terraform: add Terraform module for Azure (#2566)

* add Azure Terraform module

* add maa-patching command to cli

* refactor release process

* factor out image fetching to own action

* add CI

* generate

* fix some unnecessary changes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `constellation maa-patch` in ci

* insecure flag when using debug image

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only update maa url if existing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make node group zone optional on aws and gcp

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register updated workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Revert "[remove] register updated workflow"

This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.

* create MAA

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make maa-patching only run on azure

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* require node group zone for GCP and AWS

* remove unnecessary bazel action

* stamp version to correct file

* refer to `maa-patch` command in docs

* run Azure test in weekly e2e

* comment / naming improvements

* remove sa_account resource

* disable spellcheck ot use "URL"

* `create_maa` variable

* don't write maa url to config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to nightly image

* use input ref and stream

* fix command check

* don't set region in weekly e2e call

* patch maa if url is not empty

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove `create_maa` variable

* remove binaries

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove undefined input

* replace invalid attestation URL error message

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* fix punctuation

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* skip hidden commands in clidocgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* enable spellcheck before code block

* move spellcheck trigger out of info block

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix workflow dependencies

* let image default to CLI version

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
This commit is contained in:
Moritz Sanft 2023-11-13 18:46:20 +01:00 committed by GitHub
parent e8f0c58558
commit 8e4feb7e2a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 778 additions and 248 deletions

View file

@ -0,0 +1,48 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/local" {
version = "2.4.0"
hashes = [
"h1:7RnIbO3CFakblTJs7o0mUiY44dc9xGYsLhSNFSNS1Ds=",
"h1:Bs7LAkV/iQTLv72j+cTMrvx2U3KyXrcVHaGbdns1NcE=",
"h1:OMqURhlP2IgLEgUCzSlaKXyb/IbnKForgDSjZF/NY4Y=",
"h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=",
"h1:ZUEYUmm2t4vxwzxy1BvN1wL6SDWrDxfH7pxtzX8c6d0=",
"zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9",
"zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf",
"zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35",
"zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04",
"zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406",
"zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6",
"zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7",
"zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2",
"zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc",
"zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce",
]
}
provider "registry.terraform.io/hashicorp/null" {
version = "3.2.1"
hashes = [
"h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
"h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
"h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=",
"h1:wqgRvlyVIbkCeCQs+5jj6zVuQL0KDxZZtNofGqqlSdI=",
"h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=",
"zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
"zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
"zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
"zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
"zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
"zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
"zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
"zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
"zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
"zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
]
}

View file

@ -0,0 +1,38 @@
locals {
image_ref = startswith(var.image, "v") ? "ref/-/stream/stable/${var.image}" : var.image
region_filter = var.region != "" ? " and .region == \"${var.region}\"" : "" # apply region filter only if region field exists for the CSP
fetch_image_command = <<EOT
curl -s https://cdn.confidential.cloud/constellation/v2/${local.image_ref}/image/info.json | \
./yq eval '.list[] | select(.csp == "${var.csp}" and .attestationVariant == "${var.attestation_variant}"${local.region_filter}) | .reference' - | tr -d '\n' > "image.txt"
if [ '${var.csp}' = 'azure' ]; then
sed -i 's/CommunityGalleries/communityGalleries/g' image.txt
sed -i 's/Images/images/g' image.txt
sed -i 's/Versions/versions/g' image.txt
fi
EOT
}
resource "null_resource" "fetch_image" {
provisioner "local-exec" {
command = local.fetch_image_command
environment = {
attestation_variant = var.attestation_variant
}
}
provisioner "local-exec" {
when = destroy
command = "rm image.txt"
}
triggers = {
always_run = "${timestamp()}"
}
}
data "local_file" "image" {
filename = "image.txt"
depends_on = [null_resource.fetch_image]
}

View file

@ -0,0 +1,4 @@
output "image" {
description = "The resolved image ID of the CSP."
value = data.local_file.image.content
}

View file

@ -0,0 +1,20 @@
variable "csp" {
description = "The cloud service provider to fetch image data for."
type = string
}
variable "attestation_variant" {
description = "The attestation variant to fetch image data for."
type = string
}
variable "region" {
description = "The region to fetch image data for."
type = string
default = ""
}
variable "image" {
description = "The image reference or semantical release version to fetch image data for."
type = string
}

43
terraform/common/install-yq.sh Executable file
View file

@ -0,0 +1,43 @@
#!/usr/bin/env bash
version="v4.35.2"
if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
echo "yq is already available and up to date."
exit 0
fi
if [[ -f ./yq ]]; then
echo "yq is already available but not at the required version. Replacing with ${version}."
rm -f yq
fi
echo "Fetching yq ${version}"
os=$(uname -s)
arch=$(uname -m)
url=""
if [[ ${os} == "Darwin" ]]; then
if [[ ${arch} == "arm64" ]]; then
url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
elif [[ ${arch} == "x86_64" ]]; then
url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
fi
elif [[ ${os} == "Linux" ]]; then
if [[ ${arch} == "x86_64" ]]; then
url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
elif [[ ${arch} == "arm64" ]]; then
url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
fi
fi
if [[ -z ${url} ]]; then
echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
exit 1
else
echo "Downloading yq from ${url}"
curl -o yq -L "${url}"
chmod +x ./yq
./yq --version
if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
echo "Version is incorrect"
exit 1
fi
fi