scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 09:42:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
174da88b9dda59267dae73007f6ecda49d7f634a
vault/enos/modules/softhsm_distribute_vault_keys/main.tf
Ryan Cragun 174da88b9d VAULT-28146: Add IPV6 support to enos scenarios (#27884) 
* VAULT-28146: Add IPV6 support to enos scenarios

Add support for testing all raft storage scenarios and variants when
running Vault with IPV6 networking. We retain our previous support for
IPV4 and create a new variant `ip_version` which can be used to
configure the IP version that we wish to test with.

It's important to note that the VPC in IPV6 mode is technically mixed
and that target machines still associate public IPV6 addresses. That
allows us to execute our resources against them from IPV4 networks like
developer machines and CI runners. Despite that, we've taken care to
ensure that only IPV6 addresses are used in IPV6 mode.

Because we previously had assumed the IP Version, Vault address, and
listener ports in so many places, this PR is essentially a rewrite and
removal of those assumptions. There are also a few places where
improvements to scenarios have been included as I encountered them while
working on the IPV6 changes.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-07-30 11:00:27 -06:00

110 lines
2.6 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
version = ">= 0.4.9"
}
}
}
variable "hosts" {
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
description = "The hosts for whom we'll distribute the softhsm tokens and keys"
}
variable "token_base64" {
type = string
description = "The base64 encoded gzipped tarball of the softhsm token"
}
locals {
// The user/group name for softhsm
softhsm_groups = {
"rhel" = "ods"
"ubuntu" = "softhsm"
}
// Determine if we should skip distribution. If we haven't been passed in a base64 token tarball
// we should short circuit the rest of the module.
skip = var.token_base64 == null || var.token_base64 == "" ? true : false
}
module "install" {
// TODO: Should packages take a string instead of array so we can plan with unknown values that could change?
source = "../softhsm_install"
hosts = var.hosts
include_tools = false # we don't need opensc on machines that did not create the HSM.
}
module "initialize" {
source = "../softhsm_init"
depends_on = [module.install]
hosts = var.hosts
skip = local.skip
}
# In order for the vault service to access our keys we need to deal with ownership of files. Make
# sure we have a vault user on the machine if it doesn't already exist. Our distribution script
# below will handle adding vault to the "softhsm" group and setting ownership of the tokens.
resource "enos_user" "vault" {
for_each = var.hosts
name = "vault"
home_dir = "/etc/vault.d"
shell = "/bin/false"
transport = {
ssh = {
host = each.value.public_ip
}
}
}
// Get the host information so we can ensure that the correct user/group is used for softhsm.
resource "enos_host_info" "hosts" {
for_each = var.hosts
transport = {
ssh = {
host = each.value.public_ip
}
}
}
// Distribute our softhsm token and keys to the given hosts.
resource "enos_remote_exec" "distribute_token" {
for_each = var.hosts
depends_on = [
module.initialize,
enos_user.vault,
enos_host_info.hosts,
]
environment = {
TOKEN_BASE64 = var.token_base64
TOKEN_DIR = module.initialize.token_dir
SOFTHSM_GROUP = local.softhsm_groups[enos_host_info.hosts[each.key].distro]
}
scripts = [abspath("${path.module}/scripts/distribute-token.sh")]
transport = {
ssh = {
host = each.value.public_ip
}
}
}
output "lib" {
value = module.install.lib
}
Reference in New Issue View Git Blame Copy Permalink