hashicorp · tvo0813 · Jan 27, 2025 · Feb 10, 2025 · Feb 13, 2025
@@ -185,6 +185,8 @@ jobs:
             echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
             echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}"
             echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}"
+            echo "ENOS_VAR_aws_access_key_id=${{ steps.secrets.outputs.aws-access-key-id }}"
+            echo "ENOS_VAR_aws_access_secret_key=${{ steps.secrets.outputs.aws-secret-access-key }}"
             echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}"
             echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}"
             echo "ENOS_VAR_aws_ssh_private_key_path=./support/private_key.pem"

@@ -524,11 +524,14 @@ scenario "smoke" {
     ]
 
     variables {
-      hosts             = step.create_vault_cluster_targets.hosts
-      leader_host       = step.get_vault_cluster_ips.leader_host
-      vault_addr        = step.create_vault_cluster.api_addr_localhost
-      vault_install_dir = global.vault_install_dir[matrix.artifact_type]
-      vault_root_token  = step.create_vault_cluster.root_token
+      hosts                 = step.create_vault_cluster_targets.hosts
+      aws_region            = var.aws_region
+      aws_access_key_id     = var.aws_access_key_id
+      aws_access_secret_key = var.aws_access_secret_key
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+      vault_root_token      = step.create_vault_cluster.root_token
     }
   }
 
@@ -601,6 +604,7 @@ scenario "smoke" {
       hosts             = step.get_vault_cluster_ips.follower_hosts
       vault_addr        = step.create_vault_cluster.api_addr_localhost
       vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+      vault_root_token  = step.create_vault_cluster.root_token
     }
   }
 

@@ -27,6 +27,18 @@ variable "artifactory_repo" {
   default     = "hashicorp-crt-stable-local*"
 }
 
+variable "aws_access_key_id" {
+  description = "The AWS access key id that will be used for testing"
+  type        = string
+  default     = null
+}
+
+variable "aws_access_secret_key" {
+  description = "The AWS secret access key that will be used for testing"
+  type        = string
+  default     = null
+}
+
 variable "aws_region" {
   description = "The AWS region where we'll create infrastructure"
   type        = string

@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+locals {
+  // Variables
+  aws_mount             = "aws"     # aws engine
+  aws_role              = "test-role"
+  aws_region            = var.aws_region
+  aws_access_key_id     = var.aws_access_key_id
+  aws_access_secret_key = var.aws_access_secret_key
+
+  // Output
+  aws_output = {
+    mount             = local.aws_mount
+    role              = local.aws_role
+    region            = local.aws_region
+    access_key_id     = local.aws_access_key_id
+    access_secret_key = local.aws_access_secret_key
+  }
+}
+
+output "aws" {
+  value = local.aws_output
+}
+
+# Enable aws secrets engine
+resource "enos_remote_exec" "secrets_enable_aws_secret" {
+  environment = {
+    ENGINE            = local.aws_mount
+    MOUNT             = local.aws_mount
+    VAULT_ADDR        = var.vault_addr
+    VAULT_TOKEN       = var.vault_root_token
+    VAULT_INSTALL_DIR = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Enable kv secrets engine
+resource "enos_remote_exec" "aws_generate_creds" {
+  depends_on = [enos_remote_exec.secrets_enable_aws_secret]
+  for_each   = var.hosts
+  environment = {
+    AWS_REGION            = local.aws_region
+    AWS_ACCESS_KEY_ID     = local.aws_access_key_id
+    AWS_SECRET_ACCESS_KEY = local.aws_access_secret_key
+    AWS_ROLE              = local.aws_role
+    MOUNT                 = local.aws_mount
+    VAULT_ADDR            = var.vault_addr
+    VAULT_TOKEN           = var.vault_root_token
+    VAULT_INSTALL_DIR     = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/aws-generate-roles.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
@@ -9,6 +9,24 @@ terraform {
   }
 }
 
+variable "aws_region" {
+  type        = string
+  description = "AWS region for aws secrets engine"
+  default     = "us-east-1"
+}
+
+variable "aws_access_key_id" {
+  type        = string
+  description = "AWS access key for aws secrets engine"
+  default     = null
+}
+
+variable "aws_access_secret_key" {
+  type        = string
+  description = "AWS secret access key for aws secrets engine"
+  default     = null
+}
+
 variable "hosts" {
   type = map(object({
     ipv6       = string
@@ -49,5 +67,6 @@ output "state" {
     auth     = local.auth_output
     identity = local.identity_output
     kv       = local.kv_output
+    aws      = local.aws_output
   }
 }
@@ -0,0 +1,27 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# Verify PKI Certificate
+resource "enos_remote_exec" "aws_verify_roles" {
+  for_each = var.hosts
+
+  environment = {
+    AWS_REGION            = var.create_state.aws.region
+    AWS_ACCESS_KEY_ID     = var.create_state.aws.access_key_id
+    AWS_SECRET_ACCESS_KEY = var.create_state.aws.access_secret_key
+    AWS_ROLE              = var.create_state.aws.role
+    MOUNT                 = var.create_state.aws.mount
+    VAULT_ADDR            = var.vault_addr
+    VAULT_TOKEN           = var.vault_root_token
+    VAULT_INSTALL_DIR     = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/aws-verify-roles.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}
+
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+# # -------PKI TESTING
+ MOUNT=aws
+ AWS_REGION=us-east-1
+ AWS_ROLE=test-role
+ VAULT_ADDR=http://127.0.0.1:8200
+ VAULT_INSTALL_DIR=/opt/homebrew/bin
+ VAULT_TOKEN=root
+ vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1  || echo "AWS Engine already enabled!"
+echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|-------|${AWS_SECRET_ACCESS_KEY}|-----\n"
+[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
+[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
+[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
+[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set"
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Configuring Vault AWS"
+"$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key="${AWS_SECRET_ACCESS_KEY}" region=${AWS_REGION} || fail "Cannot set vault AWS credentials"
+
+echo "Setup Vault/AWS role.."
+#"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role"
+"$binpath" write "aws/roles/${AWS_ROLE}" \
+    credential_type=iam_user \
+    policy_document=-<<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:*",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
+echo "Verifying roles list"
+ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]')
+[[ -z "$ROLE" ]] && fail "No AWS roles created!"
+
+echo "Verifying Root Access Key"
+"$binpath" read "${MOUNT}/config/root"
+ROOT_ACCESS_KEY=$("$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key')
+[[ "$ROOT_ACCESS_KEY" != "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID"
+
+## Read role
+#"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+## # -------PKI TESTING
+# MOUNT=aws
+# AWS_ROLE=test-role
+# VAULT_ADDR=http://127.0.0.1:8200
+# VAULT_INSTALL_DIR=/opt/homebrew/bin
+# VAULT_TOKEN=root
+# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1  || echo "AWS Engine already enabled!"
+echo "------------${AWS_REGION}-----------${AWS_ACCESS_KEY_ID}"
+
+[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
+[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
+[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
+[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set"
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Verifying roles list"
+ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]')
+[[ -z "$ROLE" ]] && fail "No AWS roles created!"
+
+echo "Verifying Root Access Key"
+"$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key'
+ROOT_ACCESS_KEY=$("$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key')
+echo "----------------${ROOT_ACCESS_KEY}---------${AWS_ACCESS_KEY_ID}"
+[[ "$ROOT_ACCESS_KEY" != "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID"
+
+# Read role
+"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"