From f214ba119a508e7787e903b67aede5731d35011f Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 2 Jun 2023 14:17:41 -0400 Subject: [PATCH] backport of commit 0115b5e43a41e757a533a828314c615456506eac (#20961) Co-authored-by: Mike Baum --- command/test-backend/main.go | 1 + enos/enos-scenario-agent.hcl | 20 ++++--- enos/enos-scenario-autopilot.hcl | 10 +++- enos/enos-scenario-replication.hcl | 35 +++++++----- enos/enos-scenario-smoke.hcl | 20 ++++--- enos/enos-scenario-ui.hcl | 18 ++++-- enos/enos-scenario-upgrade.hcl | 20 ++++--- enos/enos-variables.hcl | 6 ++ enos/modules/build_local/main.tf | 2 +- enos/modules/get_local_metadata/main.tf | 4 +- enos/modules/vault_cluster/main.tf | 57 ++++++++++++++++++- enos/modules/vault_cluster/outputs.tf | 5 ++ .../scripts/create_audit_log_dir.sh | 8 +++ .../scripts/enable_audit_logging.sh | 5 ++ enos/modules/vault_cluster/variables.tf | 6 ++ enos/modules/vault_get_cluster_ips/main.tf | 2 +- enos/modules/vault_setup_perf_primary/main.tf | 2 +- enos/modules/vault_unseal_nodes/main.tf | 6 +- .../main.tf | 4 +- enos/modules/vault_verify_read_data/main.tf | 2 +- enos/modules/vault_verify_write_data/main.tf | 4 +- 21 files changed, 179 insertions(+), 58 deletions(-) create mode 100644 command/test-backend/main.go create mode 100755 enos/modules/vault_cluster/scripts/create_audit_log_dir.sh create mode 100644 enos/modules/vault_cluster/scripts/enable_audit_logging.sh diff --git a/command/test-backend/main.go b/command/test-backend/main.go new file mode 100644 index 000000000000..90ffa4e77270 --- /dev/null +++ b/command/test-backend/main.go @@ -0,0 +1 @@ +package test_backend diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl index 29a1204aae83..dcda4647d461 100644 --- a/enos/enos-scenario-agent.hcl +++ b/enos/enos-scenario-agent.hcl @@ -140,13 +140,14 @@ scenario "agent" { config_env_vars = { VAULT_LOG_LEVEL = var.vault_log_level } - install_dir = var.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = "raft" - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = "shamir" + install_dir = var.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = "raft" + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = "shamir" + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -241,4 +242,9 @@ scenario "agent" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl index 53861119863f..b06fa8547b95 100644 --- a/enos/enos-scenario-autopilot.hcl +++ b/enos/enos-scenario-autopilot.hcl @@ -159,8 +159,9 @@ scenario "autopilot" { storage_backend_addl_config = { autopilot_upgrade_version = var.vault_autopilot_initial_release.version } - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -518,4 +519,9 @@ scenario "autopilot" { description = "The Vault cluster public IPs" value = step.upgrade_vault_cluster_with_autopilot.public_ips } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-replication.hcl b/enos/enos-scenario-replication.hcl index 655bf0f55131..27e24765f458 100644 --- a/enos/enos-scenario-replication.hcl +++ b/enos/enos-scenario-replication.hcl @@ -184,13 +184,14 @@ scenario "replication" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.primary_backend - target_hosts = step.create_primary_cluster_targets.hosts - unseal_method = matrix.primary_seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.primary_backend + target_hosts = step.create_primary_cluster_targets.hosts + unseal_method = matrix.primary_seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -257,13 +258,14 @@ scenario "replication" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.secondary_backend - target_hosts = step.create_secondary_cluster_targets.hosts - unseal_method = matrix.secondary_seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.secondary_backend + target_hosts = step.create_secondary_cluster_targets.hosts + unseal_method = matrix.secondary_seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -729,4 +731,9 @@ scenario "replication" { description = "The Vault updated secondary cluster primaries connection status" value = step.verify_updated_performance_replication.secondary_replication_data_primaries } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_primary_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index 9055b8cc12df..82b61d6a57ce 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl @@ -187,13 +187,14 @@ scenario "smoke" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - packages = local.packages - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + packages = local.packages + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -381,4 +382,9 @@ scenario "smoke" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-ui.hcl b/enos/enos-scenario-ui.hcl index b1f56582702c..619cd73efc21 100644 --- a/enos/enos-scenario-ui.hcl +++ b/enos/enos-scenario-ui.hcl @@ -150,12 +150,13 @@ scenario "ui" { edition = var.backend_edition version = local.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - local_artifact_path = local.bundle_path - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = local.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + local_artifact_path = local.bundle_path + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = local.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -240,4 +241,9 @@ scenario "ui" { description = "The stdout of the ui tests that ran" value = step.test_ui.ui_test_stdout } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index 5a8a52e6f048..d39715b43c6c 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl @@ -181,13 +181,14 @@ scenario "upgrade" { edition = var.backend_edition version = matrix.consul_version } : null - install_dir = local.vault_install_dir - license = matrix.edition != "oss" ? step.read_license.license : null - packages = local.packages - release = var.vault_upgrade_initial_release - storage_backend = matrix.backend - target_hosts = step.create_vault_cluster_targets.hosts - unseal_method = matrix.seal + install_dir = local.vault_install_dir + license = matrix.edition != "oss" ? step.read_license.license : null + packages = local.packages + release = var.vault_upgrade_initial_release + storage_backend = matrix.backend + target_hosts = step.create_vault_cluster_targets.hosts + unseal_method = matrix.seal + enable_file_audit_device = var.vault_enable_file_audit_device } } @@ -398,4 +399,9 @@ scenario "upgrade" { description = "The Vault cluster unseal keys hex" value = step.create_vault_cluster.unseal_keys_hex } + + output "vault_audit_device_file_path" { + description = "The file path for the file audit device, if enabled" + value = step.create_vault_cluster.audit_device_file_path + } } diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl index ecbd7fd63e59..1d0aea6ebd6b 100644 --- a/enos/enos-variables.hcl +++ b/enos/enos-variables.hcl @@ -197,3 +197,9 @@ variable "ui_run_tests" { description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run" default = true } + +variable "vault_enable_file_audit_device" { + description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log" + type = bool + default = true +} diff --git a/enos/modules/build_local/main.tf b/enos/modules/build_local/main.tf index 7688c843b08e..11f29585eca7 100644 --- a/enos/modules/build_local/main.tf +++ b/enos/modules/build_local/main.tf @@ -58,7 +58,7 @@ variable "product_version" { } resource "enos_local_exec" "build" { - scripts = ["${path.module}/scripts/build.sh"] + scripts = [abspath("${path.module}/scripts/build.sh")] environment = { BUNDLE_PATH = var.bundle_path, diff --git a/enos/modules/get_local_metadata/main.tf b/enos/modules/get_local_metadata/main.tf index d0749c669a90..fd33673470ef 100644 --- a/enos/modules/get_local_metadata/main.tf +++ b/enos/modules/get_local_metadata/main.tf @@ -7,7 +7,7 @@ terraform { } resource "enos_local_exec" "get_build_date" { - scripts = ["${path.module}/scripts/build_date.sh"] + scripts = [abspath("${path.module}/scripts/build_date.sh")] } output "build_date" { @@ -15,7 +15,7 @@ output "build_date" { } resource "enos_local_exec" "get_version" { - scripts = ["${path.module}/scripts/version.sh"] + scripts = [abspath("${path.module}/scripts/version.sh")] } output "version" { diff --git a/enos/modules/vault_cluster/main.tf b/enos/modules/vault_cluster/main.tf index 08455ca8f648..a0034e29584f 100644 --- a/enos/modules/vault_cluster/main.tf +++ b/enos/modules/vault_cluster/main.tf @@ -61,6 +61,8 @@ locals { path = "vault" }) ] + audit_device_file_path = "/var/log/vault_audit.log" + vault_service_user = "vault" } resource "enos_remote_exec" "install_packages" { @@ -165,7 +167,7 @@ resource "enos_vault_start" "leader" { } license = var.license manage_service = var.manage_service - username = "vault" + username = local.vault_service_user unit_name = "vault" transport = { @@ -204,7 +206,7 @@ resource "enos_vault_start" "followers" { } license = var.license manage_service = var.manage_service - username = "vault" + username = local.vault_service_user unit_name = "vault" transport = { @@ -214,6 +216,31 @@ resource "enos_vault_start" "followers" { } } +# We need to ensure that the directory used for audit logs is present and accessible to the vault +# user on all nodes, since logging will only happen on the leader. +resource "enos_remote_exec" "create_audit_log_dir" { + depends_on = [ + enos_vault_start.followers, + ] + for_each = toset([ + for idx, host in toset(local.instances) : idx + if var.enable_file_audit_device + ]) + + environment = { + LOG_FILE_PATH = local.audit_device_file_path + SERVICE_USER = local.vault_service_user + } + + scripts = [abspath("${path.module}/scripts/create_audit_log_dir.sh")] + + transport = { + ssh = { + host = var.target_hosts[each.value].public_ip + } + } +} + resource "enos_vault_init" "leader" { depends_on = [ enos_vault_start.followers, @@ -258,6 +285,32 @@ resource "enos_vault_unseal" "leader" { } } +resource "enos_remote_exec" "enable_file_audit_device" { + depends_on = [ + enos_vault_unseal.leader, + ] + for_each = toset([ + for idx in local.leader : idx + if var.enable_file_audit_device + ]) + + environment = { + VAULT_TOKEN = enos_vault_init.leader[each.key].root_token + VAULT_ADDR = "http://127.0.0.1:8200" + VAULT_BIN_PATH = local.bin_path + LOG_FILE_PATH = local.audit_device_file_path + SERVICE_USER = local.vault_service_user + } + + scripts = [abspath("${path.module}/scripts/enable_audit_logging.sh")] + + transport = { + ssh = { + host = var.target_hosts[each.key].public_ip + } + } +} + resource "enos_vault_unseal" "followers" { depends_on = [ enos_vault_init.leader, diff --git a/enos/modules/vault_cluster/outputs.tf b/enos/modules/vault_cluster/outputs.tf index 8e72ef44668b..81996205065c 100644 --- a/enos/modules/vault_cluster/outputs.tf +++ b/enos/modules/vault_cluster/outputs.tf @@ -53,3 +53,8 @@ output "cluster_name" { description = "The Vault cluster name" value = var.cluster_name } + +output "audit_device_file_path" { + description = "The file path for the audit device, if enabled" + value = var.enable_file_audit_device ? local.audit_device_file_path : "file audit device not enabled" +} diff --git a/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh b/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh new file mode 100755 index 000000000000..582bfdb14337 --- /dev/null +++ b/enos/modules/vault_cluster/scripts/create_audit_log_dir.sh @@ -0,0 +1,8 @@ +#!/bin/env sh + +set -eux + +LOG_DIR=$(dirname "$LOG_FILE_PATH") + +sudo mkdir -p "$LOG_DIR" +sudo chown "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR" diff --git a/enos/modules/vault_cluster/scripts/enable_audit_logging.sh b/enos/modules/vault_cluster/scripts/enable_audit_logging.sh new file mode 100644 index 000000000000..71e7d8d9d092 --- /dev/null +++ b/enos/modules/vault_cluster/scripts/enable_audit_logging.sh @@ -0,0 +1,5 @@ +#!/bin/env sh + +set -eux + +sudo su "$SERVICE_USER" -c "VAULT_TOKEN=$VAULT_TOKEN VAULT_ADDR=$VAULT_ADDR $VAULT_BIN_PATH audit enable file file_path=$LOG_FILE_PATH" diff --git a/enos/modules/vault_cluster/variables.tf b/enos/modules/vault_cluster/variables.tf index d7be243e2efb..5976ff36176e 100644 --- a/enos/modules/vault_cluster/variables.tf +++ b/enos/modules/vault_cluster/variables.tf @@ -174,3 +174,9 @@ variable "unseal_method" { error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported." } } + +variable "enable_file_audit_device" { + description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log" + type = bool + default = true +} diff --git a/enos/modules/vault_get_cluster_ips/main.tf b/enos/modules/vault_get_cluster_ips/main.tf index dcb251358fd3..a288798e60d7 100644 --- a/enos/modules/vault_get_cluster_ips/main.tf +++ b/enos/modules/vault_get_cluster_ips/main.tf @@ -74,7 +74,7 @@ resource "enos_remote_exec" "get_leader_private_ip" { VAULT_INSTANCE_PRIVATE_IPS = jsonencode(local.instance_private_ips) } - scripts = ["${path.module}/scripts/get-leader-private-ip.sh"] + scripts = [abspath("${path.module}/scripts/get-leader-private-ip.sh")] transport = { ssh = { diff --git a/enos/modules/vault_setup_perf_primary/main.tf b/enos/modules/vault_setup_perf_primary/main.tf index 474c255a7a59..85f5cc910c76 100644 --- a/enos/modules/vault_setup_perf_primary/main.tf +++ b/enos/modules/vault_setup_perf_primary/main.tf @@ -39,7 +39,7 @@ resource "enos_remote_exec" "configure_pr_primary" { vault_install_dir = var.vault_install_dir } - scripts = ["${path.module}/scripts/configure-vault-pr-primary.sh"] + scripts = [abspath("${path.module}/scripts/configure-vault-pr-primary.sh")] transport = { ssh = { diff --git a/enos/modules/vault_unseal_nodes/main.tf b/enos/modules/vault_unseal_nodes/main.tf index 47797dcf9cb0..2bd1c6c0fbf3 100644 --- a/enos/modules/vault_unseal_nodes/main.tf +++ b/enos/modules/vault_unseal_nodes/main.tf @@ -45,7 +45,7 @@ resource "enos_remote_exec" "wait_until_sealed" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/wait-until-sealed.sh"] + scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")] transport = { ssh = { @@ -89,7 +89,7 @@ resource "enos_remote_exec" "unseal_followers" { UNSEAL_KEYS = join(",", var.vault_unseal_keys) } - scripts = ["${path.module}/scripts/unseal-node.sh"] + scripts = [abspath("${path.module}/scripts/unseal-node.sh")] transport = { ssh = { @@ -114,7 +114,7 @@ resource "enos_remote_exec" "unseal_followers_again" { UNSEAL_KEYS = join(",", var.vault_unseal_keys) } - scripts = ["${path.module}/scripts/unseal-node.sh"] + scripts = [abspath("${path.module}/scripts/unseal-node.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_performance_replication/main.tf b/enos/modules/vault_verify_performance_replication/main.tf index 910b4dd4f1df..a44eec5b0dc6 100644 --- a/enos/modules/vault_verify_performance_replication/main.tf +++ b/enos/modules/vault_verify_performance_replication/main.tf @@ -56,7 +56,7 @@ resource "enos_remote_exec" "verify_replication_status_on_primary" { SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip } - scripts = ["${path.module}/scripts/verify-replication-status.sh"] + scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")] transport = { ssh = { @@ -73,7 +73,7 @@ resource "enos_remote_exec" "verify_replication_status_on_secondary" { SECONDARY_LEADER_PRIV_IP = var.secondary_leader_private_ip } - scripts = ["${path.module}/scripts/verify-replication-status.sh"] + scripts = [abspath("${path.module}/scripts/verify-replication-status.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_read_data/main.tf b/enos/modules/vault_verify_read_data/main.tf index 8a881bb4b56d..a104e1d677a0 100644 --- a/enos/modules/vault_verify_read_data/main.tf +++ b/enos/modules/vault_verify_read_data/main.tf @@ -35,7 +35,7 @@ resource "enos_remote_exec" "verify_kv_on_node" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/verify-data.sh"] + scripts = [abspath("${path.module}/scripts/verify-data.sh")] transport = { ssh = { diff --git a/enos/modules/vault_verify_write_data/main.tf b/enos/modules/vault_verify_write_data/main.tf index 77b700dfd04a..afb2cf2bc28c 100644 --- a/enos/modules/vault_verify_write_data/main.tf +++ b/enos/modules/vault_verify_write_data/main.tf @@ -60,7 +60,7 @@ resource "enos_remote_exec" "smoke-enable-secrets-kv" { VAULT_INSTALL_DIR = var.vault_install_dir } - scripts = ["${path.module}/scripts/smoke-enable-secrets-kv.sh"] + scripts = [abspath("${path.module}/scripts/smoke-enable-secrets-kv.sh")] transport = { ssh = { @@ -82,7 +82,7 @@ resource "enos_remote_exec" "smoke-write-test-data" { TEST_VALUE = "fire" } - scripts = ["${path.module}/scripts/smoke-write-test-data.sh"] + scripts = [abspath("${path.module}/scripts/smoke-write-test-data.sh")] transport = { ssh = {