165 lines
6.9 KiB
YAML
Raw Normal View History

name: Terraform provider apply
description: "Create/Apply a Constellation cluster using the Terraform provider."
inputs:
cloudProvider:
description: "The cloud provider the test runs on."
required: true
runs:
using: "composite"
steps:
- name: Create Terraform file
shell: bash
run: |
attestationVariant=""
case "$(yq '.attestation | keys | .[0]' constellation-conf.yaml)" in
"awsSEVSNP")
attestationVariant="aws-sev-snp"
;;
"azureSEVSNP")
attestationVariant="azure-sev-snp"
;;
"azureTDX")
attestationVariant="azure-tdx"
;;
"gcpSEVES")
attestationVariant="gcp-sev-es"
;;
# TODO(msanft): Enable once stable GCP SEV-SNP images exist.
# "gcpSEVSNP")
# attestationVariant="gcp-sev-snp"
# ;;
*)
echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
exit 1
;;
esac
cat << EOF > main.tf
terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
version = "$(yq '.microserviceVersion' constellation-conf.yaml | sed 's/^v//')"
}
random = {
source = "hashicorp/random"
version = "3.6.0"
}
}
}
resource "random_bytes" "master_secret" {
length = 32
}
resource "random_bytes" "master_secret_salt" {
length = 32
}
resource "random_bytes" "measurement_salt" {
length = 32
}
data "constellation_attestation" "con_attestation" {
csp = "${{ inputs.cloudProvider }}"
attestation_variant = "${attestationVariant}"
image = data.constellation_image.con_image.image
maa_url = "$(yq '.infrastructure.azure.attestationURL' constellation-state.yaml)"
insecure = true
}
data "constellation_image" "con_image" {
version = "$(yq '.image' constellation-conf.yaml)"
attestation_variant = "${attestationVariant}"
csp = "${{ inputs.cloudProvider }}"
region = "$(yq '.provider.aws.region' constellation-conf.yaml)"
}
resource "constellation_cluster" "cluster" {
csp = "${{ inputs.cloudProvider }}"
constellation_microservice_version = "$(yq '.microserviceVersion' constellation-conf.yaml)"
name = "$(yq '.name' constellation-conf.yaml)"
uid = "$(yq '.infrastructure.uid' constellation-state.yaml)"
image = data.constellation_image.con_image.image
attestation = data.constellation_attestation.con_attestation.attestation
init_secret = "$(yq '.infrastructure.initSecret' constellation-state.yaml | xxd -r -p)"
master_secret = random_bytes.master_secret.hex
master_secret_salt = random_bytes.master_secret_salt.hex
measurement_salt = random_bytes.measurement_salt.hex
out_of_cluster_endpoint = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)"
in_cluster_endpoint = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)"
kubernetes_version = "$(yq '.kubernetesVersion' constellation-conf.yaml)"
azure = {
count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0
tenant_id = "$(yq '.provider.azure.tenant' constellation-conf.yaml)"
subscription_id = "$(yq '.infrastructure.azure.subscriptionID' constellation-state.yaml)"
uami_client_id = "$(yq '.infrastructure.azure.userAssignedIdentity' constellation-state.yaml)"
uami_resource_id = "$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)"
location = "$(yq '.provider.azure.location' constellation-conf.yaml)"
resource_group = "$(yq '.infrastructure.azure.resourceGroup' constellation-state.yaml)"
load_balancer_name = "$(yq '.infrastructure.azure.loadBalancerName' constellation-state.yaml)"
network_security_group_name = "$(yq '.infrastructure.azure.networkSecurityGroupName' constellation-state.yaml)"
}
gcp = {
count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "gcp" ? 1 : 0
project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
}
network_config = {
ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
ip_cidr_pod = "$(yq '.infrastructure.gcp.ipCidrPod' constellation-state.yaml)" # This is null for everything but GCP
}
}
output "master_secret" {
value = random_bytes.master_secret.base64
sensitive = true
}
output "master_secret_salt" {
value = random_bytes.master_secret_salt.base64
sensitive = true
}
output "measurement_salt" {
value = random_bytes.measurement_salt.hex
sensitive = true
}
output "cluster_id" {
value = constellation_cluster.cluster.cluster_id
}
output "owner_id" {
value = constellation_cluster.cluster.owner_id
}
output "kubeconfig" {
value = constellation_cluster.cluster.kubeconfig
sensitive = true
}
EOF
- name: Apply Terraform configuration
shell: bash
run: |
terraform init
terraform apply -auto-approve
- name: Write output
shell: bash
run: |
terraform output -raw kubeconfig > "$(pwd)/constellation-admin.conf"
yq -i ".clusterValues.measurementSalt = $(terraform output measurement_salt)" constellation-state.yaml
yq -i ".clusterValues.clusterID = $(terraform output cluster_id)" constellation-state.yaml
yq -i ".clusterValues.ownerID = $(terraform output owner_id)" constellation-state.yaml
cat << EOF > constellation-mastersecret.json
{
"key": "$(terraform output -raw master_secret)",
"salt": "$(terraform output -raw master_secret_salt)"
}
EOF