feat: Validation script rewrite with more checks. (#237)

### Summary

Adding a new script (replacing previously existing one) for customers to
be able to run after applying CFT in order to validate and help
troubleshoot any issues.

Checks included:
* Cross-Account Role Policy Simulation (Applies for Rift and EMR/DBX)
* Rift Compute roles policy simulation
* Rift VPC (Subnets, Security Group) validation
* EMR VPC (Subnets) validation

Included a readme with instructions - script can be run most easily with
`uv`, but also can be run in virtualenv (with dependencies listed in
readme, directly in
[cli.py](https://app.graphite.dev/github/pr/tecton-ai/tecton-terraform-setup/237/feat-Validation-script-rewrite-with-more-checks.?org=tecton-ai#file-scripts/validate-tecton.py),
and also a requirements file).

Running the script looks like:
```sh
uv run scripts/validate-tecton.py \
  --compute-engine rift \
  --terraform-outputs outputs.json
```

Also added [readme within script directory
](https://github.com/tecton-ai/tecton-terraform-setup/blob/validate-v2/scripts/tecton_validate/README.md)describing
implementation/how to add more checks.
### Testing


![image.png](https://graphite-user-uploaded-assets-prod.s3.amazonaws.com/oEOVnVDr6Oa3V9nHrGBV/b16660a5-3cfd-4993-a381-eaa5db03c139.png)


![image.png](https://graphite-user-uploaded-assets-prod.s3.amazonaws.com/oEOVnVDr6Oa3V9nHrGBV/1c1d8281-a562-4699-a28c-2a6c9d7d6afe.png)

Author: eshiferax

.gitignore

@@ -2,3 +2,5 @@
 *.iml
 **/.terraform
 
+scripts/.venv/
+*.pyc

README.md

@@ -62,3 +62,7 @@ module "tecton" {
 ```
 
 Please refer to the specific `README.md` within each module's directory for detailed instructions and the full list of variables for that module.
+
+
+### Validation Script
+There is a validation script ([details here](./scripts/README.md)) that can be run after applying one of the above modules, to check that the expected resources are in lace.

modules/dataplane_rift_with_emr/README.md

@@ -38,7 +38,6 @@ module "tecton" {
   tecton_control_plane_account_id    = "987654321098"     # Replace with Tecton's Control Plane Account ID
   cross_account_external_id          = "your-external-id" # Replace with the External ID from Tecton
   tecton_control_plane_role_name     = "TectonControlPlaneRole" # Role name from Tecton
-  include_crossaccount_bucket_access = false
 
   # Get outputs destination URL from Tecton
   outputs_location_config = {

modules/tecton_outputs/README.md

@@ -104,7 +104,7 @@ Refer to `variables.tf` for full documentation of new parameters.
 |------|-------------|------|---------|:--------:|
 | <a name="input_control_plane_account_id"></a> [control\_plane\_account\_id](#input\_control\_plane\_account\_id) | The AWS account ID of the Tecton control plane | `string` | n/a | yes |
 | <a name="input_deployment_name"></a> [deployment\_name](#input\_deployment\_name) | The name of the Tecton deployment | `string` | n/a | yes |
-| <a name="input_outputs_data"></a> [outputs\_data](#input\_outputs\_data) | Tecton deployment outputs data to store in S3. Different deployment types (controlplane\_rift, dataplane\_rift, emr, databricks, etc.) will provide different subsets of these fields. | <pre>object({<br/>    # Core fields - present in all deployment types<br/>    deployment_name           = string<br/>    region                   = string  <br/>    cross_account_role_arn   = string<br/>    cross_account_external_id = string<br/>    kms_key_arn              = optional(string)<br/><br/>    # Rift compute fields - present in dataplane_rift and dataplane_rift_with_emr<br/>    compute_manager_arn                 = optional(string)<br/>    compute_instance_profile_arn        = optional(string) <br/>    compute_arn                         = optional(string)<br/>    vm_workload_subnet_ids              = optional(string)<br/>    anyscale_docker_target_repo         = optional(string)<br/>    nat_gateway_public_ips              = optional(list(string))<br/>    rift_compute_security_group_id      = optional(string)<br/><br/>    # EMR/Spark fields - present in emr and dataplane_rift_with_emr<br/>    spark_role_arn                      = optional(string)<br/>    spark_instance_profile_arn          = optional(string)<br/>    emr_master_role_arn                 = optional(string)<br/>    notebook_cluster_id                 = optional(string)<br/>    vpc_id                              = optional(string)<br/>    emr_subnet_id                       = optional(string)<br/>    emr_subnet_route_table_ids          = optional(list(string))<br/>    emr_security_group_id               = optional(string)<br/>    emr_service_security_group_id       = optional(string)<br/><br/>    # Databricks-specific fields - present in databricks module<br/>    spark_role_name                     = optional(string)<br/>    spark_instance_profile_name         = optional(string)<br/>    databricks_workspace_url            = optional(string)<br/>  })</pre> | n/a | yes |
+| <a name="input_outputs_data"></a> [outputs\_data](#input\_outputs\_data) | Tecton deployment outputs data to store in S3. Different deployment types (controlplane\_rift, dataplane\_rift, emr, databricks, etc.) will provide different subsets of these fields. | <pre>object({<br/>    # Core fields - present in all deployment types<br/>    deployment_name           = string<br/>    region                   = string  <br/>    cross_account_role_arn   = string<br/>    cross_account_external_id = string<br/>    kms_key_arn              = optional(string)<br/>    dataplane_account_id     = optional(string)<br/><br/>    # Rift compute fields - present in dataplane_rift and dataplane_rift_with_emr<br/>    compute_manager_arn                 = optional(string)<br/>    compute_instance_profile_arn        = optional(string) <br/>    compute_arn                         = optional(string)<br/>    vm_workload_subnet_ids              = optional(string)<br/>    anyscale_docker_target_repo         = optional(string)<br/>    nat_gateway_public_ips              = optional(list(string))<br/>    rift_compute_security_group_id      = optional(string)<br/><br/>    # EMR/Spark fields - present in emr and dataplane_rift_with_emr<br/>    spark_role_arn                      = optional(string)<br/>    spark_instance_profile_arn          = optional(string)<br/>    emr_master_role_arn                 = optional(string)<br/>    notebook_cluster_id                 = optional(string)<br/>    vpc_id                              = optional(string)<br/>    emr_subnet_id                       = optional(string)<br/>    emr_subnet_route_table_ids          = optional(list(string))<br/>    emr_security_group_id               = optional(string)<br/>    emr_service_security_group_id       = optional(string)<br/><br/>    # Databricks-specific fields - present in databricks module<br/>    spark_role_name                     = optional(string)<br/>    spark_instance_profile_name         = optional(string)<br/>    databricks_workspace_url            = optional(string)<br/>  })</pre> | n/a | yes |
 | <a name="input_outputs_location_config"></a> [outputs\_location\_config](#input\_outputs\_location\_config) | Configuration for where to store the outputs. | <pre>object({<br/>    type = string # "new_bucket", "offline_store_bucket_path", or "tecton_hosted_presigned"<br/>    <br/>    # For offline_store_bucket_path<br/>    offline_store_bucket_name    = optional(string)<br/>    offline_store_bucket_path_prefix = optional(string, "internal/tecton-outputs/")<br/>    <br/>    # For tecton_hosted_presigned<br/>    tecton_presigned_write_url = optional(string)<br/>    trigger_upload             = optional(bool, false)<br/>  })</pre> | <pre>{<br/>  "tecton_presigned_write_url": "",<br/>  "trigger_upload": false,<br/>  "type": "tecton_hosted_presigned"<br/>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to resources | `map(string)` | `{}` | no |  
 ## Outputs

modules/tecton_outputs/variables.tf

@@ -23,6 +23,7 @@ variable "outputs_data" {
     cross_account_role_arn   = string
     cross_account_external_id = string
     kms_key_arn              = optional(string)
+    dataplane_account_id     = optional(string)
 
     # Rift compute fields - present in dataplane_rift and dataplane_rift_with_emr
     compute_manager_arn                 = optional(string)

scripts/README.md

@@ -1,20 +1,61 @@
-# Tecton Terraform Setup Scripts
+# Tecton Terraform Setup Validation
 
 ## Validate
 
-Databricks example:
+The `validate-tecton.py` script checks/validates your Tecton AWS setup based on the compute engine you're using.
 
-- This script should be run as a role which:
-    - can assume the cross-account role passed in as `--ca-role`
-    - has the permission: `iam:SimulateCustomPolicy` on `*`
-- If necessary, use of `aws-vault exec <some_other_role> -- ...` may be done as well for role chaining
+### Prerequisites
 
+- Python 3.9+
+- [uv](https://docs.astral.sh/uv/) (recommended) or Python environment with the following dependencies installed: `boto3`, `rich`, `jinja2`, `requests` ([requirements.txt](./requirements.txt))
+- AWS credentials configured (via CLI, environment variables, or IAM role) with [permissions required for simulating policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#permissions-required_policy-simulator), along with permissions to view S3 and VPC resources. Ideally, the same role you used to run the terraform modules.
+
+### Usage
+
+After _applying_ the terraform module (e.g `dataplane_rift`, `emr`, etc..), write the outputs to a json file with `terraform output -json > outputs.json`.
+
+#### Quick Start with uv (Recommended)
+
+The easiest way to run the validation script is with `uv`, which automatically handles all dependencies:
+
+
+**Rift Compute Engine:**
 ```shell
-python3 validate.py \
-  --region us-west-2 \
-  --external-id 'abd123' \
-  --account-id '1234567890' \
-  --ca-role 'my-tecton-deployment-ca-role' \
-  --deployment-name 'my-tecton-deployment' \
-  --spark-role 'my-tecton-deployment-spark-role'
+uv run scripts/validate-tecton.py \
+  --compute-engine rift \
+  --terraform-outputs outputs.json
 ```
+
+**Databricks Compute Engine:**
+```shell
+uv run scripts/validate-tecton.py \
+  --compute-engine databricks \
+  --terraform-outputs outputs.json
+```
+
+**Spark/EMR Compute Engine:**
+```shell
+uv run scripts/validate-tecton.py \
+  --compute-engine emr \
+  --terraform-outputs outputs.json
+```
+
+#### Alternative: Traditional Python
+
+If you prefer not to use uv, you can install dependencies manually and run with Python:
+
+You can find the [requirements.txt](./requirements.txt) file in this repo.
+
+```shell
+# (In virtual env) Install dependencies
+pip install -r requirements.txt
+
+# Run validation
+python3 scripts/validate-tecton.py \
+  --compute-engine rift \
+  --terraform-outputs outputs.json
+```
+
+### Contributing
+
+See [./tecton_validate/README.md](./tecton_validate/README.md) for details on how to add new checks.

scripts/requirements.txt

@@ -1,3 +1,18 @@
-boto3==1.25.5
-Jinja2==3.0.3
-Requests==2.31.0
+boto3==1.38.40
+botocore==1.38.40
+certifi==2025.6.15
+charset-normalizer==3.4.2
+idna==3.10
+Jinja2==3.1.6
+jmespath==1.0.1
+markdown-it-py==3.0.0
+MarkupSafe==3.0.2
+mdurl==0.1.2
+Pygments==2.19.1
+python-dateutil==2.9.0.post0
+requests==2.32.4
+rich==14.0.0
+s3transfer==0.13.0
+six==1.17.0
+typing_extensions==4.14.0
+urllib3==1.26.20

scripts/tecton_validate/README.md

@@ -0,0 +1,126 @@
+
+## Checks
+
+The validation system uses a modular check architecture that automatically discovers and runs validation checks based on the compute engine.
+
+### Core Components
+
+- **ValidationResult**: Represents the outcome of a single check with `name`, `success` (bool), `details`, and optional `remediation`
+- **ValidationCheck**: Couples a validation function with metadata (`name`, `run`, `remediation`, `only_for`)
+- **Check modules**: Python files in `tecton_validate/checks/` that define validation logic
+
+### How Checks Work
+
+1. **Auto-discovery**: All `.py` files in `tecton_validate/checks/` are automatically imported
+2. **Aggregation**: Each module's `CHECKS` list is collected into a master list
+3. **Filtering**: Only checks applicable to the specified `--compute-engine` are executed
+4. **Execution**: Each check receives CLI args, boto3 session, and Rich console for output
+
+### Adding a New Check
+
+Create a new check by adding a function and registering it in any check module:
+
+```python
+# In tecton_validate/checks/my_new_checks.py
+from tecton_validate.validation_types import ValidationCheck, ValidationResult
+import argparse
+import boto3
+from rich.console import Console
+
+def _check_my_feature(args: argparse.Namespace, session: boto3.Session, console: Console) -> ValidationResult:
+    """Check some aspect of the infrastructure."""
+    try:
+        # Your validation logic here
+        if everything_looks_good:
+            return ValidationResult(
+                name="My Feature Check",
+                success=True,
+                details="Feature is properly configured."
+            )
+        else:
+            return ValidationResult(
+                name="My Feature Check", 
+                success=False,
+                details="Feature misconfiguration detected.",
+                remediation="Run 'terraform apply' to fix the configuration."
+            )
+    except Exception as e:
+        return ValidationResult(
+            name="My Feature Check",
+            success=False, 
+            details=f"Error during validation: {e}",
+            remediation="Check AWS permissions and network connectivity."
+        )
+
+# Register the check
+CHECKS = [
+    ValidationCheck(
+        name="My Feature Check",
+        run=_check_my_feature,
+        remediation="Ensure feature is enabled in your Terraform configuration.",
+    )
+]
+```
+
+### Restricting Checks to Specific Compute Engines
+
+To make a check run only for certain compute engines, add an `only_for` attribute to the ValidationCheck object:
+
+```python
+# Check runs only for EMR
+MyCheck.only_for = ["emr"]
+
+# Check runs for multiple engines  
+MyCheck.only_for = ["emr", "databricks"]
+
+# No only_for attribute = runs for all engines (default)
+```
+
+Available compute engines: `"rift"`, `"emr"`, `"databricks"`
+
+### Expected Function Signature
+
+All check functions must follow this signature:
+
+```python
+def check_function(
+    args: argparse.Namespace,    # CLI arguments
+    session: boto3.Session,      # Configured AWS session  
+    console: Console             # Rich console for output
+) -> ValidationResult:
+    pass
+```
+
+### Common Patterns
+
+**AWS Resource Checks:**
+```python
+def _check_s3_bucket(args, session, console):
+    s3 = session.client("s3")
+    bucket_name = f"tecton-{args.cluster_name}"
+    try:
+        s3.head_bucket(Bucket=bucket_name)
+        return ValidationResult("S3 Bucket", True, f"Bucket {bucket_name} exists")
+    except ClientError:
+        return ValidationResult("S3 Bucket", False, f"Bucket {bucket_name} not found")
+```
+
+**IAM Policy Validation:**
+```python
+from tecton_validate.policy_test import test_policy
+
+def _check_iam_permissions(args, session, console):
+    result = test_policy(session, role_arn, policy_document, actions_to_test)
+    return ValidationResult("IAM Permissions", result.success, result.details)
+```
+
+**Terraform Output Integration:**
+```python
+from tecton_validate.terraform import load_terraform_outputs
+
+def _check_terraform_resource(args, session, console):
+    if args.terraform_outputs:
+        outputs = load_terraform_outputs(args.terraform_outputs)
+        resource_id = outputs.get("my_resource_id")
+        # Validate the resource exists...
+```

scripts/tecton_validate/__init__.py

@@ -0,0 +1,13 @@
+from importlib import import_module
+from pkgutil import iter_modules
+from pathlib import Path
+
+# Public types re-exported for convenience
+from .validation_types import ValidationResult, ValidationCheck  # noqa: F401
+
+# Build aggregated CHECKS list dynamically so cli can pull everything automatically.
+CHECKS = []
+_checks_path = Path(__file__).with_suffix("").parent / "checks"
+for _m in iter_modules([str(_checks_path)]):
+    mod = import_module(f".{_m.name}", package="tecton_validate.checks")
+    CHECKS.extend(getattr(mod, "CHECKS", []))

scripts/tecton_validate/checks/__init__.py

@@ -0,0 +1 @@
+CHECKS = []  # populated by sub-modules