hashicorp · HamzaShili65 · Aug 13, 2025 · Aug 13, 2025 · Aug 15, 2025 · Aug 15, 2025
@@ -0,0 +1,58 @@
+---
+name: test
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}-test
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    outputs:
+      linux-amd64-artifact: ${{ steps.outputs.outputs.linux-amd64-artifact }}
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: go.mod
+      - id: build
+        run: |
+          GOOS=linux GOARCH=amd64 make dev
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: vault-plugin-secrets-openldap_linux_amd64
+          path: bin/vault-plugin-secrets-openldap
+          if-no-files-found: error
+          retention-days: 1
+      - id: outputs
+        run: |
+          echo "linux-amd64-artifact=vault-plugin-secrets-openldap_linux_amd64" | tee -a "$GITHUB_OUTPUT"
+
+  scenarios:
+    name: enos scenario
+    needs: build
+    uses: ./.github/workflows/run-sample.yml
+    secrets: inherit
+    with:
+      sample-name: build_ent_linux_amd64_deb
+      download: ${{ needs.build.outputs.linux-amd64-artifact }}
+      max: 1
+
+  completed-successfully:
+    if: always()
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - scenarios
+    steps:
+      - id: status
+        name: Determine status
+        run: |
+          results=$(tr -d '\n' <<< '${{ toJSON(needs.*.result) }}')
+          if ! grep -q -v -E '(failure|cancelled)' <<< "$results"; then
+            exit 1
+          fi
@@ -0,0 +1,69 @@
+---
+name: run-samples
+
+on:
+  workflow_dispatch:
+    inputs:
+      max:
+        description: The maximum number of scenarios to sample
+        type: number
+        default: 8
+      min:
+        description: The minimum number of scenarios to sample
+        type: number
+        default: 1
+      sample-name:
+        description: The sample name
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      download:
+        description: The name of the artifact to download
+        type: string
+        required: true
+      max:
+        description: The maximum number of scenarios to sample
+        type: number
+        default: 8
+      min:
+        description: The minimum number of scenarios to sample
+        type: number
+        default: 1
+      sample-name:
+        description: The sample name
+        required: true
+        type: string
+
+jobs:
+  sample:
+    name: sample observe
+    runs-on: ubuntu-latest
+    outputs:
+      sample: ${{ steps.metadata.outputs.sample }}
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: hashicorp/action-setup-enos@v1
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - id: metadata
+        run: |
+          sample_seed=$(date +%s%N)
+          sample=$(enos scenario sample observe ${{ inputs.sample-name }} --chdir ./enos --min ${{ inputs.min }} --max ${{ inputs.max }} --seed "${sample_seed}" --format json | jq -c ".observation.elements")
+          {
+            echo "sample=${sample}"
+            echo "sample-seed=${sample_seed}" # This isn't used outside of here but is nice to know for duplicating observations
+          } | tee -a "$GITHUB_OUTPUT"
+
+  run:
+    needs: sample
+    name: run ${{ matrix.scenario.id.filter }}
+    strategy:
+      fail-fast: false # don't fail as that can skip required cleanup steps for jobs
+      matrix:
+        include: ${{ fromJSON(needs.sample.outputs.sample) }}
+    uses: ./.github/workflows/run-scenario.yml
+    secrets: inherit
+    with:
+      scenario-filter: ${{ matrix.scenario.id.filter }}
+      download: ${{ inputs.download }}
@@ -0,0 +1,127 @@
+---
+name: run-scenario
+
+on:
+  workflow_dispatch:
+    inputs:
+      scenario-filter:
+        description: The filter of the scenario to run
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      download:
+        type: string
+        required: false
+      scenario-filter:
+        required: true
+        type: string
+
+jobs:
+  run:
+    name: ${{ inputs.scenario-filter }}
+    runs-on: ubuntu-latest
+    env:
+      ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos/logs
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          # The github actions service user creds for this account managed in hashicorp/enos-ci
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: "us-east-1"
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-skip-session-tagging: true
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          # the terraform wrapper will break terraform execution in enos because
+          # it changes the output to text when we expect it to be JSON.
+          terraform_wrapper: false
+      - uses: hashicorp/action-setup-enos@v1
+        with:
+          github-token:
+            ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Set up support files
+        run: |
+          mkdir -p enos/support
+          mkdir -p enos/support/vault-plugins
+          echo "${{ secrets.ENOS_CI_SSH_KEY }}" > enos/support/enos-ci-ssh-key.pem
+          echo "${{ secrets.VAULT_LICENSE }}" > enos/support/vault.hclic
+          chmod 600 enos/support/enos-ci-ssh-key.pem
+          chmod 600 enos/support/vault.hclic
+      - name: Download plugin artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          path: dist
+          name: ${{ inputs.download }}
+      - run: chmod +x ./dist/*
+      - name: Export OpenLDAP plugin vars
+        run: |
+          # Configure input environment variables.
+          {
+            echo "GITHUB_TOKEN=${ { steps.secrets.outputs.github-token } }"
+            echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
+            echo "ENOS_VAR_artifactory_token=${ { steps.secrets.outputs.artifactory-token } }"
+            echo "ENOS_VAR_artifactory_host=https://artifactory.hashicorp.engineering/artifactory"
+            echo "ENOS_VAR_artifactory_repo=hashicorp-crt-stable-local*"
+            echo "ENOS_VAR_aws_region="us-east-1"
+            echo "ENOS_VAR_aws_ssh_keypair_name=${ { inputs.ssh-key-name } }"
+            echo "ENOS_VAR_aws_ssh_private_key_path=./support/private_key.pem"
+            echo "ENOS_VAR_project_name=vault-openldap-se-enos-integration"
+            echo "ENOS_VAR_backend_license_path=./support/vault.hclic"
+            echo "ENOS_VAR_distro_version_amzn=2"
+            echo "ENOS_VAR_distro_version_ubuntu=22.04"
+            echo "ENOS_VAR_tags={\"Project Name\":\"Vault\",\"Something Cool\":\"Value\"}"
+            echo "ENOS_VAR_terraform_plugin_cache_dir=./support/terraform-plugin-cache"
+            echo "ENOS_VAR_vault_artifact_path=./support/downloads/${ { inputs.build-artifact-name } }"
+            echo "ENOS_VAR_vault_artifact_type=bundle"
+            echo "ENOS_VAR_vault_build_date=${ { needs.metadata.outputs.build-date } }"
+            echo "ENOS_VAR_vault_license_path=./support/vault.hclic"
+            echo "ENOS_VAR_vault_product_version=${ { needs.metadata.outputs.vault-version } }"
+            echo "ENOS_VAR_vault_revision=${ { inputs.vault-revision } }"
+            echo "ENOS_VAR_vault_enable_audit_devices=true"
+            echo "ENOS_VAR_vault_install_dir=/opt/vault/bin"
+            echo "ENOS_VAR_vault_instance_type=t3.small"
+            echo "ENOS_VAR_vault_log_level=trace"
+            echo "ENOS_VAR_verify_aws_secrets_engine=false"
+            echo "ENOS_VAR_verify_log_secrets=true"
+
+            # Default LDAP settings from enos.vars.hcl
+            echo "ENOS_VAR_plugin_name=vault-plugin-secrets-openldap"
+            echo "ENOS_VAR_plugin_dest_dir=$(pwd)/enos/support/vault-plugins"
+            echo "ENOS_VAR_ldap_artifact_path=$(pwd)/dist/${{ inputs.download }}"
+            echo "ENOS_VAR_makefile_dir=$(pwd)"
+            echo "ENOS_VAR_plugin_dir_vault=/etc/vault/plugins"
+            echo "ENOS_VAR_plugin_mount_path=local-secrets-ldap"
+            echo "ENOS_VAR_ldap_bind_dn=cn=admin,dc=example,dc=com"
+            echo "ENOS_VAR_ldap_bind_pass=adminpassword"
+            echo "ENOS_VAR_ldap_user_dn=ou=users,dc=example,dc=com"
+            echo "ENOS_VAR_ldap_schema=openldap"
+            echo "ENOS_VAR_ldap_tag=${ { inputs.ldap-tag } }"
+            echo "ENOS_VAR_ldap_revision=${ { inputs.ldap-revision } }"
+            echo "ENOS_VAR_ldap_artifactory_repo=hashicorp-vault-ecosystem-staging-local"
+            echo "ENOS_VAR_ldap_plugin_version=${ { inputs.ldap-plugin-version } }"
+            echo "ENOS_VAR_ldap_base_dn=dc=example,dc=com"
+            echo "ENOS_VAR_ldap_user_role_name=mary"
+            echo "ENOS_VAR_ldap_username=mary.smith"
+            echo "ENOS_VAR_ldap_user_old_password=defaultpassword"
+            echo "ENOS_VAR_ldap_dynamic_user_role_name=adam"
+            echo "ENOS_VAR_dynamic_role_ldif_templates_path=/tmp"
+            echo "ENOS_VAR_library_set_name=dev-team"
+            echo "ENOS_VAR_service_account_names=[ \"staticuser\",\"bob.johnson\",\"mary.smith\" ]"
+            echo "ENOS_VAR_ldap_rotation_period=10"
+            echo "ENOS_VAR_ldap_rotation_window=3600"
+          } | tee -a "$GITHUB_ENV"
+      - run: enos scenario run ${{ inputs.scenario-filter }}
+        working-directory: enos
+      - if: ${{ always() }}
+        run: enos scenario destroy ${{ inputs.scenario-filter }}
+        working-directory: enos
+      - name: Remove enos runtime directories
+        if: ${{ always() }}
+        run: |
+          rm -rf /tmp/enos*
+          rm -rf enos/support
+          rm -rf enos/.enos
+          rm -rf "$HOME/.terraform.d"
@@ -109,6 +109,10 @@ globals {
       Build, register, and enable the Vault plugin.
     EOF
 
+    ldap_config_root_rotation = <<-EOF
+      Test the LDAP secrets engine's config endpoint root rotation functionality.
+    EOF
+
     unseal_vault = <<-EOF
         Unseal the Vault cluster using the configured seal mechanism.
     EOF

@@ -2,12 +2,13 @@
 // SPDX-License-Identifier: MPL-2.0
 
 globals {
-  archs                 = ["amd64", "arm64"]
-  artifact_sources      = ["local", "crt", "artifactory"]
-  ldap_artifact_sources = ["local", "releases", "artifactory"]
-  artifact_types        = ["bundle", "package"]
-  backends              = ["raft"]
-  backend_tag_key       = "VaultStorage"
+  archs                             = ["amd64", "arm64"]
+  artifact_sources                  = ["local", "crt", "artifactory"]
+  ldap_artifact_sources             = ["local", "releases", "artifactory"]
+  ldap_config_root_rotation_methods = ["period", "schedule", "manual"]
+  artifact_types                    = ["bundle", "package"]
+  backends                          = ["raft"]
+  backend_tag_key                   = "VaultStorage"
   build_tags = {
     "ce"               = ["ui"]
     "ent"              = ["ui", "enterprise", "ent"]
@@ -16,26 +17,13 @@ globals {
     "ent.hsm.fips1403" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_3", "ent.hsm.fips1403"]
   }
   config_modes = ["env", "file"]
-  distros      = ["amzn", "leap", "rhel", "sles", "ubuntu"]
+  distros      = ["amzn", "ubuntu"]
   // Different distros may require different packages, or use different aliases for the same package
   distro_packages = {
     amzn = {
       "2"    = ["nc"]
       "2023" = ["nc"]
     }
-    leap = {
-      "15.6" = ["netcat", "openssl"]
-    }
-    rhel = {
-      "8.10" = ["nc"]
-      "9.5"  = ["nc"]
-    }
-    sles = {
-      // When installing Vault RPM packages on a SLES AMI, the openssl package provided
-      // isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
-      // "correctly" named one in our package installation before installing Vault.
-      "15.6" = ["netcat-openbsd", "openssl"]
-    }
     ubuntu = {
       "20.04" = ["netcat"]
       "22.04" = ["netcat"]
@@ -44,19 +32,13 @@ globals {
   }
   distro_version = {
     amzn   = var.distro_version_amzn
-    leap   = var.distro_version_leap
-    rhel   = var.distro_version_rhel
-    sles   = var.distro_version_sles
     ubuntu = var.distro_version_ubuntu
   }
   editions            = ["ce", "ent", "ent.fips1403", "ent.hsm", "ent.hsm.fips1403"]
   enterprise_editions = [for e in global.editions : e if e != "ce"]
   ip_versions         = ["4", "6"]
   package_manager = {
     "amzn"   = "yum"
-    "leap"   = "zypper"
-    "rhel"   = "yum"
-    "sles"   = "zypper"
     "ubuntu" = "apt"
   }
   packages = ["jq"]

@@ -90,6 +90,18 @@ module "restart_vault" {
   vault_install_dir = var.vault_install_dir
 }
 
+module "root_rotation_period" {
+  source = "./modules/root_rotation_period"
+}
+
+module "root_rotation_schedule" {
+  source = "./modules/root_rotation_schedule"
+}
+
+module "root_rotation_manual" {
+  source = "./modules/root_rotation_manual"
+}
+
 module "seal_awskms" {
   source = "git::https://github.com/hashicorp/vault.git//enos/modules/seal_awskms?ref=${var.vault_repo_ref}"
 

@@ -260,7 +260,7 @@ scenario "openldap_leader_change" {
     description = global.description.wait_for_cluster_to_have_leader
     module      = module.vault_wait_for_leader
     depends_on = [step.create_vault_cluster,
-      step.bootstrap_vault_cluster_targets]
+    step.bootstrap_vault_cluster_targets]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -597,7 +597,7 @@ scenario "openldap_leader_change" {
   step "vault_leader_step_down" {
     description = global.description.vault_leader_step_down
     module      = module.vault_step_down
-    depends_on  = [
+    depends_on = [
       step.get_vault_cluster_ips,
       step.test_static_role_crud_api,
       step.test_dynamic_role_crud_api,