diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml
index ca5f71e0e71b..f8d6f9dcca33 100644
--- a/.github/workflows/test-run-enos-scenario-matrix.yml
+++ b/.github/workflows/test-run-enos-scenario-matrix.yml
@@ -185,6 +185,8 @@ jobs:
 echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
 echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}"
 echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}"
+ echo "ENOS_VAR_aws_access_key_id=${{ steps.secrets.outputs.aws-access-key-id }}"
+ echo "ENOS_VAR_aws_access_secret_key=${{ steps.secrets.outputs.aws-secret-access-key }}"
 echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}"
 echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}"
 echo "ENOS_VAR_aws_ssh_private_key_path=./support/private_key.pem"
diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl
index 90507d7a9849..96845e7a4737 100644
--- a/enos/enos-scenario-smoke.hcl
+++ b/enos/enos-scenario-smoke.hcl
@@ -524,11 +524,14 @@ scenario "smoke" {
 ]
 variables {
- hosts = step.create_vault_cluster_targets.hosts
- leader_host = step.get_vault_cluster_ips.leader_host
- vault_addr = step.create_vault_cluster.api_addr_localhost
- vault_install_dir = global.vault_install_dir[matrix.artifact_type]
- vault_root_token = step.create_vault_cluster.root_token
+ hosts = step.create_vault_cluster_targets.hosts
+ aws_region = var.aws_region
+ aws_access_key_id = var.aws_access_key_id
+ aws_access_secret_key = var.aws_access_secret_key
+ leader_host = step.get_vault_cluster_ips.leader_host
+ vault_addr = step.create_vault_cluster.api_addr_localhost
+ vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+ vault_root_token = step.create_vault_cluster.root_token
 }
 }
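Review bot: The new env name `ENOS_VAR_aws_access_secret_key` inverts AWS's own term for this credential, while the secret it reads is `aws-secret-access-key` and the scripts consume it as `AWS_SECRET_ACCESS_KEY`; `ENOS_VAR_aws_secret_access_key` would keep the three spellings aligned. The same `aws_access_secret_key` name recurs in enos-scenario-smoke.hcl, enos-variables.hcl, create/aws.tf, create/main.tf and read/aws.tf in the hunks below, so a rename has to be done across all of them at once. The echo lines are presumably appended to an env file by a redirect outside the hunk; the enclosing step starts before this hunk.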
@@ -601,6 +604,7 @@ scenario "smoke" {
 hosts = step.get_vault_cluster_ips.follower_hosts
 vault_addr = step.create_vault_cluster.api_addr_localhost
 vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+ vault_root_token = step.create_vault_cluster.root_token
 }
 }
diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl
index 91402071a979..e68a01110852 100644
--- a/enos/enos-variables.hcl
+++ b/enos/enos-variables.hcl
@@ -27,6 +27,18 @@ variable "artifactory_repo" {
 default = "hashicorp-crt-stable-local*"
 }
+variable "aws_access_key_id" {
+ description = "The AWS access key id that will be used for testing"
+ type = string
+ default = null
+}
+
+variable "aws_access_secret_key" {
+ description = "The AWS secret access key that will be used for testing"
+ type = string
+ default = null
+}
+
 variable "aws_region" {
 description = "The AWS region where we'll create infrastructure"
 type = string
diff --git a/enos/modules/verify_secrets_engines/modules/create/aws.tf b/enos/modules/verify_secrets_engines/modules/create/aws.tf
new file mode 100644
index 000000000000..a24150fcf13a
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/modules/create/aws.tf
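Review bot: The two new credential variables in enos-variables.hcl are declared without `sensitive = true`, so the secret access key is handled as an ordinary string wherever the scenario prints or records variable values. Adding `sensitive = true` to both blocks, and to their Terraform copies in enos/modules/verify_secrets_engines/modules/create/main.tf below, keeps the value redacted in plan and apply output; I cannot confirm from this diff that enos honours the flag exactly as Terraform does, so check the enos variable block documentation. With `default = null` a missing credential is only caught by the `[[ -z ]]` checks inside the shell scripts, after infrastructure has been created, rather than at variable validation.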
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+locals {
+ // Variables
+ aws_mount = "aws" # aws engine
+ aws_role = "test-role"
+ aws_region = var.aws_region
+ aws_access_key_id = var.aws_access_key_id
+ aws_access_secret_key = var.aws_access_secret_key
+
+ // Output
+ aws_output = {
+ mount = local.aws_mount
+ role = local.aws_role
+ region = local.aws_region
+ access_key_id = local.aws_access_key_id
+ access_secret_key = local.aws_access_secret_key
+ }
+}
+
+output "aws" {
+ value = local.aws_output
+}
+
+# Enable aws secrets engine
+resource "enos_remote_exec" "secrets_enable_aws_secret" {
+ environment = {
+ ENGINE = local.aws_mount
+ MOUNT = local.aws_mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_TOKEN = var.vault_root_token
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ }
+
+ scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
+
+ transport = {
+ ssh = {
+ host = var.leader_host.public_ip
+ }
+ }
+}
+
+# Enable kv secrets engine
+resource "enos_remote_exec" "aws_generate_creds" {
+ depends_on = [enos_remote_exec.secrets_enable_aws_secret]
+ for_each = var.hosts
+ environment = {
+ AWS_REGION = local.aws_region
+ AWS_ACCESS_KEY_ID = local.aws_access_key_id
+ AWS_SECRET_ACCESS_KEY = local.aws_access_secret_key
+ AWS_ROLE = local.aws_role
+ MOUNT = local.aws_mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_TOKEN = var.vault_root_token
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ }
+
+ scripts = [abspath("${path.module}/../../scripts/aws-generate-roles.sh")]
+
+ transport = {
+ ssh = {
+ host = var.leader_host.public_ip
+ }
+ }
+}
diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf
index 89ca1c80b406..5f33915dc109 100644
--- a/enos/modules/verify_secrets_engines/modules/create/main.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/main.tf
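Review bot: `aws_generate_creds` declares `for_each = var.hosts` but never references `each.value`; its transport targets `var.leader_host.public_ip`, so the root-credential write and role creation in aws-generate-roles.sh run once per host, all against the leader, with identical inputs. Either drop `for_each` or target `each.value.public_ip` as read/aws.tf does. Separately, `output "aws"` exports `access_secret_key`, which is persisted in state and handed to the read module via `create_state`; marking the output `sensitive = true` keeps it out of plan and apply output, and becomes mandatory once the input variables are marked sensitive. The comment `# Enable kv secrets engine` above the resource is a copy-paste leftover and should read `# Configure the aws secrets engine root credentials and create the test role`.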
@@ -9,6 +9,24 @@ terraform {
 }
 }
+variable "aws_region" {
+ type = string
+ description = "AWS region for aws secrets engine"
+ default = "us-east-1"
+}
+
+variable "aws_access_key_id" {
+ type = string
+ description = "AWS access key for aws secrets engine"
+ default = null
+}
+
+variable "aws_access_secret_key" {
+ type = string
+ description = "AWS secret access key for aws secrets engine"
+ default = null
+}
+
 variable "hosts" {
 type = map(object({
 ipv6 = string
@@ -49,5 +67,6 @@ output "state" {
 auth = local.auth_output
 identity = local.identity_output
 kv = local.kv_output
+ aws = local.aws_output
 }
 }
diff --git a/enos/modules/verify_secrets_engines/modules/read/aws.tf b/enos/modules/verify_secrets_engines/modules/read/aws.tf
new file mode 100644
index 000000000000..3e92de67efd4
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/modules/read/aws.tf
@@ -0,0 +1,27 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# Verify PKI Certificate
+resource "enos_remote_exec" "aws_verify_roles" {
+ for_each = var.hosts
+
+ environment = {
+ AWS_REGION = var.create_state.aws.region
+ AWS_ACCESS_KEY_ID = var.create_state.aws.access_key_id
+ AWS_SECRET_ACCESS_KEY = var.create_state.aws.access_secret_key
+ AWS_ROLE = var.create_state.aws.role
+ MOUNT = var.create_state.aws.mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_TOKEN = var.vault_root_token
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ }
+
+ scripts = [abspath("${path.module}/../../scripts/aws-verify-roles.sh")]
+
+ transport = {
+ ssh = {
+ host = each.value.public_ip
+ }
+ }
+}
+
diff --git a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh
new file mode 100755
index 000000000000..472f68923e46
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh
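Review bot: The `# Verify PKI Certificate` comment above `aws_verify_roles` in read/aws.tf is a copy-paste leftover; `# Verify the aws secrets engine role and root access key on each host` describes what the resource does. The environment also ships `AWS_SECRET_ACCESS_KEY` to every host, but as far as the visible part of aws-verify-roles.sh shows the script only checks that the variable is non-empty and compares the access key id, so the secret could be dropped from this resource's environment (and from `create_state`) to narrow where it travels. If a later part of the script does use it, a one-line comment here saying why the read side needs the secret would save the next reader the same question.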
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+ echo "$1" 1>&2
+ exit 1
+}
+
+# # -------PKI TESTING
+ MOUNT=aws
+ AWS_REGION=us-east-1
+ AWS_ROLE=test-role
+ VAULT_ADDR=http://127.0.0.1:8200
+ VAULT_INSTALL_DIR=/opt/homebrew/bin
+ VAULT_TOKEN=root
+ vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!"
+echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|-------|${AWS_SECRET_ACCESS_KEY}|-----\n"
+[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
+[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
+[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
+[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set"
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Configuring Vault AWS"
+"$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key="${AWS_SECRET_ACCESS_KEY}" region=${AWS_REGION} || fail "Cannot set vault AWS credentials"
+
+echo "Setup Vault/AWS role.."
+#"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role" +"$binpath" write "aws/roles/${AWS_ROLE}" \ + credential_type=iam_user \ + policy_document=-<&2 + exit 1 +} + +## # -------PKI TESTING +# MOUNT=aws +# AWS_ROLE=test-role +# VAULT_ADDR=http://127.0.0.1:8200 +# VAULT_INSTALL_DIR=/opt/homebrew/bin +# VAULT_TOKEN=root +# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!" +echo "------------${AWS_REGION}-----------${AWS_ACCESS_KEY_ID}" + +[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set" +[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set" +[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set" +[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set" +[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set" +[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set" +[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set" +[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set" + +binpath=${VAULT_INSTALL_DIR}/vault +test -x "$binpath" || fail "unable to locate vault binary at $binpath" + +export VAULT_FORMAT=json + +echo "Verifying roles list" +ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]') +[[ -z "$ROLE" ]] && fail "No AWS roles created!" + +echo "Verifying Root Access Key" +"$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key' +ROOT_ACCESS_KEY=$("$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key') +echo "----------------${ROOT_ACCESS_KEY}---------${AWS_ACCESS_KEY_ID}" +[[ "$ROOT_ACCESS_KEY" != "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID" + +# Read role +"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"