test: wait for nc to be listening before enabling auditor (#23142) (#23150)

Rather than assuming a short sleep will work, we instead wait until netcat is listening on the socket. We've also configured the netcat listener to persist after the first connection, which allows Vault and us to check the connection without the process closing.

As we implemented this we also ran into AWS issues in us-east-1 and us-west-2, so we've changed our deploy regions until those issues are resolved.

Signed-off-by: Ryan Cragun <me@ryan.ec>
This commit is contained in:
Ryan Cragun 2023-09-18 15:10:37 -06:00 committed by GitHub
parent 7cf02909cc
commit 9da2fc4b8b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
132 changed files with 311 additions and 211 deletions


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
regions:
- eu-north-1


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
output "keys" {
value = {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "aws_ssh_public_key" {
description = "The public key to use for the ssh key"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
output "ci_role" {
value = {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
provider "aws" {
region = "us-east-1"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
locals {
// This is the code of the service quota to request a change for. Each adjustable limit has a


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "repository" {
description = "The GitHub repository, either vault or vault-enterprise"


@ -15,8 +15,14 @@ globals {
"ubuntu" = var.ubuntu_distro_version
}
packages = ["jq"]
distro_packages = {
ubuntu = ["netcat"]
rhel = ["nc"]
}
sample_attributes = {
aws_region = ["us-east-1", "us-west-2"]
# aws_region = ["us-east-1", "us-west-2"]
# NOTE(9/18/23): use more expensive regions temporarily until AWS network outage is resolved.
aws_region = ["us-east-2", "us-west-1"]
}
tags = merge({
"Project Name" : var.project_name
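Review bot: The `ubuntu = ["netcat"]` entry in `distro_packages` names a package that on Ubuntu is a metapackage which can resolve to either netcat-openbsd or netcat-traditional, and only the former accepts the `-k` (keep listening) flag that the new enable_audit_devices script relies on; pinning `ubuntu = ["netcat-openbsd"]` removes that ambiguity, assuming the AMIs in use offer that package. The `rhel = ["nc"]` entry presumably resolves to nmap-ncat, which does accept `-k` and `-z`, but that is inferred from the distro, not visible here. A short comment on the map, such as `# must provide an nc that supports -k (persistent listen) and -z (probe); see modules/vault_cluster/scripts/enable_audit_devices`, would tie the package choice to the script that depends on it.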


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
module "autopilot_upgrade_storageconfig" {
source = "./modules/autopilot_upgrade_storageconfig"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
provider "aws" "default" {
region = var.aws_region


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "agent" {
matrix {
@ -109,17 +109,17 @@ scenario "agent" {
}
variables {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_name = step.create_vault_cluster_targets.cluster_name
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path
packages = global.packages
storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir"
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_name = step.create_vault_cluster_targets.cluster_name
enable_audit_devices = var.vault_enable_audit_devices
install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path
packages = concat(global.packages, global.distro_packages[matrix.distro])
storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir"
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "autopilot" {
matrix {
@ -115,15 +115,15 @@ scenario "autopilot" {
cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null
packages = global.packages
packages = concat(global.packages, global.distro_packages[matrix.distro])
release = var.vault_autopilot_initial_release
storage_backend = "raft"
storage_backend_addl_config = {
autopilot_upgrade_version = var.vault_autopilot_initial_release.version
}
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_file_audit_device = var.vault_enable_file_audit_device
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_audit_devices = var.vault_enable_audit_devices
}
}
@ -216,7 +216,7 @@ scenario "autopilot" {
license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = global.packages
packages = concat(global.packages, global.distro_packages[matrix.distro])
root_token = step.create_vault_cluster.root_token
shamir_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
storage_backend = "raft"
@ -224,7 +224,7 @@ scenario "autopilot" {
storage_node_prefix = "upgrade_node"
target_hosts = step.create_vault_cluster_upgrade_targets.hosts
unseal_method = matrix.seal
enable_file_audit_device = var.vault_enable_file_audit_device
enable_audit_devices = var.vault_enable_audit_devices
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "proxy" {
matrix {
@ -101,17 +101,17 @@ scenario "proxy" {
}
variables {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_name = step.create_vault_cluster_targets.cluster_name
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path
packages = global.packages
storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir"
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_name = step.create_vault_cluster_targets.cluster_name
enable_audit_devices = var.vault_enable_audit_devices
install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path
packages = concat(global.packages, global.distro_packages[matrix.distro])
storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir"
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
// The replication scenario configures performance replication between two Vault clusters and verifies
// known_primary_cluster_addrs are updated on secondary Vault cluster with the IP addresses of replaced
@ -239,15 +239,15 @@ scenario "replication" {
edition = var.backend_edition
version = matrix.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.primary_backend
target_hosts = step.create_primary_cluster_targets.hosts
unseal_method = matrix.primary_seal
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = concat(global.packages, global.distro_packages[matrix.distro])
storage_backend = matrix.primary_backend
target_hosts = step.create_primary_cluster_targets.hosts
unseal_method = matrix.primary_seal
}
}
@ -296,15 +296,15 @@ scenario "replication" {
edition = var.backend_edition
version = matrix.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.secondary_backend
target_hosts = step.create_secondary_cluster_targets.hosts
unseal_method = matrix.secondary_seal
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = concat(global.packages, global.distro_packages[matrix.distro])
storage_backend = matrix.secondary_backend
target_hosts = step.create_secondary_cluster_targets.hosts
unseal_method = matrix.secondary_seal
}
}
@ -538,20 +538,20 @@ scenario "replication" {
edition = var.backend_edition
version = matrix.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
force_unseal = matrix.primary_seal == "shamir"
initialize_cluster = false
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = global.packages
root_token = step.create_primary_cluster.root_token
shamir_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : null
storage_backend = matrix.primary_backend
storage_node_prefix = "newprimary_node"
target_hosts = step.create_primary_cluster_additional_targets.hosts
unseal_method = matrix.primary_seal
enable_audit_devices = var.vault_enable_audit_devices
force_unseal = matrix.primary_seal == "shamir"
initialize_cluster = false
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = concat(global.packages, global.distro_packages[matrix.distro])
root_token = step.create_primary_cluster.root_token
shamir_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : null
storage_backend = matrix.primary_backend
storage_node_prefix = "newprimary_node"
target_hosts = step.create_primary_cluster_additional_targets.hosts
unseal_method = matrix.primary_seal
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "smoke" {
matrix {
@ -180,15 +180,15 @@ scenario "smoke" {
edition = var.backend_edition
version = matrix.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
packages = concat(global.packages, global.distro_packages[matrix.distro])
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "ui" {
matrix {
@ -166,13 +166,14 @@ scenario "ui" {
edition = var.backend_edition
version = local.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = local.seal
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path
packages = global.distro_packages["ubuntu"]
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = local.seal
}
}
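Review bot: `packages = global.distro_packages["ubuntu"]` hard-codes the distro and, unlike every other scenario in this commit, omits `global.packages`, so the ui cluster hosts get netcat but not the shared package list. If the ui scenario has no `distro` matrix dimension (it appears to be ubuntu-only, but the matrix block is outside this hunk), `packages = concat(global.packages, global.distro_packages["ubuntu"])` keeps the package set consistent with the agent, proxy, smoke and upgrade scenarios. If leaving out `global.packages` is intentional, a one-line comment saying so would stop the next reader from "fixing" it.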


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "upgrade" {
matrix {
@ -180,14 +180,14 @@ scenario "upgrade" {
edition = var.backend_edition
version = matrix.consul_version
} : null
enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
packages = global.packages
release = var.vault_upgrade_initial_release
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_audit_devices = var.vault_enable_audit_devices
install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null
packages = concat(global.packages, global.distro_packages[matrix.distro])
release = var.vault_upgrade_initial_release
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
}
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform_cli "default" {
plugin_cache_dir = var.terraform_plugin_cache_dir != null ? abspath(var.terraform_plugin_cache_dir) : null


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "artifactory_username" {
type = string
@ -142,8 +142,8 @@ variable "vault_build_date" {
default = ""
}
variable "vault_enable_file_audit_device" {
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
variable "vault_enable_audit_devices" {
description = "If true every audit device will be enabled"
type = bool
default = true
}
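Review bot: The new description `"If true every audit device will be enabled"` says less than the one it replaces, which named the file path; it no longer tells the reader which devices are enabled or that enabling them starts a netcat listener on the target host. Something like `description = "If true the file (/var/log/vault_audit.log), syslog and socket (127.0.0.1:9090, served by a local nc listener) audit devices are enabled"` would carry the information that the enos.vars.hcl comment in this commit already spells out. The same description is used for `enable_audit_devices` in modules/vault_cluster/variables.tf further down this page and should be updated in step.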


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
# artifactory_username is the username to use when testing an artifact stored in artfactory.
# artifactory_username = "yourname@hashicorp.com"
@ -87,9 +87,12 @@
# date to match"
# vault_build_date = "2023-07-07T14:06:37Z" // make ci-get-date for example
# vault_enable_file_audit_device sets whether or not to enable the 'file' audit device. It true it
# will be enabled at the path /var/log/vault_audit.log
# vault_enable_file_audit_device = true
# vault_enable_audit_devices sets whether or not to enable every audit device. It true
# a file audit device will be enabled at the path /var/log/vault_audit.log, the syslog
# audit device will be enabled, and a socket audit device connecting to 127.0.0.1:9090
# will be enabled. The netcat program is run in listening mode to provide an endpoint
# that the socket audit device can connect to.
# vault_enable_audit_devices = true
# vault_install_dir is the directory where the vault binary will be installed on
# the remote machines.
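Review bot: The new comment reads `It true` where `If true` is meant (the typo is carried over from the old text). Suggested wording for that line: `# vault_enable_audit_devices sets whether or not to enable every audit device. If true`. The rest of the comment is a useful description of the three devices and the netcat listener and can stay as written.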


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
module "create_kind_cluster" {
source = "../modules/local_kind_cluster"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
provider "enos" "default" {}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
scenario "k8s" {
matrix {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform "k8s" {
required_version = ">= 1.2.0"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_image_repository" {
description = "The repository for the docker image to load, i.e. hashicorp/vault"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_product_version" {}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_version = ">= 1.2.0"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
output "private_ips" {
description = "Consul cluster target host private_ips"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "cluster_name" {
type = string


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
// Shim module to handle the fact that Vault doesn't actually need a backend module when we use raft.
terraform {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
# Shim module since CRT provided things will use the crt_bundle_path variable
variable "bundle_path" {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -eux -o pipefail


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
data "aws_availability_zones" "available" {
state = "available"


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "vpc_id" {
description = "Created VPC ID"
value = aws_vpc.vpc.id


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "name" {
type = string
default = "vault-ci"


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
locals {
architectures = toset(["arm64", "x86_64"])
canonical_owner_id = "099720109477"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -eu -o pipefail


@ -1,6 +1,6 @@
#!/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -euo pipefail


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_version = ">= 1.0"


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "context_name" {
type = string


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_instance_count" {
type = number


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
# The Vault replication smoke test, documented in


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_instance_count" {
type = number


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_instance_count" {
type = number


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {


@ -1,6 +1,6 @@
#!/usr/bin/env sh
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
# The Vault smoke test to verify the Vault version installed


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_instance_count" {
type = number


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_instance_count" {
type = number


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "file_name" {}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
# We need to specify the provider source in each module until we publish it


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "cluster_name" {
value = local.cluster_name
}


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "ami_id" {
description = "The machine image identifier"
type = string


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
# We need to specify the provider source in each module until we publish it


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "cluster_name" {
value = local.cluster_name
}


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "ami_id" {
description = "The machine image identifier"
type = string


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
# We need to specify the provider source in each module until we publish it


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
# We need to specify the provider source in each module until we publish it


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "cluster_name" {
value = local.cluster_name
}


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "ami_id" {
description = "The machine image identifier"
type = string


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
locals {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
output "url" {


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {
# We need to specify the provider source in each module until we publish it
@ -15,7 +18,7 @@ locals {
audit_device_file_path = "/var/log/vault/vault_audit.log"
bin_path = "${var.install_dir}/vault"
consul_bin_path = "${var.consul_install_dir}/consul"
enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
enable_audit_devices = var.enable_audit_devices && var.initialize_cluster
// In order to get Terraform to plan we have to use collections with keys
// that are known at plan time. In order for our module to work our var.target_hosts
// must be a map with known keys at plan time. Here we're creating locals
@ -277,7 +280,7 @@ resource "enos_remote_exec" "create_audit_log_dir" {
]
for_each = toset([
for idx, host in toset(local.instances) : idx
if var.enable_file_audit_device
if var.enable_audit_devices
])
environment = {
@ -294,14 +297,14 @@ resource "enos_remote_exec" "create_audit_log_dir" {
}
}
resource "enos_remote_exec" "enable_file_audit_device" {
resource "enos_remote_exec" "enable_audit_devices" {
depends_on = [
enos_remote_exec.create_audit_log_dir,
enos_vault_unseal.leader,
]
for_each = toset([
for idx in local.leader : idx
if local.enable_audit_device
if local.enable_audit_devices
])
environment = {


@ -1,6 +1,9 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "audit_device_file_path" {
description = "The file path for the audit device, if enabled"
value = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
value = var.enable_audit_devices ? local.audit_device_file_path : "file audit device not enabled"
}
output "cluster_name" {


@ -1,4 +1,7 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -eux


@ -1,5 +1,35 @@
#!/bin/env sh
#!/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -eux
set -exo pipefail
# Run nc to listen on port 9090 for the socket auditor. We spawn nc
# with nohup to ensure that the listener doesn't expect a SIGHUP and
# thus block the SSH session from exiting or terminating on exit.
# We immediately write to STDIN from /dev/null to give nc an
# immediate EOF so as to not block on expecting STDIN.
nohup nc -kl 9090 &> /dev/null < /dev/null &
# Wait for nc to be listening before we attempt to enable the socket auditor.
retries=3
count=0
until nc -zv 127.0.0.1 9090 &> /dev/null < /dev/null; do
wait=$((2 ** count))
count=$((count + 1))
if [ "$count" -lt "$retries" ]; then
sleep "$wait"
else
echo "Timed out waiting for nc to listen on 127.0.0.1:9090" 1>&2
exit 1
fi
done
sleep 1
# Enable the auditors.
$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"
$VAULT_BIN_PATH audit enable syslog tag="vault" facility="AUTH"
$VAULT_BIN_PATH audit enable socket address="127.0.0.1:9090" || true
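Review bot: `set -exo pipefail` drops the `-u` that the old `set -eux` had, and the script now expands `$VAULT_BIN_PATH` and `$LOG_FILE_PATH` from the environment without any check, so an unset variable silently becomes an empty command or an empty file path instead of a hard failure; `set -euxo pipefail` restores that. The listener `nohup nc -kl 9090 &> /dev/null < /dev/null &` binds every interface on the host although the only client is the socket audit device at 127.0.0.1:9090; `nohup nc -kl 127.0.0.1 9090 &> /dev/null < /dev/null &` keeps the probe endpoint local-only and is what `nc -zv 127.0.0.1 9090` already assumes. The `sleep 1` after the readiness loop is the fixed sleep the commit message says it is replacing and can go once the loop is trusted. Finally, `|| true` on the socket enable swallows the very failure the wait was added to prevent; if best-effort is deliberate, a comment such as `# socket auditor is best-effort: nc availability differs per distro` should say so, otherwise drop it so the scenario fails visibly.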


@ -1,4 +1,7 @@
#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -ex -o pipefail
@ -38,8 +41,8 @@ if [ -f /etc/debian_version ]; then
cd /tmp
retry 5 sudo apt update
retry 5 sudo apt install -y "$${packages[@]}"
retry 5 sudo apt install -y $${packages[@]}
else
cd /tmp
retry 7 sudo yum -y install "$${packages[@]}"
retry 7 sudo yum -y install $${packages[@]}
fi
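Review bot: Removing the quotes around `$${packages[@]}` in both the apt and yum lines makes the expansion subject to word splitting and pathname expansion, which suggests `packages` is now rendered into the template as a single space-separated string rather than a bash array — the hunk does not show where it is assigned. If that is the case, splitting it once explicitly, `read -ra pkgs <<< "$${packages[*]}"`, and then passing `"$${pkgs[@]}"` to both install commands states the intent and avoids a stray glob character in a package name expanding against /tmp. The `if [ -f /etc/debian_version ]` block and the `retry` helper both start outside this hunk.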


@ -1,4 +1,7 @@
#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
license='${license}'
if test $license = "none"; then


@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "artifactory_release" {
type = object({
username = string
@ -93,8 +96,8 @@ variable "consul_release" {
}
}
variable "enable_file_audit_device" {
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
variable "enable_audit_devices" {
description = "If true every audit device will be enabled"
type = bool
default = true
}


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -e


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
terraform {
required_providers {


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
output "ui_test_stderr" {
value = var.ui_run_tests ? enos_local_exec.test_ui[0].stderr : "No std out tests where not run"


@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
set -eux -o pipefail


@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# SPDX-License-Identifier: BUSL-1.1
variable "vault_addr" {
description = "The host address for the vault instance to test"
