scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Amazon Linux, openSUSE Leap, and SUSE SLES support to Enos scenarios and modules (#25983)

Browse Source 
Add Consul edition support to Enos scenarios and modules
Add Linux distros and Consul edition to Enos samples
Bump RHEL versions to 9.3 and 8.9
This commit is contained in:
Rebecca Willett
2024-06-05 12:58:35 -04:00
committed by GitHub
parent ef10c1a2a4
commit c28739512a
38 changed files with 947 additions and 375 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/test-run-enos-scenario-matrix.yml vendored
View File

@@ -96,7 +96,13 @@ jobs:
ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }} ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.vault-version }} ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.vault-version }}
ENOS_VAR_vault_revision: ${{ inputs.vault-revision }} ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
ENOS_VAR_consul_license_path: ./support/consul.hclic
ENOS_VAR_vault_license_path: ./support/vault.hclic ENOS_VAR_vault_license_path: ./support/vault.hclic
ENOS_VAR_distro_version_amzn2: ${{ matrix.attributes.distro_version_amzn2 }}
ENOS_VAR_distro_version_leap: ${{ matrix.attributes.distro_version_leap }}
ENOS_VAR_distro_version_rhel: ${{ matrix.attributes.distro_version_rhel }}
ENOS_VAR_distro_version_sles: ${{ matrix.attributes.distro_version_sles }}
ENOS_VAR_distro_version_ubuntu: ${{ matrix.attributes.distro_version_ubuntu }}
ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data
steps: steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -134,6 +140,11 @@ jobs:
- if: contains(inputs.sample-name, 'ent') - if: contains(inputs.sample-name, 'ent')
name: Configure Vault license name: Configure Vault license
run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
- if: contains(matrix.scenario.id.filter, 'consul_edition:ent')
name: Configure Consul license
run: |
echo "matrix.scenario.id.filter: ${{ matrix.scenario.id.filter }}"
echo "${{ secrets.CONSUL_LICENSE }}" > ./enos/support/consul.hclic || true
- id: launch - id: launch
name: enos scenario launch ${{ matrix.scenario.id.filter }} name: enos scenario launch ${{ matrix.scenario.id.filter }}
# Continue once and retry to handle occasional blips when creating infrastructure. # Continue once and retry to handle occasional blips when creating infrastructure.

17
enos/enos-dev-scenario-pr-replication.hcl
View File

@@ -69,13 +69,13 @@ scenario "dev_pr_replication" {
EOF EOF
// The matrix is where we define all the baseline combinations that enos can utilize to customize // The matrix is where we define all the baseline combinations that enos can utilize to customize
// your scenario. By default enos attempts to perform your command an the entire product! Most // your scenario. By default enos attempts to perform your command on the entire product of these
// of the time you'll want to reduce that by passing in a filter. // possible comginations! Most of the time you'll want to reduce that by passing in a filter.
// Run 'enos scenario list --help' to see more about how filtering scenarios works in enos. // Run 'enos scenario list --help' to see more about how filtering scenarios works in enos.
matrix { matrix {
arch = ["amd64", "arm64"] arch = ["amd64", "arm64"]
artifact = ["local", "deb", "rpm", "zip"] artifact = ["local", "deb", "rpm", "zip"]
distro = ["ubuntu", "rhel"] distro = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
primary_backend = ["consul", "raft"] primary_backend = ["consul", "raft"]
primary_seal = ["awskms", "pkcs11", "shamir"] primary_seal = ["awskms", "pkcs11", "shamir"]
@@ -117,8 +117,8 @@ scenario "dev_pr_replication" {
// Here we declare all of the providers that we might need for our scenario. // Here we declare all of the providers that we might need for our scenario.
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
// These are variable values that are local to our scenario. They are evaluated after external // These are variable values that are local to our scenario. They are evaluated after external
@@ -127,7 +127,10 @@ scenario "dev_pr_replication" {
// The enos provider uses different ssh transport configs for different distros (as // The enos provider uses different ssh transport configs for different distros (as
// specified in enos-providers.hcl), and we need to be able to access both of those here. // specified in enos-providers.hcl), and we need to be able to access both of those here.
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
// We install vault packages from artifactory. If you wish to use one of these variants you'll // We install vault packages from artifactory. If you wish to use one of these variants you'll
@@ -139,7 +142,7 @@ scenario "dev_pr_replication" {
// If you are using an ent edition, you will need a Vault license. Common convention // If you are using an ent edition, you will need a Vault license. Common convention
// is to store it at ./support/vault.hclic, but you may change this path according // is to store it at ./support/vault.hclic, but you may change this path according
// to your own preference. // to your own preference.
vault_install_dir = matrix.artifact == "zip" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro] vault_install_dir = matrix.artifact == "zip" || matrix.artifact == "local" ? global.vault_install_dir["bundle"] : global.vault_install_dir["package"]
} }
// Begin scenario steps. These are the steps we'll perform to get your cluster up and running. // Begin scenario steps. These are the steps we'll perform to get your cluster up and running.

19
enos/enos-dev-scenario-single-cluster.hcl
View File

@@ -68,14 +68,14 @@ scenario "dev_single_cluster" {
EOF EOF
// The matrix is where we define all the baseline combinations that enos can utilize to customize // The matrix is where we define all the baseline combinations that enos can utilize to customize
// your scenario. By default enos attempts to perform your command an the entire product! Most // your scenario. By default enos attempts to perform your command on the entire product of these
// of the time you'll want to reduce that by passing in a filter. // possible comginations! Most of the time you'll want to reduce that by passing in a filter.
// Run 'enos scenario list --help' to see more about how filtering scenarios works in enos. // Run 'enos scenario list --help' to see more about how filtering scenarios works in enos.
matrix { matrix {
arch = ["amd64", "arm64"] arch = ["amd64", "arm64"]
artifact = ["local", "deb", "rpm", "zip"] artifact = ["local", "deb", "rpm", "zip"]
backend = ["consul", "raft"] backend = ["consul", "raft"]
distro = ["ubuntu", "rhel"] distro = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
edition = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
seal = ["awskms", "pkcs11", "shamir"] seal = ["awskms", "pkcs11", "shamir"]
@@ -107,10 +107,12 @@ scenario "dev_single_cluster" {
terraform = terraform.default terraform = terraform.default
// Here we declare all of the providers that we might need for our scenario. // Here we declare all of the providers that we might need for our scenario.
// There are two different configurations for the Enos provider, each specifying
// SSH transport configs for different Linux distros.
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
// These are variable values that are local to our scenario. They are evaluated after external // These are variable values that are local to our scenario. They are evaluated after external
@@ -119,7 +121,10 @@ scenario "dev_single_cluster" {
// The enos provider uses different ssh transport configs for different distros (as // The enos provider uses different ssh transport configs for different distros (as
// specified in enos-providers.hcl), and we need to be able to access both of those here. // specified in enos-providers.hcl), and we need to be able to access both of those here.
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
// We install vault packages from artifactory. If you wish to use one of these variants you'll // We install vault packages from artifactory. If you wish to use one of these variants you'll
@@ -131,7 +136,7 @@ scenario "dev_single_cluster" {
// If you are using an ent edition, you will need a Vault license. Common convention // If you are using an ent edition, you will need a Vault license. Common convention
// is to store it at ./support/vault.hclic, but you may change this path according // is to store it at ./support/vault.hclic, but you may change this path according
// to your own preference. // to your own preference.
vault_install_dir = matrix.artifact == "zip" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro] vault_install_dir = matrix.artifact == "zip" || matrix.artifact == "local" ? global.vault_install_dir["bundle"] : global.vault_install_dir["package"]
} }
// Begin scenario steps. These are the steps we'll perform to get your cluster up and running. // Begin scenario steps. These are the steps we'll perform to get your cluster up and running.

43
enos/enos-globals.hcl
View File

@@ -16,20 +16,43 @@ globals {
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"] "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
} }
config_modes = ["env", "file"] config_modes = ["env", "file"]
consul_editions = ["ce", "ent"]
consul_versions = ["1.14.11", "1.15.7", "1.16.3", "1.17.0"] consul_versions = ["1.14.11", "1.15.7", "1.16.3", "1.17.0"]
distros = ["ubuntu", "rhel"] distros = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
# Different distros may require different packages, or use different aliases for the same package
distro_packages = {
amzn2 = ["nc"]
leap = ["netcat", "openssl"]
rhel = ["nc"]
# When installing Vault RPM packages on a SLES AMI, the openssl package provided
# isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
# "correctly" named one in our package installation before installing Vault.
sles = ["netcat-openbsd", "openssl"]
ubuntu = ["netcat"]
}
distro_version = { distro_version = {
"rhel" = var.rhel_distro_version "amzn2" = var.distro_version_amzn2
"ubuntu" = var.ubuntu_distro_version "leap" = var.distro_version_leap
"rhel" = var.distro_version_rhel
"sles" = var.distro_version_sles
"ubuntu" = var.distro_version_ubuntu
} }
editions = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] editions = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
packages = ["jq"] package_manager = {
distro_packages = { "amzn2" = "yum"
ubuntu = ["netcat"] "leap" = "zypper"
rhel = ["nc"] "rhel" = "yum"
"sles" = "zypper"
"ubuntu" = "apt"
} }
packages = ["jq"]
sample_attributes = { sample_attributes = {
aws_region = ["us-east-1", "us-west-2"] aws_region = ["us-east-1", "us-west-2"]
distro_version_amzn2 = ["2"]
distro_version_leap = ["15.4", "15.5"]
distro_version_rhel = ["8.9", "9.3"]
distro_version_sles = ["v15_sp5_standard"]
distro_version_ubuntu = ["20.04", "22.04"]
} }
seals = ["awskms", "pkcs11", "shamir"] seals = ["awskms", "pkcs11", "shamir"]
tags = merge({ tags = merge({
@@ -42,9 +65,9 @@ globals {
// that use this global might not work as expected with earlier versions. Below 1.8.x is // that use this global might not work as expected with earlier versions. Below 1.8.x is
// not supported in any way. // not supported in any way.
upgrade_initial_versions = ["1.11.12", "1.12.11", "1.13.11", "1.14.7", "1.15.3"] upgrade_initial_versions = ["1.11.12", "1.12.11", "1.13.11", "1.14.7", "1.15.3"]
vault_install_dir_packages = { vault_install_dir = {
rhel = "/bin" bundle = "/opt/vault/bin"
ubuntu = "/usr/bin" package = "/usr/bin"
} }
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic")) vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key vault_tag_key = "Type" // enos_vault_start expects Type as the tag key

4
enos/enos-providers.hcl
View File

@@ -5,7 +5,8 @@ provider "aws" "default" {
region = var.aws_region region = var.aws_region
} }
provider "enos" "rhel" { # This default SSH user is used in RHEL, Amazon Linux, SUSE, and Leap distros
provider "enos" "ec2_user" {
transport = { transport = {
ssh = { ssh = {
user = "ec2-user" user = "ec2-user"
@@ -14,6 +15,7 @@ provider "enos" "rhel" {
} }
} }
# This default SSH user is used in the Ubuntu distro
provider "enos" "ubuntu" { provider "enos" "ubuntu" {
transport = { transport = {
ssh = { ssh = {

24
enos/enos-samples-ce-build.hcl
View File

@@ -97,7 +97,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -107,7 +107,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -117,7 +117,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -127,7 +127,7 @@ sample "build_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -141,7 +141,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -151,7 +151,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -161,7 +161,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -171,7 +171,7 @@ sample "build_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
exclude { exclude {
@@ -191,6 +191,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["crt"] artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -200,6 +201,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["crt"] artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -209,6 +211,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["crt"] artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -218,6 +221,7 @@ sample "build_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["crt"] artifact_source = ["crt"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -231,6 +235,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -240,6 +245,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -249,6 +255,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -258,6 +265,7 @@ sample "build_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["crt"] artifact_source = ["crt"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }

24
enos/enos-samples-ce-release.hcl
View File

@@ -97,7 +97,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -107,7 +107,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -117,7 +117,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -127,7 +127,7 @@ sample "release_ce_linux_arm64_rpm" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -141,7 +141,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -151,7 +151,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -161,7 +161,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -171,7 +171,7 @@ sample "release_ce_linux_amd64_rpm" {
arch = ["amd64"] arch = ["amd64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["package"] artifact_type = ["package"]
distro = ["rhel"] distro = ["amzn2", "leap", "rhel", "sles"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -185,6 +185,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -194,6 +195,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -203,6 +205,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -212,6 +215,7 @@ sample "release_ce_linux_amd64_zip" {
arch = ["amd64"] arch = ["amd64"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -225,6 +229,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -234,6 +239,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -243,6 +249,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }
@@ -252,6 +259,7 @@ sample "release_ce_linux_arm64_zip" {
arch = ["arm64"] arch = ["arm64"]
artifact_source = ["artifactory"] artifact_source = ["artifactory"]
artifact_type = ["bundle"] artifact_type = ["bundle"]
distro = ["amzn2", "ubuntu"]
edition = ["ce"] edition = ["ce"]
} }
} }

56
enos/enos-scenario-agent.hcl
View File

@@ -8,6 +8,7 @@ scenario "agent" {
artifact_type = global.artifact_types artifact_type = global.artifact_types
backend = global.backends backend = global.backends
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -30,24 +31,39 @@ scenario "agent" {
seal = ["pkcs11"] seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -89,9 +105,9 @@ scenario "agent" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -169,9 +185,9 @@ scenario "agent" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +212,13 @@ scenario "agent" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -226,7 +242,7 @@ scenario "agent" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -244,7 +260,7 @@ scenario "agent" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
vault_agent_template_destination = "/tmp/agent_output.txt" vault_agent_template_destination = "/tmp/agent_output.txt"
@@ -281,7 +297,7 @@ scenario "agent" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -297,7 +313,7 @@ scenario "agent" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -314,7 +330,7 @@ scenario "agent" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -334,7 +350,7 @@ scenario "agent" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -352,7 +368,7 @@ scenario "agent" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -371,7 +387,7 @@ scenario "agent" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -389,7 +405,7 @@ scenario "agent" {
variables { variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }

54
enos/enos-scenario-autopilot.hcl
View File

@@ -34,24 +34,40 @@ scenario "autopilot" {
seal = ["pkcs11"] seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro] vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_autopilot_default_max_leases = semverconstraint(matrix.initial_version, ">=1.16.0-0") ? "300000" : "" vault_autopilot_default_max_leases = semverconstraint(matrix.initial_version, ">=1.16.0-0") ? "300000" : ""
} }
@@ -159,7 +175,7 @@ scenario "autopilot" {
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_license.license : null license = matrix.edition != "ce" ? step.read_license.license : null
packages = concat(global.packages, global.distro_packages[matrix.distro]) packages = concat(global.packages, global.distro_packages[matrix.distro])
release = { release = {
@@ -191,7 +207,7 @@ scenario "autopilot" {
variables { variables {
vault_hosts = step.create_vault_cluster.target_hosts vault_hosts = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -211,7 +227,7 @@ scenario "autopilot" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster.target_hosts vault_instances = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -245,7 +261,7 @@ scenario "autopilot" {
log_level = var.vault_log_level log_level = var.vault_log_level
force_unseal = matrix.seal == "shamir" force_unseal = matrix.seal == "shamir"
initialize_cluster = false initialize_cluster = false
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_license.license : null license = matrix.edition != "ce" ? step.read_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -274,7 +290,7 @@ scenario "autopilot" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
} }
} }
@@ -291,7 +307,7 @@ scenario "autopilot" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token
} }
@@ -312,7 +328,7 @@ scenario "autopilot" {
variables { variables {
vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_autopilot_upgrade_status = "await-server-removal" vault_autopilot_upgrade_status = "await-server-removal"
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster.target_hosts vault_instances = step.create_vault_cluster.target_hosts
vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token vault_root_token = step.upgrade_vault_cluster_with_autopilot.root_token
} }
@@ -332,7 +348,7 @@ scenario "autopilot" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts
} }
@@ -354,7 +370,7 @@ scenario "autopilot" {
variables { variables {
vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_hosts = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -375,7 +391,7 @@ scenario "autopilot" {
variables { variables {
node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips
vault_instance_count = 6 vault_instance_count = 6
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -395,7 +411,7 @@ scenario "autopilot" {
variables { variables {
operator_instance = step.get_updated_vault_cluster_ips.leader_public_ip operator_instance = step.get_updated_vault_cluster_ips.leader_public_ip
remove_vault_instances = step.create_vault_cluster.target_hosts remove_vault_instances = step.create_vault_cluster.target_hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instance_count = 3 vault_instance_count = 3
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -434,7 +450,7 @@ scenario "autopilot" {
variables { variables {
vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_autopilot_upgrade_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_autopilot_upgrade_status = "idle" vault_autopilot_upgrade_status = "idle"
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -455,7 +471,7 @@ scenario "autopilot" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
} }
} }
@@ -476,7 +492,7 @@ scenario "autopilot" {
variables { variables {
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -519,7 +535,7 @@ scenario "autopilot" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts vault_instances = step.upgrade_vault_cluster_with_autopilot.target_hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }

57
enos/enos-scenario-proxy.hcl
View File

@@ -8,6 +8,7 @@ scenario "proxy" {
artifact_type = global.artifact_types artifact_type = global.artifact_types
backend = global.backends backend = global.backends
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -30,24 +31,40 @@ scenario "proxy" {
seal = ["pkcs11"] seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro] vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -89,9 +106,9 @@ scenario "proxy" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -169,9 +186,9 @@ scenario "proxy" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +213,13 @@ scenario "proxy" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -226,7 +243,7 @@ scenario "proxy" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -243,7 +260,7 @@ scenario "proxy" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -259,7 +276,7 @@ scenario "proxy" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -275,7 +292,7 @@ scenario "proxy" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -292,7 +309,7 @@ scenario "proxy" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -312,7 +329,7 @@ scenario "proxy" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -327,7 +344,7 @@ scenario "proxy" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -343,7 +360,7 @@ scenario "proxy" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -361,7 +378,7 @@ scenario "proxy" {
variables { variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }

93
enos/enos-scenario-replication.hcl
View File

@@ -10,6 +10,7 @@ scenario "replication" {
artifact_source = global.artifact_sources artifact_source = global.artifact_sources
artifact_type = global.artifact_types artifact_type = global.artifact_types
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -40,24 +41,40 @@ scenario "replication" {
secondary_seal = ["pkcs11"] secondary_seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro] vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir[matrix.artifact_type]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -99,9 +116,9 @@ scenario "replication" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = (matrix.primary_backend == "raft" && matrix.secondary_backend == "raft") || var.backend_edition == "ce" skip_step = (matrix.primary_backend == "raft" && matrix.secondary_backend == "raft") || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -255,9 +272,9 @@ scenario "replication" {
variables { variables {
cluster_name = step.create_primary_cluster_backend_targets.cluster_name cluster_name = step.create_primary_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_primary_cluster_backend_targets.hosts target_hosts = step.create_primary_cluster_backend_targets.hosts
@@ -281,14 +298,14 @@ scenario "replication" {
backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_primary_cluster_targets.cluster_name cluster_name = step.create_primary_cluster_targets.cluster_name
consul_release = matrix.primary_backend == "consul" ? { consul_release = matrix.primary_backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -313,9 +330,9 @@ scenario "replication" {
variables { variables {
cluster_name = step.create_secondary_cluster_backend_targets.cluster_name cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.secondary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_secondary_cluster_backend_targets.hosts target_hosts = step.create_secondary_cluster_backend_targets.hosts
@@ -339,14 +356,14 @@ scenario "replication" {
backend_cluster_name = step.create_secondary_cluster_backend_targets.cluster_name backend_cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.secondary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_secondary_cluster_targets.cluster_name cluster_name = step.create_secondary_cluster_targets.cluster_name
consul_release = matrix.secondary_backend == "consul" ? { consul_release = matrix.secondary_backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -370,7 +387,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_primary_cluster_targets.hosts vault_instances = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -386,7 +403,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_secondary_cluster_targets.hosts vault_instances = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -403,7 +420,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_primary_cluster_targets.hosts vault_instances = step.create_primary_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -440,7 +457,7 @@ scenario "replication" {
variables { variables {
vault_hosts = step.create_primary_cluster_targets.hosts vault_hosts = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
} }
@@ -464,7 +481,7 @@ scenario "replication" {
variables { variables {
vault_hosts = step.create_secondary_cluster_targets.hosts vault_hosts = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_secondary_cluster.root_token vault_root_token = step.create_secondary_cluster.root_token
} }
} }
@@ -482,7 +499,7 @@ scenario "replication" {
leader_public_ip = step.get_primary_cluster_ips.leader_public_ip leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
leader_private_ip = step.get_primary_cluster_ips.leader_private_ip leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
vault_instances = step.create_primary_cluster_targets.hosts vault_instances = step.create_primary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
} }
@@ -502,7 +519,7 @@ scenario "replication" {
variables { variables {
primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
} }
@@ -517,7 +534,7 @@ scenario "replication" {
variables { variables {
primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip primary_leader_public_ip = step.get_primary_cluster_ips.leader_public_ip
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
} }
@@ -533,7 +550,7 @@ scenario "replication" {
variables { variables {
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_secondary_cluster.root_token vault_root_token = step.create_secondary_cluster.root_token
wrapping_token = step.generate_secondary_token.secondary_token wrapping_token = step.generate_secondary_token.secondary_token
} }
@@ -556,7 +573,7 @@ scenario "replication" {
variables { variables {
follower_public_ips = step.get_secondary_cluster_ips.follower_public_ips follower_public_ips = step.get_secondary_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : step.create_primary_cluster.recovery_keys_hex vault_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : step.create_primary_cluster.recovery_keys_hex
vault_seal_type = matrix.primary_seal == "shamir" ? matrix.primary_seal : matrix.secondary_seal vault_seal_type = matrix.primary_seal == "shamir" ? matrix.primary_seal : matrix.secondary_seal
} }
@@ -574,7 +591,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_secondary_cluster_targets.hosts vault_instances = step.create_secondary_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -591,7 +608,7 @@ scenario "replication" {
primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip primary_leader_private_ip = step.get_primary_cluster_ips.leader_private_ip
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -609,7 +626,7 @@ scenario "replication" {
variables { variables {
node_public_ips = step.get_secondary_cluster_ips.follower_public_ips node_public_ips = step.get_secondary_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -633,15 +650,15 @@ scenario "replication" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_primary_cluster_targets.cluster_name cluster_name = step.create_primary_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.primary_backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.primary_backend == "consul" ? { consul_release = matrix.primary_backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
force_unseal = matrix.primary_seal == "shamir" force_unseal = matrix.primary_seal == "shamir"
initialize_cluster = false initialize_cluster = false
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -666,7 +683,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_primary_cluster_additional_targets.hosts vault_instances = step.create_primary_cluster_additional_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -685,7 +702,7 @@ scenario "replication" {
variables { variables {
vault_instances = step.create_primary_cluster_additional_targets.hosts vault_instances = step.create_primary_cluster_additional_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
} }
@@ -755,7 +772,7 @@ scenario "replication" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts
} }
@@ -775,7 +792,7 @@ scenario "replication" {
variables { variables {
vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts vault_hosts = step.get_remaining_hosts_replication_data.remaining_hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instance_count = step.get_remaining_hosts_replication_data.remaining_hosts_count vault_instance_count = step.get_remaining_hosts_replication_data.remaining_hosts_count
vault_root_token = step.create_primary_cluster.root_token vault_root_token = step.create_primary_cluster.root_token
} }
@@ -799,7 +816,7 @@ scenario "replication" {
primary_leader_private_ip = step.get_updated_primary_cluster_ips.leader_private_ip primary_leader_private_ip = step.get_updated_primary_cluster_ips.leader_private_ip
secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip secondary_leader_public_ip = step.get_secondary_cluster_ips.leader_public_ip
secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip secondary_leader_private_ip = step.get_secondary_cluster_ips.leader_private_ip
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -874,7 +891,7 @@ scenario "replication" {
} }
output "initial_known_primary_cluster_addresses" { output "initial_known_primary_cluster_addresses" {
description = "The Vault secondary cluster performance replication status" description = "The initial known Vault primary cluster addresses"
value = step.verify_performance_replication.known_primary_cluster_addrs value = step.verify_performance_replication.known_primary_cluster_addrs
} }

95
enos/enos-scenario-seal-ha.hcl
View File

@@ -8,6 +8,7 @@ scenario "seal_ha" {
artifact_type = global.artifact_types artifact_type = global.artifact_types
backend = global.backends backend = global.backends
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -37,24 +38,46 @@ scenario "seal_ha" {
secondary_seal = ["pkcs11"] secondary_seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
primary_seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
secondary_seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -127,9 +150,9 @@ scenario "seal_ha" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -193,9 +216,9 @@ scenario "seal_ha" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -220,13 +243,13 @@ scenario "seal_ha" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -251,7 +274,7 @@ scenario "seal_ha" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -266,7 +289,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -280,7 +303,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -302,7 +325,7 @@ scenario "seal_ha" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -320,7 +343,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -354,7 +377,7 @@ scenario "seal_ha" {
variables { variables {
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
manage_service = local.manage_service manage_service = local.manage_service
seal_attributes = step.create_primary_seal_key.attributes seal_attributes = step.create_primary_seal_key.attributes
@@ -378,7 +401,7 @@ scenario "seal_ha" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -393,7 +416,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -408,7 +431,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -426,7 +449,7 @@ scenario "seal_ha" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -441,7 +464,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -455,7 +478,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -474,7 +497,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -491,7 +514,7 @@ scenario "seal_ha" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -509,7 +532,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -525,7 +548,7 @@ scenario "seal_ha" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -541,7 +564,7 @@ scenario "seal_ha" {
variables { variables {
node_public_ips = step.get_updated_cluster_ips.follower_public_ips node_public_ips = step.get_updated_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -570,7 +593,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
seal_type = "multiseal" seal_type = "multiseal"
} }
@@ -607,7 +630,7 @@ scenario "seal_ha" {
variables { variables {
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
manage_service = local.manage_service manage_service = local.manage_service
seal_alias = "secondary" seal_alias = "secondary"
@@ -630,7 +653,7 @@ scenario "seal_ha" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -646,7 +669,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -661,7 +684,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -680,7 +703,7 @@ scenario "seal_ha" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -696,7 +719,7 @@ scenario "seal_ha" {
variables { variables {
node_public_ips = step.get_cluster_ips_after_migration.follower_public_ips node_public_ips = step.get_cluster_ips_after_migration.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -712,7 +735,7 @@ scenario "seal_ha" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
seal_type = matrix.secondary_seal seal_type = matrix.secondary_seal
} }

60
enos/enos-scenario-smoke.hcl
View File

@@ -8,6 +8,7 @@ scenario "smoke" {
artifact_type = global.artifact_types artifact_type = global.artifact_types
backend = global.backends backend = global.backends
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -30,24 +31,39 @@ scenario "smoke" {
seal = ["pkcs11"] seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -89,9 +105,9 @@ scenario "smoke" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -169,9 +185,9 @@ scenario "smoke" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -196,13 +212,13 @@ scenario "smoke" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path local_artifact_path = local.artifact_path
manage_service = local.manage_service manage_service = local.manage_service
@@ -226,7 +242,7 @@ scenario "smoke" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -241,7 +257,7 @@ scenario "smoke" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -256,7 +272,7 @@ scenario "smoke" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -274,7 +290,7 @@ scenario "smoke" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -289,7 +305,7 @@ scenario "smoke" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -305,7 +321,7 @@ scenario "smoke" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -322,7 +338,7 @@ scenario "smoke" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -342,7 +358,7 @@ scenario "smoke" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -360,7 +376,7 @@ scenario "smoke" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -379,7 +395,7 @@ scenario "smoke" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }
@@ -397,7 +413,7 @@ scenario "smoke" {
variables { variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips node_public_ips = step.get_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }

29
enos/enos-scenario-ui.hcl
View File

@@ -4,6 +4,7 @@
scenario "ui" { scenario "ui" {
matrix { matrix {
backend = global.backends backend = global.backends
consul_edition = global.consul_editions
edition = ["ce", "ent"] edition = ["ce", "ent"]
} }
@@ -23,7 +24,7 @@ scenario "ui" {
"ce" = ["ui"] "ce" = ["ui"]
"ent" = ["ui", "enterprise", "ent"] "ent" = ["ui", "enterprise", "ent"]
} }
bundle_path = abspath(var.vault_artifact_path) artifact_path = abspath(var.vault_artifact_path)
distro = "ubuntu" distro = "ubuntu"
consul_version = "1.17.0" consul_version = "1.17.0"
seal = "awskms" seal = "awskms"
@@ -32,10 +33,6 @@ scenario "ui" {
"Project" : "Enos", "Project" : "Enos",
"Environment" : "ci" "Environment" : "ci"
}, var.tags) }, var.tags)
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = var.vault_install_dir vault_install_dir = var.vault_install_dir
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic")) vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
@@ -47,7 +44,7 @@ scenario "ui" {
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition]
bundle_path = local.bundle_path artifact_path = local.artifact_path
goarch = local.arch goarch = local.arch
goos = "linux" goos = "linux"
product_version = var.vault_product_version product_version = var.vault_product_version
@@ -78,9 +75,9 @@ scenario "ui" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -106,10 +103,10 @@ scenario "ui" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[local.arch][local.distro][var.ubuntu_distro_version] ami_id = step.ec2_info.ami_ids[local.arch][local.distro][var.distro_version_ubuntu]
cluster_tag_key = local.vault_tag_key cluster_tag_key = local.vault_tag_key
common_tags = local.tags common_tags = local.tags
seal_names = step.create_seal_key.resource_names seal_key_names = step.create_seal_key.resource_names
vpc_id = step.create_vpc.id vpc_id = step.create_vpc.id
} }
} }
@@ -126,7 +123,7 @@ scenario "ui" {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"] ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
cluster_tag_key = local.backend_tag_key cluster_tag_key = local.backend_tag_key
common_tags = local.tags common_tags = local.tags
seal_names = step.create_seal_key.resource_names seal_key_names = step.create_seal_key.resource_names
vpc_id = step.create_vpc.id vpc_id = step.create_vpc.id
} }
} }
@@ -144,9 +141,9 @@ scenario "ui" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key cluster_tag_key = local.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = local.consul_version version = local.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -169,15 +166,15 @@ scenario "ui" {
backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = local.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = local.consul_version version = local.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.artifact_path
packages = global.distro_packages["ubuntu"] packages = global.distro_packages["ubuntu"]
seal_name = step.create_seal_key.resource_name seal_name = step.create_seal_key.resource_name
seal_type = local.seal seal_type = local.seal

64
enos/enos-scenario-upgrade.hcl
View File

@@ -8,6 +8,7 @@ scenario "upgrade" {
artifact_type = global.artifact_types artifact_type = global.artifact_types
backend = global.backends backend = global.backends
config_mode = global.config_modes config_mode = global.config_modes
consul_edition = global.consul_editions
consul_version = global.consul_versions consul_version = global.consul_versions
distro = global.distros distro = global.distros
edition = global.editions edition = global.editions
@@ -43,24 +44,39 @@ scenario "upgrade" {
seal = ["pkcs11"] seal = ["pkcs11"]
edition = ["ce", "ent", "ent.fips1402"] edition = ["ce", "ent", "ent.fips1402"]
} }
# arm64 AMIs are not offered for Leap 15.4
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles; Enos support for softhsm
# on amzn2 to be added later.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
terraform = terraform.default terraform = terraform.default
providers = [ providers = [
provider.aws.default, provider.aws.default,
provider.enos.ubuntu, provider.enos.ec2_user,
provider.enos.rhel provider.enos.ubuntu
] ]
locals { locals {
artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel amzn2 = provider.enos.ec2_user
leap = provider.enos.ec2_user
rhel = provider.enos.ec2_user
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
manage_service = matrix.artifact_type == "bundle" manage_service = matrix.artifact_type == "bundle"
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
} }
step "get_local_metadata" { step "get_local_metadata" {
@@ -103,9 +119,9 @@ scenario "upgrade" {
} }
// This step reads the contents of the backend license if we're using a Consul backend and // This step reads the contents of the backend license if we're using a Consul backend and
// the edition is "ent". // an "ent" Consul edition.
step "read_backend_license" { step "read_backend_license" {
skip_step = matrix.backend == "raft" || var.backend_edition == "ce" skip_step = matrix.backend == "raft" || matrix.consul_edition == "ce"
module = module.read_license module = module.read_license
variables { variables {
@@ -183,9 +199,9 @@ scenario "upgrade" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} }
target_hosts = step.create_vault_cluster_backend_targets.hosts target_hosts = step.create_vault_cluster_backend_targets.hosts
@@ -209,13 +225,13 @@ scenario "upgrade" {
backend_cluster_tag_key = global.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
config_mode = matrix.config_mode config_mode = matrix.config_mode
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
edition = var.backend_edition edition = matrix.consul_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
enable_audit_devices = var.vault_enable_audit_devices enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir install_dir = global.vault_install_dir[matrix.artifact_type]
license = matrix.edition != "ce" ? step.read_vault_license.license : null license = matrix.edition != "ce" ? step.read_vault_license.license : null
packages = concat(global.packages, global.distro_packages[matrix.distro]) packages = concat(global.packages, global.distro_packages[matrix.distro])
release = { release = {
@@ -239,7 +255,7 @@ scenario "upgrade" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -259,7 +275,7 @@ scenario "upgrade" {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -282,7 +298,7 @@ scenario "upgrade" {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_local_artifact_path = local.artifact_path vault_local_artifact_path = local.artifact_path
vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
vault_seal_type = matrix.seal vault_seal_type = matrix.seal
} }
@@ -303,7 +319,7 @@ scenario "upgrade" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -318,7 +334,7 @@ scenario "upgrade" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -333,7 +349,7 @@ scenario "upgrade" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
leader_host = step.get_leader_ip_for_step_down.leader_host leader_host = step.get_leader_ip_for_step_down.leader_host
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -351,7 +367,7 @@ scenario "upgrade" {
variables { variables {
timeout = 120 # seconds timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -368,7 +384,7 @@ scenario "upgrade" {
variables { variables {
vault_hosts = step.create_vault_cluster_targets.hosts vault_hosts = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
} }
@@ -386,7 +402,7 @@ scenario "upgrade" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
@@ -406,7 +422,7 @@ scenario "upgrade" {
variables { variables {
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -424,7 +440,7 @@ scenario "upgrade" {
variables { variables {
node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
} }
} }
@@ -440,7 +456,7 @@ scenario "upgrade" {
} }
variables { variables {
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token vault_root_token = step.create_vault_cluster.root_token
} }
@@ -458,7 +474,7 @@ scenario "upgrade" {
variables { variables {
vault_edition = matrix.edition vault_edition = matrix.edition
vault_install_dir = local.vault_install_dir vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
} }
} }

34
enos/enos-variables.hcl
View File

@@ -75,10 +75,34 @@ variable "project_name" {
default = "vault-enos-integration" default = "vault-enos-integration"
} }
variable "rhel_distro_version" { variable "distro_version_amzn2" {
description = "The version of Amazon Linux 2 to use"
type = string
default = "2"
}
variable "distro_version_leap" {
description = "The version of openSUSE leap to use"
type = string
default = "15.5" // or "15.4"
}
variable "distro_version_rhel" {
description = "The version of RHEL to use" description = "The version of RHEL to use"
type = string type = string
default = "9.1" // or "8.8" default = "9.3" // or "8.9"
}
variable "distro_version_sles" {
description = "The version of SUSE SLES to use"
type = string
default = "v15_sp5_standard"
}
variable "distro_version_ubuntu" {
description = "The version of ubuntu to use"
type = string
default = "22.04" // or "20.04"
} }
variable "tags" { variable "tags" {
@@ -93,12 +117,6 @@ variable "terraform_plugin_cache_dir" {
default = null default = null
} }
variable "ubuntu_distro_version" {
description = "The version of ubuntu to use"
type = string
default = "22.04" // or "20.04", "18.04"
}
variable "ui_test_filter" { variable "ui_test_filter" {
type = string type = string
description = "A test filter to limit the ui tests to execute. Will be appended to the ember test command as '-f=\"<filter>\"'" description = "A test filter to limit the ui tests to execute. Will be appended to the ember test command as '-f=\"<filter>\"'"

22
enos/enos.vars.hcl
View File

@@ -23,9 +23,6 @@
# aws_ssh_private_key_path is the path to the AWS keypair private key # aws_ssh_private_key_path is the path to the AWS keypair private key
# aws_ssh_private_key_path = "./support/private_key.pem" # aws_ssh_private_key_path = "./support/private_key.pem"
# backend_edition is the backend (consul) release edition if applicable to the scenario.
# backend_edition = "ce"
# backend_license_path is the license for the backend if applicable (Consul Enterprise)". # backend_license_path is the license for the backend if applicable (Consul Enterprise)".
# backend_license_path = "./support/consul.hclic" # backend_license_path = "./support/consul.hclic"
@@ -40,8 +37,20 @@
# resources. # resources.
# project_name = "vault-enos-integration" # project_name = "vault-enos-integration"
# rhel_distro_version is the version of RHEL to use for "distro:rhel" variants. # distro_version_amzn2 is the version of Amazon Linux 2 to use for "distro:amzn2" variants
# rhel_distro_version = "9.1" // or "8.8" # distro_version_amzn2 = "2"
# distro_version_leap is the version of openSUSE Leap to use for "distro:leap" variants
# distro_version_leap = "15.5" // or "15.4"
# distro_version_rhel is the version of RHEL to use for "distro:rhel" variants.
# distro_version_rhel = "9.3" // or "8.9"
# distro_version_sles is the version of SUSE SLES to use for "distro:sles" variants.
# distro_version_sles = "v15_sp5_standard"
# distro_version_ubuntu is the version of ubuntu to use for "distro:ubuntu" variants
# distro_version_ubuntu = "22.04" // or "20.04", "18.04"
# tags are a map of tags that will be applied to infrastructure resources that # tags are a map of tags that will be applied to infrastructure resources that
# support tagging. # support tagging.
@@ -59,9 +68,6 @@
# cluster will be created but no tests will be run. # cluster will be created but no tests will be run.
# ui_run_tests = true # ui_run_tests = true
# ubuntu_distro_version is the version of ubuntu to use for "distro:ubuntu" variants
# ubuntu_distro_version = "22.04" // or "20.04", "18.04"
# vault_artifact_path is the path to CRT generated or local vault.zip bundle. When # vault_artifact_path is the path to CRT generated or local vault.zip bundle. When
# using the "builder:local" variant a bundle will be built from the current branch. # using the "builder:local" variant a bundle will be built from the current branch.
# In CI it will use the output of the build workflow. # In CI it will use the output of the build workflow.

55
enos/modules/build_artifactory_artifact/locals.tf
View File

@@ -6,12 +6,18 @@ locals {
// file name extensions for the install packages of vault for the various architectures, distributions and editions // file name extensions for the install packages of vault for the various architectures, distributions and editions
package_extensions = { package_extensions = {
amd64 = { amd64 = {
ubuntu = "-1_amd64.deb" amzn2 = "-1.x86_64.rpm"
leap = "-1.x86_64.rpm"
rhel = "-1.x86_64.rpm" rhel = "-1.x86_64.rpm"
sles = "-1.x86_64.rpm"
ubuntu = "-1_amd64.deb"
} }
arm64 = { arm64 = {
ubuntu = "-1_arm64.deb" amzn2 = "-1.aarch64.rpm"
leap = "-1.aarch64.rpm"
rhel = "-1.aarch64.rpm" rhel = "-1.aarch64.rpm"
sles = "-1.aarch64.rpm"
ubuntu = "-1_arm64.deb"
} }
} }
@@ -20,12 +26,19 @@ locals {
// file name prefixes for the install packages of vault for the various distributions and artifact types (package or bundle) // file name prefixes for the install packages of vault for the various distributions and artifact types (package or bundle)
artifact_package_release_names = { artifact_package_release_names = {
ubuntu = { amzn2 = {
"ce" = "vault_" "ce" = "vault-"
"ent" = "vault-enterprise_", "ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402_", "ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm_", "ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402_", "ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
},
leap = {
"ce" = "vault-"
"ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
}, },
rhel = { rhel = {
"ce" = "vault-" "ce" = "vault-"
@@ -33,19 +46,27 @@ locals {
"ent.fips1402" = "vault-enterprise-fips1402-", "ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-", "ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-", "ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
},
sles = {
"ce" = "vault-"
"ent" = "vault-enterprise-",
"ent.fips1402" = "vault-enterprise-fips1402-",
"ent.hsm" = "vault-enterprise-hsm-",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402-",
}
ubuntu = {
"ce" = "vault_"
"ent" = "vault-enterprise_",
"ent.fips1402" = "vault-enterprise-fips1402_",
"ent.hsm" = "vault-enterprise-hsm_",
"ent.hsm.fips1402" = "vault-enterprise-hsm-fips1402_",
} }
} }
// edition --> artifact name edition # Prefix for the artifact name. Ex: vault_, vault-, vault-enterprise_, vault-enterprise-hsm-fips1402-, etc
artifact_name_edition = {
"ce" = ""
"ent" = ""
"ent.hsm" = ".hsm"
"ent.fips1402" = ".fips1402"
"ent.hsm.fips1402" = ".hsm.fips1402"
}
artifact_name_prefix = var.artifact_type == "package" ? local.artifact_package_release_names[var.distro][var.edition] : "vault_" artifact_name_prefix = var.artifact_type == "package" ? local.artifact_package_release_names[var.distro][var.edition] : "vault_"
# Suffix and extension for the artifact name. Ex: _linux_<arch>.zip,
artifact_name_extension = var.artifact_type == "package" ? local.package_extensions[var.arch][var.distro] : "_linux_${var.arch}.zip" artifact_name_extension = var.artifact_type == "package" ? local.package_extensions[var.arch][var.distro] : "_linux_${var.arch}.zip"
# Combine prefix/suffix/extension together to form the artifact name
artifact_name = var.artifact_type == "package" ? "${local.artifact_name_prefix}${replace(local.artifact_version, "-", "~")}${local.artifact_name_extension}" : "${local.artifact_name_prefix}${var.product_version}${local.artifact_name_extension}" artifact_name = var.artifact_type == "package" ? "${local.artifact_name_prefix}${replace(local.artifact_version, "-", "~")}${local.artifact_name_extension}" : "${local.artifact_name_prefix}${var.product_version}${local.artifact_name_extension}"
} }

30
enos/modules/disable_selinux/main.tf Normal file
View File

@@ -0,0 +1,30 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}
variable "hosts" {
type = map(object({
private_ip = string
public_ip = string
}))
description = "The hosts to install packages on"
}
resource "enos_remote_exec" "make_selinux_permissive" {
for_each = var.hosts
scripts = [abspath("${path.module}/scripts/make-selinux-permissive.sh")]
transport = {
ssh = {
host = each.value.public_ip
}
}
}

18
enos/modules/disable_selinux/scripts/make-selinux-permissive.sh Normal file
View File

@@ -0,0 +1,18 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
if ! type getenforce &> /dev/null; then
exit 0
fi
if sudo getenforce | grep Enforcing; then
sudo setenforce 0
fi

159
enos/modules/ec2_info/main.tf
View File

@@ -1,27 +1,50 @@
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1 # SPDX-License-Identifier: BUSL-1.1
# Note: in order to use the openSUSE Leap AMIs, the AWS account in use must "subscribe"
# and accept SUSE's terms of use. You can do this at the links below. If the AWS account
# you are using is already subscribed, this confirmation will be displayed on each page.
# openSUSE Leap arm64 subscription: https://aws.amazon.com/marketplace/server/procurement?productId=a516e959-df54-4035-bb1a-63599b7a6df9
# openSUSE leap amd64 subscription: https://aws.amazon.com/marketplace/server/procurement?productId=5535c495-72d4-4355-b169-54ffa874f849
locals { locals {
architectures = toset(["arm64", "x86_64"]) architectures = toset(["arm64", "x86_64"])
amzn2_owner_id = "591542846629"
canonical_owner_id = "099720109477" canonical_owner_id = "099720109477"
sles_owner_id = "013907871322"
suse_owner_id = "679593333241"
rhel_owner_id = "309956199498" rhel_owner_id = "309956199498"
ids = { ids = {
"arm64" = { "arm64" = {
"amzn2" = {
"2" = data.aws_ami.amzn2["arm64"].id
}
"rhel" = { "rhel" = {
"8.8" = data.aws_ami.rhel_88["arm64"].id "8.9" = data.aws_ami.rhel_89["arm64"].id
"9.1" = data.aws_ami.rhel_91["arm64"].id "9.3" = data.aws_ami.rhel_93["arm64"].id
}
"sles" = {
"v15_sp5_standard" = data.aws_ami.sles_15_sp5_standard["arm64"].id
} }
"ubuntu" = { "ubuntu" = {
"18.04" = data.aws_ami.ubuntu_1804["arm64"].id
"20.04" = data.aws_ami.ubuntu_2004["arm64"].id "20.04" = data.aws_ami.ubuntu_2004["arm64"].id
"22.04" = data.aws_ami.ubuntu_2204["arm64"].id "22.04" = data.aws_ami.ubuntu_2204["arm64"].id
} }
} }
"amd64" = { "amd64" = {
"amzn2" = {
"2" = data.aws_ami.amzn2["x86_64"].id
}
"leap" = {
"15.4" = data.aws_ami.leap_154.id
"15.5" = data.aws_ami.leap_155.id
}
"rhel" = { "rhel" = {
"7.9" = data.aws_ami.rhel_79.id "8.9" = data.aws_ami.rhel_89["x86_64"].id
"8.8" = data.aws_ami.rhel_88["x86_64"].id "9.3" = data.aws_ami.rhel_93["x86_64"].id
"9.1" = data.aws_ami.rhel_91["x86_64"].id }
"sles" = {
"v15_sp5_standard" = data.aws_ami.sles_15_sp5_standard["x86_64"].id
} }
"ubuntu" = { "ubuntu" = {
"18.04" = data.aws_ami.ubuntu_1804["x86_64"].id "18.04" = data.aws_ami.ubuntu_1804["x86_64"].id
@@ -98,13 +121,14 @@ data "aws_ami" "ubuntu_2204" {
owners = [local.canonical_owner_id] owners = [local.canonical_owner_id]
} }
data "aws_ami" "rhel_79" { data "aws_ami" "rhel_89" {
most_recent = true most_recent = true
for_each = local.architectures
# Currently latest latest point release-1 # Currently latest latest point release-1
filter { filter {
name = "name" name = "name"
values = ["RHEL-7.9*HVM-20*"] values = ["RHEL-8.9*HVM-20*"]
} }
filter { filter {
@@ -114,56 +138,105 @@ data "aws_ami" "rhel_79" {
filter { filter {
name = "architecture" name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
}
data "aws_ami" "rhel_93" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-9.3*HVM-20*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
}
data "aws_ami" "amzn2" {
most_recent = true
for_each = local.architectures
filter {
name = "name"
values = ["amzn2-ami-ecs-hvm-2.0*"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.amzn2_owner_id]
}
data "aws_ami" "sles_15_sp5_standard" {
most_recent = true
for_each = local.architectures
filter {
name = "name"
values = ["suse-sles-15-sp5-v*-hvm-*"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.sles_owner_id]
}
data "aws_ami" "leap_154" {
most_recent = true
filter {
name = "name"
values = ["openSUSE-Leap-15.4*"]
}
filter {
name = "architecture"
# Note: arm64 AMIs are offered for Leap 15.5, but not 15.4. For now we will
# only use x86_64 for both in order to not introduce complexity in our matrix
# exclusions.
values = ["x86_64"] values = ["x86_64"]
} }
owners = [local.rhel_owner_id] owners = [local.suse_owner_id]
} }
data "aws_ami" "rhel_88" { data "aws_ami" "leap_155" {
most_recent = true most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter { filter {
name = "name" name = "name"
values = ["RHEL-8.8*HVM-20*"] values = ["openSUSE-Leap-15.5*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
} }
filter { filter {
name = "architecture" name = "architecture"
values = [each.value] # Note: arm64 AMIs are offered for Leap 15.5, but not 15.4. For now we will
# only use x86_64 for both in order to not introduce complexity in our matrix
# exclusions.
values = ["x86_64"]
} }
owners = [local.rhel_owner_id] owners = [local.suse_owner_id]
}
data "aws_ami" "rhel_91" {
most_recent = true
for_each = local.architectures
# Currently latest latest point release-1
filter {
name = "name"
values = ["RHEL-9.1*HVM-20*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = [each.value]
}
owners = [local.rhel_owner_id]
} }
data "aws_region" "current" {} data "aws_region" "current" {}

61
enos/modules/install_packages/main.tf
View File

@@ -9,6 +9,32 @@ terraform {
} }
} }
locals {
arch = {
"amd64" = "x86_64"
"arm64" = "aarch64"
}
package_manager = {
# Note: though we generally use "amzn2" as our distro name for Amazon Linux 2,
# enos_host_info.hosts[each.key].distro returns "amzn", so that is what we reference here.
"amzn" = "yum"
"opensuse-leap" = "zypper"
"rhel" = "yum"
"sles" = "zypper"
"ubuntu" = "apt"
}
distro_repos = {
# Currently sles is the only distro that requires setting up repos before installing packages
"sles" = {
"15.5" = "https://download.opensuse.org/repositories/network:utilities/SLE_15_SP5/network:utilities.repo"
}
"rhel" = {
"8.9" = "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm"
"9.3" = "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
}
}
}
variable "packages" { variable "packages" {
type = list(string) type = list(string)
default = [] default = []
@@ -34,10 +60,43 @@ variable "retry_interval" {
default = 2 default = 2
} }
resource "enos_remote_exec" "install_packages" { resource "enos_host_info" "hosts" {
for_each = var.hosts
transport = {
ssh = {
host = each.value.public_ip
}
}
}
# Set up repos for each distro (in order to install some packages, some distros
# require us to manually add the repo for that package first)
resource "enos_remote_exec" "distro_repo_setup" {
for_each = var.hosts for_each = var.hosts
environment = { environment = {
DISTRO = enos_host_info.hosts[each.key].distro
DISTRO_REPOS = try(local.distro_repos[enos_host_info.hosts[each.key].distro][enos_host_info.hosts[each.key].distro_version], "__none")
RETRY_INTERVAL = var.retry_interval
TIMEOUT_SECONDS = var.timeout
}
scripts = [abspath("${path.module}/scripts/distro-repo-setup.sh")]
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_remote_exec" "install_packages" {
for_each = var.hosts
depends_on = [enos_remote_exec.distro_repo_setup]
environment = {
PACKAGE_MANAGER = local.package_manager[enos_host_info.hosts[each.key].distro]
PACKAGES = length(var.packages) >= 1 ? join(" ", var.packages) : "__skip" PACKAGES = length(var.packages) >= 1 ? join(" ", var.packages) : "__skip"
RETRY_INTERVAL = var.retry_interval RETRY_INTERVAL = var.retry_interval
TIMEOUT_SECONDS = var.timeout TIMEOUT_SECONDS = var.timeout

57
enos/modules/install_packages/scripts/distro-repo-setup.sh Normal file
View File

@@ -0,0 +1,57 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "$DISTRO" ]] && fail "DISTRO env variable has not been set"
[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
setup_repos() {
# If we don't have any repos on the list for this distro, no action needed.
if [ ${#DISTRO_REPOS[@]} -lt 1 ]; then
echo "DISTRO_REPOS is empty; No repos required for the packages for this Linux distro."
return 0
fi
# Wait for cloud-init to finish so it doesn't race with any of our package installations.
# Note: Amazon Linux 2 throws Python 2.7 errors when running `cloud-init status` as
# non-root user (known bug).
sudo cloud-init status --wait
case $DISTRO in
"sles")
for repo in ${DISTRO_REPOS}; do
sudo zypper addrepo "${repo}"
done
;;
"rhel")
for repo in ${DISTRO_REPOS}; do
sudo rm -r /var/cache/dnf
sudo dnf install -y "${repo}"
sudo dnf update -y --refresh
done
;;
*)
return
;;
esac
}
begin_time=$(date +%s)
end_time=$((begin_time + TIMEOUT_SECONDS))
while [ "$(date +%s)" -lt "$end_time" ]; do
if setup_repos; then
exit 0
fi
sleep "$RETRY_INTERVAL"
done
fail "Timed out waiting for distro repos to install"

70
enos/modules/install_packages/scripts/install-packages.sh
View File

@@ -9,41 +9,75 @@ fail() {
exit 1 exit 1
} }
[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set" [[ -z "${RETRY_INTERVAL}" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set" [[ -z "${TIMEOUT_SECONDS}" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
[[ -z "$PACKAGES" ]] && fail "PACKAGES env variable has not been set" [[ -z "${PACKAGES}" ]] && fail "PACKAGES env variable has not been set"
[[ -z "${PACKAGE_MANAGER}" ]] && fail "PACKAGE_MANAGER env variable has not been set"
install_packages() { install_packages() {
if [ "$PACKAGES" = "__skip" ]; then if [[ "${PACKAGES}" = "__skip" ]]; then
return 0 return 0
fi fi
echo "Installing Dependencies: $PACKAGES" set -x
if [ -f /etc/debian_version ]; then echo "Installing Dependencies: ${PACKAGES}"
# Do our best to make sure that we don't race with cloud-init. Wait a reasonable time until we
# see ec2 in the sources list. Very rarely cloud-init will take longer than we wait. In that case
# we'll just install our packages.
grep ec2 /etc/apt/sources.list || true
cd /tmp # Use the default package manager of the current Linux distro to install packages
case $PACKAGE_MANAGER in
"apt")
sudo apt update sudo apt update
# shellcheck disable=2068 for package in ${PACKAGES}; do
sudo apt install -y ${PACKAGES[@]} if dpkg -s "${package}"; then
continue
else else
cd /tmp echo "Installing ${package}"
# shellcheck disable=2068 sudo apt install -y "${package}"
sudo yum -y install ${PACKAGES[@]}
fi fi
done
;;
"yum")
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
continue
else
echo "Installing ${package}"
sudo yum -y install "${package}"
fi
done
;;
"zypper")
cd /tmp
sudo zypper --gpg-auto-import-keys ref
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
continue
else
echo "Installing ${package}"
sudo zypper --non-interactive install "${package}"
date
fi
sudo zypper search -i
done
;;
*)
fail "No matching package manager provided."
;;
esac
} }
begin_time=$(date +%s) begin_time=$(date +%s)
end_time=$((begin_time + TIMEOUT_SECONDS)) end_time=$((begin_time + TIMEOUT_SECONDS))
while [ "$(date +%s)" -lt "$end_time" ]; do while [[ "$(date +%s)" -lt "${end_time}" ]]; do
if install_packages; then if install_packages; then
exit 0 exit 0
fi fi
sleep "$RETRY_INTERVAL" sleep "${RETRY_INTERVAL}"
done done
fail "Timed out waiting for packages to install" fail "Timed out waiting for packages to install"

5
enos/modules/softhsm_create_vault_keys/main.tf
View File

@@ -25,6 +25,7 @@ locals {
pin = resource.random_string.pin.result pin = resource.random_string.pin.result
aes_label = "vault_hsm_aes_${local.pin}" aes_label = "vault_hsm_aes_${local.pin}"
hmac_label = "vault_hsm_hmac_${local.pin}" hmac_label = "vault_hsm_hmac_${local.pin}"
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
target = tomap({ "1" = var.hosts[0] }) target = tomap({ "1" = var.hosts[0] })
token = "${var.cluster_id}_${local.pin}" token = "${var.cluster_id}_${local.pin}"
} }
@@ -95,10 +96,6 @@ resource "enos_remote_exec" "get_keys" {
} }
} }
locals {
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
}
output "seal_attributes" { output "seal_attributes" {
description = "Seal device specific attributes. Contains all required keys for the seal stanza" description = "Seal device specific attributes. Contains all required keys for the seal stanza"
value = local.seal_attributes value = local.seal_attributes

10
enos/modules/start_vault/main.tf
View File

@@ -52,7 +52,9 @@ locals {
// keys on a machines that have different shared object locations. // keys on a machines that have different shared object locations.
merge( merge(
try({ for key, val in var.seal_attributes : key => val if key != "token_base64" && key != "token_dir" }, {}), try({ for key, val in var.seal_attributes : key => val if key != "token_base64" && key != "token_dir" }, {}),
try({ lib = module.maybe_configure_hsm.lib }, {}) # Note: the below reference has to point to a specific instance of the maybe_configure_hsm
# module (in this case [0]) due to the maybe_configure_hsm module call using `count` to control whether it runs or not.
try({ lib = module.maybe_configure_hsm[0].lib }, {})
), ),
) )
} }
@@ -81,7 +83,9 @@ locals {
}, },
merge( merge(
try({ for key, val in var.seal_attributes_secondary : key => val if key != "token_base64" && key != "token_dir" }, {}), try({ for key, val in var.seal_attributes_secondary : key => val if key != "token_base64" && key != "token_dir" }, {}),
try({ lib = module.maybe_configure_hsm_secondary.lib }, {}) # Note: the below reference has to point to a specific instance of the maybe_configure_hsm_secondary
# module (in this case [0]) due to the maybe_configure_hsm_secondary module call using `count` to control whether it runs or not.
try({ lib = module.maybe_configure_hsm_secondary[0].lib }, {})
), ),
) )
} }
@@ -135,6 +139,7 @@ locals {
# the key data that was passed in via seal attributes. # the key data that was passed in via seal attributes.
module "maybe_configure_hsm" { module "maybe_configure_hsm" {
source = "../softhsm_distribute_vault_keys" source = "../softhsm_distribute_vault_keys"
count = (var.seal_type == "pkcs11" || var.seal_type_secondary == "pkcs11") ? 1 : 0
hosts = var.target_hosts hosts = var.target_hosts
token_base64 = local.token_base64 token_base64 = local.token_base64
@@ -143,6 +148,7 @@ module "maybe_configure_hsm" {
module "maybe_configure_hsm_secondary" { module "maybe_configure_hsm_secondary" {
source = "../softhsm_distribute_vault_keys" source = "../softhsm_distribute_vault_keys"
depends_on = [module.maybe_configure_hsm] depends_on = [module.maybe_configure_hsm]
count = (var.seal_type == "pkcs11" || var.seal_type_secondary == "pkcs11") ? 1 : 0
hosts = var.target_hosts hosts = var.target_hosts
token_base64 = local.token_base64_secondary token_base64 = local.token_base64_secondary

1
enos/modules/target_ec2_fleet/main.tf
View File

@@ -335,4 +335,5 @@ data "aws_instance" "targets" {
for_each = local.instances for_each = local.instances
instance_id = aws_ec2_fleet.targets.fleet_instance_set[0].instance_ids[each.key] instance_id = aws_ec2_fleet.targets.fleet_instance_set[0].instance_ids[each.key]
} }

6
enos/modules/target_ec2_fleet/variables.tf
View File

@@ -26,6 +26,12 @@ variable "common_tags" {
} }
} }
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_mem_min" { variable "instance_mem_min" {
description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)" description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)"
type = number type = number

10
enos/modules/target_ec2_instances/main.tf
View File

@@ -257,3 +257,13 @@ resource "aws_instance" "targets" {
}, },
) )
} }
module "disable_selinux" {
source = "../disable_selinux"
count = var.disable_selinux == true ? 1 : 0
hosts = { for idx in range(var.instance_count) : idx => {
public_ip = aws_instance.targets[idx].public_ip
private_ip = aws_instance.targets[idx].private_ip
} }
}

6
enos/modules/target_ec2_instances/variables.tf
View File

@@ -24,6 +24,12 @@ variable "common_tags" {
default = { "Project" : "vault-ci" } default = { "Project" : "vault-ci" }
} }
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_count" { variable "instance_count" {
description = "The number of target instances to create" description = "The number of target instances to create"
type = number type = number

1
enos/modules/target_ec2_shim/main.tf
View File

@@ -16,6 +16,7 @@ variable "ami_id" { default = null }
variable "cluster_name" { default = null } variable "cluster_name" { default = null }
variable "cluster_tag_key" { default = null } variable "cluster_tag_key" { default = null }
variable "common_tags" { default = null } variable "common_tags" { default = null }
variable "disable_selinux" { default = true }
variable "instance_count" { default = 3 } variable "instance_count" { default = 3 }
variable "instance_cpu_max" { default = null } variable "instance_cpu_max" { default = null }
variable "instance_cpu_min" { default = null } variable "instance_cpu_min" { default = null }

10
enos/modules/target_ec2_spot_fleet/main.tf
View File

@@ -454,3 +454,13 @@ data "aws_instance" "targets" {
instance_id = data.aws_instances.targets.ids[each.key] instance_id = data.aws_instances.targets.ids[each.key]
} }
module "disable_selinux" {
source = "../disable_selinux"
count = var.disable_selinux == true ? 1 : 0
hosts = { for idx in range(var.instance_count) : idx => {
public_ip = aws_instance.targets[idx].public_ip
private_ip = aws_instance.targets[idx].private_ip
} }
}

6
enos/modules/target_ec2_spot_fleet/variables.tf
View File

@@ -26,6 +26,12 @@ variable "common_tags" {
} }
} }
variable "disable_selinux" {
description = "Optionally disable SELinux for certain distros/versions"
type = bool
default = true
}
variable "instance_mem_min" { variable "instance_mem_min" {
description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)" description = "The minimum amount of memory in mebibytes for each instance in the fleet. (1 MiB = 1024 bytes)"
type = number type = number

47
enos/modules/vault_cluster/main.tf
View File

@@ -37,6 +37,13 @@ locals {
"pkcs11" = null "pkcs11" = null
} }
leader = toset(slice(local.instances, 0, 1)) leader = toset(slice(local.instances, 0, 1))
netcat_command = {
amzn = "nc"
opensuse-leap = "netcat"
rhel = "nc"
sles = "nc"
ubuntu = "netcat"
}
recovery_shares = { recovery_shares = {
"awskms" = 5 "awskms" = 5
"shamir" = null "shamir" = null
@@ -50,6 +57,16 @@ locals {
vault_service_user = "vault" vault_service_user = "vault"
} }
resource "enos_host_info" "hosts" {
for_each = var.target_hosts
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_bundle_install" "consul" { resource "enos_bundle_install" "consul" {
for_each = { for_each = {
for idx, host in var.target_hosts : idx => var.target_hosts[idx] for idx, host in var.target_hosts : idx => var.target_hosts[idx]
@@ -66,8 +83,21 @@ resource "enos_bundle_install" "consul" {
} }
} }
# We run install_packages before we install Vault because for some combinations of
# certain Linux distros and artifact types (e.g. SLES and RPM packages), there may
# be packages that are required to perform Vault installation (e.g. openssl).
module "install_packages" {
source = "../install_packages"
hosts = var.target_hosts
packages = var.packages
}
resource "enos_bundle_install" "vault" { resource "enos_bundle_install" "vault" {
for_each = var.target_hosts for_each = var.target_hosts
depends_on = [
module.install_packages, // Don't race for the package manager locks with install_packages
]
destination = var.install_dir destination = var.install_dir
release = var.release == null ? var.release : merge({ product = "vault" }, var.release) release = var.release == null ? var.release : merge({ product = "vault" }, var.release)
@@ -81,22 +111,17 @@ resource "enos_bundle_install" "vault" {
} }
} }
module "install_packages" {
source = "../install_packages"
depends_on = [
enos_bundle_install.vault, // Don't race for the package manager locks with vault install
]
hosts = var.target_hosts
packages = var.packages
}
resource "enos_consul_start" "consul" { resource "enos_consul_start" "consul" {
for_each = enos_bundle_install.consul for_each = enos_bundle_install.consul
bin_path = local.consul_bin_path bin_path = local.consul_bin_path
data_dir = var.consul_data_dir data_dir = var.consul_data_dir
config = { config = {
# GetPrivateInterfaces is a go-sockaddr template that helps Consul get the correct
# addr in all of our default cases. This is required in the case of Amazon Linux,
# because amzn2 has a default docker listener that will make Consul try to use the
# incorrect addr.
bind_addr = "{{ GetPrivateInterfaces | include \"type\" \"IP\" | sort \"default\" | limit 1 | attr \"address\"}}"
data_dir = var.consul_data_dir data_dir = var.consul_data_dir
datacenter = "dc1" datacenter = "dc1"
retry_join = ["provider=aws tag_key=${var.backend_cluster_tag_key} tag_value=${var.backend_cluster_name}"] retry_join = ["provider=aws tag_key=${var.backend_cluster_tag_key} tag_value=${var.backend_cluster_name}"]
@@ -122,6 +147,7 @@ module "start_vault" {
depends_on = [ depends_on = [
enos_consul_start.consul, enos_consul_start.consul,
module.install_packages,
enos_bundle_install.vault, enos_bundle_install.vault,
] ]
@@ -307,6 +333,7 @@ resource "enos_remote_exec" "start_audit_socket_listener" {
]) ])
environment = { environment = {
NETCAT_COMMAND = local.netcat_command[enos_host_info.hosts[each.key].distro]
SOCKET_PORT = local.audit_socket_port SOCKET_PORT = local.audit_socket_port
} }

2
enos/modules/vault_cluster/scripts/enable-audit-devices.sh
View File

@@ -1,4 +1,4 @@
#!/bin/env bash #!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1 # SPDX-License-Identifier: BUSL-1.1

10
enos/modules/vault_cluster/scripts/start-audit-socket-listener.sh
View File

@@ -1,4 +1,4 @@
#!/bin/env bash #!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1 # SPDX-License-Identifier: BUSL-1.1
@@ -9,18 +9,19 @@ fail() {
exit 1 exit 1
} }
[[ -z "$NETCAT_COMMAND" ]] && fail "NETCAT_COMMAND env variable has not been set"
[[ -z "$SOCKET_PORT" ]] && fail "SOCKET_PORT env variable has not been set" [[ -z "$SOCKET_PORT" ]] && fail "SOCKET_PORT env variable has not been set"
socket_listener_procs() { socket_listener_procs() {
pgrep -x nc pgrep -x "${NETCAT_COMMAND}"
} }
kill_socket_listener() { kill_socket_listener() {
pkill nc pkill "${NETCAT_COMMAND}"
} }
test_socket_listener() { test_socket_listener() {
nc -zvw 2 127.0.0.1 "$SOCKET_PORT" < /dev/null "${NETCAT_COMMAND}" -zvw 2 127.0.0.1 "$SOCKET_PORT" < /dev/null
} }
start_socket_listener() { start_socket_listener() {
@@ -42,6 +43,7 @@ read_log() {
} }
main() { main() {
if socket_listener_procs; then if socket_listener_procs; then
# Clean up old nc's that might not be working # Clean up old nc's that might not be working
kill_socket_listener kill_socket_listener

8
enos/modules/vault_cluster/variables.tf
View File

@@ -100,6 +100,12 @@ variable "consul_release" {
} }
} }
variable "distro_version" {
type = string
description = "The Linux distro version"
default = null
}
variable "enable_audit_devices" { variable "enable_audit_devices" {
description = "If true every audit device will be enabled" description = "If true every audit device will be enabled"
type = bool type = bool
@@ -120,7 +126,7 @@ variable "initialize_cluster" {
variable "install_dir" { variable "install_dir" {
type = string type = string
description = "The directory where the vault binary will be installed" description = "The directory where the Vault binary will be installed"
default = "/opt/vault/bin" default = "/opt/vault/bin"
} }

2
enos/modules/vault_verify_raft_auto_join_voter/scripts/verify-raft-auto-join-voter.sh
View File

@@ -47,4 +47,4 @@ export VAULT_ADDR='http://127.0.0.1:8200'
# Retry a few times because it can take some time for things to settle after # Retry a few times because it can take some time for things to settle after
# all the nodes are unsealed # all the nodes are unsealed
retry 7 check_voter_status retry 10 check_voter_status