From e1d078fa9ff855e3c1ca97043f55e6718b739892 Mon Sep 17 00:00:00 2001
From: Mike Baum
Date: Thu, 16 Feb 2023 17:07:30 -0500
Subject: [PATCH] [QT-444] Use repo isolated AWS account for enos CI tests (#2727)
* [QT-444] Use repo isolated AWS account for enos CI tests
---
 .github/workflows/enos-run.yml | 16 ++++++++--------
 ...otstrap-oss.yml => test-ci-bootstrap-oss.yml} | 10 +++++-----
 .github/workflows/test-ci-cleanup-oss.yml | 8 ++------
 enos/README.md | 2 +-
 enos/ci/service-user-iam/main.tf | 9 ++++++++-
 enos/modules/iam_setup/main.tf | 7 ++++---
 6 files changed, 28 insertions(+), 24 deletions(-)
 rename .github/workflows/{enos-ci-bootstrap-oss.yml => test-ci-bootstrap-oss.yml} (82%)
diff --git a/.github/workflows/enos-run.yml b/.github/workflows/enos-run.yml
index 35e5b6dc96..346a19387a 100644
--- a/.github/workflows/enos-run.yml
+++ b/.github/workflows/enos-run.yml
@@ -66,10 +66,10 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
 aws-region: us-east-1
- role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
 - name: Set up Enos
@@ -79,7 +79,7 @@ jobs:
 - name: Set up AWS SSH private key
 run: |
 mkdir -p ./enos/support
- echo "${{ secrets.ENOS_CI_SSH_KEY }}" > ./enos/support/private_key.pem
+ echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > ./enos/support/private_key.pem
 chmod 600 ./enos/support/private_key.pem
 - name: Set up dependency cache
 id: dep-cache
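Review bot: The credential step still rests on a long-lived access key pair (`aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}` / `aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}`) that is then exchanged for `AWS_ROLE_ARN_CI`; since this commit is already re-plumbing which account the workflow authenticates to, it is the natural point to trust GitHub's OIDC provider in the isolated account and drop the static keys, leaving `permissions: id-token: write` on the job and only `role-to-assume` plus `aws-region` under `with:`, so no reusable secret has to live in the repository. Independently, `uses: aws-actions/configure-aws-credentials@v1-node16` references a mutable tag; pinning to a full commit SHA (with the tag in a trailing comment) keeps a moved tag from silently changing the code that handles these credentials. Both points apply to the identical step in test-ci-bootstrap-oss.yml and test-ci-cleanup-oss.yml further down.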
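Review bot: The private key is written with `echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > ./enos/support/private_key.pem` and only afterwards `chmod 600`, so the file briefly exists with the runner's default umask, and the key is spliced into the script text by expression substitution rather than read from the environment. Creating the file under a restrictive umask closes that window, and passing the secret through `env:` keeps it out of the rendered script: add `SSH_KEY_PRIVATE_CI: ${{ secrets.SSH_KEY_PRIVATE_CI }}` under the step's `env:` and replace the echo line with `(umask 077 && printf '%s\n' "$SSH_KEY_PRIVATE_CI" > ./enos/support/private_key.pem)`. The `chmod 600` line can then stay as a belt-and-braces check.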
@@ -126,7 +126,7 @@ jobs:
 # Use the same env vars from the following step
 env:
 ENOS_VAR_aws_region: us-east-1
- ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
+ ENOS_VAR_aws_ssh_keypair_name: ${{ github.event.repository.name }}-ci-ssh-key
 ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
 ENOS_VAR_local_boundary_dir: ./support/
 ENOS_VAR_crt_bundle_path: ./support/boundary.zip
@@ -143,7 +143,7 @@ jobs:
 continue-on-error: true
 env:
 ENOS_VAR_aws_region: us-east-1
- ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
+ ENOS_VAR_aws_ssh_keypair_name: ${{ github.event.repository.name }}-ci-ssh-key
 ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
 ENOS_VAR_local_boundary_dir: ./support/
 ENOS_VAR_crt_bundle_path: ./support/boundary.zip
@@ -171,7 +171,7 @@ jobs:
 if: steps.run.outcome == 'failure'
 env:
 ENOS_VAR_aws_region: us-east-1
- ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
+ ENOS_VAR_aws_ssh_keypair_name: ${{ github.event.repository.name }}-ci-ssh-key
 ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
 ENOS_VAR_local_boundary_dir: ./support/
 ENOS_VAR_crt_bundle_path: ./support/boundary.zip
@@ -183,7 +183,7 @@ jobs:
 - name: Destroy Enos scenario
 env:
 ENOS_VAR_aws_region: us-east-1
- ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
+ ENOS_VAR_aws_ssh_keypair_name: ${{ github.event.repository.name }}-ci-ssh-key
 ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
 ENOS_VAR_local_boundary_dir: ./support/
 ENOS_VAR_crt_bundle_path: ./support/boundary.zip
diff --git a/.github/workflows/enos-ci-bootstrap-oss.yml b/.github/workflows/test-ci-bootstrap-oss.yml
similarity index 82%
rename from .github/workflows/enos-ci-bootstrap-oss.yml
rename to .github/workflows/test-ci-bootstrap-oss.yml
index 105986c3d5..c288ef392d 100644
--- a/.github/workflows/enos-ci-bootstrap-oss.yml
+++ b/.github/workflows/test-ci-bootstrap-oss.yml
@@ -1,4 +1,4 @@
-name: enos-ci-bootstrap-oss
+name: test-ci-bootstrap-oss
 on:
 pull_request:
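Review bot: The same `env:` block, now including `ENOS_VAR_aws_ssh_keypair_name: ${{ github.event.repository.name }}-ci-ssh-key`, is repeated verbatim in the hunks at lines 126, 143, 171 and 183, and the context comment `# Use the same env vars from the following step` shows the duplication was already known. Hoisting the shared `ENOS_VAR_*` entries to a job-level `env:` would make the keypair name a single point of change, so the next rename cannot leave one of the retry or destroy steps pointing at a stale key; only the variables that genuinely differ between steps need to stay step-local. The job header is outside these hunks, so I cannot see whether a job-level `env:` already exists.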
@@ -6,13 +6,13 @@ on:
 - main
 paths:
 - enos/ci/**
- - .github/workflows/enos-ci-bootstrap-oss.yml
+ - .github/workflows/test-ci-bootstrap-oss.yml
 push:
 branches:
 - main
 paths:
 - enos/ci/**
- - .github/workflows/enos-ci-bootstrap-oss.yml
+ - .github/workflows/test-ci-bootstrap-oss.yml
 jobs:
 bootstrap-ci-oss:
@@ -28,12 +28,12 @@ jobs:
 - name: Set up Terraform
 uses: hashicorp/setup-terraform@v2
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v1-node16
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
 aws-region: us-east-1
- role-to-assume: arn:aws:iam::271311691044:role/github_actions-boundary_ci
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
 - name: Init Terraform
diff --git a/.github/workflows/test-ci-cleanup-oss.yml b/.github/workflows/test-ci-cleanup-oss.yml
index e283b406f2..23ea520b5d 100644
--- a/.github/workflows/test-ci-cleanup-oss.yml
+++ b/.github/workflows/test-ci-cleanup-oss.yml
@@ -10,6 +10,7 @@ jobs:
 runs-on: ${{ fromJSON(vars.RUNNER) }}
 outputs:
 regions: ${{steps.setup.outputs.regions}}
+ account_id: ${{steps.setup.outputs.account_id}}
 steps:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
@@ -25,10 +26,6 @@ jobs:
 run: |
 echo "regions=$(aws ec2 describe-regions --region us-east-1 --output json --query 'Regions[].RegionName' | tr -d '\n ')" >> $GITHUB_OUTPUT
 echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
- - name: Get account ID
- id: setup_aws
- run: |
- echo "account_id=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | awk -F'"' '/"accountId"/ { print $4 }')" >> $GITHUB_OUTPUT
 aws-nuke:
 if: ${{ github.event.repository.name == 'boundary' }}
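Review bot: `role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}` replaces a literal ARN, but when the secret is absent in a repository or environment the expression renders as an empty string and, as far as I can tell from this action's behaviour, an empty `role-to-assume` is treated as "no role", so the bootstrap Terraform would silently run under the raw `AWS_ACCESS_KEY_ID_CI` identity instead of failing. A guard step before the credentials step makes the requirement explicit: `- name: Require CI role ARN` / `env: { ROLE_ARN: "${{ secrets.AWS_ROLE_ARN_CI }}" }` / `run: test -n "$ROLE_ARN" || { echo "AWS_ROLE_ARN_CI is not set" >&2; exit 1; }`. The same applies to the equivalent step in enos-run.yml above. A role ARN is not itself sensitive, so a repository or organization variable (`vars.`) would also serve and would remain visible in logs for debugging; which store is used matters less than the guard.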
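Review bot: The new job output `account_id: ${{steps.setup.outputs.account_id}}` is fed by the setup step's `curl -s http://169.254.169.254/latest/dynamic/instance-identity/document` call, which reports the account that owns the runner host, not the account the `AWS_*_CI` credentials configured in the preceding step resolve to; now that this commit moves CI into a repo-isolated account the two can differ, and since this value becomes aws-nuke's target account the cleanup would be refused or aimed at the wrong account. Deriving it from the credentials actually in use removes the ambiguity: `echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"`. That also drops an unauthenticated IMDSv1 request, which fails on hosts that require IMDSv2 tokens, and avoids `curl -s` without `-f` turning an HTTP error into an empty account id. The producing `run:` line is context in the following hunk rather than new code, but the wiring of the output is new here.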
@@ -58,8 +55,7 @@ jobs:
 - name: Configure
 run: |
 cp enos/ci/aws-nuke.yml .
- echo "test: ${{ needs.setup.output.account_num }}"
- sed -i "s/ACCOUNT_NUM/${{ needs.setup.output.account_num }}/g" aws-nuke.yml
+ sed -i "s/ACCOUNT_NUM/${{ needs.setup.outputs.account_id }}/g" aws-nuke.yml
 sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
 # We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
 # we'll fail on actually actionable things in the quota steep afterwards.
diff --git a/enos/README.md b/enos/README.md
index dca48a6459..5879aa912c 100644
--- a/enos/README.md
+++ b/enos/README.md
@@ -158,7 +158,7 @@ Here are the steps to configure the GitHub Actions service user:
 2. **Execute the Terraform module**
 ```shell
 > cd ./enos/ci/service-user-iam
-> export TF_WORKSPACE=-ci-service-user-iam
+> export TF_WORKSPACE=-ci-enos-service-user-iam
 > export TF_TOKEN_app_terraform_io=
 > export TF_VAR_repository=
 > terraform init
diff --git a/enos/ci/service-user-iam/main.tf b/enos/ci/service-user-iam/main.tf
index 4f99eebbcb..b59bb6b77f 100644
--- a/enos/ci/service-user-iam/main.tf
+++ b/enos/ci/service-user-iam/main.tf
@@ -18,10 +18,16 @@ terraform {
 locals {
 enterprise_repositories = ["boundary-enterprise", "boundary-hcp"]
 is_ent = contains(local.enterprise_repositories, var.repository)
- service_user = "github_actions-boundary_ci"
+ service_user = data.aws_iam_user.service_user.user_name
 oss_aws_account_id = "271311691044"
 }
+
+data "aws_iam_user" "service_user" {
+ # This is the user created in the hashicorp/hc-service-users repo
+ user_name = "github_actions-boundary_ci"
+}
+
 resource "aws_iam_role" "role" {
 count = local.is_ent ? 0 : 1 // only create a role for the OSS repositories
@@ -158,6 +164,7 @@ data "aws_iam_policy_document" "enos_policy_document" {
 "iam:CreatePolicy",
 "iam:CreateRole",
 "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
 "iam:CreateUser",
 "iam:CreateUserPolicy",
 "iam:CreateUserTag",
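Review bot: `sed -i "s/ACCOUNT_NUM/${{ needs.setup.outputs.account_id }}/g" aws-nuke.yml` splices a value that originated from an HTTP response (the setup job's IMDS query) directly into the shell script by expression interpolation, and nothing checks that it looks like an account id before it becomes aws-nuke's target. Reading it from the environment and validating its shape first keeps an empty or malformed value from producing a broken or mis-targeted nuke config: add `ACCOUNT_ID: ${{ needs.setup.outputs.account_id }}` under the step's `env:`, put `[[ "$ACCOUNT_ID" =~ ^[0-9]{12}$ ]] || { echo "unexpected account id: '$ACCOUNT_ID'" >&2; exit 1; }` before the sed, and have the sed use `${ACCOUNT_ID}` the way the `TIME_LIMIT` line below it already does. Whether the `Configure` step already has an `env:` block is not visible in this hunk.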
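Review bot: `service_user = data.aws_iam_user.service_user.user_name` now merely reflects a literal that is hard-coded a few lines below in the new data block, so the effect of going through the lookup — presumably that `terraform plan` fails early when the service user has not been provisioned in the target account — is not stated anywhere and invites a later "simplification" back to a string. Making the intent explicit in the data block's comment would prevent that: `# Looked up rather than hard-coded so plan fails fast if the user is missing; it is created in the hashicorp/hc-service-users repo`. Note also that `oss_aws_account_id = "271311691044"` stays a literal in the same `locals` block while the workflows in this commit moved the matching role ARN out of source into a secret; if the account number is meant to be kept out of the repo, `data.aws_caller_identity` gives the same value from the credentials in use.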
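Review bot: `"iam:CreateServiceLinkedRole"` is added to the flat action list of `enos_policy_document`, which grants creation of a service-linked role for any AWS service; IAM allows this action to be scoped with a `condition` on `iam:AWSServiceName`, so placing it in its own `statement` limited to the service(s) the enos scenarios actually need keeps the CI role at least-privilege (the triggering service is not visible here, so fill in whichever one prompted the addition). The surrounding context also lists `"iam:CreateRole"` twice, a pre-existing duplicate worth dropping while the list is being edited. The policy document starts and ends outside this hunk.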
diff --git a/enos/modules/iam_setup/main.tf b/enos/modules/iam_setup/main.tf
index edcaa48169..b11442eb1d 100644
--- a/enos/modules/iam_setup/main.tf
+++ b/enos/modules/iam_setup/main.tf
@@ -12,9 +12,10 @@ locals {
 }
 resource "aws_iam_user" "boundary" {
- name = "boundary-e2e-${var.test_id}"
- tags = { boundary-demo = local.user_email }
- permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/BoundaryDemoPermissionsBoundary"
+ name = "boundary-e2e-${var.test_id}"
+ # These are disabled currently, as we cannot lock down this user and still perform certain tests with the service user
+ # tags = { boundary-demo = local.user_email }
+ # permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/BoundaryDemoPermissionsBoundary"
 }
 resource "aws_iam_user_policy" "boundary" {
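Review bot: Commenting out `permissions_boundary` means `aws_iam_user.boundary` is now created with no boundary at all, and the comment explains only that some tests conflict with it, not what would allow it to be re-enabled or what compensates for the unbounded user in the meantime. Rather than commented-out code, expose it as an input with a safe default so the boundary can be restored per environment without editing the module: `permissions_boundary = var.permissions_boundary_arn` here, plus a `variable "permissions_boundary_arn"` of type `string` with `default = null` (Terraform treats a `null` argument as unset), and turn the comment into a TODO naming the conflicting tests and the controls that cover the gap — from this commit, the repo-isolated account and the aws-nuke cleanup job. The `tags` line could stay applied regardless, since tags do not restrict the user, unless the `local.user_email` lookup itself was the problem, which is not visible here.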