AB#2436: Initial support for create/terminate AWS NitroTPM instances

* Add .DS_Store to .gitignore

* Add AWS to config / supported instance types

* Move AWS terraform skeleton to cli/internal/terraform

* Move currently unused IAM to hack/terraform/aws

* Print supported AWS instance types when AWS dev flag is set

* Block everything aTLS related (e.g. init, verify) until AWS attestation is available

* Create/Terminate AWS dev cluster when dev flag is set

* Restrict Nitro instances to NitroTPM supported specifically

* Pin zone for subnets

This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, which would leave the load balancer unable
to reach its targets.

Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.

* Add AWS/GCP to Terraform TestLoader unit test

* Add uid tag and create log group

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
Nils Hanke 2022-10-21 12:24:18 +02:00 committed by GitHub
parent 07f02a442c
commit 04c4cff9f6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 940 additions and 314 deletions


@ -36,6 +36,10 @@ type Validator struct {
func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Validator, error) {
v := Validator{}
if provider == cloudprovider.AWS {
// TODO: Implement AWS validator
return nil, errors.New("no validator for AWS available yet")
}
if provider == cloudprovider.Unknown {
return nil, errors.New("unknown cloud provider")
}
@ -100,14 +104,14 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
func (v *Validator) setPCRs(config *config.Config) error {
switch v.provider {
case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements
enforcedPCRs := config.Provider.GCP.EnforcedMeasurements
if err := v.checkPCRs(gcpPCRs, enforcedPCRs); err != nil {
case cloudprovider.AWS:
awsPCRs := config.Provider.AWS.Measurements
enforcedPCRs := config.Provider.AWS.EnforcedMeasurements
if err := v.checkPCRs(awsPCRs, enforcedPCRs); err != nil {
return err
}
v.enforcedPCRs = enforcedPCRs
v.pcrs = gcpPCRs
v.pcrs = awsPCRs
case cloudprovider.Azure:
azurePCRs := config.Provider.Azure.Measurements
enforcedPCRs := config.Provider.Azure.EnforcedMeasurements
@ -116,6 +120,14 @@ func (v *Validator) setPCRs(config *config.Config) error {
}
v.enforcedPCRs = enforcedPCRs
v.pcrs = azurePCRs
case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements
enforcedPCRs := config.Provider.GCP.EnforcedMeasurements
if err := v.checkPCRs(gcpPCRs, enforcedPCRs); err != nil {
return err
}
v.enforcedPCRs = enforcedPCRs
v.pcrs = gcpPCRs
case cloudprovider.QEMU:
qemuPCRs := config.Provider.QEMU.Measurements
enforcedPCRs := config.Provider.QEMU.EnforcedMeasurements
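Review bot: The AWS refusal added at the top of NewValidator is the only thing that keeps an AWS configuration from reaching the measurement path while no AWS attestation exists, yet it is a bare errors.New that callers and tests cannot match with errors.Is, and its only comment is a TODO. Declare a package-level sentinel, `var ErrAWSValidatorUnavailable = errors.New("no validator for AWS available yet")`, return it from the guard, and add a why-comment such as `// Fail closed: AWS NitroTPM attestation is not implemented yet, so refuse to hand out a validator rather than fall through to one with no provider-specific check.` so that the aTLS-dependent commands this commit blocks (init, verify) can assert on the condition and the guard is not loosened silently later. The new `case cloudprovider.AWS` in setPCRs appears unreachable through NewValidator for now; if it is intentional preparation, a short comment saying so would help, and if config.Provider.AWS can be nil when the provider is AWS (I cannot tell from these hunks), the field reads there would panic and deserve a nil check like the other providers presumably rely on. Both NewValidator and setPCRs continue outside the visible hunks.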