Backport enos(ldap): always verify base DN connection before setup into ce/main

Refactor our connection checking into a new LDAP module that is capable
of running a search and waiting for success. We now call this module
while setting up the integration host and before enabling the LDAP
secrets engine.

We also fix two race conditions in the Agent and HA Seal scenarios where
we might attempt to verify and/or test LDAP before the integration host
has been set up.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: LT Carbonell <lt.carbonell@hashicorp.com>

Author: 3 people

enos/enos-scenario-agent.hcl

@@ -517,7 +517,8 @@ scenario "agent" {
     module      = module.vault_verify_secrets_engines_create
     depends_on = [
       step.verify_vault_unsealed,
-      step.get_vault_cluster_ips
+      step.get_vault_cluster_ips,
+      step.set_up_external_integration_target,
     ]
 
     providers = {

enos/enos-scenario-seal-ha.hcl

@@ -472,7 +472,8 @@ scenario "seal_ha" {
     depends_on = [
       step.create_vault_cluster,
       step.get_vault_cluster_ips,
-      step.verify_vault_unsealed
+      step.verify_vault_unsealed,
+      step.set_up_external_integration_target,
     ]
 
     providers = {
@@ -862,34 +863,6 @@ scenario "seal_ha" {
     }
   }
 
-  step "verify_log_secrets" {
-    skip_step = !var.vault_enable_audit_devices || !var.verify_log_secrets
-
-    description = global.description.verify_log_secrets
-    module      = module.verify_log_secrets
-    depends_on = [
-      step.verify_secrets_engines_read,
-    ]
-
-    providers = {
-      enos = local.enos_provider[matrix.distro]
-    }
-
-    verifies = [
-      quality.vault_audit_log_secrets,
-      quality.vault_journal_secrets,
-      quality.vault_radar_index_create,
-      quality.vault_radar_scan_file,
-    ]
-
-    variables {
-      audit_log_file_path = step.create_vault_cluster.audit_device_file_path
-      leader_host         = step.get_updated_cluster_ips.leader_host
-      vault_addr          = step.create_vault_cluster.api_addr_localhost
-      vault_root_token    = step.create_vault_cluster.root_token
-    }
-  }
-
   step "verify_ui" {
     description = global.description.verify_ui
     module      = module.vault_verify_ui
@@ -937,7 +910,6 @@ scenario "seal_ha" {
     depends_on = [
       step.wait_for_seal_rewrap,
       step.verify_secrets_engines_read,
-      step.verify_log_secrets,
     ]
 
     providers = {
@@ -1140,6 +1112,34 @@ scenario "seal_ha" {
     }
   }
 
+  step "verify_log_secrets" {
+    skip_step = !var.vault_enable_audit_devices || !var.verify_log_secrets
+
+    description = global.description.verify_log_secrets
+    module      = module.verify_log_secrets
+    depends_on = [
+      step.verify_secrets_engines_read_after_migration
+    ]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_audit_log_secrets,
+      quality.vault_journal_secrets,
+      quality.vault_radar_index_create,
+      quality.vault_radar_scan_file,
+    ]
+
+    variables {
+      audit_log_file_path = step.create_vault_cluster.audit_device_file_path
+      leader_host         = step.get_updated_cluster_ips.leader_host
+      vault_addr          = step.create_vault_cluster.api_addr_localhost
+      vault_root_token    = step.create_vault_cluster.root_token
+    }
+  }
+
   output "audit_device_file_path" {
     description = "The file path for the file audit device, if enabled"
     value       = step.create_vault_cluster.audit_device_file_path

enos/modules/ldap_wait_for_search/main.tf

@@ -0,0 +1,89 @@
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+variable "hosts" {
+  description = "The target machines to run the test query from"
+  type = map(object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  }))
+}
+
+variable "ldap_base_dn" {
+  type        = string
+  description = "The LDAP base dn to search from"
+}
+
+variable "ldap_bind_dn" {
+  type        = string
+  description = "The LDAP bind dn"
+}
+
+variable "ldap_host" {
+  type = object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  })
+  description = "The LDAP host"
+}
+
+variable "ldap_password" {
+  type        = string
+  description = "The LDAP password"
+}
+
+variable "ldap_port" {
+  type        = string
+  description = "The LDAP port"
+}
+
+variable "ldap_query" {
+  type        = string
+  description = "The LDAP query to use when testing the connection"
+  default     = null
+}
+
+variable "retry_interval" {
+  type        = number
+  description = "How many seconds to wait between each retry"
+  default     = 2
+}
+
+variable "timeout" {
+  type        = number
+  description = "The max number of seconds to wait before timing out"
+  default     = 60
+}
+
+# Wait for the search to succeed
+resource "enos_remote_exec" "wait_for_search" {
+  for_each = var.hosts
+
+  environment = {
+    LDAP_BASE_DN    = var.ldap_base_dn
+    LDAP_BIND_DN    = var.ldap_bind_dn
+    LDAP_HOST       = var.ldap_host.public_ip
+    LDAP_PASSWORD   = var.ldap_password
+    LDAP_PORT       = var.ldap_port
+    LDAP_QUERY      = var.ldap_query == null ? "" : var.ldap_query
+    RETRY_INTERVAL  = var.retry_interval
+    TIMEOUT_SECONDS = var.timeout
+  }
+  scripts = [abspath("${path.module}/scripts/wait-for-search.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}

enos/modules/ldap_wait_for_search/scripts/wait-for-search.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$LDAP_BASE_DN" ]] && fail "LDAP_BASE_DN env variable has not been set"
+[[ -z "$LDAP_BIND_DN" ]] && fail "LDAP_BIND_DN env variable has not been set"
+[[ -z "$LDAP_HOST" ]] && fail "LDAP_HOST env variable has not been set"
+[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
+[[ -z "$LDAP_PASSWORD" ]] && fail "LDAP_PASSWORD env variable has not been set"
+[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
+[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
+
+# NOTE: An LDAP_QUERY is not technically required here as long as we have a base
+# DN and bind DN to search and bind to.
+
+search="ldap://${LDAP_HOST}:${LDAP_PORT} -b ${LDAP_BASE_DN} -D ${LDAP_BIND_DN} -w ${LDAP_PASSWORD} -s base ${LDAP_QUERY}"
+safe_search="ldap://${LDAP_HOST}:${LDAP_PORT} -b ${LDAP_BASE_DN} -D ${LDAP_BIND_DN} -s base ${LDAP_QUERY}"
+echo "Running test search: ${safe_search}"
+
+begin_time=$(date +%s)
+end_time=$((begin_time + TIMEOUT_SECONDS))
+test_search_out=""
+test_search_res=""
+declare -i tries=0
+while [ "$(date +%s)" -lt "$end_time" ]; do
+  tries+=1
+  if test_search_out=$(eval "ldapsearch -x -H ${search}" 2>&1); then
+    test_search_res=0
+    break
+  fi
+
+  test_search_res=$?
+  echo "Test search failed!, search: ${safe_search}, attempt: ${tries}, exit code: ${test_search_res}, error: ${test_search_out}, retrying..."
+  sleep "$RETRY_INTERVAL"
+done
+
+if [ "$test_search_res" -ne 0 ]; then
+  echo "Timed out waiting for search!, search: ${safe_search}, attempt: ${tries}, exit code: ${test_search_res}, error: ${test_search_out}" 2>&1
+  # Exit with the ldapsearch exit code so we bubble that up to error diagnostic
+  exit "$test_search_res"
+fi

enos/modules/set_up_external_integration_target/main.tf

@@ -11,8 +11,10 @@ terraform {
 
 locals {
   test_server_address = var.ip_version == "6" ? var.hosts[0].ipv6 : var.hosts[0].public_ip
+  ldap_base_dn        = join(",", formatlist("dc=%s", split(".", var.ldap_domain)))
   ldap_server = {
-    domain      = "enos.com"
+    domain      = var.ldap_domain
+    base_dn     = local.ldap_base_dn
     org         = "hashicorp"
     admin_pw    = "password1"
     version     = var.ldap_version
@@ -66,19 +68,30 @@ resource "enos_remote_exec" "setup_openldap" {
   }
 }
 
+// Wait for the base DN to be available before we populate it
+module "wait_for_ldap_base_dn" {
+  depends_on = [enos_remote_exec.setup_openldap]
+  source     = "../ldap_wait_for_search"
+
+  hosts         = var.hosts
+  ldap_base_dn  = local.ldap_base_dn
+  ldap_bind_dn  = "cn=admin,${local.ldap_base_dn}"
+  ldap_host     = local.ldap_server.host
+  ldap_password = local.ldap_server.admin_pw
+  ldap_port     = local.ldap_server.port
+}
+
 # Populate LDAP server with required users and organizational units
 resource "enos_remote_exec" "populate_ldap" {
-  depends_on = [enos_remote_exec.setup_openldap]
+  depends_on = [module.wait_for_ldap_base_dn]
 
   scripts = [abspath("${path.module}/scripts/populate-ldap.sh")]
 
   environment = {
-    LDAP_SERVER     = local.ldap_server.host.private_ip
-    LDAP_PORT       = local.ldap_server.port
-    LDAP_ADMIN_PW   = local.ldap_server.admin_pw
-    LDAP_DOMAIN     = local.ldap_server.domain
-    RETRY_INTERVAL  = var.retry_interval
-    TIMEOUT_SECONDS = var.timeout
+    LDAP_SERVER   = local.ldap_server.host.private_ip
+    LDAP_PORT     = local.ldap_server.port
+    LDAP_ADMIN_PW = local.ldap_server.admin_pw
+    LDAP_BASE_DN  = local.ldap_server.base_dn
   }
 
   transport = {