From 368b52a4dd82437d0ba57d336b202730b9311c0d Mon Sep 17 00:00:00 2001
From: 3u13r <lc@edgeless.systems>
Date: Mon, 10 Mar 2025 13:21:19 +0100
Subject: [PATCH] terraform: remove legacy infrastructure modules (#3691)

---
 bazel/ci/terraform.sh.in                      |   1 -
 terraform/legacy-module/README.md             |   6 -
 .../legacy-module/aws-constellation/main.tf   |  68 -------
 .../aws-constellation/variables.tf            |  77 -------
 .../legacy-module/azure-constellation/main.tf |  68 -------
 .../azure-constellation/variables.tf          |  94 ---------
 .../legacy-module/common/fetch-image/main.tf  |  38 ----
 .../common/fetch-image/output.tf              |   4 -
 .../common/fetch-image/variables.tf           |  20 --
 terraform/legacy-module/common/install-yq.sh  |  43 ----
 .../install-constellation.sh                  |  34 ----
 .../constellation-cluster/main.tf             | 191 ------------------
 .../constellation-cluster/variables.tf        | 133 ------------
 .../legacy-module/gcp-constellation/main.tf   |  71 -------
 .../gcp-constellation/variables.tf            |  86 --------
 15 files changed, 934 deletions(-)
 delete mode 100644 terraform/legacy-module/README.md
 delete mode 100644 terraform/legacy-module/aws-constellation/main.tf
 delete mode 100644 terraform/legacy-module/aws-constellation/variables.tf
 delete mode 100644 terraform/legacy-module/azure-constellation/main.tf
 delete mode 100644 terraform/legacy-module/azure-constellation/variables.tf
 delete mode 100644 terraform/legacy-module/common/fetch-image/main.tf
 delete mode 100644 terraform/legacy-module/common/fetch-image/output.tf
 delete mode 100644 terraform/legacy-module/common/fetch-image/variables.tf
 delete mode 100755 terraform/legacy-module/common/install-yq.sh
 delete mode 100755 terraform/legacy-module/constellation-cluster/install-constellation.sh
 delete mode 100644 terraform/legacy-module/constellation-cluster/main.tf
 delete mode 100644 terraform/legacy-module/constellation-cluster/variables.tf
 delete mode 100644 terraform/legacy-module/gcp-constellation/main.tf
 delete mode 100644 terraform/legacy-module/gcp-constellation/variables.tf

diff --git a/bazel/ci/terraform.sh.in b/bazel/ci/terraform.sh.in
index 456e312c4..777049106 100644
--- a/bazel/ci/terraform.sh.in
+++ b/bazel/ci/terraform.sh.in
@@ -46,7 +46,6 @@ excludeDirs=(
 excludeLockDirs=(
   "build"
   "terraform-provider-constellation"
-  "terraform/legacy-module"
 )
 
 excludeCheckDirs=(
diff --git a/terraform/legacy-module/README.md b/terraform/legacy-module/README.md
deleted file mode 100644
index c755b0a54..000000000
--- a/terraform/legacy-module/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-## Constellation Terraform Modules
-
-> [!WARNING]
-> The Constellation Terraform modules are deprecated, and support will be discontinued in v2.15.0.
-> To continue managing Constellation clusters through Terraform, you can use the [Constellation Terraform provider](https://docs.edgeless.systems/constellation/workflows/terraform-provider).
-> Clusters created through the Constellation Terraform modules can also be [imported](https://registry.terraform.io/providers/edgelesssys/constellation/latest/docs/resources/cluster#import) to the Constellation Terraform provider.
diff --git a/terraform/legacy-module/aws-constellation/main.tf b/terraform/legacy-module/aws-constellation/main.tf
deleted file mode 100644
index 83c92528a..000000000
--- a/terraform/legacy-module/aws-constellation/main.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-locals {
-  region = substr(var.zone, 0, length(var.zone) - 1)
-}
-
-module "aws_iam" {
-  source      = "../../infrastructure/iam/aws"
-  name_prefix = var.name_prefix
-  region      = local.region
-}
-
-resource "null_resource" "ensure_yq" {
-  provisioner "local-exec" {
-    command = <<EOT
-         ../common/install-yq.sh
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-module "fetch_image" {
-  source              = "../common/fetch-image"
-  csp                 = "aws"
-  attestation_variant = var.enable_snp ? "aws-sev-snp" : "aws-nitro-tpm"
-  region              = local.region
-  image               = var.image
-  depends_on          = [module.aws_iam, null_resource.ensure_yq]
-}
-
-module "aws" {
-  source                                  = "../../infrastructure/aws"
-  name                                    = var.name
-  node_groups                             = var.node_groups
-  iam_instance_profile_name_worker_nodes  = module.aws_iam.iam_instance_profile_name_worker_nodes
-  iam_instance_profile_name_control_plane = module.aws_iam.iam_instance_profile_name_control_plane
-  image_id                                = module.fetch_image.image
-  region                                  = local.region
-  zone                                    = var.zone
-  debug                                   = var.debug
-  enable_snp                              = var.enable_snp
-  custom_endpoint                         = var.custom_endpoint
-  additional_tags                         = var.additional_tags
-}
-
-module "constellation" {
-  source               = "../constellation-cluster"
-  csp                  = "aws"
-  debug                = var.debug
-  name                 = var.name
-  image                = var.image
-  microservice_version = var.microservice_version
-  kubernetes_version   = var.kubernetes_version
-  uid                  = module.aws.uid
-  clusterEndpoint      = module.aws.out_of_cluster_endpoint
-  inClusterEndpoint    = module.aws.in_cluster_endpoint
-  initSecretHash       = module.aws.init_secret
-  ipCidrNode           = module.aws.ip_cidr_node
-  apiServerCertSANs    = module.aws.api_server_cert_sans
-  node_groups          = var.node_groups
-  aws_config = {
-    region                                  = local.region
-    zone                                    = var.zone
-    iam_instance_profile_name_worker_nodes  = module.aws_iam.iam_instance_profile_name_worker_nodes
-    iam_instance_profile_name_control_plane = module.aws_iam.iam_instance_profile_name_control_plane
-  }
-  depends_on = [module.aws, null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/aws-constellation/variables.tf b/terraform/legacy-module/aws-constellation/variables.tf
deleted file mode 100644
index d0b181577..000000000
--- a/terraform/legacy-module/aws-constellation/variables.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-variable "name" {
-  type        = string
-  description = "Name of the Constellation cluster."
-}
-
-variable "image" {
-  type        = string
-  description = "Node image reference or semantic release version. When not set, the latest default version will be used."
-  default     = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
-  type        = string
-  description = "Microservice version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "kubernetes_version" {
-  type        = string
-  description = "Kubernetes version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "node_groups" {
-  type = map(object({
-    role          = string
-    initial_count = optional(number)
-    instance_type = string
-    disk_size     = number
-    disk_type     = string
-    zone          = string
-  }))
-  description = "A map of node group names to node group configurations."
-  validation {
-    condition     = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
-    error_message = "The role has to be 'control-plane' or 'worker'."
-  }
-}
-
-variable "zone" {
-  type        = string
-  description = "The AWS availability zone name to create the cluster in."
-}
-
-variable "debug" {
-  type        = bool
-  default     = false
-  description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-variable "enable_snp" {
-  type        = bool
-  default     = true
-  description = "Enable AMD SEV-SNP."
-}
-
-variable "custom_endpoint" {
-  type        = string
-  default     = ""
-  description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
-  type        = bool
-  default     = false
-  description = "Use an internal load balancer."
-}
-
-variable "name_prefix" {
-  type        = string
-  description = "Prefix for all resources."
-}
-
-variable "additional_tags" {
-  type        = map(any)
-  description = "Additional tags that should be applied to created resources."
-}
diff --git a/terraform/legacy-module/azure-constellation/main.tf b/terraform/legacy-module/azure-constellation/main.tf
deleted file mode 100644
index 9d5da0a08..000000000
--- a/terraform/legacy-module/azure-constellation/main.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-resource "null_resource" "ensure_yq" {
-  provisioner "local-exec" {
-    command = <<EOT
-         ../common/install-yq.sh
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-module "fetch_image" {
-  source              = "../common/fetch-image"
-  csp                 = "azure"
-  attestation_variant = "azure-sev-snp"
-  image               = var.image
-  depends_on          = [null_resource.ensure_yq]
-}
-
-module "azure_iam" {
-  source                 = "../../infrastructure/iam/azure"
-  location               = var.location
-  service_principal_name = var.service_principal_name
-  resource_group_name    = var.resource_group_name
-}
-
-module "azure" {
-  source                 = "../../infrastructure/azure"
-  name                   = var.name
-  user_assigned_identity = module.azure_iam.uami_id
-  node_groups            = var.node_groups
-  location               = var.location
-  image_id               = module.fetch_image.image
-  debug                  = var.debug
-  resource_group         = module.azure_iam.base_resource_group
-  create_maa             = var.create_maa
-  additional_tags        = var.additional_tags
-}
-
-module "constellation" {
-  source               = "../constellation-cluster"
-  csp                  = "azure"
-  debug                = var.debug
-  name                 = var.name
-  image                = var.image
-  microservice_version = var.microservice_version
-  kubernetes_version   = var.kubernetes_version
-  uid                  = module.azure.uid
-  clusterEndpoint      = module.azure.out_of_cluster_endpoint
-  inClusterEndpoint    = module.azure.in_cluster_endpoint
-  initSecretHash       = module.azure.init_secret
-  ipCidrNode           = module.azure.ip_cidr_node
-  apiServerCertSANs    = module.azure.api_server_cert_sans
-  node_groups          = var.node_groups
-  azure_config = {
-    subscription             = module.azure_iam.subscription_id
-    tenant                   = module.azure_iam.tenant_id
-    location                 = var.location
-    resourceGroup            = module.azure.resource_group
-    userAssignedIdentity     = module.azure_iam.uami_id
-    deployCSIDriver          = var.deploy_csi_driver
-    secureBoot               = var.secure_boot
-    maaURL                   = module.azure.attestation_url
-    networkSecurityGroupName = module.azure.network_security_group_name
-    loadBalancerName         = module.azure.loadbalancer_name
-  }
-  depends_on = [null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/azure-constellation/variables.tf b/terraform/legacy-module/azure-constellation/variables.tf
deleted file mode 100644
index 22d134fd5..000000000
--- a/terraform/legacy-module/azure-constellation/variables.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-variable "name" {
-  type        = string
-  description = "Name of the Constellation cluster."
-}
-
-variable "image" {
-  type        = string
-  description = "Node image reference or semantic release version. When not set, the latest default version will be used."
-  default     = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
-  type        = string
-  description = "Microservice version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "kubernetes_version" {
-  type        = string
-  description = "Kubernetes version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "debug" {
-  type        = bool
-  default     = false
-  description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-variable "custom_endpoint" {
-  type        = string
-  default     = ""
-  description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
-  type        = bool
-  default     = false
-  description = "Use an internal load balancer."
-}
-
-variable "node_groups" {
-  type = map(object({
-    role          = string
-    initial_count = optional(number)
-    instance_type = string
-    disk_size     = number
-    disk_type     = string
-    zones         = optional(list(string))
-  }))
-  description = "A map of node group names to node group configurations."
-  validation {
-    condition     = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
-    error_message = "The role has to be 'control-plane' or 'worker'."
-  }
-}
-
-variable "service_principal_name" {
-  type        = string
-  description = "Name of the service principal used to create the cluster."
-}
-
-variable "resource_group_name" {
-  type        = string
-  description = "Name of the resource group the cluster's resources are created in."
-}
-
-variable "location" {
-  type        = string
-  description = "Azure datacenter region the cluster will be deployed in."
-}
-
-variable "deploy_csi_driver" {
-  type        = bool
-  default     = true
-  description = "Deploy the Azure Disk CSI driver with on-node encryption into the cluster."
-}
-
-variable "secure_boot" {
-  type        = bool
-  default     = false
-  description = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
-}
-
-variable "create_maa" {
-  type        = bool
-  default     = true
-  description = "Create an MAA for attestation."
-}
-
-variable "additional_tags" {
-  type        = map(any)
-  description = "Additional tags that should be applied to created resources."
-}
diff --git a/terraform/legacy-module/common/fetch-image/main.tf b/terraform/legacy-module/common/fetch-image/main.tf
deleted file mode 100644
index dd32b88be..000000000
--- a/terraform/legacy-module/common/fetch-image/main.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-locals {
-  image_ref     = startswith(var.image, "v") ? "ref/-/stream/stable/${var.image}" : var.image
-  region_filter = var.region != "" ? " and .region == \"${var.region}\"" : "" # apply region filter only if region field exists for the CSP
-
-  fetch_image_command = <<EOT
-    curl -s https://cdn.confidential.cloud/constellation/v2/${local.image_ref}/image/info.json | \
-    ./yq eval '.list[] | select(.csp == "${var.csp}" and .attestationVariant == "${var.attestation_variant}"${local.region_filter}) | .reference' - | tr -d '\n' > "image.txt"
-
-    if [ '${var.csp}' = 'azure' ]; then
-      sed -i 's/CommunityGalleries/communityGalleries/g' image.txt
-      sed -i 's/Images/images/g' image.txt
-      sed -i 's/Versions/versions/g' image.txt
-    fi
-  EOT
-}
-
-
-resource "null_resource" "fetch_image" {
-  provisioner "local-exec" {
-    command = local.fetch_image_command
-
-    environment = {
-      attestation_variant = var.attestation_variant
-    }
-  }
-  provisioner "local-exec" {
-    when    = destroy
-    command = "rm image.txt"
-  }
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-}
-
-data "local_file" "image" {
-  filename   = "image.txt"
-  depends_on = [null_resource.fetch_image]
-}
diff --git a/terraform/legacy-module/common/fetch-image/output.tf b/terraform/legacy-module/common/fetch-image/output.tf
deleted file mode 100644
index 8fcdc030f..000000000
--- a/terraform/legacy-module/common/fetch-image/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "image" {
-  description = "The resolved image ID of the CSP."
-  value       = data.local_file.image.content
-}
diff --git a/terraform/legacy-module/common/fetch-image/variables.tf b/terraform/legacy-module/common/fetch-image/variables.tf
deleted file mode 100644
index 25b88bd1b..000000000
--- a/terraform/legacy-module/common/fetch-image/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-variable "csp" {
-  description = "The cloud service provider to fetch image data for."
-  type        = string
-}
-
-variable "attestation_variant" {
-  description = "The attestation variant to fetch image data for."
-  type        = string
-}
-
-variable "region" {
-  description = "The region to fetch image data for."
-  type        = string
-  default     = ""
-}
-
-variable "image" {
-  description = "The image reference or semantical release version to fetch image data for."
-  type        = string
-}
diff --git a/terraform/legacy-module/common/install-yq.sh b/terraform/legacy-module/common/install-yq.sh
deleted file mode 100755
index 14c375fd9..000000000
--- a/terraform/legacy-module/common/install-yq.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env bash
-version="v4.35.2"
-if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
-  echo "yq is already available and up to date."
-  exit 0
-fi
-if [[ -f ./yq ]]; then
-  echo "yq is already available but not at the required version. Replacing with ${version}."
-  rm -f yq
-fi
-
-echo "Fetching yq ${version}"
-os=$(uname -s)
-arch=$(uname -m)
-url=""
-
-if [[ ${os} == "Darwin" ]]; then
-  if [[ ${arch} == "arm64" ]]; then
-    url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
-  elif [[ ${arch} == "x86_64" ]]; then
-    url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
-  fi
-elif [[ ${os} == "Linux" ]]; then
-  if [[ ${arch} == "x86_64" ]]; then
-    url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
-  elif [[ ${arch} == "arm64" ]]; then
-    url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
-  fi
-fi
-
-if [[ -z ${url} ]]; then
-  echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
-  exit 1
-else
-  echo "Downloading yq from ${url}"
-  curl -o yq -L "${url}"
-  chmod +x ./yq
-  ./yq --version
-  if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
-    echo "Version is incorrect"
-    exit 1
-  fi
-fi
diff --git a/terraform/legacy-module/constellation-cluster/install-constellation.sh b/terraform/legacy-module/constellation-cluster/install-constellation.sh
deleted file mode 100755
index b056db21a..000000000
--- a/terraform/legacy-module/constellation-cluster/install-constellation.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-if [[ -f ./constellation ]]; then
-  echo "constellation CLI is already available."
-  exit 0
-fi
-
-os=$(uname -s)
-arch=$(uname -m)
-version=$1
-url=""
-
-echo "Fetching constellation ${version}"
-
-if [[ ${os} == "Darwin" ]]; then
-  if [[ ${arch} == "arm64" ]]; then
-    url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-arm64"
-  elif [[ ${arch} == "x86_64" ]]; then
-    url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-amd64"
-  fi
-elif [[ ${os} == "Linux" ]]; then
-  if [[ ${arch} == "x86_64" ]]; then
-    url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-amd64"
-  elif [[ ${arch} == "arm64" ]]; then
-    url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-arm64"
-  fi
-fi
-
-if [[ -z ${url} ]]; then
-  echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
-  exit 1
-else
-  curl -o constellation -L "${url}"
-  chmod +x constellation
-fi
diff --git a/terraform/legacy-module/constellation-cluster/main.tf b/terraform/legacy-module/constellation-cluster/main.tf
deleted file mode 100644
index f84406f16..000000000
--- a/terraform/legacy-module/constellation-cluster/main.tf
+++ /dev/null
@@ -1,191 +0,0 @@
-locals {
-  yq_node_groups = join("\n", flatten([
-    for name, group in var.node_groups : [
-      "./yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml",
-      "./yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml",
-      "./yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml",
-      "./yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml",
-      "./yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml",
-      "./yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml"
-    ]
-  ]))
-  gcp_sa_file_path = "service_account_file.json"
-}
-
-resource "null_resource" "ensure_cli" {
-  provisioner "local-exec" {
-    command = <<EOT
-         ${path.module}/install-constellation.sh ${var.constellation_version}
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-// terraform_data resource so that it is run only once
-resource "terraform_data" "config_generate" {
-  provisioner "local-exec" {
-    command = <<EOT
-         ./constellation config generate ${var.csp}
-    EOT
-  }
-  depends_on = [
-    null_resource.ensure_cli
-  ]
-}
-
-resource "null_resource" "aws_config" {
-  count = var.aws_config != null ? 1 : 0
-  provisioner "local-exec" {
-    command = <<EOT
-      ./yq eval '.provider.aws.region = "${var.aws_config.region}"' -i constellation-conf.yaml
-      ./yq eval '.provider.aws.zone = "${var.aws_config.zone}"' -i constellation-conf.yaml
-      ./yq eval '.provider.aws.iamProfileControlPlane = "${var.aws_config.iam_instance_profile_name_control_plane}"' -i constellation-conf.yaml
-      ./yq eval '.provider.aws.iamProfileWorkerNodes = "${var.aws_config.iam_instance_profile_name_worker_nodes}"' -i constellation-conf.yaml
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-  depends_on = [
-    terraform_data.config_generate
-  ]
-}
-
-resource "null_resource" "azure_config" {
-  count = var.azure_config != null ? 1 : 0
-  provisioner "local-exec" {
-    command = <<EOT
-      ./yq eval '.provider.azure.subscription = "${var.azure_config.subscription}"' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.tenant = "${var.azure_config.tenant}"' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.location = "${var.azure_config.location}"' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.resourceGroup = "${var.azure_config.resourceGroup}"' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.userAssignedIdentity = "${var.azure_config.userAssignedIdentity}"' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.deployCSIDriver = ${var.azure_config.deployCSIDriver}' -i constellation-conf.yaml
-      ./yq eval '.provider.azure.secureBoot = ${var.azure_config.secureBoot}' -i constellation-conf.yaml
-      ./yq eval '.infrastructure.azure.resourceGroup = "${var.azure_config.resourceGroup}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.azure.subscriptionID = "${var.azure_config.subscription}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.azure.networkSecurityGroupName = "${var.azure_config.networkSecurityGroupName}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.azure.loadBalancerName = "${var.azure_config.loadBalancerName}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.azure.userAssignedIdentity = "${var.azure_config.userAssignedIdentity}"' -i constellation-state.yaml
-      if [ '${var.azure_config.maaURL}' != '' ]; then
-        ./yq eval '.infrastructure.azure.attestationURL = "${var.azure_config.maaURL}"' -i constellation-state.yaml
-        ./constellation maa-patch ${var.azure_config.maaURL}
-      fi
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-  depends_on = [
-    terraform_data.config_generate
-  ]
-}
-
-resource "null_resource" "service_account_file" {
-  count = var.gcp_config != null ? 1 : 0
-  provisioner "local-exec" {
-    command = <<EOT
-          echo ${var.gcp_config.serviceAccountKey} | base64 -d > "${local.gcp_sa_file_path}"
-    EOT
-  }
-  provisioner "local-exec" {
-    when    = destroy
-    command = "rm ${self.triggers.file_path}"
-  }
-  triggers = {
-    always_run = timestamp()
-    file_path  = local.gcp_sa_file_path
-  }
-}
-
-resource "null_resource" "gcp_config" {
-  count = var.gcp_config != null ? 1 : 0
-  provisioner "local-exec" {
-    command = <<EOT
-      ./yq eval '.provider.gcp.project = "${var.gcp_config.project}"' -i constellation-conf.yaml
-      ./yq eval '.provider.gcp.region = "${var.gcp_config.region}"' -i constellation-conf.yaml
-      ./yq eval '.provider.gcp.zone = "${var.gcp_config.zone}"' -i constellation-conf.yaml
-      ./yq eval '.provider.gcp.serviceAccountKeyPath = "${local.gcp_sa_file_path}"' -i constellation-conf.yaml
-      ./yq eval '.infrastructure.gcp.projectID = "${var.gcp_config.project}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.gcp.ipCidrPod = "${var.gcp_config.ipCidrPod}"' -i constellation-state.yaml
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-  depends_on = [
-    terraform_data.config_generate, null_resource.service_account_file
-  ]
-}
-
-resource "null_resource" "config" {
-  provisioner "local-exec" {
-    command = <<EOT
-      ./yq eval '.name = "${var.name}"' -i constellation-conf.yaml
-      if [ "${var.image}" != "" ]; then
-        ./yq eval '.image = "${var.image}"' -i constellation-conf.yaml
-      fi
-      if [ "${var.kubernetes_version}" != "" ]; then
-        ./yq eval '.kubernetesVersion = "${var.kubernetes_version}"' -i constellation-conf.yaml
-      fi
-      if [ "${var.microservice_version}" != "" ]; then
-        ./yq eval '.microserviceVersion = "${var.microservice_version}"' -i constellation-conf.yaml
-      fi
-      if [ "${var.serviceCidr}" != "" ]; then
-        ./yq eval '.serviceCIDR = "${var.serviceCidr}"' -i constellation-conf.yaml
-      fi
-      ${local.yq_node_groups}
-      ./constellation config fetch-measurements ${var.debug == true ? "--insecure" : ""}
-    EOT
-  }
-
-  depends_on = [
-    null_resource.aws_config, null_resource.gcp_config, null_resource.azure_config
-  ]
-
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-
-resource "null_resource" "infra_state" {
-  provisioner "local-exec" {
-    command = <<EOT
-      ./yq eval '.infrastructure.uid = "${var.uid}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.inClusterEndpoint = "${var.inClusterEndpoint}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.clusterEndpoint = "${var.clusterEndpoint}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.initSecret = "'"$(echo "${var.initSecretHash}" | tr -d '\n' | hexdump -ve '/1 "%02x"')"'"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.apiServerCertSANs = ${jsonencode(var.apiServerCertSANs)}' -i constellation-state.yaml
-      ./yq eval '.infrastructure.name = "${var.name}"' -i constellation-state.yaml
-      ./yq eval '.infrastructure.ipCidrNode = "${var.ipCidrNode}"' -i constellation-state.yaml
-    EOT
-  }
-  depends_on = [
-    terraform_data.config_generate
-  ]
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-
-resource "null_resource" "apply" {
-  provisioner "local-exec" {
-    command = "./constellation apply --debug --yes --skip-phases infrastructure"
-  }
-
-  provisioner "local-exec" {
-    when    = destroy
-    command = "./constellation terminate --yes && rm constellation-conf.yaml constellation-mastersecret.json && rm -r constellation-upgrade"
-  }
-
-  depends_on = [
-    null_resource.infra_state, null_resource.config, null_resource.ensure_cli
-  ]
-  triggers = {
-    always_run = timestamp()
-  }
-}
diff --git a/terraform/legacy-module/constellation-cluster/variables.tf b/terraform/legacy-module/constellation-cluster/variables.tf
deleted file mode 100644
index 7eb70169c..000000000
--- a/terraform/legacy-module/constellation-cluster/variables.tf
+++ /dev/null
@@ -1,133 +0,0 @@
-variable "constellation_version" {
-  type        = string
-  description = "Constellation CLI version to use."
-  default     = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "image" {
-  type        = string
-  description = "The node image reference or semantic release version."
-}
-
-variable "csp" {
-  type        = string
-  description = "The cloud service provider to use."
-  validation {
-    condition     = var.csp == "aws" || var.csp == "gcp" || var.csp == "azure"
-    error_message = "The cloud service provider to use."
-  }
-}
-
-variable "node_groups" {
-  type = map(object({
-    role          = string
-    initial_count = optional(number)
-    instance_type = string
-    disk_size     = number
-    disk_type     = string
-    zone          = optional(string, "")       # For AWS, GCP
-    zones         = optional(list(string), []) # For Azure
-  }))
-  description = "A map of node group names to node group configurations."
-  validation {
-    condition     = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
-    error_message = "The role has to be 'control-plane' or 'worker'."
-  }
-}
-
-variable "name" {
-  type        = string
-  description = "Name used in the cluster's named resources / cluster name."
-}
-
-variable "uid" {
-  type        = string
-  description = "The UID of the Constellation."
-}
-
-variable "clusterEndpoint" {
-  type        = string
-  description = "Endpoint of the cluster."
-}
-
-variable "inClusterEndpoint" {
-  type        = string
-  description = "The endpoint the cluster uses to reach itself. This might differ from the ClusterEndpoint in case e.g. an internal load balancer is used."
-}
-
-variable "initSecretHash" {
-  type        = string
-  description = "Init secret hash."
-}
-
-variable "ipCidrNode" {
-  type        = string
-  description = "Node IP CIDR."
-}
-
-variable "serviceCidr" {
-  type        = string
-  default     = ""
-  description = "Kubernetes service CIDR. This is only used during first initialization of Constellation."
-}
-
-variable "apiServerCertSANs" {
-  type        = list(string)
-  description = "List of additional SANs (Subject Alternative Names) for the Kubernetes API server certificate."
-}
-
-variable "aws_config" {
-  type = object({
-    region                                  = string
-    zone                                    = string
-    iam_instance_profile_name_worker_nodes  = string
-    iam_instance_profile_name_control_plane = string
-  })
-  description = "The cluster config for AWS."
-  default     = null
-}
-
-variable "azure_config" {
-  type = object({
-    subscription             = string
-    tenant                   = string
-    location                 = string
-    resourceGroup            = string
-    userAssignedIdentity     = string
-    deployCSIDriver          = bool
-    secureBoot               = bool
-    maaURL                   = string
-    networkSecurityGroupName = string
-    loadBalancerName         = string
-  })
-  description = "The cluster config for Azure."
-  default     = null
-}
-
-variable "gcp_config" {
-  type = object({
-    region            = string
-    zone              = string
-    project           = string
-    ipCidrPod         = string
-    serviceAccountKey = string
-  })
-  description = "The cluster config for GCP."
-  default     = null
-}
-
-variable "kubernetes_version" {
-  type        = string
-  description = "Kubernetes version."
-}
-
-variable "microservice_version" {
-  type        = string
-  description = "Microservice version."
-}
-
-variable "debug" {
-  type        = bool
-  default     = false
-  description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
diff --git a/terraform/legacy-module/gcp-constellation/main.tf b/terraform/legacy-module/gcp-constellation/main.tf
deleted file mode 100644
index 879f6b69b..000000000
--- a/terraform/legacy-module/gcp-constellation/main.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-locals {
-  region = substr(var.zone, 0, length(var.zone) - 2)
-}
-
-module "gcp_iam" {
-  source             = "../../infrastructure/iam/gcp"
-  project_id         = var.project
-  service_account_id = var.service_account_id
-  region             = local.region
-  zone               = var.zone
-}
-
-
-resource "null_resource" "ensure_yq" {
-  provisioner "local-exec" {
-    command = <<EOT
-         ../common/install-yq.sh
-    EOT
-  }
-  triggers = {
-    always_run = timestamp()
-  }
-}
-
-module "fetch_image" {
-  source              = "../common/fetch-image"
-  csp                 = "gcp"
-  attestation_variant = "gcp-sev-es"
-  image               = var.image
-  depends_on          = [null_resource.ensure_yq]
-}
-
-
-module "gcp" {
-  source            = "../../infrastructure/gcp"
-  project           = var.project
-  image_id          = module.fetch_image.image
-  name              = var.name
-  node_groups       = var.node_groups
-  region            = local.region
-  zone              = var.zone
-  debug             = var.debug
-  custom_endpoint   = var.custom_endpoint
-  cc_technology     = var.cc_technology
-  additional_labels = var.additional_labels
-}
-
-module "constellation" {
-  source               = "../constellation-cluster"
-  csp                  = "gcp"
-  debug                = var.debug
-  name                 = var.name
-  image                = var.image
-  microservice_version = var.microservice_version
-  kubernetes_version   = var.kubernetes_version
-  uid                  = module.gcp.uid
-  clusterEndpoint      = module.gcp.out_of_cluster_endpoint
-  inClusterEndpoint    = module.gcp.in_cluster_endpoint
-  initSecretHash       = module.gcp.init_secret
-  ipCidrNode           = module.gcp.ip_cidr_node
-  apiServerCertSANs    = module.gcp.api_server_cert_sans
-  node_groups          = var.node_groups
-  gcp_config = {
-    region            = local.region
-    zone              = var.zone
-    project           = var.project
-    ipCidrPod         = module.gcp.ip_cidr_pod
-    serviceAccountKey = module.gcp_iam.service_account_key
-  }
-  depends_on = [module.gcp, null_resource.ensure_yq]
-}
diff --git a/terraform/legacy-module/gcp-constellation/variables.tf b/terraform/legacy-module/gcp-constellation/variables.tf
deleted file mode 100644
index 8ddca125d..000000000
--- a/terraform/legacy-module/gcp-constellation/variables.tf
+++ /dev/null
@@ -1,86 +0,0 @@
-variable "name" {
-  type        = string
-  description = "Name of the Constellation cluster."
-}
-
-variable "project" {
-  type        = string
-  description = "The project ID to deploy the cluster to."
-}
-
-variable "service_account_id" {
-  type        = string
-  description = "The service account ID to use for the cluster."
-}
-
-variable "image" {
-  type        = string
-  description = "Node image reference or semantic release version. When not set, the latest default version will be used."
-  default     = "@@CONSTELLATION_VERSION@@"
-}
-
-variable "microservice_version" {
-  type        = string
-  description = "Microservice version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "kubernetes_version" {
-  type        = string
-  description = "Kubernetes version. When not set, the latest default version will be used."
-  default     = ""
-}
-
-variable "node_groups" {
-  type = map(object({
-    role          = string
-    initial_count = optional(number)
-    instance_type = string
-    disk_size     = number
-    disk_type     = string
-    zone          = string
-  }))
-  description = "A map of node group names to node group configurations."
-  validation {
-    condition     = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
-    error_message = "The role has to be 'control-plane' or 'worker'."
-  }
-}
-
-variable "zone" {
-  type        = string
-  description = "The availability zone name to create the cluster in."
-}
-
-variable "debug" {
-  type        = bool
-  default     = false
-  description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images."
-}
-
-
-variable "custom_endpoint" {
-  type        = string
-  default     = ""
-  description = "Custom endpoint (DNS Name) to use for the Constellation API server. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
-  type        = bool
-  default     = false
-  description = "Use an internal load balancer."
-}
-
-variable "cc_technology" {
-  type        = string
-  description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`."
-  validation {
-    condition     = contains(["SEV", "SEV_SNP"], var.cc_technology)
-    error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
-  }
-}
-
-variable "additional_labels" {
-  type        = map(any)
-  description = "Additional labels that should be given to created recources."
-}