scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e3f09b8c6d96b34c7c30c9e4929578e7dd064e5d
vault/enos/modules/softhsm_create_vault_keys/main.tf
Steven Clark e3f09b8c6d Update licensing across various source files - 1.13 (#24675) 
* Fix licensing on various files

* Update packaging to use BUSL-1.1

* Update offset within config_test_helpers.go

 - Fix a test the same way it's been fixed on main/1.15
2024-01-08 12:24:57 -05:00

132 lines
3.0 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
enos = {
source = "app.terraform.io/hashicorp-qti/enos"
}
}
}
variable "cluster_id" {
type = string
}
variable "hosts" {
type = map(object({
private_ip = string
public_ip = string
}))
description = "The hosts that will have access to the softhsm"
}
locals {
pin = resource.random_string.pin.result
aes_label = "vault_hsm_aes_${local.pin}"
hmac_label = "vault_hsm_hmac_${local.pin}"
target = tomap({ "1" = var.hosts[0] })
token = "${var.cluster_id}_${local.pin}"
}
resource "random_string" "pin" {
length = 5
lower = true
upper = false
numeric = true
special = false
}
module "install" {
source = "../softhsm_install"
hosts = local.target
include_tools = true # make sure opensc is also installed as we need it to create keys
}
module "initialize" {
source = "../softhsm_init"
depends_on = [module.install]
hosts = local.target
}
// Create our keys. Our stdout contains the requried the values for the pksc11 seal stanza
// as JSON. https://developer.hashicorp.com/vault/docs/configuration/seal/pkcs11#pkcs11-parameters
resource "enos_remote_exec" "create_keys" {
depends_on = [
module.install,
module.initialize,
]
environment = {
AES_LABEL = local.aes_label
HMAC_LABEL = local.hmac_label
PIN = resource.random_string.pin.result
TOKEN_DIR = module.initialize.token_dir
TOKEN_LABEL = local.token
SO_PIN = resource.random_string.pin.result
}
scripts = [abspath("${path.module}/scripts/create-keys.sh")]
transport = {
ssh = {
host = var.hosts[0].public_ip
}
}
}
// Get our softhsm token. Stdout is a base64 encoded gzipped tarball of the softhsm token dir. This
// allows us to pass around binary data inside of Terraform's type system.
resource "enos_remote_exec" "get_keys" {
depends_on = [enos_remote_exec.create_keys]
environment = {
TOKEN_DIR = module.initialize.token_dir
}
scripts = [abspath("${path.module}/scripts/get-keys.sh")]
transport = {
ssh = {
host = var.hosts[0].public_ip
}
}
}
locals {
seal_attributes = jsondecode(resource.enos_remote_exec.create_keys.stdout)
}
output "seal_attributes" {
description = "Seal device specific attributes. Contains all required keys for the seal stanza"
value = local.seal_attributes
}
output "token_base64" {
description = "The softhsm token and keys gzipped tarball in base64"
value = enos_remote_exec.get_keys.stdout
}
output "token_dir" {
description = "The softhsm directory where tokens and keys are stored"
value = module.initialize.token_dir
}
output "token_label" {
description = "The HSM slot token label"
value = local.token
}
output "all_attributes" {
description = "Seal device specific attributes"
value = merge(
local.seal_attributes,
{
token_base64 = enos_remote_exec.get_keys.stdout,
token_dir = module.initialize.token_dir
},
)
}
Reference in New Issue View Git Blame Copy Permalink