Merge remote-tracking branch 'remotes/from/ce/main'

Author: hc-github-team-secure-vault-core

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -197,6 +197,7 @@ jobs:
             echo 'ENOS_VAR_vault_revision=${{ inputs.vault-revision }}'
             echo 'ENOS_VAR_vault_upgrade_initial_version=${{ matrix.attributes.upgrade_initial_version }}'
             echo 'ENOS_VAR_verify_aws_secrets_engine=false'
+            echo 'ENOS_VAR_verify_kmip_secrets_engine=true'
             echo 'ENOS_VAR_verify_ldap_secrets_engine=false'
             echo 'ENOS_VAR_verify_log_secrets=true'
           } | tee -a "$GITHUB_ENV"

changelog/_9394.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui/auth: the role field on the SAML login form now auto-fills from the `role` URL query string parameter
+```

enos/enos-modules.hcl

@@ -333,6 +333,7 @@ module "vault_verify_secrets_engines_create" {
 
   aws_enabled       = var.verify_aws_secrets_engine
   ldap_enabled      = var.verify_ldap_secrets_engine
+  kmip_enabled      = var.verify_kmip_secrets_engine
   vault_install_dir = var.vault_install_dir
 }
 
@@ -341,6 +342,7 @@ module "vault_verify_secrets_engines_read" {
 
   aws_enabled       = var.verify_aws_secrets_engine
   ldap_enabled      = var.verify_ldap_secrets_engine
+  kmip_enabled      = var.verify_kmip_secrets_engine
   vault_install_dir = var.vault_install_dir
 }
 

enos/enos-variables.hcl

@@ -205,6 +205,12 @@ variable "verify_aws_secrets_engine" {
   default     = false
 }
 
+variable "verify_kmip_secrets_engine" {
+  description = "If true we'll verify KMIP secrets engines behavior"
+  type        = bool
+  default     = false
+}
+
 variable "verify_ldap_secrets_engine" {
   description = "If true we'll verify LDAP secrets engines behavior"
   type        = bool

enos/modules/verify_secrets_engines/modules/create/kmip.tf

@@ -1,182 +1,27 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-variable "kmip_listen_address" {
-  type        = string
-  description = "The KMIP listen address for the Vault server"
-  default     = "0.0.0.0"
+module "create_kmip_secret_engine" {
+  depends_on = [
+    enos_remote_exec.policy_write_kv_writer,
+  ]
+  count  = var.kmip_enabled ? 1 : 0
+  source = "./kmip"
+
+  integration_host_state = var.integration_host_state
+  ip_version             = var.ip_version
+  leader_host            = var.leader_host
+  ports                  = var.ports
+  vault_addr             = var.vault_addr
+  vault_edition          = var.vault_edition
+  vault_root_token       = var.vault_root_token
+  vault_install_dir      = var.vault_install_dir
 }
 
 locals {
-  kmip_scope_name  = "kmip_scope"
-  kmip_role_name   = "kmip_role"
-  kmip_cert_format = "pem"
-  kmip_mount_path  = "kmip"
-
-  // Response data - only access if Vault Enterprise (count > 0)
-  server_ca   = var.vault_edition == "ce" ? "" : enos_remote_exec.kmip_configure[0].stdout
-  client_cert = var.vault_edition == "ce" ? "" : enos_remote_exec.kmip_generate_certificate[0].stdout
-
-  kmip_output = {
-    server_ca      = local.server_ca
-    client_cert    = local.client_cert
-    test_server_ip = var.integration_host_state.kmip.host.public_ip
-    port           = var.ports.kmip.port
-  }
+  kmip_output = var.kmip_enabled ? module.create_kmip_secret_engine[0].kmip : null
 }
 
 output "kmip" {
   value = local.kmip_output
 }
-
-resource "enos_remote_exec" "secrets_enable_kmip_secret" {
-  environment = {
-    ENGINE            = "kmip"
-    MOUNT             = local.kmip_mount_path
-    VAULT_ADDR        = var.vault_addr
-    VAULT_TOKEN       = var.vault_root_token
-    VAULT_INSTALL_DIR = var.vault_install_dir
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-resource "enos_remote_exec" "kmip_configure" {
-  depends_on = [enos_remote_exec.secrets_enable_kmip_secret]
-  environment = {
-    MOUNT             = local.kmip_mount_path
-    VAULT_ADDR        = var.vault_addr
-    VAULT_TOKEN       = var.vault_root_token
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    KMIP_MOUNT        = local.kmip_mount_path
-    KMIP_LISTEN_ADDR  = var.kmip_listen_address
-    KMIP_PORT         = var.ports.kmip.port
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/kmip/kmip-configure.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-# Creating KMIP Scope
-resource "enos_remote_exec" "kmip_create_scope" {
-  depends_on = [enos_remote_exec.kmip_configure]
-
-  environment = {
-    REQPATH           = "${local.kmip_mount_path}/scope/${local.kmip_scope_name}"
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/write.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-# Creating KMIP Role
-resource "enos_remote_exec" "kmip_create_role" {
-  depends_on = [enos_remote_exec.kmip_create_scope]
-
-  environment = {
-    REQPATH = "${local.kmip_mount_path}/scope/${local.kmip_scope_name}/role/${local.kmip_role_name}"
-    PAYLOAD = jsonencode({
-      operation_all = true,
-    })
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/write.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-# Generating KMIP Certificate
-resource "enos_remote_exec" "kmip_generate_certificate" {
-  depends_on = [enos_remote_exec.kmip_create_role]
-
-  environment = {
-    MOUNT             = local.kmip_mount_path
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-    SCOPE_NAME        = local.kmip_scope_name
-    ROLE_NAME         = local.kmip_role_name
-    CERT_FORMAT       = local.kmip_cert_format
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/kmip/kmip-generate-cert.sh")]
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}
-
-# Managing KMIP Roles
-resource "enos_remote_exec" "kmip_manage_roles" {
-  depends_on = [enos_remote_exec.kmip_generate_certificate]
-  environment = {
-    REQPATH = "${local.kmip_mount_path}/scope/${local.kmip_scope_name}/role/${local.kmip_role_name}"
-    PAYLOAD = jsonencode({
-      operation_activate = true,
-      operation_create   = true,
-      operation_get      = true
-    })
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  // Only perform KMIP operations for Vault Enterprise
-  // The KMIP secrets engine is not available in Vault CE
-  count = var.vault_edition == "ce" ? 0 : 1
-
-  scripts = [abspath("${path.module}/../../scripts/write.sh")]
-
-  transport = {
-    ssh = {
-      host = var.leader_host.public_ip
-    }
-  }
-}