diff --git a/enos/ci/hcp-resources/main.tf b/enos/ci/hcp-resources/main.tf index e1265f2512..ef07379fc2 100644 --- a/enos/ci/hcp-resources/main.tf +++ b/enos/ci/hcp-resources/main.tf @@ -27,11 +27,17 @@ provider "aws" { region = var.aws_region } +module "generate_ssh_key" { + source = "../../modules/aws_ssh_keypair" + + enos_user = var.enos_user +} + provider "enos" { transport = { ssh = { user = "ubuntu" - private_key_path = abspath(var.aws_ssh_private_key_path) + private_key_path = module.generate_ssh_key.private_key_path } } } @@ -85,7 +91,7 @@ module "base_infra" { } module "worker" { - depends_on = [module.base_infra] + depends_on = [module.base_infra, module.generate_ssh_key] source = "../../modules/aws_boundary" controller_count = 0 @@ -93,7 +99,8 @@ module "worker" { db_create = false aws_region = var.aws_region hcp_boundary_cluster_id = var.hcp_boundary_cluster_id - ssh_aws_keypair = var.aws_ssh_keypair_name + aws_ssh_keypair_name = module.generate_ssh_key.key_pair_name + aws_ssh_private_key = module.generate_ssh_key.private_key_pem boundary_license = module.license.license kms_key_arn = module.base_infra.kms_key_arn ubuntu_ami_id = module.base_infra.ami_ids["ubuntu"]["amd64"] @@ -129,7 +136,8 @@ module "target" { source = "../../modules/aws_target" target_count = var.target_count - aws_ssh_keypair_name = var.aws_ssh_keypair_name + aws_ssh_keypair_name = module.generate_ssh_key.key_pair_name + aws_ssh_private_key = module.generate_ssh_key.private_key_pem instance_type = local.target_instance_type enos_user = local.cluster_tag environment = local.environment_tag diff --git a/enos/ci/hcp-resources/variables.tf b/enos/ci/hcp-resources/variables.tf index 37a211f324..b499433f88 100644 --- a/enos/ci/hcp-resources/variables.tf +++ b/enos/ci/hcp-resources/variables.tf 
@@ -22,6 +22,11 @@ variable "boundary_license_path" { type = string } +variable "enos_user" { + description = "Name of user and used to tage AWS resources." + type = string +} + variable "aws_ssh_keypair_name" { description = "Name of the AWS EC2 keypair to use for SSH access" type = string diff --git a/enos/enos-modules.hcl b/enos/enos-modules.hcl index e4008cc113..862dc91777 100644 --- a/enos/enos-modules.hcl +++ b/enos/enos-modules.hcl @@ -23,7 +23,6 @@ module "aws_boundary" { alb_listener_api_port = var.alb_listener_api_port boundary_binary_name = var.boundary_binary_name - ssh_aws_keypair = var.aws_ssh_keypair_name } module "aws_worker" { @@ -35,8 +34,6 @@ module "aws_worker" { "Enos User" : var.enos_user, "Environment" : var.environment } - - ssh_aws_keypair = var.aws_ssh_keypair_name } module "aws_bucket" { @@ -114,6 +111,10 @@ module "map2list" { source = "./modules/map2list" } +module "aws_ssh_keypair" { + source = "./modules/aws_ssh_keypair" +} + module "aws_target" { source = "./modules/aws_target" target_count = var.target_count @@ -142,8 +143,6 @@ module "vault" { "Enos User" : var.enos_user, "Environment" : var.environment } - - ssh_aws_keypair = var.aws_ssh_keypair_name } module "test_e2e" { diff --git a/enos/enos-scenario-e2e-aws-base.hcl b/enos/enos-scenario-e2e-aws-base.hcl index 1cc2c78179..5463e72b51 100644 --- a/enos/enos-scenario-e2e-aws-base.hcl +++ b/enos/enos-scenario-e2e-aws-base.hcl 
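Review bot: The description of the new `enos_user` variable reads `used to tage AWS resources`; it should be `tag`. Also, `variable "aws_ssh_keypair_name"` (visible as context right below the insertion) no longer has a consumer in hcp-resources/main.tf now that the key pair is generated by `module.generate_ssh_key`, and the same presumably holds for `aws_ssh_private_key_path`, whose declaration is outside this hunk; leaving them declared means CI keeps wiring inputs nothing reads and a stale keypair name could silently be assumed to still matter. Suggest removing the dead declarations in the same change, or adding a comment such as `# Deprecated: SSH key pairs are now generated per run by modules/aws_ssh_keypair` until they are dropped.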
@@ -14,10 +14,9 @@ scenario "e2e_aws_base" { } locals { - aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path) - boundary_install_dir = abspath(var.boundary_install_dir) - license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) - local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null + boundary_install_dir = abspath(var.boundary_install_dir) + license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) + local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null build_path = { "local" = "/tmp", "crt" = var.crt_bundle_path == null ? null : abspath(var.crt_bundle_path) @@ -76,12 +75,21 @@ scenario "e2e_aws_base" { } } + step "generate_ssh_key" { + module = module.aws_ssh_keypair + + variables { + enos_user = var.enos_user + } + } + step "create_boundary_cluster" { module = module.aws_boundary depends_on = [ step.create_base_infra, step.create_db_password, - step.build_boundary + step.build_boundary, + step.generate_ssh_key ] variables { 
@@ -100,16 +108,22 @@ scenario "e2e_aws_base" { worker_count = var.worker_count worker_instance_type = var.worker_instance_type aws_region = var.aws_region + aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name + aws_ssh_private_key = step.generate_ssh_key.private_key_pem } } step "create_target" { - module = module.aws_target - depends_on = [step.create_base_infra] + module = module.aws_target + depends_on = [ + step.create_base_infra, + step.generate_ssh_key + ] variables { ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] - aws_ssh_keypair_name = var.aws_ssh_keypair_name + aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name + aws_ssh_private_key = step.generate_ssh_key.private_key_pem enos_user = var.enos_user instance_type = var.target_instance_type vpc_id = step.create_base_infra.vpc_id @@ -122,7 +136,8 @@ scenario "e2e_aws_base" { module = module.test_e2e depends_on = [ step.create_boundary_cluster, - step.create_target + step.create_target, + step.generate_ssh_key ] variables { @@ -133,7 +148,7 @@ scenario "e2e_aws_base" { auth_login_name = step.create_boundary_cluster.auth_login_name auth_password = step.create_boundary_cluster.auth_password local_boundary_dir = local.local_boundary_dir - aws_ssh_private_key_path = local.aws_ssh_private_key_path + aws_ssh_private_key_path = step.generate_ssh_key.private_key_path target_address = step.create_target.target_private_ips[0] target_user = "ubuntu" target_port = "22" diff --git a/enos/enos-scenario-e2e-aws-rdp-base.hcl b/enos/enos-scenario-e2e-aws-rdp-base.hcl index e5f32bd71b..7cf3dffbc7 100644 --- a/enos/enos-scenario-e2e-aws-rdp-base.hcl +++ b/enos/enos-scenario-e2e-aws-rdp-base.hcl 
@@ -24,12 +24,11 @@ scenario "e2e_aws_rdp_base" { } locals { - aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path) - boundary_install_dir = abspath(var.boundary_install_dir) - local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null - local_boundary_src_dir = var.local_boundary_src_dir != null ? abspath(var.local_boundary_src_dir) : null - boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) - ip_version = "4" + boundary_install_dir = abspath(var.boundary_install_dir) + local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null + local_boundary_src_dir = var.local_boundary_src_dir != null ? abspath(var.local_boundary_src_dir) : null + boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) + ip_version = "4" build_path_linux = { "local" = "/tmp", @@ -74,6 +73,14 @@ scenario "e2e_aws_rdp_base" { } } + step "generate_ssh_key" { + module = module.aws_ssh_keypair + + variables { + enos_user = var.enos_user + } + } + step "build_boundary_linux" { module = matrix.builder == "crt" ? module.build_crt : module.build_local @@ -131,6 +138,7 @@ scenario "e2e_aws_rdp_base" { module = module.vault depends_on = [ step.create_base_infra, + step.generate_ssh_key ] variables { @@ -146,7 +154,9 @@ scenario "e2e_aws_rdp_base" { version = var.vault_version edition = "oss" } - vpc_id = step.create_base_infra.vpc_id + vpc_id = step.create_base_infra.vpc_id + aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name + aws_ssh_private_key = step.generate_ssh_key.private_key_pem } } @@ -175,7 +185,8 @@ scenario "e2e_aws_rdp_base" { step.build_boundary_linux, step.create_windows_client, step.create_vault_cluster, - step.read_boundary_license + step.read_boundary_license, + step.generate_ssh_key ] variables { 
@@ -200,6 +211,8 @@ scenario "e2e_aws_rdp_base" { ip_version = local.ip_version recording_storage_path = "/recording" alb_sg_additional_ips = step.create_windows_client.public_ip_list + aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name + aws_ssh_private_key = step.generate_ssh_key.private_key_pem } } @@ -302,7 +315,7 @@ scenario "e2e_aws_rdp_base" { auth_login_name = step.create_boundary_cluster.auth_login_name auth_password = step.create_boundary_cluster.auth_password local_boundary_dir = local.local_boundary_dir - aws_ssh_private_key_path = local.aws_ssh_private_key_path + aws_ssh_private_key_path = step.generate_ssh_key.private_key_path target_user = "ubuntu" target_port = "22" aws_bucket_name = step.create_bucket.bucket_name diff --git a/enos/enos-scenario-e2e-aws.hcl b/enos/enos-scenario-e2e-aws.hcl index 489bd2f568..3ac856cdc8 100644 --- a/enos/enos-scenario-e2e-aws.hcl +++ b/enos/enos-scenario-e2e-aws.hcl @@ -16,11 +16,10 @@ scenario "e2e_aws" { } locals { - aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path) - boundary_install_dir = abspath(var.boundary_install_dir) - local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null - boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) - vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic")) + boundary_install_dir = abspath(var.boundary_install_dir) + local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null + boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) + vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic")) build_path = { "local" = "/tmp", 
@@ -82,10 +81,19 @@ scenario "e2e_aws" { } } + step "generate_ssh_key" { + module = module.aws_ssh_keypair + + variables { + enos_user = var.enos_user + } + } + step "create_vault_cluster" { module = module.vault depends_on = [ step.create_base_infra, + step.generate_ssh_key ] variables { @@ -101,7 +109,9 @@ scenario "e2e_aws" { version = var.vault_version edition = "oss" } - vpc_id = step.create_base_infra.vpc_id + vpc_id = step.create_base_infra.vpc_id + aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name + aws_ssh_private_key = step.generate_ssh_key.private_key_pem } } @@ -154,20 +164,21 @@ scenario "e2e_aws" { step "create_targets_with_tag1" { module = module.aws_target - depends_on = [step.create_base_infra] + depends_on = [step.create_base_infra, step.generate_ssh_key] variables { - ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] - aws_ssh_keypair_name = var.aws_ssh_keypair_name - enos_user = var.enos_user - instance_type = var.target_instance_type - vpc_id = step.create_base_infra.vpc_id - target_count = var.target_count <= 1 ? 2 : var.target_count - additional_tags = step.create_tag1_inputs.tag_map - subnet_ids = step.create_boundary_cluster.subnet_ids - ingress_cidr = matrix.ip_version == "4" ? ["10.0.0.0/8"] : [] - ingress_ipv6_cidr = step.create_boundary_cluster.worker_ipv6_cidr - ip_version = matrix.ip_version + ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] + ssh_aws_keypair = step.generate_ssh_key.key_pair_name + ssh_private_key = step.generate_ssh_key.private_key_pem + enos_user = var.enos_user + instance_type = var.target_instance_type + vpc_id = step.create_base_infra.vpc_id + target_count = var.target_count <= 1 ? 2 : var.target_count + additional_tags = step.create_tag1_inputs.tag_map + subnet_ids = step.create_boundary_cluster.subnet_ids + ingress_cidr = matrix.ip_version == "4" ? ["10.0.0.0/8"] : [] + ingress_ipv6_cidr = step.create_boundary_cluster.worker_ipv6_cidr + ip_version = matrix.ip_version } } 
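Review bot: `create_targets_with_tag1` passes `ssh_aws_keypair` and `ssh_private_key` to `module.aws_target`, but the module's inputs added in this same change (aws_target/main.tf) are `aws_ssh_keypair_name` and `aws_ssh_private_key`, which is also what `e2e_aws_base` passes. As written the target module would receive neither the key-pair name nor the private key, so its instances get no `key_name` and the `enos_remote_exec "wait"` transport has no key. Change the two lines to `aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name` and `aws_ssh_private_key = step.generate_ssh_key.private_key_pem`.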
@@ -197,7 +208,7 @@ scenario "e2e_aws" { step "create_isolated_worker" { module = module.aws_worker - depends_on = [step.create_boundary_cluster] + depends_on = [step.create_boundary_cluster, step.generate_ssh_key] variables { vpc_id = step.create_base_infra.vpc_id availability_zones = step.create_base_infra.availability_zone_names @@ -214,6 +225,8 @@ scenario "e2e_aws" { worker_type_tags = [local.isolated_tag] ip_version = matrix.ip_version config_file_path = "templates/worker.hcl" + ssh_aws_keypair = step.generate_ssh_key.key_pair_name + ssh_private_key = step.generate_ssh_key.private_key_pem } } @@ -235,21 +248,23 @@ scenario "e2e_aws" { module = module.aws_target depends_on = [ step.create_base_infra, - step.create_isolated_worker + step.create_isolated_worker, + step.generate_ssh_key ] variables { - ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] - aws_ssh_keypair_name = var.aws_ssh_keypair_name - enos_user = var.enos_user - instance_type = var.target_instance_type - vpc_id = step.create_base_infra.vpc_id - target_count = 1 - subnet_ids = step.create_isolated_worker.subnet_ids - ingress_cidr = matrix.ip_version == "4" ? ["10.13.9.0/24"] : [] - ingress_ipv6_cidr = step.create_isolated_worker.worker_ipv6_cidr - additional_tags = step.create_tag2_inputs.tag_map - ip_version = matrix.ip_version + ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] + ssh_aws_keypair = step.generate_ssh_key.key_pair_name + ssh_private_key = step.generate_ssh_key.private_key_pem + enos_user = var.enos_user + instance_type = var.target_instance_type + vpc_id = step.create_base_infra.vpc_id + target_count = 1 + subnet_ids = step.create_isolated_worker.subnet_ids + ingress_cidr = matrix.ip_version == "4" ? ["10.13.9.0/24"] : [] + ingress_ipv6_cidr = step.create_isolated_worker.worker_ipv6_cidr + additional_tags = step.create_tag2_inputs.tag_map + ip_version = matrix.ip_version } } 
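Review bot: Both `create_isolated_worker` and `create_isolated_target` pass `ssh_aws_keypair`/`ssh_private_key`, while the consuming modules read `var.aws_ssh_keypair_name`/`var.aws_ssh_private_key` (aws_target/main.tf declares exactly those; aws_worker/main.tf references them, though its variable declarations are not part of this diff). `ssh_aws_keypair` is the old name this commit removes everywhere else, so these look like leftovers rather than an intentional second interface. Rename to `aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name` and `aws_ssh_private_key = step.generate_ssh_key.private_key_pem` in both steps so the isolated worker and target actually get the generated key.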
@@ -260,7 +275,8 @@ scenario "e2e_aws" { step.create_targets_with_tag1, step.iam_setup, step.create_isolated_worker, - step.create_isolated_target + step.create_isolated_target, + step.generate_ssh_key ] variables { @@ -271,7 +287,7 @@ scenario "e2e_aws" { auth_login_name = step.create_boundary_cluster.auth_login_name auth_password = step.create_boundary_cluster.auth_password local_boundary_dir = local.local_boundary_dir - aws_ssh_private_key_path = local.aws_ssh_private_key_path + aws_ssh_private_key_path = step.generate_ssh_key.private_key_path target_user = "ubuntu" target_port = "22" aws_access_key_id = step.iam_setup.access_key_id diff --git a/enos/enos-scenario-e2e-database.hcl b/enos/enos-scenario-e2e-database.hcl index c274847a84..d746d483b3 100644 --- a/enos/enos-scenario-e2e-database.hcl +++ b/enos/enos-scenario-e2e-database.hcl @@ -10,9 +10,8 @@ scenario "e2e_database" { ] locals { - aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path) - local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null - license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) + local_boundary_dir = var.local_boundary_dir != null ? abspath(var.local_boundary_dir) : null + license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic")) tags = merge({ "Project Name" : var.project_name @@ -31,6 +30,14 @@ scenario "e2e_database" { } } + step "generate_ssh_key" { + module = module.aws_ssh_keypair + + variables { + enos_user = var.enos_user + } + } + step "find_azs" { module = module.aws_az_finder 
@@ -76,11 +83,12 @@ scenario "e2e_database" { step "create_targets_with_tag" { module = module.aws_target - depends_on = [step.create_base_infra] + depends_on = [step.create_base_infra, step.generate_ssh_key] variables { ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] - aws_ssh_keypair_name = var.aws_ssh_keypair_name + aws_ssh_keypair_name = module.generate_ssh_key.key_pair_name + aws_ssh_private_key = module.generate_ssh_key.private_key_pem enos_user = var.enos_user instance_type = var.target_instance_type vpc_id = step.create_base_infra.vpc_id @@ -114,7 +122,8 @@ scenario "e2e_database" { module = module.test_e2e depends_on = [ step.create_targets_with_tag, - step.iam_setup + step.iam_setup, + step.generate_ssh_key ] variables { @@ -123,7 +132,7 @@ scenario "e2e_database" { boundary_license = var.boundary_edition != "oss" ? step.read_license.license : "" local_boundary_dir = local.local_boundary_dir target_user = "ubuntu" - aws_ssh_private_key_path = local.aws_ssh_private_key_path + aws_ssh_private_key_path = step.generate_ssh_key.private_key_path aws_access_key_id = step.iam_setup.access_key_id aws_secret_access_key = step.iam_setup.secret_access_key aws_host_set_filter1 = step.create_tag_inputs.tag_string diff --git a/enos/enos.hcl b/enos/enos.hcl index c9aa4219fd..750887fdfb 100644 --- a/enos/enos.hcl +++ b/enos/enos.hcl @@ -32,8 +32,7 @@ provider "aws" "default" { provider "enos" "default" { transport = { ssh = { - user = "ubuntu" - private_key_path = abspath(var.aws_ssh_private_key_path) + user = "ubuntu" } } } diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf index b53879f4d6..95251fa971 100644 --- a/enos/modules/aws_boundary/boundary-instances.tf +++ b/enos/modules/aws_boundary/boundary-instances.tf 
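Review bot: `create_targets_with_tag` references `module.generate_ssh_key.key_pair_name` and `module.generate_ssh_key.private_key_pem`, but within an Enos scenario the key is produced by `step "generate_ssh_key"`, and every other scenario in this change — including `test_e2e` further down this same file — reads `step.generate_ssh_key.<output>`. There is no `module "generate_ssh_key"` in enos-modules.hcl (the module is registered as `aws_ssh_keypair`), so this reference cannot resolve. Change the two lines to `aws_ssh_keypair_name = step.generate_ssh_key.key_pair_name` and `aws_ssh_private_key = step.generate_ssh_key.private_key_pem`.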
@@ -12,7 +12,7 @@ resource "aws_instance" "controller" { aws_security_group.boundary_aux_sg.id, ] subnet_id = tolist(data.aws_subnets.infra.ids)[count.index % length(data.aws_subnets.infra.ids)] - key_name = var.ssh_aws_keypair + key_name = var.aws_ssh_keypair_name iam_instance_profile = aws_iam_instance_profile.boundary_profile.name monitoring = var.controller_monitoring ipv6_address_count = local.network_stack[var.ip_version].ipv6_address_count @@ -45,7 +45,7 @@ resource "aws_instance" "worker" { instance_type = var.worker_instance_type vpc_security_group_ids = [aws_security_group.boundary_sg.id] subnet_id = tolist(data.aws_subnets.infra.ids)[count.index % length(data.aws_subnets.infra.ids)] - key_name = var.ssh_aws_keypair + key_name = var.aws_ssh_keypair_name iam_instance_profile = aws_iam_instance_profile.boundary_profile.name monitoring = var.worker_monitoring ipv6_address_count = local.network_stack[var.ip_version].ipv6_address_count @@ -83,7 +83,8 @@ resource "enos_bundle_install" "controller" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -100,7 +101,8 @@ resource "enos_remote_exec" "update_path_controller" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } 
@@ -138,7 +140,8 @@ resource "enos_file" "controller_config" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -153,7 +156,8 @@ resource "enos_boundary_init" "controller" { transport = { ssh = { - host = try(var.ip_version == "6" ? aws_instance.controller[0].ipv6_addresses[0] : aws_instance.controller[0].public_ip, null) + host = try(var.ip_version == "6" ? aws_instance.controller[0].ipv6_addresses[0] : aws_instance.controller[0].public_ip, null) + private_key = var.aws_ssh_private_key } } @@ -170,7 +174,8 @@ resource "enos_boundary_start" "controller_start" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } @@ -195,7 +200,8 @@ resource "enos_remote_exec" "create_controller_audit_log_dir" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.controller[tonumber(each.value)].ipv6_addresses[0] : aws_instance.controller[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } 
@@ -212,7 +218,8 @@ resource "enos_bundle_install" "worker" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -229,7 +236,8 @@ resource "enos_remote_exec" "update_path_worker" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -256,7 +264,8 @@ resource "enos_file" "worker_config" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -273,7 +282,8 @@ resource "enos_boundary_start" "worker_start" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } 
@@ -293,7 +303,8 @@ resource "enos_remote_exec" "create_worker_audit_log_dir" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -313,7 +324,8 @@ resource "enos_remote_exec" "create_worker_auth_storage_dir" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } @@ -325,7 +337,8 @@ resource "enos_remote_exec" "get_worker_token" { inline = ["timeout 10s bash -c 'set -eo pipefail; until journalctl -u boundary.service | cat | grep \"Worker Auth Registration Request: .*\" | rev | cut -d \" \" -f 1 | rev | xargs; do sleep 2; done'"] transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + host = var.ip_version == "6" ? aws_instance.worker[tonumber(each.value)].ipv6_addresses[0] : aws_instance.worker[tonumber(each.value)].public_ip + private_key = var.aws_ssh_private_key } } } diff --git a/enos/modules/aws_boundary/variables.tf b/enos/modules/aws_boundary/variables.tf index 9293ac2674..835f7323e1 100644 --- a/enos/modules/aws_boundary/variables.tf +++ b/enos/modules/aws_boundary/variables.tf 
@@ -110,11 +110,17 @@ variable "ssh_user" { default = "ubuntu" } -variable "ssh_aws_keypair" { +variable "aws_ssh_keypair_name" { description = "SSH keypair used to connect to EC2 instances" type = string } +variable "aws_ssh_private_key" { + description = "SSH private key content for connecting to instances" + type = string + sensitive = true +} + variable "ubuntu_ami_id" { description = "Ubuntu LTS AMI from enos-infra" type = string diff --git a/enos/modules/aws_ssh_keypair/main.tf b/enos/modules/aws_ssh_keypair/main.tf new file mode 100644 index 0000000000..99cf436f96 --- /dev/null +++ b/enos/modules/aws_ssh_keypair/main.tf @@ -0,0 +1,42 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + tls = { + source = "hashicorp/tls" + } + local = { + source = "hashicorp/local" + } + } +} + +resource "tls_private_key" "ssh" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "aws_key_pair" "generated" { + key_name = "enos-${var.enos_user}-${formatdate("YYYYMMDD-hhmmss", timestamp())}" + public_key = tls_private_key.ssh.public_key_openssh +} + +resource "local_sensitive_file" "private_key" { + content = tls_private_key.ssh.private_key_pem + filename = "${path.root}/.terraform/tmp/ssh-key-${aws_key_pair.generated.key_name}" + file_permission = "0400" +} + +output "key_pair_name" { + value = aws_key_pair.generated.key_name +} + +output "private_key_path" { + value = abspath(local_sensitive_file.private_key.filename) +} + +output "private_key_pem" { + value = tls_private_key.ssh.private_key_pem + sensitive = true +} \ No newline at end of file diff --git a/enos/modules/aws_ssh_keypair/variables.tf b/enos/modules/aws_ssh_keypair/variables.tf new file mode 100644 index 0000000000..454f626224 --- /dev/null +++ b/enos/modules/aws_ssh_keypair/variables.tf @@ -0,0 +1,4 @@ +variable "enos_user" { + description = "The user running the tests, this is by default your OS user or Github User" + type = string +} \ No newline at end of file 
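Review bot: `key_name` in `aws_key_pair.generated` embeds `timestamp()`, which is re-evaluated on every plan, so the key pair is recreated on each apply and — because `key_name` forces replacement on `aws_instance` — every controller, worker, Vault node and target that references it is replaced too; a second apply or re-launch against existing infra would churn the whole fleet. Derive the suffix from the key material instead, e.g. `key_name = "enos-${var.enos_user}-${substr(sha256(tls_private_key.ssh.public_key_openssh), 0, 8)}"`, which is stable across plans and still unique per generated key. A comment above `tls_private_key.ssh` would also help the next maintainer: `# NOTE: the private key lives in Terraform state in clear text and is written to .terraform/tmp; treat state as a secret and destroy the scenario to clean up.` AWS key pairs also accept `algorithm = "ED25519"`, which is smaller and avoids RSA entirely, if the AMIs' sshd supports it — optional.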
diff --git a/enos/modules/aws_target/main.tf b/enos/modules/aws_target/main.tf index 6ca55635fd..ca358f2403 100644 --- a/enos/modules/aws_target/main.tf +++ b/enos/modules/aws_target/main.tf @@ -17,6 +17,7 @@ variable "environment" {} variable "project_name" {} variable "instance_type" {} variable "aws_ssh_keypair_name" {} +variable "aws_ssh_private_key" {} variable "enos_user" {} variable "additional_tags" { default = {} @@ -149,7 +150,8 @@ resource "enos_remote_exec" "wait" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.target[each.key].ipv6_addresses[0] : aws_instance.target[each.key].public_ip + host = var.ip_version == "6" ? aws_instance.target[each.key].ipv6_addresses[0] : aws_instance.target[each.key].public_ip + private_key = var.aws_ssh_private_key } } } diff --git a/enos/modules/aws_vault/variables.tf b/enos/modules/aws_vault/variables.tf index 2b8d4d714e..6f61f36911 100644 --- a/enos/modules/aws_vault/variables.tf +++ b/enos/modules/aws_vault/variables.tf @@ -118,11 +118,17 @@ variable "sg_additional_ipv6_ips" { default = [] } -variable "ssh_aws_keypair" { +variable "aws_ssh_keypair_name" { description = "SSH keypair used to connect to EC2 instances" type = string } +variable "aws_ssh_private_key" { + description = "SSH private key content for connecting to instances" + type = string + sensitive = true +} + variable "storage_backend" { type = string description = "The type of Vault storage backend which will be used" diff --git a/enos/modules/aws_vault/vault-instances.tf b/enos/modules/aws_vault/vault-instances.tf index 484e32bea4..9c6f597a2e 100644 --- a/enos/modules/aws_vault/vault-instances.tf +++ b/enos/modules/aws_vault/vault-instances.tf 
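Review bot: `variable "aws_ssh_private_key" {}` in aws_target/main.tf declares the SSH private key with no type and no `sensitive = true`, whereas the aws_boundary and aws_vault modules in this same change declare it as `type = string` with `sensitive = true`. Terraform may still propagate the sensitivity of the value the caller passes in, but that depends on the caller marking it; the module holding a PEM should not rely on that. Replace the empty declaration with a block that sets `type = string` and `sensitive = true`, matching aws_boundary/variables.tf, and consider giving `aws_ssh_keypair_name` a `type = string` as well.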
@@ -7,7 +7,7 @@ resource "aws_instance" "vault_instance" { instance_type = var.instance_type vpc_security_group_ids = [aws_security_group.enos_vault_sg[0].id] subnet_id = tolist(data.aws_subnets.infra.ids)[each.key % length(data.aws_subnets.infra.ids)] - key_name = var.ssh_aws_keypair + key_name = var.aws_ssh_keypair_name iam_instance_profile = aws_iam_instance_profile.vault_profile[0].name ipv6_address_count = local.network_stack[var.ip_version].ipv6_address_count tags = merge( @@ -37,7 +37,8 @@ resource "enos_remote_exec" "install_dependencies" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[each.value].ipv6_addresses[0] : aws_instance.vault_instance[each.value].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[each.value].ipv6_addresses[0] : aws_instance.vault_instance[each.value].public_ip + private_key = var.aws_ssh_private_key } } } @@ -53,7 +54,8 @@ resource "enos_bundle_install" "consul" { transport = { ssh = { - host = var.ip_version == "6" ? each.value.ipv6_addresses[0] : each.value.public_ip + host = var.ip_version == "6" ? each.value.ipv6_addresses[0] : each.value.public_ip + private_key = var.aws_ssh_private_key } } } @@ -68,7 +70,8 @@ resource "enos_bundle_install" "vault" { transport = { ssh = { - host = var.ip_version == "6" ? each.value.ipv6_addresses[0] : each.value.public_ip + host = var.ip_version == "6" ? each.value.ipv6_addresses[0] : each.value.public_ip + private_key = var.aws_ssh_private_key } } } @@ -94,7 +97,8 @@ resource "enos_consul_start" "consul" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + private_key = var.aws_ssh_private_key } } } 
@@ -136,7 +140,8 @@ resource "enos_vault_start" "leader" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + private_key = var.aws_ssh_private_key } } } @@ -177,7 +182,8 @@ resource "enos_vault_start" "followers" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip + private_key = var.aws_ssh_private_key } } } @@ -200,7 +206,8 @@ resource "enos_vault_init" "leader" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip + private_key = var.aws_ssh_private_key } } } @@ -218,7 +225,8 @@ resource "enos_vault_unseal" "leader" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip + private_key = var.aws_ssh_private_key } } } @@ -243,7 +251,8 @@ resource "enos_remote_exec" "create_audit_log_dir" { transport = { ssh = { - host = var.ip_version == "6" ? aws_instance.vault_instance[each.value].ipv6_addresses[0] : aws_instance.vault_instance[each.value].public_ip + host = var.ip_version == "6" ? aws_instance.vault_instance[each.value].ipv6_addresses[0] : aws_instance.vault_instance[each.value].public_ip + private_key = var.aws_ssh_private_key } } } 
@@ -272,7 +281,8 @@ resource "enos_remote_exec" "init_audit_device" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip
+ host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -295,7 +305,8 @@ resource "enos_vault_unseal" "followers" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -321,7 +332,8 @@ resource "enos_vault_unseal" "when_vault_unseal_when_no_init_is_set" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip
+ host = var.ip_version == "6" ? aws_instance.vault_instance[each.key].ipv6_addresses[0] : aws_instance.vault_instance[each.key].public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -341,7 +353,8 @@ resource "enos_remote_exec" "vault_write_license" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -360,7 +373,8 @@ resource "enos_remote_exec" "vault_kms_policy" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ host = var.ip_version == "6" ? aws_instance.vault_instance[0].ipv6_addresses[0] : aws_instance.vault_instance[0].public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
diff --git a/enos/modules/aws_worker/main.tf b/enos/modules/aws_worker/main.tf
index d208a3d2fa..fb27d25aa8 100644
--- a/enos/modules/aws_worker/main.tf
+++ b/enos/modules/aws_worker/main.tf
@@ -140,7 +140,7 @@ resource "aws_instance" "worker" {
 instance_type = var.worker_instance_type
 vpc_security_group_ids = [aws_security_group.default.id]
 subnet_id = aws_subnet.default.id
- key_name = var.ssh_aws_keypair
+ key_name = var.aws_ssh_keypair_name
 iam_instance_profile = aws_iam_instance_profile.boundary_profile.name
 monitoring = var.worker_monitoring
@@ -178,7 +178,8 @@ resource "enos_bundle_install" "worker" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -194,7 +195,8 @@ resource "enos_remote_exec" "update_path_worker" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -224,7 +226,8 @@ resource "enos_file" "worker_config" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -240,7 +243,8 @@ resource "enos_boundary_start" "worker_start" {
 recording_storage_path = var.recording_storage_path != "" ? var.recording_storage_path : null
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
@@ -259,7 +263,8 @@ resource "enos_remote_exec" "create_worker_audit_log_dir" {
 transport = {
 ssh = {
- host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ host = var.ip_version == "6" ? aws_instance.worker.ipv6_addresses[0] : aws_instance.worker.public_ip
+ private_key = var.aws_ssh_private_key
 }
 }
 }
diff --git a/enos/modules/aws_worker/variables.tf b/enos/modules/aws_worker/variables.tf
index 56fde62e4e..8bbac328c7 100644
--- a/enos/modules/aws_worker/variables.tf
+++ b/enos/modules/aws_worker/variables.tf
@@ -34,11 +34,17 @@ variable "worker_instance_type" {
 default = "t2.small"
 }
-variable "ssh_aws_keypair" {
- description = "The name of the SSH keypair used to connect to EC2 instances"
+variable "aws_ssh_keypair_name" {
+ description = "SSH keypair used to connect to EC2 instances"
 type = string
 }
+variable "aws_ssh_private_key" {
+ description = "SSH private key content for connecting to instances"
+ type = string
+ sensitive = true
+}
+
 variable "worker_monitoring" {
 description = "Enable detailed monitoring for workers"
 type = bool
diff --git a/enos/modules/test_e2e/main.tf b/enos/modules/test_e2e/main.tf
index 621dc036a7..92d4a71b12 100644
--- a/enos/modules/test_e2e/main.tf
+++ b/enos/modules/test_e2e/main.tf
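Review bot: `sensitive = true` on the new `aws_ssh_private_key` variable only redacts plan and apply output; the PEM is still written in clear text to the Terraform state of every root that feeds this module, so the state backend used by CI now holds a live SSH private key and the description should say so, e.g. `description = "SSH private key (PEM) used to connect to instances; stored in Terraform state, so the state backend must be treated as secret"`. Separately, the reworded description for `aws_ssh_keypair_name` drops the fact that the value is the key pair's name (it is passed to `key_name` in `aws_worker/main.tf` in this same diff); `description = "Name of the AWS EC2 key pair used to connect to EC2 instances"` keeps that precise.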
@@ -51,11 +51,12 @@ variable "target_user" {
 type = string
 default = ""
 }
+
 variable "aws_ssh_private_key_path" {
- description = "Local Path to key used to SSH onto created hosts"
+ description = "Path to the private key used to SSH into AWS instances"
 type = string
- default = ""
 }
+
 variable "target_address" {
 description = "Address of target"
 type = string
@@ -258,10 +259,9 @@ variable "ip_version" {
 }
 locals {
- aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
- aws_host_set_ips1 = jsonencode(var.aws_host_set_ips1)
- aws_host_set_ips2 = jsonencode(var.aws_host_set_ips2)
- package_name = reverse(split("/", var.test_package))[0]
+ aws_host_set_ips1 = jsonencode(var.aws_host_set_ips1)
+ aws_host_set_ips2 = jsonencode(var.aws_host_set_ips2)
+ package_name = reverse(split("/", var.test_package))[0]
 }
 resource "enos_local_exec" "run_e2e_test" {
@@ -275,7 +275,7 @@ resource "enos_local_exec" "run_e2e_test" {
 E2E_TARGET_ADDRESS = var.target_address
 E2E_TARGET_PORT = var.target_port
 E2E_SSH_USER = var.target_user
- E2E_SSH_KEY_PATH = local.aws_ssh_private_key_path
+ E2E_SSH_KEY_PATH = var.aws_ssh_private_key_path
 E2E_SSH_CA_KEY = ""
 VAULT_ADDR = var.vault_addr_public
 VAULT_TOKEN = var.vault_root_token
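Review bot: Dropping the `abspath()` wrapper from the `locals` block means `E2E_SSH_KEY_PATH` in the last hunk now receives `var.aws_ssh_private_key_path` verbatim, so a relative path that used to be resolved against the Terraform working directory is instead resolved by the test process against whatever its own cwd is; if relative inputs are still expected, `E2E_SSH_KEY_PATH = abspath(var.aws_ssh_private_key_path)` preserves the old behaviour without the local. Removing `default = ""` also makes the variable required, which changes behaviour for any caller that did not set it; that looks intended since an empty key path is unusable, but the description could say the path must be provided. The `run_e2e_test` resource body starts before the last hunk.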