Add Amazon Linux, openSUSE Leap, and SUSE SLES support to Enos scenarios and modules (#25983)

Add Consul edition support to Enos scenarios and modules
Add Linux distros and Consul edition to Enos samples
Bump RHEL versions to 9.3 and 8.9
Rebecca Willett
2024-06-05 12:58:35 -04:00
committed by GitHub
parent ef10c1a2a4
commit c28739512a
38 changed files with 947 additions and 375 deletions


@@ -96,7 +96,13 @@ jobs:
ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.vault-version }}
ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
ENOS_VAR_consul_license_path: ./support/consul.hclic
ENOS_VAR_vault_license_path: ./support/vault.hclic
ENOS_VAR_distro_version_amzn2: ${{ matrix.attributes.distro_version_amzn2 }}
ENOS_VAR_distro_version_leap: ${{ matrix.attributes.distro_version_leap }}
ENOS_VAR_distro_version_rhel: ${{ matrix.attributes.distro_version_rhel }}
ENOS_VAR_distro_version_sles: ${{ matrix.attributes.distro_version_sles }}
ENOS_VAR_distro_version_ubuntu: ${{ matrix.attributes.distro_version_ubuntu }}
ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -134,6 +140,11 @@ jobs:
- if: contains(inputs.sample-name, 'ent')
name: Configure Vault license
run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
- if: contains(matrix.scenario.id.filter, 'consul_edition:ent')
name: Configure Consul license
run: |
echo "matrix.scenario.id.filter: ${{ matrix.scenario.id.filter }}"
echo "${{ secrets.CONSUL_LICENSE }}" > ./enos/support/consul.hclic || true
- id: launch
name: enos scenario launch ${{ matrix.scenario.id.filter }}
# Continue once and retry to handle occasional blips when creating infrastructure.
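Review bot: The Consul license write on the last `run:` line of the second hunk inlines `${{ secrets.CONSUL_LICENSE }}` into the shell script text and then discards the exit status with `|| true`, so an empty or failed write is not surfaced until the scenario later fails to find a license. Passing the secret through `env:` keeps it out of the generated script and lets the step fail at the point of the problem: `env:` / `  CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}` / `run: printf '%s' "$CONSUL_LICENSE" > ./enos/support/consul.hclic`. The Vault license step above uses the same pattern, which this hunk mirrors; the `echo "matrix.scenario.id.filter: ..."` line is fine for debugging but could be dropped once the filter condition is confirmed to work.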


@@ -69,13 +69,13 @@ scenario "dev_pr_replication" {
EOF
// The matrix is where we define all the baseline combinations that enos can utilize to customize
// your scenario. By default enos attempts to perform your command an the entire product! Most
// of the time you'll want to reduce that by passing in a filter.
// your scenario. By default enos attempts to perform your command on the entire product of these
// possible comginations! Most of the time you'll want to reduce that by passing in a filter.
// Run 'enos scenario list --help' to see more about how filtering scenarios works in enos.
matrix {
arch = ["amd64", "arm64"]
artifact = ["local", "deb", "rpm", "zip"]
distro = ["ubuntu", "rhel"]
distro = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
primary_backend = ["consul", "raft"]
primary_seal = ["awskms", "pkcs11", "shamir"]
@@ -117,8 +117,8 @@ scenario "dev_pr_replication" {
// Here we declare all of the providers that we might need for our scenario.
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
// These are variable values that are local to our scenario. They are evaluated after external
@@ -127,7 +127,10 @@ scenario "dev_pr_replication" {
// The enos provider uses different ssh transport configs for different distros (as
// specified in enos-providers.hcl), and we need to be able to access both of those here.
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
// We install vault packages from artifactory. If you wish to use one of these variants you'll
@@ -139,7 +142,7 @@ scenario "dev_pr_replication" {
// If you are using an ent edition, you will need a Vault license. Common convention
// is to store it at ./support/vault.hclic, but you may change this path according
// to your own preference.
vault_install_dir = matrix.artifact == "zip" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
vault_install_dir = matrix.artifact == "zip" || matrix.artifact == "local" ? global.vault_install_dir["bundle"] : global.vault_install_dir["package"]
}
// Begin scenario steps. These are the steps we'll perform to get your cluster up and running.
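Review bot: The rewritten matrix comment in the first hunk introduces the typo "comginations"; the new line should read `// possible combinations! Most of the time you'll want to reduce that by passing in a filter.`. The same wording is added to the matching hunk of the dev_single_cluster scenario and should be fixed there too. In the last hunk, `vault_install_dir = matrix.artifact == "zip" || matrix.artifact == "local" ? ... : ...` relies on `||` binding tighter than `?:`; wrapping the condition as `(matrix.artifact == "zip" || matrix.artifact == "local") ? global.vault_install_dir["bundle"] : global.vault_install_dir["package"]` makes the intent obvious to readers who do not have HCL precedence memorized.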


@@ -68,14 +68,14 @@ scenario "dev_single_cluster" {
EOF
// The matrix is where we define all the baseline combinations that enos can utilize to customize
// your scenario. By default enos attempts to perform your command an the entire product! Most
// of the time you'll want to reduce that by passing in a filter.
// your scenario. By default enos attempts to perform your command on the entire product of these
// possible comginations! Most of the time you'll want to reduce that by passing in a filter.
// Run 'enos scenario list --help' to see more about how filtering scenarios works in enos.
matrix {
arch = ["amd64", "arm64"]
artifact = ["local", "deb", "rpm", "zip"]
backend = ["consul", "raft"]
distro = ["ubuntu", "rhel"]
distro = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
edition = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
seal = ["awskms", "pkcs11", "shamir"]
@@ -107,10 +107,12 @@ scenario "dev_single_cluster" {
terraform = terraform.default
// Here we declare all of the providers that we might need for our scenario.
// There are two different configurations for the Enos provider, each specifying
// SSH transport configs for different Linux distros.
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
// These are variable values that are local to our scenario. They are evaluated after external
@@ -119,7 +121,10 @@ scenario "dev_single_cluster" {
// The enos provider uses different ssh transport configs for different distros (as
// specified in enos-providers.hcl), and we need to be able to access both of those here.
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
// We install vault packages from artifactory. If you wish to use one of these variants you'll
@@ -131,7 +136,7 @@ scenario "dev_single_cluster" {
// If you are using an ent edition, you will need a Vault license. Common convention
// is to store it at ./support/vault.hclic, but you may change this path according
// to your own preference.
vault_install_dir = matrix.artifact == "zip" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
vault_install_dir = matrix.artifact == "zip" || matrix.artifact == "local" ? global.vault_install_dir["bundle"] : global.vault_install_dir["package"]
}
// Begin scenario steps. These are the steps we'll perform to get your cluster up and running.


@@ -16,20 +16,43 @@ globals {
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
config_modes = ["env", "file"]
consul_editions = ["ce", "ent"]
consul_versions = ["1.14.11", "1.15.7", "1.16.3", "1.17.0"]
distros = ["ubuntu", "rhel"]
distros = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
# Different distros may require different packages, or use different aliases for the same package
distro_packages = {
amzn2 = ["nc"]
leap = ["netcat", "openssl"]
rhel = ["nc"]
# When installing Vault RPM packages on a SLES AMI, the openssl package provided
# isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
# "correctly" named one in our package installation before installing Vault.
sles = ["netcat-openbsd", "openssl"]
ubuntu = ["netcat"]
}
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
"amzn2" = var.distro_version_amzn2
"leap" = var.distro_version_leap
"rhel" = var.distro_version_rhel
"sles" = var.distro_version_sles
"ubuntu" = var.distro_version_ubuntu
}
editions = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
packages = ["jq"]
distro_packages = {
ubuntu = ["netcat"]
rhel = ["nc"]
package_manager = {
"amzn2" = "yum"
"leap" = "zypper"
"rhel" = "yum"
"sles" = "zypper"
"ubuntu" = "apt"
}
packages = ["jq"]
sample_attributes = {
aws_region = ["us-east-1", "us-west-2"]
aws_region = ["us-east-1", "us-west-2"]
distro_version_amzn2 = ["2"]
distro_version_leap = ["15.4", "15.5"]
distro_version_rhel = ["8.9", "9.3"]
distro_version_sles = ["v15_sp5_standard"]
distro_version_ubuntu = ["20.04", "22.04"]
}
seals = ["awskms", "pkcs11", "shamir"]
tags = merge({
@@ -42,9 +65,9 @@ globals {
// that use this global might not work as expected with earlier versions. Below 1.8.x is
// not supported in any way.
upgrade_initial_versions = ["1.11.12", "1.12.11", "1.13.11", "1.14.7", "1.15.3"]
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
vault_install_dir = {
bundle = "/opt/vault/bin"
package = "/usr/bin"
}
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
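Review bot: The new comment above the `sles` entry in `distro_packages` has an unbalanced quote (`isn't named "openssl,`) and reads awkwardly; I would replace the three lines with `# The openssl package preinstalled on the SLES AMI is not named "openssl", so rpm` / `# cannot satisfy the Vault RPM's dependency on it. Install the package with the` / `# expected name before installing Vault.`. In `sample_attributes`, `distro_version_sles = ["v15_sp5_standard"]` looks like an AMI-name token rather than a version number like the other distros use; if that is what the SLES AMI lookup keys on, a one-line comment saying so would save the next reader from "correcting" it to `15.5`. `package_manager` and `distro_version` now carry the same five keys as `distros`, which is good; a short comment that the three maps must stay in sync with `distros` would document that invariant.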


@@ -5,7 +5,8 @@ provider "aws" "default" {
region = var.aws_region
}
provider "enos" "rhel" {
# This default SSH user is used in RHEL, Amazon Linux, SUSE, and Leap distros
provider "enos" "ec2_user" {
transport = {
ssh = {
user = "ec2-user"
@@ -14,6 +15,7 @@ provider "enos" "rhel" {
}
}
# This default SSH user is used in the Ubuntu distro
provider "enos" "ubuntu" {
transport = {
ssh = {


@@ -97,7 +97,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -107,7 +107,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -117,7 +117,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -127,7 +127,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -141,7 +141,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -151,7 +151,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -161,7 +161,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -171,7 +171,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
exclude {
@@ -191,6 +191,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -200,6 +201,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -209,6 +211,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -218,6 +221,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -231,6 +235,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -240,6 +245,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -249,6 +255,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -258,6 +265,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}


@@ -97,7 +97,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -107,7 +107,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -117,7 +117,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -127,7 +127,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -141,7 +141,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -151,7 +151,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -161,7 +161,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -171,7 +171,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"]
}
}
@@ -185,6 +185,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -194,6 +195,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -203,6 +205,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -212,6 +215,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -225,6 +229,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -234,6 +239,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -243,6 +249,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}
@@ -252,6 +259,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"]
}
}


@@ -8,6 +8,7 @@ scenario "agent" {
artifact_type = global.artifact_types
backend = global.backends
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -30,24 +31,39 @@ scenario "agent" {
seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
manage_service = matrix.artifact_type == "bundle"
}
step "get_local_metadata" {
@@ -89,9 +105,9 @@ scenario "agent" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -169,9 +185,9 @@ scenario "agent" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +212,13 @@ scenario "agent" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -226,7 +242,7 @@ scenario "agent" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -244,7 +260,7 @@ scenario "agent" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
vault_agent_template_destination = "/tmp/agent_output.txt"
@@ -281,7 +297,7 @@ scenario "agent" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -297,7 +313,7 @@ scenario "agent" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -314,7 +330,7 @@ scenario "agent" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -334,7 +350,7 @@ scenario "agent" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -352,7 +368,7 @@ scenario "agent" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -371,7 +387,7 @@ scenario "agent" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -389,7 +405,7 @@ scenario "agent" {
variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
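Review bot: After the `vault_install_dir` local is dropped from `locals` in the second hunk, the expression `global.vault_install_dir[matrix.artifact_type]` is repeated in every step's `variables` block for the rest of the file (the `install_dir` and `vault_install_dir` lines of each later hunk). Keeping a single `vault_install_dir = global.vault_install_dir[matrix.artifact_type]` entry in `locals` and leaving the steps on `local.vault_install_dir` would have made this a one-line change and matches what the autopilot scenario in this commit does with its `locals`. The new exclude comment `# arm64 AMIs are not offered for Leap 15.4` describes one version, while the exclude below it drops arm64 for every Leap version in the matrix; `# arm64 AMIs are not offered for Leap 15.4, so skip arm64 for all Leap versions` would state the actual effect. The same comment and exclude are added to the autopilot and proxy scenarios.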
}


@@ -34,24 +34,40 @@ scenario "autopilot" {
seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_autopilot_default_max_leases = semverconstraint(matrix.initial_version, ">=1.16.0-0") ? "300000" : ""
}
@@ -159,7 +175,7 @@ scenario "autopilot" {
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_license.license : null
packages = concat(global.packages, global.distro_packages[matrix.distro])
release = {
@@ -191,7 +207,7 @@ scenario "autopilot" {
variables {
vault_hosts = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -211,7 +227,7 @@ scenario "autopilot" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -245,7 +261,7 @@ scenario "autopilot" {
log_level = var.vault_log_level
force_unseal = matrix.seal == "shamir"
initialize_cluster = false
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -274,7 +290,7 @@ scenario "autopilot" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
}
}
@@ -291,7 +307,7 @@ scenario "autopilot" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token
}
@@ -312,7 +328,7 @@ scenario "autopilot" {
variables {
vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_autopilot_upgrade_status = "await-server-removal"
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster.target_hosts
vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token
}
@@ -332,7 +348,7 @@ scenario "autopilot" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts
}
@@ -354,7 +370,7 @@ scenario "autopilot" {
variables {
vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -375,7 +391,7 @@ scenario "autopilot" {
variables {
node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips
vault_instance_count = 6
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -395,7 +411,7 @@ scenario "autopilot" {
variables {
operator_instance = step.get_updated_vault_cluster_ips.leader_public_ip
remove_vault_instances = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instance_count = 3
vault_root_token = step.create_vault_cluster.root_token
}
@@ -434,7 +450,7 @@ scenario "autopilot" {
variables {
vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_autopilot_upgrade_status = "idle"
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -455,7 +471,7 @@ scenario "autopilot" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
}
}
@@ -476,7 +492,7 @@ scenario "autopilot" {
variables {
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -519,7 +535,7 @@ scenario "autopilot" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.create_vault_cluster.root_token
}
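Review bot: The `locals` block in the first hunk keeps `vault_install_dir = global.vault_install_dir[matrix.artifact_type]`, but every step shown in the later hunks replaces `local.vault_install_dir` with the same `global.vault_install_dir[matrix.artifact_type]` expression, so within these hunks the local appears to be defined and never read. Either keep the steps on `local.vault_install_dir` (which would make most of the later hunks unnecessary) or drop the local, unless a step outside the shown hunks still references it. The `install_dir` / `vault_install_dir` lines in the step `variables` blocks are otherwise unchanged in meaning, since the local and the inlined expression evaluate identically.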


@@ -8,6 +8,7 @@ scenario "proxy" {
artifact_type = global.artifact_types
backend = global.backends
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -30,24 +31,40 @@ scenario "proxy" {
seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
step "get_local_metadata" {
@@ -89,9 +106,9 @@ scenario "proxy" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -169,9 +186,9 @@ scenario "proxy" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +213,13 @@ scenario "proxy" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -226,7 +243,7 @@ scenario "proxy" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -243,7 +260,7 @@ scenario "proxy" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -259,7 +276,7 @@ scenario "proxy" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -275,7 +292,7 @@ scenario "proxy" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -292,7 +309,7 @@ scenario "proxy" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -312,7 +329,7 @@ scenario "proxy" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -327,7 +344,7 @@ scenario "proxy" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -343,7 +360,7 @@ scenario "proxy" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -361,7 +378,7 @@ scenario "proxy" {
variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}


@@ -10,6 +10,7 @@ scenario "replication" {
artifact_source = global.artifact_sources
artifact_type = global.artifact_types
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -40,24 +41,40 @@ scenario "replication" {
secondary_seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir[matrix.artifact_type]
}
step "get_local_metadata" {
@@ -99,9 +116,9 @@ scenario "replication" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = (matrix.primary_backend == "raft" && matrix.secondary_backend == "raft") || var.backend_edition == "ce"
skip_step = (matrix.primary_backend == "raft" && matrix.secondary_backend == "raft") || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -255,9 +272,9 @@ scenario "replication" {
variables {
cluster_name = step.create_primary_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_primary_cluster_backend_targets.hosts
@@ -281,14 +298,14 @@ scenario "replication" {
backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = global.backend_tag_key
config_mode = matrix.config_mode
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_primary_cluster_targets.cluster_name
consul_release = matrix.primary_backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -313,9 +330,9 @@ scenario "replication" {
variables {
cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.secondary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_secondary_cluster_backend_targets.hosts
@@ -339,14 +356,14 @@ scenario "replication" {
backend_cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = global.backend_tag_key
config_mode = matrix.config_mode
consul_license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.secondary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_secondary_cluster_targets.cluster_name
consul_release = matrix.secondary_backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -370,7 +387,7 @@ scenario "replication" {
variables {
vault_instances = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -386,7 +403,7 @@ scenario "replication" {
variables {
vault_instances = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -403,7 +420,7 @@ scenario "replication" {
variables {
vault_instances = step.create_primary_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -440,7 +457,7 @@ scenario "replication" {
variables {
vault_hosts = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
}
}
@@ -464,7 +481,7 @@ scenario "replication" {
variables {
vault_hosts = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_secondary_cluster.root_token
}
}
@@ -482,7 +499,7 @@ scenario "replication" {
leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
vault_instances = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
}
}
@@ -502,7 +519,7 @@ scenario "replication" {
variables {
primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
}
}
@@ -517,7 +534,7 @@ scenario "replication" {
variables {
primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
}
}
@@ -533,7 +550,7 @@ scenario "replication" {
variables {
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_secondary_cluster.root_token
wrapping_token = step.generate_secondary_token.secondary_token
}
@@ -556,7 +573,7 @@ scenario "replication" {
variables {
follower_public_ips = step.get_secondary_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : step.create_primary_cluster.recovery_keys_hex
vault_seal_type = matrix.primary_seal == "shamir" ? matrix.primary_seal : matrix.secondary_seal
}
@@ -574,7 +591,7 @@ scenario "replication" {
variables {
vault_instances = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -591,7 +608,7 @@ scenario "replication" {
primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -609,7 +626,7 @@ scenario "replication" {
variables {
node_public_ips = step.get_secondary_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -633,15 +650,15 @@ scenario "replication" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_primary_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.primary_backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
force_unseal = matrix.primary_seal == "shamir"
initialize_cluster = false
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -666,7 +683,7 @@ scenario "replication" {
variables {
vault_instances = step.create_primary_cluster_additional_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -685,7 +702,7 @@ scenario "replication" {
variables {
vault_instances = step.create_primary_cluster_additional_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
}
}
@@ -755,7 +772,7 @@ scenario "replication" {
variables {
timeout = 120 # seconds
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token
vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts
}
@@ -775,7 +792,7 @@ scenario "replication" {
variables {
vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instance_count = step.get_remaining_hosts_replication_data.remaining_hosts_count
vault_root_token = step.create_primary_cluster.root_token
}
@@ -799,7 +816,7 @@ scenario "replication" {
primary_leader_private_ip = step.get_updated_primary_cluster_ips.leader_private_ip
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -874,7 +891,7 @@ scenario "replication" {
}
output "initial_known_primary_cluster_addresses" {
description = "The Vault secondary cluster performance replication status"
description = "The initial known Vault primary cluster addresses"
value = step.verify_performance_replication.known_primary_cluster_addrs
}
@@ -889,7 +906,7 @@ scenario "replication" {
}
output "initial_secondary_replication_data_primaries" {
description = "The Vault secondary cluster primaries connection status"
description = "The Vault secondary cluster primaries connection status"
value = step.verify_performance_replication.secondary_replication_data_primaries
}
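Review bot: The `locals` block keeps `vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir[matrix.artifact_type]` even though every step below now reads `global.vault_install_dir[matrix.artifact_type]` directly, so the local is dead in this scenario while the equivalent local is deleted from the seal_ha and smoke scenarios in the same commit. Keeping it also masks a behaviour change: for `bundle` artifacts the steps no longer honour `var.vault_install_dir`, so an operator override of that variable would be silently ignored while the local still suggests it is used (inferred from the visible lines; confirm against the definition of `global.vault_install_dir`). Either delete the local to match the other scenarios or, if the override is meant to survive, point the steps back at `local.vault_install_dir`. `scenario "replication"` opens before the first hunk and its steps continue between hunks.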


@@ -8,6 +8,7 @@ scenario "seal_ha" {
artifact_type = global.artifact_types
backend = global.backends
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -37,24 +38,46 @@ scenario "seal_ha" {
secondary_seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
primary_seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
secondary_seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
manage_service = matrix.artifact_type == "bundle"
}
step "get_local_metadata" {
@@ -127,9 +150,9 @@ scenario "seal_ha" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -193,9 +216,9 @@ scenario "seal_ha" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -220,13 +243,13 @@ scenario "seal_ha" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -251,7 +274,7 @@ scenario "seal_ha" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -266,7 +289,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -280,7 +303,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -302,7 +325,7 @@ scenario "seal_ha" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -320,7 +343,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -354,7 +377,7 @@ scenario "seal_ha" {
variables {
cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
manage_service = local.manage_service
seal_attributes = step.create_primary_seal_key.attributes
@@ -378,7 +401,7 @@ scenario "seal_ha" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -393,7 +416,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -408,7 +431,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token
}
@@ -426,7 +449,7 @@ scenario "seal_ha" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -441,7 +464,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -455,7 +478,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -474,7 +497,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -491,7 +514,7 @@ scenario "seal_ha" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -509,7 +532,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -525,7 +548,7 @@ scenario "seal_ha" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -541,7 +564,7 @@ scenario "seal_ha" {
variables {
node_public_ips = step.get_updated_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -570,7 +593,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_hosts = step.create_vault_cluster_targets.hosts
seal_type = "multiseal"
}
@@ -607,7 +630,7 @@ scenario "seal_ha" {
variables {
cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
manage_service = local.manage_service
seal_alias = "secondary"
@@ -630,7 +653,7 @@ scenario "seal_ha" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -646,7 +669,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -661,7 +684,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -680,7 +703,7 @@ scenario "seal_ha" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -696,7 +719,7 @@ scenario "seal_ha" {
variables {
node_public_ips = step.get_cluster_ips_after_migration.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -712,7 +735,7 @@ scenario "seal_ha" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_hosts = step.create_vault_cluster_targets.hosts
seal_type = matrix.secondary_seal
}
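Review bot: The new comment `# arm64 AMIs are not offered for Leap 15.4` records a version-specific fact above an exclude keyed only on `distro = ["leap"]` and `arch = ["arm64"]`, so when the Leap version is bumped arm64 coverage stays excluded with nothing prompting a re-check. Suggest making the dependency explicit, e.g. `# arm64 AMIs are not offered for Leap 15.4; re-evaluate this exclude whenever the Leap version changes.` The two softhsm excludes would likewise benefit from a tracking reference in place of "to be added later", since as written there is no way to tell when the amzn2 pkcs11 gap has been closed and the exclusion can be lifted. The same comments are duplicated in the replication and smoke scenarios.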


@@ -8,6 +8,7 @@ scenario "smoke" {
artifact_type = global.artifact_types
backend = global.backends
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -30,24 +31,39 @@ scenario "smoke" {
seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
manage_service = matrix.artifact_type == "bundle"
}
step "get_local_metadata" {
@@ -89,9 +105,9 @@ scenario "smoke" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -169,9 +185,9 @@ scenario "smoke" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +212,13 @@ scenario "smoke" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -226,7 +242,7 @@ scenario "smoke" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -241,7 +257,7 @@ scenario "smoke" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -256,7 +272,7 @@ scenario "smoke" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token
}
@@ -274,7 +290,7 @@ scenario "smoke" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -289,7 +305,7 @@ scenario "smoke" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -305,7 +321,7 @@ scenario "smoke" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -322,7 +338,7 @@ scenario "smoke" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -342,7 +358,7 @@ scenario "smoke" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -360,7 +376,7 @@ scenario "smoke" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -379,7 +395,7 @@ scenario "smoke" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -397,7 +413,7 @@ scenario "smoke" {
variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}


@@ -3,8 +3,9 @@
scenario "ui" {
matrix {
backend = global.backends
edition = ["ce", "ent"]
backend = global.backends
consul_edition = global.consul_editions
edition = ["ce", "ent"]
}
terraform_cli = terraform_cli.default
@@ -23,7 +24,7 @@ scenario "ui" {
"ce" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
}
bundle_path = abspath(var.vault_artifact_path)
artifact_path = abspath(var.vault_artifact_path)
distro = "ubuntu"
consul_version = "1.17.0"
seal = "awskms"
@@ -32,10 +33,6 @@ scenario "ui" {
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = var.vault_install_dir
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
@@ -47,7 +44,7 @@ scenario "ui" {
variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition]
bundle_path = local.bundle_path
artifact_path = local.artifact_path
goarch = local.arch
goos = "linux"
product_version = var.vault_product_version
@@ -78,9 +75,9 @@ scenario "ui" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -106,10 +103,10 @@ scenario "ui" {
}
variables {
ami_id = step.ec2_info.ami_ids[local.arch][local.distro][var.ubuntu_distro_version]
ami_id = step.ec2_info.ami_ids[local.arch][local.distro][var.distro_version_ubuntu]
cluster_tag_key = local.vault_tag_key
common_tags = local.tags
seal_names = step.create_seal_key.resource_names
seal_key_names = step.create_seal_key.resource_names
vpc_id = step.create_vpc.id
}
}
@@ -126,7 +123,7 @@ scenario "ui" {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
cluster_tag_key = local.backend_tag_key
common_tags = local.tags
seal_names = step.create_seal_key.resource_names
seal_key_names = step.create_seal_key.resource_names
vpc_id = step.create_vpc.id
}
}
@@ -144,9 +141,9 @@ scenario "ui" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = local.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -169,15 +166,15 @@ scenario "ui" {
backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = local.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path
local_artifact_path = local.artifact_path
packages = global.distro_packages["ubuntu"]
seal_name = step.create_seal_key.resource_name
seal_type = local.seal
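Review bot: The backend target AMI is still pinned to `step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]` while the Vault targets in the same scenario now resolve `var.distro_version_ubuntu`, so setting that variable to 20.04 silently runs the two halves of the cluster on different OS releases. If the pin is deliberate (Consul backend on a fixed image), a one-line comment above it saying so would stop the next reader from "fixing" it; otherwise `ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"][var.distro_version_ubuntu]` keeps both lookups in step. Separately, `vault_install_dir = var.vault_install_dir` survives here after `vault_install_dir_packages` was dropped, whereas the smoke and upgrade scenarios switched to `global.vault_install_dir[matrix.artifact_type]`; that is only safe while the ui scenario builds bundles exclusively, and a comment stating that assumption would help. The `create_vault_cluster` step block continues outside the hunk.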


@@ -8,6 +8,7 @@ scenario "upgrade" {
artifact_type = global.artifact_types
backend = global.backends
config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
@@ -43,24 +44,39 @@ scenario "upgrade" {
seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"]
}
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
}
terraform_cli = terraform_cli.default
terraform = terraform.default
providers = [
provider.aws.default,
provider.enos.ubuntu,
provider.enos.rhel
provider.enos.ec2_user,
provider.enos.ubuntu
]
locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = {
rhel = provider.enos.rhel
amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
manage_service = matrix.artifact_type == "bundle"
}
step "get_local_metadata" {
@@ -103,9 +119,9 @@ scenario "upgrade" {
}
// This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent".
// an "ent" Consul edition.
step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce"
skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license
variables {
@@ -183,9 +199,9 @@ scenario "upgrade" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -209,13 +225,13 @@ scenario "upgrade" {
backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition
edition = matrix.consul_edition
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null
packages = concat(global.packages, global.distro_packages[matrix.distro])
release = {
@@ -239,7 +255,7 @@ scenario "upgrade" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -259,7 +275,7 @@ scenario "upgrade" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -282,7 +298,7 @@ scenario "upgrade" {
vault_instances = step.create_vault_cluster_targets.hosts
vault_local_artifact_path = local.artifact_path
vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
vault_seal_type = matrix.seal
}
@@ -303,7 +319,7 @@ scenario "upgrade" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -318,7 +334,7 @@ scenario "upgrade" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -333,7 +349,7 @@ scenario "upgrade" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token
}
@@ -351,7 +367,7 @@ scenario "upgrade" {
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -368,7 +384,7 @@ scenario "upgrade" {
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -386,7 +402,7 @@ scenario "upgrade" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -406,7 +422,7 @@ scenario "upgrade" {
variables {
vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -424,7 +440,7 @@ scenario "upgrade" {
variables {
node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -440,7 +456,7 @@ scenario "upgrade" {
}
variables {
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
@@ -458,7 +474,7 @@ scenario "upgrade" {
variables {
vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
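Review bot: The new exclude comment `# arm64 AMIs are not offered for Leap 15.4` undersells what the exclusion guards: in this commit's ec2_info module Leap is published only under the `amd64` key and both the 15.4 and 15.5 data sources filter to `x86_64`, so dropping the exclude for 15.5 would fail the `ami_ids["arm64"]["leap"]` lookup rather than merely miss an AMI. I would reword it to `# Leap AMIs are only looked up for x86_64 in modules/ec2_info (15.4 has no arm64 AMI and 15.5 is restricted to match), so exclude arm64 for every Leap version`. The `matrix` block this exclude belongs to starts outside the hunk.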


@@ -75,10 +75,34 @@ variable "project_name" {
default = "vault-enos-integration"
}
variable "rhel_distro_version" {
variable "distro_version_amzn2" {
description = "The version of Amazon Linux 2 to use"
type = string
default = "2"
}
variable "distro_version_leap" {
description = "The version of openSUSE leap to use"
type = string
default = "15.5" // or "15.4"
}
variable "distro_version_rhel" {
description = "The version of RHEL to use"
type = string
default = "9.1" // or "8.8"
default = "9.3" // or "8.9"
}
variable "distro_version_sles" {
description = "The version of SUSE SLES to use"
type = string
default = "v15_sp5_standard"
}
variable "distro_version_ubuntu" {
description = "The version of ubuntu to use"
type = string
default = "22.04" // or "20.04"
}
variable "tags" {
@@ -93,12 +117,6 @@ variable "terraform_plugin_cache_dir" {
default = null
}
variable "ubuntu_distro_version" {
description = "The version of ubuntu to use"
type = string
default = "22.04" // or "20.04", "18.04"
}
variable "ui_test_filter" {
type = string
description = "A test filter to limit the ui tests to execute. Will be appended to the ember test command as '-f=\"<filter>\"'"
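Review bot: None of the new `distro_version_*` variables constrain their value to the versions ec2_info actually publishes, so a typo such as `distro_version_leap = "15.6"` only surfaces later as a missing map key in `step.ec2_info.ami_ids[...]` instead of at variable validation. A `validation` block per variable with `condition = contains(["15.4", "15.5"], var.distro_version_leap)` (and likewise `["8.9", "9.3"]`, `["2"]`, `["v15_sp5_standard"]`, `["18.04", "20.04", "22.04"]`) would fail fast with a readable message. Separately, `distro_version_sles` defaults to `"v15_sp5_standard"`, which is an AMI-name token rather than a version and does not match the `"15.5"` key the install_packages module uses for SLES repos; saying in the description that this value selects the AMI and is not the OS version string would avoid confusion.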


@@ -23,9 +23,6 @@
# aws_ssh_private_key_path is the path to the AWS keypair private key
# aws_ssh_private_key_path = "./support/private_key.pem"
# backend_edition is the backend (consul) release edition if applicable to the scenario.
# backend_edition = "ce"
# backend_license_path is the license for the backend if applicable (Consul Enterprise)".
# backend_license_path = "./support/consul.hclic"
@@ -40,8 +37,20 @@
# resources.
# project_name = "vault-enos-integration"
# rhel_distro_version is the version of RHEL to use for "distro:rhel" variants.
# rhel_distro_version = "9.1" // or "8.8"
# distro_version_amzn2 is the version of Amazon Linux 2 to use for "distro:amzn2" variants
# distro_version_amzn2 = "2"
# distro_version_leap is the version of openSUSE Leap to use for "distro:leap" variants
# distro_version_leap = "15.5" // or "15.4"
# distro_version_rhel is the version of RHEL to use for "distro:rhel" variants.
# distro_version_rhel = "9.3" // or "8.9"
# distro_version_sles is the version of SUSE SLES to use for "distro:sles" variants.
# distro_version_sles = "v15_sp5_standard"
# distro_version_ubuntu is the version of ubuntu to use for "distro:ubuntu" variants
# distro_version_ubuntu = "22.04" // or "20.04", "18.04"
# tags are a map of tags that will be applied to infrastructure resources that
# support tagging.
@@ -59,9 +68,6 @@
# cluster will be created but no tests will be run.
# ui_run_tests = true
# ubuntu_distro_version is the version of ubuntu to use for "distro:ubuntu" variants
# ubuntu_distro_version = "22.04" // or "20.04", "18.04"
# vault_artifact_path is the path to CRT generated or local vault.zip bundle. When
# using the "builder:local" variant a bundle will be built from the current branch.
# In CI it will use the output of the build workflow.


@@ -6,12 +6,18 @@ locals {
// file name extensions for the install packages of vault for the various architectures, distributions and editions
package_extensions = {
amd64 = {
ubuntu = "-1_amd64.deb"
amzn2 = "-1.x86_64.rpm"
leap = "-1.x86_64.rpm"
rhel = "-1.x86_64.rpm"
sles = "-1.x86_64.rpm"
ubuntu = "-1_amd64.deb"
}
arm64 = {
ubuntu = "-1_arm64.deb"
amzn2 = "-1.aarch64.rpm"
leap = "-1.aarch64.rpm"
rhel = "-1.aarch64.rpm"
sles = "-1.aarch64.rpm"
ubuntu = "-1_arm64.deb"
}
}
@@ -20,12 +26,19 @@ locals {
// file name prefixes for the install packages of vault for the various distributions and artifact types (package or bundle)
artifact_package_release_names = {
ubuntu = {
"ce" = "vault_"
"ent" = "vault-enterprise_",
"ent.fips1402" = "vault-enterprise-fips1402_",
"ent.hsm" = "vault-enterprise-hsm_",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402_",
amzn2 = {
"ce" = "vault-"
"ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
},
leap = {
"ce" = "vault-"
"ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
},
rhel = {
"ce" = "vault-"
@@ -33,19 +46,27 @@ locals {
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
},
sles = {
"ce" = "vault-"
"ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
}
ubuntu = {
"ce" = "vault_"
"ent" = "vault-enterprise_",
"ent.fips1402" = "vault-enterprise-fips1402_",
"ent.hsm" = "vault-enterprise-hsm_",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402_",
}
}
// edition --> artifact name edition
artifact_name_edition = {
"ce" = ""
"ent" = ""
"ent.hsm" = ".hsm"
"ent.fips1402" = ".fips1402"
"ent.hsm.fips1402" = ".hsm.fips1402"
}
artifact_name_prefix = var.artifact_type == "package" ? local.artifact_package_release_names[var.distro][var.edition] : "vault_"
# Prefix for the artifact name. Ex: vault_, vault-, vault-enterprise_, vault-enterprise-hsm-fips1402-, etc
artifact_name_prefix = var.artifact_type == "package" ? local.artifact_package_release_names[var.distro][var.edition] : "vault_"
# Suffix and extension for the artifact name. Ex: _linux_<arch>.zip,
artifact_name_extension = var.artifact_type == "package" ? local.package_extensions[var.arch][var.distro] : "_linux_${var.arch}.zip"
artifact_name = var.artifact_type == "package" ? "${local.artifact_name_prefix}${replace(local.artifact_version, "-", "~")}${local.artifact_name_extension}" : "${local.artifact_name_prefix}${var.product_version}${local.artifact_name_extension}"
# Combine prefix/suffix/extension together to form the artifact name
artifact_name = var.artifact_type == "package" ? "${local.artifact_name_prefix}${replace(local.artifact_version, "-", "~")}${local.artifact_name_extension}" : "${local.artifact_name_prefix}${var.product_version}${local.artifact_name_extension}"
}
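Review bot: The four rpm entries in `artifact_package_release_names` (amzn2, leap, rhel, sles) are byte-identical copies, so the next edition added has to be typed in four places and a typo in one silently breaks only that distro. A single `rpm_release_names` local holding the `"ce" = "vault-"` ... map, assigned per distro as `amzn2 = local.rpm_release_names` (and the same for leap, rhel and sles), keeps the table in one place while the lookup `local.artifact_package_release_names[var.distro][var.edition]` stays unchanged. The `locals` block starts outside the hunk.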


@@ -0,0 +1,30 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}
variable "hosts" {
type = map(object({
private_ip = string
public_ip = string
}))
description = "The hosts to install packages on"
}
resource "enos_remote_exec" "make_selinux_permissive" {
for_each = var.hosts
scripts = [abspath("${path.module}/scripts/make-selinux-permissive.sh")]
transport = {
ssh = {
host = each.value.public_ip
}
}
}
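Review bot: The module header says nothing about what it does to the host or why, yet every consumer in this commit enables it by default, so all RHEL and Amazon Linux targets end up with SELinux in permissive mode for the whole run and no scenario exercises Vault under the enforcing policy those distros ship. A comment above `resource "enos_remote_exec" "make_selinux_permissive"` such as `# Runs setenforce 0 on each host (runtime only; hosts without getenforce are skipped). This hides SELinux denials from the test run, so only enable it for scenarios known to need it.` would make the trade-off explicit; the specific denial that motivated it is not visible here and should be named if known. The module name `disable_selinux` also overstates what the script does: the mode becomes permissive, not disabled, and nothing is persisted to `/etc/selinux/config`.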


@@ -0,0 +1,18 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
if ! type getenforce &> /dev/null; then
exit 0
fi
if sudo getenforce | grep Enforcing; then
sudo setenforce 0
fi
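Review bot: `fail` is defined but never used, and `sudo getenforce | grep Enforcing` prints the mode to stdout as a side effect of the test; `if [[ "$(sudo getenforce)" == "Enforcing" ]]; then sudo setenforce 0 || fail "could not set SELinux to permissive"; fi` makes the comparison exact and reports the failure instead of relying on `set -e` to abort silently. It is also worth a comment that `setenforce 0` is runtime-only: if any scenario reboots a host (not visible from here), enforcement comes back and `/etc/selinux/config` would need editing as well.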


@@ -1,27 +1,50 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
# Note: in order to use the openSUSE Leap AMIs, the AWS account in use must "subscribe"
# and accept SUSE's terms of use. You can do this at the links below. If the AWS account
# you are using is already subscribed, this confirmation will be displayed on each page.
# openSUSE Leap arm64 subscription: https://aws.amazon.com/marketplace/server/procurement?productId=a516e959-df54-4035-bb1a-63599b7a6df9
# openSUSE leap amd64 subscription: https://aws.amazon.com/marketplace/server/procurement?productId=5535c495-72d4-4355-b169-54ffa874f849
locals {
architectures = toset(["arm64", "x86_64"])
amzn2_owner_id = "591542846629"
canonical_owner_id = "099720109477"
sles_owner_id = "013907871322"
suse_owner_id = "679593333241"
rhel_owner_id = "309956199498"
ids = {
"arm64" = {
"amzn2" = {
"2" = data.aws_ami.amzn2["arm64"].id
}
"rhel" = {
"8.8" = data.aws_ami.rhel_88["arm64"].id
"9.1" = data.aws_ami.rhel_91["arm64"].id
"8.9" = data.aws_ami.rhel_89["arm64"].id
"9.3" = data.aws_ami.rhel_93["arm64"].id
}
"sles" = {
"v15_sp5_standard" = data.aws_ami.sles_15_sp5_standard["arm64"].id
}
"ubuntu" = {
"18.04" = data.aws_ami.ubuntu_1804["arm64"].id
"20.04" = data.aws_ami.ubuntu_2004["arm64"].id
"22.04" = data.aws_ami.ubuntu_2204["arm64"].id
}
}
"amd64" = {
"amzn2" = {
"2" = data.aws_ami.amzn2["x86_64"].id
}
"leap" = {
"15.4" = data.aws_ami.leap_154.id
"15.5" = data.aws_ami.leap_155.id
}
"rhel" = {
"7.9" = data.aws_ami.rhel_79.id
"8.8" = data.aws_ami.rhel_88["x86_64"].id
"9.1" = data.aws_ami.rhel_91["x86_64"].id
"8.9" = data.aws_ami.rhel_89["x86_64"].id
"9.3" = data.aws_ami.rhel_93["x86_64"].id
}
"sles" = {
"v15_sp5_standard" = data.aws_ami.sles_15_sp5_standard["x86_64"].id
}
"ubuntu" = {
"18.04" = data.aws_ami.ubuntu_1804["x86_64"].id
@@ -98,13 +121,14 @@ data "aws_ami" "ubuntu_2204" {
owners = [local.canonical_owner_id]
}
data "aws_ami" "rhel_79" {
data "aws_ami" "rhel_89" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-7.9*HVM-20*"]
values = ["RHEL-8.9*HVM-20*"]
}
filter {
@@ -114,56 +138,105 @@ data "aws_ami" "rhel_79" {
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
}
data "aws_ami" "rhel_93" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-9.3*HVM-20*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
}
data "aws_ami" "amzn2" {
most_recent = true
for_each = local.architectures
filter {
name = "name"
values = ["amzn2-ami-ecs-hvm-2.0*"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.amzn2_owner_id]
}
data "aws_ami" "sles_15_sp5_standard" {
most_recent = true
for_each = local.architectures
filter {
name = "name"
values = ["suse-sles-15-sp5-v*-hvm-*"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.sles_owner_id]
}
data "aws_ami" "leap_154" {
most_recent = true
filter {
name = "name"
values = ["openSUSE-Leap-15.4*"]
}
filter {
name = "architecture"
# Note: arm64 AMIs are offered for Leap 15.5, but not 15.4. For now we will
# only use x86_64 for both in order to not introduce complexity in our matrix
# exclusions.
values = ["x86_64"]
}
owners = [local.rhel_owner_id]
owners = [local.suse_owner_id]
}
data "aws_ami" "rhel_88" {
data "aws_ami" "leap_155" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-8.8*HVM-20*"]
values = ["openSUSE-Leap-15.5*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
name = "architecture"
# Note: arm64 AMIs are offered for Leap 15.5, but not 15.4. For now we will
# only use x86_64 for both in order to not introduce complexity in our matrix
# exclusions.
values = ["x86_64"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
}
data "aws_ami" "rhel_91" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-9.1*HVM-20*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
owners = [local.suse_owner_id]
}
data "aws_region" "current" {}
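Review bot: The Amazon Linux filter `amzn2-ami-ecs-hvm-2.0*` selects the ECS-optimized image (ECS agent and Docker preinstalled) rather than the base Amazon Linux 2 image the `distro_version_amzn2` description suggests, which gives the test hosts extra running services and a different package baseline from a plain AL2 Vault host. If the ECS image is intentional, a comment above the filter should say so; otherwise `values = ["amzn2-ami-hvm-2.0*"]` with the same owner ID selects the base image. Pinning `owners` on every data source alongside `most_recent = true` is the right control here and must be kept for any AMI added later, since a name filter alone can be matched by anyone's public AMI. Minor: the comment `# Currently latest latest point release-1` on the RHEL data sources repeats "latest".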


@@ -9,6 +9,32 @@ terraform {
}
}
locals {
arch = {
"amd64" = "x86_64"
"arm64" = "aarch64"
}
package_manager = {
# Note: though we generally use "amzn2" as our distro name for Amazon Linux 2,
# enos_host_info.hosts[each.key].distro returns "amzn", so that is what we reference here.
"amzn" = "yum"
"opensuse-leap" = "zypper"
"rhel" = "yum"
"sles" = "zypper"
"ubuntu" = "apt"
}
distro_repos = {
# Currently sles is the only distro that requires setting up repos before installing packages
"sles" = {
"15.5" = "https://download.opensuse.org/repositories/network:utilities/SLE_15_SP5/network:utilities.repo"
}
"rhel" = {
"8.9" = "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm"
"9.3" = "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
}
}
}
variable "packages" {
type = list(string)
default = []
@@ -34,10 +60,43 @@ variable "retry_interval" {
default = 2
}
resource "enos_remote_exec" "install_packages" {
resource "enos_host_info" "hosts" {
for_each = var.hosts
transport = {
ssh = {
host = each.value.public_ip
}
}
}
# Set up repos for each distro (in order to install some packages, some distros
# require us to manually add the repo for that package first)
resource "enos_remote_exec" "distro_repo_setup" {
for_each = var.hosts
environment = {
DISTRO = enos_host_info.hosts[each.key].distro
DISTRO_REPOS = try(local.distro_repos[enos_host_info.hosts[each.key].distro][enos_host_info.hosts[each.key].distro_version], "__none")
RETRY_INTERVAL = var.retry_interval
TIMEOUT_SECONDS = var.timeout
}
scripts = [abspath("${path.module}/scripts/distro-repo-setup.sh")]
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_remote_exec" "install_packages" {
for_each = var.hosts
depends_on = [enos_remote_exec.distro_repo_setup]
environment = {
PACKAGE_MANAGER = local.package_manager[enos_host_info.hosts[each.key].distro]
PACKAGES = length(var.packages) >= 1 ? join(" ", var.packages) : "__skip"
RETRY_INTERVAL = var.retry_interval
TIMEOUT_SECONDS = var.timeout
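Review bot: The RHEL entries in `distro_repos` are consumed by `dnf install -y "${repo}"` in distro-repo-setup.sh, and dnf does not GPG-verify a package given as a URL or local path unless `localpkg_gpgcheck` is enabled, so the EPEL bootstrap rpm is trusted on the strength of TLS to dl.fedoraproject.org alone. Importing the EPEL signing key first and installing with `--setopt=localpkg_gpgcheck=1` closes that gap; the SLES OBS `network:utilities` repo has the same exposure via `--gpg-auto-import-keys` in install-packages.sh. The `"__none"` sentinel produced by `try(...)` is also never checked by the script (it tests `${#DISTRO_REPOS[@]}`, which is 1 for any scalar), so a RHEL or SLES host whose `distro_version` is missing from this map would try to install `__none`; a comment here documenting the sentinel plus a check for it in the script would fix that. The `enos_host_info` distro and version strings assumed by these keys (`amzn`, `9.3`, `15.5`) are presumably what the provider reports — worth confirming for SLES in particular.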


@@ -0,0 +1,57 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$DISTRO" ]] && fail "DISTRO env variable has not been set"
[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
setup_repos() {
# If we don't have any repos on the list for this distro, no action needed.
if [ ${#DISTRO_REPOS[@]} -lt 1 ]; then
echo "DISTRO_REPOS is empty; No repos required for the packages for this Linux distro."
return 0
fi
# Wait for cloud-init to finish so it doesn't race with any of our package installations.
# Note: Amazon Linux 2 throws Python 2.7 errors when running `cloud-init status` as
# non-root user (known bug).
sudo cloud-init status --wait
case $DISTRO in
"sles")
for repo in ${DISTRO_REPOS}; do
sudo zypper addrepo "${repo}"
done
;;
"rhel")
for repo in ${DISTRO_REPOS}; do
sudo rm -r /var/cache/dnf
sudo dnf install -y "${repo}"
sudo dnf update -y --refresh
done
;;
*)
return
;;
esac
}
begin_time=$(date +%s)
end_time=$((begin_time + TIMEOUT_SECONDS))
while [ "$(date +%s)" -lt "$end_time" ]; do
if setup_repos; then
exit 0
fi
sleep "$RETRY_INTERVAL"
done
fail "Timed out waiting for distro repos to install"
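Review bot: The empty-repos guard `[ ${#DISTRO_REPOS[@]} -lt 1 ]` never fires, because the variable arrives as a scalar string (main.tf sends `"__none"` when nothing is mapped) and `${#var[@]}` on a scalar is 1, so a RHEL or SLES host whose version is not in `distro_repos` would run `dnf install -y __none` / `zypper addrepo __none` and retry until TIMEOUT_SECONDS. `if [[ -z "${DISTRO_REPOS}" || "${DISTRO_REPOS}" == "__none" ]]; then` handles both the sentinel and an unset value. Because `setup_repos` is called in an `if`, `set -e` is suspended inside it and only the status of the last command in the `case` arm is returned: a failed `dnf install -y "${repo}"` is masked by a succeeding `dnf update -y --refresh`, and a failed `zypper addrepo` for the first of several repos by the last, so each command needs `|| return 1`, and `rm -r /var/cache/dnf` should be `rm -rf` so a missing cache does not abort the arm. A retry after a partial success will presumably also hit "repository already exists" from `zypper addrepo`, so an existing-repo check before `addrepo` is needed for the retry loop to be useful.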


@@ -9,41 +9,75 @@ fail() {
exit 1
}
[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
[[ -z "$PACKAGES" ]] && fail "PACKAGES env variable has not been set"
[[ -z "${RETRY_INTERVAL}" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "${TIMEOUT_SECONDS}" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
[[ -z "${PACKAGES}" ]] && fail "PACKAGES env variable has not been set"
[[ -z "${PACKAGE_MANAGER}" ]] && fail "PACKAGE_MANAGER env variable has not been set"
install_packages() {
if [ "$PACKAGES" = "__skip" ]; then
if [[ "${PACKAGES}" = "__skip" ]]; then
return 0
fi
fi
echo "Installing Dependencies: $PACKAGES"
if [ -f /etc/debian_version ]; then
# Do our best to make sure that we don't race with cloud-init. Wait a reasonable time until we
# see ec2 in the sources list. Very rarely cloud-init will take longer than we wait. In that case
# we'll just install our packages.
grep ec2 /etc/apt/sources.list || true
set -x
echo "Installing Dependencies: ${PACKAGES}"
cd /tmp
sudo apt update
# shellcheck disable=2068
sudo apt install -y ${PACKAGES[@]}
else
cd /tmp
# shellcheck disable=2068
sudo yum -y install ${PACKAGES[@]}
fi
# Use the default package manager of the current Linux distro to install packages
case $PACKAGE_MANAGER in
"apt")
sudo apt update
for package in ${PACKAGES}; do
if dpkg -s "${package}"; then
continue
else
echo "Installing ${package}"
sudo apt install -y "${package}"
fi
done
;;
"yum")
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
continue
else
echo "Installing ${package}"
sudo yum -y install "${package}"
fi
done
;;
"zypper")
cd /tmp
sudo zypper --gpg-auto-import-keys ref
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
continue
else
echo "Installing ${package}"
sudo zypper --non-interactive install "${package}"
date
fi
sudo zypper search -i
done
;;
*)
fail "No matching package manager provided."
;;
esac
}
begin_time=$(date +%s)
end_time=$((begin_time + TIMEOUT_SECONDS))
while [ "$(date +%s)" -lt "$end_time" ]; do
while [[ "$(date +%s)" -lt "${end_time}" ]]; do
if install_packages; then
exit 0
fi
sleep "$RETRY_INTERVAL"
sleep "${RETRY_INTERVAL}"
done
fail "Timed out waiting for packages to install"
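Review bot: `sudo zypper --gpg-auto-import-keys ref` imports whatever signing key each repo presents with no fingerprint check, and with the openSUSE OBS `network:utilities` repo added in distro-repo-setup.sh that means every package pulled from it is trusted on the strength of the TLS connection to the mirror alone. Importing that repo's key explicitly with `rpm --import` and checking its fingerprint before a plain `zypper ref` keeps the trust decision in this repo instead of in whatever the mirror serves. `date` after the zypper install and `sudo zypper search -i` on every loop iteration look like leftover debugging and dump the full installed-package list once per package; drop them, and `cd /tmp` is only needed if something writes to the working directory. The apt branch also lost the old best-effort cloud-init wait; that is fine only because `distro_repo_setup` (which runs `cloud-init status --wait`) is a `depends_on` of this resource, which deserves a comment here so the dependency is not removed later.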


@@ -22,11 +22,12 @@ variable "hosts" {
}
locals {
pin = resource.random_string.pin.result
aes_label = "vault_hsm_aes_${local.pin}"
hmac_label = "vault_hsm_hmac_${local.pin}"
target = tomap({ "1" = var.hosts[0] })
token = "${var.cluster_id}_${local.pin}"
pin = resource.random_string.pin.result
aes_label = "vault_hsm_aes_${local.pin}"
hmac_label = "vault_hsm_hmac_${local.pin}"
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
target = tomap({ "1" = var.hosts[0] })
token = "${var.cluster_id}_${local.pin}"
}
resource "random_string" "pin" {
@@ -95,10 +96,6 @@ resource "enos_remote_exec" "get_keys" {
}
}
locals {
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
}
output "seal_attributes" {
description = "Seal device specific attributes. Contains all required keys for the seal stanza"
value = local.seal_attributes


@@ -52,7 +52,9 @@ locals {
// keys on a machines that have different shared object locations.
merge(
try({ for key, val in var.seal_attributes : key => val if key != "token_base64" && key != "token_dir" }, {}),
try({ lib = module.maybe_configure_hsm.lib }, {})
# Note: the below reference has to point to a specific instance of the maybe_configure_hsm
# module (in this case [0]) due to the maybe_configure_hsm module call using `count` to control whether it runs or not.
try({ lib = module.maybe_configure_hsm[0].lib }, {})
),
)
}
@@ -81,7 +83,9 @@ locals {
},
merge(
try({ for key, val in var.seal_attributes_secondary : key => val if key != "token_base64" && key != "token_dir" }, {}),
try({ lib = module.maybe_configure_hsm_secondary.lib }, {})
# Note: the below reference has to point to a specific instance of the maybe_configure_hsm_secondary
# module (in this case [0]) due to the maybe_configure_hsm_secondary module call using `count` to control whether it runs or not.
try({ lib = module.maybe_configure_hsm_secondary[0].lib }, {})
),
)
}
@@ -135,6 +139,7 @@ locals {
# the key data that was passed in via seal attributes.
module "maybe_configure_hsm" {
source = "../softhsm_distribute_vault_keys"
count = (var.seal_type == "pkcs11" || var.seal_type_secondary == "pkcs11") ? 1 : 0
hosts = var.target_hosts
token_base64 = local.token_base64
@@ -143,6 +148,7 @@ module "maybe_configure_hsm" {
module "maybe_configure_hsm_secondary" {
source = "../softhsm_distribute_vault_keys"
depends_on = [module.maybe_configure_hsm]
count = (var.seal_type == "pkcs11" || var.seal_type_secondary == "pkcs11") ? 1 : 0
hosts = var.target_hosts
token_base64 = local.token_base64_secondary
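Review bot: Both module calls now gate on the identical expression `count = (var.seal_type == "pkcs11" || var.seal_type_secondary == "pkcs11") ? 1 : 0`, so when only one of the two seals is PKCS#11 the other module still runs and distributes that side's token material to every target host even though no seal stanza will reference it. If `local.token_base64` / `local.token_base64_secondary` (defined outside these hunks) are null for non-pkcs11 seal types, that unneeded run either fails or copies nothing useful, and in the best case it still puts HSM key material on hosts that do not need it. Gating each call on its own seal type, `count = var.seal_type == "pkcs11" ? 1 : 0` for `maybe_configure_hsm` and `count = var.seal_type_secondary == "pkcs11" ? 1 : 0` for `maybe_configure_hsm_secondary`, keeps the `try({ lib = module.maybe_configure_hsm[0].lib }, {})` fallbacks in the two `locals` blocks working as they already do and limits key distribution to the seal that uses it. The `locals` blocks and both module bodies continue outside the hunks.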


@@ -335,4 +335,5 @@ data "aws_instance" "targets" {
for_each = local.instances
instance_id = aws_ec2_fleet.targets.fleet_instance_set[0].instance_ids[each.key]
}


@@ -26,6 +26,12 @@ variable "common_tags" {
}
}
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_mem_min" {
description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)"
type = number
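Review bot: The new `disable_selinux` variable defaults to `true` and nothing in this module gates it on a distro or version, so the description `"Optionally disable SELinux for certain distros/versions"` overstates what actually happens: every target host this module builds gets SELinux disabled unless the caller opts out. That means scenarios on RHEL and Amazon Linux, which ship enforcing, never exercise Vault, its systemd unit or the softhsm library paths under an enforcing policy, and an SELinux regression would not be caught by this matrix. I would default to `false` and have only the scenarios that need it pass `disable_selinux = true`, or at minimum make the description honest, e.g. `description = "Disable SELinux on every target host (not distro or version specific). Defaults to true, so no scenario runs under an enforcing policy unless this is set to false."`. The `instance_mem_min` variable block continues outside the hunk.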


@@ -257,3 +257,13 @@ resource "aws_instance" "targets" {
},
)
}
module "disable_selinux" {
source = "../disable_selinux"
count = var.disable_selinux == true ? 1 : 0
hosts = { for idx in range(var.instance_count) : idx => {
public_ip = aws_instance.targets[idx].public_ip
private_ip = aws_instance.targets[idx].private_ip
} }
}


@@ -24,6 +24,12 @@ variable "common_tags" {
default = { "Project" : "vault-ci" }
}
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_count" {
description = "The number of target instances to create"
type = number


@@ -16,6 +16,7 @@ variable "ami_id" { default = null }
variable "cluster_name" { default = null }
variable "cluster_tag_key" { default = null }
variable "common_tags" { default = null }
variable "disable_selinux" { default = true }
variable "instance_count" { default = 3 }
variable "instance_cpu_max" { default = null }
variable "instance_cpu_min" { default = null }


@@ -454,3 +454,13 @@ data "aws_instance" "targets" {
instance_id = data.aws_instances.targets.ids[each.key]
}
module "disable_selinux" {
source = "../disable_selinux"
count = var.disable_selinux == true ? 1 : 0
hosts = { for idx in range(var.instance_count) : idx => {
public_ip = aws_instance.targets[idx].public_ip
private_ip = aws_instance.targets[idx].private_ip
} }
}


@@ -26,6 +26,12 @@ variable "common_tags" {
}
}
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_mem_min" {
description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)"
type = number


@@ -37,6 +37,13 @@ locals {
"pkcs11" = null
}
leader = toset(slice(local.instances, 0, 1))
netcat_command = {
amzn = "nc"
opensuse-leap = "netcat"
rhel = "nc"
sles = "nc"
ubuntu = "netcat"
}
recovery_shares = {
"awskms" = 5
"shamir" = null
@@ -50,6 +57,16 @@ locals {
vault_service_user = "vault"
}
resource "enos_host_info" "hosts" {
for_each = var.target_hosts
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_bundle_install" "consul" {
for_each = {
for idx, host in var.target_hosts : idx => var.target_hosts[idx]
@@ -66,8 +83,21 @@ resource "enos_bundle_install" "consul" {
}
}
# We run install_packages before we install Vault because for some combinations of
# certain Linux distros and artifact types (e.g. SLES and RPM packages), there may
# be packages that are required to perform Vault installation (e.g. openssl).
module "install_packages" {
source = "../install_packages"
hosts = var.target_hosts
packages = var.packages
}
resource "enos_bundle_install" "vault" {
for_each = var.target_hosts
depends_on = [
module.install_packages, // Don't race for the package manager locks with install_packages
]
destination = var.install_dir
release = var.release == null ? var.release : merge({ product = "vault" }, var.release)
@@ -81,22 +111,17 @@ resource "enos_bundle_install" "vault" {
}
}
module "install_packages" {
source = "../install_packages"
depends_on = [
enos_bundle_install.vault, // Don't race for the package manager locks with vault install
]
hosts = var.target_hosts
packages = var.packages
}
resource "enos_consul_start" "consul" {
for_each = enos_bundle_install.consul
bin_path = local.consul_bin_path
data_dir = var.consul_data_dir
config = {
# GetPrivateInterfaces is a go-sockaddr template that helps Consul get the correct
# addr in all of our default cases. This is required in the case of Amazon Linux,
# because amzn2 has a default docker listener that will make Consul try to use the
# incorrect addr.
bind_addr = "{{ GetPrivateInterfaces | include \"type\" \"IP\" | sort \"default\" | limit 1 | attr \"address\"}}"
data_dir = var.consul_data_dir
datacenter = "dc1"
retry_join = ["provider=aws tag_key=${var.backend_cluster_tag_key} tag_value=${var.backend_cluster_name}"]
@@ -122,6 +147,7 @@ module "start_vault" {
depends_on = [
enos_consul_start.consul,
module.install_packages,
enos_bundle_install.vault,
]
@@ -307,7 +333,8 @@ resource "enos_remote_exec" "start_audit_socket_listener" {
])
environment = {
SOCKET_PORT = local.audit_socket_port
NETCAT_COMMAND = local.netcat_command[enos_host_info.hosts[each.key].distro]
SOCKET_PORT = local.audit_socket_port
}
scripts = [abspath("${path.module}/scripts/start-audit-socket-listener.sh")]
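Review bot: The comment above `module "install_packages"` says the ordering exists both because some distro/artifact combinations need packages such as openssl before the Vault install and to avoid racing for the package manager lock, yet `enos_bundle_install.consul` (whose body begins before this hunk) carries no such dependency, and Terraform does not order resources by file position, so on the new SLES, Leap and Amazon Linux targets the Consul install and `install_packages` can run concurrently against the same zypper/yum lock. If the Consul bundle is installed from a package on those distros, add `depends_on = [module.install_packages]` to `enos_bundle_install.consul` as well, so both installs are serialised behind the package step in one place. Separately, `local.netcat_command[enos_host_info.hosts[each.key].distro]` is a hard lookup, so a distro ID missing from the map fails at plan time instead of silently falling back to `nc`; that is the right behaviour, but a comment on the map, `# Keyed by the ID reported by enos_host_info; an unknown distro is a plan-time error on purpose`, would stop the next person from "fixing" it with a `lookup()` default.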


@@ -1,4 +1,4 @@
#!/bin/env bash
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1


@@ -1,4 +1,4 @@
#!/bin/env bash
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
@@ -9,18 +9,19 @@ fail() {
exit 1
}
[[ -z "$NETCAT_COMMAND" ]] && fail "NETCAT_COMMAND env variable has not been set"
[[ -z "$SOCKET_PORT" ]] && fail "SOCKET_PORT env variable has not been set"
socket_listener_procs() {
pgrep -x nc
pgrep -x "${NETCAT_COMMAND}"
}
kill_socket_listener() {
pkill nc
pkill "${NETCAT_COMMAND}"
}
test_socket_listener() {
nc -zvw 2 127.0.0.1 "$SOCKET_PORT" < /dev/null
"${NETCAT_COMMAND}" -zvw 2 127.0.0.1 "$SOCKET_PORT" < /dev/null
}
start_socket_listener() {
@@ -42,6 +43,7 @@ read_log() {
}
main() {
if socket_listener_procs; then
# Clean up old nc's that might not be working
kill_socket_listener
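Review bot: `kill_socket_listener` now runs `pkill "${NETCAT_COMMAND}"`, and `pkill` without `-x` matches the pattern against any process name containing it, whereas the paired `socket_listener_procs` check uses `pgrep -x` for an exact match; with `nc` or `netcat` as the pattern this can terminate unrelated processes on the host (the previous `pkill nc` had the same problem, e.g. it would match `rsync`). Make the two consistent with `pkill -x "${NETCAT_COMMAND}"`, or better, have `start_socket_listener` record the listener's PID and kill exactly that process instead of pattern-matching by name. The `main` function continues outside the hunk.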


@@ -100,6 +100,12 @@ variable "consul_release" {
}
}
variable "distro_version" {
type = string
description = "The Linux distro version"
default = null
}
variable "enable_audit_devices" {
description = "If true every audit device will be enabled"
type = bool
@@ -120,7 +126,7 @@ variable "initialize_cluster" {
variable "install_dir" {
type = string
description = "The directory where the vault binary will be installed"
description = "The directory where the Vault binary will be installed"
default = "/opt/vault/bin"
}


@@ -47,4 +47,4 @@ export VAULT_ADDR='http://127.0.0.1:8200'
# Retry a few times because it can take some time for things to settle after
# all the nodes are unsealed
retry 7 check_voter_status
retry 10 check_voter_status