attestation: add awsSEVSNP as new variant (#1900)

* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.

cli/internal/terraform/terraform/aws/main.tf

@@ -237,6 +237,7 @@ module "instance_group_control_plane" {
   security_groups      = [aws_security_group.security_group.id]
   subnetwork           = module.public_private_subnet.private_subnet_id
   iam_instance_profile = var.iam_instance_profile_control_plane
+  enable_snp           = var.enable_snp
   tags = merge(
     local.tags,
     { Name = local.name },
@@ -261,6 +262,7 @@ module "instance_group_worker_nodes" {
   target_group_arns    = []
   security_groups      = [aws_security_group.security_group.id]
   iam_instance_profile = var.iam_instance_profile_worker_nodes
+  enable_snp           = var.enable_snp
   tags = merge(
     local.tags,
     { Name = local.name },

cli/internal/terraform/terraform/aws/modules/instance_group/main.tf

@@ -44,6 +44,11 @@ resource "aws_launch_template" "launch_template" {
       image_id,        # required. update procedure modifies the image id externally
     ]
   }
+
+  # See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#cpu-options
+  cpu_options {
+    amd_sev_snp = var.enable_snp ? "enabled" : "disabled"
+  }
 }
 
 resource "aws_autoscaling_group" "autoscaling_group" {

cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf

@@ -62,3 +62,9 @@ variable "tags" {
   type        = map(string)
   description = "The tags to add to the instance group."
 }
+
+variable "enable_snp" {
+  type        = bool
+  default     = true
+  description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
+}

cli/internal/terraform/terraform/aws/variables.tf

@@ -69,3 +69,9 @@ variable "debug" {
   default     = false
   description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper."
 }
+
+variable "enable_snp" {
+  type        = bool
+  default     = true
+  description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
+}

cli/internal/terraform/variables.go

@@ -39,7 +39,7 @@ func (v *CommonVariables) String() string {
 	return b.String()
 }
 
-// AWSClusterVariables is user configuration for creating a cluster with Terraform on GCP.
+// AWSClusterVariables is user configuration for creating a cluster with Terraform on AWS.
 type AWSClusterVariables struct {
 	// CommonVariables contains common variables.
 	CommonVariables
@@ -59,6 +59,8 @@ type AWSClusterVariables struct {
 	IAMProfileWorkerNodes string
 	// Debug is true if debug mode is enabled.
 	Debug bool
+	// EnableSNP controls enablement of the EC2 cpu-option "AmdSevSnp".
+	EnableSNP bool
 }
 
 func (v *AWSClusterVariables) String() string {
@@ -72,6 +74,7 @@ func (v *AWSClusterVariables) String() string {
 	writeLinef(b, "iam_instance_profile_control_plane = %q", v.IAMProfileControlPlane)
 	writeLinef(b, "iam_instance_profile_worker_nodes = %q", v.IAMProfileWorkerNodes)
 	writeLinef(b, "debug = %t", v.Debug)
+	writeLinef(b, "enable_snp = %t", v.EnableSNP)
 
 	return b.String()
 }