From 1a0ded2f111cedf746c882db03bff9f5b58343c2 Mon Sep 17 00:00:00 2001
From: Michael Li
Date: Mon, 26 Aug 2024 13:10:10 -0400
Subject: [PATCH 1/2] test(hcp): Define TF module for long-lived resources
---
enos/ci/hcp-resources/.gitignore | 1 +
enos/ci/hcp-resources/README.md | 41 ++++++
enos/ci/hcp-resources/main.tf | 226 +++++++++++++++++++++++++++++++
3 files changed, 268 insertions(+)
create mode 100644 enos/ci/hcp-resources/.gitignore
create mode 100644 enos/ci/hcp-resources/README.md
create mode 100644 enos/ci/hcp-resources/main.tf
diff --git a/enos/ci/hcp-resources/.gitignore b/enos/ci/hcp-resources/.gitignore
new file mode 100644
index 0000000000..c45cf41694
--- /dev/null
+++ b/enos/ci/hcp-resources/.gitignore
@@ -0,0 +1 @@
+*.tfvars
diff --git a/enos/ci/hcp-resources/README.md b/enos/ci/hcp-resources/README.md
new file mode 100644
index 0000000000..b25bd987f2
--- /dev/null
+++ b/enos/ci/hcp-resources/README.md
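Review bot: `*.tfvars` is the only pattern ignored, so a `*.tfvars.json` variables file, the `.terraform/` working directory and any locally pulled `*.tfstate*` remain committable from this directory, and the README added in the same commit instructs operators to run `terraform state pull` locally, where the sensitive outputs appear in plaintext. Suggest extending the file with `*.tfvars.json`, `.terraform/` and `*.tfstate*`. The Boundary license and zip are supplied by path, so if they are dropped next to `main.tf` they should be ignored here as well.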
@@ -0,0 +1,41 @@ +# Resources for HCP testing + +This Terraform module defines resources needed to test against a long-lived HCP cluster. + +## Prerequisites + +- Gain access to the TFC `hashicorp-qti` org +- Generate a TFC API token under *Account Settings* > *Tokens* + +## Usage + +```shell +# Get AWS account credentials +doormat login +source <(doormat aws export --account ${AWS_ACCOUNT}) + +terraform login # enter TFC API token to the hashicorp-qti org +terraform init +terraform plan +terraform apply +``` + +The output contains information that we will need. For sensitive values, we will +need to use these commands. + +```shell +terraform state pull | jq .outputs.worker_tokens.value +terraform state pull | jq .outputs.bucket_secret_access_key.value +``` + +You can also find output information using the TFC UI by navigating to the +`boundary-hcp-resources` workspace. + +If any of these values have changed, we will need to update the Vault instance +that stores these values. + +## Notes + +- Created a `boundary-hcp-resources` workspace in the TFC org + - Set *Workflow* to `CLI-Driven` + - Set *Execution Mode* to `Local` diff --git a/enos/ci/hcp-resources/main.tf b/enos/ci/hcp-resources/main.tf new file mode 100644 index 0000000000..d4022d01f4 --- /dev/null +++ b/enos/ci/hcp-resources/main.tf 
@@ -0,0 +1,226 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + enos = { + source = "registry.terraform.io/hashicorp-forge/enos" + } + } + + cloud { + hostname = "app.terraform.io" + organization = "hashicorp-qti" + + workspaces { + name = "boundary-hcp-resources" + } + } +} + +data "aws_caller_identity" "current" {} + +provider "aws" { + region = var.aws_region +} + +provider "enos" { + transport = { + ssh = { + user = "ubuntu" + private_key_path = abspath(var.aws_ssh_private_key_path) + } + } +} + +variable "aws_region" { + description = "The AWS region to deploy resources in." + type = string + default = "us-east-1" +} + +variable "hcp_boundary_cluster_id" { + description = "The ID of the HCP Boundary cluster. If on HCP int, prepend the cluster ID with 'int-'. If on HCP dev, prepend the cluster ID with 'dev-'." + type = string +} + +variable "boundary_zip_path" { + description = "Path to Boundary zip file. Version should be a linux_amd64 enterprise variant." 
+ type = string +} + +variable "boundary_license_path" { + description = "Path to the Boundary license file" + type = string +} + +variable "aws_ssh_keypair_name" { + description = "Name of the AWS EC2 keypair to use for SSH access" + type = string +} + +variable "aws_ssh_private_key_path" { + description = "Path to the private key file for the AWS EC2 keypair" + type = string +} + +variable "worker_count" { + description = "Number of workers to create" + type = number + default = 1 +} + +variable "target_count" { + description = "Number of targets to create" + type = number + default = 1 +} + +locals { + worker_instance_type = "t3a.small" + target_instance_type = "t2.micro" + + egress_tag = "egress" + + license_path = abspath(var.boundary_license_path) + boundary_zip_path = abspath(var.boundary_zip_path) + + cluster_tag = "boundary_hcp_testing" + project_tag = "boundary_hcp_testing" + environment_tag = "hcp" + tags = merge({ + "Project Name" : local.project_tag, + "Project" : local.project_tag, + "Environment" : local.environment_tag, + }) +} + +module "find_azs" { + source = "../../modules/aws_az_finder" + + instance_type = [ + local.worker_instance_type, + local.target_instance_type + ] +} + +module "license" { + source = "../../modules/read_license" + + file_name = abspath(local.license_path) +} + +module "iam_user" { + source = "../../modules/aws_iam_setup" + + test_id = local.environment_tag + test_email = split(":", data.aws_caller_identity.current.user_id)[1] +} + +module "base_infra" { + source = "../../modules/aws_vpc" + + availability_zones = module.find_azs.availability_zones + common_tags = local.tags +} + +module "worker" { + depends_on = [module.base_infra] + source = "../../modules/aws_boundary" + + controller_count = 0 + worker_count = var.worker_count + db_create = false + aws_region = var.aws_region + hcp_boundary_cluster_id = var.hcp_boundary_cluster_id + ssh_aws_keypair = var.aws_ssh_keypair_name + boundary_license = module.license.license + 
kms_key_arn = module.base_infra.kms_key_arn + ubuntu_ami_id = module.base_infra.ami_ids["ubuntu"]["amd64"] + vpc_id = module.base_infra.vpc_id + vpc_tag_module = module.base_infra.vpc_tag_module + worker_instance_type = local.worker_instance_type + worker_type_tags = [local.egress_tag] + worker_config_file_path = "templates/worker_hcp_bsr.hcl" + recording_storage_path = "/recordings" + local_artifact_path = local.boundary_zip_path + environment = local.environment_tag + project_name = local.project_tag + common_tags = local.tags +} + +module "storage_bucket" { + depends_on = [module.iam_user] + source = "../../modules/aws_bucket" + + cluster_tag = local.cluster_tag + user = module.iam_user.user_name + is_user = true +} + +module "target_tags" { + source = "../../modules/generate_aws_host_tag_vars" + + tag_name = local.project_tag + tag_value = "true" +} + +module "target" { + source = "../../modules/aws_target" + + target_count = var.target_count + aws_ssh_keypair_name = var.aws_ssh_keypair_name + instance_type = local.target_instance_type + enos_user = local.cluster_tag + environment = local.environment_tag + project_name = local.project_tag + ami_id = module.base_infra.ami_ids["ubuntu"]["amd64"] + vpc_id = module.base_infra.vpc_id + subnet_ids = module.worker.subnet_ids + additional_tags = module.target_tags.tag_map +} + +output "bucket_access_key_id" { + value = module.iam_user.access_key_id +} + +output "bucket_secret_access_key" { + sensitive = true + value = module.iam_user.secret_access_key +} + +output "bucket_name" { + value = module.storage_bucket.bucket_name +} + +output "host_set_filter" { + value = module.target_tags.tag_string +} + +output "target_public_ip" { + value = module.target.target_public_ips +} + +output "target_private_ip" { + value = module.target.target_private_ips +} + +output "target_ssh_user" { + value = "ubuntu" +} + +output "worker_ip" { + value = module.worker.worker_ips +} + +output "worker_tokens" { + sensitive = true + value = 
module.worker.worker_tokens +} + +output "region" { + value = var.aws_region +} From bf2385b90c56bc831cef6449dc39968f647fa78e Mon Sep 17 00:00:00 2001 From: Michael Li Date: Tue, 3 Sep 2024 15:21:06 -0400 Subject: [PATCH 2/2] CR: Move outputs and variables to its own files --- enos/ci/hcp-resources/main.tf | 85 ------------------------------ enos/ci/hcp-resources/outputs.tf | 44 ++++++++++++++++ enos/ci/hcp-resources/variables.tf | 45 ++++++++++++++++ 3 files changed, 89 insertions(+), 85 deletions(-) create mode 100644 enos/ci/hcp-resources/outputs.tf create mode 100644 enos/ci/hcp-resources/variables.tf diff --git a/enos/ci/hcp-resources/main.tf b/enos/ci/hcp-resources/main.tf index d4022d01f4..4af20e198a 100644 --- a/enos/ci/hcp-resources/main.tf +++ b/enos/ci/hcp-resources/main.tf @@ -36,49 +36,6 @@ provider "enos" { } } -variable "aws_region" { - description = "The AWS region to deploy resources in." - type = string - default = "us-east-1" -} - -variable "hcp_boundary_cluster_id" { - description = "The ID of the HCP Boundary cluster. If on HCP int, prepend the cluster ID with 'int-'. If on HCP dev, prepend the cluster ID with 'dev-'." - type = string -} - -variable "boundary_zip_path" { - description = "Path to Boundary zip file. Version should be a linux_amd64 enterprise variant." - type = string -} - -variable "boundary_license_path" { - description = "Path to the Boundary license file" - type = string -} - -variable "aws_ssh_keypair_name" { - description = "Name of the AWS EC2 keypair to use for SSH access" - type = string -} - -variable "aws_ssh_private_key_path" { - description = "Path to the private key file for the AWS EC2 keypair" - type = string -} - -variable "worker_count" { - description = "Number of workers to create" - type = number - default = 1 -} - -variable "target_count" { - description = "Number of targets to create" - type = number - default = 1 -} - locals { worker_instance_type = "t3a.small" target_instance_type = "t2.micro" 
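Review bot: Both `required_providers` entries in the `terraform` block at the top of the hunk carry only `source` and no `version` constraint, and the diffstat shows no `.terraform.lock.hcl` being committed, so every `terraform init` in this long-lived workspace resolves the newest `hashicorp/aws` and `hashicorp-forge/enos` releases; add a `version = "~> …"` constraint to each and commit the lock file so the provider binaries that act on the HCP cluster and IAM credentials are reproducible and reviewable. Separately, `module "iam_user"` derives `test_email` from `split(":", data.aws_caller_identity.current.user_id)[1]`, which presumably relies on assumed-role credentials (the doormat export in the README) whose `user_id` contains a colon; with plain IAM-user keys there is no colon and the index fails at plan time, so guarding it with `try()`/`can()` or a `validation`-style check would give an explicit error instead of an index failure. Minor: `tags = merge({ … })` is a single-argument `merge` and can be a plain map literal, and `module "license"` applies `abspath()` to `local.license_path`, which is already `abspath(var.boundary_license_path)`.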
@@ -182,45 +139,3 @@ module "target" { subnet_ids = module.worker.subnet_ids additional_tags = module.target_tags.tag_map } - -output "bucket_access_key_id" { - value = module.iam_user.access_key_id -} - -output "bucket_secret_access_key" { - sensitive = true - value = module.iam_user.secret_access_key -} - -output "bucket_name" { - value = module.storage_bucket.bucket_name -} - -output "host_set_filter" { - value = module.target_tags.tag_string -} - -output "target_public_ip" { - value = module.target.target_public_ips -} - -output "target_private_ip" { - value = module.target.target_private_ips -} - -output "target_ssh_user" { - value = "ubuntu" -} - -output "worker_ip" { - value = module.worker.worker_ips -} - -output "worker_tokens" { - sensitive = true - value = module.worker.worker_tokens -} - -output "region" { - value = var.aws_region -} diff --git a/enos/ci/hcp-resources/outputs.tf b/enos/ci/hcp-resources/outputs.tf new file mode 100644 index 0000000000..65ef0e0b5c --- /dev/null +++ b/enos/ci/hcp-resources/outputs.tf @@ -0,0 +1,44 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +output "bucket_access_key_id" { + value = module.iam_user.access_key_id +} + +output "bucket_secret_access_key" { + sensitive = true + value = module.iam_user.secret_access_key +} + +output "bucket_name" { + value = module.storage_bucket.bucket_name +} + +output "host_set_filter" { + value = module.target_tags.tag_string +} + +output "target_public_ip" { + value = module.target.target_public_ips +} + +output "target_private_ip" { + value = module.target.target_private_ips +} + +output "target_ssh_user" { + value = "ubuntu" +} + +output "worker_ip" { + value = module.worker.worker_ips +} + +output "worker_tokens" { + sensitive = true + value = module.worker.worker_tokens +} + +output "region" { + value = var.aws_region +} diff --git a/enos/ci/hcp-resources/variables.tf b/enos/ci/hcp-resources/variables.tf new file mode 100644 index 0000000000..7d2f2e38e7 
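Review bot: `bucket_secret_access_key` and `worker_tokens` are correctly marked `sensitive`, but together with `bucket_access_key_id` they are long-lived static credentials for the IAM user created by `module.iam_user`, and they persist in the TFC workspace state that anyone with state-read access can `terraform state pull`. If the `aws_iam_setup`/`aws_bucket` modules can grant access through a role, the worker should reach the bucket via an instance profile or `role_arn` rather than exported user keys; if static keys are unavoidable, document a rotation procedure alongside the Vault hand-off the README describes. A comment above the two sensitive outputs, e.g. `# Long-lived IAM user keys: rotate on re-apply and never echo into CI logs`, would make that expectation explicit for the next operator.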
--- /dev/null
+++ b/enos/ci/hcp-resources/variables.tf
@@ -0,0 +1,45 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+variable "aws_region" {
+ description = "The AWS region to deploy resources in."
+ type = string
+ default = "us-east-1"
+}
+
+variable "hcp_boundary_cluster_id" {
+ description = "The ID of the HCP Boundary cluster. If on HCP int, prepend the cluster ID with 'int-'. If on HCP dev, prepend the cluster ID with 'dev-'."
+ type = string
+}
+
+variable "boundary_zip_path" {
+ description = "Path to Boundary zip file. Version should be a linux_amd64 enterprise variant."
+ type = string
+}
+
+variable "boundary_license_path" {
+ description = "Path to the Boundary license file"
+ type = string
+}
+
+variable "aws_ssh_keypair_name" {
+ description = "Name of the AWS EC2 keypair to use for SSH access"
+ type = string
+}
+
+variable "aws_ssh_private_key_path" {
+ description = "Path to the private key file for the AWS EC2 keypair"
+ type = string
+}
+
+variable "worker_count" {
+ description = "Number of workers to create"
+ type = number
+ default = 1
+}
+
+variable "target_count" {
+ description = "Number of targets to create"
+ type = number
+ default = 1
+}