Backport of audit file changes to release/1.14.x (#20985)
parent
df28de636b
commit
d323aa33df
|
@ -0,0 +1 @@
|
|||
package test_backend
|
|
@ -150,6 +150,7 @@ scenario "agent" {
|
|||
storage_backend = "raft"
|
||||
target_hosts = step.create_vault_cluster_targets.hosts
|
||||
unseal_method = "shamir"
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -244,4 +245,9 @@ scenario "agent" {
|
|||
description = "The Vault cluster unseal keys hex"
|
||||
value = step.create_vault_cluster.unseal_keys_hex
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_vault_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
|
|
|
@ -164,6 +164,7 @@ scenario "autopilot" {
|
|||
}
|
||||
target_hosts = step.create_vault_cluster_targets.hosts
|
||||
unseal_method = matrix.seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -521,4 +522,9 @@ scenario "autopilot" {
|
|||
description = "The Vault cluster public IPs"
|
||||
value = step.upgrade_vault_cluster_with_autopilot.public_ips
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_vault_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
|
|
|
@ -194,6 +194,7 @@ scenario "replication" {
|
|||
storage_backend = matrix.primary_backend
|
||||
target_hosts = step.create_primary_cluster_targets.hosts
|
||||
unseal_method = matrix.primary_seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -267,6 +268,7 @@ scenario "replication" {
|
|||
storage_backend = matrix.secondary_backend
|
||||
target_hosts = step.create_secondary_cluster_targets.hosts
|
||||
unseal_method = matrix.secondary_seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -732,4 +734,9 @@ scenario "replication" {
|
|||
description = "The Vault updated secondary cluster primaries connection status"
|
||||
value = step.verify_updated_performance_replication.secondary_replication_data_primaries
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_primary_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
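Review bot: The secondary cluster is created with `enable_file_audit_device = var.vault_enable_file_audit_device` just like the primary, but only `step.create_primary_cluster.audit_device_file_path` is surfaced; whoever collects audit logs from a failed replication run has no output telling them where the secondary's log lives. Adding a parallel output keeps the two clusters symmetric: `output "vault_secondary_audit_device_file_path" { value = step.create_secondary_cluster.audit_device_file_path }` with a matching description. The scenario block itself starts well before this hunk.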
|
|
|
@ -197,6 +197,7 @@ scenario "smoke" {
|
|||
storage_backend = matrix.backend
|
||||
target_hosts = step.create_vault_cluster_targets.hosts
|
||||
unseal_method = matrix.seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -384,4 +385,9 @@ scenario "smoke" {
|
|||
description = "The Vault cluster unseal keys hex"
|
||||
value = step.create_vault_cluster.unseal_keys_hex
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_vault_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
|
|
|
@ -159,6 +159,7 @@ scenario "ui" {
|
|||
storage_backend = matrix.backend
|
||||
target_hosts = step.create_vault_cluster_targets.hosts
|
||||
unseal_method = local.seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -243,4 +244,9 @@ scenario "ui" {
|
|||
description = "The stdout of the ui tests that ran"
|
||||
value = step.test_ui.ui_test_stdout
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_vault_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
|
|
|
@ -191,6 +191,7 @@ scenario "upgrade" {
|
|||
storage_backend = matrix.backend
|
||||
target_hosts = step.create_vault_cluster_targets.hosts
|
||||
unseal_method = matrix.seal
|
||||
enable_file_audit_device = var.vault_enable_file_audit_device
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -401,4 +402,9 @@ scenario "upgrade" {
|
|||
description = "The Vault cluster unseal keys hex"
|
||||
value = step.create_vault_cluster.unseal_keys_hex
|
||||
}
|
||||
|
||||
output "vault_audit_device_file_path" {
|
||||
description = "The file path for the file audit device, if enabled"
|
||||
value = step.create_vault_cluster.audit_device_file_path
|
||||
}
|
||||
}
|
||||
|
|
|
@ -200,3 +200,9 @@ variable "ui_run_tests" {
|
|||
description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "vault_enable_file_audit_device" {
|
||||
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
|
|
@ -61,7 +61,7 @@ variable "product_version" {
|
|||
}
|
||||
|
||||
resource "enos_local_exec" "build" {
|
||||
scripts = ["${path.module}/scripts/build.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/build.sh")]
|
||||
|
||||
environment = {
|
||||
BUNDLE_PATH = var.bundle_path,
|
||||
|
|
|
@ -10,7 +10,7 @@ terraform {
|
|||
}
|
||||
|
||||
resource "enos_local_exec" "get_build_date" {
|
||||
scripts = ["${path.module}/scripts/build_date.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/build_date.sh")]
|
||||
}
|
||||
|
||||
output "build_date" {
|
||||
|
@ -18,7 +18,7 @@ output "build_date" {
|
|||
}
|
||||
|
||||
resource "enos_local_exec" "get_version" {
|
||||
scripts = ["${path.module}/scripts/version.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/version.sh")]
|
||||
}
|
||||
|
||||
output "version" {
|
||||
|
|
|
@ -61,6 +61,9 @@ locals {
|
|||
path = "vault"
|
||||
})
|
||||
]
|
||||
audit_device_file_path = "/var/log/vault_audit.log"
|
||||
vault_service_user = "vault"
|
||||
enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
|
||||
}
|
||||
|
||||
resource "enos_remote_exec" "install_packages" {
|
||||
|
@ -165,7 +168,7 @@ resource "enos_vault_start" "leader" {
|
|||
}
|
||||
license = var.license
|
||||
manage_service = var.manage_service
|
||||
username = "vault"
|
||||
username = local.vault_service_user
|
||||
unit_name = "vault"
|
||||
|
||||
transport = {
|
||||
|
@ -204,7 +207,7 @@ resource "enos_vault_start" "followers" {
|
|||
}
|
||||
license = var.license
|
||||
manage_service = var.manage_service
|
||||
username = "vault"
|
||||
username = local.vault_service_user
|
||||
unit_name = "vault"
|
||||
|
||||
transport = {
|
||||
|
@ -214,6 +217,31 @@ resource "enos_vault_start" "followers" {
|
|||
}
|
||||
}
|
||||
|
||||
# We need to ensure that the directory used for audit logs is present and accessible to the vault
|
||||
# user on all nodes, since logging will only happen on the leader.
|
||||
resource "enos_remote_exec" "create_audit_log_dir" {
|
||||
depends_on = [
|
||||
enos_vault_start.followers,
|
||||
]
|
||||
for_each = toset([
|
||||
for idx, host in toset(local.instances) : idx
|
||||
if local.enable_audit_device
|
||||
])
|
||||
|
||||
environment = {
|
||||
LOG_FILE_PATH = local.audit_device_file_path
|
||||
SERVICE_USER = local.vault_service_user
|
||||
}
|
||||
|
||||
scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
host = var.target_hosts[each.value].public_ip
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "enos_vault_init" "leader" {
|
||||
depends_on = [
|
||||
enos_vault_start.followers,
|
||||
|
@ -258,6 +286,32 @@ resource "enos_vault_unseal" "leader" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "enos_remote_exec" "enable_file_audit_device" {
|
||||
depends_on = [
|
||||
enos_vault_unseal.leader,
|
||||
]
|
||||
for_each = toset([
|
||||
for idx in local.leader : idx
|
||||
if local.enable_audit_device
|
||||
])
|
||||
|
||||
environment = {
|
||||
VAULT_TOKEN = enos_vault_init.leader[each.key].root_token
|
||||
VAULT_ADDR = "http://127.0.0.1:8200"
|
||||
VAULT_BIN_PATH = local.bin_path
|
||||
LOG_FILE_PATH = local.audit_device_file_path
|
||||
SERVICE_USER = local.vault_service_user
|
||||
}
|
||||
|
||||
scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
host = var.target_hosts[each.key].public_ip
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "enos_vault_unseal" "followers" {
|
||||
depends_on = [
|
||||
enos_vault_init.leader,
|
||||
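Review bot: `enos_remote_exec.enable_file_audit_device` only waits on `enos_vault_unseal.leader`, and nothing visible in this hunk orders it after `enos_remote_exec.create_audit_log_dir`; the `depends_on` list of `enos_vault_init.leader` is cut off at the end of the hunk, so unless it names `create_audit_log_dir`, `vault audit enable` can run before the directory is owned by the service user and the device will fail to open its file. Making the ordering explicit costs one line: add `enos_remote_exec.create_audit_log_dir,` to the `depends_on` of `enable_file_audit_device`. The comment above `create_audit_log_dir` says logging "will only happen on the leader", which undersells why every node needs the directory: the device is cluster-wide configuration and whichever node becomes active after a failover writes to it — I'd reword it to `# The audit device is enabled once through the active node, but the mount is cluster-wide; whichever node is active after a failover writes the log, so every node needs the directory.` The root token handed to the script via `VAULT_TOKEN` is fine for an ephemeral test cluster, but a one-line comment saying so (and that it must never go on the command line where `set -x` would echo it) would stop someone "fixing" it later.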
|
|
|
@ -53,3 +53,8 @@ output "cluster_name" {
|
|||
description = "The Vault cluster name"
|
||||
value = var.cluster_name
|
||||
}
|
||||
|
||||
output "audit_device_file_path" {
|
||||
description = "The file path for the audit device, if enabled"
|
||||
value = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
|
||||
}
|
||||
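Review bot: `output "audit_device_file_path"` keys on `var.enable_file_audit_device`, but the device is only actually enabled when `local.enable_audit_device` (`var.enable_file_audit_device && var.initialize_cluster`) is true, so a cluster created with `initialize_cluster = false` reports the log path as if auditing were on. Use the same gate the resources use: `value = local.enable_audit_device ? local.audit_device_file_path : "file audit device not enabled"`. Every scenario's `vault_audit_device_file_path` output is fed from this value, so the mismatch would propagate to anything consuming those outputs.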
|
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/env sh
|
||||
|
||||
set -eux
|
||||
|
||||
LOG_DIR=$(dirname "$LOG_FILE_PATH")
|
||||
|
||||
sudo mkdir -p "$LOG_DIR"
|
||||
sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"
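Review bot: With `LOG_FILE_PATH` set to `/var/log/vault_audit.log` (the module's `audit_device_file_path` local), `LOG_DIR` resolves to `/var/log`, so `sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"` hands ownership of the entire system log directory to the vault service user — it can then rename, truncate or symlink-swap other services' logs, and anything that relied on root owning /var/log is weakened, on every node. Scope the ownership to the audit file instead: `sudo touch "$LOG_FILE_PATH"`, `sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_FILE_PATH"`, `sudo chmod 0600 "$LOG_FILE_PATH"` (the file device appends to an existing file), or move the device under its own directory such as /var/log/vault/ so the `chown` of the directory is harmless. Separately, `#!/bin/env sh` is not a standard location for `env` (it is /usr/bin/env on most distributions), so the shebang only works if the enos provider feeds the script to a shell itself; `#!/usr/bin/env sh` is the portable form.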
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/env sh
|
||||
|
||||
set -eux
|
||||
|
||||
$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"
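Review bot: `$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"` is not idempotent — Vault refuses to mount a second audit device at the same `file/` path, so re-running this step against an already-initialised cluster (a retried apply, for instance) fails the whole scenario instead of being a no-op. A guard of the form `"$VAULT_BIN_PATH" audit list 2>/dev/null | grep -q '^file/' || "$VAULT_BIN_PATH" audit enable file file_path="$LOG_FILE_PATH"` makes it safe to repeat. Quoting `"$VAULT_BIN_PATH"` also avoids word-splitting if the install dir ever contains spaces, and a comment noting that the token intentionally arrives via `VAULT_TOKEN` rather than `-token=` (which `set -x` would echo) would protect that property.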
|
|
@ -174,3 +174,9 @@ variable "unseal_method" {
|
|||
error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported."
|
||||
}
|
||||
}
|
||||
|
||||
variable "enable_file_audit_device" {
|
||||
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
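Review bot: The description says the device "will be enabled at the path /var/log/vault_audit.log", but the path is owned by the `audit_device_file_path` local in the module and the device is only enabled when `initialize_cluster` is also true (`local.enable_audit_device`), so the description both duplicates a constant that will drift and overstates when the variable takes effect. Suggest: `description = "If true, and the cluster is initialized by this module, a file audit device is enabled via the leader; the log location is local.audit_device_file_path"`. Since the default is `true`, it is also worth stating that every scenario writes an audit log unless this is overridden.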
|
|
|
@ -77,7 +77,7 @@ resource "enos_remote_exec" "get_leader_private_ip" {
|
|||
VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips)
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/get-leader-private-ip.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|
|
@ -42,7 +42,7 @@ resource "enos_remote_exec" "configure_pr_primary" {
|
|||
vault_install_dir = var.vault_install_dir
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|
|
@ -48,7 +48,7 @@ resource "enos_remote_exec" "wait_until_sealed" {
|
|||
VAULT_INSTALL_DIR = var.vault_install_dir
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/wait-until-sealed.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
@ -92,7 +92,7 @@ resource "enos_remote_exec" "unseal_followers" {
|
|||
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/unseal-node.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
@ -117,7 +117,7 @@ resource "enos_remote_exec" "unseal_followers_again" {
|
|||
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/unseal-node.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|
|
@ -59,7 +59,7 @@ resource "enos_remote_exec" "verify_replication_status_on_primary" {
|
|||
SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/verify-replication-status.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
@ -76,7 +76,7 @@ resource "enos_remote_exec" "verify_replication_status_on_secondary" {
|
|||
SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/verify-replication-status.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|
|
@ -38,7 +38,7 @@ resource "enos_remote_exec" "verify_kv_on_node" {
|
|||
VAULT_INSTALL_DIR = var.vault_install_dir
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/verify-data.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/verify-data.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|
|
@ -63,7 +63,7 @@ resource "enos_remote_exec" "smoke-enable-secrets-kv" {
|
|||
VAULT_INSTALL_DIR = var.vault_install_dir
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/smoke-enable-secrets-kv.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/smoke-enable-secrets-kv.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
@ -85,7 +85,7 @@ resource "enos_remote_exec" "smoke-write-test-data" {
|
|||
TEST_VALUE = "fire"
|
||||
}
|
||||
|
||||
scripts = ["${path.module}/scripts/smoke-write-test-data.sh"]
|
||||
scripts = [abspath("${path.module}/scripts/smoke-write-test-data.sh")]
|
||||
|
||||
transport = {
|
||||
ssh = {
|
||||
|
|