From 33f3a5ff9c78412eab5c5a5fa0c5b238dc528092 Mon Sep 17 00:00:00 2001
From: Michael Li
Date: Mon, 24 Apr 2023 16:58:39 -0400
Subject: [PATCH] test(e2e): Add test that uses new worker resource (#3177)
---
enos/enos-scenario-e2e-aws.hcl | 44 +++++++-
enos/modules/target/main.tf | 6 +-
enos/modules/test_e2e/main.tf | 5 +
enos/modules/worker/main.tf | 15 ++-
testing/internal/e2e/tests/aws/env_test.go | 4 +-
testing/internal/e2e/tests/aws/worker_test.go | 102 ++++++++++++++++++
6 files changed, 165 insertions(+), 11 deletions(-)
create mode 100644 testing/internal/e2e/tests/aws/worker_test.go
diff --git a/enos/enos-scenario-e2e-aws.hcl b/enos/enos-scenario-e2e-aws.hcl
index 87b5a074fd..684f94bcac 100644
--- a/enos/enos-scenario-e2e-aws.hcl
+++ b/enos/enos-scenario-e2e-aws.hcl
@@ -167,13 +167,53 @@ scenario "e2e_aws" { } } + step "create_isolated_worker" { + module = module.worker + depends_on = [step.create_boundary_cluster] + variables { + vpc_name = step.create_base_infra.vpc_id + availability_zones = step.create_base_infra.availability_zone_names + kms_key_arn = step.create_base_infra.kms_key_arn + ubuntu_ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] + local_artifact_path = step.build_boundary.artifact_path + boundary_install_dir = local.boundary_install_dir + iam_instance_profile_name = step.create_boundary_cluster.iam_instance_profile_name + name_prefix = step.create_boundary_cluster.name_prefix + cluster_tag = step.create_boundary_cluster.cluster_tag + controller_addresses = step.create_boundary_cluster.public_controller_addresses + controller_sg_id = step.create_boundary_cluster.controller_aux_sg_id + worker_type_tags = ["worker_e2e_test"] + } + } + + step "create_isolated_target" { + module = module.target + depends_on = [ + step.create_base_infra, + step.create_isolated_worker + ] + + variables { + ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] + aws_ssh_keypair_name = var.aws_ssh_keypair_name + enos_user = var.enos_user + instance_type = var.target_instance_type + vpc_id = step.create_base_infra.vpc_id + target_count = 1 + subnet_ids = step.create_isolated_worker.subnet_ids + ingress_cidr = ["10.13.9.0/24"] + } + } + step "run_e2e_test" { module = module.test_e2e depends_on = [ step.create_boundary_cluster, step.create_targets_with_tag1, step.create_targets_with_tag2, - step.iam_setup + step.iam_setup, + step.create_isolated_worker, + step.create_isolated_target ] variables { 
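Review bot: `ingress_cidr = ["10.13.9.0/24"]` in `create_isolated_target` is a bare literal with no stated meaning; it presumably has to match the subnet that `module.worker` creates, since the target is placed in `step.create_isolated_worker.subnet_ids`. If that subnet is ever renumbered, the SSH rule on the target would no longer match the worker and the test would fail with no hint of the cause. A comment such as `# must match the isolated worker subnet CIDR created by modules/worker` would record the coupling, or the value could be taken from a worker module output so the two cannot drift.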
@@ -193,6 +233,8 @@ scenario "e2e_aws" { aws_host_set_ips1 = step.create_targets_with_tag1.target_ips aws_host_set_filter2 = step.create_tag2_inputs.tag_string aws_host_set_ips2 = step.create_targets_with_tag2.target_ips + target_ip = step.create_isolated_target.target_ips[0] + worker_tags = step.create_isolated_worker.worker_tags } } diff --git a/enos/modules/target/main.tf b/enos/modules/target/main.tf index c3800b62f2..ef5644af7a 100644 --- a/enos/modules/target/main.tf +++ b/enos/modules/target/main.tf @@ -13,6 +13,10 @@ variable "enos_user" {} variable "additional_tags" { default = {} } +variable "ingress_cidr" { + type = list(string) + default = ["10.0.0.0/8"] +} resource "aws_security_group" "boundary_target" { name_prefix = "boundary-target-sg" @@ -24,7 +28,7 @@ resource "aws_security_group" "boundary_target" { from_port = 22 to_port = 22 protocol = "tcp" - cidr_blocks = ["10.0.0.0/8"] + cidr_blocks = var.ingress_cidr } egress { diff --git a/enos/modules/test_e2e/main.tf b/enos/modules/test_e2e/main.tf index 657610ecd7..aeb6ac53dd 100644 --- a/enos/modules/test_e2e/main.tf +++ b/enos/modules/test_e2e/main.tf @@ -112,6 +112,10 @@ variable "aws_host_set_ips2" { type = list(string) default = [""] } +variable "worker_tags" { + type = list(string) + default = [""] +} locals { aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path) @@ -142,6 +146,7 @@ resource "enos_local_exec" "run_e2e_test" { E2E_AWS_HOST_SET_IPS = local.aws_host_set_ips1, E2E_AWS_HOST_SET_FILTER2 = var.aws_host_set_filter2, E2E_AWS_HOST_SET_IPS2 = local.aws_host_set_ips2 + E2E_WORKER_TAG = jsonencode(var.worker_tags), } inline = var.debug_no_run ? [""] : ["set -o pipefail; PATH=\"${var.local_boundary_dir}:$PATH\" go test -v ${var.test_package} -count=1 -json | tparse -follow -format plain 2>&1 | tee ${path.module}/../../test-e2e-${local.package_name}.log"] diff --git a/enos/modules/worker/main.tf b/enos/modules/worker/main.tf index 395ceca302..1720069e76 100644 
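Review bot: `ingress_cidr` decides which sources may reach port 22 on the target (it feeds `cidr_blocks` in the second hunk of this file), yet the variable has no `description`. Adding `description = "CIDR blocks allowed to reach the target over SSH"` would make the security role of the variable clear to callers, and the broad `10.0.0.0/8` default deserves a word on why it is kept.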
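Review bot: The default `[""]` for `worker_tags` is encoded by `jsonencode` as a list holding one empty string, which satisfies both `required:"true"` on `E2E_WORKER_TAG` in env_test.go and the `require.NotEmpty(t, workerTags)` check in worker_test.go. A scenario that forgets to pass the tags would therefore run with the filter `"" in "/tags/type"` instead of failing early. A default of `[]`, or an added `require.NotEmpty(t, workerTags[0])` in the test, would surface the omission. The neighbouring `aws_host_set_ips2` uses the same `[""]` convention, so this may be deliberate.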
--- a/enos/modules/worker/main.tf +++ b/enos/modules/worker/main.tf @@ -81,19 +81,18 @@ resource "aws_security_group" "default" { cidr_blocks = ["${data.enos_environment.current.public_ip_address}/32"] } - egress { - description = "Communication from Boundary worker to controller" - from_port = 9201 - to_port = 9201 + ingress { + description = "Communication from Boundary controller to worker" + from_port = 9202 + to_port = 9202 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } egress { - description = "Communication from Boundary worker to controller" - from_port = 443 - to_port = 443 - protocol = "tcp" + from_port = 0 + to_port = 0 + protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } diff --git a/testing/internal/e2e/tests/aws/env_test.go b/testing/internal/e2e/tests/aws/env_test.go index 8ac3ab9208..7d750b7547 100644 --- a/testing/internal/e2e/tests/aws/env_test.go +++ b/testing/internal/e2e/tests/aws/env_test.go @@ -14,7 +14,9 @@ type config struct { AwsHostSetIps2 string `envconfig:"E2E_AWS_HOST_SET_IPS2" required:"true"` // e.g. "[\"1.2.3.4\"]" TargetSshKeyPath string `envconfig:"E2E_SSH_KEY_PATH" required:"true"` // e.g. "/Users/username/key.pem" TargetSshUser string `envconfig:"E2E_SSH_USER" required:"true"` // e.g. "ubuntu" - TargetPort string `envconfig:"E2E_SSH_PORT" required:"true"` + TargetPort string `envconfig:"E2E_SSH_PORT" required:"true"` // e.g. "22" + TargetIp string `envconfig:"E2E_TARGET_IP" required:"true"` // e.g. "192.168.0.1" + WorkerTags string `envconfig:"E2E_WORKER_TAG" required:"true"` // e.g. "[\"tag1\", \"tag2\"]" } func loadConfig() (*config, error) { diff --git a/testing/internal/e2e/tests/aws/worker_test.go b/testing/internal/e2e/tests/aws/worker_test.go new file mode 100644 index 0000000000..a13224b58a --- /dev/null +++ b/testing/internal/e2e/tests/aws/worker_test.go 
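Review bot: The new ingress rule exposes the worker's port 9202 to `0.0.0.0/0`, although its description says the traffic comes from the Boundary controller, and the rule just above it in the same security group is limited to `${data.enos_environment.current.public_ip_address}/32`. If only the test runner and the cluster need to reach the worker, the rule should name those sources, for example `cidr_blocks = ["${data.enos_environment.current.public_ip_address}/32"]` together with the controller's security group. The egress change also replaces two port-specific rules (9201 and 443) with an all-protocol, all-port rule and drops the `description`; if the wider rule is needed, a `description` saying why would help the next reader. The `aws_security_group` resource starts and ends outside the hunk.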
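Review bot: Marking `TargetIp` and `WorkerTags` as `required:"true"` in the shared `config` struct presumably makes every test that calls `loadConfig()` fail when `E2E_TARGET_IP` or `E2E_WORKER_TAG` is unset, not only the new worker test. If the other AWS tests are ever run without the isolated worker step, these two fields would be better left optional and asserted inside `TestCliWorker`. The variable name `E2E_WORKER_TAG` is also singular while it carries a JSON list decoded into `WorkerTags`; `E2E_WORKER_TAGS` would match the example in the comment.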
@@ -0,0 +1,102 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package aws_test
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/boundary/testing/internal/e2e"
+ "github.com/hashicorp/boundary/testing/internal/e2e/boundary"
+ "github.com/stretchr/testify/require"
+)
+
+func TestCliWorker(t *testing.T) {
+ e2e.MaybeSkipTest(t)
+ c, err := loadConfig()
+ require.NoError(t, err)
+
+ ctx := context.Background()
+ boundary.AuthenticateAdminCli(t, ctx)
+ newOrgId := boundary.CreateNewOrgCli(t, ctx)
+ t.Cleanup(func() {
+ ctx := context.Background()
+ boundary.AuthenticateAdminCli(t, ctx)
+ output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", newOrgId))
+ require.NoError(t, output.Err, string(output.Stderr))
+ })
+ newProjectId := boundary.CreateNewProjectCli(t, ctx, newOrgId)
+ newTargetId := boundary.CreateNewAddressTargetCli(t, ctx, newProjectId, c.TargetPort, c.TargetIp)
+
+ // Set incorrect worker filter, expect connection failure
+ t.Logf("Setting incorrect worker filter...")
+ output := e2e.RunCommand(ctx, "boundary",
+ e2e.WithArgs(
+ "targets", "update", "tcp",
+ "-id", newTargetId,
+ "-egress-worker-filter", `"prod" in "/tags/type"`,
+ "-format", "json",
+ ),
+ )
+ require.NoError(t, output.Err, string(output.Stderr))
+
+ output = e2e.RunCommand(ctx, "boundary",
+ e2e.WithArgs(
+ "connect",
+ "-target-id", newTargetId,
+ "-exec", "/usr/bin/ssh", "--",
+ "-l", c.TargetSshUser,
+ "-i", c.TargetSshKeyPath,
+ "-o", "UserKnownHostsFile=/dev/null",
+ "-o", "StrictHostKeyChecking=no",
+ "-o", "IdentitiesOnly=yes", // forces the use of the provided key
+ "-o", "ConnectTimeout=3",
+ "-p", "{{boundary.port}}", // this is provided by boundary
+ "{{boundary.ip}}",
+ "hostname", "-i",
+ ),
+ )
+ require.Error(t, output.Err, string(output.Stderr))
+ require.Equal(t, output.ExitCode, 255)
+ require.Contains(t, string(output.Stderr), "timed out")
+ t.Logf("Successfully detected connection failure")
+
+ // Set correct worker filter, expect connection success
+ var workerTags []string
+ err = json.Unmarshal([]byte(c.WorkerTags), &workerTags)
+ require.NoError(t, err)
+ require.NotEmpty(t, workerTags)
+
+ t.Logf("Setting correct worker filter...")
+ output = e2e.RunCommand(ctx, "boundary",
+ e2e.WithArgs(
+ "targets", "update", "tcp",
+ "-id", newTargetId,
+ "-egress-worker-filter", fmt.Sprintf(`"%s" in "/tags/type"`, workerTags[0]),
+ "-format", "json",
+ ),
+ )
+ require.NoError(t, output.Err, string(output.Stderr))
+
+ output = e2e.RunCommand(ctx, "boundary",
+ e2e.WithArgs(
+ "connect",
+ "-target-id", newTargetId,
+ "-exec", "/usr/bin/ssh", "--",
+ "-l", c.TargetSshUser,
+ "-i", c.TargetSshKeyPath,
+ "-o", "UserKnownHostsFile=/dev/null",
+ "-o", "StrictHostKeyChecking=no",
+ "-o", "IdentitiesOnly=yes", // forces the use of the provided key
+ "-o", "ConnectTimeout=3",
+ "-p", "{{boundary.port}}", // this is provided by boundary
+ "{{boundary.ip}}",
+ "hostname", "-i",
+ ),
+ )
+ require.NoError(t, output.Err, string(output.Stderr))
+ t.Logf("Successfully connected to target")
+}
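Review bot: `require.Equal(t, output.ExitCode, 255)` passes the actual value where testify expects the expected one, so a failure would report the two values the wrong way round; it should read `require.Equal(t, 255, output.ExitCode)`. Both `connect` invocations turn off host key verification (`StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`); a short comment saying why that is acceptable here, presumably because the targets are short-lived test instances, would keep the options from being copied into code that talks to real hosts. The two invocations are otherwise identical, so a small helper returning the shared `e2e.WithArgs(...)` would remove the duplication and keep the SSH options in one place.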