diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf index 07e491da581..11cf4c6fa64 100644 --- a/enos/modules/aws_boundary/boundary-instances.tf +++ b/enos/modules/aws_boundary/boundary-instances.tf @@ -89,6 +89,11 @@ resource "enos_remote_exec" "update_path_controller" { } } +locals { + audit_log_directory = "/var/log/boundary" + service_user = "boundary" +} + resource "enos_file" "controller_config" { depends_on = [enos_bundle_install.controller] destination = "/etc/boundary/boundary.hcl" @@ -107,6 +112,7 @@ resource "enos_file" "controller_config" { cluster_port = var.listener_cluster_port region = var.aws_region max_page_size = var.max_page_size + audit_log_dir = local.audit_log_directory }) for_each = toset([for idx in range(var.controller_count) : tostring(idx)]) @@ -134,6 +140,26 @@ resource "enos_boundary_init" "controller" { depends_on = [enos_file.controller_config] } +resource "enos_remote_exec" "create_controller_audit_log_dir" { + depends_on = [ + enos_bundle_install.controller, + ] + for_each = toset([for idx in range(var.controller_count) : tostring(idx)]) + + environment = { + LOG_DIR = local.audit_log_directory + SERVICE_USER = local.service_user + } + + scripts = [abspath("${path.module}/scripts/create-audit-log-dir.sh")] + + transport = { + ssh = { + host = aws_instance.controller[tonumber(each.value)].public_ip + } + } +} + resource "enos_boundary_start" "controller_start" { for_each = toset([for idx in range(var.controller_count) : tostring(idx)]) @@ -150,7 +176,8 @@ resource "enos_boundary_start" "controller_start" { depends_on = [ enos_boundary_init.controller, - enos_file.controller_config // required in the case where we restore from a db snapshot, since the init resource will not be created + enos_file.controller_config, // required in the case where we restore from a db snapshot, since the init resource will not be created + enos_remote_exec.create_controller_audit_log_dir ] } @@ -188,7 +215,6 @@ resource "enos_remote_exec" "update_path_worker" { } } - resource "enos_file" "worker_config" { depends_on = [enos_bundle_install.worker] destination = "/etc/boundary/boundary.hcl" @@ -196,11 +222,11 @@ resource "enos_file" "worker_config" { id = each.value kms_key_id = data.aws_kms_key.kms_key.id, controller_ips = jsonencode(aws_instance.controller.*.private_ip), - public_addr = aws_instance.worker.0.public_ip + public_addr = aws_instance.worker[tonumber(each.value)].public_ip region = var.aws_region type = jsonencode(var.worker_type_tags) recording_storage_path = var.recording_storage_path - + audit_log_dir = local.audit_log_directory }) for_each = toset([for idx in range(var.worker_count) : tostring(idx)]) @@ -211,6 +237,26 @@ resource "enos_file" "worker_config" { } } +resource "enos_remote_exec" "create_worker_audit_log_dir" { + depends_on = [ + enos_bundle_install.worker, + ] + for_each = toset([for idx in range(var.worker_count) : tostring(idx)]) + + environment = { + LOG_DIR = local.audit_log_directory + SERVICE_USER = local.service_user + } + + scripts = [abspath("${path.module}/scripts/create-audit-log-dir.sh")] + + transport = { + ssh = { + host = aws_instance.worker[tonumber(each.value)].public_ip + } + } +} + resource "enos_boundary_start" "worker_start" { depends_on = [enos_boundary_start.controller_start, enos_file.worker_config] for_each = toset([for idx in range(var.worker_count) : tostring(idx)]) diff --git a/enos/modules/aws_boundary/scripts/create-audit-log-dir.sh b/enos/modules/aws_boundary/scripts/create-audit-log-dir.sh new file mode 100644 index 00000000000..a2028de1e3b --- /dev/null +++ b/enos/modules/aws_boundary/scripts/create-audit-log-dir.sh @@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +set -eux + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$LOG_DIR" ]] && fail "LOG_DIR env variable has not been set" +[[ -z "$SERVICE_USER" ]] && fail "SERVICE_USER env variable has not been set" + +function retry { + local retries=$1 + shift + local count=0 + + until "$@"; do + exit=$? + wait=10 + count=$((count + 1)) + + if [ "$count" -lt "$retries" ]; then + sleep "$wait" + else + return "$exit" + fi + done + + return 0 +} + +retry 7 id -a "$SERVICE_USER" + +sudo mkdir -p "$LOG_DIR" +sudo chown -R "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR" diff --git a/enos/modules/aws_boundary/templates/controller.hcl b/enos/modules/aws_boundary/templates/controller.hcl index d33c684fe6c..03739b49033 100644 --- a/enos/modules/aws_boundary/templates/controller.hcl +++ b/enos/modules/aws_boundary/templates/controller.hcl @@ -55,3 +55,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +} diff --git a/enos/modules/aws_boundary/templates/controller_bsr.hcl b/enos/modules/aws_boundary/templates/controller_bsr.hcl index 8d860671caf..d18c4eb6e1a 100644 --- a/enos/modules/aws_boundary/templates/controller_bsr.hcl +++ b/enos/modules/aws_boundary/templates/controller_bsr.hcl @@ -61,3 +61,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +} diff --git a/enos/modules/aws_boundary/templates/worker.hcl b/enos/modules/aws_boundary/templates/worker.hcl index fd636a28b29..90e2bc2d88b 100644 --- a/enos/modules/aws_boundary/templates/worker.hcl +++ b/enos/modules/aws_boundary/templates/worker.hcl @@ -29,3 +29,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +} diff --git a/enos/modules/aws_boundary/templates/worker_bsr.hcl b/enos/modules/aws_boundary/templates/worker_bsr.hcl index 4d15ae2ae47..b1446cafb0d 100644 --- a/enos/modules/aws_boundary/templates/worker_bsr.hcl +++ b/enos/modules/aws_boundary/templates/worker_bsr.hcl @@ -31,3 +31,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +} diff --git a/enos/modules/aws_worker/scripts/create-audit-log-dir.sh b/enos/modules/aws_worker/scripts/create-audit-log-dir.sh new file mode 100644 index 00000000000..a2028de1e3b --- /dev/null +++ b/enos/modules/aws_worker/scripts/create-audit-log-dir.sh @@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +set -eux + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$LOG_DIR" ]] && fail "LOG_DIR env variable has not been set" +[[ -z "$SERVICE_USER" ]] && fail "SERVICE_USER env variable has not been set" + +function retry { + local retries=$1 + shift + local count=0 + + until "$@"; do + exit=$? + wait=10 + count=$((count + 1)) + + if [ "$count" -lt "$retries" ]; then + sleep "$wait" + else + return "$exit" + fi + done + + return 0 +} + +retry 7 id -a "$SERVICE_USER" + +sudo mkdir -p "$LOG_DIR" +sudo chown -R "$SERVICE_USER":"$SERVICE_USER" "$LOG_DIR" diff --git a/enos/modules/aws_worker/templates/worker.hcl b/enos/modules/aws_worker/templates/worker.hcl index d18d6b5744d..60445196684 100644 --- a/enos/modules/aws_worker/templates/worker.hcl +++ b/enos/modules/aws_worker/templates/worker.hcl @@ -29,3 +29,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +} diff --git a/enos/modules/aws_worker/templates/worker_bsr.hcl b/enos/modules/aws_worker/templates/worker_bsr.hcl index 9a24c16c7da..6cd749f5d8e 100644 --- a/enos/modules/aws_worker/templates/worker_bsr.hcl +++ b/enos/modules/aws_worker/templates/worker_bsr.hcl @@ -31,3 +31,44 @@ kms "awskms" { region = "${region}" kms_key_id = "${kms_key_id}" } + +events { + audit_enabled = true + observations_enabled = true + sysevents_enabled = true + + sink "stderr" { + name = "all-events" + description = "All events sent to stderr" + event_types = ["*"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + "\"/data/request_info/path\" contains \"/health\"", + ] + } + + sink { + name = "audit-sink" + description = "Audit sent to a file" + event_types = ["audit"] + format = "cloudevents-json" + + deny_filters = [ + "\"/data/request_info/method\" contains \"Status\"", + ] + + file { + path = "${audit_log_dir}" + file_name = "audit.log" + } + + audit_config { + audit_filter_overrides { + secret = "encrypt" + sensitive = "hmac-sha256" + } + } + } +}