diff --git a/bazel/ci/terraform.sh.in b/bazel/ci/terraform.sh.in
index 456e312c4..777049106 100644
--- a/bazel/ci/terraform.sh.in
+++ b/bazel/ci/terraform.sh.in
@@ -46,7 +46,6 @@ excludeDirs=( excludeLockDirs=( "build" "terraform-provider-constellation" - "terraform/legacy-module" ) excludeCheckDirs=(
diff --git a/terraform/legacy-module/README.md b/terraform/legacy-module/README.md
deleted file mode 100644
index c755b0a54..000000000
--- a/terraform/legacy-module/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-## Constellation Terraform Modules
-
-> [!WARNING]
-> The Constellation Terraform modules are deprecated, and support will be discontinued in v2.15.0.
-> To continue managing Constellation clusters through Terraform, you can use the [Constellation Terraform provider](https://docs.edgeless.systems/constellation/workflows/terraform-provider).
-> Clusters created through the Constellation Terraform modules can also be [imported](https://registry.terraform.io/providers/edgelesssys/constellation/latest/docs/resources/cluster#import) to the Constellation Terraform provider.
diff --git a/terraform/legacy-module/aws-constellation/main.tf b/terraform/legacy-module/aws-constellation/main.tf
deleted file mode 100644
index 83c92528a..000000000
--- a/terraform/legacy-module/aws-constellation/main.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-locals {
- region = substr(var.zone, 0, length(var.zone) - 1)
-}
-
-module "aws_iam" {
- source = "../../infrastructure/iam/aws"
- name_prefix = var.name_prefix
- region = local.region
-}
-
-resource "null_resource" "ensure_yq" {
- provisioner "local-exec" {
- command = <<EOT
- ../common/install-yq.sh
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
-}
-
-module "fetch_image" {
- source = "../common/fetch-image"
- csp = "aws"
- attestation_variant = var.enable_snp ? "aws-sev-snp" : "aws-nitro-tpm"
- region = local.region
- image = var.image
- depends_on = [module.aws_iam, null_resource.ensure_yq]
-}
-
-module "aws" {
- source = "../../infrastructure/aws"
- name = var.name
- node_groups = var.node_groups
- iam_instance_profile_name_worker_nodes = module.aws_iam.iam_instance_profile_name_worker_nodes
- iam_instance_profile_name_control_plane = module.aws_iam.iam_instance_profile_name_control_plane
- image_id = module.fetch_image.image
- region = local.region
- zone = var.zone
- debug = var.debug
- enable_snp = var.enable_snp
- custom_endpoint = var.custom_endpoint
- additional_tags = var.additional_tags
-}
-
-module "constellation" {
- source = "../constellation-cluster"
- csp = "aws"
- debug = var.debug
- name = var.name
- image = var.image
- microservice_version = var.microservice_version
- kubernetes_version = var.kubernetes_version
- uid = module.aws.uid
- clusterEndpoint = module.aws.out_of_cluster_endpoint
- inClusterEndpoint = module.aws.in_cluster_endpoint
- initSecretHash = module.aws.init_secret
- ipCidrNode = module.aws.ip_cidr_node
- apiServerCertSANs = module.aws.api_server_cert_sans
- node_groups = var.node_groups
- aws_config = {
- region = local.region
- zone = var.zone
- iam_instance_profile_name_worker_nodes = module.aws_iam.iam_instance_profile_name_worker_nodes
- iam_instance_profile_name_control_plane = module.aws_iam.iam_instance_profile_name_control_plane
- }
- depends_on = [module.aws, null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/aws-constellation/variables.tf b/terraform/legacy-module/aws-constellation/variables.tf
deleted file mode 100644
index d0b181577..000000000
--- a/terraform/legacy-module/aws-constellation/variables.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-variable "name" {
- type = string
- description = "Name of the Constellation cluster."
-}
-
-variable "image" {
- type = string
- description = "Node image reference or semantic release version. When not set, the latest default version will be used."
- default = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zone = string
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
-}
-
-variable "zone" {
- type = string
- description = "The AWS availability zone name to create the cluster in."
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-variable "enable_snp" {
- type = bool
- default = true
- description = "Enable AMD SEV-SNP."
-}
-
-variable "custom_endpoint" {
- type = string
- default = ""
- description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
- type = bool
- default = false
- description = "Use an internal load balancer."
-}
-
-variable "name_prefix" {
- type = string
- description = "Prefix for all resources."
-}
-
-variable "additional_tags" {
- type = map(any)
- description = "Additional tags that should be applied to created resources."
-}
diff --git a/terraform/legacy-module/azure-constellation/main.tf b/terraform/legacy-module/azure-constellation/main.tf
deleted file mode 100644
index 9d5da0a08..000000000
--- a/terraform/legacy-module/azure-constellation/main.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-resource "null_resource" "ensure_yq" {
- provisioner "local-exec" {
- command = <<EOT
- ../common/install-yq.sh
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
-}
-
-module "fetch_image" {
- source = "../common/fetch-image"
- csp = "azure"
- attestation_variant = "azure-sev-snp"
- image = var.image
- depends_on = [null_resource.ensure_yq]
-}
-
-module "azure_iam" {
- source = "../../infrastructure/iam/azure"
- location = var.location
- service_principal_name = var.service_principal_name
- resource_group_name = var.resource_group_name
-}
-
-module "azure" {
- source = "../../infrastructure/azure"
- name = var.name
- user_assigned_identity = module.azure_iam.uami_id
- node_groups = var.node_groups
- location = var.location
- image_id = module.fetch_image.image
- debug = var.debug
- resource_group = module.azure_iam.base_resource_group
- create_maa = var.create_maa
- additional_tags = var.additional_tags
-}
-
-module "constellation" {
- source = "../constellation-cluster"
- csp = "azure"
- debug = var.debug
- name = var.name
- image = var.image
- microservice_version = var.microservice_version
- kubernetes_version = var.kubernetes_version
- uid = module.azure.uid
- clusterEndpoint = module.azure.out_of_cluster_endpoint
- inClusterEndpoint = module.azure.in_cluster_endpoint
- initSecretHash = module.azure.init_secret
- ipCidrNode = module.azure.ip_cidr_node
- apiServerCertSANs = module.azure.api_server_cert_sans
- node_groups = var.node_groups
- azure_config = {
- subscription = module.azure_iam.subscription_id
- tenant = module.azure_iam.tenant_id
- location = var.location
- resourceGroup = module.azure.resource_group
- userAssignedIdentity = module.azure_iam.uami_id
- deployCSIDriver = var.deploy_csi_driver
- secureBoot = var.secure_boot
- maaURL = module.azure.attestation_url
- networkSecurityGroupName = module.azure.network_security_group_name
- loadBalancerName = module.azure.loadbalancer_name
- }
- depends_on = [null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/azure-constellation/variables.tf b/terraform/legacy-module/azure-constellation/variables.tf
deleted file mode 100644
index 22d134fd5..000000000
--- a/terraform/legacy-module/azure-constellation/variables.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-variable "name" {
- type = string
- description = "Name of the Constellation cluster."
-}
-
-variable "image" {
- type = string
- description = "Node image reference or semantic release version. When not set, the latest default version will be used."
- default = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-variable "custom_endpoint" {
- type = string
- default = ""
- description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
- type = bool
- default = false
- description = "Use an internal load balancer."
-}
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zones = optional(list(string))
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
-}
-
-variable "service_principal_name" {
- type = string
- description = "Name of the service principal used to create the cluster."
-}
-
-variable "resource_group_name" {
- type = string
- description = "Name of the resource group the cluster's resources are created in."
-}
-
-variable "location" {
- type = string
- description = "Azure datacenter region the cluster will be deployed in."
-}
-
-variable "deploy_csi_driver" {
- type = bool
- default = true
- description = "Deploy the Azure Disk CSI driver with on-node encryption into the cluster."
-}
-
-variable "secure_boot" {
- type = bool
- default = false
- description = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
-}
-
-variable "create_maa" {
- type = bool
- default = true
- description = "Create an MAA for attestation."
-}
-
-variable "additional_tags" {
- type = map(any)
- description = "Additional tags that should be applied to created resources."
-}
diff --git a/terraform/legacy-module/common/fetch-image/main.tf b/terraform/legacy-module/common/fetch-image/main.tf
deleted file mode 100644
index dd32b88be..000000000
--- a/terraform/legacy-module/common/fetch-image/main.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-locals {
- image_ref = startswith(var.image, "v") ? "ref/-/stream/stable/${var.image}" : var.image
- region_filter = var.region != "" ? " and .region == \"${var.region}\"" : "" # apply region filter only if region field exists for the CSP
-
- fetch_image_command = <<EOT
- curl -s https://cdn.confidential.cloud/constellation/v2/${local.image_ref}/image/info.json | \
- ./yq eval '.list[] | select(.csp == "${var.csp}" and .attestationVariant == "${var.attestation_variant}"${local.region_filter}) | .reference' - | tr -d '\n' > "image.txt"
-
- if [ '${var.csp}' = 'azure' ]; then
- sed -i 's/CommunityGalleries/communityGalleries/g' image.txt
- sed -i 's/Images/images/g' image.txt
- sed -i 's/Versions/versions/g' image.txt
- fi
- EOT
-}
-
-
-resource "null_resource" "fetch_image" {
- provisioner "local-exec" {
- command = local.fetch_image_command
-
- environment = {
- attestation_variant = var.attestation_variant
- }
- }
- provisioner "local-exec" {
- when = destroy
- command = "rm image.txt"
- }
- triggers = {
- always_run = "${timestamp()}"
- }
-}
-
-data "local_file" "image" {
- filename = "image.txt"
- depends_on = [null_resource.fetch_image]
-}
diff --git a/terraform/legacy-module/common/fetch-image/output.tf b/terraform/legacy-module/common/fetch-image/output.tf
deleted file mode 100644
index 8fcdc030f..000000000
--- a/terraform/legacy-module/common/fetch-image/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "image" {
- description = "The resolved image ID of the CSP."
- value = data.local_file.image.content
-}
diff --git a/terraform/legacy-module/common/fetch-image/variables.tf b/terraform/legacy-module/common/fetch-image/variables.tf
deleted file mode 100644
index 25b88bd1b..000000000
--- a/terraform/legacy-module/common/fetch-image/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-variable "csp" {
- description = "The cloud service provider to fetch image data for."
- type = string
-}
-
-variable "attestation_variant" {
- description = "The attestation variant to fetch image data for."
- type = string
-}
-
-variable "region" {
- description = "The region to fetch image data for."
- type = string
- default = ""
-}
-
-variable "image" {
- description = "The image reference or semantical release version to fetch image data for."
- type = string
-}
diff --git a/terraform/legacy-module/common/install-yq.sh b/terraform/legacy-module/common/install-yq.sh
deleted file mode 100755
index 14c375fd9..000000000
--- a/terraform/legacy-module/common/install-yq.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env bash
-version="v4.35.2"
-if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
- echo "yq is already available and up to date."
- exit 0
-fi
-if [[ -f ./yq ]]; then
- echo "yq is already available but not at the required version. Replacing with ${version}."
- rm -f yq
-fi
-
-echo "Fetching yq ${version}"
-os=$(uname -s)
-arch=$(uname -m)
-url=""
-
-if [[ ${os} == "Darwin" ]]; then
- if [[ ${arch} == "arm64" ]]; then
- url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
- elif [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
- fi
-elif [[ ${os} == "Linux" ]]; then
- if [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
- elif [[ ${arch} == "arm64" ]]; then
- url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
- fi
-fi
-
-if [[ -z ${url} ]]; then
- echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
- exit 1
-else
- echo "Downloading yq from ${url}"
- curl -o yq -L "${url}"
- chmod +x ./yq
- ./yq --version
- if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
- echo "Version is incorrect"
- exit 1
- fi
-fi
diff --git a/terraform/legacy-module/constellation-cluster/install-constellation.sh b/terraform/legacy-module/constellation-cluster/install-constellation.sh
deleted file mode 100755
index b056db21a..000000000
--- a/terraform/legacy-module/constellation-cluster/install-constellation.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-if [[ -f ./constellation ]]; then
- echo "constellation CLI is already available."
- exit 0
-fi
-
-os=$(uname -s)
-arch=$(uname -m)
-version=$1
-url=""
-
-echo "Fetching constellation ${version}"
-
-if [[ ${os} == "Darwin" ]]; then
- if [[ ${arch} == "arm64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-arm64"
- elif [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-amd64"
- fi
-elif [[ ${os} == "Linux" ]]; then
- if [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-amd64"
- elif [[ ${arch} == "arm64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-arm64"
- fi
-fi
-
-if [[ -z ${url} ]]; then
- echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
- exit 1
-else
- curl -o constellation -L "${url}"
- chmod +x constellation
-fi
diff --git a/terraform/legacy-module/constellation-cluster/main.tf b/terraform/legacy-module/constellation-cluster/main.tf
deleted file mode 100644
index f84406f16..000000000
--- a/terraform/legacy-module/constellation-cluster/main.tf
+++ /dev/null
@@ -1,191 +0,0 @@
-locals {
- yq_node_groups = join("\n", flatten([
- for name, group in var.node_groups : [
- "./yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml",
- "./yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml",
- "./yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml",
- "./yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml",
- "./yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml",
- "./yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml"
- ]
- ]))
- gcp_sa_file_path = "service_account_file.json"
-}
-
-resource "null_resource" "ensure_cli" {
- provisioner "local-exec" {
- command = <<EOT
- ${path.module}/install-constellation.sh ${var.constellation_version}
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
-}
-
-// terraform_data resource so that it is run only once
-resource "terraform_data" "config_generate" {
- provisioner "local-exec" {
- command = <<EOT
- ./constellation config generate ${var.csp}
- EOT
- }
- depends_on = [
- null_resource.ensure_cli
- ]
-}
-
-resource "null_resource" "aws_config" {
- count = var.aws_config != null ? 1 : 0
- provisioner "local-exec" {
- command = <<EOT
- ./yq eval '.provider.aws.region = "${var.aws_config.region}"' -i constellation-conf.yaml
- ./yq eval '.provider.aws.zone = "${var.aws_config.zone}"' -i constellation-conf.yaml
- ./yq eval '.provider.aws.iamProfileControlPlane = "${var.aws_config.iam_instance_profile_name_control_plane}"' -i constellation-conf.yaml
- ./yq eval '.provider.aws.iamProfileWorkerNodes = "${var.aws_config.iam_instance_profile_name_worker_nodes}"' -i constellation-conf.yaml
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
- depends_on = [
- terraform_data.config_generate
- ]
-}
-
-resource "null_resource" "azure_config" {
- count = var.azure_config != null ? 1 : 0
- provisioner "local-exec" {
- command = <<EOT
- ./yq eval '.provider.azure.subscription = "${var.azure_config.subscription}"' -i constellation-conf.yaml
- ./yq eval '.provider.azure.tenant = "${var.azure_config.tenant}"' -i constellation-conf.yaml
- ./yq eval '.provider.azure.location = "${var.azure_config.location}"' -i constellation-conf.yaml
- ./yq eval '.provider.azure.resourceGroup = "${var.azure_config.resourceGroup}"' -i constellation-conf.yaml
- ./yq eval '.provider.azure.userAssignedIdentity = "${var.azure_config.userAssignedIdentity}"' -i constellation-conf.yaml
- ./yq eval '.provider.azure.deployCSIDriver = ${var.azure_config.deployCSIDriver}' -i constellation-conf.yaml
- ./yq eval '.provider.azure.secureBoot = ${var.azure_config.secureBoot}' -i constellation-conf.yaml
- ./yq eval '.infrastructure.azure.resourceGroup = "${var.azure_config.resourceGroup}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.azure.subscriptionID = "${var.azure_config.subscription}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.azure.networkSecurityGroupName = "${var.azure_config.networkSecurityGroupName}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.azure.loadBalancerName = "${var.azure_config.loadBalancerName}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.azure.userAssignedIdentity = "${var.azure_config.userAssignedIdentity}"' -i constellation-state.yaml
- if [ '${var.azure_config.maaURL}' != '' ]; then
- ./yq eval '.infrastructure.azure.attestationURL = "${var.azure_config.maaURL}"' -i constellation-state.yaml
- ./constellation maa-patch ${var.azure_config.maaURL}
- fi
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
- depends_on = [
- terraform_data.config_generate
- ]
-}
-
-resource "null_resource" "service_account_file" {
- count = var.gcp_config != null ? 1 : 0
- provisioner "local-exec" {
- command = <<EOT
- echo ${var.gcp_config.serviceAccountKey} | base64 -d > "${local.gcp_sa_file_path}"
- EOT
- }
- provisioner "local-exec" {
- when = destroy
- command = "rm ${self.triggers.file_path}"
- }
- triggers = {
- always_run = timestamp()
- file_path = local.gcp_sa_file_path
- }
-}
-
-resource "null_resource" "gcp_config" {
- count = var.gcp_config != null ? 1 : 0
- provisioner "local-exec" {
- command = <<EOT
- ./yq eval '.provider.gcp.project = "${var.gcp_config.project}"' -i constellation-conf.yaml
- ./yq eval '.provider.gcp.region = "${var.gcp_config.region}"' -i constellation-conf.yaml
- ./yq eval '.provider.gcp.zone = "${var.gcp_config.zone}"' -i constellation-conf.yaml
- ./yq eval '.provider.gcp.serviceAccountKeyPath = "${local.gcp_sa_file_path}"' -i constellation-conf.yaml
- ./yq eval '.infrastructure.gcp.projectID = "${var.gcp_config.project}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.gcp.ipCidrPod = "${var.gcp_config.ipCidrPod}"' -i constellation-state.yaml
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
- depends_on = [
- terraform_data.config_generate, null_resource.service_account_file
- ]
-}
-
-resource "null_resource" "config" {
- provisioner "local-exec" {
- command = <<EOT
- ./yq eval '.name = "${var.name}"' -i constellation-conf.yaml
- if [ "${var.image}" != "" ]; then
- ./yq eval '.image = "${var.image}"' -i constellation-conf.yaml
- fi
- if [ "${var.kubernetes_version}" != "" ]; then
- ./yq eval '.kubernetesVersion = "${var.kubernetes_version}"' -i constellation-conf.yaml
- fi
- if [ "${var.microservice_version}" != "" ]; then
- ./yq eval '.microserviceVersion = "${var.microservice_version}"' -i constellation-conf.yaml
- fi
- if [ "${var.serviceCidr}" != "" ]; then
- ./yq eval '.serviceCIDR = "${var.serviceCidr}"' -i constellation-conf.yaml
- fi
- ${local.yq_node_groups}
- ./constellation config fetch-measurements ${var.debug == true ? "--insecure" : ""}
- EOT
- }
-
- depends_on = [
- null_resource.aws_config, null_resource.gcp_config, null_resource.azure_config
- ]
-
- triggers = {
- always_run = timestamp()
- }
-}
-
-
-resource "null_resource" "infra_state" {
- provisioner "local-exec" {
- command = <<EOT
- ./yq eval '.infrastructure.uid = "${var.uid}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.inClusterEndpoint = "${var.inClusterEndpoint}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.clusterEndpoint = "${var.clusterEndpoint}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.initSecret = "'"$(echo "${var.initSecretHash}" | tr -d '\n' | hexdump -ve '/1 "%02x"')"'"' -i constellation-state.yaml
- ./yq eval '.infrastructure.apiServerCertSANs = ${jsonencode(var.apiServerCertSANs)}' -i constellation-state.yaml
- ./yq eval '.infrastructure.name = "${var.name}"' -i constellation-state.yaml
- ./yq eval '.infrastructure.ipCidrNode = "${var.ipCidrNode}"' -i constellation-state.yaml
- EOT
- }
- depends_on = [
- terraform_data.config_generate
- ]
- triggers = {
- always_run = timestamp()
- }
-}
-
-
-resource "null_resource" "apply" {
- provisioner "local-exec" {
- command = "./constellation apply --debug --yes --skip-phases infrastructure"
- }
-
- provisioner "local-exec" {
- when = destroy
- command = "./constellation terminate --yes && rm constellation-conf.yaml constellation-mastersecret.json && rm -r constellation-upgrade"
- }
-
- depends_on = [
- null_resource.infra_state, null_resource.config, null_resource.ensure_cli
- ]
- triggers = {
- always_run = timestamp()
- }
-}
diff --git a/terraform/legacy-module/constellation-cluster/variables.tf b/terraform/legacy-module/constellation-cluster/variables.tf
deleted file mode 100644
index 7eb70169c..000000000
--- a/terraform/legacy-module/constellation-cluster/variables.tf
+++ /dev/null
@@ -1,133 +0,0 @@
-variable "constellation_version" {
- type = string
- description = "Constellation CLI version to use."
- default = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "image" {
- type = string
- description = "The node image reference or semantic release version."
-}
-
-variable "csp" {
- type = string
- description = "The cloud service provider to use."
- validation {
- condition = var.csp == "aws" || var.csp == "gcp" || var.csp == "azure"
- error_message = "The cloud service provider to use."
- }
-}
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zone = optional(string, "") # For AWS, GCP
- zones = optional(list(string), []) # For Azure
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
-}
-
-variable "name" {
- type = string
- description = "Name used in the cluster's named resources / cluster name."
-}
-
-variable "uid" {
- type = string
- description = "The UID of the Constellation."
-}
-
-variable "clusterEndpoint" {
- type = string
- description = "Endpoint of the cluster."
-}
-
-variable "inClusterEndpoint" {
- type = string
- description = "The endpoint the cluster uses to reach itself. This might differ from the ClusterEndpoint in case e.g. an internal load balancer is used."
-}
-
-variable "initSecretHash" {
- type = string
- description = "Init secret hash."
-}
-
-variable "ipCidrNode" {
- type = string
- description = "Node IP CIDR."
-}
-
-variable "serviceCidr" {
- type = string
- default = ""
- description = "Kubernetes service CIDR. This is only used during first initialization of Constellation."
-}
-
-variable "apiServerCertSANs" {
- type = list(string)
- description = "List of additional SANs (Subject Alternative Names) for the Kubernetes API server certificate."
-}
-
-variable "aws_config" {
- type = object({
- region = string
- zone = string
- iam_instance_profile_name_worker_nodes = string
- iam_instance_profile_name_control_plane = string
- })
- description = "The cluster config for AWS."
- default = null
-}
-
-variable "azure_config" {
- type = object({
- subscription = string
- tenant = string
- location = string
- resourceGroup = string
- userAssignedIdentity = string
- deployCSIDriver = bool
- secureBoot = bool
- maaURL = string
- networkSecurityGroupName = string
- loadBalancerName = string
- })
- description = "The cluster config for Azure."
- default = null
-}
-
-variable "gcp_config" {
- type = object({
- region = string
- zone = string
- project = string
- ipCidrPod = string
- serviceAccountKey = string
- })
- description = "The cluster config for GCP."
- default = null
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version."
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version."
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
diff --git a/terraform/legacy-module/gcp-constellation/main.tf b/terraform/legacy-module/gcp-constellation/main.tf
deleted file mode 100644
index 879f6b69b..000000000
--- a/terraform/legacy-module/gcp-constellation/main.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-locals {
- region = substr(var.zone, 0, length(var.zone) - 2)
-}
-
-module "gcp_iam" {
- source = "../../infrastructure/iam/gcp"
- project_id = var.project
- service_account_id = var.service_account_id
- region = local.region
- zone = var.zone
-}
-
-
-resource "null_resource" "ensure_yq" {
- provisioner "local-exec" {
- command = <<EOT
- ../common/install-yq.sh
- EOT
- }
- triggers = {
- always_run = timestamp()
- }
-}
-
-module "fetch_image" {
- source = "../common/fetch-image"
- csp = "gcp"
- attestation_variant = "gcp-sev-es"
- image = var.image
- depends_on = [null_resource.ensure_yq]
-}
-
-
-module "gcp" {
- source = "../../infrastructure/gcp"
- project = var.project
- image_id = module.fetch_image.image
- name = var.name
- node_groups = var.node_groups
- region = local.region
- zone = var.zone
- debug = var.debug
- custom_endpoint = var.custom_endpoint
- cc_technology = var.cc_technology
- additional_labels = var.additional_labels
-}
-
-module "constellation" {
- source = "../constellation-cluster"
- csp = "gcp"
- debug = var.debug
- name = var.name
- image = var.image
- microservice_version = var.microservice_version
- kubernetes_version = var.kubernetes_version
- uid = module.gcp.uid
- clusterEndpoint = module.gcp.out_of_cluster_endpoint
- inClusterEndpoint = module.gcp.in_cluster_endpoint
- initSecretHash = module.gcp.init_secret
- ipCidrNode = module.gcp.ip_cidr_node
- apiServerCertSANs = module.gcp.api_server_cert_sans
- node_groups = var.node_groups
- gcp_config = {
- region = local.region
- zone = var.zone
- project = var.project
- ipCidrPod = module.gcp.ip_cidr_pod
- serviceAccountKey = module.gcp_iam.service_account_key
- }
- depends_on = [module.gcp, null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/gcp-constellation/variables.tf b/terraform/legacy-module/gcp-constellation/variables.tf
deleted file mode 100644
index 8ddca125d..000000000
--- a/terraform/legacy-module/gcp-constellation/variables.tf
+++ /dev/null
@@ -1,86 +0,0 @@
-variable "name" {
- type = string
- description = "Name of the Constellation cluster."
-}
-
-variable "project" {
- type = string
- description = "The project ID to deploy the cluster to."
-}
-
-variable "service_account_id" {
- type = string
- description = "The service account ID to use for the cluster."
-}
-
-variable "image" {
- type = string
- description = "Node image reference or semantic release version. When not set, the latest default version will be used."
- default = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version. When not set, the latest default version will be used."
- default = ""
-}
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zone = string
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
-}
-
-variable "zone" {
- type = string
- description = "The availability zone name to create the cluster in."
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-
-variable "custom_endpoint" {
- type = string
- default = ""
- description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
- type = bool
- default = false
- description = "Use an internal load balancer."
-}
-
-variable "cc_technology" {
- type = string
- description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`."
- validation {
- condition = contains(["SEV", "SEV_SNP"], var.cc_technology)
- error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
- }
-}
-
-variable "additional_labels" {
- type = map(any)
- description = "Additional labels that should be given to created recources."
-}