test(e2e): Add support for an hcp worker

enos/enos-variables.hcl

@@ -192,3 +192,11 @@ variable "go_version" {
   type        = string
   default     = ""
 }
+
+variable "hcp_boundary_cluster_id" {
+  description = "ID of the Boundary cluster in HCP"
+  type        = string
+  default     = ""
+  // If using HCP int, ensure that the cluster id starts with "int-"
+  // Example: "int-19283a-123123-..."
+}

enos/modules/aws_boundary/boundary-instances.tf

@@ -124,7 +124,7 @@ resource "enos_file" "controller_config" {
 }
 
 resource "enos_boundary_init" "controller" {
-  count = local.is_restored_db ? 0 : 1 // init not required when we restore from a snapshot
+  count = !local.is_restored_db && var.controller_count > 0 ? 1 : 0 // init not required when we restore from a snapshot
 
   bin_name    = var.boundary_binary_name
   bin_path    = var.boundary_install_dir
@@ -133,7 +133,7 @@ resource "enos_boundary_init" "controller" {
 
   transport = {
     ssh = {
-      host = aws_instance.controller[0].public_ip
+      host = try(aws_instance.controller[0].public_ip, null)
     }
   }
 
@@ -217,14 +217,15 @@ resource "enos_file" "worker_config" {
   depends_on  = [enos_bundle_install.worker]
   destination = "/etc/boundary/boundary.hcl"
   content = templatefile("${path.module}/${var.worker_config_file_path}", {
-    id                     = each.value
-    kms_key_id             = data.aws_kms_key.kms_key.id,
-    controller_ips         = jsonencode(aws_instance.controller.*.private_ip),
-    public_addr            = aws_instance.worker[tonumber(each.value)].public_ip
-    region                 = var.aws_region
-    type                   = jsonencode(var.worker_type_tags)
-    recording_storage_path = var.recording_storage_path
-    audit_log_dir          = local.audit_log_directory
+    id                      = each.value
+    kms_key_id              = data.aws_kms_key.kms_key.id,
+    controller_ips          = jsonencode(aws_instance.controller.*.private_ip),
+    public_addr             = aws_instance.worker[tonumber(each.value)].public_ip
+    region                  = var.aws_region
+    type                    = jsonencode(var.worker_type_tags)
+    recording_storage_path  = var.recording_storage_path
+    audit_log_dir           = local.audit_log_directory
+    hcp_boundary_cluster_id = var.hcp_boundary_cluster_id
   })
   for_each = toset([for idx in range(var.worker_count) : tostring(idx)])
 
@@ -271,3 +272,15 @@ resource "enos_remote_exec" "create_worker_audit_log_dir" {
     }
   }
 }
+
+resource "enos_remote_exec" "get_worker_token" {
+  depends_on = [enos_boundary_start.worker_start]
+  for_each   = var.hcp_boundary_cluster_id != "" ? toset([for idx in range(var.worker_count) : tostring(idx)]) : []
+
+  inline = ["timeout 10s bash -c 'set -eo pipefail; until journalctl -u boundary.service | cat | grep \"Worker Auth Registration Request: .*\" | rev | cut -d \" \" -f 1 | rev | xargs; do sleep 2; done'"]
+  transport = {
+    ssh = {
+      host = aws_instance.worker[tonumber(each.value)].public_ip
+    }
+  }
+}

enos/modules/aws_boundary/outputs.tf

@@ -225,3 +225,10 @@ output "pet_id" {
   description = "The ID of the random_pet used in this module"
   value       = random_pet.default.id
 }
+
+output "worker_tokens" {
+  description = "If available, worker tokens used to register to Boundary"
+  value = try([
+    for token in enos_remote_exec.get_worker_token : trimspace(token.stdout)
+  ], null)
+}

enos/modules/aws_boundary/security-groups.tf

@@ -88,7 +88,7 @@ resource "aws_security_group" "boundary_alb_sg" {
       cidr_blocks = flatten([
         formatlist("%s/32", data.enos_environment.localhost.public_ipv4_addresses),
         join(",", data.aws_vpc.infra.cidr_block_associations.*.cidr_block),
-        format("%s/32", aws_instance.controller.0.public_ip),
+        try(format("%s/32", aws_instance.controller.0.public_ip), []),
         formatlist("%s/32", var.alb_sg_additional_ips)
       ])
       description      = ingress.key

enos/modules/aws_boundary/templates/worker_hcp_bsr.hcl

@@ -0,0 +1,63 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+listener "tcp" {
+  purpose = "proxy"
+  tls_disable = true
+  address = "0.0.0.0"
+}
+
+hcp_boundary_cluster_id = "${hcp_boundary_cluster_id}"
+
+worker {
+  public_addr = "${public_addr}"
+
+  tags {
+    type   = ${type}
+    region = ["${region}"]
+  }
+
+  auth_storage_path = "/tmp/boundary/worker"
+  recording_storage_path = "${recording_storage_path}"
+}
+
+events {
+  audit_enabled        = true
+  observations_enabled = true
+  sysevents_enabled    = true
+
+  sink "stderr" {
+    name        = "all-events"
+    description = "All events sent to stderr"
+    event_types = ["*"]
+    format      = "cloudevents-json"
+
+    deny_filters = [
+      "\"/data/request_info/method\" contains \"Status\"",
+      "\"/data/request_info/path\" contains \"/health\"",
+    ]
+  }
+
+  sink {
+    name        = "audit-sink"
+    description = "Audit sent to a file"
+    event_types = ["audit"]
+    format      = "cloudevents-json"
+
+    deny_filters = [
+      "\"/data/request_info/method\" contains \"Status\"",
+    ]
+
+    file {
+      path      = "${audit_log_dir}"
+      file_name = "audit.log"
+    }
+
+    audit_config {
+      audit_filter_overrides {
+        secret    = "encrypt"
+        sensitive = "hmac-sha256"
+      }
+    }
+  }
+}

enos/modules/aws_boundary/variables.tf

@@ -370,3 +370,11 @@ variable "recording_storage_path" {
   type        = string
   default     = ""
 }
+
+variable "hcp_boundary_cluster_id" {
+  description = "ID of the Boundary cluster in HCP"
+  type        = string
+  default     = ""
+  // If using HCP int, ensure that the cluster id starts with "int-"
+  // Example: "int-19283a-123123-..."
+}

enos/modules/aws_iam_setup/main.tf

@@ -73,8 +73,7 @@ output "access_key_id" {
 }
 
 output "secret_access_key" {
-  value     = aws_iam_access_key.boundary.secret
-  sensitive = true
+  value = nonsensitive(aws_iam_access_key.boundary.secret)
 }
 
 output "user_name" {