diff --git a/enos/enos-scenario-e2e-aws-rdp-base.hcl b/enos/enos-scenario-e2e-aws-rdp-base.hcl index 935a1f9dc6..e39888aaed 100644 --- a/enos/enos-scenario-e2e-aws-rdp-base.hcl +++ b/enos/enos-scenario-e2e-aws-rdp-base.hcl @@ -29,6 +29,7 @@ scenario "e2e_aws_rdp_base" { local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null local_boundary_src_dir = var.local_boundary_src_dir != null ? abspath(var.local_boundary_src_dir) : null boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) + ip_version = "4" build_path_linux = { "local" = "/tmp", @@ -61,7 +62,7 @@ scenario "e2e_aws_rdp_base" { } step "create_base_infra" { - module = module.aws_vpc_ipv6 + module = local.ip_version == "4" ? module.aws_vpc : module.aws_vpc_ipv6 depends_on = [ step.find_azs, @@ -113,6 +114,7 @@ scenario "e2e_aws_rdp_base" { boundary_cli_zip_path = step.build_boundary_windows.artifact_path boundary_src_path = local.local_boundary_src_dir github_token = var.github_token + ip_version = local.ip_version } } @@ -138,7 +140,7 @@ scenario "e2e_aws_rdp_base" { kms_key_arn = step.create_base_infra.kms_key_arn storage_backend = "raft" unseal_method = "shamir" - ip_version = "dual" + ip_version = local.ip_version vault_release = { version = var.vault_version edition = "oss" @@ -160,6 +162,7 @@ scenario "e2e_aws_rdp_base" { variables { vpc_id = step.create_base_infra.vpc_id server_version = matrix.rdp_server == "2016" ? "2019" : matrix.rdp_server + ip_version = local.ip_version } } @@ -193,7 +196,7 @@ scenario "e2e_aws_rdp_base" { vault_address = step.create_vault_cluster.instance_public_ips[0] vault_transit_token = step.create_vault_cluster.vault_transit_token aws_region = var.aws_region - ip_version = "dual" + ip_version = local.ip_version recording_storage_path = "/recording" alb_sg_additional_ips = step.create_windows_client.public_ip_list } @@ -245,7 +248,7 @@ scenario "e2e_aws_rdp_base" { server_version = matrix.rdp_server == "2016" ? "2019" : matrix.rdp_server boundary_cli_zip_path = step.build_boundary_windows.artifact_path kms_key_arn = step.create_base_infra.kms_key_arn - controller_ip = step.create_boundary_cluster.public_controller_addresses[0] + controller_ip = step.create_boundary_cluster.controller_ips_private iam_name = step.create_boundary_cluster.iam_instance_profile_name boundary_security_group = step.create_boundary_cluster.boundary_sg_id active_directory_domain = step.create_rdp_domain_controller.domain_name @@ -255,6 +258,7 @@ scenario "e2e_aws_rdp_base" { domain_controller_private_key = step.create_rdp_domain_controller.ssh_private_key domain_controller_sec_group_id_list = step.create_rdp_domain_controller.security_group_id_list aws_region = var.aws_region + ip_version = local.ip_version } } @@ -275,6 +279,7 @@ scenario "e2e_aws_rdp_base" { domain_admin_password = step.create_rdp_domain_controller.password domain_controller_private_key = step.create_rdp_domain_controller.ssh_private_key domain_controller_sec_group_id_list = step.create_rdp_domain_controller.security_group_id_list + ip_version = local.ip_version } } diff --git a/enos/modules/aws_boundary/outputs.tf b/enos/modules/aws_boundary/outputs.tf index 9d87978a3a..d36524ba9a 100644 --- a/enos/modules/aws_boundary/outputs.tf +++ b/enos/modules/aws_boundary/outputs.tf @@ -6,6 +6,11 @@ output "controller_ips" { value = var.ip_version == "6" ? flatten(aws_instance.controller.*.ipv6_addresses) : aws_instance.controller.*.public_ip } +output "controller_ips_private" { + description = "Private IPs of boundary controllers" + value = var.ip_version == "6" || var.ip_version == "dual" ? flatten(aws_instance.controller.*.ipv6_addresses) : aws_instance.controller.*.private_ip +} + output "worker_ips" { description = "Public IPs of boundary workers" value = var.ip_version == "6" ? flatten(aws_instance.worker.*.ipv6_addresses) : aws_instance.worker.*.public_ip diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf index 81f5feea71..a38279aa65 100644 --- a/enos/modules/aws_rdp_domain_controller/main.tf +++ b/enos/modules/aws_rdp_domain_controller/main.tf @@ -78,7 +78,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -92,7 +92,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -107,7 +107,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -121,7 +121,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -136,7 +136,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -150,7 +150,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -165,7 +165,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -179,7 +179,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -194,7 +194,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -209,7 +209,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -223,7 +223,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], data.aws_vpc.infra.ipv6_cidr_block ]) @@ -238,7 +238,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], ]) } @@ -251,7 +251,7 @@ resource "aws_security_group" "rdp_ingress" { formatlist("%s/32", data.enos_environment.current.public_ipv4_addresses), join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block), ]) - ipv6_cidr_blocks = flatten([ + ipv6_cidr_blocks = var.ip_version == "4" ? [] : flatten([ [for ip in coalesce(data.enos_environment.current.public_ipv6_addresses, []) : cidrsubnet("${ip}/64", 0, 0)], ]) } @@ -268,7 +268,7 @@ resource "aws_security_group" "allow_all_internal" { protocol = "-1" self = true cidr_blocks = [data.aws_vpc.infra.cidr_block] - ipv6_cidr_blocks = [data.aws_vpc.infra.ipv6_cidr_block] + ipv6_cidr_blocks = var.ip_version == "4" ? [] : [data.aws_vpc.infra.ipv6_cidr_block] } egress { @@ -297,7 +297,7 @@ resource "aws_instance" "domain_controller" { vpc_security_group_ids = [aws_security_group.rdp_ingress.id, aws_security_group.allow_all_internal.id] key_name = aws_key_pair.rdp-key.key_name subnet_id = data.aws_subnets.infra.ids[0] - ipv6_address_count = 1 + ipv6_address_count = var.ip_version == "6" || var.ip_version == "dual" ? 1 : 0 root_block_device { volume_type = "gp2" diff --git a/enos/modules/aws_rdp_domain_controller/variables.tf b/enos/modules/aws_rdp_domain_controller/variables.tf index 7d1693fe80..9b0565415b 100644 --- a/enos/modules/aws_rdp_domain_controller/variables.tf +++ b/enos/modules/aws_rdp_domain_controller/variables.tf @@ -39,6 +39,12 @@ variable "aws_key_pair_name" { default = "RDPKey" } +variable "ip_version" { + type = string + description = "IP version to use for security group rules. Valid values are '4', '6', or 'dual'." + default = "4" +} + # ================================================================= # domain information # ================================================================= @@ -46,4 +52,4 @@ variable "active_directory_domain" { type = string description = "The name of the Active Directory domain to be created on the Windows Domain Controller." default = "mydomain.com" -} \ No newline at end of file +} diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf index 1b712788d8..c3d64d8825 100644 --- a/enos/modules/aws_rdp_member_server/main.tf +++ b/enos/modules/aws_rdp_member_server/main.tf @@ -48,7 +48,7 @@ resource "aws_instance" "member_server" { vpc_security_group_ids = var.domain_controller_sec_group_id_list key_name = var.domain_controller_aws_keypair_name subnet_id = data.aws_subnets.infra.ids[0] - ipv6_address_count = 1 + ipv6_address_count = var.ip_version == "6" || var.ip_version == "dual" ? 1 : 0 root_block_device { volume_type = "gp2" diff --git a/enos/modules/aws_rdp_member_server/variables.tf b/enos/modules/aws_rdp_member_server/variables.tf index 9640902616..d924f529a3 100644 --- a/enos/modules/aws_rdp_member_server/variables.tf +++ b/enos/modules/aws_rdp_member_server/variables.tf @@ -44,6 +44,12 @@ variable "active_directory_domain" { description = "The name of the Active Directory domain to be created on the Windows Domain Controller." } +variable "ip_version" { + type = string + description = "IP version to use for security group rules. Valid values are '4', '6', or 'dual'." + default = "4" +} + # ================================================================= # domain controller information # ================================================================= @@ -76,4 +82,4 @@ variable "kerberos_only" { type = bool description = "Only allow kerberos auth" default = false -} \ No newline at end of file +} diff --git a/enos/modules/aws_rdp_member_server_with_worker/main.tf b/enos/modules/aws_rdp_member_server_with_worker/main.tf index 62fbbafb90..4fc906c74a 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/main.tf +++ b/enos/modules/aws_rdp_member_server_with_worker/main.tf @@ -75,7 +75,7 @@ resource "aws_instance" "worker" { key_name = var.domain_controller_aws_keypair_name subnet_id = data.aws_subnets.infra.ids[0] iam_instance_profile = var.iam_name - ipv6_address_count = 1 + ipv6_address_count = var.ip_version == "6" || var.ip_version == "dual" ? 1 : 0 root_block_device { volume_type = "gp2" @@ -312,7 +312,7 @@ resource "local_file" "worker_config" { enos_local_exec.add_boundary_cli, ] content = templatefile("${path.module}/${var.worker_config_file_path}", { - controller_ip = var.controller_ip + controller_ip = var.ip_version == "4" ? jsonencode(var.controller_ip) : jsonencode(formatlist("[%s]:9201", flatten(var.controller_ip))) aws_kms_key = data.aws_kms_key.kms_key.id aws_region = var.aws_region worker_public_ip = aws_instance.worker.public_ip diff --git a/enos/modules/aws_rdp_member_server_with_worker/scripts/worker.hcl b/enos/modules/aws_rdp_member_server_with_worker/scripts/worker.hcl index 23526d2b27..378c2f063f 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/scripts/worker.hcl +++ b/enos/modules/aws_rdp_member_server_with_worker/scripts/worker.hcl @@ -18,7 +18,7 @@ listener "tcp" { worker { public_addr = "${worker_public_ip}" name = "win-worker-0" - initial_upstreams = ["[${controller_ip}]:9201"] + initial_upstreams = ${controller_ip} tags { type = ["worker", "rdp", "windows"] } diff --git a/enos/modules/aws_rdp_member_server_with_worker/variables.tf b/enos/modules/aws_rdp_member_server_with_worker/variables.tf index 7bf52cefb5..d0ab961e75 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/variables.tf +++ b/enos/modules/aws_rdp_member_server_with_worker/variables.tf @@ -33,6 +33,12 @@ variable "prefix" { default = "enos" } +variable "ip_version" { + type = string + description = "IP version to use for security group rules. Valid values are '4', '6', or 'dual'." + default = "4" +} + # ================================================================= # aws configuration variables # ================================================================= @@ -50,8 +56,8 @@ variable "aws_region" { variable "controller_ip" { description = "IP address of the controller instance" - type = string - default = "" + type = list(string) + default = [] } variable "iam_name" { diff --git a/enos/modules/aws_windows_client/main.tf b/enos/modules/aws_windows_client/main.tf index daa6f0a282..df247f978d 100644 --- a/enos/modules/aws_windows_client/main.tf +++ b/enos/modules/aws_windows_client/main.tf @@ -142,7 +142,7 @@ resource "aws_instance" "client" { vpc_security_group_ids = [aws_security_group.windows_client.id] key_name = aws_key_pair.rdp-key.key_name subnet_id = data.aws_subnets.infra.ids[0] - ipv6_address_count = 1 + ipv6_address_count = var.ip_version == "6" || var.ip_version == "dual" ? 1 : 0 root_block_device { volume_type = "gp2" diff --git a/enos/modules/aws_windows_client/scripts/setup.ps1 b/enos/modules/aws_windows_client/scripts/setup.ps1 index fade50bc06..ec8d9a3a67 100644 --- a/enos/modules/aws_windows_client/scripts/setup.ps1 +++ b/enos/modules/aws_windows_client/scripts/setup.ps1 @@ -87,4 +87,8 @@ if ("${github_token}" -ne "") { $newPath, [EnvironmentVariableTarget]::Machine ) + + # go mod download + cd $src_destination + go mod download } diff --git a/enos/modules/aws_windows_client/variables.tf b/enos/modules/aws_windows_client/variables.tf index 3632f7acb4..31c890148e 100644 --- a/enos/modules/aws_windows_client/variables.tf +++ b/enos/modules/aws_windows_client/variables.tf @@ -33,6 +33,12 @@ variable "prefix" { default = "enos" } +variable "ip_version" { + type = string + description = "IP version to use for security group rules. Valid values are '4', '6', or 'dual'." + default = "4" +} + # ================================================================= # additional resources # =================================================================