diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml index ab43df1af4..60d37d7b3c 100644 --- a/.github/workflows/test-run-enos-scenario-matrix.yml +++ b/.github/workflows/test-run-enos-scenario-matrix.yml @@ -199,6 +199,7 @@ jobs: echo 'ENOS_VAR_vault_revision=${{ inputs.vault-revision }}' echo 'ENOS_VAR_vault_upgrade_initial_version=${{ matrix.attributes.upgrade_initial_version }}' echo 'ENOS_VAR_verify_aws_secrets_engine=false' + echo 'ENOS_VAR_verify_ldap_secrets_engine=false' echo 'ENOS_VAR_verify_log_secrets=true' } | tee -a "$GITHUB_ENV" - uses: hashicorp/setup-terraform@v3 diff --git a/enos/enos-modules.hcl b/enos/enos-modules.hcl index 8d8b67e5f4..0b00b4a021 100644 --- a/enos/enos-modules.hcl +++ b/enos/enos-modules.hcl @@ -323,15 +323,17 @@ module "vault_verify_removed_node_shim" { module "vault_verify_secrets_engines_create" { source = "./modules/verify_secrets_engines/modules/create" - create_aws_secrets_engine = var.verify_aws_secrets_engine - vault_install_dir = var.vault_install_dir + aws_enabled = var.verify_aws_secrets_engine + ldap_enabled = var.verify_ldap_secrets_engine + vault_install_dir = var.vault_install_dir } module "vault_verify_secrets_engines_read" { source = "./modules/verify_secrets_engines/modules/read" - verify_aws_secrets_engine = var.verify_aws_secrets_engine - vault_install_dir = var.vault_install_dir + aws_enabled = var.verify_aws_secrets_engine + ldap_enabled = var.verify_ldap_secrets_engine + vault_install_dir = var.vault_install_dir } module "vault_verify_secrets_engines_delete" { diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index 0862f95f2a..86eff6f92f 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl @@ -720,6 +720,7 @@ scenario "upgrade" { vault_edition = matrix.edition vault_install_dir = global.vault_install_dir[matrix.artifact_type] vault_root_token = step.create_vault_cluster.root_token + } } 
diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl
index fff6a93f9e..3e18310806 100644
--- a/enos/enos-variables.hcl
+++ b/enos/enos-variables.hcl
@@ -62,12 +62,6 @@ variable "backend_log_level" {
 default = "trace"
 }
 
-variable "project_name" {
- description = "The description of the project"
- type = string
- default = "vault-enos-integration"
-}
-
 variable "distro_version_amzn" {
 description = "The version of Amazon Linux 2 to use"
 type = string
@@ -98,6 +92,12 @@ variable "distro_version_ubuntu" {
 default = "24.04" // or "22.04"
 }
 
+variable "project_name" {
+ description = "The description of the project"
+ type = string
+ default = "vault-enos-integration"
+}
+
 variable "tags" {
 description = "Tags that will be applied to infrastructure resources that support tagging"
 type = map(string)
@@ -205,6 +205,12 @@ variable "verify_aws_secrets_engine" {
 default = false
 }
 
+variable "verify_ldap_secrets_engine" {
+ description = "If true we'll verify LDAP secrets engines behavior"
+ type = bool
+ default = false
+}
+
 variable "verify_log_secrets" {
 description = "If true and var.vault_enable_audit_devices is true we'll verify that the audit log does not contain unencrypted secrets. Requires var.vault_radar_license_path to be set to a valid license file."
 type = bool
diff --git a/enos/modules/verify_secrets_engines/modules/create/aws.tf b/enos/modules/verify_secrets_engines/modules/create/aws.tf
index a96902ed4a..66183b2b08 100644
--- a/enos/modules/verify_secrets_engines/modules/create/aws.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/aws.tf
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 module "create_aws_secrets_engine" {
- count = var.create_aws_secrets_engine ? 1 : 0
+ count = var.aws_enabled ? 1 : 0
 source = "./aws"
 hosts = var.hosts
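Review bot: The description on the new `verify_ldap_secrets_engine` variable does not say what enabling it requires. The create path it gates (`create/ldap/ldap.tf` in this commit) reads `var.integration_host_state.ldap.host`, i.e. it needs the LDAP server provisioned by the `set_up_external_integration` module, so a scenario that sets this true without that host fails with an attribute-on-null error rather than a clear message. Suggest `description = "If true we'll verify the LDAP secrets engine's behavior. Requires the external LDAP integration host from the 'set_up_external_integration' module."`, and the same caveat on the `ldap_enabled` descriptions added in `create/main.tf` and `read/main.tf`. Note that the workflow hunk in this commit pins `ENOS_VAR_verify_ldap_secrets_engine=false`, so that matrix run does not exercise the new path; if that is deliberate, a one-line comment in the workflow saying why would save the next reader a search.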
@@ -13,7 +13,7 @@ module "create_aws_secrets_engine" {
 }
 
 locals {
- aws_state = var.create_aws_secrets_engine ? module.create_aws_secrets_engine[0].state : null
+ aws_state = var.aws_enabled ? module.create_aws_secrets_engine[0].state : null
 }
 
 output "aws" {
diff --git a/enos/modules/verify_secrets_engines/modules/create/ldap.tf b/enos/modules/verify_secrets_engines/modules/create/ldap.tf
index d6a5eb459b..2f064296dd 100644
--- a/enos/modules/verify_secrets_engines/modules/create/ldap.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/ldap.tf
@@ -1,71 +1,26 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-variable "ldap_password" {
- type = string
- description = "The LDAP Server admin password"
- default = "password1"
+module "create_ldap_secret_engine" {
+ depends_on = [
+ enos_remote_exec.policy_write_kv_writer,
+ ]
+ count = var.ldap_enabled ? 1 : 0
+ source = "./ldap"
+
+ integration_host_state = var.integration_host_state
+ ip_version = var.ip_version
+ leader_host = var.leader_host
+ ports = var.ports
+ vault_addr = var.vault_addr
+ vault_root_token = var.vault_root_token
+ vault_install_dir = var.vault_install_dir
 }
 
 locals {
- ldap_output = {
- ip_version = var.ip_version
- ldap_mount = "ldap"
- host = var.integration_host_state.ldap.host
- port = var.ports.ldap.port
- username = "enos"
- pw = var.ldap_password
- vault_policy_name = local.kv_output.writer_policy_name
- }
+ ldap_output = var.ldap_enabled ? module.create_ldap_secret_engine[0].ldap : null
 }
 
 output "ldap" {
 value = local.ldap_output
 }
-
-# Enable LDAP secrets engine
-resource "enos_remote_exec" "secrets_enable_ldap_secret" {
- environment = {
- ENGINE = local.ldap_output.ldap_mount
- MOUNT = local.ldap_output.ldap_mount
- VAULT_ADDR = var.vault_addr
- VAULT_INSTALL_DIR = var.vault_install_dir
- VAULT_TOKEN = var.vault_root_token
- }
-
- scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
-
- transport = {
- ssh = {
- host = var.leader_host.public_ip
- }
- }
-}
-
-# Configuring Openldap Server and Vault LDAP
-resource "enos_remote_exec" "ldap_configurations" {
- depends_on = [
- enos_remote_exec.policy_write_kv_writer,
- enos_remote_exec.secrets_enable_ldap_secret
- ]
-
- environment = {
- MOUNT = local.ldap_output.ldap_mount
- LDAP_SERVER = local.ldap_output.host.private_ip
- LDAP_PORT = local.ldap_output.port
- LDAP_USERNAME = local.ldap_output.username
- LDAP_ADMIN_PW = local.ldap_output.pw
- POLICY_NAME = local.ldap_output.vault_policy_name
- VAULT_ADDR = var.vault_addr
- VAULT_INSTALL_DIR 
= var.vault_install_dir
- VAULT_TOKEN = var.vault_root_token
- }
-
- scripts = [abspath("${path.module}/../../scripts/ldap-configs.sh")]
-
- transport = {
- ssh = {
- host = var.leader_host.public_ip
- }
- }
-}
diff --git a/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf
new file mode 100644
index 0000000000..0ac034dc3e
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf
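Review bot: The new `create_ldap_secret_engine` module call keeps `depends_on = [enos_remote_exec.policy_write_kv_writer]` but drops the policy wiring that dependency existed for: the removed `ldap_configurations` resource passed `POLICY_NAME = local.ldap_output.vault_policy_name` (from `local.kv_output.writer_policy_name`) to `ldap-configs.sh` and the removed output carried `vault_policy_name`, while the child module added in `create/ldap/ldap.tf` has neither a `vault_policy_name` variable nor a `POLICY_NAME` entry in its environment. `ldap-configs.sh` is not in this diff; if it still reads `$POLICY_NAME`, the Vault-side LDAP configuration it writes is now missing its policy, and only the policy-count check in `ldap-verify-configs` stands a chance of catching that. Either thread it through — `vault_policy_name = local.kv_output.writer_policy_name` on this module call (assuming `local.kv_output` is still defined in this parent module), a `variable "vault_policy_name"` in the child, `POLICY_NAME = var.vault_policy_name` in the child's environment, and `vault_policy_name` back in its `ldap` output — or remove the `depends_on` and add a comment saying why the policy is no longer needed.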
@@ -0,0 +1,120 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+ required_providers {
+ enos = {
+ source = "registry.terraform.io/hashicorp-forge/enos"
+ }
+ }
+}
+
+variable "leader_host" {
+ type = object({
+ ipv6 = string
+ private_ip = string
+ public_ip = string
+ })
+
+ description = "Vault cluster leader host"
+}
+
+variable "vault_addr" {
+ type = string
+ description = "The local vault API listen address"
+}
+
+variable "vault_install_dir" {
+ type = string
+ description = "The directory where the Vault binary will be installed"
+}
+
+variable "vault_root_token" {
+ type = string
+ description = "The Vault root token"
+ default = null
+}
+
+variable "ldap_password" {
+ type = string
+ description = "The LDAP Server admin password"
+ default = "password1"
+}
+
+variable "integration_host_state" {
+ description = "The state of the test server from the 'set_up_external_integration' module"
+}
+
+variable "ip_version" {
+ type = string
+ description = "IP Version (4 or 6)"
+ default = "4"
+}
+
+variable "ports" {
+ description = "Port configuration for services"
+ type = map(object({
+ port = string
+ description = string
+ }))
+}
+
+locals {
+ ldap_output = {
+ ip_version = var.ip_version
+ ldap_mount = "ldap"
+ host = var.integration_host_state.ldap.host
+ port = var.ports.ldap.port
+ username = "enos"
+ pw = var.ldap_password
+ }
+}
+
+output "ldap" {
+ value = local.ldap_output
+}
+
+# Enable LDAP secrets engine
+resource "enos_remote_exec" "secrets_enable_ldap_secret" {
+ environment = {
+ ENGINE = local.ldap_output.ldap_mount
+ MOUNT = local.ldap_output.ldap_mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ VAULT_TOKEN = var.vault_root_token
+ }
+
+ scripts = [abspath("${path.module}/../../../scripts/secrets-enable.sh")]
+
+ transport = {
+ ssh = {
+ host = var.leader_host.public_ip
+ }
+ }
+}
+
+# Configuring Openldap Server and Vault LDAP
+resource "enos_remote_exec" 
"ldap_configurations" { + depends_on = [ + enos_remote_exec.secrets_enable_ldap_secret + ] + + environment = { + MOUNT = local.ldap_output.ldap_mount + LDAP_SERVER = local.ldap_output.host.private_ip + LDAP_PORT = local.ldap_output.port + LDAP_USERNAME = local.ldap_output.username + LDAP_ADMIN_PW = local.ldap_output.pw + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/ldap-configs.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf index 6bd4f3a885..ef48912729 100644 --- a/enos/modules/verify_secrets_engines/modules/create/main.tf +++ b/enos/modules/verify_secrets_engines/modules/create/main.tf @@ -9,7 +9,7 @@ terraform { } } -variable "create_aws_secrets_engine" { +variable "aws_enabled" { type = bool description = <<-EOF Whether or not we'll verify the AWS secrets engine. Due to the various security requirements in @@ -22,6 +22,12 @@ variable "create_aws_secrets_engine" { default = false } +variable "ldap_enabled" { + type = bool + description = "Whether or not we'll verify the LDAP secrets engine" + default = false +} + variable "ipv4_cidr" { type = string description = "The CIDR block for the VPC when using IPv4 mode" diff --git a/enos/modules/verify_secrets_engines/modules/read/aws.tf b/enos/modules/verify_secrets_engines/modules/read/aws.tf index e2e9a8a22f..228585887a 100644 --- a/enos/modules/verify_secrets_engines/modules/read/aws.tf +++ b/enos/modules/verify_secrets_engines/modules/read/aws.tf @@ -2,7 +2,7 @@ # SPDX-License-Identifier: BUSL-1.1 module "verify_aws_secrets_engine" { - count = var.verify_aws_secrets_engine ? 1 : 0 + count = var.aws_enabled ? 1 : 0 source = "./aws" create_state = var.create_state 
diff --git a/enos/modules/verify_secrets_engines/modules/read/ldap.tf b/enos/modules/verify_secrets_engines/modules/read/ldap.tf
index 2c6a2a1555..a4cddb84bf 100644
--- a/enos/modules/verify_secrets_engines/modules/read/ldap.tf
+++ b/enos/modules/verify_secrets_engines/modules/read/ldap.tf
@@ -1,29 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-locals {
- ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout)
-}
-
 # Verifying Vault LDAP Configurations
-resource "enos_remote_exec" "ldap_verify_configs" {
+module "verify_ldap_secret_engine" {
+ count = var.ldap_enabled ? 1 : 0
+ source = "./ldap"
 
- environment = {
- MOUNT = "${var.create_state.ldap.ldap_mount}"
- LDAP_SERVER = "${var.create_state.ldap.host.private_ip}"
- LDAP_PORT = "${var.create_state.ldap.port}"
- LDAP_USERNAME = "${var.create_state.ldap.username}"
- LDAP_ADMIN_PW = "${var.create_state.ldap.pw}"
- VAULT_ADDR = var.vault_addr
- VAULT_INSTALL_DIR = var.vault_install_dir
- VAULT_TOKEN = var.vault_root_token
- }
+ create_state = var.create_state
+ vault_addr = var.vault_addr
+ vault_root_token = var.vault_root_token
+ vault_install_dir = var.vault_install_dir
 
- scripts = [abspath("${path.module}/../../scripts/ldap-verify-configs")]
-
- transport = {
- ssh = {
- host = var.hosts[0].public_ip
- }
- }
+ hosts = var.hosts
 }
+
diff --git a/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf
new file mode 100644
index 0000000000..7e2151d5c0
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf
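Review bot: The `verify_ldap_secret_engine` module is gated only on the read module's own `ldap_enabled`, while everything the child consumes comes from `var.create_state.ldap`, which the create module in this commit sets to `null` when its `ldap_enabled` is false. The two flags are independent module inputs (today `enos-modules.hcl` wires both to `var.verify_ldap_secrets_engine`), so a mismatch fails deep inside the child with an attribute-on-null error rather than a readable message; a `lifecycle { precondition { ... } }` on the child's `ldap_verify_configs` resource with `condition = var.create_state.ldap != null` and an `error_message` naming the flag mismatch would make that explicit at the module boundary. Also, the hunk adds a blank line after the closing `}` as the new last line of the file; `terraform fmt` keeps a single trailing newline, so drop it.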
@@ -0,0 +1,66 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+ required_providers {
+ enos = {
+ source = "registry.terraform.io/hashicorp-forge/enos"
+ }
+ }
+}
+
+variable "hosts" {
+ type = map(object({
+ ipv6 = string
+ private_ip = string
+ public_ip = string
+ }))
+ description = "The Vault cluster instances that were created"
+}
+
+variable "create_state" {
+ description = "The state of the secrets engines from the 'create' module"
+}
+
+variable "vault_addr" {
+ type = string
+ description = "The local vault API listen address"
+}
+
+variable "vault_install_dir" {
+ type = string
+ description = "The directory where the Vault binary will be installed"
+}
+
+variable "vault_root_token" {
+ type = string
+ description = "The Vault root token"
+ default = null
+}
+
+locals {
+ ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout)
+}
+
+# Verifying Vault LDAP Configurations
+resource "enos_remote_exec" "ldap_verify_configs" {
+
+ environment = {
+ MOUNT = "${var.create_state.ldap.ldap_mount}"
+ LDAP_SERVER = "${var.create_state.ldap.host.private_ip}"
+ LDAP_PORT = "${var.create_state.ldap.port}"
+ LDAP_USERNAME = "${var.create_state.ldap.username}"
+ LDAP_ADMIN_PW = "${var.create_state.ldap.pw}"
+ VAULT_ADDR = var.vault_addr
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ VAULT_TOKEN = var.vault_root_token
+ }
+
+ scripts = [abspath("${path.module}/../../../scripts/ldap-verify-configs")]
+
+ transport = {
+ ssh = {
+ host = var.hosts[0].public_ip
+ }
+ }
+}
diff --git a/enos/modules/verify_secrets_engines/modules/read/main.tf b/enos/modules/verify_secrets_engines/modules/read/main.tf
index d42a97f8b7..76cdb2b2bc 100644
--- a/enos/modules/verify_secrets_engines/modules/read/main.tf
+++ b/enos/modules/verify_secrets_engines/modules/read/main.tf
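Review bot: `locals { ldap_login_data = jsondecode(enos_remote_exec.ldap_verify_configs.stdout) }` is carried over into the new child module, but nothing in the module reads it and there is no `output`, so it is dead code. What it would decode is the full LDAP login response — `ldap-verify-configs` ends with `echo "${VAULT_LDAP_LOGIN}"` and reads `.auth.client_token` from that same value — so if a caller does need login data for assertions, expose only the fields needed, e.g. `output "ldap_policies" { value = local.ldap_login_data.auth.policies }`, rather than the whole response; otherwise remove the local. `var.hosts[0].public_ip` indexes a `map(object)` with a number, which only works when the map keys are numeric strings ("0", "1", …); presumably the hosts map is produced that way, but it is worth confirming against the caller since this is now a standalone module with its own `hosts` type.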
@@ -50,7 +50,7 @@ variable "vault_root_token" {
 default = null
 }
 
-variable "verify_aws_secrets_engine" {
+variable "aws_enabled" {
 type = bool
 description = <<-EOF
 Whether or not we'll verify the AWS secrets engine. Due to the various security requirements in
@@ -63,6 +63,12 @@ variable "verify_aws_secrets_engine" {
 default = false
 }
 
+variable "ldap_enabled" {
+ type = bool
+ description = "Whether or not we'll verify the LDAP secrets engine"
+ default = false
+}
+
 variable "verify_aws_engine_creds" {
 type = bool
 default = true
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-verify-configs b/enos/modules/verify_secrets_engines/scripts/ldap-verify-configs
index 134f129919..a2e363435c 100644
--- a/enos/modules/verify_secrets_engines/scripts/ldap-verify-configs
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-verify-configs
@@ -38,4 +38,4 @@ VAULT_LDAP_TOKEN=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.client_token")
 VAULT_POLICY_COUNT=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.policies | length")
 [[ -z "$VAULT_POLICY_COUNT" ]] && fail "Vault LDAP number of policies does not look correct: ${VAULT_POLICY_COUNT}"
-echo "${VAULT_LDAP_LOGIN}"
\ No newline at end of file
+echo "${VAULT_LDAP_LOGIN}"