vault/enos/modules/softhsm_install/main.tf

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

terraform {
  required_providers {
    enos = {
      source = "registry.terraform.io/hashicorp-forge/enos"
    }
  }
}

variable "hosts" {
  type = map(object({
    ipv6       = string
    private_ip = string
    public_ip  = string
  }))
  description = "The hosts that will have access to the softhsm. We assume they're all the same platform and architecture"
}

variable "include_tools" {
  type        = bool
  default     = false
  description = "Install opensc pkcs11-tools along with softhsm"
}

variable "retry_interval" {
  type        = string
  default     = "2"
  description = "How long to wait between retries"
}

variable "timeout" {
  type        = string
  default     = "15"
  description = "How many seconds to wait before timing out"
}

locals {
  packages = var.include_tools ? {
    // These packages match the distros that are currently defined in the `ec2_info` module.
    amzn = {
      "2023" = ["softhsm", "opensc"]
    }
    rhel = {
      "8.10" = ["softhsm", "opensc"]
      "9.4"  = ["softhsm", "opensc"]
    }
    ubuntu = {
      "20.04" = ["softhsm", "opensc"]
      "22.04" = ["softhsm", "opensc"]
      "24.04" = ["softhsm2", "opensc"]
    }
    } : {
    amzn = {
      "2023" = ["softhsm"]
    }
    rhel = {
      "8.10" = ["softhsm"]
      "9.4"  = ["softhsm"]
    }
    ubuntu = {
      "20.04" = ["softhsm"]
      "22.04" = ["softhsm"]
      "24.04" = ["softhsm2"]
    }
  }
}

// Get the host information so we can ensure that we install the correct packages depending on the
// distro and distro version
resource "enos_host_info" "target" {
  transport = {
    ssh = {
      host = var.hosts["0"].public_ip
    }
  }
}

module "install_softhsm" {
  source = "../install_packages"

  hosts    = var.hosts
  packages = local.packages[enos_host_info.target.distro][enos_host_info.target.distro_version]
}

resource "enos_remote_exec" "find_shared_object" {
  for_each   = var.hosts
  depends_on = [module.install_softhsm]

  environment = {
    RETRY_INTERVAL  = var.retry_interval
    TIMEOUT_SECONDS = var.timeout
  }

  scripts = [abspath("${path.module}/scripts/find-shared-object.sh")]

  transport = {
    ssh = {
      host = each.value.public_ip
    }
  }
}

locals {
  object_paths = compact(distinct(values(enos_remote_exec.find_shared_object)[*].stdout))
}

output "lib" {
  value = local.object_paths[0]

  precondition {
    condition     = length(local.object_paths) == 1
    error_message = "SoftHSM targets cannot have different libsofthsm2.so shared object paths. Are they all the same Linux distro?"
  }
}
[QT-627] enos: add `pkcs11` seal testing with softhsm (#24349) Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec> 2023-12-08 16:00:45 -05:00			`# Copyright (c) HashiCorp, Inc.`
			`# SPDX-License-Identifier: BUSL-1.1`

			`terraform {`
			`required_providers {`
			`enos = {`
[QT-695] Add `config_mode` variant to some scenarios (#26380) Add `config_mode` variant to some scenarios so we can dynamically change how we primarily configure the Vault cluster, either by a configuration file or with environment variables. As part of this change we also: * Start consuming the Enos terraform provider from public Terraform registry. * Remove the old `seal_ha_beta` variant as it is no longer required. * Add a module that performs a `vault operator step-down` so that we can force leader elections in scenarios. * Wire up an operator step-down into some scenarios to test both the old and new multiseal code paths during leader elections. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-04-22 14:34:47 -04:00			`source = "registry.terraform.io/hashicorp-forge/enos"`
[QT-627] enos: add `pkcs11` seal testing with softhsm (#24349) Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec> 2023-12-08 16:00:45 -05:00			`}`
			`}`
			`}`

			`variable "hosts" {`
			`type = map(object({`
VAULT-28146: Add IPV6 support to enos scenarios (#27884) * VAULT-28146: Add IPV6 support to enos scenarios Add support for testing all raft storage scenarios and variants when running Vault with IPV6 networking. We retain our previous support for IPV4 and create a new variant `ip_version` which can be used to configure the IP version that we wish to test with. It's important to note that the VPC in IPV6 mode is technically mixed and that target machines still associate public IPV6 addresses. That allows us to execute our resources against them from IPV4 networks like developer machines and CI runners. Despite that, we've taken care to ensure that only IPV6 addresses are used in IPV6 mode. Because we previously had assumed the IP Version, Vault address, and listener ports in so many places, this PR is essentially a rewrite and removal of those assumptions. There are also a few places where improvements to scenarios have been included as I encountered them while working on the IPV6 changes. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-07-30 13:00:27 -04:00			`ipv6 = string`
[QT-627] enos: add `pkcs11` seal testing with softhsm (#24349) Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec> 2023-12-08 16:00:45 -05:00			`private_ip = string`
			`public_ip = string`
			`}))`
			`description = "The hosts that will have access to the softhsm. We assume they're all the same platform and architecture"`
			`}`

			`variable "include_tools" {`
			`type = bool`
			`default = false`
			`description = "Install opensc pkcs11-tools along with softhsm"`
			`}`

			`variable "retry_interval" {`
			`type = string`
			`default = "2"`
			`description = "How long to wait between retries"`
			`}`

			`variable "timeout" {`
			`type = string`
			`default = "15"`
			`description = "How many seconds to wait before timing out"`
			`}`

			`locals {`
VAULT-29583: Modernize default distributions in enos scenarios (#28012) * VAULT-29583: Modernize default distributions in enos scenarios Our scenarios have been running the last gen of distributions in CI. This updates our default distributions as follows: - Amazon: 2023 - Leap: 15.6 - RHEL: 8.10, 9.4 - SLES: 15.6 - Ubuntu: 20.04, 24.04 With these changes we also unlock a few new variants combinations: - `distro:amzn seal:pkcs11` - `arch:arm64 distro:leap` We also normalize our distro key for Amazon Linux to `amzn`, which matches the uname output on both versions that we've supported. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-09 15:43:28 -04:00			`packages = var.include_tools ? {`
			// These packages match the distros that are currently defined in the `ec2_info` module.
			`amzn = {`
			`"2023" = ["softhsm", "opensc"]`
			`}`
			`rhel = {`
			`"8.10" = ["softhsm", "opensc"]`
			`"9.4" = ["softhsm", "opensc"]`
			`}`
			`ubuntu = {`
			`"20.04" = ["softhsm", "opensc"]`
			`"22.04" = ["softhsm", "opensc"]`
			`"24.04" = ["softhsm2", "opensc"]`
			`}`
			`} : {`
			`amzn = {`
			`"2023" = ["softhsm"]`
			`}`
			`rhel = {`
			`"8.10" = ["softhsm"]`
			`"9.4" = ["softhsm"]`
			`}`
			`ubuntu = {`
			`"20.04" = ["softhsm"]`
			`"22.04" = ["softhsm"]`
			`"24.04" = ["softhsm2"]`
			`}`
			`}`
			`}`

			`// Get the host information so we can ensure that we install the correct packages depending on the`
			`// distro and distro version`
			`resource "enos_host_info" "target" {`
			`transport = {`
			`ssh = {`
			`host = var.hosts["0"].public_ip`
			`}`
			`}`
[QT-627] enos: add `pkcs11` seal testing with softhsm (#24349) Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec> 2023-12-08 16:00:45 -05:00			`}`

			`module "install_softhsm" {`
			`source = "../install_packages"`

			`hosts = var.hosts`
VAULT-29583: Modernize default distributions in enos scenarios (#28012) * VAULT-29583: Modernize default distributions in enos scenarios Our scenarios have been running the last gen of distributions in CI. This updates our default distributions as follows: - Amazon: 2023 - Leap: 15.6 - RHEL: 8.10, 9.4 - SLES: 15.6 - Ubuntu: 20.04, 24.04 With these changes we also unlock a few new variants combinations: - `distro:amzn seal:pkcs11` - `arch:arm64 distro:leap` We also normalize our distro key for Amazon Linux to `amzn`, which matches the uname output on both versions that we've supported. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-09 15:43:28 -04:00			`packages = local.packages[enos_host_info.target.distro][enos_host_info.target.distro_version]`
[QT-627] enos: add `pkcs11` seal testing with softhsm (#24349) Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec> 2023-12-08 16:00:45 -05:00			`}`

			`resource "enos_remote_exec" "find_shared_object" {`
			`for_each = var.hosts`
			`depends_on = [module.install_softhsm]`

			`environment = {`
			`RETRY_INTERVAL = var.retry_interval`
			`TIMEOUT_SECONDS = var.timeout`
			`}`

			`scripts = [abspath("${path.module}/scripts/find-shared-object.sh")]`

			`transport = {`
			`ssh = {`
			`host = each.value.public_ip`
			`}`
			`}`
			`}`

			`locals {`
			`object_paths = compact(distinct(values(enos_remote_exec.find_shared_object)[*].stdout))`
			`}`

			`output "lib" {`
			`value = local.object_paths[0]`

			`precondition {`
			`condition = length(local.object_paths) == 1`
			`error_message = "SoftHSM targets cannot have different libsofthsm2.so shared object paths. Are they all the same Linux distro?"`
			`}`
			`}`