From ffef710a6082a9efcecbe92640ba675f69c3b44d Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 28 May 2025 12:34:09 -0400
Subject: [PATCH 1/7] add redis changes

---
 .../redis_config.tf | 4 ++++
 .../variables.tf | 19 +++++++++++++++
 modules/settings/tfe_redis_config.tf | 4 ++++
 modules/settings/variables.tf | 24 +++++++++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 1037d903..365e35c5 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -13,6 +13,10 @@ locals {
 TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
 TFE_REDIS_SENTINEL_PASSWORD = var.redis_sentinel_password
 TFE_REDIS_SENTINEL_USERNAME = var.redis_sentinel_user
+ TFE_REDIS_CA_CERT_PATH = var.redis_ca_cert_path
+ TFE_REDIS_CLIENT_CERT_PATH = var.redis_client_cert_path
+ TFE_REDIS_CLIENT_KEY_PATH = var.redis_client_key_path
+ TFE_REDIS_USE_MTLS = var.redis_use_mtls
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 94ca38ed..717bbf3c 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
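Review bot: The four `TFE_REDIS_*_PATH` values are read by the TFE process inside the container, so `var.redis_ca_cert_path`, `var.redis_client_cert_path` and `var.redis_client_key_path` must name the bind-mount target (a later hunk on this page mounts the host's `/etc/tfe/ssl/redis` at `/etc/ssl/private/terraform-enterprise/redis`), not the host path the init script writes to; nothing in this module ties the two together, so a caller passing the host path gets a TLS failure only at runtime. A comment on the added lines would prevent that: `# Container-side paths: must point at the bind-mount target of /etc/tfe/ssl/redis, not the host path.` Separately, `TFE_REDIS_USE_MTLS = var.redis_use_mtls` puts a bool into a map whose visible siblings are strings; how that map is serialized to environment values is outside the hunk, so confirm a bool renders as the value TFE expects rather than converting it here only if needed.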
@@ -209,6 +209,25 @@ variable "redis_use_tls" {
 description = "Whether or not to use TLS to access Redis. Defaults to false if no value is given."
 }
+variable "redis_ca_cert_path" {
+ type = string
+ description = "Path to a file containing the CA certificate for Redis TLS connections. Leave blank to not use a CA certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+variable "redis_client_cert_path" {
+ type = string
+ description = "Path to a file containing the client certificate for Redis TLS connections. Leave blank to not use a client certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+
+variable "redis_client_key_path" {
+ type = string
+ description = "Path to a file containing the client key for Redis TLS connections. Leave blank to not use a client key for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+
+variable "redis_use_mtls" {
+ type = bool
+ description = "Whether or not to use mutual TLS to access Redis. Defaults to false if no value is given."
+}
+
 variable "redis_user" {
 type = string
 description = "Redis server user. Leave blank to not use a user when authenticating. Defaults to \"\" if no value is given."
diff --git a/modules/settings/tfe_redis_config.tf b/modules/settings/tfe_redis_config.tf
index 198b493a..e21535c9 100644
--- a/modules/settings/tfe_redis_config.tf
+++ b/modules/settings/tfe_redis_config.tf
@@ -22,6 +22,10 @@ locals {
 redis_use_tls = {
 value = var.redis_use_tls != null ? var.redis_use_tls ? "1" : "0" : null
 }
+
+ redis_use_mtls = {
+ value = var.redis_use_mtls != null ? var.redis_use_mtls ? "1" : "0" : null
+ }
 }
 redis_configuration = var.production_type == "active-active" ? local.redis_configs : {}
diff --git a/modules/settings/variables.tf b/modules/settings/variables.tf
index 2ad8cfb5..c368818a 100644
--- a/modules/settings/variables.tf
+++ b/modules/settings/variables.tf
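Review bot: The style of the new block differs from its neighbours: `redis_ca_cert_path` is attached directly to the closing brace of `redis_use_tls` with no separating blank line, and `redis_ca_cert_path`/`redis_client_cert_path` are not separated from each other either, while the remaining two are; one blank line between each `variable` block keeps the file uniform and `terraform fmt` will not add it for you. The descriptions also state `Defaults to ""` although no `default` is given here, which makes the three path variables required inputs at this point in the series; the final patch on this page revisits the defaults, so see the note there for the wording mismatch.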
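Review bot: `redis_use_mtls` becomes a settings value that can be turned on ("1"), yet this module carries no certificate, key or CA path settings alongside it, and the matching `redis_*_path` variables added to `modules/settings/variables.tf` in this same patch are deleted again as unused in patch 6/7 of the series. Unless the settings-based install path obtains its mTLS material some other way (not visible on this page), enabling the flag here produces a Redis client that cannot present a certificate. Either drop the setting from this module or document the gap next to it: `# NOTE: mTLS cert/key/CA paths are not plumbed through the settings module; see runtime_container_engine_config.`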
@@ -266,6 +266,30 @@ variable "redis_use_tls" {
 description = "Redis service requires TLS. If true, the external Redis instance will use port 6380, otherwise 6379."
 }
+variable "redis_use_mtls" {
+ default = null
+ type = bool
+ description = "Redis service requires mutual TLS authentication. If true, the external Redis instance will use TLS certs for authentication."
+}
+
+variable "redis_ca_cert_path" {
+ default = null
+ type = string
+ description = "(Required when redis_use_mtls is true) The path to the CA certificate file for the Redis instance."
+}
+
+variable "redis_client_cert_path" {
+ default = null
+ type = string
+ description = "(Required when redis_use_mtls is true) The path to the client certificate file for the Redis instance."
+}
+
+variable "redis_client_key_path" {
+ default = null
+ type = string
+ description = "(Required when redis_use_mtls is true) The path to the client key file for the Redis instance."
+}
+
 # ------------------------------------------------------
 # Mounted Disk
 # ------------------------------------------------------
From 547a81cb4717532ed2503f7bab13c736a95f48e7 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 30 May 2025 12:02:52 -0400
Subject: [PATCH 2/7] updates for redis cert

---
 .../runtime_container_engine_config/main.tf | 5 ++++
 modules/tfe_init/main.tf | 17 ++++++++++-
 .../templates/aws.ubuntu.docker.tfe.sh.tpl | 29 +++++++++++++++++++
 modules/tfe_init/variables.tf | 25 +++++++++++++++-
 4 files changed, 74 insertions(+), 2 deletions(-)

diff --git a/modules/runtime_container_engine_config/main.tf b/modules/runtime_container_engine_config/main.tf
index 145909e2..0960102f 100644
--- a/modules/runtime_container_engine_config/main.tf
+++ b/modules/runtime_container_engine_config/main.tf
@@ -83,6 +83,11 @@ locals {
 source = "/etc/tfe/ssl"
 target = "/etc/ssl/private/terraform-enterprise"
 },
+ {
+ type = "bind"
+ source = "/etc/tfe/ssl/redis"
+ target = "/etc/ssl/private/terraform-enterprise/redis"
+ },
 {
 type = "volume"
 source = "terraform-enterprise-cache"
diff --git a/modules/tfe_init/main.tf b/modules/tfe_init/main.tf
index 2bcfca59..85207099 100644
--- a/modules/tfe_init/main.tf
+++ b/modules/tfe_init/main.tf
@@ -7,6 +7,12 @@ locals {
 tls_bootstrap_cert_pathname = "${local.tls_bootstrap_path}/cert.pem"
 tls_bootstrap_key_pathname = "${local.tls_bootstrap_path}/key.pem"
 tls_bootstrap_ca_pathname = "${local.tls_bootstrap_path}/bundle.pem"
+
+ redis_bootstrap_path = "/etc/tfe/ssl/redis"
+ redis_bootstrap_cert_pathname = "${local.redis_bootstrap_path}/cert.pem"
+ redis_bootstrap_key_pathname = "${local.redis_bootstrap_path}/key.pem"
+ redis_bootstrap_ca_pathname = "${local.redis_bootstrap_path}/ca_cert.pem"
+
 user_data_template = {
 aws = {
 ubuntu = {
@@ -62,10 +68,19 @@ locals {
 tls_bootstrap_ca_pathname = local.tls_bootstrap_ca_pathname
 docker_compose = var.docker_compose_yaml
 podman_kube_config = var.podman_kube_yaml
-
+
 ca_certificate_secret_id = var.ca_certificate_secret_id
 certificate_secret_id = var.certificate_secret_id
 key_secret_id = var.key_secret_id
+
+ enable_redis_mtls = var.enable_redis_mtls
+ redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+ redis_certificate_secret_id = var.redis_client_certificate_secret_id
+ redis_client_key_secret_id = var.redis_client_key_secret_id
+
+ redis_bootstrap_cert_pathname = local.redis_bootstrap_cert_pathname
+ redis_bootstrap_key_pathname = local.redis_bootstrap_key_pathname
+ redis_bootstrap_ca_pathname = local.redis_bootstrap_ca_pathname
 proxy_ip = var.proxy_ip
 proxy_port = var.proxy_port
diff --git a/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl b/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
index e05c2b76..42f85155 100644
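Review bot: The new bind mount sits inside the existing one two entries above (`/etc/tfe/ssl` → `/etc/ssl/private/terraform-enterprise`), so `/etc/tfe/ssl/redis` is already visible in the container at `/etc/ssl/private/terraform-enterprise/redis` without this entry; if a separate mount is deliberate (for example so the Redis material can move out of `/etc/tfe/ssl` later), a one-line comment should say so, otherwise it is dead configuration. Whichever way that goes, the container only ever reads the client key and CA, so the mount should be read-only — if this list feeds the compose `volumes` long syntax, that is `read_only = true` next to `target` — so that a process in the container cannot rewrite the key or CA bundle on the host. The enclosing `locals` block continues outside the hunk.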
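Review bot: In the second hunk the template variable is named `redis_certificate_secret_id` while the input it carries is `var.redis_client_certificate_secret_id` and its sibling keeps the full name `redis_client_key_secret_id`; the mismatch has to be remembered when reading the `.tpl`, where `${redis_certificate_secret_id}` is used. Renaming the key to `redis_client_certificate_secret_id = var.redis_client_certificate_secret_id` (and the one reference in the template) keeps the three names parallel. A short comment above the new `redis_bootstrap_*` locals in the first hunk saying that these host paths are where the init script lands the files, and that TFE sees them under the bind-mount target, would also help the next reader connect the two modules.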
--- a/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
+++ b/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
@@ -53,6 +53,15 @@ echo $certificate_data_b64 | base64 --decode > ${tls_bootstrap_cert_pathname}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapCert configuration" | tee -a $log_pathname
 %{ endif ~}
+%{ if enable_redis_mtls == true ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisCertBootstrap" | tee -a $log_pathname
+redis_certificate_data_b64=$(get_base64_secrets ${redis_certificate_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_cert_pathname})
+echo $redis_certificate_data_b64 | base64 --decode > ${redis_bootstrap_cert_pathname}
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping RedisCertBootstrap configuration" | tee -a $log_pathname
+%{ endif ~}
+
 %{ if key_secret_id != null ~}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure TlsBootstrapKey" | tee -a $log_pathname
 key_data_b64=$(get_base64_secrets ${key_secret_id})
@@ -62,6 +71,17 @@ chmod 0600 ${tls_bootstrap_key_pathname}
 %{ else ~}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
 %{ endif ~}
+
+%{ if redis_client_key_secret_id != null ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisKeyBootstrap" | tee -a $log_pathname
+redis_key_data_b64=$(get_base64_secrets ${redis_client_key_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_key_pathname})
+echo $redis_key_data_b64 | base64 --decode > ${redis_bootstrap_key_pathname}
+chmod 0600 ${redis_bootstrap_key_pathname}
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
+%{ endif ~}
+
 ca_certificate_directory="/dev/null"
 ca_certificate_directory=/usr/local/share/ca-certificates/extra
 ca_cert_filepath="$ca_certificate_directory/tfe-ca-certificate.crt"
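Review bot: The client-certificate block is gated on `enable_redis_mtls == true`, but the key block in the next hunk and the CA block in the following one are gated on their secret IDs being non-null, so the three files are written independently of each other and of the flag: with the flag set and `redis_certificate_secret_id` left at its null default the template interpolates a null and fails with Terraform's generic null-in-template error rather than one naming the missing input, and with the flag unset but the IDs supplied the key and CA are still decoded onto the host for no purpose. Gate all three blocks on one condition, e.g. `%{ if enable_redis_mtls == true && redis_certificate_secret_id != null ~}` with the matching key and CA IDs in theirs, or enforce the relationship at plan time in `modules/tfe_init/variables.tf`. The script continues outside the hunk.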
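Review bot: The `else` branch of the new Redis key block logs `Skipping TlsBootstrapKey configuration`, the message of the TFE key block just above it, so a log reader cannot tell which of the two keys was skipped; it should read `echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping RedisKeyBootstrap configuration" | tee -a $log_pathname`. Also note that the redirect creates `${redis_bootstrap_key_pathname}` with the process umask and only the following `chmod 0600` tightens it; `(umask 077; echo $redis_key_data_b64 | base64 --decode > ${redis_bootstrap_key_pathname})` removes that window, although the existing TFE key block has the same pattern and could be fixed alongside.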
@@ -74,6 +94,15 @@ echo $ca_certificate_data_b64 | base64 --decode > $ca_cert_filepath
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping CA certificate configuration" | tee -a $log_pathname
 %{ endif ~}
+%{ if redis_ca_certificate_secret_id != null ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure Redis CA cert" | tee -a $log_pathname
+redis_ca_certificate_data_b64=$(get_base64_secrets ${redis_ca_certificate_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_ca_pathname})
+echo $redis_ca_certificate_data_b64 | base64 --decode > $redis_bootstrap_ca_pathname
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping Redis CA certificate configuration" | tee -a $log_pathname
+%{ endif ~}
+
 if [ -f "$ca_cert_filepath" ]
 then
 update-ca-certificates
diff --git a/modules/tfe_init/variables.tf b/modules/tfe_init/variables.tf
index 2fca90ec..a3189804 100644
--- a/modules/tfe_init/variables.tf
+++ b/modules/tfe_init/variables.tf
@@ -1,6 +1,12 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
+variable "enable_redis_mtls" {
+ default = false
+ type = bool
+ description = "Should Redis mTLS be enabled? This requires the redis_ca_certificate_secret_id, redis_client_key_secret_id and redis_client_certificate_secret_id variables to be set."
+}
+
 variable "ca_certificate_secret_id" {
 default = null
 type = string
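Review bot: Unlike the TFE CA block above it, the Redis CA is written only to the bootstrap path and is never copied into `$ca_certificate_directory` for `update-ca-certificates`, which is the right choice if TFE consumes it solely through `TFE_REDIS_CA_CERT_PATH`, but a reader comparing the two blocks will assume an omission; add `# Not installed into the system trust store on purpose: TFE reads it directly via TFE_REDIS_CA_CERT_PATH.` above the `if`. The block is also gated on `redis_ca_certificate_secret_id != null` rather than on `enable_redis_mtls` like the certificate block earlier in this file (raised in the note on that hunk).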
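Review bot: The description of `enable_redis_mtls` states that the three `redis_*_secret_id` variables must be set when it is true, but nothing enforces that; with all three at their `null` defaults and the flag true, the template in this same patch interpolates a null and Terraform reports a generic null-in-template error instead of naming the missing input. A cross-variable `validation` block on `enable_redis_mtls` (supported on recent Terraform releases) or a `lifecycle { precondition }` on the resource that renders the template — that resource is outside this hunk — would fail the plan with a clear message such as `redis_ca_certificate_secret_id, redis_client_certificate_secret_id and redis_client_key_secret_id must be set when enable_redis_mtls is true`. Placing the new variable at the very top of the file, ahead of the `ca_certificate_secret_id` block that the rest of the file orders alphabetically, is also a small style oddity.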
@@ -13,6 +19,18 @@ variable "certificate_secret_id" {
 description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
 }
+variable "redis_ca_certificate_secret_id" {
+ default = null
+ type = string
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate of a certificate authority (CA) to be trusted by the TFE instance(s)."
+}
+
+variable "redis_client_certificate_secret_id" {
+ default = null
+ type = string
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
+}
+
 variable "cloud" {
 default = null
 type = string
@@ -89,7 +107,6 @@ variable "key_secret_id" {
 description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
 }
-
 variable "operational_mode" {
 default = null
 description = "A special string to control the operational mode of Terraform Enterprise. Valid values are: 'external' for External Services mode; 'disk' for Mounted Disk mode; 'active-active' for Active/Active mode."
@@ -112,6 +129,12 @@ variable "proxy_port" {
 description = "Port that the proxy server will use"
 }
+variable "redis_client_key_secret_id" {
+ default = null
+ type = string
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
+}
+
 variable "registry" {
 default = null
 type = string
From 4fbfb22b9d3b1c4491a65052ae9590130426136f Mon Sep 17 00:00:00 2001
From: Sandra Maria Peter <83961684+sandrampeter@users.noreply.github.com>
Date: Wed, 4 Jun 2025 17:30:38 -0400
Subject: [PATCH 3/7] Update main.tf

---
 modules/tfe_init/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/tfe_init/main.tf b/modules/tfe_init/main.tf
index 85207099..af3f7a87 100644
--- a/modules/tfe_init/main.tf
+++ b/modules/tfe_init/main.tf
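Review bot: The file appears to be ordered alphabetically (`ca_certificate_secret_id`, `certificate_secret_id`, `cloud`, …, `key_secret_id`, `operational_mode`, `proxy_port`, `registry`), and the third hunk correctly places `redis_client_key_secret_id` between `proxy_port` and `registry`, but the first hunk inserts `redis_ca_certificate_secret_id` and `redis_client_certificate_secret_id` after `certificate_secret_id`, splitting the three related inputs across the file. Moving the two blocks from the first hunk down to sit with `redis_client_key_secret_id` keeps the ordering and makes the trio that `enable_redis_mtls` depends on readable in one place. The descriptions in the first hunk are copied verbatim from the TFE certificate variables and still talk about certificates "for the TFE instance(s)"; patch 5 on this page rewords them, and the note there covers the wording.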
@@ -11,7 +11,7 @@ locals {
 redis_bootstrap_path = "/etc/tfe/ssl/redis"
 redis_bootstrap_cert_pathname = "${local.redis_bootstrap_path}/cert.pem"
 redis_bootstrap_key_pathname = "${local.redis_bootstrap_path}/key.pem"
- redis_bootstrap_ca_pathname = "${local.redis_bootstrap_path}/ca_cert.pem"
+ redis_bootstrap_ca_pathname = "${local.redis_bootstrap_path}/cacert.pem"
 user_data_template = {
 aws = {
From 41563fd0bef5ccdf377a1788ba6d34425996877c Mon Sep 17 00:00:00 2001
From: Sandra Maria Peter <83961684+sandrampeter@users.noreply.github.com>
Date: Wed, 4 Jun 2025 18:19:36 -0400
Subject: [PATCH 4/7] Update aws.ubuntu.docker.tfe.sh.tpl

---
 modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl b/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
index 42f85155..2d729cb8 100644
--- a/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
+++ b/modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
@@ -98,7 +98,7 @@ echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping CA certificate configur
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure Redis CA cert" | tee -a $log_pathname
 redis_ca_certificate_data_b64=$(get_base64_secrets ${redis_ca_certificate_secret_id})
 mkdir -p $(dirname ${redis_bootstrap_ca_pathname})
-echo $redis_ca_certificate_data_b64 | base64 --decode > $redis_bootstrap_ca_pathname
+echo $redis_ca_certificate_data_b64 | base64 --decode > ${redis_bootstrap_ca_pathname}
 %{ else ~}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping Redis CA certificate configuration" | tee -a $log_pathname
 %{ endif ~}
From 390868b74e60f74b0231067981fd8754eb5f8827 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 6 Jun 2025 10:54:51 -0400
Subject: [PATCH 5/7] fmt

---
 modules/tfe_init/main.tf | 8 ++++----
 modules/tfe_init/variables.tf | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/tfe_init/main.tf b/modules/tfe_init/main.tf
index 85207099..6fe029c6 100644
--- a/modules/tfe_init/main.tf
+++ b/modules/tfe_init/main.tf
@@ -7,7 +7,7 @@ locals {
 tls_bootstrap_cert_pathname = "${local.tls_bootstrap_path}/cert.pem"
 tls_bootstrap_key_pathname = "${local.tls_bootstrap_path}/key.pem"
 tls_bootstrap_ca_pathname = "${local.tls_bootstrap_path}/bundle.pem"
-
+
 redis_bootstrap_path = "/etc/tfe/ssl/redis"
 redis_bootstrap_cert_pathname = "${local.redis_bootstrap_path}/cert.pem"
 redis_bootstrap_key_pathname = "${local.redis_bootstrap_path}/key.pem"
@@ -68,15 +68,15 @@ locals {
 tls_bootstrap_ca_pathname = local.tls_bootstrap_ca_pathname
 docker_compose = var.docker_compose_yaml
 podman_kube_config = var.podman_kube_yaml
-
+
 ca_certificate_secret_id = var.ca_certificate_secret_id
 certificate_secret_id = var.certificate_secret_id
 key_secret_id = var.key_secret_id
-
+
 enable_redis_mtls = var.enable_redis_mtls
 redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
 redis_certificate_secret_id = var.redis_client_certificate_secret_id
- redis_client_key_secret_id = var.redis_client_key_secret_id
+ redis_client_key_secret_id = var.redis_client_key_secret_id
 redis_bootstrap_cert_pathname = local.redis_bootstrap_cert_pathname
 redis_bootstrap_key_pathname = local.redis_bootstrap_key_pathname
diff --git a/modules/tfe_init/variables.tf b/modules/tfe_init/variables.tf
index a3189804..bb68abc3 100644
--- a/modules/tfe_init/variables.tf
+++ b/modules/tfe_init/variables.tf
@@ -22,13 +22,13 @@ variable "certificate_secret_id" {
 variable "redis_ca_certificate_secret_id" {
 default = null
 type = string
- description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate of a certificate authority (CA) to be trusted by the TFE instance(s)."
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate of a certificate authority (CA) to be trusted by the redis instance"
 }
 variable "redis_client_certificate_secret_id" {
 default = null
 type = string
- description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for redis instance."
 }
 variable "cloud" {
@@ -132,7 +132,7 @@ variable "proxy_port" {
 variable "redis_client_key_secret_id" {
 default = null
 type = string
- description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
+ description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the redis instance"
 }
 variable "registry" {
From 8610632351b3a7497dc9c2e93dc2c479f69350f9 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 6 Jun 2025 11:31:03 -0400
Subject: [PATCH 6/7] remove unused

---
 modules/settings/variables.tf | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/modules/settings/variables.tf b/modules/settings/variables.tf
index c368818a..9da185bd 100644
--- a/modules/settings/variables.tf
+++ b/modules/settings/variables.tf
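Review bot: The reworded descriptions now describe the material from the wrong side of the connection: the CA in `redis_ca_certificate_secret_id` is not "trusted by the redis instance", it is the CA that issued the Redis server certificate and is trusted by TFE when it connects, and `redis_client_certificate_secret_id` is the client certificate TFE presents to Redis, not a certificate "for redis instance". Suggested wording: `... of the certificate authority (CA) that signed the Redis server certificate, trusted by the TFE instance(s) when connecting to Redis.` and `... client certificate that the TFE instance(s) present to Redis for mutual TLS.`; the key description in the second hunk should likewise read `... private key for the Redis client certificate presented by the TFE instance(s).` Two of the three new strings also drop the trailing period and lowercase "Redis", unlike every other description in the file.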
@@ -272,24 +272,6 @@ variable "redis_use_mtls" {
 description = "Redis service requires mutual TLS authentication. If true, the external Redis instance will use TLS certs for authentication."
 }
-variable "redis_ca_cert_path" {
- default = null
- type = string
- description = "(Required when redis_use_mtls is true) The path to the CA certificate file for the Redis instance."
-}
-
-variable "redis_client_cert_path" {
- default = null
- type = string
- description = "(Required when redis_use_mtls is true) The path to the client certificate file for the Redis instance."
-}
-
-variable "redis_client_key_path" {
- default = null
- type = string
- description = "(Required when redis_use_mtls is true) The path to the client key file for the Redis instance."
-}
-
 # ------------------------------------------------------
 # Mounted Disk
 # ------------------------------------------------------
From 61dcb115f0a3ad318caec7320aa10644b87c1e8e Mon Sep 17 00:00:00 2001
From: Sandra Maria Peter <83961684+sandrampeter@users.noreply.github.com>
Date: Mon, 9 Jun 2025 16:32:54 -0400
Subject: [PATCH 7/7] Update variables.tf with defaults

---
 modules/runtime_container_engine_config/variables.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 32014143..69bb4c1b 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -218,20 +218,24 @@ variable "redis_use_tls" {
 variable "redis_ca_cert_path" {
 type = string
 description = "Path to a file containing the CA certificate for Redis TLS connections. Leave blank to not use a CA certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+ default = null
 }
 variable "redis_client_cert_path" {
 type = string
 description = "Path to a file containing the client certificate for Redis TLS connections. Leave blank to not use a client certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+ default = null
 }
 variable "redis_client_key_path" {
 type = string
 description = "Path to a file containing the client key for Redis TLS connections. Leave blank to not use a client key for Redis TLS connections. Defaults to \"\" if no value is given."
+ default = null
 }
 variable "redis_use_mtls" {
 type = bool
 description = "Whether or not to use mutual TLS to access Redis. Defaults to false if no value is given."
+ default = false
 }
 variable "redis_user" {
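Review bot: The three path descriptions still say `Defaults to "" if no value is given` while the defaults being added are `null`, and that null flows straight into the `locals` map in `redis_config.tf` on this page as `TFE_REDIS_CA_CERT_PATH = null`; whether the serialization of that map renders null as an empty string, drops the key, or fails is decided outside this hunk. Either make the code match the documented contract with `default = ""` for the three path variables, or change each description to `Defaults to null if no value is given.` and confirm the map consumer tolerates a null value. `redis_use_mtls` with `default = false` does match its description, and placing `default` after `description` here is the reverse of the `default`/`type`/`description` order used by the other modules on this page.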