constellation/.github/actions/self_managed_create/action.yml

name: Self-managed infrastructure creation
description: "Create the required infrastructure for a Constellation cluster manually."

inputs:
  cloudProvider:
    description: "The cloud provider the test runs on."
    required: true

runs:
  using: "composite"
  steps:
    - name: Copy Terraform configuration and Constellation config
      shell: bash
      working-directory:
      run: |
        cp -r ${{ github.workspace }}/terraform/infrastructure/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra
        cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra

    - name: Get CSP image reference
      id: get_image
      shell: bash
      working-directory: ${{ github.workspace }}/e2e-infra
      run: |
        echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT

    - name: Write Terraform variables
      shell: bash
      working-directory: ${{ github.workspace }}/e2e-infra
      run: |
        echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars
        echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars
        echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars
        echo "image_id = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
        echo "node_groups = {
          control_plane_default = {
            role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"
            zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\"
            instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\"
            disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\"
            disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\"
            initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\"
          }
          worker_default = {
            role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\"
            zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\"
            instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\"
            disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\"
            disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\"
            initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' constellation-conf.yaml)\"
          }
        }" >> terraform.tfvars
        if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then
          echo "iam_instance_profile_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "ami = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
          echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
        elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
          echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "create_maa = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
          echo "confidential_vm = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
          echo "secure_boot = $(yq '.provider.azure.secureBoot' constellation-conf.yaml)" >> terraform.tfvars
          echo "resource_group = \"$(yq '.provider.azure.resourceGroup' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "user_assigned_identity = \"$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)\"" >> terraform.tfvars
        elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
          echo "project = \"$(yq '.provider.gcp.project' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "region = \"$(yq '.provider.gcp.region' constellation-conf.yaml)\"" >> terraform.tfvars
          echo "zone = \"$(yq '.provider.gcp.zone' constellation-conf.yaml)\"" >> terraform.tfvars
        fi
        terraform fmt terraform.tfvars
        echo "Using Terraform variables:"
        cat terraform.tfvars

    - name: Apply Terraform configuration
      shell: bash
      working-directory: ${{ github.workspace }}/e2e-infra
      run: |
        terraform init
        terraform apply -auto-approve

    - name: Patch MAA Policy
      shell: bash
      working-directory: ${{ github.workspace }}/e2e-infra
      if: inputs.cloudProvider == 'azure'
      run: |
        ./constellation maa-patch $(terraform output attestationURL | jq -r)

    - name: Write outputs to state file
      shell: bash
      working-directory: ${{ github.workspace }}/e2e-infra
      run: |
        yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_nodes | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        yq eval ".infrastructure.apiServerCertSANs =$(terraform output -json api_server_cert_sans)" --inplace ${{ github.workspace }}/constellation-state.yaml
        if [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
          yq eval ".infrastructure.azure.resourceGroup =\"$(terraform output resource_group | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.azure.subscriptionID =\"$(terraform output subscription_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.azure.networkSecurityGroupName =\"$(terraform output network_security_group_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.azure.loadBalancerName =\"$(terraform output loadbalancer_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.azure.userAssignedIdentity =\"$(terraform output user_assigned_identity_client_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestationURL | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
          yq eval ".infrastructure.gcp.projectID =\"$(terraform output project | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
          yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pods | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
        fi