test(e2e): Add test that uses new worker resource (#3177)

3 years ago · 33f3a5ff9c
parent 98a6318760
commit 33f3a5ff9c
6 changed files with 165 additions and 11 deletions
--- a/enos/enos-scenario-e2e-aws.hcl
+++ b/enos/enos-scenario-e2e-aws.hcl
@ -167,13 +167,53 @@ scenario "e2e_aws" {
    }
  }

+  step "create_isolated_worker" {
+    module     = module.worker
+    depends_on = [step.create_boundary_cluster]
+    variables {
+      vpc_name                  = step.create_base_infra.vpc_id
+      availability_zones        = step.create_base_infra.availability_zone_names
+      kms_key_arn               = step.create_base_infra.kms_key_arn
+      ubuntu_ami_id             = step.create_base_infra.ami_ids["ubuntu"]["amd64"]
+      local_artifact_path       = step.build_boundary.artifact_path
+      boundary_install_dir      = local.boundary_install_dir
+      iam_instance_profile_name = step.create_boundary_cluster.iam_instance_profile_name
+      name_prefix               = step.create_boundary_cluster.name_prefix
+      cluster_tag               = step.create_boundary_cluster.cluster_tag
+      controller_addresses      = step.create_boundary_cluster.public_controller_addresses
+      controller_sg_id          = step.create_boundary_cluster.controller_aux_sg_id
+      worker_type_tags          = ["worker_e2e_test"]
+    }
+  }
+
+  step "create_isolated_target" {
+    module = module.target
+    depends_on = [
+      step.create_base_infra,
+      step.create_isolated_worker
+    ]
+
+    variables {
+      ami_id               = step.create_base_infra.ami_ids["ubuntu"]["amd64"]
+      aws_ssh_keypair_name = var.aws_ssh_keypair_name
+      enos_user            = var.enos_user
+      instance_type        = var.target_instance_type
+      vpc_id               = step.create_base_infra.vpc_id
+      target_count         = 1
+      subnet_ids           = step.create_isolated_worker.subnet_ids
+      ingress_cidr         = ["10.13.9.0/24"]
+    }
+  }
+
  step "run_e2e_test" {
    module = module.test_e2e
    depends_on = [
      step.create_boundary_cluster,
      step.create_targets_with_tag1,
      step.create_targets_with_tag2,
-      step.iam_setup
+      step.iam_setup,
+      step.create_isolated_worker,
+      step.create_isolated_target
    ]

    variables {
@ -193,6 +233,8 @@ scenario "e2e_aws" {
      aws_host_set_ips1        = step.create_targets_with_tag1.target_ips
      aws_host_set_filter2     = step.create_tag2_inputs.tag_string
      aws_host_set_ips2        = step.create_targets_with_tag2.target_ips
+      target_ip                = step.create_isolated_target.target_ips[0]
+      worker_tags              = step.create_isolated_worker.worker_tags
    }
  }

--- a/enos/modules/target/main.tf
+++ b/enos/modules/target/main.tf
@ -13,6 +13,10 @@ variable "enos_user" {}
 variable "additional_tags" {
  default = {}
 }
+variable "ingress_cidr" {
+  type    = list(string)
+  default = ["10.0.0.0/8"]
+}

 resource "aws_security_group" "boundary_target" {
  name_prefix = "boundary-target-sg"
@ -24,7 +28,7 @@ resource "aws_security_group" "boundary_target" {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
-    cidr_blocks = ["10.0.0.0/8"]
+    cidr_blocks = var.ingress_cidr
  }

  egress {
--- a/enos/modules/test_e2e/main.tf
+++ b/enos/modules/test_e2e/main.tf
@ -112,6 +112,10 @@ variable "aws_host_set_ips2" {
  type        = list(string)
  default     = [""]
 }
+variable "worker_tags" {
+  type    = list(string)
+  default = [""]
+}

 locals {
  aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
@ -142,6 +146,7 @@ resource "enos_local_exec" "run_e2e_test" {
    E2E_AWS_HOST_SET_IPS          = local.aws_host_set_ips1,
    E2E_AWS_HOST_SET_FILTER2      = var.aws_host_set_filter2,
    E2E_AWS_HOST_SET_IPS2         = local.aws_host_set_ips2
+    E2E_WORKER_TAG                = jsonencode(var.worker_tags),
  }

  inline = var.debug_no_run ? [""] : ["set -o pipefail; PATH=\"${var.local_boundary_dir}:$PATH\" go test -v ${var.test_package} -count=1 -json | tparse -follow -format plain 2>&1 | tee ${path.module}/../../test-e2e-${local.package_name}.log"]
--- a/enos/modules/worker/main.tf
+++ b/enos/modules/worker/main.tf
@ -81,19 +81,18 @@ resource "aws_security_group" "default" {
    cidr_blocks = ["${data.enos_environment.current.public_ip_address}/32"]
  }

-  egress {
-    description = "Communication from Boundary worker to controller"
-    from_port   = 9201
-    to_port     = 9201
+  ingress {
+    description = "Communication from Boundary controller to worker"
+    from_port   = 9202
+    to_port     = 9202
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
-    description = "Communication from Boundary worker to controller"
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

--- a/testing/internal/e2e/tests/aws/env_test.go
+++ b/testing/internal/e2e/tests/aws/env_test.go
@ -14,7 +14,9 @@ type config struct {
 	AwsHostSetIps2     string `envconfig:"E2E_AWS_HOST_SET_IPS2" required:"true"`    // e.g. "[\"1.2.3.4\"]"
 	TargetSshKeyPath   string `envconfig:"E2E_SSH_KEY_PATH" required:"true"`         // e.g. "/Users/username/key.pem"
 	TargetSshUser      string `envconfig:"E2E_SSH_USER" required:"true"`             // e.g. "ubuntu"
-	TargetPort         string `envconfig:"E2E_SSH_PORT" required:"true"`
+	TargetPort         string `envconfig:"E2E_SSH_PORT" required:"true"`             // e.g. "22"
+	TargetIp           string `envconfig:"E2E_TARGET_IP" required:"true"`            // e.g. "192.168.0.1"
+	WorkerTags         string `envconfig:"E2E_WORKER_TAG" required:"true"`           // e.g. "[\"tag1\", \"tag2\"]"
 }

 func loadConfig() (*config, error) {
--- a/testing/internal/e2e/tests/aws/worker_test.go
+++ b/testing/internal/e2e/tests/aws/worker_test.go
@ -0,0 +1,102 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package aws_test
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/boundary/testing/internal/e2e"
+	"github.com/hashicorp/boundary/testing/internal/e2e/boundary"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCliWorker(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+	c, err := loadConfig()
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	boundary.AuthenticateAdminCli(t, ctx)
+	newOrgId := boundary.CreateNewOrgCli(t, ctx)
+	t.Cleanup(func() {
+		ctx := context.Background()
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", newOrgId))
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	newProjectId := boundary.CreateNewProjectCli(t, ctx, newOrgId)
+	newTargetId := boundary.CreateNewAddressTargetCli(t, ctx, newProjectId, c.TargetPort, c.TargetIp)
+
+	// Set incorrect worker filter, expect connection failure
+	t.Logf("Setting incorrect worker filter...")
+	output := e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"targets", "update", "tcp",
+			"-id", newTargetId,
+			"-egress-worker-filter", `"prod" in "/tags/type"`,
+			"-format", "json",
+		),
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	output = e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"connect",
+			"-target-id", newTargetId,
+			"-exec", "/usr/bin/ssh", "--",
+			"-l", c.TargetSshUser,
+			"-i", c.TargetSshKeyPath,
+			"-o", "UserKnownHostsFile=/dev/null",
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes", // forces the use of the provided key
+			"-o", "ConnectTimeout=3",
+			"-p", "{{boundary.port}}", // this is provided by boundary
+			"{{boundary.ip}}",
+			"hostname", "-i",
+		),
+	)
+	require.Error(t, output.Err, string(output.Stderr))
+	require.Equal(t, output.ExitCode, 255)
+	require.Contains(t, string(output.Stderr), "timed out")
+	t.Logf("Successfully detected connection failure")
+
+	// Set correct worker filter, expect connection success
+	var workerTags []string
+	err = json.Unmarshal([]byte(c.WorkerTags), &workerTags)
+	require.NoError(t, err)
+	require.NotEmpty(t, workerTags)
+
+	t.Logf("Setting correct worker filter...")
+	output = e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"targets", "update", "tcp",
+			"-id", newTargetId,
+			"-egress-worker-filter", fmt.Sprintf(`"%s" in "/tags/type"`, workerTags[0]),
+			"-format", "json",
+		),
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+
+	output = e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"connect",
+			"-target-id", newTargetId,
+			"-exec", "/usr/bin/ssh", "--",
+			"-l", c.TargetSshUser,
+			"-i", c.TargetSshKeyPath,
+			"-o", "UserKnownHostsFile=/dev/null",
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes", // forces the use of the provided key
+			"-o", "ConnectTimeout=3",
+			"-p", "{{boundary.port}}", // this is provided by boundary
+			"{{boundary.ip}}",
+			"hostname", "-i",
+		),
+	)
+	require.NoError(t, output.Err, string(output.Stderr))
+	t.Logf("Successfully connected to target")
+}