Backport of audit file changes to release/1.14.x (#20985)

Mike Baum 2023-06-05 11:46:59 -04:00 committed by GitHub
parent df28de636b
commit d323aa33df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 180 additions and 58 deletions


@ -0,0 +1 @@
package test_backend


@ -150,6 +150,7 @@ scenario "agent" {
storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir"
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -244,4 +245,9 @@ scenario "agent" {
description = "The Vault cluster unseal keys hex"
value = step.create_vault_cluster.unseal_keys_hex
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_vault_cluster.audit_device_file_path
}
}


@ -164,6 +164,7 @@ scenario "autopilot" {
}
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -521,4 +522,9 @@ scenario "autopilot" {
description = "The Vault cluster public IPs"
value = step.upgrade_vault_cluster_with_autopilot.public_ips
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_vault_cluster.audit_device_file_path
}
}


@ -194,6 +194,7 @@ scenario "replication" {
storage_backend = matrix.primary_backend
target_hosts = step.create_primary_cluster_targets.hosts
unseal_method = matrix.primary_seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -267,6 +268,7 @@ scenario "replication" {
storage_backend = matrix.secondary_backend
target_hosts = step.create_secondary_cluster_targets.hosts
unseal_method = matrix.secondary_seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -732,4 +734,9 @@ scenario "replication" {
description = "The Vault updated secondary cluster primaries connection status"
value = step.verify_updated_performance_replication.secondary_replication_data_primaries
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_primary_cluster.audit_device_file_path
}
}


@ -197,6 +197,7 @@ scenario "smoke" {
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -384,4 +385,9 @@ scenario "smoke" {
description = "The Vault cluster unseal keys hex"
value = step.create_vault_cluster.unseal_keys_hex
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_vault_cluster.audit_device_file_path
}
}


@ -159,6 +159,7 @@ scenario "ui" {
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = local.seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -243,4 +244,9 @@ scenario "ui" {
description = "The stdout of the ui tests that ran"
value = step.test_ui.ui_test_stdout
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_vault_cluster.audit_device_file_path
}
}


@ -191,6 +191,7 @@ scenario "upgrade" {
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal
enable_file_audit_device = var.vault_enable_file_audit_device
}
}
@ -401,4 +402,9 @@ scenario "upgrade" {
description = "The Vault cluster unseal keys hex"
value = step.create_vault_cluster.unseal_keys_hex
}
output "vault_audit_device_file_path" {
description = "The file path for the file audit device, if enabled"
value = step.create_vault_cluster.audit_device_file_path
}
}


@ -200,3 +200,9 @@ variable "ui_run_tests" {
description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
default = true
}
variable "vault_enable_file_audit_device" {
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
type = bool
default = true
}


@ -61,7 +61,7 @@ variable "product_version" {
}
resource "enos_local_exec" "build" {
scripts = ["${path.module}/scripts/build.sh"]
scripts = [abspath("${path.module}/scripts/build.sh")]
environment = {
BUNDLE_PATH = var.bundle_path,


@ -10,7 +10,7 @@ terraform {
}
resource "enos_local_exec" "get_build_date" {
scripts = ["${path.module}/scripts/build_date.sh"]
scripts = [abspath("${path.module}/scripts/build_date.sh")]
}
output "build_date" {
@ -18,7 +18,7 @@ output "build_date" {
}
resource "enos_local_exec" "get_version" {
scripts = ["${path.module}/scripts/version.sh"]
scripts = [abspath("${path.module}/scripts/version.sh")]
}
output "version" {


@ -61,6 +61,9 @@ locals {
path = "vault"
})
]
audit_device_file_path = "/var/log/vault_audit.log"
vault_service_user = "vault"
enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
}
resource "enos_remote_exec" "install_packages" {
@ -165,7 +168,7 @@ resource "enos_vault_start" "leader" {
}
license = var.license
manage_service = var.manage_service
username = "vault"
username = local.vault_service_user
unit_name = "vault"
transport = {
@ -204,7 +207,7 @@ resource "enos_vault_start" "followers" {
}
license = var.license
manage_service = var.manage_service
username = "vault"
username = local.vault_service_user
unit_name = "vault"
transport = {
@ -214,6 +217,31 @@ resource "enos_vault_start" "followers" {
}
}
# We need to ensure that the directory used for audit logs is present and accessible to the vault
# user on all nodes, since logging will only happen on the leader.
resource "enos_remote_exec" "create_audit_log_dir" {
depends_on = [
enos_vault_start.followers,
]
for_each = toset([
for idx, host in toset(local.instances) : idx
if local.enable_audit_device
])
environment = {
LOG_FILE_PATH = local.audit_device_file_path
SERVICE_USER = local.vault_service_user
}
scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")]
transport = {
ssh = {
host = var.target_hosts[each.value].public_ip
}
}
}
resource "enos_vault_init" "leader" {
depends_on = [
enos_vault_start.followers,
@ -258,6 +286,32 @@ resource "enos_vault_unseal" "leader" {
}
}
resource "enos_remote_exec" "enable_file_audit_device" {
depends_on = [
enos_vault_unseal.leader,
]
for_each = toset([
for idx in local.leader : idx
if local.enable_audit_device
])
environment = {
VAULT_TOKEN = enos_vault_init.leader[each.key].root_token
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_BIN_PATH = local.bin_path
LOG_FILE_PATH = local.audit_device_file_path
SERVICE_USER = local.vault_service_user
}
scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")]
transport = {
ssh = {
host = var.target_hosts[each.key].public_ip
}
}
}
resource "enos_vault_unseal" "followers" {
depends_on = [
enos_vault_init.leader,
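Review bot: The comment above `create_audit_log_dir` gives the wrong reason for running on every node: it says logging only happens on the leader, yet the resource deliberately iterates over all of `local.instances`. A Vault audit device, once enabled, is mounted cluster-wide, so any follower that later takes over leadership must already be able to write to the path; that is why the directory has to exist everywhere. Suggested wording: `# Audit devices are enabled cluster-wide, so every node that may become leader must be able to write the log path; prepare the directory on all nodes.` Separately, `enable_file_audit_device` places the root token in the remote exec environment; if the provider echoes the environment on failure the token could land in the Enos output, which is worth confirming against the provider's behaviour. `enos_vault_init.leader` continues past the hunk.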


@ -53,3 +53,8 @@ output "cluster_name" {
description = "The Vault cluster name"
value = var.cluster_name
}
output "audit_device_file_path" {
description = "The file path for the audit device, if enabled"
value = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
}
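Review bot: The condition in `audit_device_file_path` uses `var.enable_file_audit_device`, while the resources that create the directory and enable the device gate on `local.enable_audit_device`, which additionally requires `var.initialize_cluster`. When the cluster is not initialized the output therefore reports a path that no audit device writes to. Use the same local: `value = local.enable_audit_device ? local.audit_device_file_path : "file audit device not enabled"`. Consumers that want to inspect the file might also prefer `null` over a sentinel string, but that would change the interface of the scenario outputs that pass this value through.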


@ -0,0 +1,8 @@
#!/bin/env sh
set -eux
LOG_DIR=$(dirname "$LOG_FILE_PATH")
sudo mkdir -p "$LOG_DIR"
sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"
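Review bot: With `LOG_FILE_PATH` set to `/var/log/vault_audit.log` (`local.audit_device_file_path` in the module), `LOG_DIR` resolves to `/var/log` itself, so the `chown` hands ownership of the whole system log directory to the service user, which then has write access to every other service's logs on the host. Prefer a dedicated directory such as `/var/log/vault/` for the audit path, or leave the directory alone and prepare only the file: `sudo touch "$LOG_FILE_PATH" && sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_FILE_PATH"`. The `#!/bin/env sh` shebang here and in the enable script assumes `env` lives in `/bin`, which is not the case on every distribution; `#!/usr/bin/env sh` is the portable form if the scripts are ever executed directly rather than handed to an interpreter.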


@ -0,0 +1,5 @@
#!/bin/env sh
set -eux
$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"
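Review bot: The `audit enable` call is not idempotent: re-running this script against a cluster where a device is already mounted at `file/` is rejected by Vault, and `set -e` turns that into a failed apply. Guard it with a listing check: `if ! "$VAULT_BIN_PATH" audit list -format=json | grep -q '"file/"'; then` / `"$VAULT_BIN_PATH" audit enable file file_path="$LOG_FILE_PATH"` / `fi`. Quoting `$VAULT_BIN_PATH` also keeps the invocation intact if the install directory ever contains spaces.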


@ -174,3 +174,9 @@ variable "unseal_method" {
error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported."
}
}
variable "enable_file_audit_device" {
description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
type = bool
default = true
}
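Review bot: The description of `enable_file_audit_device` hard-codes `/var/log/vault_audit.log`, but the path the module actually uses is `local.audit_device_file_path` in main.tf, so the two can drift silently; the scenario-level variable of the same name repeats the literal. Either reference the local in the text, `description = "If true the file audit device will be enabled at local.audit_device_file_path (see main.tf)"`, or promote the path to a variable with that default so the description and the behaviour share one source.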


@ -77,7 +77,7 @@ resource "enos_remote_exec" "get_leader_private_ip" {
VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips)
}
scripts = ["${path.module}/scripts/get-leader-private-ip.sh"]
scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")]
transport = {
ssh = {


@ -42,7 +42,7 @@ resource "enos_remote_exec" "configure_pr_primary" {
vault_install_dir = var.vault_install_dir
}
scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"]
scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")]
transport = {
ssh = {


@ -48,7 +48,7 @@ resource "enos_remote_exec" "wait_until_sealed" {
VAULT_INSTALL_DIR = var.vault_install_dir
}
scripts = ["${path.module}/scripts/wait-until-sealed.sh"]
scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")]
transport = {
ssh = {
@ -92,7 +92,7 @@ resource "enos_remote_exec" "unseal_followers" {
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
}
scripts = ["${path.module}/scripts/unseal-node.sh"]
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
transport = {
ssh = {
@ -117,7 +117,7 @@ resource "enos_remote_exec" "unseal_followers_again" {
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
}
scripts = ["${path.module}/scripts/unseal-node.sh"]
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
transport = {
ssh = {


@ -59,7 +59,7 @@ resource "enos_remote_exec" "verify_replication_status_on_primary" {
SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
}
scripts = ["${path.module}/scripts/verify-replication-status.sh"]
scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
transport = {
ssh = {
@ -76,7 +76,7 @@ resource "enos_remote_exec" "verify_replication_status_on_secondary" {
SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip
}
scripts = ["${path.module}/scripts/verify-replication-status.sh"]
scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")]
transport = {
ssh = {


@ -38,7 +38,7 @@ resource "enos_remote_exec" "verify_kv_on_node" {
VAULT_INSTALL_DIR = var.vault_install_dir
}
scripts = ["${path.module}/scripts/verify-data.sh"]
scripts = [abspath("${path.module}/scripts/verify-data.sh")]
transport = {
ssh = {


@ -63,7 +63,7 @@ resource "enos_remote_exec" "smoke-enable-secrets-kv" {
VAULT_INSTALL_DIR = var.vault_install_dir
}
scripts = ["${path.module}/scripts/smoke-enable-secrets-kv.sh"]
scripts = [abspath("${path.module}/scripts/smoke-enable-secrets-kv.sh")]
transport = {
ssh = {
@ -85,7 +85,7 @@ resource "enos_remote_exec" "smoke-write-test-data" {
TEST_VALUE = "fire"
}
scripts = ["${path.module}/scripts/smoke-write-test-data.sh"]
scripts = [abspath("${path.module}/scripts/smoke-write-test-data.sh")]
transport = {
ssh = {