upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-26 17:49:02 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
vault/enos/enos-variables.hcl
Vault Automation ad9a5b1e0a
[VAULT-34888] enos: backport changes for Fyre scenarios for testing on linux/s390x 
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.

We now have three new fyre modules that are can swap in-place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhered 1:1 as module interfaces but that can come
later when the base scenarios are merged.

The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Nowyou can set the retry_join variable to either local_api_addr or
aws.

We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.

To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into it's own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.

This PR is massive and covers the following tickets:

    VAULT-40635
    VAULT-40636
    VAULT-44591
    VAULT-34888
    VAULT-34887
    VAULT-34886
    VAULT-34885
    VAULT-34884

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-22 10:21:47 -06:00

284 lines
8.3 KiB
HCL
Raw Blame History

// Copyright IBM Corp. 2016, 2025
// SPDX-License-Identifier: BUSL-1.1
variable "artifactory_token" {
type = string
description = "The token to use when authenticating to artifactory"
default = null
sensitive = true
}
variable "artifactory_host" {
type = string
description = "The artifactory host to search for vault artifacts"
default = "https://artifactory.hashicorp.engineering/artifactory"
}
variable "artifactory_repo" {
type = string
description = "The artifactory repo to search for vault artifacts"
default = "hashicorp-crt-stable-local*"
}
variable "aws_region" {
description = "The AWS region where we'll create infrastructure"
type = string
default = "us-east-1"
}
variable "aws_ssh_keypair_name" {
description = "The AWS keypair to use for SSH"
type = string
default = "enos-ci-ssh-key"
}
variable "aws_ssh_private_key_path" {
description = "The path to the AWS keypair private key"
type = string
default = "./support/private_key.pem"
}
variable "backend_edition" {
description = "The backend release edition if applicable"
type = string
default = "ce" // or "ent"
}
variable "backend_instance_type" {
description = "The instance type to use for the Vault backend. Must be arm64/nitro compatible"
type = string
default = "t4g.small"
}
variable "backend_license_path" {
description = "The license for the backend if applicable (Consul Enterprise)"
type = string
default = null
}
variable "backend_log_level" {
description = "The server log level for the backend. Supported values include 'trace', 'debug', 'info', 'warn', 'error'"
type = string
default = "trace"
}
variable "blackbox_test_filter" {
type = list(string)
description = "Override list of specific blackbox test packages (e.g., ['core', 'secrets']) or test names (e.g., ['TestUnsealedStatus']). Empty list uses scenario defaults. Package names are converted to directory paths automatically."
default = []
}
variable "fyre_expiration" {
type = string
description = "The Fyre VM expiration time in hours"
default = null
}
variable "fyre_quota_type" {
type = string
description = "The Fyre quota type to use when provisioning VMs. quick_burn is not available for z"
default = "product_group" // or "quick_burn",
}
variable "fyre_quick_burn_ttl" {
type = string
description = "If using the quick_burn quota, the time to live in hours"
default = "12"
}
variable "fyre_product_group_id" {
type = number
description = "The Fyre product group ID used to provision test VMs"
default = null
}
variable "fyre_public_key_path" {
type = string
description = "Path to the RFC 4716 formatted public key used for SSH access to Fyre VMs"
default = "./support/ssh_key.pub"
}
variable "fyre_private_key_path" {
type = string
description = "Path to the private key corresponding to fyre_vm_public_key_path"
default = "./support/ssh_key"
}
variable "distro_version_amzn" {
description = "The version of Amazon Linux 2 to use"
type = string
default = "2023" // or "2", though pkcs11 has not been tested with 2
}
variable "distro_version_centos" {
description = "The version of CentOS Stream to use"
type = string
default = "10" // or "9"
}
variable "distro_version_rhel" {
description = "The version of RedHat Enterprise Linux to use"
type = string
default = "10.1" // or "8.10", "9.7"
}
variable "distro_version_rocky" {
description = "The version of Rocky Enterprise Linux to use"
type = string
default = "10.1" // or "8.10", "9.7"
}
variable "distro_version_sles" {
description = "The version of SUSE Enterprise Linux to use"
type = string
default = "16.0" // or "15.7"
}
variable "distro_version_ubuntu" {
description = "The version of Ubuntu Linux to use"
type = string
default = "24.04" // or "22.04" or "24.04"
}
variable "project_name" {
description = "The description of the project"
type = string
default = "vault-enos-integration"
}
variable "tags" {
description = "Tags that will be applied to infrastructure resources that support tagging"
type = map(string)
default = null
}
variable "terraform_plugin_cache_dir" {
description = "The directory to cache Terraform modules and providers"
type = string
default = null
}
variable "ui_test_filter" {
type = string
description = "A test filter to limit the ui tests to execute. Will be appended to the ember test command as '-f=\"<filter>\"'"
default = null
}
variable "ui_run_tests" {
type = bool
description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
default = true
}
variable "vault_artifact_type" {
description = "The type of Vault artifact to use when installing Vault from artifactory. It should be 'package' for .deb or .rpm package and 'bundle' for .zip bundles"
default = "bundle"
}
variable "vault_artifact_path" {
description = "Path to CRT generated or local vault.zip bundle"
type = string
default = "/tmp/vault.zip"
}
variable "vault_build_date" {
description = "The build date for Vault artifact"
type = string
default = ""
}
variable "vault_enable_audit_devices" {
description = "If true every audit device will be enabled"
type = bool
default = true
}
variable "vault_install_dir" {
type = string
description = "The directory where the Vault binary will be installed"
default = "/opt/vault/bin"
}
variable "vault_instance_count" {
description = "How many instances to create for the Vault cluster"
type = number
default = 3
}
variable "vault_license_path" {
description = "The path to a valid Vault enterprise edition license. This is only required for non-ce editions"
type = string
default = null
}
variable "vault_ibm_license_path" {
description = "The path to a valid IBM PAO license. This is only required when testing a license update during the upgrade scenario"
type = string
default = null
}
variable "vault_ibm_license_edition" {
description = "The edition to select when using an IBM PAO license. This should match the edition of a valid Vault entitlement in the license located at var.vault_ibm_license_path."
type = string
default = null
}
variable "vault_local_build_tags" {
description = "The build tags to pass to the Go compiler for builder:local variants"
type = list(string)
default = null
}
variable "vault_log_level" {
description = "The server log level for Vault logs. Supported values (in order of detail) are trace, debug, info, warn, and err."
type = string
default = "trace"
}
variable "vault_product_version" {
description = "The version of Vault we are testing"
type = string
default = null
}
variable "vault_radar_license_path" {
description = "The license for vault-radar which is used to verify the audit log"
type = string
default = null
}
variable "vault_revision" {
description = "The git sha of Vault artifact we are testing"
type = string
default = null
}
variable "vault_upgrade_initial_version" {
description = "The Vault release to deploy before upgrading"
type = string
default = "1.16.31"
}
variable "verify_aws_secrets_engine" {
description = "If true we'll verify AWS secrets engines behavior. Because of user creation restrictions in Doormat AWS accounts, only turn this on for CI, as it depends on resources that exist only in those accounts"
type = bool
default = false
}
variable "verify_kmip_secrets_engine" {
description = "If true we'll verify KMIP secrets engines behavior"
type = bool
default = true
}
variable "verify_ldap_secrets_engine" {
description = "If true we'll verify LDAP secrets engines behavior"
type = bool
default = true
}
variable "verify_log_secrets" {
description = "If true and var.vault_enable_audit_devices is true we'll verify that the audit log does not contain unencrypted secrets. Requires var.vault_radar_license_path to be set to a valid license file."
type = bool
default = false // Only because it requires a Vault Radar license
}
Reference in a new issue View git blame Copy permalink