  providers = {
+    googleworkspace = googleworkspace.mock
+  }
+
+  variables {
+    users = {
+      "bad.user@example.com" = {
+        primary_email = "bad.user@example.com"
+        family_name  = "User"
+        given_name   = "Bad"
+        groups = {
+          "existing-group" = {
+            role = "member"
+          }
+          "missing-group" = {
+            role = "member"
+          }
+        }
+      }
+    }
+    groups = {
+      "existing-group" = {
+        name  = "Existing Group"
+        email = "existing-group@example.com"
+      }
+      # Note: missing-group is not defined here
+    }
+  }
+
+  expect_failures = [
+    googleworkspace_group_member.user_to_groups
+  ]
+}
