backport of commit 0115b5e (hashicorp#20963)

Co-authored-by: Mike Baum <mike.baum@hashicorp.com>
fopina · Jun 2, 2023 · 1720d31 · 1720d31
1 parent f06b721
commit 1720d31
Show file tree

Hide file tree

Showing 21 changed files with 179 additions and 58 deletions.
diff --git a/command/test-backend/main.go b/command/test-backend/main.go
@@ -0,0 +1 @@
+package test_backend
diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl
@@ -140,13 +140,14 @@ scenario "agent" {
       config_env_vars = {
         VAULT_LOG_LEVEL = var.vault_log_level
       }
-      install_dir         = var.vault_install_dir
-      license             = matrix.edition != "oss" ? step.read_license.license : null
-      local_artifact_path = local.bundle_path
-      packages            = local.packages
-      storage_backend     = "raft"
-      target_hosts        = step.create_vault_cluster_targets.hosts
-      unseal_method       = "shamir"
+      install_dir              = var.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      local_artifact_path      = local.bundle_path
+      packages                 = local.packages
+      storage_backend          = "raft"
+      target_hosts             = step.create_vault_cluster_targets.hosts
+      unseal_method            = "shamir"
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -241,4 +242,9 @@ scenario "agent" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl
@@ -159,8 +159,9 @@ scenario "autopilot" {
       storage_backend_addl_config = {
         autopilot_upgrade_version = var.vault_autopilot_initial_release.version
       }
-      target_hosts  = step.create_vault_cluster_targets.hosts
-      unseal_method = matrix.seal
+      target_hosts             = step.create_vault_cluster_targets.hosts
+      unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -518,4 +519,9 @@ scenario "autopilot" {
     description = "The Vault cluster public IPs"
     value       = step.upgrade_vault_cluster_with_autopilot.public_ips
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-scenario-replication.hcl b/enos/enos-scenario-replication.hcl
@@ -184,13 +184,14 @@ scenario "replication" {
         edition = var.backend_edition
         version = matrix.consul_version
       } : null
-      install_dir         = local.vault_install_dir
-      license             = matrix.edition != "oss" ? step.read_license.license : null
-      local_artifact_path = local.bundle_path
-      packages            = local.packages
-      storage_backend     = matrix.primary_backend
-      target_hosts        = step.create_primary_cluster_targets.hosts
-      unseal_method       = matrix.primary_seal
+      install_dir              = local.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      local_artifact_path      = local.bundle_path
+      packages                 = local.packages
+      storage_backend          = matrix.primary_backend
+      target_hosts             = step.create_primary_cluster_targets.hosts
+      unseal_method            = matrix.primary_seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -257,13 +258,14 @@ scenario "replication" {
         edition = var.backend_edition
         version = matrix.consul_version
       } : null
-      install_dir         = local.vault_install_dir
-      license             = matrix.edition != "oss" ? step.read_license.license : null
-      local_artifact_path = local.bundle_path
-      packages            = local.packages
-      storage_backend     = matrix.secondary_backend
-      target_hosts        = step.create_secondary_cluster_targets.hosts
-      unseal_method       = matrix.secondary_seal
+      install_dir              = local.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      local_artifact_path      = local.bundle_path
+      packages                 = local.packages
+      storage_backend          = matrix.secondary_backend
+      target_hosts             = step.create_secondary_cluster_targets.hosts
+      unseal_method            = matrix.secondary_seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -729,4 +731,9 @@ scenario "replication" {
     description = "The Vault updated secondary cluster primaries connection status"
     value       = step.verify_updated_performance_replication.secondary_replication_data_primaries
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_primary_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl
@@ -187,13 +187,14 @@ scenario "smoke" {
         edition = var.backend_edition
         version = matrix.consul_version
       } : null
-      install_dir         = local.vault_install_dir
-      license             = matrix.edition != "oss" ? step.read_license.license : null
-      local_artifact_path = local.bundle_path
-      packages            = local.packages
-      storage_backend     = matrix.backend
-      target_hosts        = step.create_vault_cluster_targets.hosts
-      unseal_method       = matrix.seal
+      install_dir              = local.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      local_artifact_path      = local.bundle_path
+      packages                 = local.packages
+      storage_backend          = matrix.backend
+      target_hosts             = step.create_vault_cluster_targets.hosts
+      unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -381,4 +382,9 @@ scenario "smoke" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-scenario-ui.hcl b/enos/enos-scenario-ui.hcl
@@ -150,12 +150,13 @@ scenario "ui" {
         edition = var.backend_edition
         version = local.consul_version
       } : null
-      install_dir         = local.vault_install_dir
-      license             = matrix.edition != "oss" ? step.read_license.license : null
-      local_artifact_path = local.bundle_path
-      storage_backend     = matrix.backend
-      target_hosts        = step.create_vault_cluster_targets.hosts
-      unseal_method       = local.seal
+      install_dir              = local.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      local_artifact_path      = local.bundle_path
+      storage_backend          = matrix.backend
+      target_hosts             = step.create_vault_cluster_targets.hosts
+      unseal_method            = local.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -240,4 +241,9 @@ scenario "ui" {
     description = "The stdout of the ui tests that ran"
     value       = step.test_ui.ui_test_stdout
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl
@@ -181,13 +181,14 @@ scenario "upgrade" {
         edition = var.backend_edition
         version = matrix.consul_version
       } : null
-      install_dir     = local.vault_install_dir
-      license         = matrix.edition != "oss" ? step.read_license.license : null
-      packages        = local.packages
-      release         = var.vault_upgrade_initial_release
-      storage_backend = matrix.backend
-      target_hosts    = step.create_vault_cluster_targets.hosts
-      unseal_method   = matrix.seal
+      install_dir              = local.vault_install_dir
+      license                  = matrix.edition != "oss" ? step.read_license.license : null
+      packages                 = local.packages
+      release                  = var.vault_upgrade_initial_release
+      storage_backend          = matrix.backend
+      target_hosts             = step.create_vault_cluster_targets.hosts
+      unseal_method            = matrix.seal
+      enable_file_audit_device = var.vault_enable_file_audit_device
     }
   }
 
@@ -398,4 +399,9 @@ scenario "upgrade" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "vault_audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
 }
diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl
@@ -197,3 +197,9 @@ variable "ui_run_tests" {
   description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
   default     = true
 }
+
+variable "vault_enable_file_audit_device" {
+  description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
+  type        = bool
+  default     = true
+}
diff --git a/enos/modules/build_local/main.tf b/enos/modules/build_local/main.tf
@@ -58,7 +58,7 @@ variable "product_version" {
 }
 
 resource "enos_local_exec" "build" {
-  scripts = ["${path.module}/scripts/build.sh"]
+  scripts = [abspath("${path.module}/scripts/build.sh")]
 
   environment = {
     BUNDLE_PATH = var.bundle_path,

diff --git a/enos/modules/get_local_metadata/main.tf b/enos/modules/get_local_metadata/main.tf
@@ -7,15 +7,15 @@ terraform {
 }
 
 resource "enos_local_exec" "get_build_date" {
-  scripts = ["${path.module}/scripts/build_date.sh"]
+  scripts = [abspath("${path.module}/scripts/build_date.sh")]
 }
 
 output "build_date" {
   value = trimspace(enos_local_exec.get_build_date.stdout)
 }
 
 resource "enos_local_exec" "get_version" {
-  scripts = ["${path.module}/scripts/version.sh"]
+  scripts = [abspath("${path.module}/scripts/version.sh")]
 }
 
 output "version" {

diff --git a/enos/modules/vault_cluster/main.tf b/enos/modules/vault_cluster/main.tf
@@ -61,6 +61,8 @@ locals {
       path    = "vault"
     })
   ]
+  audit_device_file_path = "/var/log/vault_audit.log"
+  vault_service_user     = "vault"
 }
 
 resource "enos_remote_exec" "install_packages" {
@@ -165,7 +167,7 @@ resource "enos_vault_start" "leader" {
   }
   license        = var.license
   manage_service = var.manage_service
-  username       = "vault"
+  username       = local.vault_service_user
   unit_name      = "vault"
 
   transport = {
@@ -204,7 +206,7 @@ resource "enos_vault_start" "followers" {
   }
   license        = var.license
   manage_service = var.manage_service
-  username       = "vault"
+  username       = local.vault_service_user
   unit_name      = "vault"
 
   transport = {
@@ -214,6 +216,31 @@ resource "enos_vault_start" "followers" {
   }
 }
 
+# We need to ensure that the directory used for audit logs is present and accessible to the vault
+# user on all nodes, since logging will only happen on the leader.
+resource "enos_remote_exec" "create_audit_log_dir" {
+  depends_on = [
+    enos_vault_start.followers,
+  ]
+  for_each = toset([
+    for idx, host in toset(local.instances) : idx
+    if var.enable_file_audit_device
+  ])
+
+  environment = {
+    LOG_FILE_PATH = local.audit_device_file_path
+    SERVICE_USER  = local.vault_service_user
+  }
+
+  scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")]
+
+  transport = {
+    ssh = {
+      host = var.target_hosts[each.value].public_ip
+    }
+  }
+}
+
 resource "enos_vault_init" "leader" {
   depends_on = [
     enos_vault_start.followers,
@@ -258,6 +285,32 @@ resource "enos_vault_unseal" "leader" {
   }
 }
 
+resource "enos_remote_exec" "enable_file_audit_device" {
+  depends_on = [
+    enos_vault_unseal.leader,
+  ]
+  for_each = toset([
+    for idx in local.leader : idx
+    if var.enable_file_audit_device
+  ])
+
+  environment = {
+    VAULT_TOKEN    = enos_vault_init.leader[each.key].root_token
+    VAULT_ADDR     = "http://127.0.0.1:8200"
+    VAULT_BIN_PATH = local.bin_path
+    LOG_FILE_PATH  = local.audit_device_file_path
+    SERVICE_USER   = local.vault_service_user
+  }
+
+  scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")]
+
+  transport = {
+    ssh = {
+      host = var.target_hosts[each.key].public_ip
+    }
+  }
+}
+
 resource "enos_vault_unseal" "followers" {
   depends_on = [
     enos_vault_init.leader,

diff --git a/enos/modules/vault_cluster/outputs.tf b/enos/modules/vault_cluster/outputs.tf
@@ -53,3 +53,8 @@ output "cluster_name" {
   description = "The Vault cluster name"
   value       = var.cluster_name
 }
+
+output "audit_device_file_path" {
+  description = "The file path for the audit device, if enabled"
+  value       = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled"
+}
diff --git a/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh b/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh
@@ -0,0 +1,8 @@
+#!/bin/env sh
+
+set -eux
+
+LOG_DIR=$(dirname "$LOG_FILE_PATH")
+
+sudo mkdir -p "$LOG_DIR"
+sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR"
diff --git a/enos/modules/vault_cluster/scripts/enable_audit_logging.sh b/enos/modules/vault_cluster/scripts/enable_audit_logging.sh
@@ -0,0 +1,5 @@
+#!/bin/env sh
+
+set -eux
+
+sudo su "$SERVICE_USER" -c "VAULT_TOKEN=$VAULT_TOKEN VAULT_ADDR=$VAULT_ADDR $VAULT_BIN_PATH audit enable file file_path=$LOG_FILE_PATH"
diff --git a/enos/modules/vault_cluster/variables.tf b/enos/modules/vault_cluster/variables.tf
@@ -174,3 +174,9 @@ variable "unseal_method" {
     error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported."
   }
 }
+
+variable "enable_file_audit_device" {
+  description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
+  type        = bool
+  default     = true
+}
diff --git a/enos/modules/vault_get_cluster_ips/main.tf b/enos/modules/vault_get_cluster_ips/main.tf
@@ -74,7 +74,7 @@ resource "enos_remote_exec" "get_leader_private_ip" {
     VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips)
   }
 
-  scripts = ["${path.module}/scripts/get-leader-private-ip.sh"]
+  scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")]
 
   transport = {
     ssh = {

diff --git a/enos/modules/vault_setup_perf_primary/main.tf b/enos/modules/vault_setup_perf_primary/main.tf
@@ -39,7 +39,7 @@ resource "enos_remote_exec" "configure_pr_primary" {
     vault_install_dir = var.vault_install_dir
   }
 
-  scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"]
+  scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")]
 
   transport = {
     ssh = {