VAULT-31185 & 31186/use identity token auth for Artifactory in Vault CE & Ent (#31255)

* removed artifactory_username

* updated artifactory token

* ran enos fmt

* ran terraform fmt

* debugging/ testing - pinned enos version, added null username

* byyyyy

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -131,8 +131,7 @@ jobs:
           caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
           token: ${{ steps.vault-auth.outputs.token }}
           secrets: |
-            kv/data/github/${{ github.repository }}/artifactory token | ARTIFACTORY_TOKEN;
+            kv/data/github/${{ github.repository }}/artifactory bearer-token | ARTIFACTORY_BEARER_TOKEN;
-            kv/data/github/${{ github.repository }}/artifactory username | ARTIFACTORY_USER;
             kv/data/github/${{ github.repository }}/aws access-key-id | AWS_ACCESS_KEY_ID_CI;
             kv/data/github/${{ github.repository }}/aws secret-access-key | AWS_SECRET_ACCESS_KEY_CI;
             kv/data/github/${{ github.repository }}/aws role-arn | AWS_ROLE_ARN_CI;
@@ -146,8 +145,7 @@ jobs:
         run: |
           if [[ "${{ needs.metadata.outputs.is-enterprise }}" != 'true' ]]; then
             {
-              echo "artifactory-user=${{ secrets.ARTIFACTORY_USER }}"
+              echo "artifactory-token=${{ secrets.ARTIFACTORY_BEARER_TOKEN }}"
-              echo "artifactory-token=${{ secrets.ARTIFACTORY_TOKEN }}"
               echo "aws-access-key-id=${{ secrets.AWS_ACCESS_KEY_ID_CI }}"
               echo "aws-secret-access-key=${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}"
               echo "aws-role-arn=${{ secrets.AWS_ROLE_ARN_CI }}"
@@ -162,8 +160,7 @@ jobs:
            } | tee -a "$GITHUB_OUTPUT"
           else
             {
-              echo "artifactory-user=${{ steps.vault-secrets.outputs.ARTIFACTORY_USER }}"
+              echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_BEARER_TOKEN }}"
-              echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_TOKEN }}"
               echo "aws-access-key-id=${{ steps.vault-secrets.outputs.AWS_ACCESS_KEY_ID_CI }}"
               echo "aws-secret-access-key=${{ steps.vault-secrets.outputs.AWS_SECRET_ACCESS_KEY_CI }}"
               echo "aws-role-arn=${{ steps.vault-secrets.outputs.AWS_ROLE_ARN_CI }}"
@@ -183,7 +180,6 @@ jobs:
           {
             echo "GITHUB_TOKEN=${{ steps.secrets.outputs.github-token }}"
             echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
-            echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}"
             echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}"
             echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}"
             echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}"

enos/README.md

@@ -184,7 +184,6 @@ unzipped Vault binary at the `vault_local_binary_path`.
 
 ## `artifact_source:artifactory`
 This variant is for running the Enos scenario to test an artifact from Artifactory. It requires following Enos variables to be set:
-* `artifactory_username`
 * `artifactory_token`
 * `aws_ssh_keypair_name`
 * `aws_ssh_private_key_path`

enos/enos-dev-scenario-pr-replication.hcl

@@ -113,12 +113,10 @@ scenario "dev_pr_replication" {
         artifactory_repo:
           The artifactory host to search. It's very unlikely that you'll want to change this. The
           default value is where CRT will publish packages.
-        artifactory_username:
-          The artifactory username associated with your token. You'll need this if you wish to use
-          deb or rpm artifacts! You can request access via Okta.
         artifactory_token:
-          The artifactory token associated with your username. You'll need this if you wish to use
+          The artifactory identity token to use for authentication. You'll need this if you wish
-          deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
+          to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
+          group and using 'doormat artifactory create-token'.
         dev_build_local_ui:
           If you are not testing any changes in the UI, set to false. This will save time by not
           building the entire UI. If you need to test the UI, set to true.
@@ -151,7 +149,6 @@ scenario "dev_pr_replication" {
       // required.
       artifactory_host  = local.use_artifactory ? var.artifactory_host : null
       artifactory_repo  = local.use_artifactory ? var.artifactory_repo : null
-      artifactory_username = local.use_artifactory ? var.artifactory_username : null
       artifactory_token = local.use_artifactory ? var.artifactory_token : null
       distro            = matrix.distro
     }

enos/enos-dev-scenario-single-cluster.hcl

@@ -107,12 +107,10 @@ scenario "dev_single_cluster" {
         artifactory_repo:
           The artifactory host to search. It's very unlikely that you'll want to change this. The
           default value is where CRT will publish packages.
-        artifactory_username:
-          The artifactory username associated with your token. You'll need this if you wish to use
-          deb or rpm artifacts! You can request access via Okta.
         artifactory_token:
-          The artifactory token associated with your username. You'll need this if you wish to use
+          The artifactory identity token to use for authentication. You'll need this if you wish
-          deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
+          to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
+          group and using 'doormat artifactory create-token'.
         dev_build_local_ui:
           If you are not testing any changes in the UI, set to false. This will save time by not
           building the entire UI. If you need to test the UI, set to true.
@@ -145,7 +143,6 @@ scenario "dev_single_cluster" {
       // required.
       artifactory_host  = local.use_artifactory ? var.artifactory_host : null
       artifactory_repo  = local.use_artifactory ? var.artifactory_repo : null
-      artifactory_username = local.use_artifactory ? var.artifactory_username : null
       artifactory_token = local.use_artifactory ? var.artifactory_token : null
       distro            = matrix.distro
       distro_version    = global.distro_version[matrix.distro]

enos/enos-scenario-agent.hcl

@@ -27,7 +27,6 @@ scenario "agent" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -108,7 +107,6 @@ scenario "agent" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-autopilot.hcl

@@ -29,7 +29,6 @@ scenario "autopilot" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value defined in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -118,7 +117,6 @@ scenario "autopilot" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-benchmark.hcl

@@ -134,7 +134,6 @@ scenario "benchmark" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-dr-replication.hcl

@@ -32,7 +32,6 @@ scenario "dr_replication" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -131,7 +130,6 @@ scenario "dr_replication" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-pr-replication.hcl

@@ -32,7 +32,6 @@ scenario "pr_replication" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -131,7 +130,6 @@ scenario "pr_replication" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-proxy.hcl

@@ -27,7 +27,6 @@ scenario "proxy" {
   https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
   Variables required for some scenario variants:
-    - artifactory_username (if using `artifact_source:artifactory` in your filter)
     - artifactory_token (if using `artifact_source:artifactory` in your filter)
     - aws_region (if different from the default value in enos-variables.hcl)
     - consul_license_path (if using an ENT edition of Consul)
@@ -115,7 +114,6 @@ scenario "proxy" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-seal-ha.hcl

@@ -30,7 +30,6 @@ scenario "seal_ha" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -129,7 +128,6 @@ scenario "seal_ha" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-smoke.hcl

@@ -26,7 +26,6 @@ scenario "smoke" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -107,7 +106,6 @@ scenario "smoke" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-scenario-upgrade.hcl

@@ -27,7 +27,6 @@ scenario "upgrade" {
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
     Variables required for some scenario variants:
-      - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
       - aws_region (if different from the default value in enos-variables.hcl)
       - consul_license_path (if using an ENT edition of Consul)
@@ -117,7 +116,6 @@ scenario "upgrade" {
       goos              = "linux"
       artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
       artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
-      artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
       artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
       arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
       product_version   = var.vault_product_version

enos/enos-variables.hcl

@@ -1,13 +1,6 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-variable "artifactory_username" {
-  type        = string
-  description = "The username to use when testing an artifact from artifactory"
-  default     = null
-  sensitive   = true
-}
-
 variable "artifactory_token" {
   type        = string
   description = "The token to use when authenticating to artifactory"

enos/enos.vars.hcl

@@ -1,9 +1,6 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 
-// artifactory_username is the username to use when testing an artifact stored in artfactory.
-// artifactory_username = "yourname@hashicorp.com"
-
 // artifactory_token is the token to use when authenticating to artifactory.
 // artifactory_token = "yourtoken"
 

enos/modules/build_artifactory_artifact/main.tf

@@ -10,12 +10,6 @@ terraform {
   }
 }
 
-variable "artifactory_username" {
-  type        = string
-  description = "The username to use when connecting to artifactory"
-  default     = null
-}
-
 variable "artifactory_token" {
   type        = string
   description = "The token to use when connecting to artifactory"
@@ -58,7 +52,6 @@ module "artifact_metadata" {
 }
 
 data "enos_artifactory_item" "vault" {
-  username = var.artifactory_username
   token = var.artifactory_token
   name  = module.artifact_metadata.artifact_name
   host  = var.artifactory_host
@@ -95,7 +88,7 @@ output "vault_artifactory_release" {
   value = {
     url      = data.enos_artifactory_item.vault.results[0].url
     sha256   = data.enos_artifactory_item.vault.results[0].sha256
-    username = var.artifactory_username
     token    = var.artifactory_token
+    username = null # username is not an optional value yet
   }
 }

enos/modules/build_artifactory_package/main.tf

@@ -5,6 +5,7 @@ terraform {
   required_providers {
     enos = {
       source  = "registry.terraform.io/hashicorp-forge/enos"
+      version = ">= 0.6.1"
     }
   }
 }
@@ -14,11 +15,6 @@ variable "arch" {
   description = "The architecture for the desired artifact"
 }
 
-variable "artifactory_username" {
-  type        = string
-  description = "The username to use when connecting to Artifactory"
-}
-
 variable "artifactory_token" {
   type        = string
   description = "The token to use when connecting to Artifactory"
@@ -73,7 +69,6 @@ module "artifact_metadata" {
 }
 
 data "enos_artifactory_item" "vault" {
-  username = var.artifactory_username
   token = var.artifactory_token
   name  = module.artifact_metadata.artifact_name
   host  = var.artifactory_host
@@ -109,7 +104,7 @@ output "release" {
   value = {
     url      = data.enos_artifactory_item.vault.results[0].url
     sha256   = data.enos_artifactory_item.vault.results[0].sha256
-    username = var.artifactory_username
     token    = var.artifactory_token
+    username = null # username is not optional yet
   }
 }

enos/modules/build_crt/main.tf

@@ -24,7 +24,6 @@ variable "goos" {
 
 variable "artifactory_host" { default = null }
 variable "artifactory_repo" { default = null }
-variable "artifactory_username" { default = null }
 variable "artifactory_token" { default = null }
 variable "arch" { default = null }
 variable "artifact_path" { default = null }

enos/modules/build_local/main.tf

@@ -38,7 +38,6 @@ variable "goos" {
 
 variable "artifactory_host" { default = null }
 variable "artifactory_repo" { default = null }
-variable "artifactory_username" { default = null }
 variable "artifactory_token" { default = null }
 variable "arch" { default = null }
 variable "artifact_type" { default = null }