fix: Fixing Bug related to the creation of service to service authorization, while using the existing bastion node (#176)

Co-authored-by: Nupur Goyal <nupurgoyal@Nupurs-MacBook-Pro.local>

Author: nupurg-ibm

.gitignore

@@ -55,3 +55,6 @@ terraform.rc
 
 # tweaks used locally
 localtweak__*.tf
+
+# tests folder log file
+*.log

.tekton/scripts/ssh_create_delete.sh

@@ -6,7 +6,7 @@ CICD_SSH_KEY=$(echo $CICD_SSH_KEY-"$REVISION")
 elif [ "${PR_REVISION}" ] && [ -z "${REVISION}" ]; then
 CICD_SSH_KEY=$(echo $CICD_SSH_KEY-"$PR_REVISION")
 else
-resource_group=$CICD_SSH_KEY-tekton
+CICD_SSH_KEY=$CICD_SSH_KEY-tekton
 fi
 
 ssh_key_create() {
@@ -35,7 +35,7 @@ for region in "${REGIONS[@]}";
         check_key=$(eval "ibmcloud is keys | grep $CICD_SSH_KEY | awk '{print $2}'")
         if [[ -z "$check_key" ]]; then
             echo "$CICD_SSH_KEY creating in $region"
-            ssh_key_create=$(eval "ibmcloud is key-create $CICD_SSH_KEY @/artifacts/.ssh/id_rsa.pub  --resource-group-name $resource_group")
+            ssh_key_create=$(eval "ibmcloud is key-create $CICD_SSH_KEY @/artifacts/.ssh/id_rsa.pub  --resource-group-name ${resource_group:?}")
             if [[ $ssh_key_create = *Created* ]]; then
             echo "$CICD_SSH_KEY created in $region"
             else

.tekton/scripts/suites.sh

@@ -133,7 +133,7 @@ ubuntu_suite_3() {
 # regions based suite on regions-suite
 regions_suite() {
     suite=regions-suite
-    test_cases="TestRunInUsEastRegion,TestRunInEuDeRegion,TestRunInUSSouthRegion,TestRunCIDRsAsNonDefault,TestRunExistingPACEnvironment"
+    test_cases="TestRunInUsEastRegion,TestRunInEuDeRegion,TestRunInUSSouthRegion,TestRunCIDRsAsNonDefault"
     new_line="${test_cases//,/$'\n'}"
     echo "************** Going to run ${suite} ${new_line} **************"
     common_suite "${test_cases}" "${suite}" "${compute_image_name_rhel:?}"

modules/landing_zone_vsi/main.tf

@@ -123,7 +123,8 @@ module "login_vsi" {
   vpc_id                        = var.vpc_id
   kms_encryption_enabled        = var.kms_encryption_enabled
   boot_volume_encryption_key    = var.boot_volume_encryption_key
-  skip_iam_authorization_policy = local.skip_iam_authorization_policy
+  skip_iam_authorization_policy = var.bastion_instance_name != null ? false : local.skip_iam_authorization_policy
+  existing_kms_instance_guid    = var.existing_kms_instance_guid
 }
 
 module "ldap_vsi" {

modules/landing_zone_vsi/variables.tf

@@ -409,3 +409,9 @@ variable "ce_project_guid" {
   description = "The GUID of the Code Engine Project associated to this cluster Reservation"
   type        = string
 }
+
+variable "existing_kms_instance_guid" {
+  type        = string
+  default     = null
+  description = "GUID of boot volume encryption key"
+}

solutions/hpc/main.tf

@@ -128,6 +128,7 @@ module "landing_zone_vsi" {
   cloud_monitoring_prws_url                        = var.observability_monitoring_enable ? module.cloud_monitoring_instance_creation.cloud_monitoring_prws_url : ""
   bastion_instance_name                            = var.bastion_instance_name
   ce_project_guid                                  = module.ce_project.guid
+  existing_kms_instance_guid                       = local.existing_kms_instance_guid
   depends_on = [
     module.validate_ldap_server_connection
   ]

tests/README.md

@@ -57,6 +57,7 @@ type Config struct {
 	USSouthClusterID           string `yaml:"us_south_cluster_id"`
 	USSouthReservationID       string `yaml:"us_south_reservation_id"`
 	SSHFilePath                string `yaml:"ssh_file_path"`
+	SSHFilePathTwo             string `yaml:"ssh_file_path_two"`
 }
 
 // GetConfigFromYAML reads configuration from a YAML file and sets environment variables based on the configuration.
@@ -148,6 +149,7 @@ func setEnvFromConfig(config *Config) error {
 		"US_SOUTH_RESERVATION_ID":       config.USSouthReservationID,
 		"US_SOUTH_CLUSTER_ID":           config.USSouthClusterID,
 		"SSH_FILE_PATH":                 config.SSHFilePath,
+		"SSH_FILE_PATH_TWO":             config.SSHFilePathTwo,
 	}
 
 	for key, value := range envVars {

tests/common_utils/deploy_utils.go

@@ -167,73 +167,6 @@ func ConnectionE(t *testing.T, publicHostName, publicHostIP, privateHostName, pr
 	return output, err
 }
 
-// connectToHostsWithMultipleUsers establishes SSH connections to a host using multiple user credentials.
-// It takes the public and private IP addresses and host names for two different users.
-// Returns two SSH clients for the respective users, along with any errors encountered during the process.
-func ConnectToHostsWithMultipleUsers(publicHostName, publicHostIP, privateHostName, privateHostIP string) (*ssh.Client, *ssh.Client, error, error) {
-	// Get the SSH private key file path for the first user from the environment variable
-	sshKeyFilePathUserOne := os.Getenv("SSHFILEPATH")
-	// Check if the file exists
-	if _, err := os.Stat(sshKeyFilePathUserOne); os.IsNotExist(err) {
-		return nil, nil, fmt.Errorf("SSH private key file '%s' does not exist", sshKeyFilePathUserOne), nil
-	} else if err != nil {
-		return nil, nil, fmt.Errorf("error checking SSH private key file: %v", err), nil
-	}
-	sshKeyUserOne, errUserOne := getSshKeyFile(sshKeyFilePathUserOne)
-	if errUserOne != nil {
-		return nil, nil, fmt.Errorf("failed to get SSH key for user one: %w", errUserOne), nil
-	}
-
-	// Get the SSH private key file path for the second user from the environment variable
-	sshKeyFilePathUserTwo := os.Getenv("SSHFILEPATHTWO")
-	// Check if the file exists
-	if _, err := os.Stat(sshKeyFilePathUserTwo); os.IsNotExist(err) {
-		return nil, nil, nil, fmt.Errorf("SSH private key file '%s' does not exist", sshKeyFilePathUserTwo)
-	} else if err != nil {
-		return nil, nil, nil, fmt.Errorf("error checking SSH private key file: %v", err)
-	}
-	sshKeyUserTwo, errUserTwo := getSshKeyFile(sshKeyFilePathUserTwo)
-	if errUserTwo != nil {
-		return nil, nil, nil, fmt.Errorf("failed to get SSH key for user two: %w", errUserTwo)
-	}
-
-	// Combine errors for better readability
-	var combinedErrUserOne error
-	if errUserOne != nil {
-		combinedErrUserOne = fmt.Errorf("user one SSH key error: %v", errUserOne)
-	}
-	var combinedErrUserTwo error
-	if errUserTwo != nil {
-		combinedErrUserTwo = fmt.Errorf("user two SSH key error: %v", errUserTwo)
-	}
-
-	if combinedErrUserOne != nil && combinedErrUserTwo != nil {
-		return nil, nil, combinedErrUserOne, combinedErrUserTwo
-	}
-
-	// Create SSH configurations for each user and host combination
-	sshConfigUserOnePrivate := getSshConfig(sshKeyUserOne, privateHostName)
-	sshConfigUserOnePublic := getSshConfig(sshKeyUserOne, publicHostName)
-	sshConfigUserTwoPrivate := getSshConfig(sshKeyUserTwo, privateHostName)
-	sshConfigUserTwoPublic := getSshConfig(sshKeyUserTwo, publicHostName)
-
-	// Establish SSH connections for each user to the host
-	clientUserOne, errUserOne := sshClientJumpHost(sshConfigUserOnePrivate, sshConfigUserOnePublic, publicHostIP+":22", privateHostIP+":22")
-	clientUserTwo, errUserTwo := sshClientJumpHost(sshConfigUserTwoPrivate, sshConfigUserTwoPublic, publicHostIP+":22", privateHostIP+":22")
-
-	// Combine errors for better readability
-	var combinedErrClientUserOne error
-	if errUserOne != nil {
-		combinedErrClientUserOne = fmt.Errorf("user one unable to log in to the node: %v", errUserOne)
-	}
-	var combinedErrClientUserTwo error
-	if errUserTwo != nil {
-		combinedErrClientUserTwo = fmt.Errorf("user two unable to log in to the node: %v", errUserTwo)
-	}
-
-	return clientUserOne, clientUserTwo, combinedErrClientUserOne, combinedErrClientUserTwo
-}
-
 func ConnectToHostAsLDAPUser(publicHostName, publicHostIP, privateHostIP, ldapUser, ldapPassword string) (*ssh.Client, error) {
 
 	sshFilePath := os.Getenv("SSH_FILE_PATH")
@@ -267,3 +200,65 @@ func ConnectToHostAsLDAPUser(publicHostName, publicHostIP, privateHostIP, ldapUs
 	}
 	return sClient, nil
 }
+
+// ConnectToHostsWithMultipleUsers establishes SSH connections to a host using multiple user credentials.
+// It takes the public and private IP addresses and host names for two different users.
+// Returns two SSH clients for the respective users, along with any errors encountered during the process.
+func ConnectToHostsWithMultipleUsers(publicHostName, publicHostIP, privateHostName, privateHostIP string) (*ssh.Client, *ssh.Client, error, error) {
+
+	// Get the SSH private key file path for the first user from the environment variable
+	sshFilePath := os.Getenv("SSH_FILE_PATH")
+
+	// Check if the file exists
+	_, err := os.Stat(sshFilePath)
+	if os.IsNotExist(err) {
+		return nil, nil, nil, fmt.Errorf("SSH private key file '%s' does not exist", sshFilePath)
+	} else if err != nil {
+		return nil, nil, nil, fmt.Errorf("error checking SSH private key file: %v", err)
+	}
+
+	// Get the SSH key for the first user
+	key, err := getSshKeyFile(sshFilePath)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to get SSH key: %w", err)
+	}
+
+	// Create SSH configurations for the first user
+	sshConfigUserOnePrivate := getSshConfig(key, publicHostName)
+	sshConfigUserOnePublic := getSshConfig(key, privateHostName)
+
+	// Establish SSH connection for the first user
+	clientUserOne, combinedErrClientUserOne := sshClientJumpHost(sshConfigUserOnePrivate, sshConfigUserOnePublic, publicHostIP+":22", privateHostIP+":22")
+	if combinedErrClientUserOne != nil {
+		return nil, nil, nil, fmt.Errorf("unable to log in to the node: %w", combinedErrClientUserOne)
+	}
+
+	// Get the SSH private key file path for the second user from the environment variable
+	sshFilePathTwo := os.Getenv("SSH_FILE_PATH_TWO")
+
+	// Check if the file exists
+	_, err = os.Stat(sshFilePathTwo)
+	if os.IsNotExist(err) {
+		return nil, nil, nil, fmt.Errorf("SSH private key file '%s' does not exist", sshFilePathTwo)
+	} else if err != nil {
+		return nil, nil, nil, fmt.Errorf("error checking SSH private key file: %v", err)
+	}
+
+	// Get the SSH key for the second user
+	key2, err2 := getSshKeyFile(sshFilePathTwo)
+	if err2 != nil {
+		return nil, nil, nil, fmt.Errorf("failed to get SSH key: %w", err2)
+	}
+
+	// Create SSH configurations for the second user
+	sshConfigUserTwoPrivate := getSshConfig(key2, publicHostName)
+	sshConfigUserTwoPublic := getSshConfig(key2, privateHostName)
+
+	// Establish SSH connection for the second user
+	clientUserTwo, combinedErrClientUserTwo := sshClientJumpHost(sshConfigUserTwoPrivate, sshConfigUserTwoPublic, publicHostIP+":22", privateHostIP+":22")
+	if combinedErrClientUserTwo != nil {
+		return nil, nil, nil, fmt.Errorf("unable to log in to the node: %w", combinedErrClientUserTwo)
+	}
+
+	return clientUserOne, clientUserTwo, combinedErrClientUserOne, combinedErrClientUserTwo
+}