Merge remote-tracking branch 'remotes/from/ce/main'

Author: hc-github-team-secure-vault-core

enos/enos-modules.hcl

@@ -361,6 +361,7 @@ module "vault_verify_secrets_engines_read" {
 module "vault_verify_secrets_engines_delete" {
   source = "./modules/verify_secrets_engines/modules/delete"
 
+  ldap_enabled      = var.verify_ldap_secrets_engine
   vault_install_dir = var.vault_install_dir
 }
 

enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf

@@ -118,3 +118,163 @@ resource "enos_remote_exec" "ldap_setup" {
     }
   }
 }
+
+# Configure LDAP secrets engine (separate from auth backend)
+resource "enos_remote_exec" "ldap_secrets_config" {
+  depends_on = [
+    enos_remote_exec.secrets_enable_ldap_secret,
+    enos_remote_exec.ldap_setup,
+  ]
+
+  environment = {
+    MOUNT             = local.ldap_output.ldap_mount
+    LDAP_SERVER       = local.ldap_output.host.private_ip
+    LDAP_PORT         = local.ldap_output.port
+    LDAP_USERNAME     = local.ldap_output.username
+    LDAP_ADMIN_PW     = local.ldap_output.pw
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-secrets-config.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Create a new Library set of service accounts
+# Test Case: Service Account Library - Create a new Library set of service accounts
+resource "enos_remote_exec" "ldap_library_set_create" {
+  depends_on = [
+    enos_remote_exec.ldap_secrets_config,
+  ]
+
+  environment = {
+    REQPATH = "${local.ldap_output.ldap_mount}/library/test-set"
+    PAYLOAD = jsonencode({
+      service_account_names        = "fizz"
+      ttl                          = "10h"
+      max_ttl                      = "20h"
+      disable_check_in_enforcement = false
+    })
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Update Library configuration
+# Test Case: Modify library settings and accounts - Update library configuration and associated service accounts
+resource "enos_remote_exec" "ldap_library_set_update" {
+  depends_on = [
+    enos_remote_exec.ldap_library_set_create,
+  ]
+
+  environment = {
+    REQPATH = "${local.ldap_output.ldap_mount}/library/test-set"
+    PAYLOAD = jsonencode({
+      service_account_names        = "fizz,buzz"
+      ttl                          = "12h"
+      max_ttl                      = "15h"
+      disable_check_in_enforcement = true
+    })
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Check-out Service Account
+# Test Case: Check-out Service Account - Borrow service accounts for temporary use
+resource "enos_remote_exec" "ldap_library_checkout_default_ttl" {
+  depends_on = [
+    enos_remote_exec.ldap_library_set_update,
+  ]
+
+  environment = {
+    REQPATH           = "${local.ldap_output.ldap_mount}/library/test-set/check-out"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Check-out with Custom TTL
+# Test Case: Check-out with Custom TTL - Borrow with specific lease duration
+resource "enos_remote_exec" "ldap_library_checkout_custom_ttl" {
+  depends_on = [
+    enos_remote_exec.ldap_library_checkout_default_ttl,
+  ]
+
+  environment = {
+    REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-out"
+    PAYLOAD = jsonencode({
+      ttl = "2h"
+    })
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Self Check-in (Explicit)
+# Test Case: Self Check-in (Explicit) - Return your checked-out account
+resource "enos_remote_exec" "ldap_library_self_checkin" {
+  depends_on = [
+    enos_remote_exec.ldap_library_checkout_custom_ttl,
+  ]
+
+  environment = {
+    REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-in"
+    PAYLOAD = jsonencode({
+      service_account_names = "fizz,buzz"
+    })
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}

enos/modules/verify_secrets_engines/modules/delete/ldap.tf

@@ -0,0 +1,25 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+// Delete LDAP library set
+// Test Case: Delete Library Set - Delete a library & all associated service accounts
+resource "enos_remote_exec" "ldap_library_set_delete" {
+  count = var.ldap_enabled ? 1 : 0
+
+  environment = {
+    REQPATH           = "${try(var.create_state.ldap, null) != null ? var.create_state.ldap.ldap_mount : "ldap"}/library/test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_TOKEN       = var.vault_root_token
+    VAULT_INSTALL_DIR = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/delete.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+

enos/modules/verify_secrets_engines/modules/delete/main.tf

@@ -53,3 +53,9 @@ variable "verify_ssh_secrets" {
   description = "Flag to verify SSH secrets"
   default     = true
 }
+
+variable "ldap_enabled" {
+  type        = bool
+  description = "Whether or not we'll verify the LDAP secrets engine"
+  default     = false
+}

enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf

@@ -74,6 +74,12 @@ variable "enable_auth_verification" {
   default     = true
 }
 
+variable "enable_rollback_verification" {
+  type        = bool
+  description = "Enable LDAP secrets engine rollback verification"
+  default     = true
+}
+
 resource "enos_remote_exec" "ldap_verify_auth" {
   count = var.enable_auth_verification ? 1 : 0
   environment = {
@@ -147,12 +153,6 @@ resource "enos_remote_exec" "ldap_verify_rotation" {
   }
 }
 
-variable "enable_rollback_verification" {
-  type        = bool
-  description = "Enable LDAP secrets engine rollback verification"
-  default     = true
-}
-
 # Configure and verify LDAP secrets engine rollback behavior
 resource "enos_remote_exec" "ldap_verify_rollback" {
   count = var.enable_rollback_verification ? 1 : 0
@@ -185,4 +185,119 @@ resource "enos_remote_exec" "ldap_verify_rollback" {
   }
 }
 
+# Read Library configuration
+# Test Case: Read Library configuration - Read the library set details
+resource "enos_remote_exec" "ldap_library_set_read" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library/test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/read.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# List all library sets
+# Test Case #5: List all library sets - List all the service account library sets
+resource "enos_remote_exec" "ldap_library_list_all" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/list.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# List library set by name
+# Test Case #6: List library sets by account name - List account details for the given service account set
+resource "enos_remote_exec" "ldap_library_list_set" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library/test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/list.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# List library sets by account name
+# Test Case #7: List library sets by account name - List account details for the given service account
+resource "enos_remote_exec" "ldap_library_list_by_account" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    # Using the service account name from test case #1 (uid=fizz)
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library/fizz"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/list.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Renew Check-out Lease
+# Test Case #10: Renew Check-out Lease - Renew the lease for a checked-out account
+resource "enos_remote_exec" "ldap_library_checkout_lease_renew" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
 
+  environment = {
+    # LEASE_ID will be provided via create_state.ldap from the create module after checkout
+    LEASE_ID          = try(var.create_state.ldap.data.checkout_custom.lease_id, "")
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-lease-renew.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}

enos/modules/verify_secrets_engines/scripts/delete.sh

@@ -18,8 +18,25 @@ binpath="${VAULT_INSTALL_DIR}/vault"
 test -x "$binpath" || fail "unable to locate vault binary at $binpath"
 
 export VAULT_FORMAT=json
-if output=$("$binpath" delete "$REQPATH" 2>&1); then
+
+echo "Vault DELETE request to path: $REQPATH"
+
+set +e
+output=$("$binpath" delete "$REQPATH" 2>&1)
+exit_code=$?
+set -e
+
+# Always print output
+if [ "$exit_code" -eq 0 ]; then
   printf "%s\n" "$output"
 else
-  fail "failed to delete path: $REQPATH out=$output"
+  printf "%s\n" "$output" >&2
+  # Handle expected errors gracefully (idempotent delete)
+  # Exit code 2 typically means "not found" - acceptable for idempotent cleanup
+  if [ "$exit_code" -eq 2 ]; then
+    echo "Note: Path not found (exit code 2), treating as successful cleanup: $REQPATH" >&2
+    exit 0
+  fi
+  # For other errors, fail the test
+  fail "failed to delete path: $REQPATH exit_code=${exit_code}"
 fi