Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-09-19 12:34:44 -04:00
Code Issues Projects Releases Packages Wiki Activity

docs: adjust creation on Azure and link to examples

Browse source
This commit is contained in:
Moritz Sanft 2023-12-15 11:21:22 +01:00
parent b889549500
commit 8f1f4eaf12
No known key found for this signature in database
GPG key ID: 335D28368B1DA615
3 changed files with 45 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/docs/workflows/create.md
View file

@ -45,7 +45,7 @@ It's recommended to use Terraform for infrastructure management, but you can use
:::info
When using Terraform, you can use the [Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle.
When using Terraform, you can use the [Constellation Terraform provider](./terraform-provider.md) to manage the entire Constellation cluster lifecycle.
:::

60
docs/docs/workflows/terraform-provider.md
View file

@ -20,30 +20,48 @@ This example shows how to set up a Constellation cluster with the reference IAM
cd constellation-workspace
```
1. Create a `main.tf` file.
<!--TODO(elchead): AB#3607 put correct examples, with follow up PR with #2713 examples
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
</tabItem>
<tabItem value="aws" label="AWS">
</tabItem>
<tabItem value="gcp" label="GCP">
</tabItem>
</tabs>-->
1. Initialize and apply the file.
2. Use one of the [examplary configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes.
3. When creating a cluster on AWS or GCP, Initialize the providers and apply the configuration.
```bash
terraform init
terraform apply
```
When creating a cluster on Azure, you will need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature is not yet available in Azure's Terraform provider. The Constellation CLI provides a utility for patching, but it
can also be done manually.
```bash
terraform init
terraform apply -target module.azure_iam # adjust resource path if not using the examplary configuration
terraform apply -target module.azure_infrastructure # adjust resource path if not using the examplary configuration
constellation maa-patch $(terraform output maa_url) # adjust output path / input if not using the examplary configuration or manually patch the resource
terraform apply -target constellation_cluster.azure_example # adjust resource path if not using the examplary configuration
```
Use the following policy if manually performing the patch.
```
version= 1.0;
authorizationrules
{
[type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny();
[type=="x-ms-azurevm-debuggersdisabled", value==false] => deny();
// The line below was edited to use the MAA provider within Constellation. Do not edit manually.
//[type=="secureboot", value==false] => deny();
[type=="x-ms-azurevm-signingdisabled", value==false] => deny();
[type=="x-ms-azurevm-dbvalidated", value==false] => deny();
[type=="x-ms-azurevm-dbxvalidated", value==false] => deny();
=> permit();
};
issuancerules
{
};
```
## Bringing your own infrastructure
If you need a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify / extend the modules, per your requirements, while keeping the basic functionality intact.
If you need a custom infrastructure setup, you can download the infrastructure / IAM Terraform modules for the respective CSP from the Constellation [GitHub releases](https://github.com/edgelesssys/constellation/releases). You can modify and extend the modules per your requirements, while keeping the basic functionality intact.
The module contains:
- `{csp}`: cloud resources the cluster runs on
@ -54,16 +72,16 @@ When upgrading your cluster, make sure to check the Constellation release notes
## Cluster upgrades
:::tip
For general information on cluster upgrades, see the [dedicated upgrade page](./upgrade.md).
Also see the [general documentation on cluster upgrades](./upgrade.md).
:::
The steps for applying the upgrade are as follows:
1. Update the version constraint of the Constellation Terraform provider in the `required_providers` block in your Terraform configuration.
2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to the [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported.
3. Update the IAM / infrastructure modules.
- For [remote address as module source](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infra / IAM module to the target version.
- For [local paths as module source](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure configuration accordingly.
2. If you explicitly set any of the version attributes of the provider's resources and data sources (e.g. `image_version` or `constellation_microservice_version`), make sure to update them too. Refer to Constellation's [version support policy](https://github.com/edgelesssys/constellation/blob/main/dev-docs/workflows/versions-support.md) for more information on how each Constellation version and its dependencies are supported.
3. Update the IAM / infrastructure configuration.
- For [remote addresses as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#fetching-archives-over-http), update the version number inside the address of the `source` field of the infrastructure / IAM module to the target version.
- For [local paths as module sources](https://developer.hashicorp.com/terraform/language/modules/sources#local-paths) or when [providing your own infrastructure](#bringing-your-own-infrastructure), see the changes made in the reference modules since the upgrade's origin version and adjust your infrastructure / IAM configuration accordingly.
4. Upgrade the Terraform module and provider dependencies and apply the targeted configuration.
```bash

5
terraform-provider-constellation/examples/full/azure_cluster.tf
View file

@ -112,3 +112,8 @@ resource "constellation_cluster" "azure_example" {
ip_cidr_service = "10.96.0.0/12"
}
}
output "maa_url" {
value = module.azure_infrastructure.attestation_url
description = "URL of the MAA provider, required for manual patching."
}