From 69a2dde9225d600f55ae37724a2be131bb02245b Mon Sep 17 00:00:00 2001
From: Michael Li
Date: Mon, 26 Feb 2024 15:29:06 +0000
Subject: [PATCH] backport of commit e07a8a2d51086c9272fd106e7da5e712c77c391d

---
 enos/modules/docker_vault/config/config.json | 18 ++++++
 enos/modules/docker_vault/main.tf            | 64 +++++++++++++++-----
 2 files changed, 68 insertions(+), 14 deletions(-)
 create mode 100644 enos/modules/docker_vault/config/config.json

diff --git a/enos/modules/docker_vault/config/config.json b/enos/modules/docker_vault/config/config.json
new file mode 100644
index 0000000000..14a8599d55
--- /dev/null
+++ b/enos/modules/docker_vault/config/config.json
@@ -0,0 +1,18 @@
+{
+  "storage": {
+    "file": {
+      "path": "/vault/file"
+    }
+  },
+  "listener": [
+    {
+      "tcp": {
+        "address": "0.0.0.0:8200",
+        "tls_disable": true
+      }
+    }
+  ],
+  "default_lease_ttl": "168h",
+  "max_lease_ttl": "720h",
+  "ui": true
+}
diff --git a/enos/modules/docker_vault/main.tf b/enos/modules/docker_vault/main.tf
index d996713a03..b9266a60c7 100644
--- a/enos/modules/docker_vault/main.tf
+++ b/enos/modules/docker_vault/main.tf
@@ -32,11 +32,6 @@ variable "container_name" {
   type        = string
   default     = "vault"
 }
-variable "vault_token" {
-  description = "Vault Root Token"
-  type        = string
-  default     = "boundarytok"
-}
 variable "vault_port" {
   description = "External Port to use"
   type        = string
@@ -49,15 +44,18 @@ resource "docker_image" "vault" {
 }
 
 resource "docker_container" "vault" {
-  image = docker_image.vault.image_id
-  name  = var.container_name
-  env = [
-    "VAULT_DEV_ROOT_TOKEN_ID=${var.vault_token}"
-  ]
+  image   = docker_image.vault.image_id
+  name    = var.container_name
+  command = ["vault", "server", "-config", "/vault/config.d/config.json"]
   ports {
     internal = 8200
     external = var.vault_port
   }
+  mounts {
+    type   = "bind"
+    source = "${abspath(path.module)}/config"
+    target = "/vault/config.d"
+  }
   capabilities {
     add = ["IPC_LOCK"]
   }
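Review bot: The `ports` block of `docker_container.vault` publishes the API on every host interface, since the provider's `ip` attribute defaults to 0.0.0.0, while the listener added in config.json by this same commit runs with `tls_disable` and binds 0.0.0.0 inside the container; if the test host has other tenants, the plaintext API and the root token that later steps send over it are reachable from the network. Every caller in this module uses `http://0.0.0.0:${var.vault_port}` on the local host, so the mapping can be narrowed without touching the tests by adding `ip = "127.0.0.1"` next to `internal`/`external` in the ports block. Inside the container the 0.0.0.0 bind is needed for the port mapping to work, so config.json itself needs no change; a short comment on the ports block saying the exposure is deliberately loopback-only would document the intent.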
@@ -69,6 +67,7 @@ resource "docker_container" "vault" {
 
   }
 }
+
 resource "enos_local_exec" "check_address" {
   depends_on = [
     docker_container.vault
@@ -77,14 +76,51 @@ resource "enos_local_exec" "check_address" {
   inline = ["timeout 10s bash -c 'until curl http://0.0.0.0:${var.vault_port}; do sleep 2; done'"]
 }
 
-resource "enos_local_exec" "check_health" {
+resource "enos_local_exec" "init_vault" {
   depends_on = [
     enos_local_exec.check_address
   ]
 
   environment = {
-    VAULT_ADDR  = "http://0.0.0.0:${var.vault_port}"
-    VAULT_TOKEN = var.vault_token
+    VAULT_ADDR        = "http://0.0.0.0:${var.vault_port}"
+    VAULT_SKIP_VERIFY = true
+  }
+
+  inline = ["vault operator init -format json"]
+}
+
+locals {
+  vault_init  = jsondecode(enos_local_exec.init_vault.stdout)
+  unseal_keys = local.vault_init["unseal_keys_b64"]
+  root_token  = local.vault_init["root_token"]
+}
+
+resource "enos_local_exec" "unseal_vault" {
+  depends_on = [
+    enos_local_exec.init_vault
+  ]
+
+  environment = {
+    VAULT_ADDR        = "http://0.0.0.0:${var.vault_port}"
+    VAULT_SKIP_VERIFY = true
+  }
+
+  # By default, vault requires 3 keys to unseal
+  count = 3
+  inline = [
+    "vault operator unseal ${local.unseal_keys[count.index]}"
+  ]
+}
+
+resource "enos_local_exec" "check_health" {
+  depends_on = [
+    enos_local_exec.init_vault
+  ]
+
+  environment = {
+    VAULT_ADDR        = "http://0.0.0.0:${var.vault_port}"
+    VAULT_TOKEN       = local.root_token
+    VAULT_SKIP_VERIFY = true
   }
 
   inline = ["timeout 10s bash -c 'until vault status; do sleep 2; done'"]
@@ -99,7 +135,7 @@ output "address_internal" {
 }
 
 output "token" {
-  value = var.vault_token
+  value = local.root_token
 }
 
 output "port" {
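Review bot: The new `check_health` resource depends only on `enos_local_exec.init_vault`, not on the three `unseal_vault` instances, so Terraform may run it while Vault is still sealed; `vault status` exits non-zero until the unseal threshold is met, and the 10s `timeout` in its inline command can expire before the unseal steps have finished. Change it to `depends_on = [enos_local_exec.unseal_vault]` (a counted resource can be referenced as a whole), which also keeps `init_vault` ordered through the existing chain. Separately, `count = 3` relies on `vault operator init` defaults; passing `-key-shares 5 -key-threshold 3` in the `init_vault` inline command makes the threshold the comment describes explicit, and `VAULT_SKIP_VERIFY = true` has no effect on an `http://` address and can be dropped from all three environment blocks.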
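Review bot: `output "token"` now exports the root token returned by `vault operator init` without `sensitive = true`, so apply and plan output print it in cleartext, and the same applies to the `root_token` and `unseal_keys` locals it is derived from. Add `sensitive = true` next to `value = local.root_token`; a calling module can still read a sensitive output. The unseal keys and root token also remain in cleartext in the state file through `enos_local_exec.init_vault.stdout`, which is inherent to this approach and worth a comment on the `locals` block such as `# NOTE: init output (root token, unseal keys) is persisted in state; treat this test module's state as secret.`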