Add support redis mtls for TFE init/setting #174

Open
wants to merge 8 commits into
base: main
5 changes: 5 additions & 0 deletions modules/runtime_container_engine_config/main.tf
Expand Up @@ -83,6 +83,11 @@ locals {
source = "/etc/tfe/ssl"
target = "/etc/ssl/private/terraform-enterprise"
},
{
type = "bind"
source = "/etc/tfe/ssl/redis"
target = "/etc/ssl/private/terraform-enterprise/redis"
},
{
type = "volume"
source = "terraform-enterprise-cache"
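Review bot: The new bind of `/etc/tfe/ssl/redis` is nested inside a target the preceding entry already covers — `/etc/tfe/ssl` is bound at `/etc/ssl/private/terraform-enterprise`, so `/etc/tfe/ssl/redis` is already visible at `/etc/ssl/private/terraform-enterprise/redis` without this mount. Worse, the mount is unconditional while the init script only creates `/etc/tfe/ssl/redis` on the mTLS path; with the long `type = "bind"` syntax Compose appears to refuse to start when the host path does not exist, so deployments with mTLS off could fail to boot. Either drop the entry, or make it conditional on the mTLS flag and have the init script create the directory in both branches. The `locals` block this list lives in begins and ends outside the hunk.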
4 changes: 4 additions & 0 deletions modules/runtime_container_engine_config/redis_config.tf
Expand Up @@ -13,6 +13,10 @@ locals {
TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
TFE_REDIS_SENTINEL_PASSWORD = var.redis_sentinel_password
TFE_REDIS_SENTINEL_USERNAME = var.redis_sentinel_user
TFE_REDIS_CA_CERT_PATH = var.redis_ca_cert_path
TFE_REDIS_CLIENT_CERT_PATH = var.redis_client_cert_path
TFE_REDIS_CLIENT_KEY_PATH = var.redis_client_key_path
TFE_REDIS_USE_MTLS = var.redis_use_mtls
}
redis_configuration = local.active_active ? local.redis : {}
}
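Review bot: `TFE_REDIS_CA_CERT_PATH`, `TFE_REDIS_CLIENT_CERT_PATH` and `TFE_REDIS_CLIENT_KEY_PATH` are passed through verbatim, yet nothing ties them to where the certificates actually land — the init module writes them under `/etc/tfe/ssl/redis` on the host, and `main.tf` in this module exposes that directory inside the container at `/etc/ssl/private/terraform-enterprise/redis`, so a caller who passes the host path gets a container that cannot find its certificates. Consider a comment on these three entries such as `# Container-side paths; the host dir /etc/tfe/ssl/redis is mounted at /etc/ssl/private/terraform-enterprise/redis`, or defaulting them to the mounted `cacert.pem`/`cert.pem`/`key.pem` locations when mTLS is on. `TFE_REDIS_USE_MTLS` is assigned the raw bool, whereas the settings module renders `"1"`/`"0"`; if the existing `TFE_REDIS_USE_TLS` entry (above this hunk) normalizes to a string, this one should match it.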
19 changes: 19 additions & 0 deletions modules/runtime_container_engine_config/variables.tf
Expand Up @@ -209,6 +209,25 @@ variable "redis_use_tls" {
description = "Whether or not to use TLS to access Redis. Defaults to false if no value is given."
}

variable "redis_ca_cert_path" {
type = string
description = "Path to a file containing the CA certificate for Redis TLS connections. Leave blank to not use a CA certificate for Redis TLS connections. Defaults to \"\" if no value is given."
}
variable "redis_client_cert_path" {
type = string
description = "Path to a file containing the client certificate for Redis TLS connections. Leave blank to not use a client certificate for Redis TLS connections. Defaults to \"\" if no value is given."
}

variable "redis_client_key_path" {
type = string
description = "Path to a file containing the client key for Redis TLS connections. Leave blank to not use a client key for Redis TLS connections. Defaults to \"\" if no value is given."
}

variable "redis_use_mtls" {
type = bool
description = "Whether or not to use mutual TLS to access Redis. Defaults to false if no value is given."
}

variable "redis_user" {
type = string
description = "Redis server user. Leave blank to not use a user when authenticating. Defaults to \"\" if no value is given."
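Review bot: Each new variable's description promises a default (`Defaults to "" if no value is given`, `Defaults to false`) that the declaration does not provide, so every consumer of this module must now pass all four values even when mTLS is off, and an omitted one is a plan-time error rather than the documented fallback. The same descriptions also say "Leave blank to not use", which contradicts the settings module's "(Required when redis_use_mtls is true)" for the same inputs. If the module's other `redis_*` variables (cut off above) deliberately omit defaults, reword the descriptions to say the values are required; otherwise add `default = ""` to the three path variables and `default = false` to `redis_use_mtls` so the text and the schema agree.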
4 changes: 4 additions & 0 deletions modules/settings/tfe_redis_config.tf
Expand Up @@ -22,6 +22,10 @@ locals {
redis_use_tls = {
value = var.redis_use_tls != null ? var.redis_use_tls ? "1" : "0" : null
}

redis_use_mtls = {
value = var.redis_use_mtls != null ? var.redis_use_mtls ? "1" : "0" : null
}
}

redis_configuration = var.production_type == "active-active" ? local.redis_configs : {}
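Review bot: `redis_use_mtls` is added to `redis_configs`, but the three path variables this PR declares in the settings module (`redis_ca_cert_path`, `redis_client_cert_path`, `redis_client_key_path`) are not written into the map anywhere in this hunk, so on the settings path TFE is told to use mTLS without being told where the certificates are — unless they are wired elsewhere in the file, add `redis_ca_cert_path = { value = var.redis_ca_cert_path }`, `redis_client_cert_path = { value = var.redis_client_cert_path }` and `redis_client_key_path = { value = var.redis_client_key_path }` next to this entry. There is also no guard that `redis_use_tls` is true when `redis_use_mtls` is; a `precondition` or `check` block asserting `!coalesce(var.redis_use_mtls, false) || coalesce(var.redis_use_tls, false)` would fail fast instead of producing a config that requests client certificates on a plaintext connection. The enclosing `locals` block starts outside the hunk.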
24 changes: 24 additions & 0 deletions modules/settings/variables.tf
Expand Up @@ -266,6 +266,30 @@ variable "redis_use_tls" {
description = "Redis service requires TLS. If true, the external Redis instance will use port 6380, otherwise 6379."
}

variable "redis_use_mtls" {
default = null
type = bool
description = "Redis service requires mutual TLS authentication. If true, the external Redis instance will use TLS certs for authentication."
}

variable "redis_ca_cert_path" {
default = null
type = string
description = "(Required when redis_use_mtls is true) The path to the CA certificate file for the Redis instance."
}

variable "redis_client_cert_path" {
default = null
type = string
description = "(Required when redis_use_mtls is true) The path to the client certificate file for the Redis instance."
}

variable "redis_client_key_path" {
default = null
type = string
description = "(Required when redis_use_mtls is true) The path to the client key file for the Redis instance."
}

# ------------------------------------------------------
# Mounted Disk
# ------------------------------------------------------
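Review bot: The three path variables say "(Required when redis_use_mtls is true)" but nothing enforces it, and `redis_use_mtls` does not mention that `redis_use_tls` must also be set, so a caller can enable mTLS with `redis_use_tls = false` and no paths and only learn about it from TFE at runtime. Reword the flag's description to `Redis service requires mutual TLS authentication. Requires redis_use_tls = true and the redis_ca_cert_path, redis_client_cert_path and redis_client_key_path variables.`, and state on each path that it is the path as seen from inside the TFE container, since that is what the runtime config forwards. If the module is on Terraform ≥ 1.9, a `validation` block on the paths referencing `var.redis_use_mtls` can enforce the requirement at plan time.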
17 changes: 16 additions & 1 deletion modules/tfe_init/main.tf
Expand Up @@ -7,6 +7,12 @@ locals {
tls_bootstrap_cert_pathname = "${local.tls_bootstrap_path}/cert.pem"
tls_bootstrap_key_pathname = "${local.tls_bootstrap_path}/key.pem"
tls_bootstrap_ca_pathname = "${local.tls_bootstrap_path}/bundle.pem"

redis_bootstrap_path = "/etc/tfe/ssl/redis"
redis_bootstrap_cert_pathname = "${local.redis_bootstrap_path}/cert.pem"
redis_bootstrap_key_pathname = "${local.redis_bootstrap_path}/key.pem"
redis_bootstrap_ca_pathname = "${local.redis_bootstrap_path}/cacert.pem"

user_data_template = {
aws = {
ubuntu = {
Expand Down Expand Up @@ -62,10 +68,19 @@ locals {
tls_bootstrap_ca_pathname = local.tls_bootstrap_ca_pathname
docker_compose = var.docker_compose_yaml
podman_kube_config = var.podman_kube_yaml

ca_certificate_secret_id = var.ca_certificate_secret_id
certificate_secret_id = var.certificate_secret_id
key_secret_id = var.key_secret_id

enable_redis_mtls = var.enable_redis_mtls
redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
redis_certificate_secret_id = var.redis_client_certificate_secret_id
redis_client_key_secret_id = var.redis_client_key_secret_id

redis_bootstrap_cert_pathname = local.redis_bootstrap_cert_pathname
redis_bootstrap_key_pathname = local.redis_bootstrap_key_pathname
redis_bootstrap_ca_pathname = local.redis_bootstrap_ca_pathname

proxy_ip = var.proxy_ip
proxy_port = var.proxy_port
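Review bot: The template variable is named `redis_certificate_secret_id` while the module input it maps from is `redis_client_certificate_secret_id`, and the sibling entries keep the `client` qualifier (`redis_client_key_secret_id`); renaming the template var to `redis_client_certificate_secret_id = var.redis_client_certificate_secret_id` avoids two names for one secret. The CA file is called `cacert.pem` while the existing TLS bootstrap uses `bundle.pem`; a one-line comment on `redis_bootstrap_ca_pathname` saying whether this is expected to be a single CA cert or a full chain would help operators. Note that these are host paths and are only consumed by the AWS/Ubuntu/Docker template in this PR; the other entries of `user_data_template` (cut off below) will silently ignore them.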
29 changes: 29 additions & 0 deletions modules/tfe_init/templates/aws.ubuntu.docker.tfe.sh.tpl
Expand Up @@ -53,6 +53,15 @@ echo $certificate_data_b64 | base64 --decode > ${tls_bootstrap_cert_pathname}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapCert configuration" | tee -a $log_pathname
%{ endif ~}

%{ if enable_redis_mtls == true ~}


Do we need to do this for azure and gcp as well?


Ideally yes, just enabling it for AWS for our internal tests

echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisCertBootstrap" | tee -a $log_pathname
redis_certificate_data_b64=$(get_base64_secrets ${redis_certificate_secret_id})
mkdir -p $(dirname ${redis_bootstrap_cert_pathname})
echo $redis_certificate_data_b64 | base64 --decode > ${redis_bootstrap_cert_pathname}
%{ else ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping RedisCertBootstrap configuration" | tee -a $log_pathname
%{ endif ~}

%{ if key_secret_id != null ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure TlsBootstrapKey" | tee -a $log_pathname
key_data_b64=$(get_base64_secrets ${key_secret_id})
Expand All @@ -62,6 +71,17 @@ chmod 0600 ${tls_bootstrap_key_pathname}
%{ else ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
%{ endif ~}

%{ if redis_client_key_secret_id != null ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisKeyBootstrap" | tee -a $log_pathname
redis_key_data_b64=$(get_base64_secrets ${redis_client_key_secret_id})
mkdir -p $(dirname ${redis_bootstrap_key_pathname})
echo $redis_key_data_b64 | base64 --decode > ${redis_bootstrap_key_pathname}
chmod 0600 ${redis_bootstrap_key_pathname}
%{ else ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
%{ endif ~}

ca_certificate_directory="/dev/null"
ca_certificate_directory=/usr/local/share/ca-certificates/extra
ca_cert_filepath="$ca_certificate_directory/tfe-ca-certificate.crt"
Expand All @@ -74,6 +94,15 @@ echo $ca_certificate_data_b64 | base64 --decode > $ca_cert_filepath
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping CA certificate configuration" | tee -a $log_pathname
%{ endif ~}

%{ if redis_ca_certificate_secret_id != null ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure Redis CA cert" | tee -a $log_pathname
redis_ca_certificate_data_b64=$(get_base64_secrets ${redis_ca_certificate_secret_id})
mkdir -p $(dirname ${redis_bootstrap_ca_pathname})
echo $redis_ca_certificate_data_b64 | base64 --decode > ${redis_bootstrap_ca_pathname}
%{ else ~}
echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping Redis CA certificate configuration" | tee -a $log_pathname
%{ endif ~}

if [ -f "$ca_cert_filepath" ]
then
update-ca-certificates
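Review bot: The Redis client key is written to `${redis_bootstrap_key_pathname}` under the shell's default umask and only then `chmod 0600`, so there is a window in which the private key is world-readable; wrapping the write as `(umask 077; echo "$redis_key_data_b64" | base64 --decode > ${redis_bootstrap_key_pathname})` closes it (the existing TLS key block above has the same pattern). The three Redis files are gated inconsistently — the client cert on `enable_redis_mtls`, the key and CA on their secret IDs being non-null — so `enable_redis_mtls = true` with a null `redis_certificate_secret_id` appears to hand a null value to `templatefile`, while a key secret alone is written even when mTLS is off; gating all three on `enable_redis_mtls` together with a non-null ID would make the behaviour predictable. The else branch of the key block logs `Skipping TlsBootstrapKey configuration`, a copy-paste from the TLS block; it should read `Skipping RedisKeyBootstrap configuration`.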
25 changes: 24 additions & 1 deletion modules/tfe_init/variables.tf
@@ -1,6 +1,12 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

variable "enable_redis_mtls" {
default = false
type = bool
description = "Should Redis mTLS be enabled? This requires the redis_ca_certificate_secret_id, redis_client_key_secret_id and redis_client_certificate_secret_id variables to be set."
}

variable "ca_certificate_secret_id" {
default = null
type = string
Expand All @@ -13,6 +19,18 @@ variable "certificate_secret_id" {
description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
}

variable "redis_ca_certificate_secret_id" {
default = null
type = string
description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate of a certificate authority (CA) to be trusted by the TFE instance(s)."
}

variable "redis_client_certificate_secret_id" {
default = null
type = string
description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
}

variable "cloud" {
default = null
type = string
Expand Down Expand Up @@ -89,7 +107,6 @@ variable "key_secret_id" {
description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
}


variable "operational_mode" {
default = null
description = "A special string to control the operational mode of Terraform Enterprise. Valid values are: 'external' for External Services mode; 'disk' for Mounted Disk mode; 'active-active' for Active/Active mode."
Expand All @@ -112,6 +129,12 @@ variable "proxy_port" {
description = "Port that the proxy server will use"
}

variable "redis_client_key_secret_id" {
default = null
type = string
description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
}

variable "registry" {
default = null
type = string
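Review bot: The descriptions of `redis_ca_certificate_secret_id`, `redis_client_certificate_secret_id` and `redis_client_key_secret_id` are copied from the TFE server-TLS variables ("public certificate for the TFE instance(s)", "private key for the TFE instance(s)") and no longer describe what the secrets are for. Suggested wording: for the CA, `A secret ID which contains the Base64 encoded PEM certificate of the CA that issued the Redis server certificate; used by TFE to verify the Redis endpoint.`; for the client cert, `... the PEM client certificate TFE presents to Redis when redis mTLS is enabled.`; for the key, `... the PEM private key for the Redis client certificate.`. `enable_redis_mtls` says the three IDs are required but nothing validates it; at minimum mention that an unset ID is skipped silently by the init script rather than rejected.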