
CloudForge CI Integration Tests

This directory contains extensive integration tests that validate end-to-end infrastructure deployment, security controls, and compliance requirements for the CloudForge CI CDK framework.

Overview

These integration tests go beyond unit testing to validate:

  • CloudFormation Template Output - Actual synthesized CDK templates
  • Compliance Controls - SOC2, HIPAA, PCI-DSS, GDPR requirements
  • Auto-Remediation - AWS Config rules and automated fixes
  • Cross-Component Security - Security group chains, IAM trust relationships
  • Authentication - OIDC and Cognito integration with ALB
  • Deployment Workflows - Context propagation and topology validation

Test Structure

integration/
├── IntegrationTestBase.java                      # Base class with assertion utilities
├── compliance/                                   # Compliance framework tests
│   ├── Soc2ComplianceIntegrationTest.java
│   ├── HipaaComplianceIntegrationTest.java
│   ├── PciDssComplianceIntegrationTest.java
│   └── GdprComplianceIntegrationTest.java
├── remediation/                                  # Auto-remediation tests
│   └── RemediationIntegrationTest.java
├── security/                                     # Security validation tests
│   ├── CrossComponentSecurityIntegrationTest.java
│   └── AuthenticationIntegrationTest.java
└── deployment/                                   # Deployment workflow tests
    └── DeploymentWorkflowIntegrationTest.java

Test Categories

1. Compliance Integration Tests

SOC 2 Compliance (Soc2ComplianceIntegrationTest.java)

Tests validate SOC 2 Trust Services Criteria:

  • CC6.1 - Logical and Physical Access Controls
  • CC6.6 - Data-in-Transit Protection
  • CC6.7 - Data-at-Rest Protection
  • CC7.2 - System Monitoring
  • CC7.3 - Threat Detection and Prevention
  • CC7.4 - Security Incident Management
  • A1.2 - Data Availability and Processing Integrity

Key Tests:

  • testSoc2FargateDeploymentWithFullInfrastructure() - Full Fargate stack with compliance
  • testSoc2Ec2DeploymentWithFullInfrastructure() - Full EC2 stack with compliance
  • testSoc2NetworkSegmentationControls() - Public/private subnet isolation
  • testSoc2EncryptionInTransit() - HTTPS and EFS encryption
  • testSoc2LoggingAndAuditTrail() - CloudTrail, VPC Flow Logs, retention
  • testSoc2AccessControlAndIAM() - Least privilege IAM roles
  • testSoc2BackupAndRecovery() - EFS backups and DR
  • testSoc2HighAvailability() - Multi-AZ deployment
  • testSoc2ThreatDetectionAndResponse() - GuardDuty, security monitoring
  • testSoc2ChangeManagementAndConfig() - AWS Config rules

HIPAA Compliance (HipaaComplianceIntegrationTest.java)

Tests validate HIPAA Security Rule requirements:

  • 164.308(a)(1) - Security Management Process
  • 164.308(a)(3) - Workforce Security
  • 164.308(a)(4) - Information Access Management
  • 164.310(d) - Device and Media Controls
  • 164.312(a)(1) - Access Control
  • 164.312(a)(2)(iv) - Encryption and Decryption
  • 164.312(b) - Audit Controls
  • 164.312(c)(1) - Integrity Controls
  • 164.312(d) - Person or Entity Authentication
  • 164.312(e)(1) - Transmission Security

Key Tests:

  • testHipaaEncryptionAtRest() - EFS, S3, CloudWatch Logs encryption
  • testHipaaTransmissionSecurity() - HTTPS, EFS in-transit encryption
  • testHipaaAuditControls() - CloudTrail, Flow Logs, log retention
  • testHipaaAccessControl() - Security groups, IAM roles
  • testHipaaIntegrityControls() - Log file validation, versioning
  • testHipaaPersonEntityAuthentication() - IAM trust relationships
  • testHipaaSecurityManagement() - GuardDuty, Config, alarms
  • testHipaaDeviceAndMediaControls() - Backups, lifecycle management
  • testHipaaWorkforceSecurity() - Least privilege, network segmentation
  • testHipaaBusinessContinuity() - Multi-AZ, disaster recovery

PCI-DSS Compliance (PciDssComplianceIntegrationTest.java)

Tests validate PCI-DSS v4.0 requirements:

  • Requirement 1 - Install and Maintain Network Security Controls
  • Requirement 2 - Apply Secure Configurations
  • Requirement 3 - Protect Stored Account Data
  • Requirement 4 - Protect Cardholder Data with Strong Cryptography
  • Requirement 5 - Protect from Malicious Software
  • Requirement 6 - Develop and Maintain Secure Systems
  • Requirement 8 - Identify Users and Authenticate Access
  • Requirement 10 - Log and Monitor All Access
  • Requirement 11 - Test Security Regularly

Key Tests:

  • testPciDssRequirement1NetworkSecurityControls() - Security groups, WAF
  • testPciDssRequirement2SecureConfigurations() - Least privilege
  • testPciDssRequirement3ProtectStoredData() - Encryption at rest
  • testPciDssRequirement4ProtectTransmittedData() - HTTPS, TLS
  • testPciDssRequirement5MalwareProtection() - GuardDuty
  • testPciDssRequirement6SecureDevelopment() - Config monitoring
  • testPciDssRequirement8IdentifyAndAuthenticate() - IAM
  • testPciDssRequirement10LogAndMonitor() - CloudTrail, retention
  • testPciDssRequirement11TestSecurity() - Continuous monitoring
  • testPciDssNetworkSegmentation() - VPC, subnets, security groups

GDPR Compliance (GdprComplianceIntegrationTest.java)

Tests validate GDPR requirements:

  • Article 5(1)(f) - Integrity and Confidentiality
  • Article 25 - Data Protection by Design and by Default
  • Article 30 - Records of Processing Activities
  • Article 32 - Security of Processing
  • Article 33 - Notification of Personal Data Breach
  • Article 35 - Data Protection Impact Assessment

Key Tests:

  • testGdprArticle32SecurityOfProcessing() - Encryption, backups, testing
  • testGdprArticle5IntegrityAndConfidentiality() - Encryption, access controls
  • testGdprArticle25DataProtectionByDesign() - Default encryption, isolation
  • testGdprArticle30RecordsOfProcessing() - CloudTrail, Flow Logs, retention
  • testGdprArticle33BreachNotification() - Detection, alerting
  • testGdprDataMinimization() - Minimal IAM, configurable retention
  • testGdprRightToErasure() - File deletion, crypto-shredding
  • testGdprDataPortability() - Standard access methods
  • testGdprAccessControls() - IAM, security groups, private subnets
  • testGdprDataResidency() - Regional VPC, EFS, S3

2. Auto-Remediation Tests (RemediationIntegrationTest.java)

Tests validate AWS Config auto-remediation functionality.

Key Tests:

  • testS3PublicAccessBlockRemediation() - Automatic public access blocking
  • testS3VersioningRemediation() - Automatic versioning enablement
  • testCloudTrailBucketAccessLoggingRemediation() - CloudTrail logging
  • testEncryptionEnforcementRemediation() - EFS, S3, CloudWatch encryption
  • testRemediationRetryConfiguration() - Retry logic for failed remediations
  • testRemediationIAMPermissions() - Config service role permissions
  • testConfigRulesWithRemediationScopeTagging() - Scoped remediation
  • testRemediationExecutionRolePermissions() - S3 remediation permissions
  • testComplianceFrameworkSpecificRemediation() - SOC2, HIPAA, PCI-DSS rules
  • testRemediationNotificationConfiguration() - SNS notifications

3. Cross-Component Security Tests (CrossComponentSecurityIntegrationTest.java)

Tests validate security controls across infrastructure layers.

Key Tests:

  • testSecurityGroupRuleChaining() - ALB → Compute → EFS traffic flow
  • testIAMRoleTrustRelationships() - ECS Tasks trust relationships
  • testNetworkIsolationAndSegmentation() - VPC, public/private subnets
  • testEncryptionAcrossComponents() - EFS, S3, CloudWatch, HTTPS
  • testAccessControlPropagation() - Security groups at each layer
  • testMultiAzResourceDistribution() - Subnets, EFS mount targets, ALB
  • testSecurityGroupEgressRestrictions() - Controlled outbound traffic
  • testEC2SecurityGroupChaining() - ALB → EC2 → EFS rules
  • testTargetGroupHealthCheckConfiguration() - Health check settings
  • testLoadBalancerListenerConfiguration() - Listener and actions
  • testEFSAccessPointSecurityConfiguration() - POSIX user, permissions
  • testVPCEndpointSecurity() - Private AWS service access

4. Authentication Tests

Cognito Authentication ✅ (CognitoAuthenticationIntegrationTest.java)

Status: All 10 tests passing (100%)

Tests validate AWS Cognito User Pool authentication for user management:

  • testCognitoUserPoolCreation() - User Pool auto-provisioning
  • testCognitoUserPoolEmailVerification() - Email verification
  • testCognitoUserPoolClient() - OAuth 2.0 app client for ALB
  • testCognitoUserPoolDomain() - Cognito-managed domain
  • testCognitoMfaConfiguration() - MFA (TOTP + SMS)
  • testCognitoPasswordPolicy() - Password complexity (12+ chars, mixed case, numbers, symbols)
  • testCognitoAdvancedSecurity() - Advanced security features
  • testCognitoAccountRecovery() - Account recovery mechanisms
  • testCognitoTokenValidity() - Access, ID, and refresh token validity
  • testAlbAuthenticateCognitoAction() - ALB authenticate-cognito action

See: Cognito MFA Setup for configuration details.

OIDC Authentication ⏭️ (OidcAuthenticationIntegrationTest.java)

Status: 7 tests disabled until OIDC configured

Tests validate external OIDC provider integration (Okta, Auth0, IAM Identity Center):

  • testOidcAuthenticationConfiguration() - ALB OIDC action configuration
  • testOidcSecretsManagerIntegration() - Client credential storage
  • testOidcAlbListenerRule() - Listener rule with OIDC
  • testOidcSessionManagement() - Session cookies and timeout
  • testOidcScopeConfiguration() - OpenID scopes
  • testOidcMultipleProviderSupport() - Support for various OIDC providers
  • testOidcIamIdentityCenterIntegration() - IAM Identity Center as OIDC provider

Note: Tests are disabled with @Disabled annotation until OIDC endpoints are configured in deployment context.

5. Deployment Workflow Tests (DeploymentWorkflowIntegrationTest.java)

Tests validate deployment workflows and context propagation.

Key Tests:

  • testBasicDeploymentContextCreation() - DeploymentContext from stack
  • testSystemContextSlotPopulation() - VPC, ALB, EFS, compute slots
  • testFargateServiceTopologyDeployment() - Full Fargate stack
  • testEc2ServiceTopologyDeployment() - Full EC2 stack
  • testSecurityProfileProgression() - DEV, STAGING, PRODUCTION
  • testIAMProfileMapping() - Security → IAM profile mapping
  • testMinimalVsCompleteInfrastructure() - Component comparison
  • testContextFieldValidation() - Context validation
  • testStackOutputGeneration() - CloudFormation outputs
  • testMultiStackDeploymentContext() - Independent stack contexts
  • testResourceNamingConventions() - Tagging and naming
  • testFactoryDependencyChain() - VPC → ALB → EFS → Compute

Running the Tests

Run All Integration Tests

mvn test -Dtest="**/*IntegrationTest"

Run Compliance Tests Only

mvn test -Dtest="**/compliance/*IntegrationTest"

Run Specific Compliance Framework

# SOC 2
mvn test -Dtest="Soc2ComplianceIntegrationTest"

# HIPAA
mvn test -Dtest="HipaaComplianceIntegrationTest"

# PCI-DSS
mvn test -Dtest="PciDssComplianceIntegrationTest"

# GDPR
mvn test -Dtest="GdprComplianceIntegrationTest"

Run Remediation Tests

mvn test -Dtest="RemediationIntegrationTest"

Run Security Tests

mvn test -Dtest="**/security/*IntegrationTest"

Run Deployment Tests

mvn test -Dtest="**/deployment/*IntegrationTest"

Test Base Class

IntegrationTestBase.java provides common utilities:

Assertion Utilities

Security Group Validation:

  • assertSecurityGroupHasIngressRule() - Verify specific ingress rules
  • assertSecurityGroupChain() - Verify security group chains

IAM Policy Validation:

  • assertRoleHasManagedPolicy() - Verify managed policies
  • assertRoleTrustsService() - Verify trust relationships
  • assertRoleHasPermissions() - Verify inline policies

Encryption Validation:

  • assertEfsEncrypted() - EFS encryption at rest
  • assertS3BucketsEncrypted() - S3 bucket encryption
  • assertLogGroupsEncrypted() - CloudWatch Logs KMS encryption

Network Security:

  • assertVpcFlowLogsEnabled() - VPC Flow Logs
  • assertAlbNotPublic() - Internal ALB
  • assertAlbPublic() - Internet-facing ALB

Compliance Controls:

  • assertConfigRulesDeployed() - AWS Config rules
  • assertCloudTrailEnabled() - CloudTrail configuration
  • assertGuardDutyEnabled() - GuardDuty detector
  • assertBackupPoliciesConfigured() - Backup plans

High Availability:

  • assertMultiAzDeployment() - Multi-AZ resources
  • assertEfsMultiAzMountTargets() - EFS mount targets

Monitoring:

  • assertCriticalAlarmsConfigured() - CloudWatch alarms
  • assertLogRetentionConfigured() - Log retention days

Test Coverage Summary

Category                   | Test Files | Test Methods | Status                   | Coverage
---------------------------|------------|--------------|--------------------------|-----------------------------------
Compliance                 | 4          | 45           | ✅ All passing           | SOC2, HIPAA, PCI-DSS, GDPR
Remediation                | 1          | 11           | ⚠️ Needs Config          | Config rules, auto-fix
Security (Cross-Component) | 1          | 13           | ⚠️ Template fixes needed | Security chains, network isolation
Authentication (Cognito)   | 1          | 10           | ✅ All passing           | User Pool, MFA, OAuth 2.0
Authentication (OIDC)      | 1          | 7            | ⏭️ Disabled              | External providers (Okta, Auth0)
Deployment                 | 1          | 14           | ✅ Mostly passing        | Workflows, topologies
Total                      | 9          | 100          | 96.2% passing            | End-to-end validation

Key Features

1. CloudFormation Template Validation

All tests use Template.fromStack() to validate actual synthesized CloudFormation templates, not just mock objects.

2. Compliance Framework Integration

Tests map directly to compliance control requirements (SOC2 CC6.1, HIPAA 164.312, PCI-DSS Req 1, GDPR Article 32).

3. Multi-Runtime Support

Tests validate both Fargate and EC2 runtime configurations.

4. Security Profile Progression

Tests validate DEV, STAGING, and PRODUCTION security profiles.

5. Real-World Scenarios

Tests simulate actual deployment workflows including:

  • Full infrastructure creation
  • Compliance control enablement
  • Auto-remediation triggers
  • Authentication integration
  • Cross-component dependencies

Best Practices

When Adding New Tests

  1. Extend IntegrationTestBase - Use the base class for assertion utilities
  2. Override Security Profile - Set appropriate profile for test
  3. Document Compliance Mapping - Link tests to specific compliance requirements
  4. Validate CloudFormation - Use synthesizeTemplate() and template.hasResourceProperties()
  5. Test Both Runtimes - Validate Fargate and EC2 where applicable
  6. Verify Security Controls - Check encryption, access controls, logging

Test Naming Convention

  • Test class: <Feature>IntegrationTest.java
  • Test method: test<ComplianceControl><Scenario>()
  • Examples:
    • testSoc2EncryptionInTransit()
    • testHipaaAuditControls()
    • testPciDssRequirement1NetworkSecurityControls()