fix(sdk): restore single quotes in sdk-tests.yml, keep only -p no:randomly removal

fix(sdk): address copilot review comments on error message and unused parameter
fix(sdk): add autouse mock_aws fixture and leak detector to prevent AWS test leaks
2026-04-09 11:17:08 +00:00 · 2026-04-08 13:42:14 +02:00 · 2026-04-08 12:10:33 +02:00 · 2026-04-08 10:28:23 +02:00
4 changed files with 62 additions and 3 deletions
--- a/.github/workflows/sdk-tests.yml
+++ b/.github/workflows/sdk-tests.yml
@@ -216,11 +216,11 @@ jobs:
          echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"

          if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
          elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
            echo "No AWS service paths detected; skipping AWS tests."
          else
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
          fi
        env:
          STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -35,6 +35,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Azure Key Vault checks emitting incorrect findings for keys, secrets, and vault logging [(#10332)](https://github.com/prowler-cloud/prowler/pull/10332)
 - `_enabled_regions` empty-set bug in `AwsProvider.generate_regional_clients` creating boto3 clients for all 36 AWS regions instead of the audited ones, causing random CI timeouts and slow test runs [(#10598)](https://github.com/prowler-cloud/prowler/pull/10598)
 - Retrieve only the latest version from a package in AWS CodeArtifact [(#10243)](https://github.com/prowler-cloud/prowler/pull/10243)
+- AWS SDK test isolation: autouse `mock_aws` fixture and leak detector in `conftest.py` to prevent tests from hitting real AWS endpoints, with idempotent organization setup for tests calling `set_mocked_aws_provider` multiple times [(#10605)](https://github.com/prowler-cloud/prowler/pull/10605)

 ### 🔐 Security

--- a/tests/providers/aws/conftest.py
+++ b/tests/providers/aws/conftest.py
@@ -0,0 +1,46 @@
+import pytest
+from unittest.mock import patch
+
+from moto import mock_aws
+
+
+@pytest.fixture(autouse=True)
+def _mock_aws_globally():
+    """Activate moto's mock_aws for every test under tests/providers/aws/.
+
+    This prevents any test from accidentally hitting real AWS endpoints,
+    even if it forgets to add @mock_aws on the method. Tests that never
+    call boto3 are unaffected (mock_aws is a no-op in that case).
+    """
+    with mock_aws():
+        yield
+
+
+@pytest.fixture(autouse=True)
+def _detect_aws_leaks():
+    """Fail the test if any HTTP request reaches a real AWS endpoint."""
+    calls = []
+    original_send = None
+
+    try:
+        from botocore.httpsession import URLLib3Session
+
+        original_send = URLLib3Session.send
+    except ImportError:
+        yield
+        return
+
+    def tracking_send(self, request):
+        url = getattr(request, "url", str(request))
+        if ".amazonaws.com" in url:
+            calls.append(url)
+        return original_send(self, request)
+
+    with patch.object(URLLib3Session, "send", tracking_send):
+        yield
+
+    if calls:
+        pytest.fail(
+            f"Test leaked {len(calls)} real AWS call(s):\n"
+            + "\n".join(f"  - {url}" for url in calls[:5])
+        )
--- a/tests/providers/aws/utils.py
+++ b/tests/providers/aws/utils.py
@@ -116,6 +116,12 @@ def set_mocked_aws_provider(
    status: list[str] = [],
    create_default_organization: bool = True,
 ) -> AwsProvider:
+    if audited_regions is None:
+        raise ValueError(
+            "audited_regions is None, which means all 36 regions will be used. "
+            "Pass an explicit list of regions instead."
+        )
+
    if create_default_organization:
        # Create default AWS Organization
        create_default_aws_organization()
@@ -191,7 +197,13 @@ def create_default_aws_organization():
    mockdomain = "moto-example.org"
    mockemail = "@".join([mockname, mockdomain])

-    _ = organizations_client.create_organization(FeatureSet="ALL")["Organization"]["Id"]
+    try:
+        _ = organizations_client.create_organization(FeatureSet="ALL")["Organization"][
+            "Id"
+        ]
+    except organizations_client.exceptions.AlreadyInOrganizationException:
+        return
+
    account_id = organizations_client.create_account(
        AccountName=mockname, Email=mockemail
    )["CreateAccountStatus"]["AccountId"]
Author	SHA1	Message	Date
Josema Camacho	2f379f9663	fix(sdk): restore single quotes in sdk-tests.yml, keep only -p no:randomly removal	2026-04-08 13:42:14 +02:00
Josema Camacho	b50a9c5bce	fix(sdk): address copilot review comments on error message and unused parameter	2026-04-08 12:10:33 +02:00
Josema Camacho	b0d0e995ad	fix(sdk): add autouse mock_aws fixture and leak detector to prevent AWS test leaks	2026-04-08 10:28:23 +02:00