VAULT-35602: Adding Enos OpenLDAP test (#30801)

* VAULT-35602: adding Enos LDAP Tests

* adding godaddy tests

* updating external integration target module name
This commit is contained in:
Tin Vo 2025-07-23 13:11:12 -07:00 committed by GitHub
parent 266f8e5d26
commit 857e66b3e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 827 additions and 145 deletions


@ -25,6 +25,10 @@ globals {
for Vault target nodes to access it the AWSKMS key are handled in the target modules.
EOF
create_external_integration_target = <<-EOF
Creates the infrastructure necessary to host external services that we need to test some integrations.
EOF
create_vault_cluster = <<-EOF
Create the the Vault cluster. In this module we'll install, configure, start, initialize and
unseal all the nodes in the Vault. After initialization it also enables various audit engines.
@ -102,6 +106,10 @@ globals {
start the Vault agent.
EOF
set_up_external_integration_target = <<-EOF
Installs and configures software services on those target machines to test integrations.
EOF
stop_vault = <<-EOF
Stop the Vault cluster by stopping the vault service via systemctl.
EOF


@ -22,26 +22,26 @@ globals {
// Different distros may require different packages, or use different aliases for the same package
distro_packages = {
amzn = {
"2" = ["nc"]
"2023" = ["nc"]
"2" = ["nc", "openldap-clients"]
"2023" = ["nc", "openldap-clients"]
}
leap = {
"15.6" = ["netcat", "openssl"]
"15.6" = ["netcat", "openssl", "openldap2-client"]
}
rhel = {
"8.10" = ["nc"]
"9.5" = ["nc"]
"8.10" = ["nc", "openldap-clients"]
"9.5" = ["nc", "openldap-clients"]
}
sles = {
// When installing Vault RPM packages on a SLES AMI, the openssl package provided
// isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
// "correctly" named one in our package installation before installing Vault.
"15.6" = ["netcat-openbsd", "openssl"]
"15.6" = ["netcat-openbsd", "openssl", "openldap2-client"]
}
ubuntu = {
"20.04" = ["netcat"]
"22.04" = ["netcat"]
"24.04" = ["netcat-openbsd"]
"20.04" = ["netcat", "ldap-utils"]
"22.04" = ["netcat", "ldap-utils"]
"24.04" = ["netcat-openbsd", "ldap-utils"]
}
}
distro_version = {
@ -70,6 +70,16 @@ globals {
port = 22
protocol = "tcp"
},
ldap : {
description = "LDAP"
port = 389
protocol = "tcp"
},
ldaps : {
description = "LDAPS"
port = 636
protocol = "tcp"
},
vault_agent : {
description = "Vault Agent"
port = 8100
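Review bot: The new `ldap` and `ldaps` entries in `ports` presumably feed the same target security-group ingress rules as the existing `ssh` and `vault_agent` entries, so it is worth confirming which CIDR those rules admit before merging. The OpenLDAP container started by this commit publishes 389/636 on every host interface and is configured with the fixed admin password `password1`, so a world-open rule would expose an admin-bindable directory on each scenario run, while the Vault nodes only ever reach it via `private_ip`. If the ingress module opens every port in this map to `0.0.0.0/0`, scope these two to the VPC CIDR, for example by adding a `cidr` attribute here that the rules module honours. The ingress rules themselves are outside this hunk.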


@ -56,6 +56,12 @@ module "create_vpc" {
common_tags = var.tags
}
module "set_up_external_integration_target" {
source = "./modules/set_up_external_integration_target"
ldap_version = "1.5.0"
}
module "choose_follower_host" {
source = "./modules/choose_follower_host"
}


@ -171,6 +171,23 @@ scenario "agent" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -207,6 +224,26 @@ scenario "agent" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.backend}"
@ -253,7 +290,8 @@ scenario "agent" {
depends_on = [
step.create_backend_cluster,
step.build_vault,
step.create_vault_cluster_targets
step.create_vault_cluster_targets,
step.set_up_external_integration_target
]
providers = {
@ -479,7 +517,9 @@ scenario "agent" {
step "verify_secrets_engines_create" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.verify_vault_unsealed]
depends_on = [
step.verify_vault_unsealed
]
providers = {
enos = local.enos_provider[matrix.distro]
@ -507,6 +547,8 @@ scenario "agent" {
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -642,6 +684,11 @@ scenario "agent" {
value = step.create_vault_cluster.cluster_name
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "hosts" {
description = "The Vault cluster target hosts"
value = step.create_vault_cluster.hosts
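Review bot: The new `external_integration_server_ldap` output returns `state.ldap` wholesale, and that object carries `admin_pw` from the set-up module's locals, so the directory admin password lands in `enos scenario output` and any CI log that prints scenario outputs. It is a fixed test credential, so the concern is log hygiene rather than a live secret, but the output only needs host and port information; filtering the secret out keeps the rest useful: `value = { for k, v in step.set_up_external_integration_target.state.ldap : k => v if k != "admin_pw" }`. The same output is added verbatim to every other scenario in this commit.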


@ -168,6 +168,23 @@ scenario "autopilot" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -207,6 +224,26 @@ scenario "autopilot" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_vault_cluster" {
description = <<-EOF
${global.description.create_vault_cluster} In this instance we'll create a Vault Cluster with
@ -216,7 +253,8 @@ scenario "autopilot" {
module = module.vault_cluster
depends_on = [
step.build_vault,
step.create_vault_cluster_targets
step.create_vault_cluster_targets,
step.set_up_external_integration_target
]
providers = {
@ -378,6 +416,8 @@ scenario "autopilot" {
variables {
hosts = step.create_vault_cluster.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = local.vault_install_dir
@ -914,6 +954,11 @@ scenario "autopilot" {
value = step.create_vault_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "cluster_name" {
description = "The Vault cluster name"
value = step.create_vault_cluster.cluster_name
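Review bot: The explicit `step.set_up_external_integration_target` added to `create_vault_cluster`'s `depends_on` serialises the whole cluster build behind the LDAP container set-up, although nothing in cluster creation consumes the LDAP server as far as this hunk shows. The only consumer is `verify_secrets_engines_create`, which already references `step.set_up_external_integration_target.state.ldap.host` and therefore gets the ordering implicitly. Dropping the extra entry lets the two target set-ups run in parallel and keeps the dependency graph honest about what actually needs what.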


@ -211,6 +211,23 @@ scenario "dr_replication" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
// Create all of our instances for both primary and secondary clusters
step "create_primary_cluster_targets" {
description = global.description.create_vault_cluster_targets
@ -288,6 +305,26 @@ scenario "dr_replication" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_primary_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.primary_backend}"
@ -334,7 +371,8 @@ scenario "dr_replication" {
depends_on = [
step.create_primary_backend_cluster,
step.build_vault,
step.create_primary_cluster_targets
step.create_primary_cluster_targets,
step.set_up_external_integration_target
]
providers = {
@ -679,7 +717,9 @@ scenario "dr_replication" {
step "verify_secrets_engines_on_primary" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.get_primary_cluster_ips]
depends_on = [
step.get_primary_cluster_ips
]
providers = {
enos = local.enos_provider[matrix.distro]
@ -707,6 +747,8 @@ scenario "dr_replication" {
variables {
hosts = step.create_primary_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_primary_cluster_ips.leader_host
vault_addr = step.create_primary_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -1264,6 +1306,11 @@ scenario "dr_replication" {
value = step.create_primary_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "primary_cluster_hosts" {
description = "The Vault primary cluster target hosts"
value = step.create_primary_cluster_targets.hosts


@ -211,6 +211,23 @@ scenario "pr_replication" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
// Create all of our instances for both primary and secondary clusters
step "create_primary_cluster_targets" {
description = global.description.create_vault_cluster_targets
@ -310,6 +327,26 @@ scenario "pr_replication" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_primary_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.primary_backend}"
@ -356,7 +393,8 @@ scenario "pr_replication" {
depends_on = [
step.create_primary_backend_cluster,
step.build_vault,
step.create_primary_cluster_targets
step.create_primary_cluster_targets,
step.set_up_external_integration_target
]
providers = {
@ -701,7 +739,9 @@ scenario "pr_replication" {
step "verify_secrets_engines_on_primary" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.get_primary_cluster_ips]
depends_on = [
step.get_primary_cluster_ips
]
providers = {
enos = local.enos_provider[matrix.distro]
@ -729,6 +769,8 @@ scenario "pr_replication" {
variables {
hosts = step.create_primary_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_primary_cluster_ips.leader_host
vault_addr = step.create_primary_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -1238,6 +1280,11 @@ scenario "pr_replication" {
value = step.create_primary_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "primary_cluster_hosts" {
description = "The Vault primary cluster target hosts"
value = step.create_primary_cluster_targets.hosts


@ -178,6 +178,23 @@ scenario "proxy" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -214,11 +231,32 @@ scenario "proxy" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.backend}"
depends_on = [
step.create_vault_cluster_backend_targets
step.create_vault_cluster_backend_targets,
step.set_up_external_integration_target
]
providers = {
@ -456,7 +494,9 @@ scenario "proxy" {
step "verify_secrets_engines_create" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.verify_vault_unsealed]
depends_on = [
step.verify_vault_unsealed
]
providers = {
enos = local.enos_provider[matrix.distro]
@ -484,6 +524,8 @@ scenario "proxy" {
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -614,6 +656,11 @@ scenario "proxy" {
value = step.create_vault_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "cluster_name" {
description = "The Vault cluster name"
value = step.create_vault_cluster.cluster_name
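Review bot: `create_backend_cluster` now lists `step.set_up_external_integration_target` in its `depends_on`, but the storage backend has no relationship to the OpenLDAP server, so this looks like a copy-paste of the dependency that the other scenarios put on `create_vault_cluster`. The step that really needs the LDAP host is `verify_secrets_engines_create`, which already references `state.ldap.host` and is ordered implicitly. Removing the entry from the backend step (and from the identical edits in `seal_ha` and `upgrade`) avoids delaying the backend build for nothing and makes the intended ordering obvious to the next reader.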


@ -210,6 +210,23 @@ scenario "seal_ha" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -246,11 +263,32 @@ scenario "seal_ha" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.backend}"
depends_on = [
step.create_vault_cluster_backend_targets
step.create_vault_cluster_backend_targets,
step.set_up_external_integration_target
]
providers = {
@ -437,7 +475,7 @@ scenario "seal_ha" {
depends_on = [
step.create_vault_cluster,
step.get_vault_cluster_ips,
step.verify_vault_unsealed,
step.verify_vault_unsealed
]
providers = {
@ -466,6 +504,8 @@ scenario "seal_ha" {
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -1071,6 +1111,11 @@ scenario "seal_ha" {
value = step.create_vault_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "cluster_name" {
description = "The Vault cluster name"
value = step.create_vault_cluster.cluster_name


@ -168,6 +168,23 @@ scenario "smoke" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -204,6 +221,26 @@ scenario "smoke" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.backend}"
@ -251,6 +288,7 @@ scenario "smoke" {
step.create_backend_cluster,
step.build_vault,
step.create_vault_cluster_targets,
step.set_up_external_integration_target
]
providers = {
@ -559,7 +597,9 @@ scenario "smoke" {
step "verify_secrets_engines_create" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.vault_remove_node_and_verify]
depends_on = [
step.vault_remove_node_and_verify
]
providers = {
enos = local.enos_provider[matrix.distro]
@ -587,6 +627,8 @@ scenario "smoke" {
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@ -696,6 +738,11 @@ scenario "smoke" {
value = step.create_vault_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "cluster_name" {
description = "The Vault cluster name"
value = step.create_vault_cluster.cluster_name


@ -180,6 +180,23 @@ scenario "upgrade" {
}
}
step "create_external_integration_target" {
description = global.description.create_external_integration_target
module = module.target_ec2_instances
depends_on = [step.create_vpc]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
cluster_tag_key = global.vault_tag_key
common_tags = global.tags
vpc_id = step.create_vpc.id
}
}
step "create_vault_cluster_targets" {
description = global.description.create_vault_cluster_targets
module = module.target_ec2_instances
@ -216,11 +233,32 @@ scenario "upgrade" {
}
}
step "set_up_external_integration_target" {
description = global.description.set_up_external_integration_target
module = module.set_up_external_integration_target
depends_on = [
step.create_external_integration_target
]
providers = {
enos = local.enos_provider["ubuntu"]
}
variables {
hosts = step.create_external_integration_target.hosts
ip_version = matrix.ip_version
packages = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
ldap_port = global.ports.ldap.port
ldaps_port = global.ports.ldaps.port
}
}
step "create_backend_cluster" {
description = global.description.create_backend_cluster
module = "backend_${matrix.backend}"
depends_on = [
step.create_vault_cluster_backend_targets,
step.set_up_external_integration_target
]
providers = {
@ -399,7 +437,7 @@ scenario "upgrade" {
module = module.vault_verify_secrets_engines_create
depends_on = [
step.create_vault_cluster,
step.get_vault_cluster_ips,
step.get_vault_cluster_ips
]
providers = {
@ -428,6 +466,8 @@ scenario "upgrade" {
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
ldap_host = step.set_up_external_integration_target.state.ldap.host
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
// Use the install dir for our initial version, which always comes from a zip bundle
@ -802,6 +842,11 @@ scenario "upgrade" {
value = step.create_vault_cluster.audit_device_file_path
}
output "external_integration_server_ldap" {
description = "The LDAP test servers info"
value = step.set_up_external_integration_target.state.ldap
}
output "cluster_name" {
description = "The Vault cluster name"
value = step.create_vault_cluster.cluster_name
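Review bot: In this scenario `verify_secrets_engines_create` runs against the initial, pre-upgrade artifact (the comment on the install dir says it "always comes from a zip bundle" of the initial version), and the new `ldap-configs.sh` it invokes enables the `ldap` secrets engine. That engine presumably only exists under the `ldap` name on relatively recent releases (earlier ones shipped it as `openldap`), so if the upgrade matrix's initial versions go back far enough, `secrets enable ldap` will fail before any upgrade is exercised; verify against the version matrix, which is outside this hunk. If older initial versions are in scope, gate the LDAP configuration on the initial version or run it after the upgrade step instead.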


@ -0,0 +1,63 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}
locals {
test_server_address = var.ip_version == "6" ? var.hosts[0].ipv6 : var.hosts[0].public_ip
ldap_server = {
domain = "enos.com"
org = "hashicorp"
admin_pw = "password1"
version = var.ldap_version
port = var.ldap_port
secure_port = var.ldaps_port
ip_version = var.ip_version
host = var.hosts[0]
}
}
# Outputs
output "state" {
value = {
ldap = local.ldap_server
}
}
# We run install_packages before we install Vault because for some combinations of
# certain Linux distros and artifact types (e.g. SLES and RPM packages), there may
# be packages that are required to perform Vault installation (e.g. openssl).
module "install_packages" {
source = "../install_packages"
hosts = var.hosts
packages = var.packages
}
# Creating OpenLDAP Server
resource "enos_remote_exec" "setup_openldap" {
depends_on = [module.install_packages]
environment = {
LDAP_CONTAINER_VERSION = local.ldap_server.version
LDAP_DOMAIN = local.ldap_server.domain
LDAP_ORG = local.ldap_server.org
LDAP_ADMIN_PW = local.ldap_server.admin_pw
LDAP_IP_ADDRESS = local.test_server_address
LDAP_PORT = local.ldap_server.port
LDAPS_PORT = local.ldap_server.secure_port
}
scripts = [abspath("${path.module}/scripts/set-up-openldap.sh")]
transport = {
ssh = {
host = local.ldap_server.host.public_ip
}
}
}
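Review bot: `LDAP_IP_ADDRESS = local.test_server_address` is exported to the script but `set-up-openldap.sh` in this commit never reads it, and `test_server_address` selects the `public_ip` whereas the consumer in `verify_secrets_engines_create` connects to `private_ip`, so the local is both unused and misleading about which address matters. Either drop the environment entry and the local, or keep them and make the script validate the variable like it does the others. Separately, the comment above `module "install_packages"` was copied from the Vault cluster module ("before we install Vault") but this module never installs Vault; a comment such as `# Install the OS packages (ldap-utils, podman) that the OpenLDAP set-up script and the LDAP checks depend on.` would describe what actually happens here.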


@ -0,0 +1,36 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$LDAP_DOMAIN" ]] && fail "LDAP_DOMAIN env variable has not been set"
[[ -z "$LDAP_ORG" ]] && fail "LDAP_ORG env variable has not been set"
[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
[[ -z "$LDAP_CONTAINER_VERSION" ]] && fail "LDAP_CONTAINER_VERSION env variable has not been set"
[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
[[ -z "$LDAPS_PORT" ]] && fail "LDAPS_PORT env variable has not been set"
# Pulling image
CONTAINER_CMD="sudo podman"
LDAP_DOCKER_NAME="docker.io/osixia/openldap:${LDAP_CONTAINER_VERSION}"
echo "Pulling image: ${LDAP_DOCKER_NAME}"
$CONTAINER_CMD pull "${LDAP_DOCKER_NAME}"
# Run OpenLDAP container
echo "Starting OpenLDAP container..."
$CONTAINER_CMD run -d \
--name openldap \
-p "${LDAP_PORT}:${LDAP_PORT}" \
-p "${LDAPS_PORT}:${LDAPS_PORT}" \
-e LDAP_ORGANISATION="${LDAP_ORG}" \
-e LDAP_DOMAIN="${LDAP_DOMAIN}" \
-e LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PW}" \
"${LDAP_DOCKER_NAME}"
echo "OpenLDAP server is now running in Docker!"
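Review bot: The script reports success immediately after `podman run -d`, before slapd is actually accepting connections, so whether the later `ldap-configs.sh` step succeeds depends on how long the Vault cluster build happens to take rather than on a readiness check; `ldap-utils` is installed on this host by the package lists in this commit, so polling with `ldapsearch` until the rootDSE answers is cheap. The port mapping `-p "${LDAP_PORT}:${LDAP_PORT}"` also makes the container-side port track the variable, but the osixia image presumably listens on fixed 389/636 inside the container, so a non-default `ldap_port` would map to a port nothing listens on — confirm against the image, and if so pin the right-hand side. Finally the image is pulled by the mutable tag `docker.io/osixia/openldap:${LDAP_CONTAINER_VERSION}`; for a CI dependency pinning by digest (`osixia/openldap@sha256:…`) gives a reproducible, tamper-evident pull. The final message also says "Docker" although the script runs podman.
```shell
# … unchanged: env checks and image pull …
$CONTAINER_CMD run -d \
  --name openldap \
  -p "${LDAP_PORT}:389" \
  -p "${LDAPS_PORT}:636" \
  -e LDAP_ORGANISATION="${LDAP_ORG}" \
  -e LDAP_DOMAIN="${LDAP_DOMAIN}" \
  -e LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PW}" \
  "${LDAP_DOCKER_NAME}"

# Wait for slapd to answer before reporting success so dependent steps do not race the container start.
# An anonymous rootDSE read is used here; if the image disallows it, bind with the admin DN instead.
for _ in $(seq 1 30); do
  if ldapsearch -x -H "ldap://127.0.0.1:${LDAP_PORT}" -s base -b "" >/dev/null 2>&1; then
    echo "OpenLDAP server is now running in podman"
    exit 0
  fi
  sleep 2
done
fail "OpenLDAP container did not become ready on port ${LDAP_PORT}"
```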


@ -0,0 +1,41 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "hosts" {
description = "The target machines host addresses to use for the Vault cluster"
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
}
variable "ip_version" {
type = string
description = "IP Version (4 or 6)"
default = "4"
}
variable "ldap_port" {
type = string
description = "OpenLDAP Server port"
default = "389"
}
variable "ldaps_port" {
type = string
description = "OpenLDAP Server secure port"
default = "636"
}
variable "ldap_version" {
type = string
description = "OpenLDAP Server Version to use"
default = "1.5.0"
}
variable "packages" {
type = list(string)
description = "A list of packages to install via the target host package manager"
default = []
}
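Review bot: The `hosts` description was copied from the Vault cluster modules ("to use for the Vault cluster") but these are the external integration targets, and only `hosts[0]` is used by the set-up script; `description = "The external integration target hosts; the OpenLDAP container is started on hosts[0]"` would say so. The admin password is not a variable at all but a literal in `main.tf`'s locals, while `verify_secrets_engines_create` separately defaults its own `ldap_password` to the same string, so the two can silently drift apart. Declaring it here as `variable "ldap_admin_password" { type = string, default = "password1", sensitive = true }` and threading the value through scenario state gives one source of truth and lets Terraform redact it in plan and output.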


@ -145,89 +145,3 @@ resource "enos_remote_exec" "auth_login_testuser" {
}
}
}
# Enable ldap auth
resource "enos_remote_exec" "auth_enable_ldap" {
environment = {
AUTH_METHOD = "ldap"
AUTH_PATH = local.auth_ldap_path
VAULT_ADDR = var.vault_addr
VAULT_TOKEN = var.vault_root_token
VAULT_INSTALL_DIR = var.vault_install_dir
}
scripts = [abspath("${path.module}/../../scripts/auth-enable.sh")]
transport = {
ssh = {
host = var.leader_host.public_ip
}
}
}
# Write the initial ldap config
# This is a one time write to the leader node.
resource "enos_remote_exec" "auth_write_ldap_config" {
depends_on = [
enos_remote_exec.auth_enable_ldap
]
environment = {
AUTH_PATH = local.auth_ldap_path
GROUPATTR = "memberOf"
GROUPDN = "CN=Users,DC=corp,DC=example,DC=net"
INSECURE_TLS = "true"
POLICIES = local.auth_ldap_path
UPNDOMAIN = "corp.example.net"
URL = "ldaps://ldap.example.com"
USERATTR = "sAMAccountName"
USERDN = "CN=Users,DC=corp,DC=example,DC=net"
VAULT_ADDR = var.vault_addr
VAULT_INSTALL_DIR = var.vault_install_dir
VAULT_TOKEN = var.vault_root_token
}
scripts = [abspath("${path.module}/../../scripts/auth-ldap-write.sh")]
transport = {
ssh = {
host = var.leader_host.public_ip
}
}
}
# Update the ldap config. Choose a random node each time to ensure that writes
# to all nodes are forwarded correctly and behave as we expect.
resource "random_integer" "auth_update_ldap_config_idx" {
min = 0
max = length(var.hosts) - 1
}
resource "enos_remote_exec" "auth_update_ldap_config" {
depends_on = [
enos_remote_exec.auth_write_ldap_config
]
environment = {
AUTH_PATH = local.auth_ldap_path
GROUPATTR = "memberOf"
GROUPDN = "CN=Users,DC=corp,DC=example,DC=net"
INSECURE_TLS = "true"
POLICIES = local.auth_ldap_path
UPNDOMAIN = "corp.example.net"
URL = "ldaps://ldap2.example.com"
USERATTR = "sAMAccountName"
USERDN = "CN=Users,DC=corp,DC=example,DC=net"
VAULT_ADDR = var.vault_addr
VAULT_INSTALL_DIR = var.vault_install_dir
VAULT_TOKEN = var.vault_root_token
}
scripts = [abspath("${path.module}/../../scripts/auth-ldap-write.sh")]
transport = {
ssh = {
host = var.hosts[random_integer.auth_update_ldap_config_idx.result].public_ip
}
}
}


@ -59,7 +59,7 @@ locals {
aws_access_key = aws_iam_access_key.aws_enos_test_user.id
aws_secret_key = aws_iam_access_key.aws_enos_test_user.secret
mount = local.aws_mount
region = data.aws_region.current.name
region = data.aws_region.current.region
vault_aws_role = local.vault_aws_role
}
}


@ -0,0 +1,65 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
locals {
ldap_output = {
ip_version = var.ip_version
ldap_mount = "ldap"
host = var.ldap_host
port = var.ldap_port
username = "enos"
pw = var.ldap_password
vault_policy_name = local.kv_output.writer_policy_name
}
}
output "ldap" {
value = local.ldap_output
}
# Enable LDAP secrets engine
resource "enos_remote_exec" "secrets_enable_ldap_secret" {
environment = {
ENGINE = local.ldap_output.ldap_mount
MOUNT = local.ldap_output.ldap_mount
VAULT_ADDR = var.vault_addr
VAULT_INSTALL_DIR = var.vault_install_dir
VAULT_TOKEN = var.vault_root_token
}
scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
transport = {
ssh = {
host = var.leader_host.public_ip
}
}
}
# Configuring Openldap Server and Vault LDAP
resource "enos_remote_exec" "ldap_configurations" {
depends_on = [
enos_remote_exec.policy_write_kv_writer,
enos_remote_exec.secrets_enable_ldap_secret
]
environment = {
MOUNT = local.ldap_output.ldap_mount
LDAP_SERVER = var.ldap_host.private_ip
LDAP_PORT = local.ldap_output.port
LDAP_USERNAME = local.ldap_output.username
LDAP_ADMIN_PW = local.ldap_output.pw
POLICY_NAME = local.ldap_output.vault_policy_name
VAULT_ADDR = var.vault_addr
VAULT_INSTALL_DIR = var.vault_install_dir
VAULT_TOKEN = var.vault_root_token
}
scripts = [abspath("${path.module}/../../scripts/ldap-configs.sh")]
transport = {
ssh = {
host = var.leader_host.public_ip
}
}
}
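Review bot: `ldap_configurations` hands the admin bind credentials to Vault over the plain `LDAP_PORT` (389 via `local.ldap_output.port`) and nothing in this module ever sees the `ldaps` port that globals and the container both expose, so the test exercises cleartext LDAP only and the LDAPS plumbing added elsewhere in this commit is dead. For a VPC-private test harness that may be intentional, but it should be stated rather than implied, e.g. `# Plain ldap:// over the VPC-private address; the published LDAPS port is not exercised by this test.` above the resource, or the step should also receive `LDAPS_PORT` so the engine config can be verified over TLS. The `ldap-configs.sh` script that decides the URL scheme and any `insecure_tls` setting is outside this hunk.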


@ -31,6 +31,33 @@ variable "hosts" {
description = "The Vault cluster instances that were created"
}
variable "ip_version" {
type = string
description = "IP Version (4 or 6)"
default = "4"
}
variable "ldap_host" {
type = object({
ipv6 = string
private_ip = string
public_ip = string
})
description = "The external server instances that were created"
}
variable "ldap_port" {
type = string
description = "The LDAP Server port"
default = "389"
}
variable "ldap_password" {
type = string
description = "The LDAP Server admin password"
default = "password1"
}
variable "leader_host" {
type = object({
ipv6 = string
@ -64,5 +91,6 @@ output "state" {
kv = local.kv_output
pki = local.pki_output
aws = local.aws_state
ldap = local.ldap_output
}
}
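Review bot: `ldap_password` defaults to `"password1"` independently of the `admin_pw` literal in `set_up_external_integration_target`, and the scenarios pass `ldap_host` but never the password, so the test only works because two unrelated files happen to agree; changing either one breaks the other with an opaque bind failure. Since the set-up module already exports the password in `state.ldap`, wire it through instead: `ldap_password = step.set_up_external_integration_target.state.ldap.admin_pw` in the scenarios, and mark this variable `sensitive = true` so it is redacted from plan output and the module's `state` output. The `ldap_host` description ("instances that were created") also describes a list while the type is a single object.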


@ -0,0 +1,29 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
locals {
ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout)
}
# Verifying Vault LDAP Configurations
resource "enos_remote_exec" "ldap_verify_configs" {
environment = {
MOUNT = "${var.create_state.ldap.ldap_mount}"
LDAP_SERVER = "${var.create_state.ldap.host.private_ip}"
LDAP_PORT = "${var.create_state.ldap.port}"
LDAP_USERNAME = "${var.create_state.ldap.username}"
LDAP_ADMIN_PW = "${var.create_state.ldap.pw}"
VAULT_ADDR = var.vault_addr
VAULT_INSTALL_DIR = var.vault_install_dir
VAULT_TOKEN = var.vault_root_token
}
scripts = [abspath("${path.module}/../../scripts/ldap-verify-configs")]
transport = {
ssh = {
host = var.hosts[0].public_ip
}
}
}
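Review bot: The script path `.../scripts/ldap-verify-configs` has no `.sh` suffix, unlike every other `scripts` entry in these modules (`secrets-enable.sh`, `ldap-configs.sh`), so if the file added elsewhere in this commit is named `ldap-verify-configs.sh` this step fails at apply time; confirm the filename. The `"${...}"` wrapping on the interpolation-only values in `environment` is redundant and is the form `terraform fmt`/tflint flag; `MOUNT = var.create_state.ldap.ldap_mount` reads the same. `ldap_login_data` also `jsondecode`s the script's stdout unconditionally, so any non-JSON output (a stray `echo`) turns into a confusing decode error rather than a clear verification failure — worth a comment stating the script must print only JSON.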


@ -1,36 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$AUTH_PATH" ]] && fail "AUTH_PATH env variable has not been set"
[[ -z "$GROUPATTR" ]] && fail "GROUPATTR env variable has not been set"
[[ -z "$GROUPDN" ]] && fail "GROUPDN env variable has not been set"
[[ -z "$INSECURE_TLS" ]] && fail "INSECURE_TLS env variable has not been set"
[[ -z "$UPNDOMAIN" ]] && fail "UPNDOMAIN env variable has not been set"
[[ -z "$URL" ]] && fail "URL env variable has not been set"
[[ -z "$USERATTR" ]] && fail "USERATTR env variable has not been set"
[[ -z "$USERDN" ]] && fail "USERDN env variable has not been set"
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
binpath=${VAULT_INSTALL_DIR}/vault
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
export VAULT_FORMAT=json
"$binpath" write "auth/$AUTH_PATH/config" \
url="$URL" \
userdn="$USERDN" \
userattr="$USERATTR" \
groupdn="$GROUPDN" \
groupattr="$GROUPATTR" \
upndomain="$UPNDOMAIN" \
insecure_tls="$INSECURE_TLS"


@ -0,0 +1,107 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
[[ -z "$LDAP_SERVER" ]] && fail "LDAP_SERVER env variable has not been set"
[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
[[ -z "$LDAP_USERNAME" ]] && fail "LDAP_USERNAME env variable has not been set"
[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
binpath=${VAULT_INSTALL_DIR}/vault
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
export VAULT_FORMAT=json
echo "OpenLDAP: Checking for OpenLDAP Server Connection: ${LDAP_SERVER}:${LDAP_PORT}"
ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}"
# Creating Users Org Unit LDIF file and adding users organizational unit
echo "OpenLDAP: Creating Users Org Unit LDIF file and adding users organizational unit"
GROUP_LDIF="group.ldif"
cat << EOF > ${GROUP_LDIF}
dn: ou=users,dc=$LDAP_USERNAME,dc=com
objectClass: organizationalUnit
ou: users
dn: ou=groups,dc=$LDAP_USERNAME,dc=com
objectClass: organizationalUnit
ou: groups
EOF
ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF}
echo "OpenLDAP: Creating User LDIF file and adding user to LDAP"
USER_LDIF="user.ldif"
cat << EOF > ${USER_LDIF}
# User: enos
dn: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com
objectClass: inetOrgPerson
sn: $LDAP_USERNAME
cn: $LDAP_USERNAME user
uid: $LDAP_USERNAME
userPassword: $LDAP_ADMIN_PW
# Group: devs
dn: cn=devs,ou=groups,dc=$LDAP_USERNAME,dc=com
objectClass: groupOfNames
cn: devs
member: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com
EOF
ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF}
echo "Vault: Creating ldap auth and creating auth/ldap/config route"
"$binpath" auth enable "${MOUNT}" > /dev/null 2>&1 || echo "Warning: Vault ldap auth already enabled"
"$binpath" write "auth/${MOUNT}/config" \
url="ldap://test_${LDAP_SERVER}:${LDAP_PORT}" \
binddn="cn=admin,dc=${LDAP_USERNAME},dc=com" \
bindpass="${LDAP_ADMIN_PW}" \
userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \
userattr="uid" \
groupdn="ou=groups,dc=${LDAP_USERNAME},dc=com" \
groupfilter="(&(objectClass=groupOfNames)(member={{.UserDN}}))" \
groupattr="cn" \
insecure_tls=true
echo "Vault: Updating ldap auth and creating auth/ldap/config route"
"$binpath" write "auth/${MOUNT}/config" \
url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
binddn="cn=admin,dc=${LDAP_USERNAME},dc=com" \
bindpass="${LDAP_ADMIN_PW}" \
userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \
userattr="uid" \
groupdn="ou=groups,dc=${LDAP_USERNAME},dc=com" \
groupfilter="(&(objectClass=groupOfNames)(member={{.UserDN}}))" \
groupattr="cn" \
insecure_tls=true
echo "Vault: Creating Vault Policy for LDAP and assigning user to policy"
VAULT_LDAP_POLICY="ldap_reader.hcl"
cat << EOF > ${VAULT_LDAP_POLICY}
path "secret/data/*" {
capabilities = ["read", "list"]
}
EOF
LDAP_READER_POLICY="reader-policy"
"$binpath" policy write ${LDAP_READER_POLICY} "${VAULT_LDAP_POLICY}"
"$binpath" write "auth/${MOUNT}/users/${LDAP_USERNAME}" policies="${LDAP_READER_POLICY}"
echo "Vault: Creating Vault Policy for LDAP DEV and assigning user to policy"
VAULT_LDAP_DEV_POLICY="ldap_dev.hcl"
cat << EOF > ${VAULT_LDAP_DEV_POLICY}
path "secret/data/dev/*" {
capabilities = ["read", "list"]
}
EOF
LDAP_DEV_POLICY="dev-policy"
"$binpath" policy write ${LDAP_DEV_POLICY} "${VAULT_LDAP_DEV_POLICY}"
"$binpath" write "auth/${MOUNT}/groups/devs" policies="${LDAP_DEV_POLICY}"
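Review bot: The first `write "auth/${MOUNT}/config"` block uses `url="ldap://test_${LDAP_SERVER}:${LDAP_PORT}"`, an unreachable host, and is immediately overwritten by the second block with the real URL; nothing says whether this is a deliberate create-then-update exercise or a leftover, so either add `# Write a bogus URL first so the following write exercises config update` above it or delete the first block. `"$binpath" auth enable "${MOUNT}" > /dev/null 2>&1 || echo "Warning: Vault ldap auth already enabled"` masks every failure (bad token, sealed cluster, bad mount name), not only the already-enabled case; check `"$binpath" auth list` for the mount first and let a real enable error fail the script under `set -e`. The admin password is passed on the command line via `-w "${LDAP_ADMIN_PW}"` to each ldapsearch/ldapadd call, where it is visible in the process table of the shared target host; `-y` with a mode-0600 temporary file keeps it off argv. The LDIF and policy files (`group.ldif`, `user.ldif`, `ldap_reader.hcl`, `ldap_dev.hcl`) are written into the working directory and never cleaned up.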


@ -0,0 +1,41 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
[[ -z "$LDAP_SERVER" ]] && fail "LDAP_SERVER env variable has not been set"
[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
[[ -z "$LDAP_USERNAME" ]] && fail "LDAP_USERNAME env variable has not been set"
[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
binpath=${VAULT_INSTALL_DIR}/vault
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
export VAULT_FORMAT=json
# Verifying LDAP Server Configs
LDAP_UID=$(ldapsearch -x -LLL -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=${LDAP_USERNAME})" 2>/dev/null)
[[ -z "$LDAP_UID" ]] && fail "Could not search ldap server for uid: ${LDAP_USERNAME}"
# Authenticate Using Vault LDAP login
VAULT_LDAP_LOGIN=$("$binpath" login -method=${MOUNT} username=${LDAP_USERNAME} password=${LDAP_ADMIN_PW})
# Verifying Vault LDAP Login Token
VAULT_LDAP_TOKEN=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.client_token")
[[ -z "$VAULT_LDAP_TOKEN" ]] && fail "Vault LDAP could not log in correctly: ${VAULT_LDAP_TOKEN}"
# Verifying Vault LDAP Policies
VAULT_POLICY_COUNT=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.policies | length")
[[ -z "$VAULT_POLICY_COUNT" ]] && fail "Vault LDAP number of policies does not look correct: ${VAULT_POLICY_COUNT}"
echo "${VAULT_LDAP_LOGIN}"