Merge pull request #57 from devopshobbies/final-test

Shayan-Ghani · web-flow · commit 8062cc70ad20 · 2024-09-04T18:40:54.000+03:30
BVSTACK End-to-End test
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,5 +35,5 @@ jobs:
       - name: Create Release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
         with:
-          body: ${{ steps.github_release.outputs.changelog }}
+          body: ${{ steps.bump.outputs.changelog }}
           tag_name: ${{ steps.bump.outputs.new_tag }}
diff --git a/.gitignore b/.gitignore
@@ -51,4 +51,6 @@ to-research
 *VBox*.log
 **/bin/boundary**
 **test-play**
-virtualenv
+virtualenv
+
+**boundary*creds*.txt
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ This project provides a comprehensive, hands-on experience in Infrastructure as
     # Run in development:
     ./start.sh -e development
     ```
-
+> you'll be prompted to choose which NIC you want to bridge to by Vagrant.
 
 4. **Enter Vault Password**: You will be prompted to enter the Vault password four times to decrypt Ansible Vault-encrypted files (e.g., `inventory.ini`) unless the related [issue](https://github.com/devopshobbies/boundary-vault-stack/issues/24) is resolved.
 
diff --git a/ansible/handlers/container_healthcheck.yml b/ansible/handlers/container_healthcheck.yml
@@ -10,8 +10,21 @@
     - "{{ INFO.results }}"
   loop_control:
     label: "{{ item.container.Name | default('Unknown Container', true ) }}"
-  when: item.container.State.Running and item.container.State.Restarting != true
+  when: 
+    - item is defined
+    - item.container.State.Running | bool 
+    - item.container.State.Restarting != true
 
+- name: handle errors if occurred  
+  include_tasks: "{{handlers}}/fail_task.yml"
+  vars:
+    message: "Container {{ item.container.Name }} is NOT healthy"
+  with_items :
+    - "{{ INFO.results }}"
+  loop_control:
+    label: "ID : {{ item.container.Id | default('Unknown Container ID', true ) }} , NAME: {{ item.container.Name | default('Unknown Container ID', true ) }}"
+  when : 
+    - item is not defined or item.container.State.Running != true
 
 - name: handle errors if container not healthy 
   include_tasks: "{{handlers}}/service_healthcheck.yml"
@@ -20,7 +33,10 @@
     PATH: "{{ service_path }}"
   with_items :
     - "{{ INFO.results }}"
-  when: item.exists != true and item.container.Name != '/vault'
+  when: 
+   - item is defined
+   - item.exists != true
+   - item.container.Name != '/vault'
 
 - name: fetch the logfile for the unhealthy container(s)
   # become: true
@@ -35,12 +51,3 @@
     label: "{{ item.container.LogPath | default('Unknown Container', true )  }}" 
   when: item.container.State.Running != true
 
-- name: handle errors if occurred  
-  include_tasks: "{{handlers}}/fail_task.yml"
-  vars:
-    message: "Container {{ item.container.Name }} is NOT healthy"
-  with_items :
-    - "{{ INFO.results }}"
-  loop_control:
-    label: "ID : {{ item.container.Id | default('Unknown Container ID', true ) }} , NAME: {{ item.container.Name | default('Unknown Container ID', true ) }}"
-  when : item.container.State.Running != true
diff --git a/ansible/handlers/fail_task.yml b/ansible/handlers/fail_task.yml
@@ -1,4 +1,4 @@
 - name: Fail if a task failed
   fail:
     msg: "{{ output.stderr | default(output.stdout, true) | default(message, true) }}"
-  when: output.rc|default(1) != 0
+  when: output.rc != 0
diff --git a/ansible/host_vars/localhost b/ansible/host_vars/localhost
@@ -6,6 +6,7 @@ vault_addr: "127.0.0.1:8200"
 boundary_addr: "127.0.0.1:9200"
 handlers: "{{ playbook_dir }}/handlers"
 log_dir: "{{ playbook_dir | dirname }}/logs"
+secret_dir : "{{stack_dir}}/secrets"
 
 # environment variables
 STACK_ENV: "{{ lookup('env', 'STACK_ENV') }}"
diff --git a/ansible/roles/boundary/defaults/main.yml b/ansible/roles/boundary/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 STACK_INIT: true
 STACK_ENV: development
+SSH_INJECTION: false
diff --git a/artifacts/wiki/index.html b/artifacts/wiki/index.html
@@ -29,7 +29,7 @@
             <ul>
                 <li><a href="#getting-started">Getting Started</a></li>
                 <li><a href="#about-hashicorp-vault-and-boundary">About Hashicorp Vault and Boundary</a></li>
-                <li><a href="#workflows">Workflows</a>
+                <li><a href="#workflow">Workflow</a>
                     <ul>
                         <li><a href="#vault">Vault</a></li>
                         <li><a href="#boundary">Boundary</a></li>
@@ -84,12 +84,37 @@ <h2 id="about-hashicorp-vault-and-boundary" class="section-header">About Hashico
             </div>
 
             <div class="workflows section">
-                <h2 id="workflows" class="section-header">Workflows</h2>
+                <h2 id="workflow" class="section-header">Workflow</h2>
+                <p>After the environment is prepared, Ansible deploys Vault using Docker Compose. The Vault server is
+                    first initialized by the <span class="bold">vault-init</span> service, which runs the `init.sh`
+                    script and calls the `init_vault_setup` function. This process unseals Vault, creates the necessary
+                    secret engines, policies, tokens, and other basic configurations. Once the deployment is complete, the
+                    <span class="bold">Transit-token</span> and <span class="bold">secrets.txt</span> file, containing
+                    all the essential tokens and keys, are generated and stored in the `secrets/secrets.txt` file on the
+                    controller machine.
+
+                    Next, the Terraform role is applied to configure Vault, utilizing the generated tokens and
+                    variables. Following this, the deployment shifts focus to Boundary. To enable Boundary to use
+                    Vault's Transit Engine for Encryption as a Service (EaaS), the Transit token (already stored in
+                    `secrets.txt`) is passed to the Boundary role. Once the Boundary database (PostgreSQL) is up and
+                    running, it is initialized using the <span class="bold">db-init</span> service. Finally, Boundary is
+                    deployed with the initial credentials saved in <span
+                        class="bold">secrets/boundary-init-creds.txt</span>. Terraform resources are then applied using
+                    the <span class="bold">Vault Transit recovery key</span> and <span class="bold">Transit
+                        token</span>.
+
+                    To use the stack, you need to install the Boundary and Vault clients (ensure the server and client
+                    versions match). Once installed, you can start using BVSTACK.
+
+                    You can checkout the boundary UI at <span class="bold"><a href="http://192.168.1.15:9200">http://192.168.1.15:9200</a> </span> and Vault at  <span class="bold"><a href="http://192.168.1.15:8200">http://192.168.1.15:8200</a> .</span>
+
+                </p>
+
                 <h3 id="vault" class="section-header">Vault</h3>
                 <p>Vault workflow involves setting up authentication methods, secret engines, and policies. The key
                     components of Vault server setup include:</p>
                 <img src="./vault.png" alt="vault diagram">
-          
+
                 <h3 id="boundary" class="section-header">Boundary</h3>
                 <p>Boundary workflow involves managing sessions, targets, and credentials. The key
                     components of Boundary server setup include:
@@ -137,7 +162,9 @@ <h4>SSH_INJECTION (optional)</h4>
                 <p class="default">default : false</p>
 
                 <h4>STACK_SERVER (optional)</h4>
-                <p>If set to false, vagrant and virtualbox won't be used to spin up BVSTACK. Instead you must create both Controller, BVSTACK and Client machines <span class="bold">manually</span> using your prefered method; ensure to address them in the inventory file accordingly.</p>
+                <p>If set to false, vagrant and virtualbox won't be used to spin up BVSTACK. Instead you must create
+                    both Controller, BVSTACK and Client machines <span class="bold">manually</span> using your prefered
+                    method; ensure to address them in the inventory file accordingly.</p>
                 <ul class="options">
                     <li>true</li>
                     <li>false</li>
@@ -276,6 +303,11 @@ <h3>Exit Code 4: Arguments and Options are Invalid.</h3>
                 <h2 id="bear-in-mind">Bear In Mind</h2>
                 <p>Keep the following in mind when working with the Boundary-Vault stack:</p>
                 <ul>
+                    <li>Since Boundary Terraform uses Vault recovery transit key you must export the transit-token as
+                        VAULT_TOKEN
+                        <span class="bold">(secrets/secrets.txt)</span> before planning/applying the code. Otherwise,
+                        you should use auth-method credentials to communicate with the boundary api.
+                    </li>
                     <li>If you have issues with DockerHub make sure you change the image registry in deployments and
                         `prepare_env` role.</li>
                     <li>If the target node(s) get restarted, the <span class="bold">vault</span> gets sealed and <span
diff --git a/boundary/config/boundary.hcl b/boundary/config/boundary.hcl
@@ -20,7 +20,7 @@ worker {
     type   = ["prod", "servers"]
   }
 
-  public_addr = "127.0.0.1"
+  public_addr = "192.168.1.15"
 }
 
 listener "tcp" {
diff --git a/boundary/terraform/main.tf b/boundary/terraform/main.tf
@@ -9,6 +9,7 @@ data "boundary_user" "global_scope_admin" {
 #----------
 
 resource "boundary_scope" "global" {
+  name = "Global"
   global_scope = true
   description  = "highest-level Scope for administrators"
   scope_id     = "global"
diff --git a/boundary/terraform/output.tf b/boundary/terraform/output.tf
@@ -14,7 +14,7 @@ output "target_id" {
 }
 
 output "scope_id" {
-  value       = "the scope id for admins: ${boundary_scope.global.scope_id}"
+  value       = "the scope id for admins: ${boundary_scope.corp.scope_id}"
   description = "show the id of ssh private key"
 }
 
diff --git a/boundary/terraform/terraform.tf b/boundary/terraform/terraform.tf
@@ -5,7 +5,7 @@
 
 terraform {
   required_providers {
-    vault = {
+    boundary = {
       source  = "hashicorp/boundary"
       version = "1.1.15"
     }
diff --git a/boundary/terraform/terraform.tfvars.sample b/boundary/terraform/terraform.tfvars.sample
@@ -2,9 +2,9 @@
 
 hosts_info = [ {
  name = "development",
- ip = "192.168.1.15",
+ ip = "192.168.1.16",
  ssh_user = "vagrant",
- ssh_port = "2222"
+ ssh_port = "22"
   ssh_key_path = "~/.ssh/id_rsa",
  ssh_key_name = "dev_priv_key"
   }
@@ -37,7 +37,7 @@ test_server_name = "testing"
 test_ssh_port = 22
 
 # provider variables
-boundary_address = "https://boundary.dvh.tech"
+boundary_address = "http://192.168.1.15:9200"
 
 auth_method_id = "auth_method_id"
 login_name     = "userpassName"
@@ -81,4 +81,4 @@ session_recording_read_list = "id=*;type=session-recording;actions=list,read"
 # vault cred store
 vault_sign_path = "ssh-signer/issue/boundary-client"
 vault_username  = "admin"
-vault_address   = "http://vault:8200"
+vault_address   = "http://192.168.1.15:8200"
diff --git a/boundary/terraform/variables.tf b/boundary/terraform/variables.tf
@@ -73,7 +73,7 @@ variable "main_cred_store_name" {
 variable "SSH_INJECTION" {
   type = bool
   default = false
-  description = "wehter to use ssh credential library"
+  description = "whehter to use ssh credential library"
 }
 
 variable "test_ssh_port" {
diff --git a/deploy/boundary.yml b/deploy/boundary.yml
@@ -25,7 +25,6 @@ services:
     command: ["database", "init", "-config", "/boundary/boundary.hcl"]
     volumes:
       - "../boundary/config/:/boundary"
-      # - "/etc/letsencrypt/live/${BOUNDARY_DOMAIN}/:/etc/boundary.d/tls"
     environment:
       - BOUNDARY_PG_URL=postgresql://postgres:RP5YgRtK7WQEIdR@boundary_db/boundary?sslmode=disable
       - WHOST=127.0.0.1
@@ -47,10 +46,11 @@ services:
     restart: always
     volumes:
       - "../boundary/config/:/boundary/"
+      - "/srv/boundary/logs/:/var/log/boundary/"
     ports:
       - "9200:9200"
+      - "9202:9202" # worker
     #   - "9201:9201"
-    #   - "9202:9202"
     environment:
       - BOUNDARY_PG_URL=postgresql://postgres:RP5YgRtK7WQEIdR@boundary_db/boundary?sslmode=disable
       - HOSTNAME=boundary
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
@@ -21,7 +21,6 @@ function inject_ssh_cred(){
 
 function delete_token(){
     sed -i '/^transit_token/d' $var_file
-    return 0
 }
 
 if [[ $1 == "-d" ]]; then
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-source "${STACK_DIR}/linter.sh"
+source "${STACK_DIR}/scripts/linter.sh"
 
 export COMPOSE_DIR="${STACK_DIR}/deploy"
 
diff --git a/scripts/init.sh b/scripts/init.sh
@@ -1,6 +1,6 @@
 # !/bin/env bash
 
-set -e
+set -e -o pipefail
 
 function usage() {
     cat <<EOF
@@ -61,9 +61,14 @@ function init_boundary_iac(){
   token=$(cat $secret_file | grep "transit-token" | awk '{print $2}')
   export VAULT_TOKEN="$token"
   export BOUNDARY_ADDR="$BOUNDARY_ADDR"
-  export TF_VAR_SSH_INJECTION=$SSH_INJECTION
-  terraform apply --auto-approve 2>&1 | sed -r "s/\x1B\[[0-9;]*[mGKH]//g" > "${HOME_DIR}/logs/terraform/boundary-logs.txt"
-  return 0
+  # ssh_injection=$(echo "$SSH_INJECTION" | tr '[:upper:]' '[:lower:]')
+  # export TF_VAR_SSH_INJECTION=$ssh_injection
+
+  log_path="${HOME_DIR}/logs/terraform/boundary-logs.txt"
+  if ! terraform plan &> /dev/null; then
+    echo -e "Terraform Plan failed for Vault, check the logs at $log_path \n\n" >&2
+  fi
+  terraform apply --auto-approve 2>&1 | sed -r "s/\x1B\[[0-9;]*[mGKH]//g" > $log_path
 }
 
 function init_vault_iac(){
@@ -76,7 +81,11 @@ function init_vault_iac(){
   root_token="$(cat $secret_file | head -n1 | awk '{print $8}')"
   export VAULT_TOKEN="$root_token"
   
-  terraform apply --auto-approve 2>&1 | sed -r "s/\x1B\[[0-9;]*[mGKH]//g" > "${HOME_DIR}/logs/terraform/vault-logs.txt";
+  log_path="${HOME_DIR}/logs/terraform/vault-logs.txt"
+  if ! terraform plan &> /dev/null ;then
+    echo -e "Terraform Plan failed for Vault, check the logs at $log_path \n\n" >&2
+  fi
+  terraform apply --auto-approve 2>&1 | sed -r "s/\x1B\[[0-9;]*[mGKH]//g" > $log_path
 }
 
 ## vault init container to setup vault and get killed right after.
diff --git a/vagrantfile b/vagrantfile
@@ -5,17 +5,17 @@ Vagrant.configure("2") do |config|
   config.vm.box = "ubuntu/focal64" # or another box of your choice
 
   # Set the name of the VM
-  config.vm.define "BVSTACK" do |node|
-    node.vm.hostname = "BVSTACK"
+  config.vm.define "bvstack" do |node|
+    node.vm.host_name = "bvstack"
 
     # Network configuration: Bridge
     node.vm.network "public_network", ip: "192.168.1.15"
 
     # Resources: CPU and RAM
     node.vm.provider "virtualbox" do |vb|
-      vb.name = "BVSTACK"
-      vb.memory = 2048
-      vb.cpus = 1
+      vb.name = "bvstack"
+      vb.memory = 4096
+      vb.cpus = 2
     end
   end
   
diff --git a/vault/terraform/terraform.tfvars.sample b/vault/terraform/terraform.tfvars.sample
@@ -3,11 +3,19 @@ transit_keynames = ["root-boundary", "worker-auth-boundary", "recovery-boundary"
 login_creds = {
   "admin" = "administrator"
 }
+
+transit_admins = {
+  "admin" = "administrator"
+}
+
 policies = {
   "admins"              = "policies/admin-policy.hcl",
-  "boundary-transit"         = "policies/boundary-transit.hcl",
-  "transit-admin" = "policies/transit-admin.hcl"
+  "boundary-transit"    = "policies/boundary-transit.hcl",
+  "transit-admin"       = "policies/transit-admin.hcl"
   "ssh"                 = "policies/ssh.hcl",
   "boundary-controller" = "policies/boundary-controller.hcl",
-  "testapp" = "policies/testapp.hcl"
+  "testapp"             = "policies/testapp.hcl"
 }
+
+cipher_path    = "/kv/apps"
+cipher_kv_name = "testapp"

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ worker {`
`20`	`20`	`type = ["prod", "servers"]`
`21`	`21`	`}`
`22`	`22`
`23`		`- public_addr = "127.0.0.1"`
	`23`	`+ public_addr = "192.168.1.15"`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`listener "tcp" {`