From d323aa33df57d48cb722ae4e5eb6ffd61eb8899d Mon Sep 17 00:00:00 2001 From: Mike Baum Date: Mon, 5 Jun 2023 11:46:59 -0400 Subject: [PATCH] Backport of audit file changes to release/1.14.x (#20985) --- command/test-backend/main.go | 1 + enos/enos-scenario-agent.hcl | 20 ++++--- enos/enos-scenario-autopilot.hcl | 10 +++- enos/enos-scenario-replication.hcl | 35 ++++++----- enos/enos-scenario-smoke.hcl | 20 ++++--- enos/enos-scenario-ui.hcl | 18 ++++-- enos/enos-scenario-upgrade.hcl | 20 ++++--- enos/enos-variables.hcl | 6 ++ enos/modules/build_local/main.tf | 2 +- enos/modules/get_local_metadata/main.tf | 4 +- enos/modules/vault_cluster/main.tf | 58 ++++++++++++++++++- enos/modules/vault_cluster/outputs.tf | 5 ++ .../scripts/create_audit_log_dir.sh | 8 +++ .../scripts/enable_audit_logging.sh | 5 ++ enos/modules/vault_cluster/variables.tf | 6 ++ enos/modules/vault_get_cluster_ips/main.tf | 2 +- enos/modules/vault_setup_perf_primary/main.tf | 2 +- enos/modules/vault_unseal_nodes/main.tf | 6 +- .../main.tf | 4 +- enos/modules/vault_verify_read_data/main.tf | 2 +- enos/modules/vault_verify_write_data/main.tf | 4 +- 21 files changed, 180 insertions(+), 58 deletions(-) create mode 100644 command/test-backend/main.go create mode 100755 enos/modules/vault_cluster/scripts/create_audit_log_dir.sh create mode 100644 enos/modules/vault_cluster/scripts/enable_audit_logging.sh diff --git a/command/test-backend/main.go b/command/test-backend/main.go new file mode 100644 index 000000000..90ffa4e77 --- /dev/null +++ b/command/test-backend/main.go @@ -0,0 +1 @@ +package test_backend diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl index 7b643ec9a..a0e38ec89 100644 --- a/enos/enos-scenario-agent.hcl +++ b/enos/enos-scenario-agent.hcl 
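Review bot: `package test_backend` uses an underscore in a Go package name, which the Go naming convention avoids; `package testbackend` is the conventional spelling (gofmt accepts either, but golint/staticcheck will flag the underscore). The file is the package's only content and carries no declarations or doc comment, and nothing else in this backport references it, so it reads as an artifact of the backport rather than part of the audit-file change named in the subject. If it has to stay, a package comment such as `// Package test_backend is a placeholder kept for parity with main; it intentionally has no code.` would tell the next reader why an empty package lives under command/.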
@@ -143,13 +143,14 @@ scenario "agent" { config_env_vars = { VAULT_LOG_LEVEL = var.vault_log_level } - install_dir = var.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = "raft" - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = "shamir" + install_dir = var.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = "raft" + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = "shamir" + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -244,4 +245,9 @@ scenario "agent" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl index 3f94652af..cf84ce607 100644 --- a/enos/enos-scenario-autopilot.hcl +++ b/enos/enos-scenario-autopilot.hcl @@ -162,8 +162,9 @@ scenario "autopilot" { storage_backend_addl_config = { autopilot_upgrade_version = var.vault_autopilot_initial_release.version } - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -521,4 +522,9 @@ scenario "autopilot" { description = "The Vault cluster public IPs" value = step.upgrade_vault_cluster_with_autopilot.public_ips } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } 
diff --git a/enos/enos-scenario-replication.hcl b/enos/enos-scenario-replication.hcl index 79a586c1e..9daeef1e3 100644 --- a/enos/enos-scenario-replication.hcl +++ b/enos/enos-scenario-replication.hcl @@ -187,13 +187,14 @@ scenario "replication" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.primary_backend - target_hosts = step.create_primary_cluster_targets.hosts - unseal_method = matrix.primary_seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.primary_backend + target_hosts = step.create_primary_cluster_targets.hosts + unseal_method = matrix.primary_seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -260,13 +261,14 @@ scenario "replication" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.secondary_backend - target_hosts = step.create_secondary_cluster_targets.hosts - unseal_method = matrix.secondary_seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.secondary_backend + target_hosts = step.create_secondary_cluster_targets.hosts + unseal_method = matrix.secondary_seal + enable_file_audit_device = var.vault_enable_file_audit_device } } 
@@ -732,4 +734,9 @@ scenario "replication" { description = "The Vault updated secondary cluster primaries connection status" value = step.verify_updated_performance_replication.secondary_replication_data_primaries } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_primary_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index 24283d486..43e997e20 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl @@ -190,13 +190,14 @@ scenario "smoke" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -384,4 +385,9 @@ scenario "smoke" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-ui.hcl b/enos/enos-scenario-ui.hcl index 3b54dcafd..9cd734a75 100644 --- a/enos/enos-scenario-ui.hcl +++ b/enos/enos-scenario-ui.hcl 
@@ -153,12 +153,13 @@ scenario "ui" { edition = var.backend_edition version = local.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = local.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = local.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -243,4 +244,9 @@ scenario "ui" { description = "The stdout of the ui tests that ran" value = step.test_ui.ui_test_stdout } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index ef6b81923..49109ced3 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl 
@@ -184,13 +184,14 @@ scenario "upgrade" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - packages = local.packages - release = var.vault_upgrade_initial_release - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + packages = local.packages + release = var.vault_upgrade_initial_release + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -401,4 +402,9 @@ scenario "upgrade" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl index 65a43f891..ef445d0a2 100644 --- a/enos/enos-variables.hcl +++ b/enos/enos-variables.hcl @@ -200,3 +200,9 @@ variable "ui_run_tests" { description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run" default = true } + +variable "vault_enable_file_audit_device" { + description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log" + type = bool + default = true +} diff --git a/enos/modules/build_local/main.tf b/enos/modules/build_local/main.tf index c7ee686e3..a55850076 100644 --- a/enos/modules/build_local/main.tf +++ b/enos/modules/build_local/main.tf 
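Review bot: The description of `vault_enable_file_audit_device` hard-codes the path `/var/log/vault_audit.log`, but that path is defined by the vault_cluster module (`local.audit_device_file_path`) and is already surfaced by the `vault_audit_device_file_path` output this commit adds to every scenario, so the two strings will drift silently the first time the local changes. Suggest `description = "If true the file audit device will be enabled on the cluster; its path is reported by the vault_audit_device_file_path output"`. The same hard-coded path appears in the description of `enable_file_audit_device` in enos/modules/vault_cluster/variables.tf and should be reworded the same way.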
@@ -61,7 +61,7 @@ variable "product_version" { } resource "enos_local_exec" "build" {
- scripts = ["${path.module}/scripts/build.sh"]
+ scripts = [abspath("${path.module}/scripts/build.sh")]
 environment = { BUNDLE_PATH = var.bundle_path,
diff --git a/enos/modules/get_local_metadata/main.tf b/enos/modules/get_local_metadata/main.tf
index 29376aa86..1c5dc84be 100644
--- a/enos/modules/get_local_metadata/main.tf
+++ b/enos/modules/get_local_metadata/main.tf
@@ -10,7 +10,7 @@ terraform { } resource "enos_local_exec" "get_build_date" {
- scripts = ["${path.module}/scripts/build_date.sh"]
+ scripts = [abspath("${path.module}/scripts/build_date.sh")]
 } output "build_date" {
@@ -18,7 +18,7 @@ output "build_date" { } resource "enos_local_exec" "get_version" {
- scripts = ["${path.module}/scripts/version.sh"]
+ scripts = [abspath("${path.module}/scripts/version.sh")]
 } output "version" {
diff --git a/enos/modules/vault_cluster/main.tf b/enos/modules/vault_cluster/main.tf
index 08455ca8f..96032d15d 100644
--- a/enos/modules/vault_cluster/main.tf
+++ b/enos/modules/vault_cluster/main.tf
@@ -61,6 +61,9 @@ locals { path = "vault" }) ]
+ audit_device_file_path = "/var/log/vault_audit.log"
+ vault_service_user = "vault"
+ enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
 } resource "enos_remote_exec" "install_packages" {
@@ -165,7 +168,7 @@ resource "enos_vault_start" "leader" { } license = var.license manage_service = var.manage_service
- username = "vault"
+ username = local.vault_service_user
 unit_name = "vault" transport = {
@@ -204,7 +207,7 @@ resource "enos_vault_start" "followers" { } license = var.license manage_service = var.manage_service
- username = "vault"
+ username = local.vault_service_user
 unit_name = "vault" transport = {
@@ -214,6 +217,31 @@ resource "enos_vault_start" "followers" { } }
+# We need to ensure that the directory used for audit logs is present and accessible to the vault
+# user on all nodes, since logging will only happen on the leader.
+resource "enos_remote_exec" "create_audit_log_dir" {
+ depends_on = [
+ enos_vault_start.followers,
+ ]
+ for_each = toset([
+ for idx, host in toset(local.instances) : idx
+ if local.enable_audit_device
+ ])
+
+ environment = {
+ LOG_FILE_PATH = local.audit_device_file_path
+ SERVICE_USER = local.vault_service_user
+ }
+
+ scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")]
+
+ transport = {
+ ssh = {
+ host = var.target_hosts[each.value].public_ip
+ }
+ }
+}
+
 resource "enos_vault_init" "leader" { depends_on = [ enos_vault_start.followers,
@@ -258,6 +286,32 @@ resource "enos_vault_unseal" "leader" { } }
+resource "enos_remote_exec" "enable_file_audit_device" {
+ depends_on = [
+ enos_vault_unseal.leader,
+ ]
+ for_each = toset([
+ for idx in local.leader : idx
+ if local.enable_audit_device
+ ])
+
+ environment = {
+ VAULT_TOKEN = enos_vault_init.leader[each.key].root_token
+ VAULT_ADDR = "http://127.0.0.1:8200"
+ VAULT_BIN_PATH = local.bin_path
+ LOG_FILE_PATH = local.audit_device_file_path
+ SERVICE_USER = local.vault_service_user
+ }
+
+ scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")]
+
+ transport = {
+ ssh = {
+ host = var.target_hosts[each.key].public_ip
+ }
+ }
+}
+
 resource "enos_vault_unseal" "followers" { depends_on = [ enos_vault_init.leader,
diff --git a/enos/modules/vault_cluster/outputs.tf b/enos/modules/vault_cluster/outputs.tf
index 8e72ef446..819962050 100644
--- a/enos/modules/vault_cluster/outputs.tf
+++ b/enos/modules/vault_cluster/outputs.tf
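Review bot: The comment above `create_audit_log_dir` justifies creating the directory on every node with "logging will only happen on the leader", but the actual reason is the opposite: any follower can become leader after a failover (and editions with performance standbys serve and audit requests on standbys too), and audit device configuration is shared by the whole cluster, so every node must be able to write the file. The resource is correct; suggest the comment read `# The audit log directory must exist and be writable by the vault user on every node: the audit device is enabled cluster-wide and any node may become leader.` Separately, `host` in `for idx, host in toset(local.instances) : idx` is unused; the single-symbol form used by the `enable_file_audit_device` resource, `for idx in toset(local.instances) : idx`, reads cleaner, though what `local.instances` holds is outside the hunk and should be checked before changing it.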
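Review bot: `VAULT_TOKEN = enos_vault_init.leader[each.key].root_token` places the cluster root token in the `environment` map of `enable_file_audit_device`; unless the enos provider already marks `root_token` or `environment` as sensitive (not visible from this hunk), the value is printed in plan/apply output and persisted in state alongside the other attributes. Wrapping it, `VAULT_TOKEN = sensitive(enos_vault_init.leader[each.key].root_token)`, redacts it from plan output without changing what the script receives, and is a no-op if the provider already marks it. The script this resource runs is traced with `set -eux`; the trace does not echo the environment, so the token is not written to the trace today, but any future line that puts `$VAULT_TOKEN` on a command line would be, which is worth a short comment on the resource.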
@@ -53,3 +53,8 @@ output "cluster_name" { description = "The Vault cluster name" value = var.cluster_name }
+
+output "audit_device_file_path" {
+ description = "The file path for the audit device, if enabled"
+ value = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
+}
diff --git a/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh b/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh
new file mode 100755
index 000000000..582bfdb14
--- /dev/null
+++ b/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh
@@ -0,0 +1,8 @@
+#!/bin/env sh
+
+set -eux
+
+LOG_DIR=$(dirname "$LOG_FILE_PATH")
+
+sudo mkdir -p "$LOG_DIR"
+sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"
diff --git a/enos/modules/vault_cluster/scripts/enable_audit_logging.sh b/enos/modules/vault_cluster/scripts/enable_audit_logging.sh
new file mode 100644
index 000000000..aa8ae837f
--- /dev/null
+++ b/enos/modules/vault_cluster/scripts/enable_audit_logging.sh
@@ -0,0 +1,5 @@
+#!/bin/env sh
+
+set -eux
+
+$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"
diff --git a/enos/modules/vault_cluster/variables.tf b/enos/modules/vault_cluster/variables.tf
index d7be243e2..5976ff361 100644
--- a/enos/modules/vault_cluster/variables.tf
+++ b/enos/modules/vault_cluster/variables.tf
@@ -174,3 +174,9 @@ variable "unseal_method" { error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported." } }
+
+variable "enable_file_audit_device" {
+ description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
+ type = bool
+ default = true
+}
diff --git a/enos/modules/vault_get_cluster_ips/main.tf b/enos/modules/vault_get_cluster_ips/main.tf
index d627e2454..25a890210 100644
--- a/enos/modules/vault_get_cluster_ips/main.tf
+++ b/enos/modules/vault_get_cluster_ips/main.tf
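Review bot: The new `audit_device_file_path` output switches on `var.enable_file_audit_device`, but the resources that actually enable the device (`create_audit_log_dir` and `enable_file_audit_device` in main.tf) are gated on `local.enable_audit_device = var.enable_file_audit_device && var.initialize_cluster`, so with `initialize_cluster = false` the output reports a file path for a device this module never enabled. Use the same condition: `value = local.enable_audit_device ? local.audit_device_file_path : "file audit device not enabled"`. The scenario outputs that forward this value (the `vault_audit_device_file_path` outputs added in each enos-scenario-*.hcl) inherit the fix.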
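Review bot: `sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"` changes the owner of the whole parent directory, and with `LOG_FILE_PATH` set to `/var/log/vault_audit.log` (the `audit_device_file_path` local in vault_cluster/main.tf) that directory is `/var/log`, so the vault service account becomes owner of every other service's logs on the host and can rename or remove them. The file audit device only needs to open its own file for append, so create and hand over just that file: `sudo touch "$LOG_FILE_PATH"`, `sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_FILE_PATH"`, `sudo chmod 0600 "$LOG_FILE_PATH"` (keep the `mkdir -p` for non-default paths); the alternative is to point the local at a dedicated subdirectory (a constructed example: `/var/log/vault/vault_audit.log`) and chown only that subdirectory. Both this script and enable_audit_logging.sh start with `#!/bin/env sh`; `env` conventionally lives at `/usr/bin/env` and `/bin/env` only resolves on distributions with a merged `/usr`, so `#!/usr/bin/env sh` is the portable form — whether enos honours the shebang or invokes the scripts through a shell is not visible here.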
@@ -77,7 +77,7 @@ resource "enos_remote_exec" "get_leader_private_ip" { VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips) } - scripts = ["${path.module}/scripts/get-leader-private-ip.sh"] + scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")] transport = { ssh = { diff --git a/enos/modules/vault_setup_perf_primary/main.tf b/enos/modules/vault_setup_perf_primary/main.tf index 75e998eb3..268a5323c 100644 --- a/enos/modules/vault_setup_perf_primary/main.tf +++ b/enos/modules/vault_setup_perf_primary/main.tf @@ -42,7 +42,7 @@ resource "enos_remote_exec" "configure_pr_primary" { vault_install_dir = var.vault_install_dir } - scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"] + scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")] transport = { ssh = { diff --git a/enos/modules/vault_unseal_nodes/main.tf b/enos/modules/vault_unseal_nodes/main.tf index b353fa8a5..b8b86b3ba 100644 --- a/enos/modules/vault_unseal_nodes/main.tf +++ b/enos/modules/vault_unseal_nodes/main.tf @@ -48,7 +48,7 @@ resource "enos_remote_exec" "wait_until_sealed" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/wait-until-sealed.sh"] + scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")] transport = { ssh = { @@ -92,7 +92,7 @@ resource "enos_remote_exec" "unseal_followers" { UNSEAL_KEYS = join(",", var.vault_unseal_keys) } - scripts = ["${path.module}/scripts/unseal-node.sh"] + scripts = [abspath("${path.module}/scripts/unseal-node.sh")] transport = { ssh = { @@ -117,7 +117,7 @@ resource "enos_remote_exec" "unseal_followers_again" { UNSEAL_KEYS = join(",", var.vault_unseal_keys) } - scripts = ["${path.module}/scripts/unseal-node.sh"] + scripts = [abspath("${path.module}/scripts/unseal-node.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_performance_replication/main.tf b/enos/modules/vault_verify_performance_replication/main.tf index 36848f7ad..6604f8c12 100644 
--- a/enos/modules/vault_verify_performance_replication/main.tf +++ b/enos/modules/vault_verify_performance_replication/main.tf @@ -59,7 +59,7 @@ resource "enos_remote_exec" "verify_replication_status_on_primary" { SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip } - scripts = ["${path.module}/scripts/verify-replication-status.sh"] + scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")] transport = { ssh = { @@ -76,7 +76,7 @@ resource "enos_remote_exec" "verify_replication_status_on_secondary" { SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip } - scripts = ["${path.module}/scripts/verify-replication-status.sh"] + scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_read_data/main.tf b/enos/modules/vault_verify_read_data/main.tf index 853c9cbc3..8a4d7ea7a 100644 --- a/enos/modules/vault_verify_read_data/main.tf +++ b/enos/modules/vault_verify_read_data/main.tf @@ -38,7 +38,7 @@ resource "enos_remote_exec" "verify_kv_on_node" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/verify-data.sh"] + scripts = [abspath("${path.module}/scripts/verify-data.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_write_data/main.tf b/enos/modules/vault_verify_write_data/main.tf index c17a094b5..2369e51dd 100644 --- a/enos/modules/vault_verify_write_data/main.tf +++ b/enos/modules/vault_verify_write_data/main.tf @@ -63,7 +63,7 @@ resource "enos_remote_exec" "smoke-enable-secrets-kv" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/smoke-enable-secrets-kv.sh"] + scripts = [abspath("${path.module}/scripts/smoke-enable-secrets-kv.sh")] transport = { ssh = { 
@@ -85,7 +85,7 @@ resource "enos_remote_exec" "smoke-write-test-data" { TEST_VALUE = "fire" } - scripts = ["${path.module}/scripts/smoke-write-test-data.sh"] + scripts = [abspath("${path.module}/scripts/smoke-write-test-data.sh")] transport = { ssh = {