* [VAULT-42245] Add IBM license update to enos upgrade scenario (#12661) * initial changes * more changes * test * test changes * Fix test * try ignoring customer id * clean up * more clean up * lint * PR comments * make edition a variable * lint * PR comments * add default for customer id * fix script and lint * specify license file * Apply suggestion from @ryancragun Co-authored-by: Ryan Cragun <me@ryan.ec> * always configure ibm license * Update enos/modules/verify_log_secrets/main.tf Co-authored-by: Ryan Cragun <me@ryan.ec> * lint --------- Co-authored-by: Ryan Cragun <me@ryan.ec> * lint --------- Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com> Co-authored-by: Ryan Cragun <me@ryan.ec>
# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1
# Provider requirements for this module: everything below is driven by the
# enos provider (bundle install + remote exec over SSH).
terraform {
  required_providers {
    enos = { source = "registry.terraform.io/hashicorp-forge/enos" }
  }
}
# Path of the audit log that the scan script reads; exported to the script
# as AUDIT_LOG_FILE_PATH.
variable "audit_log_file_path" {
  description = "Path to the Vault audit log file that will be scanned for secrets"
  type        = string
}
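# The host that both resources below connect to over SSH (via public_ip).
# The scan has to run on the leader because only the leader writes the
# audit log that is being inspected.
variable "leader_host" {
  type = object({
    ipv6       = string
    private_ip = string
    public_ip  = string
  })
  # Fixed grammar in the description ("write" -> "writes").
  description = "The cluster leader host. Only the leader writes to the audit log"
}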
# Install location for the vault-radar bundle; also exported to the scan
# script as VAULT_RADAR_INSTALL_DIR so it can find the binary.
variable "radar_install_dir" {
  description = "The directory where the Vault binary will be installed"
  default     = "/opt/vault-radar/bin"
  type        = string
}
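# Local path to the Radar license. The file's contents (not the path) are
# read with file() at plan time and handed to the scan script as
# VAULT_RADAR_LICENSE, so this must point at a readable file on the machine
# running Terraform.
variable "radar_license_path" {
  # Declared as string for consistency with the other variables; previously
  # untyped, which would have accepted any value and deferred the error to file().
  type        = string
  description = "The path to a vault-radar license file"
}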
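# Version of vault-radar to install via enos_bundle_install.
variable "radar_version" {
  # Explicit type (was untyped) so non-string inputs fail at variable validation
  # rather than inside the release block.
  type        = string
  description = "The version of Vault Radar to install"
  default     = "0.29.0" # must be >= 0.17.0
  # NOTE: A `semverconstraint` validation condition would be very useful here
  # when we get around to exporting our custom enos funcs in the provider.
  # Until then the ">= 0.17.0" requirement above is not enforced.
}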
# Address the scan script uses to reach the Vault API (exported as VAULT_ADDR).
variable "vault_addr" {
  description = "The local vault API listen address"
  type        = string
}
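# Root token handed to the scan script as VAULT_TOKEN.
variable "vault_root_token" {
  type        = string
  description = "The vault root token"
  # Mark as sensitive so Terraform redacts the token (and the enos_remote_exec
  # environment derived from it) in plan/apply output instead of printing it.
  sensitive = true
}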
# systemd-style unit name for Vault; exported to the scan script as VAULT_UNIT_NAME.
variable "vault_unit_name" {
  description = "The vault unit name"
  default     = "vault"
  type        = string
}
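# Customer ID embedded in an IBM license. Radar reports it as a finding when it
# appears in the logs, so the scan script receives it (as
# VAULT_IBM_LICENSE_CUSTOMER_ID) to allow-list that specific value.
variable "vault_ibm_license_customer_id" {
  type        = string
  description = "The customer ID associated with the IBM license, if one is being used. This gets flagged by Radar in the logs, so we need to explicitly ignore it. The customer ID can be decoded from your license using the vault CLI: VAULT_LICENSE_PATH=<path>pao.lic vault license inspect"
  # Empty default keeps the variable optional when no IBM license is in use.
  default = ""
  # Radar itself treats this value as a secret, so keep it out of plan output.
  sensitive = true
}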
# Installs the vault-radar release bundle onto the leader host over SSH.
resource "enos_bundle_install" "radar" {
  transport = {
    ssh = { host = var.leader_host.public_ip }
  }

  destination = var.radar_install_dir

  release = {
    product = "vault-radar"
    version = var.radar_version
    # Radar doesn't have CE/Ent editions. CE is equivalent to no edition metadata.
    edition = "ce"
  }
}
# Runs scripts/scan_logs_for_secrets.sh on the leader host once Radar is
# installed. All inputs reach the script through its environment; note that
# this includes the root token (VAULT_TOKEN) and the raw license text
# (VAULT_RADAR_LICENSE), not just paths and addresses.
resource "enos_remote_exec" "scan_logs_for_secrets" {
  # The script needs the Radar binary present before it can run.
  depends_on = [enos_bundle_install.radar]

  transport = {
    ssh = { host = var.leader_host.public_ip }
  }

  scripts = [abspath("${path.module}/scripts/scan_logs_for_secrets.sh")]

  environment = {
    AUDIT_LOG_FILE_PATH           = var.audit_log_file_path
    VAULT_ADDR                    = var.vault_addr
    VAULT_IBM_LICENSE_CUSTOMER_ID = var.vault_ibm_license_customer_id
    VAULT_RADAR_INSTALL_DIR       = var.radar_install_dir
    # file() reads the license on the Terraform host; the contents travel to
    # the remote process via its environment.
    VAULT_RADAR_LICENSE = file(var.radar_license_path)
    VAULT_TOKEN         = var.vault_root_token
    VAULT_UNIT_NAME     = var.vault_unit_name
  }
}