scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
174da88b9dda59267dae73007f6ecda49d7f634a
vault/enos/modules/softhsm_create_vault_keys/main.tf
Ryan Cragun 174da88b9d VAULT-28146: Add IPV6 support to enos scenarios (#27884) 
* VAULT-28146: Add IPV6 support to enos scenarios

Add support for testing all raft storage scenarios and variants when
running Vault with IPV6 networking. We retain our previous support for
IPV4 and create a new variant `ip_version` which can be used to
configure the IP version that we wish to test with.

It's important to note that the VPC in IPV6 mode is technically mixed
and that target machines still associate public IPV6 addresses. That
allows us to execute our resources against them from IPV4 networks like
developer machines and CI runners. Despite that, we've taken care to
ensure that only IPV6 addresses are used in IPV6 mode.

Because we previously had assumed the IP Version, Vault address, and
listener ports in so many places, this PR is essentially a rewrite and
removal of those assumptions. There are also a few places where
improvements to scenarios have been included as I encountered them while
working on the IPV6 changes.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-07-30 11:00:27 -06:00

130 lines
3.1 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}
variable "cluster_id" {
type = string
}
variable "hosts" {
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
description = "The hosts that will have access to the softhsm"
}
locals {
pin = resource.random_string.pin.result
aes_label = "vault_hsm_aes_${local.pin}"
hmac_label = "vault_hsm_hmac_${local.pin}"
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
target = tomap({ "1" = var.hosts[0] })
token = "${var.cluster_id}_${local.pin}"
}
resource "random_string" "pin" {
length = 5
lower = true
upper = false
numeric = true
special = false
}
module "install" {
source = "../softhsm_install"
hosts = local.target
include_tools = true # make sure opensc is also installed as we need it to create keys
}
module "initialize" {
source = "../softhsm_init"
depends_on = [module.install]
hosts = local.target
}
// Create our keys. Our stdout contains the requried the values for the pksc11 seal stanza
// as JSON. https://developer.hashicorp.com/vault/docs/configuration/seal/pkcs11#pkcs11-parameters
resource "enos_remote_exec" "create_keys" {
depends_on = [
module.install,
module.initialize,
]
environment = {
AES_LABEL = local.aes_label
HMAC_LABEL = local.hmac_label
PIN = resource.random_string.pin.result
TOKEN_DIR = module.initialize.token_dir
TOKEN_LABEL = local.token
SO_PIN = resource.random_string.pin.result
}
scripts = [abspath("${path.module}/scripts/create-keys.sh")]
transport = {
ssh = {
host = var.hosts[0].public_ip
}
}
}
// Get our softhsm token. Stdout is a base64 encoded gzipped tarball of the softhsm token dir. This
// allows us to pass around binary data inside of Terraform's type system.
resource "enos_remote_exec" "get_keys" {
depends_on = [enos_remote_exec.create_keys]
environment = {
TOKEN_DIR = module.initialize.token_dir
}
scripts = [abspath("${path.module}/scripts/get-keys.sh")]
transport = {
ssh = {
host = var.hosts[0].public_ip
}
}
}
output "seal_attributes" {
description = "Seal device specific attributes. Contains all required keys for the seal stanza"
value = local.seal_attributes
}
output "token_base64" {
description = "The softhsm token and keys gzipped tarball in base64"
value = enos_remote_exec.get_keys.stdout
}
output "token_dir" {
description = "The softhsm directory where tokens and keys are stored"
value = module.initialize.token_dir
}
output "token_label" {
description = "The HSM slot token label"
value = local.token
}
output "all_attributes" {
description = "Seal device specific attributes"
value = merge(
local.seal_attributes,
{
token_base64 = enos_remote_exec.get_keys.stdout,
token_dir = module.initialize.token_dir
},
)
}
Reference in New Issue View Git Blame Copy Permalink