tests: make postgres rootless tests run in CI (#2362)
fairclothjm committed Nov 18, 2024
1 parent 9e0f200 commit 4190748
Showing 5 changed files with 28 additions and 100 deletions.
13 changes: 10 additions & 3 deletions .github/workflows/build.yml
Expand Up @@ -65,9 +65,9 @@ jobs:
image:
- "vault-enterprise:1.14.13-ent"
- "vault-enterprise:1.15.16-ent"
- "vault-enterprise:1.16.11-ent"
- "vault-enterprise:1.17.7-ent"
- "vault-enterprise:1.18.0-ent"
- "vault-enterprise:1.16.12-ent"
- "vault-enterprise:1.17.8-ent"
- "vault-enterprise:1.18.1-ent"
- "vault:latest"
services:
vault:
Expand Down Expand Up @@ -205,7 +205,14 @@ jobs:
MYSQL_CONNECTION_PASSWORD: "mysql"
MONGODB_URL: "mongodb://root:mongodb@mongo:27017/admin?ssl=false"
MSSQL_URL: "sqlserver://sa:${{ secrets.MSSQL_SA_PASSWORD }}@mssql:1433"
# POSTGRES_URL is the standard root conn URL for Vault
POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable"
# POSTGRES_URL_TEST is used by the TFVP test to connect directly to
# the postgres container. Note: the host is "localhost" because the
# TFVP tests do not run in the same docker network.
POSTGRES_URL_TEST: "postgres://postgres:secret@localhost:5432/database?sslmode=disable"
# POSTGRES_URL_ROOTLESS is used by Vault to connect to the postgres container.
POSTGRES_URL_ROOTLESS: "postgres://{{username}}:{{password}}@postgres:5432/database?sslmode=disable"
COUCHBASE_HOST: couchbase
COUCHBASE_USERNAME: Administrator
COUCHBASE_PASSWORD: password
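Review bot: The three POSTGRES_URL* values added at the end of the env block embed the literal credential `postgres:secret`, while the neighbouring MSSQL_URL reads its password from `${{ secrets.MSSQL_SA_PASSWORD }}`. If `secret` is only the throwaway password of the CI postgres service container (the testutil helper deleted in this commit started its container with `POSTGRES_PASSWORD=secret`, which suggests so), that is acceptable, but it should be stated so that secret-scanner hits can be triaged without reading the test code, e.g. `# "secret" is the ephemeral CI postgres service-container password, not a real credential`. Otherwise move it to a repository secret as the MSSQL entry does. The postgres service definition itself is outside the hunk, so I cannot confirm where that password is set.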
2 changes: 1 addition & 1 deletion .go-version
@@ -1 +1 @@
1.22.3
1.22.9
8 changes: 7 additions & 1 deletion CHANGELOG.md
@@ -1,15 +1,21 @@
## Unreleased

## 4.4.0 (Aug 7, 2024)

FEATURES:

* Update `vault_database_secret_backend_connection` to support inline TLS config for PostgreSQL ([#2339](https://github.com/hashicorp/terraform-provider-vault/pull/2339))
* Update `vault_database_secret_backend_connection` to support skip_verification config for Cassandra ([#2346](https://github.com/hashicorp/terraform-provider-vault/pull/2346))
* Update `vault_approle_auth_backend_role_secret_id` to support `num_uses` and `ttl` fields ([#2345](https://github.com/hashicorp/terraform-provider-vault/pull/2345))
* Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2206](https://github.com/hashicorp/terraform-provider-vault/pull/2206))
* Add support for `allow_empty_principals` field for the `vault_ssh_secret_backend_role` resource ([#2354](https://github.com/hashicorp/terraform-provider-vault/pull/2354))
* Update `vault_gcp_secret_impersonated_account` to support setting `ttl` ([#2318](https://github.com/hashicorp/terraform-provider-vault/pull/2318))
* Add support for `connection_timeout` field for the `vault_ldap_auth_backend` resource ([#2358](https://github.com/hashicorp/terraform-provider-vault/pull/2358))
* Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341))
* Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2226](https://github.com/hashicorp/terraform-provider-vault/pull/2226))

BUGS:

* Remove consul secret backend role from state if not found on vault: ([#2321](https://github.com/hashicorp/terraform-provider-vault/pull/2321))

## 4.4.0 (Aug 7, 2024)

84 changes: 2 additions & 82 deletions testutil/postgresqlhelper.go
Expand Up @@ -6,42 +6,13 @@ package testutil
import (
"context"
"database/sql"
"fmt"
"github.com/hashicorp/vault/sdk/helper/dbtxn"
"github.com/hashicorp/vault/sdk/helper/docker"
"net/url"
"os"
"testing"

_ "github.com/jackc/pgx/v4/stdlib"
)
"github.com/hashicorp/vault/sdk/helper/dbtxn"

const (
defaultPGImage = "docker.mirror.hashicorp.services/postgres"
defaultPGVersion = "13.4-buster"
defaultPGPass = "secret"
_ "github.com/jackc/pgx/v4/stdlib"
)

func defaultRunOpts(t *testing.T) docker.RunOptions {
return docker.RunOptions{
ContainerName: "postgres",
ImageRepo: defaultPGImage,
ImageTag: defaultPGVersion,
Env: []string{
"POSTGRES_PASSWORD=" + defaultPGPass,
"POSTGRES_DB=database",
},
Ports: []string{"5432/tcp"},
DoNotAutoRemove: false,
OmitLogTimestamps: true,
LogConsumer: func(s string) {
if t.Failed() {
t.Logf("container logs: %s", s)
}
},
}
}

func CreateTestPGUser(t *testing.T, connURL string, username, password, query string) {
t.Helper()
t.Logf("[TRACE] Creating test user")
Expand Down Expand Up @@ -74,54 +45,3 @@ func CreateTestPGUser(t *testing.T, connURL string, username, password, query st
t.Fatal(err)
}
}

func PrepareTestContainerSelfManaged(t *testing.T) (func(), *url.URL) {
return prepareTestContainerSelfManaged(t, defaultRunOpts(t), defaultPGPass, true, false, false)
}

func prepareTestContainerSelfManaged(t *testing.T, runOpts docker.RunOptions, password string, addSuffix, forceLocalAddr, useFallback bool,
) (func(), *url.URL) {
if os.Getenv("PG_URL") != "" {
return func() {}, nil
}

runner, err := docker.NewServiceRunner(runOpts)
if err != nil {
t.Fatalf("Could not start docker Postgres: %s", err)
}

svc, _, err := runner.StartNewService(context.Background(), addSuffix, forceLocalAddr, connectPostgres(password, runOpts.ImageRepo, useFallback))
if err != nil {
t.Fatalf("Could not start docker Postgres: %s", err)
}

return svc.Cleanup, svc.Config.URL()
}

func connectPostgres(password, repo string, useFallback bool) docker.ServiceAdapter {
return func(ctx context.Context, host string, port int) (docker.ServiceConfig, error) {
hostAddr := fmt.Sprintf("%s:%d", host, port)
if useFallback {
// set the first host to a bad address so we can test the fallback logic
hostAddr = "localhost:55," + hostAddr
}
u := url.URL{
Scheme: "postgres",
User: url.UserPassword("postgres", password),
Host: hostAddr,
Path: "postgres",
RawQuery: "sslmode=disable",
}

db, err := sql.Open("pgx", u.String())
if err != nil {
return nil, err
}
defer db.Close()

if err = db.Ping(); err != nil {
return nil, err
}
return docker.NewServiceURL(u), nil
}
}
21 changes: 8 additions & 13 deletions vault/resource_database_secret_backend_static_role_test.go
Expand Up @@ -7,10 +7,11 @@ import (
"context"
"database/sql"
"fmt"
"github.com/hashicorp/terraform-provider-vault/internal/consts"
"os"
"testing"

"github.com/hashicorp/terraform-provider-vault/internal/consts"

_ "github.com/go-sql-driver/mysql"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
Expand Down Expand Up @@ -152,13 +153,12 @@ func TestAccDatabaseSecretBackendStaticRole_rotationSchedule(t *testing.T) {

// TestAccDatabaseSecretBackendStaticRole_Rootless tests the
// Rootless Config and Rotation flow for Static Roles.
// This test sets up a PGX container and creates static users
// in the DB to test the workflow.
// Currently only runs locally; Vault CI is unable to talk
// to the PGX Docker container due to network issues.
// To run locally you will need to set the following env vars:
// - POSTGRES_URL_TEST
// - POSTGRES_URL_ROOTLESS
func TestAccDatabaseSecretBackendStaticRole_Rootless(t *testing.T) {
// TODO enable test to run in CI
testutil.SkipTestEnvUnset(t, "PGX_ROOTLESS_ROTATION")
connURLTestRoot := testutil.SkipTestEnvUnset(t, "POSTGRES_URL_TEST")[0]
connURL := testutil.SkipTestEnvUnset(t, "POSTGRES_URL_ROOTLESS")[0]

backend := acctest.RandomWithPrefix("tf-test-db")
username := acctest.RandomWithPrefix("user")
Expand All @@ -172,13 +172,8 @@ CREATE ROLE "{{name}}" WITH
PASSWORD '{{password}}';
`

cleanup, pgxURL := testutil.PrepareTestContainerSelfManaged(t)
defer cleanup()

connURL := fmt.Sprintf("postgresql://{{username}}:{{password}}@%s/postgres?sslmode=disable", pgxURL.Host)

// create static database user
testutil.CreateTestPGUser(t, pgxURL.String(), username, "testpassword", testRoleStaticCreate)
testutil.CreateTestPGUser(t, connURLTestRoot, username, "testpassword", testRoleStaticCreate)

resource.Test(t, resource.TestCase{
ProviderFactories: providerFactories,
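Review bot: The database role created by `testutil.CreateTestPGUser(t, connURLTestRoot, username, "testpassword", testRoleStaticCreate)` in the last hunk is never dropped: the removed `defer cleanup()` used to discard the whole self-managed container after each run, whereas against the shared CI service container or a developer's local database the randomly named role now outlives the test, unless CreateTestPGUser registers a t.Cleanup itself (its body is outside this diff). Consider registering `t.Cleanup(func() { /* drop the role over connURLTestRoot */ })` right after the create call, or moving that teardown into the helper. The rewritten doc comment in the second hunk lists the two env vars but not what they must hold; suggest adding that POSTGRES_URL_TEST is a root connection URL the test uses directly and POSTGRES_URL_ROOTLESS is the `{{username}}:{{password}}` templated URL handed to Vault, as the build.yml comments in this commit describe. The function body continues outside the hunk.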

0 comments on commit 4190748

Please sign in to comment.