cli: Terraform upgrades maa patching (#1821)

* patch maa after upgrade * buildfiles * reword comment * remove whitespace * temp: log measurements URL * temp: update import * ignore changes to attestation policies * add issue URL * separate output in e2e upgrade test * use enterprise CLI for e2e test * remove measurements print * add license headers
2025-07-21 06:21:43 -04:00 · 2023-06-02 10:47:44 +02:00 · 2023-06-02 10:47:44 +02:00 · 8c3b963a3f
commit 8c3b963a3f
parent 7ef7f09dda
10 changed files with 236 additions and 109 deletions
--- a/cli/internal/upgrade/terraform.go
+++ b/cli/internal/upgrade/terraform.go
@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@ -24,15 +25,17 @@ import (
 // NewTerraformUpgrader returns a new TerraformUpgrader.
 func NewTerraformUpgrader(tfClient tfClient, outWriter io.Writer) (*TerraformUpgrader, error) {
 	return &TerraformUpgrader{
-		tf:        tfClient,
-		outWriter: outWriter,
+		tf:            tfClient,
+		policyPatcher: cloudcmd.NewAzurePolicyPatcher(),
+		outWriter:     outWriter,
 	}, nil
 }

 // TerraformUpgrader is responsible for performing Terraform migrations on cluster upgrades.
 type TerraformUpgrader struct {
-	tf        tfClient
-	outWriter io.Writer
+	tf            tfClient
+	policyPatcher policyPatcher
+	outWriter     io.Writer
 }

 // TerraformUpgradeOptions are the options used for the Terraform upgrade.
@ -139,6 +142,13 @@ func (u *TerraformUpgrader) ApplyTerraformMigrations(ctx context.Context, fileHa
 		return fmt.Errorf("terraform apply: %w", err)
 	}

+	// AttestationURL is only set for Azure.
+	if tfOutput.AttestationURL != "" {
+		if err := u.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil {
+			return fmt.Errorf("patching policies: %w", err)
+		}
+	}
+
 	outputFileContents := clusterid.File{
 		CloudProvider:  opts.CSP,
 		InitSecret:     []byte(tfOutput.Secret),
@ -173,3 +183,8 @@ type tfClient interface {
 	Plan(ctx context.Context, logLevel terraform.LogLevel, planFile string, targets ...string) (bool, error)
 	CreateCluster(ctx context.Context, logLevel terraform.LogLevel, targets ...string) (terraform.CreateOutput, error)
 }
+
+// policyPatcher interacts with the CSP (currently only applies for Azure) to update the attestation policy.
+type policyPatcher interface {
+	Patch(ctx context.Context, attestationURL string) error
+}