Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-06-18 03:09:32 -04:00
Code Issues Projects Releases Packages Wiki Activity

terraform-provider: document MAA patching more prominently (#3330)

Browse source
This commit is contained in:
Moritz Sanft 2024-08-29 15:50:26 +02:00 committed by GitHub
parent c11631ec11
commit 8555bd00a9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
terraform-provider-constellation/docs/data-sources/attestation.md
View file

@ -42,7 +42,8 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
### Optional ### Optional
- `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image. - `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service - `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.
### Read-Only ### Read-Only

2
terraform-provider-constellation/examples/full/azure/main.tf
View file

@ -80,6 +80,8 @@ data "constellation_attestation" "foo" {
csp = local.csp csp = local.csp
attestation_variant = local.attestation_variant attestation_variant = local.attestation_variant
image = data.constellation_image.bar.image image = data.constellation_image.bar.image
# Needs to be patched manually, see:
# https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup
maa_url = module.azure_infrastructure.attestation_url maa_url = module.azure_infrastructure.attestation_url
} }

12
terraform-provider-constellation/internal/provider/attestation_data_source.go
View file

@ -98,7 +98,8 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
"attestation_variant": newAttestationVariantAttributeSchema(attributeInput), "attestation_variant": newAttestationVariantAttributeSchema(attributeInput),
"image": newImageAttributeSchema(attributeInput), "image": newImageAttributeSchema(attributeInput),
"maa_url": schema.StringAttribute{ "maa_url": schema.StringAttribute{
MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service", MarkdownDescription: `For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.`,
Optional: true, Optional: true,
}, },
"insecure": schema.BoolAttribute{ "insecure": schema.BoolAttribute{
@ -125,6 +126,15 @@ func (d *AttestationDataSource) ValidateConfig(ctx context.Context, req datasour
) )
return return
} }
if !data.MaaURL.IsNull() {
resp.Diagnostics.AddAttributeWarning(
path.Root("maa_url"),
"Ensure that the MAA's policy is patched", "When MAA is used, please ensure the MAA's policy is patche properly for use within Constellation. See https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup for more information.",
)
return
}
if data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && data.MaaURL.IsNull() { if data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && data.MaaURL.IsNull() {
tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable") tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable")
} }