docs: adjust MAA updating (#3152)

* docs: adjust MAA updating

* versioned-docs: backport fix
This commit is contained in:
Moritz Sanft 2024-06-07 13:56:10 +02:00 committed by GitHub
parent 94cf85c65a
commit 7d4e7eff65
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 26 additions and 48 deletions

View File

@ -188,7 +188,7 @@ Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -208,7 +208,7 @@ The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -226,8 +226,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
:::info
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
On Azure, a manual update to the MAA provider's policy is necessary.
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
```bash

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -55,7 +55,7 @@ management tooling of your choice. You need to keep the essential functionality
:::info
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
On Azure, a manual update to the MAA provider's policy is necessary.
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestationURL | jq -r)`, when using the minimal Terraform configuration).
```bash

View File

@ -114,7 +114,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -134,7 +134,7 @@ The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -152,8 +152,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
:::info
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
On Azure, a manual update to the MAA provider's policy is necessary.
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
```bash

View File

@ -114,7 +114,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -134,7 +134,7 @@ The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -152,8 +152,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
:::info
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
On Azure, a manual update to the MAA provider's policy is necessary.
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
```bash

View File

@ -188,7 +188,7 @@ Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -208,7 +208,7 @@ The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -226,8 +226,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
:::info
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
On Azure, a manual update to the MAA provider's policy is necessary.
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
```bash

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can try [MiniConstellation](first-st
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -144,8 +144,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">

View File

@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
<tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
</tabItem>
<tabItem value="gcp" label="GCP">