Adjust usage of GCP SEV-SNP throughout codebase

2025-04-21 23:59:09 -04:00 · 2024-04-04 16:35:36 +02:00 · 2024-04-04 16:35:36 +02:00 · 78a723aa31
commit 78a723aa31
parent baa22d464f
7 changed files with 35 additions and 3 deletions
--- a/.github/actions/terraform_apply/action.yml
+++ b/.github/actions/terraform_apply/action.yml
@ -26,6 +26,9 @@ runs:
          "gcpSEVES")
            attestationVariant="gcp-sev-es"
            ;;
+          "gcpSEVSNP")
+            attestationVariant="gcp-sev-snp"
+            ;;
          *)
            echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
            exit 1
--- a/cli/internal/cloudcmd/tfvars.go
+++ b/cli/internal/cloudcmd/tfvars.go
@ -209,6 +209,12 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
 			DiskType:        group.StateDiskType,
 		}
 	}
+
+	ccTech := "SEV"
+	if conf.GetAttestationConfig().GetVariant().Equal(variant.GCPSEVSNP{}) {
+		ccTech = "SEV_SNP"
+	}
+
 	return &terraform.GCPClusterVariables{
 		Name:                 conf.Name,
 		NodeGroups:           nodeGroups,
@ -219,6 +225,7 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
 		Debug:                conf.IsDebugCluster(),
 		CustomEndpoint:       conf.CustomEndpoint,
 		InternalLoadBalancer: conf.InternalLoadBalancer,
+		CCTechnology:         ccTech,
 	}
 }

--- a/cli/internal/cmd/configgenerate_test.go
+++ b/cli/internal/cmd/configgenerate_test.go
@ -235,6 +235,11 @@ func TestValidProviderAttestationCombination(t *testing.T) {
 			variant.GCPSEVES{},
 			config.AttestationConfig{GCPSEVES: defaultAttestation.GCPSEVES},
 		},
+		{
+			cloudprovider.GCP,
+			variant.GCPSEVSNP{},
+			config.AttestationConfig{GCPSEVSNP: defaultAttestation.GCPSEVSNP},
+		},
 		{
 			cloudprovider.QEMU,
 			variant.QEMUVTPM{},
@ -286,6 +291,10 @@ func TestParseAttestationFlag(t *testing.T) {
 			attestationFlag: "gcp-sev-es",
 			wantVariant:     variant.GCPSEVES{},
 		},
+		"GCPSEVSNP": {
+			attestationFlag: "gcp-sev-snp",
+			wantVariant:     variant.GCPSEVSNP{},
+		},
 		"QEMUVTPM": {
 			attestationFlag: "qemu-vtpm",
 			wantVariant:     variant.QEMUVTPM{},
--- a/cli/internal/terraform/variables_test.go
+++ b/cli/internal/terraform/variables_test.go
@ -122,6 +122,7 @@ func TestGCPClusterVariables(t *testing.T) {
 			},
 		},
 		CustomEndpoint: "example.com",
+		CCTechnology:   "SEV_SNP",
 	}

 	// test that the variables are correctly rendered
@ -151,6 +152,7 @@ node_groups = {
 }
 custom_endpoint        = "example.com"
 internal_load_balancer = false
+cc_technology          = "SEV_SNP"
 `
 	got := vars.String()
 	assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences
--- a/docs/docs/reference/cli.md
+++ b/docs/docs/reference/cli.md
@ -78,7 +78,7 @@ constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
 ### Options

 ```
-  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
+  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
  -h, --help                 help for generate
  -k, --kubernetes string    Kubernetes version to use in format MAJOR.MINOR (default "v1.28")
 ```
--- a/internal/constellation/state/state.go
+++ b/internal/constellation/state/state.go
@ -383,7 +383,7 @@ func (s *State) preInitConstraints(attestation variant.Variant) func() []*valida
 					),
 				)
 			}
-		case variant.GCPSEVES{}:
+		case variant.GCPSEVES{}, variant.GCPSEVSNP{}:
 			// GCP values need to be valid after infrastructure creation.
 			constraints = append(constraints,
 				// Azure values need to be nil or empty.
@ -514,7 +514,7 @@ func (s *State) postInitConstraints(attestation variant.Variant) func() []*valid
 					),
 				)
 			}
-		case variant.GCPSEVES{}:
+		case variant.GCPSEVES{}, variant.GCPSEVSNP{}:
 			constraints = append(constraints,
 				// Azure values need to be nil or empty.
 				validation.Or(
--- a/terraform-provider-constellation/internal/provider/convert.go
+++ b/terraform-provider-constellation/internal/provider/convert.go
@ -122,6 +122,10 @@ func convertFromTfAttestationCfg(tfAttestation attestationAttribute, attestation
 		attestationConfig = &config.GCPSEVES{
 			Measurements: c11nMeasurements,
 		}
+	case variant.GCPSEVSNP{}:
+		attestationConfig = &config.GCPSEVSNP{
+			Measurements: c11nMeasurements,
+		}
 	case variant.QEMUVTPM{}:
 		attestationConfig = &config.QEMUVTPM{
 			Measurements: c11nMeasurements,
@ -150,6 +154,13 @@ func convertToTfAttestation(attVar variant.Variant, snpVersions attestationconfi
 		}
 		tfAttestation.AMDRootKey = certStr

+	case variant.GCPSEVSNP{}:
+		certStr, err := certAsString(config.DefaultForGCPSEVSNP().AMDRootKey)
+		if err != nil {
+			return tfAttestation, err
+		}
+		tfAttestation.AMDRootKey = certStr
+
 	case variant.AzureSEVSNP{}:
 		certStr, err := certAsString(config.DefaultForAzureSEVSNP().AMDRootKey)
 		if err != nil {