From ed0fbb9a17672335bfb8fc63bfc9675ef4ab1cdb Mon Sep 17 00:00:00 2001 From: Johan Brandhorst-Satzkorn Date: Fri, 14 Feb 2025 20:40:04 +0000 Subject: [PATCH] backport of commit fbc039ae1cd0c085f6494a40a743b1d54959e12d --- .github/workflows/build.yml | 20 +++++----- .github/workflows/enos-run.yml | 12 +++--- .github/workflows/fuzz.yml | 4 +- .github/workflows/linting.yml | 2 +- .github/workflows/make-gen-delta.yml | 2 +- .github/workflows/security-scan.yml | 4 +- .github/workflows/test-cli-ui_oss.yml | 2 +- .github/workflows/test-race.yml | 6 +-- .github/workflows/test.yml | 6 +-- .release/security-scan.hcl | 21 ++++++++++ CHANGELOG.md | 40 ------------------- CODEOWNERS | 13 +----- enos/README.md | 10 ----- .../enos-scenario-e2e-aws-base-with-vault.hcl | 4 +- ...os-scenario-e2e-docker-base-with-vault.hcl | 4 +- ...s-scenario-e2e-docker-base-with-worker.hcl | 4 +- ...ker-worker-registration-controller-led.hcl | 4 +- ...-docker-worker-registration-worker-led.hcl | 4 +- enos/enos-scenario-e2e-ui-aws.hcl | 4 +- enos/enos-scenario-e2e-ui-docker.hcl | 4 +- enos/modules/aws_vault/outputs.tf | 7 +++- enos/modules/docker_vault/main.tf | 4 +- enos/modules/test_e2e/main.tf | 21 ++++------ enos/modules/test_e2e_docker/main.tf | 16 ++++---- enos/modules/test_e2e_docker/test_runner.sh | 3 +- enos/modules/test_e2e_ui/main.tf | 14 ++++--- go.mod | 4 +- internal/cmd/commands/database/funcs.go | 2 - internal/db/schema/migrations/oss/testing.go | 1 - internal/db/schema/schema.go | 1 - internal/gen/controller.swagger.json | 2 +- internal/oplog/testing.go | 1 - .../e2e/tests/base_with_vault/env_test.go | 7 ++-- .../e2e/tests/base_with_worker/env_test.go | 5 ++- version/VERSION | 2 +- .../docs/concepts/host-discovery/aws.mdx | 28 +++---------- 36 files changed, 118 insertions(+), 170 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b64a65c4fc..95e5103378 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -48,7 +48,7 @@ jobs:
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 cache: false
@@ -108,7 +108,7 @@ jobs:
 repository: boundary
 version: ${{ needs.set-product-version.outputs.product-version }}
 product: ${{ env.PKG_NAME }}
- - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: metadata.json
 path: ${{ steps.generate-metadata-file.outputs.filepath }}
@@ -139,7 +139,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: ${{ matrix.go }}
 cache: false
@@ -163,7 +163,7 @@ jobs:
 id: set-sha
 run: echo "sha=$(head -n1 internal/ui/VERSION | cut -d ' ' -f1)" >> "$GITHUB_OUTPUT"
 - name: Download UI artifact
- uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+ uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
 with:
 workflow: build-admin-ui.yaml
 commit: ${{ steps.set-sha.outputs.sha }}
@@ -209,7 +209,7 @@ jobs:
 - name: Set up Git
 run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: ${{ matrix.go }}
 cache: false
@@ -231,7 +231,7 @@ jobs:
 id: set-sha
 run: echo "sha=$(head -n1 internal/ui/VERSION | cut -d ' ' -f1)" >> "$GITHUB_OUTPUT"
 - name: Download UI artifact
- uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+ uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
 with:
 workflow: build-admin-ui.yaml
 commit: ${{ steps.set-sha.outputs.sha }}
@@ -279,12 +279,12 @@ jobs:
 echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
 echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
 - name: Upload RPM package
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ env.RPM_PACKAGE }}
 path: out/${{ env.RPM_PACKAGE }}
 - name: Upload DEB package
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ env.DEB_PACKAGE }}
 path: out/${{ env.DEB_PACKAGE }}
@@ -309,7 +309,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: ${{ matrix.go }}
 cache: false
@@ -331,7 +331,7 @@ jobs:
 id: set-sha
 run: echo "sha=$(head -n1 internal/ui/VERSION | cut -d ' ' -f1)" >> "$GITHUB_OUTPUT"
 - name: Download UI artifact
- uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+ uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
 with:
 workflow: build-admin-ui.yaml
 commit: ${{ steps.set-sha.outputs.sha }}
diff --git a/.github/workflows/enos-run.yml b/.github/workflows/enos-run.yml
index f7639a9349..b042c88190 100644
--- a/.github/workflows/enos-run.yml
+++ b/.github/workflows/enos-run.yml
@@ -38,7 +38,7 @@ jobs:
 with:
 fetch-depth: '0'
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: ${{ inputs.go-version }}
 cache: false
@@ -110,7 +110,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: ${{ inputs.go-version }}
 cache: false
@@ -234,7 +234,7 @@ jobs:
 run: |
 mv ${{ steps.download-docker.outputs.download-path }}/*.tar enos/support/boundary_docker_image.tar
 - name: Set up Node.js
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 if: contains(matrix.filter, 'e2e_ui')
 with:
 node-version: '16.x'
@@ -282,7 +282,7 @@ jobs:
 SCENARIO=$(echo "${{ matrix.filter }}" | cut -d' ' -f1,3 | sed 's/:/_/g')
 echo fragment="${SCENARIO}" >> "$GITHUB_OUTPUT"
 - name: Upload e2e tests output
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-${{ steps.split.outputs.fragment }}
 path: enos/*.log
@@ -295,7 +295,7 @@ jobs:
 docker logs database
 - name: Upload e2e UI tests debug info
 if: contains(matrix.filter, 'e2e_ui') && steps.run.outcome == 'failure'
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-e2e-ui-debug
 path: enos/support/src/boundary-ui/ui/admin/tests/e2e/artifacts/test-failures
@@ -308,7 +308,7 @@ jobs:
 enos scenario launch --timeout 60m0s --chdir ./enos ${{ matrix.filter }}
 - name: Upload Debug Data
 if: ${{ always() && steps.run_retry.outcome == 'failure' }}
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 # The name of the artifact is the same as the matrix scenario name with the spaces replaced with underscores and colons replaced by equals.
 name: ${{ steps.prepare_scenario.outputs.debug_data_artifact_name }}
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 743a0e6217..d78287e8fa 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -42,14 +42,14 @@ jobs:
 run: |
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
- - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 - shell: bash
 run: go test ./internal/perms -fuzz=FuzzParse -fuzztime=30s
 - name: Upload fuzz failure seed corpus as run artifact
 if: failure()
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: fuzz-corpus
 path: ./internal/perms/testdata/fuzz
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index c7a0fe7468..2accb79d60 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 - name: Install Dependencies
diff --git a/.github/workflows/make-gen-delta.yml b/.github/workflows/make-gen-delta.yml
index 9f0eed44b4..9ab0d99daf 100644
--- a/.github/workflows/make-gen-delta.yml
+++ b/.github/workflows/make-gen-delta.yml
@@ -23,7 +23,7 @@ jobs:
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 - name: Running go mod tidy
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 999a92f83d..e5d7806711 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -28,7 +28,7 @@ jobs:
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 cache: false
@@ -79,7 +79,7 @@ jobs:
 repository: "$PWD"
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # codeql-bundle-v2.20.3
+ uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # codeql-bundle-v2.20.0
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/test-cli-ui_oss.yml b/.github/workflows/test-cli-ui_oss.yml
index bba9a2dad5..93c651bca3 100644
--- a/.github/workflows/test-cli-ui_oss.yml
+++ b/.github/workflows/test-cli-ui_oss.yml
@@ -36,7 +36,7 @@ jobs:
 path: /tmp/bats-cli-ui-deps
 key: enos-bats-cli-ui-deps-jq-1.6-password-store-1.7.4-vault-1.12.2
 - name: Set up Node for Bats install
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: 16
 - name: Install Bats via NPM
diff --git a/.github/workflows/test-race.yml b/.github/workflows/test-race.yml
index 12d47c29bb..a31c78962f 100644
--- a/.github/workflows/test-race.yml
+++ b/.github/workflows/test-race.yml
@@ -36,7 +36,7 @@ jobs:
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 cache: false
@@ -95,7 +95,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ needs.setup.outputs.go-version }}"
 cache: false
@@ -127,7 +127,7 @@ jobs:
 ulimit -Ha
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ needs.setup.outputs.go-version }}"
 cache: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index cdc39c8506..f2dc8563e0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -36,7 +36,7 @@ jobs:
 echo "Building with Go $(cat .go-version)"
 echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 - name: Set up Go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ steps.get-go-version.outputs.go-version }}"
 cache: false
@@ -95,7 +95,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ needs.setup.outputs.go-version }}"
 cache: false
@@ -127,7 +127,7 @@ jobs:
 ulimit -Ha
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up go
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
 go-version: "${{ needs.setup.outputs.go-version }}"
 cache: false
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index da2c1a239d..db033ac545 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -5,6 +5,16 @@ container {
 dependencies = true
 alpine_secdb = true
 secrets = false
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ vulnerabilities = [
+ "CVE-2024-13176", # openssl@3.3.2-r4
+ ]
+ }
+ }
 }
 binary {
@@ -13,4 +23,15 @@ binary {
 osv = true
 oss_index = true
 nvd = true
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ vulnerabilities = [
+ "GO-2025-3408", # yamux@v0.1.1
+ "GHSA-29qp-crvh-w22m", # yamux@v0.1.1
+ ]
+ }
+ }
 }
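Review bot: Each suppressed finding in the two new `triage { suppress { vulnerabilities = [...] } }` blocks is annotated only with the affected package (`# openssl@3.3.2-r4`, `# yamux@v0.1.1`), not with why the finding is safe to ignore for this artifact, so the periodic clean-up the comment asks for has nothing to check against. Give each entry a reason and a triage date, e.g. `"CVE-2024-13176", # openssl@3.3.2-r4 — <why the finding does not apply here>; triaged <YYYY-MM-DD>`. Noting what would retire each entry (presumably the dependency bump that fixes it) keeps the suppression from outliving the condition it was written for.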
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3a4d8a43e..4238e254d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,49 +62,9 @@ maintainability of worker queries, and improve DB performance. ([PR](https://git * Go Cryptography dependency update to address CVE-2024-45337 ([PR](https://github.com/hashicorp/boundary/pull/5354)). -## 0.18.3 (2025/02/10) (Enterprise only) -### Bug fixes - -* Fix bug where database transactions were not using the correct reader & writer functions - and context. - ([PR](https://github.com/hashicorp/boundary/pull/5522)). -* Remove unnecessary subquery from alias refresh - ([PR](https://github.com/hashicorp/boundary/pull/5481)). - -### Security - -* Go Networking dependency update to address CVE-2024-45338 and GO-2024-3333 - ([PR])(https://github.com/hashicorp/boundary/pull/5406). -* Go Cryptography dependency update to address CVE-2024-45337 - ([PR](https://github.com/hashicorp/boundary/pull/5365)). - -## 0.17.4 (2025/02/10) (Enterprise only) -### Bug fixes - -* Fix bug where database transactions were not using the correct reader & writer functions - and context. - ([PR](https://github.com/hashicorp/boundary/pull/5522)). -* Remove unnecessary subquery from alias refresh - ([PR](https://github.com/hashicorp/boundary/pull/5481)). - -### Security - -* Go Networking dependency update to address CVE-2024-45338 and GO-2024-3333 - ([PR])(https://github.com/hashicorp/boundary/pull/5528). -* Go Cryptography dependency update to address CVE-2024-45337 - ([PR](https://github.com/hashicorp/boundary/pull/5366)). - ## 0.18.2 (2024/12/12) ### Bug fixes -* Fixed an issue where session recordings would fail when large numbers of - sessions were created around the same time. ([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/55)) -* Fixed an issue where the controller would incorrectly handle HTTP requests - and stop prematurely. ([PR](https://github.com/hashicorp/boundary/pull/5304)) - -## 0.17.3 (2024/12/12) -### Bug fixes - * Fixed an issue where session recordings would fail when large numbers of sessions were created around the same time. 
([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/55)) * Fixed an issue where the controller would incorrectly handle HTTP requests diff --git a/CODEOWNERS b/CODEOWNERS index c307950dda..2520668fd3 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,15 +2,6 @@ # the repo, unless a later match takes precedence. * @hashicorp/boundary -# engineering and web presence get notified of, and can approve changes to, web tooling, but not content. +# web presence and education -/website/ @hashicorp/web-presence @hashicorp/boundary -/website/data/ -/website/public/ -/website/content/ - -# education and engineering get notified of, and can approve changes to web content. - -/website/data/ @hashicorp/boundary-education-approvers @hashicorp/boundary -/website/public/ @hashicorp/boundary-education-approvers @hashicorp/boundary -/website/content/ @hashicorp/boundary-education-approvers @hashicorp/boundary +/website/ @hashicorp/boundary-education-approvers @hashicorp/web-presence @hashicorp/boundary \ No newline at end of file diff --git a/enos/README.md b/enos/README.md index 7511d97695..476e651ddf 100644 --- a/enos/README.md +++ b/enos/README.md @@ -57,16 +57,6 @@ See [enos.vars.hcl](./enos.vars.hcl) for complete descriptions of each variable. You can either modify `enos.vars.hcl` directly or create your own copy at `enos-local.vars.hcl` which gets ignored by git. -### System File Modifications - -For docker-based scenarios, you will need to modify `/etc/hosts` to include the -following lines -``` -127.0.0.1 localhost boundary -127.0.0.1 localhost worker -127.0.0.1 localhost vault -``` - ## Executing Scenarios From the `enos` directory: diff --git a/enos/enos-scenario-e2e-aws-base-with-vault.hcl b/enos/enos-scenario-e2e-aws-base-with-vault.hcl index b352f5885a..8a912a9387 100644 --- a/enos/enos-scenario-e2e-aws-base-with-vault.hcl +++ b/enos/enos-scenario-e2e-aws-base-with-vault.hcl 
@@ -159,8 +159,8 @@ scenario "e2e_aws_base_with_vault" {
 target_address = step.create_target.target_private_ips[0]
 target_user = "ubuntu"
 target_port = "22"
- vault_addr = step.create_vault_cluster.instance_addresses[0]
- vault_addr_internal = step.create_vault_cluster.instance_addresses[0]
+ vault_addr_public = step.create_vault_cluster.instance_addresses[0]
+ vault_addr_private = step.create_vault_cluster.instance_addresses[0]
 vault_root_token = step.create_vault_cluster.vault_root_token
 aws_region = var.aws_region
 max_page_size = step.create_boundary_cluster.max_page_size
diff --git a/enos/enos-scenario-e2e-docker-base-with-vault.hcl b/enos/enos-scenario-e2e-docker-base-with-vault.hcl
index 4e14211a20..637e068751 100644
--- a/enos/enos-scenario-e2e-docker-base-with-vault.hcl
+++ b/enos/enos-scenario-e2e-docker-base-with-vault.hcl
@@ -136,8 +136,8 @@ scenario "e2e_docker_base_with_vault" {
 target_address = step.create_host.address
 target_port = step.create_host.port
 target_user = "ubuntu"
- vault_addr = step.create_vault.address
- vault_addr_internal = step.create_vault.address_internal
+ vault_addr_public = step.create_vault.address_public
+ vault_addr_private = step.create_vault.address_private
 vault_root_token = step.create_vault.token
 vault_port = step.create_vault.port
 max_page_size = step.create_boundary.max_page_size
diff --git a/enos/enos-scenario-e2e-docker-base-with-worker.hcl b/enos/enos-scenario-e2e-docker-base-with-worker.hcl
index bf75db9528..d4ccd13a33 100644
--- a/enos/enos-scenario-e2e-docker-base-with-worker.hcl
+++ b/enos/enos-scenario-e2e-docker-base-with-worker.hcl
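Review bot: `vault_addr_private` is set to `step.create_vault_cluster.instance_addresses[0]`, the same public address as `vault_addr_public`, whereas `enos/enos-scenario-e2e-ui-aws.hcl` in this patch wires the same input to the new `instance_addresses_private[0]` output. If the private side is meant to carry the VPC-internal URL here too, the line should read `vault_addr_private = step.create_vault_cluster.instance_addresses_private[0]`; if reusing the public address is deliberate for this scenario, a one-line comment saying why would stop the next reader from changing it. The `step` block this sits in starts and ends outside the hunk.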
@@ -177,8 +177,8 @@ scenario "e2e_docker_base_with_worker" {
 target_address = step.create_host.address
 target_port = step.create_host.port
 target_user = "ubuntu"
- vault_addr = step.create_vault.address
- vault_addr_internal = step.create_vault.address_internal
+ vault_addr_public = step.create_vault.address_public
+ vault_addr_private = step.create_vault.address_private
 vault_root_token = step.create_vault.token
 vault_port = step.create_vault.port
 worker_tag_egress = local.egress_tag
diff --git a/enos/enos-scenario-e2e-docker-worker-registration-controller-led.hcl b/enos/enos-scenario-e2e-docker-worker-registration-controller-led.hcl
index 36e108bcd9..bf437060d0 100644
--- a/enos/enos-scenario-e2e-docker-worker-registration-controller-led.hcl
+++ b/enos/enos-scenario-e2e-docker-worker-registration-controller-led.hcl
@@ -192,8 +192,8 @@ scenario "e2e_docker_worker_registration_controller_led" {
 target_address = step.create_host.address
 target_port = step.create_host.port
 target_user = "ubuntu"
- vault_addr = step.create_vault.address
- vault_addr_internal = step.create_vault.address_internal
+ vault_addr_public = step.create_vault.address_public
+ vault_addr_private = step.create_vault.address_private
 vault_root_token = step.create_vault.token
 vault_port = step.create_vault.port
 worker_tag_egress = local.egress_tag
diff --git a/enos/enos-scenario-e2e-docker-worker-registration-worker-led.hcl b/enos/enos-scenario-e2e-docker-worker-registration-worker-led.hcl
index a896848a13..bfe13004d9 100644
--- a/enos/enos-scenario-e2e-docker-worker-registration-worker-led.hcl
+++ b/enos/enos-scenario-e2e-docker-worker-registration-worker-led.hcl
@@ -207,8 +207,8 @@ scenario "e2e_docker_worker_registration_worker_led" {
 target_address = step.create_host.address
 target_port = step.create_host.port
 target_user = "ubuntu"
- vault_addr = step.create_vault.address
- vault_addr_internal = step.create_vault.address_internal
+ vault_addr_public = step.create_vault.address_public
+ vault_addr_private = step.create_vault.address_private
 vault_root_token = step.create_vault.token
 vault_port = step.create_vault.port
 worker_tag_egress = local.egress_tag
diff --git a/enos/enos-scenario-e2e-ui-aws.hcl b/enos/enos-scenario-e2e-ui-aws.hcl
index 4c6142edbb..af089748d1 100644
--- a/enos/enos-scenario-e2e-ui-aws.hcl
+++ b/enos/enos-scenario-e2e-ui-aws.hcl
@@ -201,8 +201,8 @@ scenario "e2e_ui_aws" {
 target_address = step.create_targets_with_tag.target_private_ips[0]
 target_user = "ubuntu"
 target_port = "22"
- vault_addr = step.create_vault_cluster.instance_addresses[0]
- vault_addr_internal = step.create_vault_cluster.instance_addresses[0]
+ vault_addr_public = step.create_vault_cluster.instance_addresses[0]
+ vault_addr_private = step.create_vault_cluster.instance_addresses_private[0]
 vault_root_token = step.create_vault_cluster.vault_root_token
 aws_access_key_id = step.iam_setup.access_key_id
 aws_secret_access_key = step.iam_setup.secret_access_key
diff --git a/enos/enos-scenario-e2e-ui-docker.hcl b/enos/enos-scenario-e2e-ui-docker.hcl
index 080f5e3dc3..290c90f03b 100644
--- a/enos/enos-scenario-e2e-ui-docker.hcl
+++ b/enos/enos-scenario-e2e-ui-docker.hcl
@@ -168,8 +168,8 @@ scenario "e2e_ui_docker" {
 target_user = "ubuntu"
 target_ca_key = step.create_host.ca_key_private
 target_ca_key_public = step.create_host.ca_key_public
- vault_addr = step.create_vault.address
- vault_addr_internal = step.create_vault.address_internal
+ vault_addr_public = step.create_vault.address_public
+ vault_addr_private = step.create_vault.address_private
 vault_root_token = step.create_vault.token
 vault_port = step.create_vault.port
 ldap_address = step.create_ldap_server.address
diff --git a/enos/modules/aws_vault/outputs.tf b/enos/modules/aws_vault/outputs.tf
index fb04f22412..1947ab1073 100644
--- a/enos/modules/aws_vault/outputs.tf
+++ b/enos/modules/aws_vault/outputs.tf
@@ -18,7 +18,12 @@ output "instance_private_ips" {
 output "instance_addresses" {
 description = "Addresses of Vault instances"
- value = [for instance in aws_instance.vault_instance : "http://${instance.public_ip}:8200"]
+ value = var.ip_version == "4" ? [for instance in aws_instance.vault_instance : "http://${instance.public_ip}:8200"] : flatten([for instance in aws_instance.vault_instance : instance.ipv6_addresses])
+}
+
+output "instance_addresses_private" {
+ description = "Private addresses of Vault instances"
+ value = [for instance in aws_instance.vault_instance : "http://${instance.private_ip}:8200"]
 }
 output "key_id" {
diff --git a/enos/modules/docker_vault/main.tf b/enos/modules/docker_vault/main.tf
index c013e99525..1103325de8 100644
--- a/enos/modules/docker_vault/main.tf
+++ b/enos/modules/docker_vault/main.tf
@@ -132,11 +132,11 @@ resource "enos_local_exec" "check_health" {
 inline = ["timeout 10s bash -c 'until vault status; do sleep 2; done'"]
 }
-output "address" {
+output "address_public" {
 value = "http://${var.container_name}:${var.vault_port}"
 }
-output "address_internal" {
+output "address_private" {
 value = "http://${var.container_name}:${var.vault_port_internal}"
 }
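Review bot: The IPv6 branch of the new `instance_addresses` value in enos/modules/aws_vault/outputs.tf returns `instance.ipv6_addresses` as-is, so when `var.ip_version` is not `"4"` the output holds bare addresses while the IPv4 branch holds `http://<ip>:8200` URLs; the AWS scenarios in this patch feed `instance_addresses[0]` into `vault_addr_public`, which `enos/modules/test_e2e/main.tf` exports unchanged as `VAULT_ADDR`, so on the IPv6 path that value would carry neither scheme nor port. The companion `instance_addresses_private` output ignores `var.ip_version` and always emits the IPv4 `private_ip`, so the two outputs also disagree on what an IPv6 deployment gets. Format the IPv6 branch the same way, `flatten([for instance in aws_instance.vault_instance : [for addr in instance.ipv6_addresses : "http://[${addr}]:8200"]])`, and state in both `description` strings that the values are URLs rather than IPs.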
diff --git a/enos/modules/test_e2e/main.tf b/enos/modules/test_e2e/main.tf
index ff964386a4..7dac110885 100644
--- a/enos/modules/test_e2e/main.tf
+++ b/enos/modules/test_e2e/main.tf
@@ -66,13 +66,14 @@ variable "target_port" {
 type = string
 default = ""
 }
-variable "vault_addr" {
- description = "External network address of Vault. Will be converted to a URL below"
+variable "vault_addr_public" {
+ description = "Public address to a vault instance"
 type = string
 default = ""
 }
-variable "vault_addr_internal" {
- description = "Internal network address of Vault (i.e. within a docker network). Will be converted to a URL below"
+
+variable "vault_addr_private" {
+ description = "Private address to a vault instance"
 type = string
 default = ""
 }
@@ -81,11 +82,6 @@ variable "vault_root_token" {
 type = string
 default = ""
 }
-variable "vault_port" {
- description = "External Port that vault instance is attached to (outside of docker network)"
- type = string
- default = "8200"
-}
 variable "aws_access_key_id" {
 description = "Access Key Id for AWS IAM user used in dynamic host catalogs"
 type = string
@@ -174,8 +170,6 @@ variable "ip_version" {
 locals {
 aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
- vault_addr = var.vault_addr != "" ? "http://${var.vault_addr}:${var.vault_port}" : ""
- vault_addr_internal = var.vault_addr_internal != "" ? "http://${var.vault_addr_internal}:8200" : local.vault_addr
 aws_host_set_ips1 = jsonencode(var.aws_host_set_ips1)
 aws_host_set_ips2 = jsonencode(var.aws_host_set_ips2)
 package_name = reverse(split("/", var.test_package))[0]
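Review bot: The new descriptions `Public address to a vault instance` and `Private address to a vault instance` no longer say what format the caller must supply, yet the same patch removes the `locals` that used to wrap the value in `http://…:<port>` and now hands `var.vault_addr_public` straight to the test as `VAULT_ADDR`, so a bare host or IP would be passed on as-is. State the contract in the description, e.g. `description = "Public URL of the Vault instance, including scheme and port; passed through unchanged as VAULT_ADDR"`, with the matching wording for `vault_addr_private`. The same two descriptions appear in `enos/modules/test_e2e_docker/main.tf` and `enos/modules/test_e2e_ui/main.tf` in this patch and should be updated together.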
@@ -194,9 +188,10 @@ resource "enos_local_exec" "run_e2e_test" {
 E2E_SSH_USER = var.target_user
 E2E_SSH_KEY_PATH = local.aws_ssh_private_key_path
 E2E_SSH_CA_KEY = ""
- VAULT_ADDR = local.vault_addr
+ VAULT_ADDR = var.vault_addr_public
 VAULT_TOKEN = var.vault_root_token
- E2E_VAULT_ADDR = local.vault_addr_internal
+ E2E_VAULT_ADDR_PUBLIC = var.vault_addr_public
+ E2E_VAULT_ADDR_PRIVATE = var.vault_addr_private
 E2E_AWS_ACCESS_KEY_ID = var.aws_access_key_id
 E2E_AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key
 E2E_AWS_HOST_SET_FILTER = var.aws_host_set_filter1
diff --git a/enos/modules/test_e2e_docker/main.tf b/enos/modules/test_e2e_docker/main.tf
index 254e5d627a..d79d7e9d29 100644
--- a/enos/modules/test_e2e_docker/main.tf
+++ b/enos/modules/test_e2e_docker/main.tf
@@ -94,13 +94,14 @@ variable "target_ca_key" {
 type = string
 default = ""
 }
-variable "vault_addr" {
- description = "External network address of Vault. Will be converted to a URL below"
+variable "vault_addr_public" {
+ description = "Public address to a vault instance"
 type = string
 default = ""
 }
-variable "vault_addr_internal" {
- description = "Internal network address of Vault (i.e. within a docker network). Will be converted to a URL below"
+
+variable "vault_addr_private" {
+ description = "Private address to a vault instance"
 type = string
 default = ""
 }
@@ -314,10 +315,11 @@ resource "enos_local_exec" "run_e2e_test" {
 E2E_SSH_USER = var.target_user
 E2E_SSH_KEY_PATH = local.aws_ssh_private_key_path
 E2E_SSH_CA_KEY = var.target_ca_key
- VAULT_ADDR = var.vault_addr
- VAULT_ADDR_INTERNAL = var.vault_addr_internal
+ VAULT_ADDR = var.vault_addr_public
+ VAULT_ADDR_INTERNAL = var.vault_addr_private
 VAULT_TOKEN = var.vault_root_token
- E2E_VAULT_ADDR = var.vault_addr_internal
+ E2E_VAULT_ADDR_PUBLIC = var.vault_addr_public
+ E2E_VAULT_ADDR_PRIVATE = var.vault_addr_private
 E2E_BUCKET_NAME = var.bucket_name
 E2E_BUCKET_ENDPOINT_URL = var.bucket_endpoint_url
 E2E_BUCKET_USER_ID = var.bucket_user_id
diff --git a/enos/modules/test_e2e_docker/test_runner.sh b/enos/modules/test_e2e_docker/test_runner.sh
index 24e1e99d5b..9e8c330f55 100644
--- a/enos/modules/test_e2e_docker/test_runner.sh
+++ b/enos/modules/test_e2e_docker/test_runner.sh
@@ -31,7 +31,8 @@ docker run \
 -e "E2E_MINIO_ALIAS=$E2E_MINIO_ALIAS" \
 -e "VAULT_ADDR=$VAULT_ADDR_INTERNAL" \
 -e "VAULT_TOKEN=$VAULT_TOKEN" \
- -e "E2E_VAULT_ADDR=$E2E_VAULT_ADDR" \
+ -e "E2E_VAULT_ADDR_PUBLIC=$E2E_VAULT_ADDR_PUBLIC" \
+ -e "E2E_VAULT_ADDR_PRIVATE=$E2E_VAULT_ADDR_PRIVATE" \
 -e "E2E_POSTGRES_USER=$E2E_POSTGRES_USER" \
 -e "E2E_POSTGRES_PASSWORD=$E2E_POSTGRES_PASSWORD" \
 -e "E2E_POSTGRES_DB_NAME=$E2E_POSTGRES_DB_NAME" \
diff --git a/enos/modules/test_e2e_ui/main.tf b/enos/modules/test_e2e_ui/main.tf
index 2f3348dba9..72896bce31 100644
--- a/enos/modules/test_e2e_ui/main.tf
+++ b/enos/modules/test_e2e_ui/main.tf
@@ -73,13 +73,14 @@ variable "target_ca_key_public" {
 type = string
 default = ""
 }
-variable "vault_addr" {
- description = "External network address of Vault. Will be converted to a URL below"
+variable "vault_addr_public" {
+ description = "Public address to a vault instance"
 type = string
 default = ""
 }
-variable "vault_addr_internal" {
- description = "Internal network address of Vault (i.e. within a docker network). Will be converted to a URL below"
+
+variable "vault_addr_private" {
+ description = "Private address to a vault instance"
 type = string
 default = ""
 }
@@ -211,9 +212,10 @@ resource "enos_local_exec" "run_e2e_test" { E2E_SSH_KEY_PATH = local.aws_ssh_private_key_path E2E_SSH_CA_KEY = var.target_ca_key E2E_SSH_CA_KEY_PUBLIC = var.target_ca_key_public - VAULT_ADDR = var.vault_addr + VAULT_ADDR = var.vault_addr_public VAULT_TOKEN = var.vault_root_token - E2E_VAULT_ADDR = var.vault_addr_internal + E2E_VAULT_ADDR_PUBLIC = var.vault_addr_public + E2E_VAULT_ADDR_PRIVATE = var.vault_addr_private E2E_AWS_ACCESS_KEY_ID = var.aws_access_key_id E2E_AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key E2E_AWS_HOST_SET_FILTER = var.aws_host_set_filter diff --git a/go.mod b/go.mod index 279d0e6954..89f56b1f5e 100644 --- a/go.mod +++ b/go.mod @@ -16,8 +16,8 @@ require ( github.com/google/go-cmp v0.6.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 - github.com/hashicorp/boundary/api v0.0.54 - github.com/hashicorp/boundary/sdk v0.0.50 + github.com/hashicorp/boundary/api v0.0.50 + github.com/hashicorp/boundary/sdk v0.0.48 github.com/hashicorp/cap v0.5.1-0.20240315182732-faa330bfb8df github.com/hashicorp/dawdle v0.5.0 github.com/hashicorp/eventlogger v0.2.9 diff --git a/internal/cmd/commands/database/funcs.go b/internal/cmd/commands/database/funcs.go index 0ab80316a7..2e667982fb 100644 --- a/internal/cmd/commands/database/funcs.go +++ b/internal/cmd/commands/database/funcs.go @@ -46,13 +46,11 @@ func migrateDatabase(ctx context.Context, ui cli.Ui, dialect, u string, initiali // This is an advisory lock on the DB which is released when the DB session ends. if err := man.ExclusiveLock(ctx); err != nil { ui.Error("Unable to capture a lock on the database.") - _ = man.Close(ctx) return noop, 2 } unlock := func() { // We don't report anything since this should resolve itself anyways. _ = man.ExclusiveUnlock(ctx) - _ = man.Close(ctx) } st, err := man.CurrentState(ctx) 
diff --git a/internal/db/schema/migrations/oss/testing.go b/internal/db/schema/migrations/oss/testing.go index c7b5fc3645..3c17567ab2 100644 --- a/internal/db/schema/migrations/oss/testing.go +++ b/internal/db/schema/migrations/oss/testing.go @@ -19,7 +19,6 @@ func ApplyMigration(t *testing.T, ctx context.Context, d *sql.DB, migrationId in schema.TestCreatePartialEditions(schema.Dialect(dialect), schema.PartialEditions{"oss": migrationId}), )) require.NoError(t, err) - t.Cleanup(func() { m.Close(context.Background()) }) _, err = m.ApplyMigrations(ctx) require.NoError(t, err) state, err := m.CurrentState(ctx) diff --git a/internal/db/schema/schema.go b/internal/db/schema/schema.go index 039991762c..bf12da1e54 100644 --- a/internal/db/schema/schema.go +++ b/internal/db/schema/schema.go @@ -25,7 +25,6 @@ func MigrateStore(ctx context.Context, dialect Dialect, url string, opt ...Optio if err != nil { return false, errors.Wrap(ctx, err, op) } - defer sMan.Close(ctx) st, err := sMan.CurrentState(ctx) if err != nil { diff --git a/internal/gen/controller.swagger.json b/internal/gen/controller.swagger.json index f4d8e62c9a..72a32a3daa 100644 --- a/internal/gen/controller.swagger.json +++ b/internal/gen/controller.swagger.json 
@@ -3,7 +3,7 @@ "info": { "title": "Boundary controller HTTP API", "description": "Welcome to the Boundary controller HTTP API documentation. This page provides a reference guide for using the Boundary controller API, a JSON-based HTTP API. The API implements commonly seen HTTP API patterns for status codes, paths, and errors. See the [API overview](https://developer.hashicorp.com/boundary/docs/api-clients/api) for more information.\n\nBefore you read this page, it is useful to understand Boundary's [domain model](https://developer.hashicorp.com/boundary/docs/concepts/domain-model) and to be aware of the terminology used here. To get started, search for the service you want to interact with in the sidebar to the left. Each resource in Boundary, such as accounts and credential stores, has its own service. Each service contains all the API endpoints for the resource.\n## Status codes\n- `2XX`: Boundary returns a code between `200` and `299` on success. Generally this is `200`, but implementations should be prepared to accept any `2XX` status code as indicating success. If a call returns a `2XX` code that is not `200`, it follows well-understood semantics for those status codes.\n- `400`: Boundary returns `400` when a command cannot be completed due to invalid user input, except for a properly-formatted identifier that does not map to an existing resource, which returns a `404` as discussed below.\n- `401`: Boundary returns `401` if no authentication token is provided or if the provided token is invalid. A valid token that simply does not have permission for a resource returns a `403` instead. 
A token that is invalid or missing, but where the anonymous user (`u_anon`) is able to successfully perform the action, will not return a `401` but instead will return the result of the action.\n- `403`: Boundary returns `403` if a provided token was valid but does not have the grants required to perform the requested action.\n- `404`: Boundary returns `404` if a resource cannot be found. Note that this happens _prior_ to authentication/authorization checking in nearly all cases as the resource information (such as its scope, available actions, etc.) is a required part of that check. As a result, an action against a resource that does not exist returns a `404` instead of a `401` or `403`. While this could be considered an information leak, since IDs are randomly generated and this only discloses whether an ID is valid, it's tolerable as it allows for far simpler and more robust client implementation.\n- `405`: Boundary returns a `405` to indicate that the method (HTTP verb or custom action) is not implemented for the given resource.\n- `429`: Boundary returns a `429` if any of the API rate limit quotas have been exhausted for the resource and action. It includes the `Retry-After` header so that the client knows how long to wait before making a new request.\n- `500`: Boundary returns `500` if an error occurred that is not (directly) tied to invalid user input. If a `500` is generated, information about the error is logged to Boundary's server log but is not generally provided to the client.\n- `503`: Boundary returns a `503` if it is unable to store a quota due to the API rate limit being exceeded. 
It includes the `Retry-After` header so that the client knows how long to wait before making a new request.\n## List pagination\nBoundary uses [API pagination](https://developer.hashicorp.com/boundary/docs/api-clients/api/pagination) to support searching and filtering large lists of results efficiently.", - "version": "0.19.0", + "version": "0.19.1", "contact": { "name": "HashiCorp Boundary", "url": "https://www.boundaryproject.io/" diff --git a/internal/oplog/testing.go b/internal/oplog/testing.go index f5f5ba5845..18509cafbc 100644 --- a/internal/oplog/testing.go +++ b/internal/oplog/testing.go @@ -125,7 +125,6 @@ func testInitStore(t testing.TB, cleanup func() error, url string) { require.NoError(t, err) sm, err := schema.NewManager(ctx, schema.Dialect(dialect), d) require.NoError(t, err) - t.Cleanup(func() { sm.Close(context.Background()) }) _, err = sm.ApplyMigrations(ctx) require.NoError(t, err) } diff --git a/testing/internal/e2e/tests/base_with_vault/env_test.go b/testing/internal/e2e/tests/base_with_vault/env_test.go index b732f31bda..c213a2e80d 100644 --- a/testing/internal/e2e/tests/base_with_vault/env_test.go +++ b/testing/internal/e2e/tests/base_with_vault/env_test.go 
@@ -13,9 +13,10 @@ type config struct { // Note: Key is base64 encoded TargetCaKey string `envconfig:"E2E_SSH_CA_KEY" required:"true"` // VaultAddr is the address that the Boundary server uses to interact with the running Vault instance - VaultAddr string `envconfig:"E2E_VAULT_ADDR" required:"true"` // e.g. "http://127.0.0.1:8200" - VaultSecretPath string `envconfig:"E2E_VAULT_SECRET_PATH" default:"e2e_secrets"` - MaxPageSize int `envconfig:"E2E_MAX_PAGE_SIZE" default:"1000"` + VaultAddr string `envconfig:"E2E_VAULT_ADDR_PUBLIC" required:"true"` // e.g. "http://127.0.0.1:8200" + VaultAddrPrivate string `envconfig:"E2E_VAULT_ADDR_PRIVATE" required:"true"` // e.g. "http://10.10.10.10:8200" + VaultSecretPath string `envconfig:"E2E_VAULT_SECRET_PATH" default:"e2e_secrets"` + MaxPageSize int `envconfig:"E2E_MAX_PAGE_SIZE" default:"1000"` } func loadTestConfig() (*config, error) { diff --git a/testing/internal/e2e/tests/base_with_worker/env_test.go b/testing/internal/e2e/tests/base_with_worker/env_test.go index 7ecd3ab80f..8246251d2e 100644 --- a/testing/internal/e2e/tests/base_with_worker/env_test.go +++ b/testing/internal/e2e/tests/base_with_worker/env_test.go 
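Review bot: The comment above `VaultAddr` still says it is "the address that the Boundary server uses to interact with the running Vault instance", but the field is now bound to `E2E_VAULT_ADDR_PUBLIC`, and the new `VaultAddrPrivate` field bound to `E2E_VAULT_ADDR_PRIVATE` has no comment at all; given that the docker runner in this commit sets the container's `VAULT_ADDR` from the internal address, the server-facing address is presumably the private one, so the surviving comment now describes the wrong field. Suggest `// VaultAddr is the public address the test process itself uses to reach Vault (e.g. from the host)` and `// VaultAddrPrivate is the address Boundary's controller uses to reach Vault (e.g. inside the docker network) — confirm against the scenario wiring`. Separately, `required:"true"` in envconfig, as far as I know, rejects only an unset variable, so the empty string the Terraform defaults can produce passes validation; a non-empty check on both fields in `loadTestConfig` (outside this hunk) would turn that into an explicit failure. The `config` struct starts before the hunk.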
@@ -14,8 +14,9 @@ type config struct { WorkerTagEgress string `envconfig:"E2E_WORKER_TAG_EGRESS" required:"true"` // e.g. "egress" WorkerTagCollocated string `envconfig:"E2E_WORKER_TAG_COLLOCATED" required:"true"` // e.g. "collocated" // VaultAddr is the address that the Boundary server uses to interact with the running Vault instance - VaultAddr string `envconfig:"E2E_VAULT_ADDR" required:"true"` // e.g. "http://127.0.0.1:8200" - VaultSecretPath string `envconfig:"E2E_VAULT_SECRET_PATH" default:"e2e_secrets"` + VaultAddr string `envconfig:"E2E_VAULT_ADDR_PUBLIC" required:"true"` // e.g. "http://127.0.0.1:8200" + VaultAddrPrivate string `envconfig:"E2E_VAULT_ADDR_PRIVATE" required:"true"` // e.g. "http://10.10.10.10:8200" + VaultSecretPath string `envconfig:"E2E_VAULT_SECRET_PATH" default:"e2e_secrets"` } func loadTestConfig() (*config, error) { diff --git a/version/VERSION b/version/VERSION index 3f46c4d182..4559101363 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -0.19.0 \ No newline at end of file +0.19.1 \ No newline at end of file diff --git a/website/content/docs/concepts/host-discovery/aws.mdx b/website/content/docs/concepts/host-discovery/aws.mdx index f475e0d81d..869ab034c0 100644 --- a/website/content/docs/concepts/host-discovery/aws.mdx +++ b/website/content/docs/concepts/host-discovery/aws.mdx @@ -91,29 +91,13 @@ Perform the following steps to set up a host catalog using [AssumeRole](https:// { "Effect": "Allow", "Action": [ - "ec2:Describe*", - "ec2:GetSecurityGroupsForVpc" + "sts:AssumeRole" ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "elasticloadbalancing:Describe*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cloudwatch:ListMetrics", - "cloudwatch:GetMetricStatistics", - "cloudwatch:Describe*" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "autoscaling:Describe*", - "Resource": "*" + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + } } ] }
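Review bot: Same stale comment as in the `base_with_vault` config: the line "VaultAddr is the address that the Boundary server uses to interact with the running Vault instance" now sits above a field bound to `E2E_VAULT_ADDR_PUBLIC`, while the newly added `VaultAddrPrivate` (`E2E_VAULT_ADDR_PRIVATE`) is undocumented, so a reader cannot tell which address the worker scenario hands to Boundary and which the test dials directly. Suggest `// VaultAddr is the public address the test process uses to reach Vault` and `// VaultAddrPrivate is the address Boundary (controller/worker) uses to reach Vault — confirm which one the scenario wires into the credential store`. Since both Terraform-side variables default to `""` and envconfig's `required` checks presence rather than emptiness in the versions I know, consider validating both fields are non-empty in `loadTestConfig`, which is outside this hunk, as is the start of the `config` struct.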