Backport of audit file changes to release/1.14.x (#20985)

command/test-backend/main.go

@@ -0,0 +1 @@
+package test_backend

enos/enos-scenario-agent.hcl

@@ -150,6 +150,7 @@ scenario "agent" {
       storage_backend          = "raft"
       target_hosts             = step.create_vault_cluster_targets.hosts
       unseal_method            = "shamir"
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -244,4 +245,9 @@ scenario "agent" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }

enos/enos-scenario-autopilot.hcl

@@ -164,6 +164,7 @@ scenario "autopilot" {
       }
       target_hosts             = step.create_vault_cluster_targets.hosts
       unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -521,4 +522,9 @@ scenario "autopilot" {
     description = "The Vault cluster public IPs"
     value       = step.upgrade_vault_cluster_with_autopilot.public_ips
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }

enos/enos-scenario-replication.hcl

@@ -194,6 +194,7 @@ scenario "replication" {
       storage_backend          = matrix.primary_backend
       target_hosts             = step.create_primary_cluster_targets.hosts
       unseal_method            = matrix.primary_seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -267,6 +268,7 @@ scenario "replication" {
       storage_backend          = matrix.secondary_backend
       target_hosts             = step.create_secondary_cluster_targets.hosts
       unseal_method            = matrix.secondary_seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -732,4 +734,9 @@ scenario "replication" {
     description = "The Vault updated secondary cluster primaries connection status"
     value       = step.verify_updated_performance_replication.secondary_replication_data_primaries
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_primary_cluster.audit_device_file_path
+  }
 }

enos/enos-scenario-smoke.hcl

@@ -197,6 +197,7 @@ scenario "smoke" {
       storage_backend          = matrix.backend
       target_hosts             = step.create_vault_cluster_targets.hosts
       unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -384,4 +385,9 @@ scenario "smoke" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }

enos/enos-scenario-ui.hcl

@@ -159,6 +159,7 @@ scenario "ui" {
       storage_backend          = matrix.backend
       target_hosts             = step.create_vault_cluster_targets.hosts
       unseal_method            = local.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -243,4 +244,9 @@ scenario "ui" {
     description = "The stdout of the ui tests that ran"
     value       = step.test_ui.ui_test_stdout
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }

enos/enos-scenario-upgrade.hcl

@@ -191,6 +191,7 @@ scenario "upgrade" {
       storage_backend          = matrix.backend
       target_hosts             = step.create_vault_cluster_targets.hosts
       unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -401,4 +402,9 @@ scenario "upgrade" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }

enos/enos-variables.hcl

@@ -200,3 +200,9 @@ variable "ui_run_tests" {
   description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
   default     = true
 }
+
+variable "vault_enable_file_audit_device" {
+  description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
+  type        = bool
+  default     = true
+}

enos/modules/build_local/main.tf

@@ -61,7 +61,7 @@ variable "product_version" {
 }
 
 resource "enos_local_exec" "build" {
-  scripts = ["${path.module}/scripts/build.sh"]
+  scripts = [abspath("${path.module}/scripts/build.sh")]
 
   environment = {
     BUNDLE_PATH = var.bundle_path,

enos/modules/get_local_metadata/main.tf

@@ -10,7 +10,7 @@ terraform {
 }
 
 resource "enos_local_exec" "get_build_date" {
-  scripts = ["${path.module}/scripts/build_date.sh"]
+  scripts = [abspath("${path.module}/scripts/build_date.sh")]
 }
 
 output "build_date" {
@@ -18,7 +18,7 @@ output "build_date" {
 }
 
 resource "enos_local_exec" "get_version" {
-  scripts = ["${path.module}/scripts/version.sh"]
+  scripts = [abspath("${path.module}/scripts/version.sh")]
 }
 
 output "version" {

enos/modules/vault_cluster/main.tf

@@ -61,6 +61,9 @@ locals {
       path    = "vault"
     })
   ]
+  audit_device_file_path = "/var/log/vault_audit.log"
+  vault_service_user     = "vault"
+  enable_audit_device    = var.enable_file_audit_device && var.initialize_cluster
 }
 
 resource "enos_remote_exec" "install_packages" {
@@ -165,7 +168,7 @@ resource "enos_vault_start" "leader" {
   }
   license        = var.license
   manage_service = var.manage_service
-  username       = "vault"
+  username       = local.vault_service_user
   unit_name      = "vault"
 
   transport = {
@@ -204,7 +207,7 @@ resource "enos_vault_start" "followers" {
   }
   license        = var.license
   manage_service = var.manage_service
-  username       = "vault"
+  username       = local.vault_service_user
   unit_name      = "vault"
 
   transport = {
@@ -214,6 +217,31 @@ resource "enos_vault_start" "followers" {
   }
 }
 
+# We need to ensure that the directory used for audit logs is present and accessible to the vault
+# user on all nodes, since logging will only happen on the leader.
+resource "enos_remote_exec" "create_audit_log_dir" {
+  depends_on = [
+    enos_vault_start.followers,
+  ]
+  for_each = toset([
+    for idx, host in toset(local.instances) : idx
+    if local.enable_audit_device
+  ])
+
+  environment = {
+    LOG_FILE_PATH = local.audit_device_file_path
+    SERVICE_USER  = local.vault_service_user
+  }
+
+  scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")]
+
+  transport = {
+    ssh = {
+      host = var.target_hosts[each.value].public_ip
+    }
+  }
+}
+
 resource "enos_vault_init" "leader" {
   depends_on = [
     enos_vault_start.followers,
@@ -258,6 +286,32 @@ resource "enos_vault_unseal" "leader" {
   }
 }
 
+resource "enos_remote_exec" "enable_file_audit_device" {
+  depends_on = [
+    enos_vault_unseal.leader,
+  ]
+  for_each = toset([
+    for idx in local.leader : idx
+    if local.enable_audit_device
+  ])
+
+  environment = {
+    VAULT_TOKEN    = enos_vault_init.leader[each.key].root_token
+    VAULT_ADDR     = "http://127.0.0.1:8200"
+    VAULT_BIN_PATH = local.bin_path
+    LOG_FILE_PATH  = local.audit_device_file_path
+    SERVICE_USER   = local.vault_service_user
+  }
+
+  scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")]
+
+  transport = {
+    ssh = {
+      host = var.target_hosts[each.key].public_ip
+    }
+  }
+}
+
 resource "enos_vault_unseal" "followers" {
   depends_on = [
     enos_vault_init.leader,

enos/modules/vault_cluster/outputs.tf

@@ -53,3 +53,8 @@ output "cluster_name" {
   description = "The Vault cluster name"
   value       = var.cluster_name
 }
+
+output "audit_device_file_path" {
+  description = "The file path for the audit device, if enabled"
+  value       = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
+}

enos/modules/vault_cluster/scripts/create_audit_log_dir.sh

@@ -0,0 +1,8 @@
+#!/bin/env sh
+
+set -eux
+
+LOG_DIR=$(dirname "$LOG_FILE_PATH")
+
+sudo mkdir -p "$LOG_DIR"
+sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"

enos/modules/vault_cluster/scripts/enable_audit_logging.sh

@@ -0,0 +1,5 @@
+#!/bin/env sh
+
+set -eux
+
+$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"

enos/modules/vault_cluster/variables.tf

@@ -174,3 +174,9 @@ variable "unseal_method" {
     error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported."
   }
 }
+
+variable "enable_file_audit_device" {
+  description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
+  type        = bool
+  default     = true
+}

enos/modules/vault_get_cluster_ips/main.tf

@@ -77,7 +77,7 @@ resource "enos_remote_exec" "get_leader_private_ip" {
     VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips)
   }
 
-  scripts = ["${path.module}/scripts/get-leader-private-ip.sh"]
+  scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")]
 
   transport = {
     ssh = {

enos/modules/vault_setup_perf_primary/main.tf

@@ -42,7 +42,7 @@ resource "enos_remote_exec" "configure_pr_primary" {
     vault_install_dir = var.vault_install_dir
   }
 
-  scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"]
+  scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")]
 
   transport = {
     ssh = {

enos/modules/vault_unseal_nodes/main.tf

@@ -48,7 +48,7 @@ resource "enos_remote_exec" "wait_until_sealed" {
     VAULT_INSTALL_DIR = var.vault_install_dir
   }
 
-  scripts = ["${path.module}/scripts/wait-until-sealed.sh"]
+  scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")]
 
   transport = {
     ssh = {
@@ -92,7 +92,7 @@ resource "enos_remote_exec" "unseal_followers" {
     UNSEAL_KEYS       = join(",", var.vault_unseal_keys)
   }
 
-  scripts = ["${path.module}/scripts/unseal-node.sh"]
+  scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
 
   transport = {
     ssh = {
@@ -117,7 +117,7 @@ resource "enos_remote_exec" "unseal_followers_again" {
     UNSEAL_KEYS       = join(",", var.vault_unseal_keys)
   }
 
-  scripts = ["${path.module}/scripts/unseal-node.sh"]
+  scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
 
   transport = {
     ssh = {

enos/modules/vault_verify_performance_replication/main.tf

@@ -59,7 +59,7 @@ resource "enos_remote_exec" "verify_replication_status_on_primary" {
     SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
   }
 
-  scripts = ["${path.module}/scripts/verify-replication-status.sh"]
+  scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
 
   transport = {
     ssh = {
@@ -76,7 +76,7 @@ resource "enos_remote_exec" "verify_replication_status_on_secondary" {
     SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
   }
 
-  scripts = ["${path.module}/scripts/verify-replication-status.sh"]
+  scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
 
   transport = {
     ssh = {

enos/modules/vault_verify_read_data/main.tf

@@ -38,7 +38,7 @@ resource "enos_remote_exec" "verify_kv_on_node" {
     VAULT_INSTALL_DIR = var.vault_install_dir
   }
 
-  scripts = ["${path.module}/scripts/verify-data.sh"]
+  scripts = [abspath("${path.module}/scripts/verify-data.sh")]
 
   transport = {
     ssh = {

enos/modules/vault_verify_write_data/main.tf

@@ -63,7 +63,7 @@ resource "enos_remote_exec" "smoke-enable-secrets-kv" {
     VAULT_INSTALL_DIR = var.vault_install_dir
   }
 
-  scripts = ["${path.module}/scripts/smoke-enable-secrets-kv.sh"]
+  scripts = [abspath("${path.module}/scripts/smoke-enable-secrets-kv.sh")]
 
   transport = {
     ssh = {
@@ -85,7 +85,7 @@ resource "enos_remote_exec" "smoke-write-test-data" {
     TEST_VALUE        = "fire"
   }
 
-  scripts = ["${path.module}/scripts/smoke-write-test-data.sh"]
+  scripts = [abspath("${path.module}/scripts/smoke-write-test-data.sh")]
 
   transport = {
     ssh = {