keyring: infrastructure for E2E testing of external KMS

In #23580 we're implementing support for encrypting Nomad's key material with external KMS providers or Vault Transit. This changeset breaks out the E2E infrastructure and testing from that PR to keep the review manageable. Ref: https://hashicorp.atlassian.net/browse/NET-10334 Ref: #14852 Ref: #23580
hashicorp · Jul 17, 2024 · c178ddd · c178ddd
1 parent 0f2ca08
commit c178ddd
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 1 deletion.
diff --git a/e2e/terraform/etc/nomad.d/server-linux.hcl b/e2e/terraform/etc/nomad.d/server-linux.hcl
@@ -5,3 +5,13 @@ server {
   enabled          = true
   bootstrap_expect = 3
 }
+
+keyring "awskms" {
+  active     = true
+  region     = "${aws_region}"
+  kms_key_id = "${aws_kms_key_id}"
+}
+
+keyring "aead" {
+  active = false
+}
diff --git a/e2e/terraform/main.tf b/e2e/terraform/main.tf
@@ -28,3 +28,7 @@ module "keys" {
   source  = "mitchellh/dynamic-keys/aws"
   version = "v2.0.0"
 }
+
+data "aws_kms_alias" "e2e" {
+  name = "alias/${var.aws_kms_alias}"
+}
diff --git a/e2e/terraform/nomad.tf b/e2e/terraform/nomad.tf
@@ -18,6 +18,9 @@ module "nomad_server" {
   tls_ca_key    = tls_private_key.ca.private_key_pem
   tls_ca_cert   = tls_self_signed_cert.ca.cert_pem
 
+  aws_region     = var.region
+  aws_kms_key_id = data.aws_kms_alias.e2e.target_key_id
+
   connection = {
     type        = "ssh"
     user        = "ubuntu"

diff --git a/e2e/terraform/provision-nomad/main.tf b/e2e/terraform/provision-nomad/main.tf
@@ -26,7 +26,10 @@ resource "local_sensitive_file" "nomad_base_config" {
 }
 
 resource "local_sensitive_file" "nomad_role_config" {
-  content         = templatefile("etc/nomad.d/${var.role}-${var.platform}.hcl", {})
+  content = templatefile("etc/nomad.d/${var.role}-${var.platform}.hcl", {
+    aws_region     = var.aws_region
+    aws_kms_key_id = var.aws_kms_key_id
+  })
   filename        = "${local.upload_dir}/nomad.d/${var.role}.hcl"
   file_permission = "0600"
 }

diff --git a/e2e/terraform/provision-nomad/variables.tf b/e2e/terraform/provision-nomad/variables.tf
@@ -73,3 +73,14 @@ variable "connection" {
   })
   description = "ssh connection information for remote target"
 }
+
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "aws_kms_key_id" {
+  type        = string
+  description = "AWS KMS key ID for encrypting and decrypting the Nomad keyring"
+  default     = ""
+}
diff --git a/e2e/terraform/variables.tf b/e2e/terraform/variables.tf
@@ -87,6 +87,12 @@ variable "hcp_vault_namespace" {
   default     = "admin"
 }
 
+variable "aws_kms_alias" {
+  description = "The alias for the AWS KMS key ID"
+  type        = string
+  default     = "kms-nomad-keyring"
+}
+
 # ----------------------------------------
 # If you want to deploy multiple versions you can use these variables to
 # provide a list of builds to override the values of nomad_sha, nomad_version,