Upstream tag v1.13.2 (revision b9b773f16) #47

Closed
wants to merge 231 commits into from


fopina-ci
Collaborator

Integrating latest changes from hashicorp/vault tag v1.13.2

b9b773f backport of commit 1889032 (hashicorp#20352)
9037c26 backport of commit 8856cc1 (hashicorp#20348)
d63cc54 backport of commit 464b9de (hashicorp#20344)
2b244b4 backport of commit a2a3c49 (hashicorp#20345)
4d8b6c8 backport of commit 1c9b5d4 (hashicorp#20339)
3ca228b Backport of enos: always use the initial release during upgrades into release/1.13.x (hashicorp#20329)
71c3a46 backport of commit 788f337 (hashicorp#20325)
02d5fa1 Backport of Add guidelines for agent/server version compatibility into release/1.13.x (hashicorp#20319)
6452228 backport of commit 9ff6ee5 (hashicorp#20313)
e55c713 backport of commit 666ad87 (hashicorp#20311)
05ca6d0 Backport of [QT-525] and [QT-530] into release/1.13.x (hashicorp#20158)
5b6b8fa backport of commit 7baf241 (hashicorp#20297)
cbf312b backport of commit ca70274 (hashicorp#20175)
a764186 backport of commit 33cd7f4 (hashicorp#20298)
9ad11f8 backport of commit 816e182 (hashicorp#20295)
9b2902e backport of commit 166f270 (hashicorp#20292)
ffe7a80 backport of commit 3e663fc (hashicorp#19421)
6a6444e backport of commit b0289d4 (hashicorp#20288)
eece05f backport of commit a9e17c2 (hashicorp#19344)
fc1bbf4 Backport of Add Configurable LDAP Max Page Size into release/1.13.x (hashicorp#20283)
7dcb2ba auth/jwt: update plugin version (hashicorp#20280)
be47e9d backport of UI: OIDC provider logo fix (hashicorp#20269)
5ab43f1 backport of commit 6079166 (hashicorp#20258)
676f8be Backport UI: Remove usage of htmlSafe into release/1.13.x (hashicorp#20256)
758cf75 backport of commit 98786d9 (hashicorp#20250)
51e95bb backport of commit 1ed642d (hashicorp#20242)
ebd2b08 backport of commit eb64287 (hashicorp#20240)
e3705c0 backport of commit ee1bfd2 (hashicorp#20239)
93a62a4 backport of commit b930010 (hashicorp#20236)
6b72596 backport of commit 3faba5d (hashicorp#20233)
a75b190 Disabling License Banners (hashicorp#19116) (hashicorp#20226)
73f8213 Minor follow-ups to hashicorp#16865 (hashicorp#20220) (hashicorp#20222)
d8cf0fe backport of commit d5584b6 (hashicorp#20215)
8a3c372 sdk/ldaputil: add connection_timeout configurable (hashicorp#20144) (hashicorp#20148)
8fc7490 backport of commit 88cbf25 (hashicorp#19900)
004abbf backport of commit ccf9492 (hashicorp#20204)
d7c9d2b backport of commit 249c472 (hashicorp#20203)
b8997a7 backport of commit 17a2827 (hashicorp#20199)
242d8f3 backport of commit b2e1ff5 (hashicorp#20157)
36559a7 backport of commit 8fa5605 (hashicorp#20178)
5846865 Update Go version to 1.20.3 for v1.13.2 (hashicorp#20170)
3ede6c5 backport of commit c95d4fb (hashicorp#20136)
0966c2b backport of commit e78d9a3 (hashicorp#20153)
624ca9b backport of commit fc21d35 (hashicorp#20155)
7cec617 Revert "backport of commit e3c5977 (hashicorp#19629)" (hashicorp#20145)
5d13255 Revert "backport of commit b4fab6a (hashicorp#20117)" (hashicorp#20142)
4fa8fac Revert "backport of commit 4b6ec40 (hashicorp#20118)" (hashicorp#20143)
c110d97 backport of commit bde372d (hashicorp#20133)
a35fd50 Backport of Potentially Malicious Link into release/1.13.x (hashicorp#20124)
209bbd8 backport of commit 5a4a763 (hashicorp#20075)
850872e backport of commit fc783b0 (hashicorp#20120)
ac3b4e4 Backport of UI: fix browser console formatting into release/1.13.x (hashicorp#20088)
4c89e21 Update the HTTP verb for consistency (hashicorp#20056) (hashicorp#20102)
a9d2962 backport of commit 4b6ec40 (hashicorp#20118)
57086ad backport of commit b4fab6a (hashicorp#20117)
8f5ef7c backport of commit 2a3e899 (hashicorp#20106)
1c92321 backport of commit 4b843dc (hashicorp#20093)
0994129 backport of commit ae6f61d (hashicorp#20084)
6108bd1 backport of commit 45d960f (hashicorp#20095)
3d84957 backport of commit 5f8e67d (hashicorp#20090)
f980e0b backport of commit 044efbc (hashicorp#20077)
5eae4ca backport of commit ee40ffc (hashicorp#20074)
e87f04f backport of commit d70c17f (hashicorp#20018)
9bfc9f3 backport of commit 4aca4e8 (hashicorp#20071)
e910f37 Updated the example config with api_addr parameter (hashicorp#19985) (hashicorp#20068)
72e29c2 Update create.mdx (hashicorp#19981) (hashicorp#20061)
4782396 backport of commit 7b40f73 (hashicorp#19832)
95af348 backport of commit 871bf52 (hashicorp#20063)
4308cb2 backport of commit 211fd80 (hashicorp#20060)
d881a2c backport of commit d697b08 (hashicorp#20052)
3dff0ae backport of commit 277600b (hashicorp#20047)
c626b64 UI: Namespace area fixes (hashicorp#19799) (hashicorp#20024)
5f71b23 backport of commit bc9535e (hashicorp#20046)
86dec7d backport of commit 793a0c6 (hashicorp#20045)
8cb2715 backport of commit 3c2faf2 (hashicorp#20040)
38affc2 backport of commit 53da536 (hashicorp#20029)
8a64b17 add workflow_dispatch trigger to ci.yml workflow (hashicorp#19979) (hashicorp#19994)
ed11a49 backport of commit ef901b1 (hashicorp#20008)
da09f60 backport of commit fa5f0e6 (hashicorp#20003)
4b0296b backport of commit de2bb8c (hashicorp#19996)
6f2761e backport of commit 1fa3f7c (hashicorp#19989)
1df807c backport of commit 2c4fc91 (hashicorp#19984)
9540d75 backport of commit e7e6ab9 (hashicorp#19965)
f88e683 backport of commit 2145f95 (hashicorp#19972)
b5c37a9 backport of commit 204aefc (hashicorp#19957)
a7feba6 backport of commit de381c3 (hashicorp#19968)
ac72136 backport of commit ea130fd (hashicorp#19919)
8fb3860 Update TestDebugCommand_NoConnection to work when run in an environment with working Vault (hashicorp#19942)
19b43e6 backport of commit 1cef47d (hashicorp#19947)
26d9978 backport of commit 9963bc2 (hashicorp#19940)
e3f471c Backport of Update the if conditions for test-go jobs in CI into release/1.13.x (hashicorp#19872)
36535f8 backport of commit 45f349d (hashicorp#19911)
00aacaa backport of commit 1eff6d8 (hashicorp#19927)
cbe8831 backport of commit 1239875 (hashicorp#19922)
4348f82 backport of commit 6ae4399 (hashicorp#19790)
c378bca backport of commit 547c624 (hashicorp#19883)
da9dbd1 backport of commit 5d6be05 (hashicorp#19909)
aea8adf backport of commit 57791de (hashicorp#19882)
d769d20 backport of commit fc63170 (hashicorp#19904)
8295328 backport of commit b3d333b (hashicorp#19885)
e842f39 backport of commit 550277d (hashicorp#19895)
6c9b4e1 backport of commit 35eb2dd (hashicorp#19813)
db94348 backport of commit 525bce0 (hashicorp#19869)
2ec4fbf backport of commit 9b379ae (hashicorp#19865)
8530990 Backport of Add a new category of runners to the CI workflow; use new, dedicated … into release/1.13.x (hashicorp#19855)
4c2c88f backport of commit e8a8fb0 (hashicorp#19853)
37145a7 backport of commit 670c952 (hashicorp#19605)
b500045 Backport all GHA Migration Changes to release/1.13.x Branch (hashicorp#19767)
2efa2f5 backport of commit 2054fe2 (hashicorp#19825)
7854421 Update version to 1.13.2 (hashicorp#19843)
a91293c backport of commit 262b043 (hashicorp#19842)
defccc0 Backport of docs/vault-secrets-operator: update for beta install into release/1.13.x (hashicorp#19838)
12002fb backport of commit 2593412 (hashicorp#19836)
ebfff04 backport of commit 2834ac2 (hashicorp#19824)
0dfb8df backport of commit 3026f87 (hashicorp#19801)
4be90be backport of commit 34e2b65 (hashicorp#19774)
d622e81 backport of commit e439289 (hashicorp#19746)
318ac8b backport of commit 14eda8a (hashicorp#19740)
fea2b7f backport of commit 5b35ae4 (hashicorp#19737)
eb4b543 backport of commit c314197 (hashicorp#19736)
ac5a00d ci: unpin terraform in CICD (hashicorp#19665) (hashicorp#19730)
4472e4a backport of commit 85c3eab (hashicorp#19716)
cf51afa Backport of Add tests for PKI endpoint authentication via OpenAPI into release/1.13.x (hashicorp#19713)
487fd7e backport of commit 0c69cf1 (hashicorp#19710)
ed85df3 Backport of Allow overriding gRPC's connection timeout with VAULT_GRPC_MIN_CONNECT_TIMEOUT into release/1.13.x (hashicorp#19680)
36dddc3 Regression bug fix OIDC namespace (hashicorp#19460) (hashicorp#19696)
996dc56 Backport 1.13.x: UI/update auth form to fetchRoles after a namespace is inputted, prior to OIDC auth hashicorp#19541 (hashicorp#19661)
9ab8152 backport of commit 449482d (hashicorp#19692)
217d7a9 backport of commit 3dbe946 (hashicorp#19675)
96a97d6 backport of commit 6d8ed36 (hashicorp#19674)
ba46ad7 backport of commit 3926057 (hashicorp#19657)
838b5a3 backport of commit 29b1e55 (hashicorp#19655)
1e7c7b3 backport of commit fd422cb (hashicorp#19639)
765c159 backport of commit dae3e9d (hashicorp#19654)
10929a4 backport of commit e9d6dbc (hashicorp#19653)
c7e83ef backport of commit 94a6dca (hashicorp#19648)
96b884b backport of commit 09d58d1 (hashicorp#19636)
4f531fd backport of commit 28b0037 (hashicorp#19645)
9f78d2a backport of commit c5bc176 (hashicorp#19643)
0193a29 backport of commit 116a6a4 (hashicorp#19633)
0b01f09 Forward PKI revocation requests received by standby nodes to active node (hashicorp#19624) (hashicorp#19630)
acb9d7c backport of commit e3c5977 (hashicorp#19629)
e257377 backport of commit 3e72c76 (hashicorp#19622)
435824c backport of commit e6427b2 (hashicorp#19620)
4285eb5 backport of commit 77e80a8 (hashicorp#19617)
f233eed backport of commit 98f4d1f (hashicorp#19613)
a584e67 backport of commit 5d706c4 (hashicorp#19598)
8b85000 backport of commit f15715f (hashicorp#19610)
99e4d5c backport of commit b48e826 (hashicorp#19590)
b7b5296 backport of commit fbd27ff (hashicorp#19574)
b47e92f backport of commit 122e958 (hashicorp#19565)
beb8a65 backport of commit 1fb765d (hashicorp#19559)
712934a backport of commit 3b15352 (hashicorp#19553)
e0c4fa0 backport of commit c4f9648 (hashicorp#19549)
408a996 backport of commit ed08e45 (hashicorp#19527)
94cb988 backport of commit 55bf601 (hashicorp#19522)
bfe328e backport of commit 5299707 (hashicorp#19465)
f82e51f backport of commit 5d20d59 (hashicorp#19506)
48aadc6 backport of commit 7f14a9e (hashicorp#19504)
ab59edb backport of commit 115ed11 (hashicorp#19500)
dd63028 backport of commit 9f8d831 (hashicorp#19492)
101e535 backport of commit 7071eb2 (hashicorp#19478)
03cf4dc backport of commit 75efaf0 (hashicorp#19484)
97528fe backport of commit 401b338 (hashicorp#19466)
174c5d4 backport of commit fbe0916 (hashicorp#19457)
fa204b5 backport of commit 3e4262f (hashicorp#19455)
b317bbf backport of commit c5d99ed (hashicorp#19453)
90d3dc6 backport of commit 16e9c14 (hashicorp#19442)
9f545bd backport of commit 7ef7297 (hashicorp#19423)
78c25fd update version 1.13.1 (hashicorp#19440)
27c8b3c backport of commit 94406d1 (hashicorp#19427)
3167443 backport of commit 0d52c0e (hashicorp#19420)
a4cf0dc Remove rc1 prerelease tag. (hashicorp#19417)
0a42f2a backport of commit 9bb8321 (hashicorp#19409)
75f1ea2 backport of commit eb70bfd (hashicorp#19407)
20e201b backport of commit da31528 (hashicorp#19405)
7383b52 backport of commit 52bbf65 (hashicorp#19397)
b3dc15f backport of commit ba01391 (hashicorp#19396)
1240c8c backport of commit 538bb79 (hashicorp#19381)
478b6f1 backport of commit 7b2ff1f (hashicorp#19382)
a5edc66 backport of commit d35be2d (hashicorp#19375)
a0beacd Backport of add nil check for secret id entry on delete via accessor into release/1.13.x (hashicorp#19351)
c6c35dc Revert "updated raft-autopilot to v0.2.0 (hashicorp#17848)" (hashicorp#19362)
3804125 Update Go to 1.20.1 for 1.13.0 (hashicorp#19357)
c496011 backport of commit d08bf56 (hashicorp#19347)
8545876 backport of commit 3adb416 (hashicorp#19352)
9063cfe backport of commit 431b424 (hashicorp#19335)
01ed889 backport of commit 794eb8b (hashicorp#19333)
4406c2b backport of commit f2a47b0 (hashicorp#19328)
9789259 backport of commit 72bc820 (hashicorp#19322)
6a73f37 backport of commit 20b347e (hashicorp#19315)
62eeda8 backport of commit f4f1762 (hashicorp#19317)
d21564e backport of commit 7d52daf (hashicorp#19308)
5b2f609 backport of commit 34a93f1 (hashicorp#19309)
b12fcad UI: fixes validation bug in sign certificate form (hashicorp#19280) (hashicorp#19293)
41e384f backport of commit 7193916 (hashicorp#19298)
5176a3c Backport of Update x/net and x/crypto/ssh into release/1.13.x (hashicorp#19285)
6d1b7ba backport of UI: Remove Wizard (hashicorp#19239)
871dd06 backport of commit fe7eeda (hashicorp#19286)
8cad3a3 backport of commit 1b33b99 (hashicorp#19275)
88e9f55 backport of commit 9c4e659 (hashicorp#19273)
4bb0139 Brute force changelog entry (hashicorp#19230)
2c6e899 backport of commit 88dcb04 (hashicorp#19272)
d11b31d backport of commit 46dd007 (hashicorp#19270)
8ffa334 backport of commit 4ea5c58 (hashicorp#19268)
e53ac26 backport of commit 100ec9a (hashicorp#19203)
6e323b6 backport of commit 4c11d09 (hashicorp#19262)
6ae50fe backport of commit add3659 (hashicorp#19242)
c9eb3c7 events: WS protobuf messages should be binary (hashicorp#19232) (hashicorp#19256)
1ec3397 backport of commit 0c2fadc (hashicorp#19251)
fe4d56c backport of commit b08ecd7 (hashicorp#19241)
fcfc583 backport of commit 6984f23 (hashicorp#19233)
1e3dcee backport of commit 184939e (hashicorp#19234)
eb2d03e backport of commit 8f36d0d (hashicorp#19222)
9a3c8f4 backport of commit b3bc654 (hashicorp#19236)
6c84c14 backport of commit 6946556 (hashicorp#19225)
0490c4c backport of commit ba832de (hashicorp#19212)
48a7feb backport of commit db822c0 (hashicorp#19204)
a41a24b backport of commit 7143c56 (hashicorp#19202)
8820388 backport of commit 8fd34ca (hashicorp#19197)
105881d backport of commit 93f7b4f (hashicorp#19189)
02bc254 Trap errors related to vault pki list-intermediate issuer reading (hashicorp#19165) (hashicorp#19177)
3e4710d backport of commit d08de3e (hashicorp#19178)
dbdbe95 backport of commit 063a782 (hashicorp#19169)
ef9f9c0 Update version prerelease to rc1 (hashicorp#19164)
32be0a9 backport of commit 68f219c (hashicorp#19161)
4d1ef8d backport of commit 9acd846 (hashicorp#19154)
9807544 backport of commit c90a024 (hashicorp#19152)
13313d0 backport of commit 5ff44bd (hashicorp#19144)
cfb8f08 backport of commit ef765d3 (hashicorp#19137)
af66575 backport of commit 34b3d04 (hashicorp#19136)

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
…shicorp#19165) (hashicorp#19177)

* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
…icorp#19256)

The [WebSockets spec](https://www.rfc-editor.org/rfc/rfc6455) states
that text messages must be valid UTF-8 encoded strings, which protobuf
messages virtually never are. This now correctly sends the protobuf events
as binary messages.

We change the format to correspond to CloudEvents, as originally intended,
and remove a redundant timestamp and newline.

We also bump the eventlogger to fix a race condition that this code triggers.

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
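
The framing rule cited in the commit message above, as an added Go example (not code from this PR or from Vault): a protobuf payload fails the UTF-8 check that RFC 6455 imposes on text messages, so it has to go out with the binary opcode. The two-field message schema and all function names are assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf8"
)

// RFC 6455 data-frame opcodes.
const (
	OpText   byte = 0x1
	OpBinary byte = 0x2
)

// EncodeSampleEvent hand-encodes a constructed two-field protobuf message
// (field 1: varint sequence number, field 2: string id). It stands in for a
// real event payload; the schema is an assumption made for this example.
func EncodeSampleEvent(seq uint64, id string) []byte {
	var v [binary.MaxVarintLen64]byte
	b := []byte{0x08} // tag: field 1, wire type 0 (varint)
	b = append(b, v[:binary.PutUvarint(v[:], seq)]...)
	b = append(b, 0x12) // tag: field 2, wire type 2 (length-delimited)
	b = append(b, v[:binary.PutUvarint(v[:], uint64(len(id)))]...)
	return append(b, id...)
}

// CheckOutgoing applies the rule a receiving peer enforces: a text message
// whose payload is not valid UTF-8 fails the connection (close code 1007).
func CheckOutgoing(opcode byte, payload []byte) error {
	if opcode == OpText && !utf8.Valid(payload) {
		return errors.New("text frame payload is not valid UTF-8 (peer closes with 1007)")
	}
	return nil
}

// Frame builds a single unmasked (server-to-client) frame with FIN set,
// refusing to emit a text frame that a compliant peer would reject.
func Frame(opcode byte, payload []byte) ([]byte, error) {
	if err := CheckOutgoing(opcode, payload); err != nil {
		return nil, err
	}
	h := []byte{0x80 | opcode}
	switch n := len(payload); {
	case n < 126:
		h = append(h, byte(n))
	case n <= 0xFFFF:
		h = append(h, 126, byte(n>>8), byte(n))
	default:
		var l [8]byte
		binary.BigEndian.PutUint64(l[:], uint64(n))
		h = append(append(h, 127), l[:]...)
	}
	return append(h, payload...), nil
}

func main() {
	// seq=300 encodes as the varint bytes AC 02; 0xAC is a bare UTF-8
	// continuation byte, so the payload cannot be a valid text message.
	msg := EncodeSampleEvent(300, "evt-1")
	fmt.Printf("payload % x, valid UTF-8: %v\n", msg, utf8.Valid(msg))
	_, err := Frame(OpText, msg)
	fmt.Println("as text:  ", err)
	f, _ := Frame(OpBinary, msg)
	fmt.Printf("as binary: % x\n", f)
}
```
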
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* add changelog

* rename changelog file

* edit description

* change changelog entry name

* add new feature name
Co-authored-by: Nathan Handler <nhandler@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
…20256)

Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Hugo Puntos <hugo.puntos@gmail.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
…ashicorp#20283)

* Add Configurable LDAP Max Page Size (hashicorp#19032)

* Add config flag for LDAP max page size

* Add changelog

* move changelog to correct file

* cleanup

* Default to non-paged searching for with -1

* Update website/content/api-docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update tests

---------

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* remove

---------

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Jaymala <jaymala@hashicorp.com>
Co-authored-by: melmus <melmus.konspirator@gmail.com>
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: John Children <32305209+johnchildren@users.noreply.github.com>
* [QT-525] enos: use spot instances for Vault targets (hashicorp#20037)

The previous strategy for provisioning infrastructure targets was to use
the cheapest instances that could reliably perform as Vault cluster
nodes. With this change we introduce a new model for target node
infrastructure. We've replaced on-demand instances with a spot
fleet. While the spot price fluctuates based on dynamic pricing,
capacity, region, instance type, and platform, cost savings for our
most common combinations range between 20-70%.

This change only includes spot fleet targets for Vault clusters.
We'll be updating our Consul backend bidding in another PR.

* Create a new `vault_cluster` module that handles installation,
  configuration, initializing, and unsealing Vault clusters.
* Create a `target_ec2_instances` module that can provision a group of
  instances on-demand.
* Create a `target_ec2_spot_fleet` module that can bid on a fleet of
  spot instances.
* Extend every Enos scenario to utilize the spot fleet target acquisition
  strategy and the `vault_cluster` module.
* Update our Enos CI modules to handle both the `aws-nuke` permissions
  and also the privileges to provision spot fleets.
* Only use us-east-1 and us-west-2 in our scenario matrices as costs are
  lower than us-west-1.

Signed-off-by: Ryan Cragun <me@ryan.ec>

* [QT-530] enos: allow-list all public IP addresses (hashicorp#20304)

The security groups that allow access to remote machines in Enos
scenarios have been configured to only allow port 22 (SSH) from the
public IP address of machine executing the Enos scenario. To achieve
this we previously utilized the `enos_environment.public_ip_address`
attribute. Sometime in mid March we started seeing sporadic SSH i/o
timeout errors when attempting to execute Enos resources against SSH
transport targets. We've only ever seen this when communicating from
Azure hosted runners to AWS hosted machines.

While testing we were able to confirm that in some cases the public IP
address resolved using DNS over UDP4 to Google and OpenDNS name servers
did not match what was resolved when using the HTTPS/TCP IP address
service hosted by AWS. The Enos data source was implemented in a way
that we'd attempt resolution of a single name server and only attempt
resolving from the next if the previous name server could not get a result.
We'd then allow-list that single IP address. That's a problem if we can
resolve two different public IP addresses depending on our endpoint address.

This change utilizes the new `enos_environment.public_ip_addresses`
attribute and subsequent behavior change. Now the data source will
attempt to resolve our public IP address via name servers hosted by
Google, OpenDNS, Cloudflare, and AWS. We then return a unique set of
these IP addresses and allow-list all of them in our security group. It
is our hope that this resolves these i/o timeout errors that seem like
they're caused by the security group black-holing our attempted access
because the IP we resolved does not match what we're actually exiting
with.

Signed-off-by: Ryan Cragun <me@ryan.ec>

---------

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
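
The allow-listing change described in the QT-530 message above, modelled as an added Go example (not Enos or Vault code): the earlier "first resolver that answers" strategy next to the "unique set of all answers" strategy, checked against the address a runner actually exits with. Resolver answers use constructed documentation-range addresses; the type and function names, and the extra filter that drops non-public answers, are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Lookup is one resolver's answer to "what is my public IP".
// Addr is empty when that resolver returned nothing.
type Lookup struct{ Resolver, Addr string }

// parsePublic accepts only routable unicast answers. This filter is an added
// check (not described in the PR) so a bad answer never widens the rule.
func parsePublic(s string) (netip.Addr, bool) {
	a, err := netip.ParseAddr(s)
	if err != nil || !a.IsGlobalUnicast() || a.IsPrivate() {
		return netip.Addr{}, false
	}
	return a, true
}

// FirstAnswer models the earlier behaviour: stop at the first resolver that
// answers and allow-list that single address.
func FirstAnswer(results []Lookup) []netip.Prefix {
	for _, r := range results {
		if a, ok := parsePublic(r.Addr); ok {
			return []netip.Prefix{netip.PrefixFrom(a, a.BitLen())}
		}
	}
	return nil
}

// AllAnswers models the newer behaviour: query every resolver and allow-list
// the unique set of answers, each as a single-host prefix.
func AllAnswers(results []Lookup) []netip.Prefix {
	seen := map[netip.Addr]bool{}
	var out []netip.Prefix
	for _, r := range results {
		a, ok := parsePublic(r.Addr)
		if !ok || seen[a] {
			continue
		}
		seen[a] = true
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Addr().Less(out[j].Addr()) })
	return out
}

// Admits reports whether an SSH ingress rule with these sources accepts src.
func Admits(allow []netip.Prefix, src string) bool {
	a, err := netip.ParseAddr(src)
	for _, p := range allow {
		if err == nil && p.Contains(a) {
			return true
		}
	}
	return false
}

// Constructed sample: DNS-based resolvers and the HTTPS service disagree.
var Sample = []Lookup{
	{"google-dns", "203.0.113.10"}, {"opendns", "203.0.113.10"},
	{"cloudflare", ""}, {"aws-https", "198.51.100.7"},
}

func main() {
	egress := "198.51.100.7" // address the SSH connection really arrives from
	fmt.Println("first answer:", FirstAnswer(Sample), "admits:", Admits(FirstAnswer(Sample), egress))
	fmt.Println("all answers: ", AllAnswers(Sample), "admits:", Admits(AllAnswers(Sample), egress))
}
```

Each extra address in the set is still a single-host source, so the rule grows by at most one entry per resolver that disagrees.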
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: Braulio Gomes Rodrigues <brauliogr@gmail.com>
Co-authored-by: Jaymala <jaymala@hashicorp.com>
… release/1.13.x (hashicorp#20329)

* backport of commit cddbc3f
* enos: use artifactory release for auto-pilot upgrade

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Bryce Kalow <bkalow@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Braulio Gomes Rodrigues <brauliogr@gmail.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
@fopina-ci fopina-ci closed this Jun 8, 2023
@fopina-ci fopina-ci deleted the upstream-to-pr/rev-b9b773f16 branch June 8, 2023 12:33