refact(e2e): Split Vault Boundary Controller setup from secrets policy creation

8 months ago · 3de584cafa
parent 9575d5f239
commit 3de584cafa
9 changed files with 150 additions and 94 deletions
--- a/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go
@ -65,7 +65,7 @@ func TestApiVaultLdapCredentialLibrary(t *testing.T) {
 	require.NoError(t, err)

 	// Configure Vault for LDAP.
-	boundaryPolicyName, _, ldapPolicyFilePath := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(context.Background(), "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -73,7 +73,7 @@ func TestApiVaultLdapCredentialLibrary(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})

-	ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, ldapPolicyFilePath,
+	ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath,
 		c.LdapAddress, c.LdapAdminDn, c.LdapAdminPassword,
 		c.LdapDomainDn, c.LdapUserName, c.LdapGroupName,
 	)
@ -235,7 +235,7 @@ func TestCliVaultLdapCredentialLibrary(t *testing.T) {
 	require.NoError(t, err)

 	// Configure Vault for LDAP.
-	boundaryPolicyName, _, ldapPolicyFilePath := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(context.Background(), "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -243,7 +243,7 @@ func TestCliVaultLdapCredentialLibrary(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})

-	ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, ldapPolicyFilePath,
+	ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath,
 		c.LdapAddress, c.LdapAdminDn, c.LdapAdminPassword,
 		c.LdapDomainDn, c.LdapUserName, c.LdapGroupName,
 	)
--- a/testing/internal/e2e/tests/base_with_vault/credential_store_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/credential_store_test.go
@ -55,7 +55,7 @@ func TestCliVaultCredentialStore(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -75,13 +75,26 @@ func TestCliVaultCredentialStore(t *testing.T) {
 	})

 	// Create credentials in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	passwordSecretName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath)
-	domainSecretName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com", kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	passwordSecretName, passwordPolicyName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser)
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", passwordPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	domainSecretName, domainPolicyName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com")
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", domainPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -93,7 +106,9 @@ func TestCliVaultCredentialStore(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			"-policy="+boundaryPolicyName,
-			"-policy="+kvPolicyName,
+			"-policy="+privateKeyPolicyName,
+			"-policy="+passwordPolicyName,
+			"-policy="+domainPolicyName,
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
@ -243,7 +258,7 @@ func TestApiVaultCredentialStore(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	output := e2e.RunCommand(ctx, "vault",
 		e2e.WithArgs("secrets", "enable", "-path="+c.VaultSecretPath, "kv-v2"),
 	)
@ -255,11 +270,30 @@ func TestApiVaultCredentialStore(t *testing.T) {
 		require.NoError(t, output.Err, string(output.Stderr))
 	})

-	// Create credential in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	passwordSecretName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath)
-	domainSecretName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com", kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	// Create credentials in vault
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	passwordSecretName, passwordPolicyName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser)
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", passwordPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	domainSecretName, domainPolicyName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com")
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", domainPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
 	t.Log("Created Vault Credentials")

 	// Create vault token for boundary
@ -268,7 +302,9 @@ func TestApiVaultCredentialStore(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			"-policy="+boundaryPolicyName,
-			"-policy="+kvPolicyName,
+			"-policy="+privateKeyPolicyName,
+			"-policy="+passwordPolicyName,
+			"-policy="+domainPolicyName,
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go
@ -41,7 +41,7 @@ func TestCliPaginateCredentialLibraries(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -61,11 +61,10 @@ func TestCliPaginateCredentialLibraries(t *testing.T) {
 	})

 	// Create credentials in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -76,7 +75,7 @@ func TestCliPaginateCredentialLibraries(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			"-policy="+boundaryPolicyName,
-			"-policy="+kvPolicyName,
+			"-policy="+privateKeyPolicyName,
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
@ -194,7 +193,7 @@ func TestApiPaginateCredentialLibraries(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -214,11 +213,10 @@ func TestApiPaginateCredentialLibraries(t *testing.T) {
 	})

 	// Create credentials in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -229,7 +227,7 @@ func TestApiPaginateCredentialLibraries(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			"-policy="+boundaryPolicyName,
-			"-policy="+kvPolicyName,
+			"-policy="+privateKeyPolicyName,
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go
@ -53,7 +53,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -73,11 +73,10 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) {
 	})

 	// Create credential in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -89,7 +88,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			fmt.Sprintf("-policy=%s", boundaryPolicyName),
-			fmt.Sprintf("-policy=%s", kvPolicyName),
+			fmt.Sprintf("-policy=%s", privateKeyPolicyName),
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go
@ -53,7 +53,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -73,11 +73,10 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) {
 	})

 	// Create credential in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -89,7 +88,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			fmt.Sprintf("-policy=%s", boundaryPolicyName),
-			fmt.Sprintf("-policy=%s", kvPolicyName),
+			fmt.Sprintf("-policy=%s", privateKeyPolicyName),
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go
+++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go
@ -54,7 +54,7 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -74,11 +74,10 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) {
 	})

 	// Create credential in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -90,7 +89,7 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			fmt.Sprintf("-policy=%s", boundaryPolicyName),
-			fmt.Sprintf("-policy=%s", kvPolicyName),
+			fmt.Sprintf("-policy=%s", privateKeyPolicyName),
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go
+++ b/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go
@ -49,7 +49,7 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) {
 	require.NoError(t, err)

 	// Configure vault
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
 			e2e.WithArgs("policy", "delete", boundaryPolicyName),
@ -69,11 +69,10 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) {
 	})

 	// Create credential in vault
-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
 	t.Cleanup(func() {
 		output := e2e.RunCommand(ctx, "vault",
-			e2e.WithArgs("policy", "delete", kvPolicyName),
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
 		)
 		require.NoError(t, output.Err, string(output.Stderr))
 	})
@ -85,7 +84,7 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) {
 			"token", "create",
 			"-no-default-policy=true",
 			fmt.Sprintf("-policy=%s", boundaryPolicyName),
-			fmt.Sprintf("-policy=%s", kvPolicyName),
+			fmt.Sprintf("-policy=%s", privateKeyPolicyName),
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/tests/database/migration_test.go
+++ b/testing/internal/e2e/tests/database/migration_test.go
@ -278,22 +278,36 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T
 	require.NoError(t, err)

 	// Create vault credentials
-	boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl")
+	boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl")
 	output := e2e.RunCommand(ctx, "vault",
 		e2e.WithArgs("secrets", "enable", "-path="+c.VaultSecretPath, "kv-v2"),
 	)
 	require.NoError(t, output.Err, string(output.Stderr))

-	privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath)
-	passwordSecretName, _ := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath)
-	kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath)
+	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", privateKeyPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+
+	passwordSecretName, passwordPolicyName, _ := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser)
+	t.Cleanup(func() {
+		output := e2e.RunCommand(ctx, "vault",
+			e2e.WithArgs("policy", "delete", passwordPolicyName),
+		)
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
 	t.Log("Created Vault Credential")
+
 	output = e2e.RunCommand(ctx, "vault",
 		e2e.WithArgs(
 			"token", "create",
 			"-no-default-policy=true",
 			"-policy="+boundaryPolicyName,
-			"-policy="+kvPolicyName,
+			"-policy="+privateKeyPolicyName,
+			"-policy="+passwordPolicyName,
 			"-orphan=true",
 			"-period=20m",
 			"-renewable=true",
--- a/testing/internal/e2e/vault/vault.go
+++ b/testing/internal/e2e/vault/vault.go
@ -8,6 +8,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"testing"
@ -24,25 +25,15 @@ type CreateTokenResponse struct {
 	}
 }

-// Setup verifies if appropriate credentials are set and adds the boundary controller
-// policy to vault. Returns the vault address.
-func Setup(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName, kvPolicyFilePath, ldapPolicyFilePath string) {
+// SetupForBoundaryController verifies if appropriate credentials are set and
+// adds the boundary controller policy to vault. Returns the policy name.
+func SetupForBoundaryController(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName string) {
 	// Set up boundary policy
 	boundaryPolicyFilePath, err := filepath.Abs(boundaryControllerFilePath)
 	require.NoError(t, err)
-	boundaryPolicyName = WritePolicy(t, context.Background(), boundaryPolicyFilePath)
+	boundaryPolicyName = WritePolicy(t, t.Context(), boundaryPolicyFilePath)

-	// Create kv policy
-	kvPolicyFilePath = fmt.Sprintf("%s/%s", t.TempDir(), "kv-policy.hcl")
-	_, err = os.Create(kvPolicyFilePath)
-	require.NoError(t, err)
-
-	// Create ldap policy
-	ldapPolicyFilePath = fmt.Sprintf("%s/%s", t.TempDir(), "ldap-policy.hcl")
-	_, err = os.Create(ldapPolicyFilePath)
-	require.NoError(t, err)
-
-	return boundaryPolicyName, kvPolicyFilePath, ldapPolicyFilePath
+	return boundaryPolicyName
 }

 // SetupLdap sets a Vault server up for LDAP against an OpenLDAP server. It
@ -52,7 +43,7 @@ func Setup(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName,
 // clean-up in place to run after a test is complete. When applicable, callers
 // should destroy the Vault LDAP policy and LDAP secrets engine this function
 // creates.
-func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAddr, ldapAdminDn, ldapAdminPw, ldapDn, ldapUser, ldapGroup string) string {
+func SetupLdap(t testing.TB, vaultLdapMountPath, ldapAddr, ldapAdminDn, ldapAdminPw, ldapDn, ldapUser, ldapGroup string) string {
 	// Enable LDAP secrets engine.
 	output := e2e.RunCommand(t.Context(), "vault",
 		e2e.WithArgs("secrets", "enable", fmt.Sprintf("-path=%s", vaultLdapMountPath), "ldap"),
@ -60,8 +51,10 @@ func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAd
 	require.NoError(t, output.Err, string(output.Stderr))

 	// Define and write LDAP access policy to Vault.
-	f, err := os.OpenFile(vaultLdapPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+	vaultLdapPolicyFilePath := path.Join(t.TempDir(), "ldap-policy.hcl")
+	f, err := os.Create(vaultLdapPolicyFilePath)
 	require.NoError(t, err)
+
 	_, err = fmt.Fprintf(f, `
 		path "%[1]s/static-cred/%[2]s" {
 			capabilities = ["read"]
@ -148,21 +141,27 @@ func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAd
 	return policyName
 }

-// CreateKvPrivateKeyCredential creates a private key credential in vault and creates a vault policy
-// to be able to read that credential. Returns the name of the policy.
-func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string, keyPath string, kvPolicyFilePath string) string {
+// CreateKvPrivateKeyCredential creates a private key credential in vault and
+// creates a vault policy to be able to read that credential. Returns the secret
+// and policy names. Note that this function does not put any clean-up in place
+// to run after a test is complete. When applicable, callers should destroy the
+// policy and secret this function creates.
+func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string, keyPath string) (secretName string, policyName string) {
 	secretName, err := base62.Random(16)
 	require.NoError(t, err)

-	// Update policy file
-	f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+	policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-pk-%s-policy.hcl", secretName))
+	f, err := os.Create(policyFilePath)
 	require.NoError(t, err)
-	_, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+	_, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 		secretPath,
 		secretName,
-	))
+	)
 	require.NoError(t, err)

+	policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 	// Create secret
 	output := e2e.RunCommand(context.Background(), "vault",
 		e2e.WithArgs(
@ -175,24 +174,31 @@ func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string,
 	)
 	require.NoError(t, output.Err, string(output.Stderr))

-	return secretName
+	return secretName, policyName
 }

-// CreateKvPasswordCredential creates a username/password credential in vault and creates a vault
-// policy to be able to read that credential. Returns the name of the policy
-func CreateKvPasswordCredential(t testing.TB, secretPath string, user string, kvPolicyFilePath string) (secretName string, password string) {
+// CreateKvPasswordCredential creates a username/password credential in vault
+// and creates a vault policy to be able to read that credential. Returns the
+// secret and policy names as well as the password for the secret. Note that
+// this function does not put any clean-up in place to run after a test is
+// complete. When applicable, callers should destroy the policy and secret this
+// function creates.
+func CreateKvPasswordCredential(t testing.TB, secretPath string, user string) (secretName string, policyName string, password string) {
 	secretName, err := base62.Random(16)
 	require.NoError(t, err)

-	// Update policy file
-	f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+	policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-up-%s-policy.hcl", secretName))
+	f, err := os.Create(policyFilePath)
 	require.NoError(t, err)
-	_, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+	_, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 		secretPath,
 		secretName,
-	))
+	)
 	require.NoError(t, err)

+	policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 	// Create secret
 	password, err = base62.Random(16)
 	require.NoError(t, err)
@ -207,24 +213,30 @@ func CreateKvPasswordCredential(t testing.TB, secretPath string, user string, kv
 	)
 	require.NoError(t, output.Err, string(output.Stderr))

-	return secretName, password
+	return secretName, policyName, password
 }

-// CreateKvPasswordDomainCredential creates a username/password/domain credential in vault and creates a vault
-// policy to be able to read that credential. Returns the name of the policy
-func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user string, domain string, kvPolicyFilePath string) (secretName string, password string) {
+// CreateKvPasswordDomainCredential creates a username/password/domain
+// credential in vault and creates a vault policy to be able to read that
+// credential. Returns the name of the policy. Note that this function does not
+// put any clean-up in place to run after a test is complete. When applicable,
+// callers should destroy the policy and secret this function creates.
+func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user string, domain string) (secretName string, policyName string, password string) {
 	secretName, err := base62.Random(16)
 	require.NoError(t, err)

-	// Update policy file
-	f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+	policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-upd-%s-policy.hcl", secretName))
+	f, err := os.Create(policyFilePath)
 	require.NoError(t, err)
-	_, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+	_, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 		secretPath,
 		secretName,
-	))
+	)
 	require.NoError(t, err)

+	policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 	// Create secret
 	password, err = base62.Random(16)
 	require.NoError(t, err)
@ -240,7 +252,7 @@ func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user stri
 	)
 	require.NoError(t, output.Err, string(output.Stderr))

-	return secretName, password
+	return secretName, policyName, password
 }

 // WritePolicy adds a policy to vault. Provide a name for the policy that you want to create as well