fix: ensure strong ansible vault password is used (#999)

ludwig-mueller · web-flow · commit 0a8571ab93f8 · 2025-02-14T11:18:54.000+01:00
* chore: ensure strong ansible vault password is used

* chore: limit which characters are allowed in ansible vault password

* fix: upgrade terraform-ibm-modules/powervs-instance to 2.4.1

* fix: default values for projects compatibility

* fix: json format for default value
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -230,7 +230,6 @@
             },
             {
               "key": "vpc_intel_images",
-              "required": true,
               "hidden": true
             },
             {
@@ -773,7 +772,6 @@
             },
             {
               "key": "vpc_intel_images",
-              "required": true,
               "hidden": true
             },
             {
diff --git a/modules/powervs-vpc-landing-zone/submodules/ansible/README.md b/modules/powervs-vpc-landing-zone/submodules/ansible/README.md
@@ -27,7 +27,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ansible_host_or_ip"></a> [ansible\_host\_or\_ip](#input\_ansible\_host\_or\_ip) | Private IP of virtual server instance running RHEL OS on which ansible will be installed and configured to act as central ansible node. | `string` | n/a | yes |
-| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible variable file for SAP installation. | `string` | `null` | no |
+| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | `null` | no |
 | <a name="input_bastion_host_ip"></a> [bastion\_host\_ip](#input\_bastion\_host\_ip) | Jump/Bastion server public IP address to reach the ansible host which has private IP. | `string` | n/a | yes |
 | <a name="input_configure_ansible_host"></a> [configure\_ansible\_host](#input\_configure\_ansible\_host) | If set to true, bash script will be executed to install and configure the collections and packages on ansible node. | `bool` | n/a | yes |
 | <a name="input_dst_inventory_file_name"></a> [dst\_inventory\_file\_name](#input\_dst\_inventory\_file\_name) | Name for the inventory file to be generated on the Ansible host. | `string` | n/a | yes |
diff --git a/modules/powervs-vpc-landing-zone/submodules/ansible/variables.tf b/modules/powervs-vpc-landing-zone/submodules/ansible/variables.tf
@@ -60,8 +60,32 @@ variable "inventory_template_vars" {
 }
 
 variable "ansible_vault_password" {
-  description = "Vault password to encrypt ansible variable file for SAP installation."
+  description = "Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]_{|}~."
   type        = string
   sensitive   = true
   default     = null
+  validation {
+    condition     = var.ansible_vault_password == null ? true : (length(var.ansible_vault_password) >= 15 && length(var.ansible_vault_password) <= 100)
+    error_message = "ansible_vault_password needs to be between 15 and 100 characters in length."
+  }
+  validation {
+    condition     = var.ansible_vault_password == null ? true : can(regex("[A-Z]", var.ansible_vault_password))
+    error_message = "ansible_vault_password needs to contain at least one uppercase character (A-Z)."
+  }
+  validation {
+    condition     = var.ansible_vault_password == null ? true : can(regex("[a-z]", var.ansible_vault_password))
+    error_message = "ansible_vault_password needs to contain at least one lowercase character (a-z)."
+  }
+  validation {
+    condition     = var.ansible_vault_password == null ? true : can(regex("[0-9]", var.ansible_vault_password))
+    error_message = "ansible_vault_password needs to contain at least one number (0-9)."
+  }
+  validation {
+    condition     = var.ansible_vault_password == null ? true : can(regex("[!#$%&()*+\\-.:;<=>?@[\\]_{|}~]", var.ansible_vault_password))
+    error_message = "ansible_vault_password needs to contain at least one of the following special characters: !#$%&()*+-.:;<=>?@[]_{|}~"
+  }
+  validation {
+    condition     = var.ansible_vault_password == null ? true : can(regex("^[A-Za-z0-9!#$%&()*+\\-.:;<=>?@[\\]_{|}~]+$", var.ansible_vault_password))
+    error_message = "ansible_vault_password contains illegal characters. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]_{|}~"
+  }
 }
diff --git a/solutions/standard-plus-vsi/README.md b/solutions/standard-plus-vsi/README.md
@@ -54,7 +54,7 @@ This example sets up the following infrastructure:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_powervs_instance"></a> [powervs\_instance](#module\_powervs\_instance) | terraform-ibm-modules/powervs-instance/ibm | 2.4.0 |
+| <a name="module_powervs_instance"></a> [powervs\_instance](#module\_powervs\_instance) | terraform-ibm-modules/powervs-instance/ibm | 2.4.1 |
 | <a name="module_standard"></a> [standard](#module\_standard) | ../../modules/powervs-vpc-landing-zone | n/a |
 
 ### Resources
diff --git a/solutions/standard-plus-vsi/main.tf b/solutions/standard-plus-vsi/main.tf
@@ -40,7 +40,7 @@ module "standard" {
 
 module "powervs_instance" {
   source    = "terraform-ibm-modules/powervs-instance/ibm"
-  version   = "2.4.0"
+  version   = "2.4.1"
   providers = { ibm = ibm.ibm-pi }
 
   pi_workspace_guid      = module.standard.powervs_workspace_guid
diff --git a/solutions/standard-plus-vsi/variables.tf b/solutions/standard-plus-vsi/variables.tf
@@ -75,8 +75,8 @@ variable "vpc_intel_images" {
     sles_image = string
   })
   default = {
-    rhel_image = "ibm-redhat-9-4-amd64-sap-applications-3"
-    sles_image = "ibm-sles-15-5-amd64-sap-applications-4"
+    "rhel_image" : "ibm-redhat-9-4-amd64-sap-applications-3"
+    "sles_image" : "ibm-sles-15-5-amd64-sap-applications-4"
   }
 }
 
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -76,8 +76,8 @@ variable "vpc_intel_images" {
     sles_image = string
   })
   default = {
-    rhel_image = "ibm-redhat-9-4-amd64-sap-applications-3"
-    sles_image = "ibm-sles-15-5-amd64-sap-applications-4"
+    "rhel_image" : "ibm-redhat-9-4-amd64-sap-applications-3"
+    "sles_image" : "ibm-sles-15-5-amd64-sap-applications-4"
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -230,7 +230,6 @@`
`230`	`230`	`},`
`231`	`231`	`{`
`232`	`232`	`"key": "vpc_intel_images",`
`233`		`- "required": true,`
`234`	`233`	`"hidden": true`
`235`	`234`	`},`
`236`	`235`	`{`
`@@ -773,7 +772,6 @@`
`773`	`772`	`},`
`774`	`773`	`{`
`775`	`774`	`"key": "vpc_intel_images",`
`776`		`- "required": true,`
`777`	`775`	`"hidden": true`
`778`	`776`	`},`
`779`	`777`	`{`
Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,8 @@ variable "vpc_intel_images" {`
`75`	`75`	`sles_image = string`
`76`	`76`	`})`
`77`	`77`	`default = {`
`78`		`- rhel_image = "ibm-redhat-9-4-amd64-sap-applications-3"`
`79`		`- sles_image = "ibm-sles-15-5-amd64-sap-applications-4"`
	`78`	`+ "rhel_image" : "ibm-redhat-9-4-amd64-sap-applications-3"`
	`79`	`+ "sles_image" : "ibm-sles-15-5-amd64-sap-applications-4"`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`
Original file line number	Diff line number	Diff line change
`@@ -76,8 +76,8 @@ variable "vpc_intel_images" {`
`76`	`76`	`sles_image = string`
`77`	`77`	`})`
`78`	`78`	`default = {`
`79`		`- rhel_image = "ibm-redhat-9-4-amd64-sap-applications-3"`
`80`		`- sles_image = "ibm-sles-15-5-amd64-sap-applications-4"`
	`79`	`+ "rhel_image" : "ibm-redhat-9-4-amd64-sap-applications-3"`
	`80`	`+ "sles_image" : "ibm-sles-15-5-amd64-sap-applications-4"`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`