backport of commit c018510

.copywrite.hcl

@@ -2,7 +2,7 @@ schema_version = 1
 
 project {
   license        = "MPL-2.0"
-  copyright_year = 2020
+  copyright_year = 2023
 
   header_ignore = [
     ".github/**",

.github/workflows/actionlint.yml

@@ -13,6 +13,6 @@ jobs:
     steps:
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - name: Check workflow files
-        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint@sha256:3f24bf9d72ca67af6f9f8f3cc63b0e24621b57bf421cecfc452c3312e32b68cc # 1.6.24
+        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint@sha256:02ccb6d91e4cb4a7b21eb99d5274d257e81ae667688d730e89d7ea0d6d35db91
         with:
           args: -color -ignore SC2129 -ignore "'property \"download-path\" is not defined in object type'"

.github/workflows/build.yml

@@ -1,13 +1,9 @@
 name: build
 
 on:
-  push:
-    branches:
-      - '**'
-    tags-ignore:
-      - '**'
-  workflow_call:
-  workflow_dispatch:
+  - workflow_dispatch
+  - push
+  - workflow_call
 
 env:
   PKG_NAME: "boundary"
@@ -403,6 +399,7 @@ jobs:
     needs:
       - set-product-version
       - product-metadata
+      - build-linux
       - build-docker
     uses: ./.github/workflows/enos-run.yml
     with:

.github/workflows/check-legacy-links-format.yml

@@ -0,0 +1,22 @@
+name: Legacy Link Format Checker
+
+on:
+  push:
+    paths:
+      - "website/content/**/*.mdx"
+      - "website/data/*-nav-data.json"
+      - ".github/workflows/check-legacy-links-format.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  check-links:
+    if: github.repository == 'hashicorp/boundary'
+    uses: hashicorp/dev-portal/.github/workflows/docs-content-check-legacy-links-format.yml@475289345d312552b745224b46895f51cc5fc490
+    with:
+      repo-owner: "hashicorp"
+      repo-name: "boundary"
+      commit-sha: ${{ github.sha }}
+      mdx-directory: "website/content"
+      nav-data-directory: "website/data"

.github/workflows/enos-run.yml

@@ -78,9 +78,10 @@ jobs:
         include:
           - filter: 'e2e_aws builder:crt'
           - filter: 'e2e_database'
-          - filter: 'e2e_docker_base builder:crt'
-          - filter: 'e2e_docker_base_with_vault builder:crt'
-    runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
+          - filter: 'e2e_static builder:crt'
+          - filter: 'e2e_static_with_vault builder:crt'
+          # - filter: 'e2e_ui builder:crt' # Don't run UI tests yet. takes too long.
+    runs-on: ${{ fromJSON(vars.RUNNER) }}
     env:
       GITHUB_TOKEN: ${{ secrets.SERVICE_USER_GITHUB_TOKEN }}
       # Scenario variables
@@ -181,21 +182,14 @@ jobs:
         run: |
           wget https://releases.hashicorp.com/vault/1.12.2/vault_1.12.2_linux_amd64.zip -O /tmp/test-deps/vault.zip
       - name: Install Vault CLI
-        if: matrix.filter == 'e2e_aws_base_with_vault builder:crt' || matrix.filter == 'e2e_database' || matrix.filter == 'e2e_ui builder:crt' || matrix.filter == 'e2e_docker_base_with_vault builder:crt'
+        if: matrix.filter == 'e2e_static_with_vault builder:crt' || matrix.filter == 'e2e_database' || matrix.filter == 'e2e_ui builder:crt' || matrix.filter == 'e2e_docker builder:crt'
         run: |
           unzip /tmp/test-deps/vault.zip -d /usr/local/bin
       - name: Add hosts to /etc/hosts
         # This enables the use of `boundary connect` with docker containers
-        if: contains(matrix.filter, 'e2e_docker')
+        if: matrix.filter == 'e2e_docker builder:crt'
         run: |
           sudo echo "127.0.0.1 localhost boundary" | sudo tee -a /etc/hosts
-      - name: GH fix for localhost resolution
-        if: github.repository == 'hashicorp/boundary' && contains(matrix.filter, 'e2e_docker')
-        run: |
-          cat /etc/hosts && echo "-----------"
-          sudo sed -i 's/::1 *localhost ip6-localhost ip6-loopback/::1 ip6 -localhost ip6-loopback/g' /etc/hosts
-          cat /etc/hosts
-          ssh -V
       - name: Download Boundary Linux AMD64 bundle
         id: download
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@@ -207,14 +201,14 @@ jobs:
           unzip ${{steps.download.outputs.download-path}}/*.zip -d enos/support/boundary
           mv ${{steps.download.outputs.download-path}}/*.zip enos/support/boundary.zip
       - name: Download Boundary Linux AMD64 docker image
-        if: contains(matrix.filter, 'e2e_docker')
+        if: matrix.filter == 'e2e_docker builder:crt'
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         id: download-docker
         with:
           name: ${{ inputs.docker-image-file }}
           path: ./enos/support/downloads
       - name: Rename docker image file
-        if: contains(matrix.filter, 'e2e_docker')
+        if: matrix.filter == 'e2e_docker builder:crt'
         run: |
           mv ${{ steps.download-docker.outputs.download-path }}/*.tar enos/support/boundary_docker_image.tar
       - name: Set up Node.js

.github/workflows/make-gen-delta.yml

@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   make-gen-delta:
-    name: "Check for uncommitted changes from make gen"
+    name: "Check for uncommited changes from make gen"
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
@@ -26,9 +26,6 @@ jobs:
         uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "${{ steps.get-go-version.outputs.go-version }}"
-      - name: Running go mod tidy
-        run: |
-          go mod tidy
       - name: Install Dependencies
         run: |
           make tools

.release/linux/package/etc/boundary.d/boundary.hcl

@@ -1,71 +1,3 @@
-# # Note that this is an example config file and is not intended to be functional as-is.
-# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/controller
+# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration
 
-# # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
 # disable_mlock = true
-
-# # Controller configuration block
-# controller {
-#   # This name attr must be unique across all controller instances if running in HA mode
-#   name = "demo-controller-1"
-#   description = "A controller for a demo!"
-
-#   # Database URL for postgres. This can be a direct "postgres://"
-#   # URL, or it can be "file://" to read the contents of a file to
-#   # supply the url, or "env://" to name an environment variable
-#   # that contains the URL.
-#   database {
-#       url = "postgresql://boundary:[email protected]:5432/boundary"
-#   }
-# }
-
-# # API listener configuration block
-# listener "tcp" {
-#   # Should be the address of the NIC that the controller server will be reached on
-#   address = "10.0.0.1"
-#   # The purpose of this listener block
-#   purpose = "api"
-
-#   tls_disable = false
-
-#   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
-#   # to appropriate values.
-#   #cors_enabled = true
-#   #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
-# }
-
-# # Data-plane listener configuration block (used for worker coordination)
-# listener "tcp" {
-#   # Should be the IP of the NIC that the worker will connect on
-#   address = "10.0.0.1"
-#   # The purpose of this listener
-#   purpose = "cluster"
-# }
-
-# # Root KMS configuration block: this is the root key for Boundary
-# # Use a production KMS such as AWS KMS in production installs
-# kms "aead" {
-#   purpose = "root"
-#   aead_type = "aes-gcm"
-#   key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
-#   key_id = "global_root"
-# }
-
-# # Worker authorization KMS
-# # Use a production KMS such as AWS KMS for production installs
-# # This key is the same key used in the worker configuration
-# kms "aead" {
-#   purpose = "worker-auth"
-#   aead_type = "aes-gcm"
-#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
-#   key_id = "global_worker-auth"
-# }
-
-# # Recovery KMS block: configures the recovery key for Boundary
-# # Use a production KMS such as AWS KMS for production installs
-# kms "aead" {
-#   purpose = "recovery"
-#   aead_type = "aes-gcm"
-#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
-#   key_id = "global_recovery"
-# }

.release/linux/package/etc/boundary.d/controller.hcl

@@ -0,0 +1,71 @@
+# # Note that this is an example systemd file and is not intended to be functional as-is.
+# # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/controller
+
+# # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
+# # disable_mlock = true
+
+# # Controller configuration block
+# controller {
+#   # This name attr must be unique across all controller instances if running in HA mode
+#   name = "demo-controller-1"
+#   description = "A controller for a demo!"
+
+#   # Database URL for postgres. This can be a direct "postgres://"
+#   # URL, or it can be "file://" to read the contents of a file to
+#   # supply the url, or "env://" to name an environment variable
+#   # that contains the URL.
+#   database {
+#       url = "postgresql://boundary:[email protected]:5432/boundary"
+#   }
+# }
+
+# # API listener configuration block
+# listener "tcp" {
+#   # Should be the address of the NIC that the controller server will be reached on
+#   address = "10.0.0.1"
+#   # The purpose of this listener block
+#   purpose = "api"
+
+#   tls_disable = false
+
+#   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
+#   # to appropriate values.
+#   #cors_enabled = true
+#   #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
+# }
+
+# # Data-plane listener configuration block (used for worker coordination)
+# listener "tcp" {
+#   # Should be the IP of the NIC that the worker will connect on
+#   address = "10.0.0.1"
+#   # The purpose of this listener
+#   purpose = "cluster"
+# }
+
+# # Root KMS configuration block: this is the root key for Boundary
+# # Use a production KMS such as AWS KMS in production installs
+# kms "aead" {
+#   purpose = "root"
+#   aead_type = "aes-gcm"
+#   key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
+#   key_id = "global_root"
+# }
+
+# # Worker authorization KMS
+# # Use a production KMS such as AWS KMS for production installs
+# # This key is the same key used in the worker configuration
+# kms "aead" {
+#   purpose = "worker-auth"
+#   aead_type = "aes-gcm"
+#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+#   key_id = "global_worker-auth"
+# }
+
+# # Recovery KMS block: configures the recovery key for Boundary
+# # Use a production KMS such as AWS KMS for production installs
+# kms "aead" {
+#   purpose = "recovery"
+#   aead_type = "aes-gcm"
+#   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+#   key_id = "global_recovery"
+# }

.release/linux/package/etc/boundary.d/worker.hcl

@@ -1,4 +1,4 @@
-# # Note that this is an example config file and is not intended to be functional as-is.
+# # Note that this is an example systemd file and is not intended to be functional as-is.
 # # Full configuration options can be found at https://www.boundaryproject.io/docs/configuration/worker
 
 # listener "tcp" {

.release/linux/package/usr/lib/systemd/system/boundary.service

@@ -10,7 +10,7 @@ User=boundary
 Group=boundary
 ProtectSystem=full
 ProtectHome=read-only
-ExecStart=/usr/bin/boundary server -config=/etc/boundary.d/boundary.hcl
+ExecStart=/usr/bin/boundary server -config=/etc/boundary.d/%i.hcl
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT
@@ -20,4 +20,4 @@ TimeoutStopSec=30
 LimitMEMLOCK=infinity
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

CHANGELOG.md

@@ -2,60 +2,10 @@
 
 Canonical reference for changes, improvements, and bugfixes for Boundary.
 
-## 0.13.1 (2023/07/10)
+## Next
 
 ### New and Improved
 
-* roles: In grants, the `id` field has been changed to `ids` (but `id` will
-  still be accepted for now, up until 0.15.0). In the `ids` field, multiple IDs
-  can now be specified in a grant, either via commas (text format) or array
-  (JSON format). ([PR](https://github.com/hashicorp/boundary/pull/3263)).
-* dev environment: When running `boundary dev` the initial LDAP auth-method with an
-  ID of `amldap_1234567890` is now in a public-active state, so it will be returned
-  in the response from `boundary auth-methods list`
-
-### Deprecations/Changes
-
-* Grants can now accept more than one ID per grant string (or entry in JSON) via
-  the `ids` parameter. In 0.15.0 the ability to add new grants via the `id`
-  parameter will be removed.
-
-### Bug Fixes
-
-* PKI worker authentication: A worker authentication record can be stored more than once, if it matches the 
-  existing record for that worker auth key ID. Fixes an edge case where a worker attempted authorization
-  and the controller successfully stored the worker auth record but went down before returning authorization
-  details to the worker. ([PR](https://github.com/hashicorp/boundary/pull/3389))
-* LDAP managed groups: adding/setting/removing a principal to a role now works
-  properly when it's an LDAP managed group.
-  ([PR](https://github.com/hashicorp/boundary/pull/3361) and
-  [PR](https://github.com/hashicorp/boundary/pull/3363))  
-
-## 0.13.0 (2023/06/13)
-
-### New and Improved
-
-* SSH Session Recordings (Enterprise and HCP Boundary only): SSH targets can now
-  be configured to record sessions. Recordings are signed and stored in a
-  Storage Bucket. Recordings can be played back in the admin UI.
-  * Storage Buckets: This release introduces Storage Buckets, a Boundary
-    resource that represents a bucket in an external object store. Storage
-    Buckets can be defined at the global or org scope. When associated with an
-    SSH target, the storage bucket is used to store session recordings. This
-    release includes support for AWS S3 only.
-  * BSR (Boundary Session Recording) file format: BSR is a new specification
-    that defines a hierarchical directory structure of files and a binary file
-    format. The contents of a BSR include all data transmitted between a user
-    and a target during a single session, relevant session metadata and summary
-    information. The BSR also includes checksum and signature files for
-    cryptographically verifying BSR contents, and a set of KMS wrapped keys for
-    use in BSR verification. The BSR format is intended to be extensible to
-    support various protocols. With this release BSR supports the SSH protocol.
-    It also supports converting an SSH channel recording into an
-    [asciicast](https://github.com/asciinema/asciinema/blob/develop/doc/asciicast-v2.md)
-    format that is playable by asciinema.
-  * To learn more about this new feature, refer to the
-    [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording).
 * KMS workers: KMS workers now have feature parity with PKI workers (they
   support multi-hop and Vault private access) and support separate KMSes for
   authenticating downstreams across different networks. See the [worker
@@ -75,9 +25,7 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   ([PR](https://github.com/hashicorp/boundary/pull/2912))
 * ui: Display external names when listing dynamic hosts ([PR](https://github.com/hashicorp/boundary-ui/pull/1664))
 * ui: Add support for LDAP authentication ([PR](https://github.com/hashicorp/boundary-ui/pull/1645))
-* Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI,
-  admin console, and desktop client. ([PR](https://github.com/hashicorp/boundary/pull/3074))
-* Add configuration for license reporting (Enterprise only)
+* Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI, admin console, and desktop client. ([PR](https://github.com/hashicorp/boundary/pull/3074))
 
 ### Deprecations/Changes
 
@@ -104,13 +52,13 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   incorrectly being generated for auth token resources, which do not support
   versioning. This is technically a breaking change, but it was a no-op option
   anyways that there was no reason to be using. It has now been removed.
-* Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin 
+* Plugins: With the introduction of new plugin services, the Azure and AWS Host plugin 
   repositories have been renamed to drop the `host` element of the repository name: 
 
    - https://github.com/hashicorp/boundary-plugin-host-aws -> https://github.com/hashicorp/boundary-plugin-aws
    - https://github.com/hashicorp/boundary-plugin-host-azure -> https://github.com/hashicorp/boundary-plugin-azure
 
-  Similarly the `plugins/host` package has been renamed to `plugins/boundary`
+  similarly the `plugins/host` package has been renamed to `plugins/boundary`
   ([PR1](https://github.com/hashicorp/boundary/pull/3262),
   [PR2](https://github.com/hashicorp/boundary-plugin-aws/pull/24),
   [PR3](https://github.com/hashicorp/boundary-plugin-azure/pull/12),