VAULT-38463: Fix Enos LDAP issue for dev tests (#31407)

Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -199,6 +199,7 @@ jobs:
             echo 'ENOS_VAR_vault_revision=${{ inputs.vault-revision }}'
             echo 'ENOS_VAR_vault_upgrade_initial_version=${{ matrix.attributes.upgrade_initial_version }}'
             echo 'ENOS_VAR_verify_aws_secrets_engine=false'
+            echo 'ENOS_VAR_verify_ldap_secrets_engine=false'
             echo 'ENOS_VAR_verify_log_secrets=true'
           } | tee -a "$GITHUB_ENV"
       - uses: hashicorp/setup-terraform@v3

enos/enos-modules.hcl

@@ -323,15 +323,17 @@ module "vault_verify_removed_node_shim" {
 module "vault_verify_secrets_engines_create" {
   source = "./modules/verify_secrets_engines/modules/create"
 
-  create_aws_secrets_engine = var.verify_aws_secrets_engine
-  vault_install_dir         = var.vault_install_dir
+  aws_enabled       = var.verify_aws_secrets_engine
+  ldap_enabled      = var.verify_ldap_secrets_engine
+  vault_install_dir = var.vault_install_dir
 }
 
 module "vault_verify_secrets_engines_read" {
   source = "./modules/verify_secrets_engines/modules/read"
 
-  verify_aws_secrets_engine = var.verify_aws_secrets_engine
-  vault_install_dir         = var.vault_install_dir
+  aws_enabled       = var.verify_aws_secrets_engine
+  ldap_enabled      = var.verify_ldap_secrets_engine
+  vault_install_dir = var.vault_install_dir
 }
 
 module "vault_verify_secrets_engines_delete" {

enos/enos-scenario-upgrade.hcl

@@ -720,6 +720,7 @@ scenario "upgrade" {
       vault_edition     = matrix.edition
       vault_install_dir = global.vault_install_dir[matrix.artifact_type]
       vault_root_token  = step.create_vault_cluster.root_token
+
     }
   }
 

enos/enos-variables.hcl

@@ -62,12 +62,6 @@ variable "backend_log_level" {
   default     = "trace"
 }
 
-variable "project_name" {
-  description = "The description of the project"
-  type        = string
-  default     = "vault-enos-integration"
-}
-
 variable "distro_version_amzn" {
   description = "The version of Amazon Linux 2 to use"
   type        = string
@@ -98,6 +92,12 @@ variable "distro_version_ubuntu" {
   default     = "24.04" // or "22.04"
 }
 
+variable "project_name" {
+  description = "The description of the project"
+  type        = string
+  default     = "vault-enos-integration"
+}
+
 variable "tags" {
   description = "Tags that will be applied to infrastructure resources that support tagging"
   type        = map(string)
@@ -205,6 +205,12 @@ variable "verify_aws_secrets_engine" {
   default     = false
 }
 
+variable "verify_ldap_secrets_engine" {
+  description = "If true we'll verify LDAP secrets engines behavior"
+  type        = bool
+  default     = false
+}
+
 variable "verify_log_secrets" {
   description = "If true and var.vault_enable_audit_devices is true we'll verify that the audit log does not contain unencrypted secrets. Requires var.vault_radar_license_path to be set to a valid license file."
   type        = bool

enos/modules/verify_secrets_engines/modules/create/aws.tf

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 module "create_aws_secrets_engine" {
-  count  = var.create_aws_secrets_engine ? 1 : 0
+  count  = var.aws_enabled ? 1 : 0
   source = "./aws"
 
   hosts             = var.hosts
@@ -13,7 +13,7 @@ module "create_aws_secrets_engine" {
 }
 
 locals {
-  aws_state = var.create_aws_secrets_engine ? module.create_aws_secrets_engine[0].state : null
+  aws_state = var.aws_enabled ? module.create_aws_secrets_engine[0].state : null
 }
 
 output "aws" {

enos/modules/verify_secrets_engines/modules/create/ldap.tf

@@ -1,71 +1,26 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-variable "ldap_password" {
-  type        = string
-  description = "The LDAP Server admin password"
-  default     = "password1"
+module "create_ldap_secret_engine" {
+  depends_on = [
+    enos_remote_exec.policy_write_kv_writer,
+  ]
+  count  = var.ldap_enabled ? 1 : 0
+  source = "./ldap"
+
+  integration_host_state = var.integration_host_state
+  ip_version             = var.ip_version
+  leader_host            = var.leader_host
+  ports                  = var.ports
+  vault_addr             = var.vault_addr
+  vault_root_token       = var.vault_root_token
+  vault_install_dir      = var.vault_install_dir
 }
 
 locals {
-  ldap_output = {
-    ip_version        = var.ip_version
-    ldap_mount        = "ldap"
-    host              = var.integration_host_state.ldap.host
-    port              = var.ports.ldap.port
-    username          = "enos"
-    pw                = var.ldap_password
-    vault_policy_name = local.kv_output.writer_policy_name
-  }
+  ldap_output = var.ldap_enabled ? module.create_ldap_secret_engine[0].ldap : null
 }
 
 output "ldap" {
   value = local.ldap_output
 }
-
-# Enable LDAP secrets engine
-resource "enos_remote_exec" "secrets_enable_ldap_secret" {
-  environment = {
-    ENGINE            = local.ldap_output.ldap_mount
-    MOUNT             = local.ldap_output.ldap_mount
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-# Configuring Openldap Server and Vault LDAP
-resource "enos_remote_exec" "ldap_configurations" {
-  depends_on = [
-    enos_remote_exec.policy_write_kv_writer,
-    enos_remote_exec.secrets_enable_ldap_secret
-  ]
-
-  environment = {
-    MOUNT             = local.ldap_output.ldap_mount
-    LDAP_SERVER       = local.ldap_output.host.private_ip
-    LDAP_PORT         = local.ldap_output.port
-    LDAP_USERNAME     = local.ldap_output.username
-    LDAP_ADMIN_PW     = local.ldap_output.pw
-    POLICY_NAME       = local.ldap_output.vault_policy_name
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  scripts = [abspath("${path.module}/../../scripts/ldap-configs.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}

enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf

@@ -0,0 +1,120 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+variable "leader_host" {
+  type = object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  })
+
+  description = "Vault cluster leader host"
+}
+
+variable "vault_addr" {
+  type        = string
+  description = "The local vault API listen address"
+}
+
+variable "vault_install_dir" {
+  type        = string
+  description = "The directory where the Vault binary will be installed"
+}
+
+variable "vault_root_token" {
+  type        = string
+  description = "The Vault root token"
+  default     = null
+}
+
+variable "ldap_password" {
+  type        = string
+  description = "The LDAP Server admin password"
+  default     = "password1"
+}
+
+variable "integration_host_state" {
+  description = "The state of the test server from the 'set_up_external_integration' module"
+}
+
+variable "ip_version" {
+  type        = string
+  description = "IP Version (4 or 6)"
+  default     = "4"
+}
+
+variable "ports" {
+  description = "Port configuration for services"
+  type = map(object({
+    port        = string
+    description = string
+  }))
+}
+
+locals {
+  ldap_output = {
+    ip_version = var.ip_version
+    ldap_mount = "ldap"
+    host       = var.integration_host_state.ldap.host
+    port       = var.ports.ldap.port
+    username   = "enos"
+    pw         = var.ldap_password
+  }
+}
+
+output "ldap" {
+  value = local.ldap_output
+}
+
+# Enable LDAP secrets engine
+resource "enos_remote_exec" "secrets_enable_ldap_secret" {
+  environment = {
+    ENGINE            = local.ldap_output.ldap_mount
+    MOUNT             = local.ldap_output.ldap_mount
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/secrets-enable.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Configuring Openldap Server and Vault LDAP
+resource "enos_remote_exec" "ldap_configurations" {
+  depends_on = [
+    enos_remote_exec.secrets_enable_ldap_secret
+  ]
+
+  environment = {
+    MOUNT             = local.ldap_output.ldap_mount
+    LDAP_SERVER       = local.ldap_output.host.private_ip
+    LDAP_PORT         = local.ldap_output.port
+    LDAP_USERNAME     = local.ldap_output.username
+    LDAP_ADMIN_PW     = local.ldap_output.pw
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-configs.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}

enos/modules/verify_secrets_engines/modules/create/main.tf

@@ -9,7 +9,7 @@ terraform {
   }
 }
 
-variable "create_aws_secrets_engine" {
+variable "aws_enabled" {
   type        = bool
   description = <<-EOF
     Whether or not we'll verify the AWS secrets engine. Due to the various security requirements in
@@ -22,6 +22,12 @@ variable "create_aws_secrets_engine" {
   default     = false
 }
 
+variable "ldap_enabled" {
+  type        = bool
+  description = "Whether or not we'll verify the LDAP secrets engine"
+  default     = false
+}
+
 variable "ipv4_cidr" {
   type        = string
   description = "The CIDR block for the VPC when using IPv4 mode"

enos/modules/verify_secrets_engines/modules/read/aws.tf

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 module "verify_aws_secrets_engine" {
-  count  = var.verify_aws_secrets_engine ? 1 : 0
+  count  = var.aws_enabled ? 1 : 0
   source = "./aws"
 
   create_state            = var.create_state

enos/modules/verify_secrets_engines/modules/read/ldap.tf

@@ -1,29 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-locals {
-  ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout)
-}
-
 # Verifying Vault LDAP Configurations
-resource "enos_remote_exec" "ldap_verify_configs" {
+module "verify_ldap_secret_engine" {
+  count  = var.ldap_enabled ? 1 : 0
+  source = "./ldap"
 
-  environment = {
-    MOUNT             = "${var.create_state.ldap.ldap_mount}"
-    LDAP_SERVER       = "${var.create_state.ldap.host.private_ip}"
-    LDAP_PORT         = "${var.create_state.ldap.port}"
-    LDAP_USERNAME     = "${var.create_state.ldap.username}"
-    LDAP_ADMIN_PW     = "${var.create_state.ldap.pw}"
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
+  create_state      = var.create_state
+  vault_addr        = var.vault_addr
+  vault_root_token  = var.vault_root_token
+  vault_install_dir = var.vault_install_dir
 
-  scripts = [abspath("${path.module}/../../scripts/ldap-verify-configs")]
-
-  transport = {
-    ssh = {
-      host = var.hosts[0].public_ip
-    }
-  }
+  hosts = var.hosts
 }
+

enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf

@@ -0,0 +1,66 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+variable "hosts" {
+  type = map(object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  }))
+  description = "The Vault cluster instances that were created"
+}
+
+variable "create_state" {
+  description = "The state of the secrets engines from the 'create' module"
+}
+
+variable "vault_addr" {
+  type        = string
+  description = "The local vault API listen address"
+}
+
+variable "vault_install_dir" {
+  type        = string
+  description = "The directory where the Vault binary will be installed"
+}
+
+variable "vault_root_token" {
+  type        = string
+  description = "The Vault root token"
+  default     = null
+}
+
+locals {
+  ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout)
+}
+
+# Verifying Vault LDAP Configurations
+resource "enos_remote_exec" "ldap_verify_configs" {
+
+  environment = {
+    MOUNT             = "${var.create_state.ldap.ldap_mount}"
+    LDAP_SERVER       = "${var.create_state.ldap.host.private_ip}"
+    LDAP_PORT         = "${var.create_state.ldap.port}"
+    LDAP_USERNAME     = "${var.create_state.ldap.username}"
+    LDAP_ADMIN_PW     = "${var.create_state.ldap.pw}"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-verify-configs")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}

enos/modules/verify_secrets_engines/modules/read/main.tf

@@ -50,7 +50,7 @@ variable "vault_root_token" {
   default     = null
 }
 
-variable "verify_aws_secrets_engine" {
+variable "aws_enabled" {
   type        = bool
   description = <<-EOF
     Whether or not we'll verify the AWS secrets engine. Due to the various security requirements in
@@ -63,6 +63,12 @@ variable "verify_aws_secrets_engine" {
   default     = false
 }
 
+variable "ldap_enabled" {
+  type        = bool
+  description = "Whether or not we'll verify the LDAP secrets engine"
+  default     = false
+}
+
 variable "verify_aws_engine_creds" {
   type    = bool
   default = true

enos/modules/verify_secrets_engines/scripts/ldap-verify-configs

@@ -38,4 +38,4 @@ VAULT_LDAP_TOKEN=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.client_token")
 VAULT_POLICY_COUNT=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.policies | length")
 [[ -z "$VAULT_POLICY_COUNT" ]] && fail "Vault LDAP number of policies does not look correct: ${VAULT_POLICY_COUNT}"
 
-echo "${VAULT_LDAP_LOGIN}"
+echo "${VAULT_LDAP_LOGIN}"