
[QT-426] Ensure file audit device is only enabled if the leader is initialized. (hashicorp#20974)
Mike Baum authored Jun 3, 2023
1 parent 155003a commit 2c9a75b
Showing 2 changed files with 4 additions and 3 deletions.
5 changes: 3 additions & 2 deletions enos/modules/vault_cluster/main.tf
Expand Up @@ -63,6 +63,7 @@ locals {
]
audit_device_file_path = "/var/log/vault_audit.log"
vault_service_user = "vault"
enable_audit_device = var.enable_file_audit_device && var.initialize_cluster
}

resource "enos_remote_exec" "install_packages" {
Expand Down Expand Up @@ -224,7 +225,7 @@ resource "enos_remote_exec" "create_audit_log_dir" {
]
for_each = toset([
for idx, host in toset(local.instances) : idx
if var.enable_file_audit_device
if local.enable_audit_device
])

environment = {
Expand Down Expand Up @@ -291,7 +292,7 @@ resource "enos_remote_exec" "enable_file_audit_device" {
]
for_each = toset([
for idx in local.leader : idx
if var.enable_file_audit_device
if local.enable_audit_device
])

environment = {
Expand Down
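Review bot: The new local `enable_audit_device = var.enable_file_audit_device && var.initialize_cluster` silently drops the audit device when a caller asks for it on a cluster this module is not initializing, and nothing in the hunks records why or surfaces it; since the audit log is the control that makes the rest of the test cluster observable, that should not be quiet. Add a comment above the local such as `# The file audit device can only be enabled against an initialized, unsealed leader with a token, so it is skipped when this module merely joins or upgrades an existing cluster; callers that rely on audit logging must initialize here.` and consider a variable `validation` (or a `precondition` on `enos_remote_exec.enable_file_audit_device`) that fails the plan when `enable_file_audit_device` is true and `initialize_cluster` is false, so the absence of an audit trail is an explicit choice rather than a side effect. Whether the leader-token requirement is the actual reason is inferred from the commit title rather than visible in these lines. The `locals {` block starts before the first hunk.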
2 changes: 1 addition & 1 deletion enos/modules/vault_cluster/scripts/enable_audit_logging.sh
Expand Up @@ -2,4 +2,4 @@

set -eux

sudo su "$SERVICE_USER" -c "VAULT_TOKEN=$VAULT_TOKEN VAULT_ADDR=$VAULT_ADDR $VAULT_BIN_PATH audit enable file file_path=$LOG_FILE_PATH"
$VAULT_BIN_PATH audit enable file file_path="$LOG_FILE_PATH"

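Review bot: `$VAULT_BIN_PATH` on the new last line is left unquoted while `$LOG_FILE_PATH` next to it is quoted; make it `"$VAULT_BIN_PATH" audit enable file file_path="$LOG_FILE_PATH"` so a binary path containing spaces does not word-split. The new form also has a security benefit worth recording in a comment: with `set -eux` on line 48, the removed line's inline `VAULT_TOKEN=$VAULT_TOKEN ...` string was expanded before being traced, so the token landed in the xtrace output, whereas the new line relies on `VAULT_TOKEN`/`VAULT_ADDR` already being in the process environment (presumably set by the caller's `environment` block in main.tf, which is cut off here) and never echoes it — a comment like `# VAULT_TOKEN/VAULT_ADDR come from the environment on purpose: never put the token on the command line, set -x would log it.` keeps the next editor from reintroducing the leak. Separately, `vault audit enable file` fails with a path-in-use error if the device already exists, and `set -e` then aborts the script, so re-running the module against an already-configured leader is not idempotent; if re-apply is a supported flow, guard with `"$VAULT_BIN_PATH" audit list -format=json` and only enable when `file/` is absent.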