terraform-provider: add usage examples (#2713)

* terraform-provider: add usage example for Azure * terraform-provider: add usage example for AWS * terraform-provider: add usage example for GCP * terraform-provider: update usage example for Azure * terraform-provider: update generated documentation * docs: adjust creation on Azure and link to examples * terraform-provider: unify image in-/output (#2725) * terraform-provider: check for returned error when converting microservices * terraform-provider: use state values for outputs after creation * terraform-provider: ignore invalid upgrades (#2728) --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-11-13 09:00:38 -05:00 · 2023-12-18 10:15:54 +01:00 · 2023-12-18 10:15:54 +01:00 · af791bd221
commit af791bd221
parent 88d626d302
21 changed files with 797 additions and 204 deletions
--- a/terraform-provider-constellation/docs/data-sources/attestation.md
+++ b/terraform-provider-constellation/docs/data-sources/attestation.md
@ -3,12 +3,12 @@
 page_title: "constellation_attestation Data Source - constellation"
 subcategory: ""
 description: |-
-  The data source to fetch measurements from a configured cloud provider and image.
+  Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.
 ---

 # constellation_attestation (Data Source)

-The data source to fetch measurements from a configured cloud provider and image.
+Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.

 ## Example Usage

@ -32,10 +32,10 @@ data "constellation_attestation" "test" {
  * `gcp-sev-es`
 - `csp` (String) CSP (Cloud Service Provider) to use. (e.g. `azure`)
 See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
+- `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))

 ### Optional

- `image_version` (String) The image version to use. If not set, the provider version value is used.
 - `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
 - `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service

@ -43,6 +43,19 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview

 - `attestation` (Attributes) Attestation comprises the measurements and SEV-SNP specific parameters. (see [below for nested schema](#nestedatt--attestation))

+<a id="nestedatt--image"></a>
+### Nested Schema for `image`
+
+Required:
+
+- `reference` (String) CSP-specific unique reference to the image. The format differs per CSP.
+- `short_path` (String) CSP-agnostic short path to the image. The format is `vX.Y.Z` for release images and `ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION` for pre-release images.
+- `$GIT_REF` is the git reference (i.e. branch name) the image was built on, e.g. `main`.
+- `$STREAM` is the stream the image was built on, e.g. `nightly`.
+- `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`.
+- `version` (String) Semantic version of the image.
+
+
 <a id="nestedatt--attestation"></a>
 ### Nested Schema for `attestation`

--- a/terraform-provider-constellation/docs/data-sources/image.md
+++ b/terraform-provider-constellation/docs/data-sources/image.md
@ -36,11 +36,23 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview

 ### Optional

- `image_version` (String) Version of the Constellation OS image to use. (e.g. `v2.13.0`). If not set, the provider version value is used.
 - `marketplace_image` (Boolean) Whether a marketplace image should be used. Currently only supported for Azure.
 - `region` (String) Region to retrieve the image for. Only required for AWS.
 The Constellation OS image must be [replicated to the region](https://docs.edgeless.systems/constellation/workflows/config),and the region must [support AMD SEV-SNP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-requirements.html), if it is used for Attestation.
+- `version` (String) Version of the Constellation OS image to use. (e.g. `v2.13.0`). If not set, the provider version value is used.

 ### Read-Only

- `reference` (String) CSP-specific reference to the image.
+- `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
+
+<a id="nestedatt--image"></a>
+### Nested Schema for `image`
+
+Read-Only:
+
+- `reference` (String) CSP-specific unique reference to the image. The format differs per CSP.
+- `short_path` (String) CSP-agnostic short path to the image. The format is `vX.Y.Z` for release images and `ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION` for pre-release images.
+- `$GIT_REF` is the git reference (i.e. branch name) the image was built on, e.g. `main`.
+- `$STREAM` is the stream the image was built on, e.g. `nightly`.
+- `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`.
+- `version` (String) Semantic version of the image.
--- a/terraform-provider-constellation/docs/resources/cluster.md
+++ b/terraform-provider-constellation/docs/resources/cluster.md
@ -13,23 +13,44 @@ Resource for a Constellation cluster.
 ## Example Usage

 ```terraform
-// Not up-to-date
-
 data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant

 data "constellation_image" "bar" {} # Fill accordingly for the CSP

-resource "constellation_cluster" "aws_example" {
-  csp                                = "aws"
+resource "random_bytes" "master_secret" {
+  length = 32
+}
+
+resource "random_bytes" "master_secret_salt" {
+  length = 32
+}
+
+resource "random_bytes" "measurement_salt" {
+  length = 32
+}
+
+resource "constellation_cluster" "azure_example" {
+  csp                                = "azure"
+  constellation_microservice_version = "vX.Y.Z"
  name                               = "constell"
-  uid                                = "deadbeef"
-  constellation_microservice_version = "vx.y.z"
+  uid                                = "..."
  image                              = data.constellation_image.bar.image
  attestation                        = data.constellation_attestation.foo.attestation
-  init_secret                        = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
-  master_secret                      = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
-  master_secret_salt                 = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  init_secret                        = "..."
+  master_secret                      = random_bytes.master_secret.hex
+  master_secret_salt                 = random_bytes.master_secret_salt.hex
+  measurement_salt                   = random_bytes.measurement_salt.hex
  out_of_cluster_endpoint            = "123.123.123.123"
+  azure = {
+    tenant_id                   = "..."
+    subscription_id             = "..."
+    uami_client_id              = "..."
+    uami_resource_id            = "..."
+    location                    = "..."
+    resource_group              = "..."
+    load_balancer_name          = "..."
+    network_security_group_name = "..."
+  }
  network_config = {
    ip_cidr_node    = "192.168.176.0/20"
    ip_cidr_service = "10.96.0.0/12"
@ -44,8 +65,7 @@ resource "constellation_cluster" "aws_example" {

 - `attestation` (Attributes) Attestation comprises the measurements and SEV-SNP specific parameters. The output of the [constellation_attestation](../data-sources/attestation.md) data source provides sensible defaults. (see [below for nested schema](#nestedatt--attestation))
 - `csp` (String) The Cloud Service Provider (CSP) the cluster should run on.
- `image_reference` (String) Constellation OS image reference to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image reference for your CSP.
- `image_version` (String) Constellation OS image version to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image version for your CSP.
+- `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
 - `init_secret` (String) Secret used for initialization of the cluster.
 - `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
 - `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
@ -68,7 +88,7 @@ resource "constellation_cluster" "aws_example" {
 ### Read-Only

 - `cluster_id` (String) The cluster ID of the cluster.
- `kubeconfig` (String) The kubeconfig of the cluster.
+- `kubeconfig` (String, Sensitive) The kubeconfig of the cluster.
 - `owner_id` (String) The owner ID of the cluster.

 <a id="nestedatt--attestation"></a>
@ -112,6 +132,19 @@ Optional:



+<a id="nestedatt--image"></a>
+### Nested Schema for `image`
+
+Required:
+
+- `reference` (String) CSP-specific unique reference to the image. The format differs per CSP.
+- `short_path` (String) CSP-agnostic short path to the image. The format is `vX.Y.Z` for release images and `ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION` for pre-release images.
+- `$GIT_REF` is the git reference (i.e. branch name) the image was built on, e.g. `main`.
+- `$STREAM` is the stream the image was built on, e.g. `nightly`.
+- `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`.
+- `version` (String) Semantic version of the image.
+
+
 <a id="nestedatt--network_config"></a>
 ### Nested Schema for `network_config`