mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-17 20:17:00 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
420 lines
13 KiB
HCL
420 lines
13 KiB
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
scenario "upgrade" {
|
|
matrix {
|
|
arch = ["amd64", "arm64"]
|
|
backend = ["consul", "raft"]
|
|
artifact_source = ["local", "crt", "artifactory"]
|
|
artifact_type = ["bundle", "package"]
|
|
consul_version = ["1.14.2", "1.13.4", "1.12.7"]
|
|
distro = ["ubuntu", "rhel"]
|
|
edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
|
|
seal = ["awskms", "shamir"]
|
|
|
|
# Packages are not offered for the oss, ent.fips1402, and ent.hsm.fips1402 editions
|
|
exclude {
|
|
edition = ["oss", "ent.fips1402", "ent.hsm.fips1402"]
|
|
artifact_type = ["package"]
|
|
}
|
|
}
|
|
|
|
terraform_cli = terraform_cli.default
|
|
terraform = terraform.default
|
|
providers = [
|
|
provider.aws.default,
|
|
provider.enos.ubuntu,
|
|
provider.enos.rhel
|
|
]
|
|
|
|
locals {
|
|
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))
|
|
backend_tag_key = "VaultStorage"
|
|
build_tags = {
|
|
"oss" = ["ui"]
|
|
"ent" = ["ui", "enterprise", "ent"]
|
|
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
|
|
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
|
|
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
|
|
}
|
|
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
|
|
distro_version = {
|
|
"rhel" = var.rhel_distro_version
|
|
"ubuntu" = var.ubuntu_distro_version
|
|
}
|
|
enos_provider = {
|
|
rhel = provider.enos.rhel
|
|
ubuntu = provider.enos.ubuntu
|
|
}
|
|
packages = ["jq"]
|
|
tags = merge({
|
|
"Project Name" : var.project_name
|
|
"Project" : "Enos",
|
|
"Environment" : "ci"
|
|
}, var.tags)
|
|
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
|
|
vault_install_dir_packages = {
|
|
rhel = "/bin"
|
|
ubuntu = "/usr/bin"
|
|
}
|
|
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : local.vault_install_dir_packages[matrix.distro]
|
|
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
|
|
}
|
|
|
|
# This step gets/builds the upgrade artifact that we will upgrade to
|
|
step "build_vault" {
|
|
module = "build_${matrix.artifact_source}"
|
|
|
|
variables {
|
|
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition]
|
|
bundle_path = local.bundle_path
|
|
goarch = matrix.arch
|
|
goos = "linux"
|
|
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
|
|
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
|
|
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
|
|
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
|
|
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
|
|
product_version = var.vault_product_version
|
|
artifact_type = matrix.artifact_type
|
|
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
|
|
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
|
|
revision = var.vault_revision
|
|
}
|
|
}
|
|
|
|
step "ec2_info" {
|
|
module = module.ec2_info
|
|
}
|
|
|
|
step "create_vpc" {
|
|
module = module.create_vpc
|
|
|
|
variables {
|
|
common_tags = local.tags
|
|
}
|
|
}
|
|
|
|
// This step reads the contents of the backend license if we're using a Consul backend and
|
|
// the edition is "ent".
|
|
step "read_backend_license" {
|
|
skip_step = matrix.backend == "raft" || var.backend_edition == "oss"
|
|
module = module.read_license
|
|
|
|
variables {
|
|
file_name = local.backend_license_path
|
|
}
|
|
}
|
|
|
|
step "read_vault_license" {
|
|
skip_step = matrix.edition == "oss"
|
|
module = module.read_license
|
|
|
|
variables {
|
|
file_name = local.vault_license_path
|
|
}
|
|
}
|
|
|
|
step "create_vault_cluster_targets" {
|
|
module = module.target_ec2_instances
|
|
depends_on = [step.create_vpc]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]]
|
|
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
|
|
cluster_tag_key = local.vault_tag_key
|
|
common_tags = local.tags
|
|
vpc_id = step.create_vpc.vpc_id
|
|
}
|
|
}
|
|
|
|
step "create_vault_cluster_backend_targets" {
|
|
module = matrix.backend == "consul" ? module.target_ec2_instances : module.target_ec2_shim
|
|
depends_on = [step.create_vpc]
|
|
|
|
providers = {
|
|
enos = provider.enos.ubuntu
|
|
}
|
|
|
|
variables {
|
|
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
|
|
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
|
|
cluster_tag_key = local.backend_tag_key
|
|
common_tags = local.tags
|
|
vpc_id = step.create_vpc.vpc_id
|
|
}
|
|
}
|
|
|
|
step "create_backend_cluster" {
|
|
module = "backend_${matrix.backend}"
|
|
depends_on = [
|
|
step.create_vault_cluster_backend_targets,
|
|
]
|
|
|
|
providers = {
|
|
enos = provider.enos.ubuntu
|
|
}
|
|
|
|
variables {
|
|
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
|
|
cluster_tag_key = local.backend_tag_key
|
|
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
|
|
release = {
|
|
edition = var.backend_edition
|
|
version = matrix.consul_version
|
|
}
|
|
target_hosts = step.create_vault_cluster_backend_targets.hosts
|
|
}
|
|
}
|
|
|
|
step "create_vault_cluster" {
|
|
module = module.vault_cluster
|
|
depends_on = [
|
|
step.create_backend_cluster,
|
|
step.build_vault,
|
|
step.create_vault_cluster_targets
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
awskms_unseal_key_arn = step.create_vpc.kms_key_arn
|
|
backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name
|
|
backend_cluster_tag_key = local.backend_tag_key
|
|
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
|
|
cluster_name = step.create_vault_cluster_targets.cluster_name
|
|
consul_release = matrix.backend == "consul" ? {
|
|
edition = var.backend_edition
|
|
version = matrix.consul_version
|
|
} : null
|
|
enable_file_audit_device = var.vault_enable_file_audit_device
|
|
install_dir = local.vault_install_dir
|
|
license = matrix.edition != "oss" ? step.read_vault_license.license : null
|
|
packages = local.packages
|
|
release = var.vault_upgrade_initial_release
|
|
storage_backend = matrix.backend
|
|
target_hosts = step.create_vault_cluster_targets.hosts
|
|
unseal_method = matrix.seal
|
|
}
|
|
}
|
|
|
|
step "get_vault_cluster_ips" {
|
|
module = module.vault_get_cluster_ips
|
|
depends_on = [step.create_vault_cluster]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_root_token = step.create_vault_cluster.root_token
|
|
}
|
|
}
|
|
|
|
step "verify_write_test_data" {
|
|
module = module.vault_verify_write_data
|
|
depends_on = [
|
|
step.create_vault_cluster,
|
|
step.get_vault_cluster_ips
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
|
|
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_root_token = step.create_vault_cluster.root_token
|
|
}
|
|
}
|
|
|
|
# This step upgrades the Vault cluster to the var.vault_product_version
|
|
# by getting a bundle or package of that version from the matrix.artifact_source
|
|
step "upgrade_vault" {
|
|
module = module.vault_upgrade
|
|
depends_on = [
|
|
step.create_vault_cluster,
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_api_addr = "http://localhost:8200"
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_local_artifact_path = local.bundle_path
|
|
vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
|
|
vault_seal_type = matrix.seal
|
|
}
|
|
}
|
|
|
|
step "verify_vault_version" {
|
|
module = module.vault_verify_version
|
|
depends_on = [
|
|
step.create_backend_cluster,
|
|
step.upgrade_vault,
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_edition = matrix.edition
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
|
|
vault_revision = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
|
|
vault_build_date = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
|
|
vault_root_token = step.create_vault_cluster.root_token
|
|
}
|
|
}
|
|
|
|
step "get_updated_vault_cluster_ips" {
|
|
module = module.vault_get_cluster_ips
|
|
depends_on = [
|
|
step.create_vault_cluster,
|
|
step.upgrade_vault
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_root_token = step.create_vault_cluster.root_token
|
|
}
|
|
}
|
|
|
|
step "verify_vault_unsealed" {
|
|
module = module.vault_verify_unsealed
|
|
depends_on = [
|
|
step.create_vault_cluster,
|
|
step.get_updated_vault_cluster_ips,
|
|
step.upgrade_vault,
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_install_dir = local.vault_install_dir
|
|
}
|
|
}
|
|
|
|
step "verify_read_test_data" {
|
|
module = module.vault_verify_read_data
|
|
depends_on = [
|
|
step.get_updated_vault_cluster_ips,
|
|
step.verify_write_test_data,
|
|
step.verify_vault_unsealed
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
node_public_ips = step.get_updated_vault_cluster_ips.follower_public_ips
|
|
vault_install_dir = local.vault_install_dir
|
|
}
|
|
}
|
|
|
|
step "verify_raft_auto_join_voter" {
|
|
skip_step = matrix.backend != "raft"
|
|
module = module.vault_verify_raft_auto_join_voter
|
|
depends_on = [
|
|
step.create_backend_cluster,
|
|
step.upgrade_vault,
|
|
]
|
|
|
|
providers = {
|
|
enos = local.enos_provider[matrix.distro]
|
|
}
|
|
|
|
variables {
|
|
vault_install_dir = local.vault_install_dir
|
|
vault_instances = step.create_vault_cluster_targets.hosts
|
|
vault_root_token = step.create_vault_cluster.root_token
|
|
}
|
|
}
|
|
|
|
output "audit_device_file_path" {
|
|
description = "The file path for the file audit device, if enabled"
|
|
value = step.create_vault_cluster.audit_device_file_path
|
|
}
|
|
|
|
output "awskms_unseal_key_arn" {
|
|
description = "The Vault cluster KMS key arn"
|
|
value = step.create_vpc.kms_key_arn
|
|
}
|
|
|
|
output "cluster_name" {
|
|
description = "The Vault cluster name"
|
|
value = step.create_vault_cluster.cluster_name
|
|
}
|
|
|
|
output "hosts" {
|
|
description = "The Vault cluster target hosts"
|
|
value = step.create_vault_cluster.target_hosts
|
|
}
|
|
|
|
output "private_ips" {
|
|
description = "The Vault cluster private IPs"
|
|
value = step.create_vault_cluster.private_ips
|
|
}
|
|
|
|
output "public_ips" {
|
|
description = "The Vault cluster public IPs"
|
|
value = step.create_vault_cluster.public_ips
|
|
}
|
|
|
|
output "root_token" {
|
|
description = "The Vault cluster root token"
|
|
value = step.create_vault_cluster.root_token
|
|
}
|
|
|
|
output "recovery_key_shares" {
|
|
description = "The Vault cluster recovery key shares"
|
|
value = step.create_vault_cluster.recovery_key_shares
|
|
}
|
|
|
|
output "recovery_keys_b64" {
|
|
description = "The Vault cluster recovery keys b64"
|
|
value = step.create_vault_cluster.recovery_keys_b64
|
|
}
|
|
|
|
output "recovery_keys_hex" {
|
|
description = "The Vault cluster recovery keys hex"
|
|
value = step.create_vault_cluster.recovery_keys_hex
|
|
}
|
|
|
|
output "unseal_keys_b64" {
|
|
description = "The Vault cluster unseal keys"
|
|
value = step.create_vault_cluster.unseal_keys_b64
|
|
}
|
|
|
|
output "unseal_keys_hex" {
|
|
description = "The Vault cluster unseal keys hex"
|
|
value = step.create_vault_cluster.unseal_keys_hex
|
|
}
|
|
}
|