From dbc495f1642eb41845f2fdba82483f6bb3ceecec Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 21 Jun 2023 11:45:13 +0200
Subject: [PATCH] support to declaratively set attestation policy

---
 cli/internal/cloudcmd/BUILD.bazel | 7 +-
 cli/internal/cloudcmd/attestationpolicy.go | 54 +++++++++++
 ...atch_test.go => attestationpolicy_test.go} | 6 +-
 cli/internal/cloudcmd/create.go | 15 +--
 cli/internal/cloudcmd/create_test.go | 27 +----
 cli/internal/cloudcmd/patch.go | 94 ------------------
 cli/internal/cmd/upgradeapply.go | 2 +
 .../terraform/terraform/azure/main.tf | 9 +-
 .../terraform/terraform/azure/variables.tf | 5 +
 cli/internal/terraform/variables.go | 3 +
 cli/internal/upgrade/BUILD.bazel | 1 -
 cli/internal/upgrade/terraform.go | 20 +---
 go.mod | 2 +-
 hack/go.mod | 8 --
 hack/go.sum | 17 ----
 15 files changed, 82 insertions(+), 188 deletions(-)
 create mode 100644 cli/internal/cloudcmd/attestationpolicy.go
 rename cli/internal/cloudcmd/{patch_test.go => attestationpolicy_test.go} (93%)
 delete mode 100644 cli/internal/cloudcmd/patch.go

diff --git a/cli/internal/cloudcmd/BUILD.bazel b/cli/internal/cloudcmd/BUILD.bazel
index d21a3796a..4cd79fdaf 100644
--- a/cli/internal/cloudcmd/BUILD.bazel
+++ b/cli/internal/cloudcmd/BUILD.bazel
@@ -4,11 +4,11 @@ load("//bazel/go:go_test.bzl", "go_test")
 go_library(
     name = "cloudcmd",
     srcs = [
+        "attestationpolicy.go",
         "clients.go",
         "cloudcmd.go",
         "create.go",
         "iam.go",
-        "patch.go",
         "rollback.go",
         "terminate.go",
         "validators.go",
@@ -29,9 +29,6 @@ go_library(
         "//internal/config",
         "//internal/constants",
         "//internal/imagefetcher",
-        "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation",
-        "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy",
-        "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity",
         "@com_github_hashicorp_terraform_json//:terraform-json",
         "@com_github_spf13_cobra//:cobra",
     ],
@@ -40,10 +37,10 @@ go_library(
 go_test(
     name = "cloudcmd_test",
     srcs = [
+        "attestationpolicy_test.go",
         "clients_test.go",
         "create_test.go",
         "iam_test.go",
-        "patch_test.go",
         "rollback_test.go",
         "terminate_test.go",
         "validators_test.go",
diff --git a/cli/internal/cloudcmd/attestationpolicy.go b/cli/internal/cloudcmd/attestationpolicy.go
new file mode 100644
index 000000000..084484060
--- /dev/null
+++ b/cli/internal/cloudcmd/attestationpolicy.go
@@ -0,0 +1,54 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package cloudcmd
+
+import (
+	"encoding/base64"
+	"fmt"
+)
+
+// maaAttestationPolicy is the default attestation policy for Azure VMs on Constellation.
+const maaAttestationPolicy = `
+	version= 1.0;
+	authorizationrules
+	{
+		[type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny();
+		[type=="x-ms-azurevm-debuggersdisabled", value==false] => deny();
+		// The line below was edited by the Constellation CLI. Do not edit manually.
+		//[type=="secureboot", value==false] => deny();
+		[type=="x-ms-azurevm-signingdisabled", value==false] => deny();
+		[type=="x-ms-azurevm-dbvalidated", value==false] => deny();
+		[type=="x-ms-azurevm-dbxvalidated", value==false] => deny();
+		=> permit();
+	};
+	issuancerules
+	{
+	};`
+
+// NewAzureMaaAttestationPolicy returns a new AzureAttestationPolicy to use with MAA.
+func NewAzureMaaAttestationPolicy() AzureAttestationPolicy {
+	return AzureAttestationPolicy{
+		policy: maaAttestationPolicy,
+	}
+}
+
+// AzureAttestationPolicy patches attestation policies on Azure.
+type AzureAttestationPolicy struct {
+	policy string
+}
+
+// Encode encodes the base64-encoded attestation policy in the JWS format specified here:
+// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#creating-the-policy-file-in-json-web-signature-format
+func (p AzureAttestationPolicy) Encode() string {
+	encodedPolicy := base64.RawURLEncoding.EncodeToString([]byte(p.policy))
+	const header = `{"alg":"none"}`
+	payload := fmt.Sprintf(`{"AttestationPolicy":"%s"}`, encodedPolicy)
+
+	encodedHeader := base64.RawURLEncoding.EncodeToString([]byte(header))
+	encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(payload))
+
+	return fmt.Sprintf("%s.%s.", encodedHeader, encodedPayload)
+}
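Review bot: The doc comment `// AzureAttestationPolicy patches attestation policies on Azure.` is carried over from the removed AzurePolicyPatcher and no longer describes the type, which only holds policy text and encodes it; change it to `// AzureAttestationPolicy is an MAA attestation policy that Encode renders as an unsigned JWS for the azurerm provider.`. The policy's `//[type=="secureboot", value==false] => deny();` line deliberately disables the secure boot rule, and the only explanation of why (the "allow the cluster to boot while having secure boot disabled" comment in the patching code that create.go drops in this commit) disappears with it; put that reasoning on the maaAttestationPolicy doc comment so the next reader does not take it for an accidental weakening. Encode also emits a `{"alg":"none"}` header, so the policy is unsigned and presumably accepted only because the provider is created without policy-signing certificates; a sentence on Encode stating that assumption would make the trust boundary explicit.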
diff --git a/cli/internal/cloudcmd/patch_test.go b/cli/internal/cloudcmd/attestationpolicy_test.go
similarity index 93%
rename from cli/internal/cloudcmd/patch_test.go
rename to cli/internal/cloudcmd/attestationpolicy_test.go
index 0e824f398..1d1108cbb 100644
--- a/cli/internal/cloudcmd/patch_test.go
+++ b/cli/internal/cloudcmd/attestationpolicy_test.go
@@ -11,12 +11,12 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestEncodeAttestationPolicy(t *testing.T) {
+func TestAzureMaaAttestationPolicyEncode(t *testing.T) {
 	assert := assert.New(t)
 
-	p := AzurePolicyPatcher{}
+	p := NewAzureMaaAttestationPolicy()
 
 	// taken from /providers/Microsoft.Attestation/attestationProviders//mrsg_item2
 	expected := "eyJhbGciOiJub25lIn0.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."
-	assert.Equal(expected, p.encodeAttestationPolicy())
+	assert.Equal(expected, p.Encode())
 }
diff --git a/cli/internal/cloudcmd/create.go b/cli/internal/cloudcmd/create.go
index 092added0..6c19898bf 100644
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@@ -35,7 +35,6 @@ type Creator struct {
 	newTerraformClient func(ctx context.Context) (terraformClient, error)
 	newLibvirtRunner   func() libvirtRunner
 	newRawDownloader   func() rawDownloader
-	policyPatcher      policyPatcher
 }
 
 // NewCreator creates a new creator.
@@ -52,7 +51,6 @@ func NewCreator(out io.Writer) *Creator {
 		newRawDownloader: func() rawDownloader {
 			return imagefetcher.NewDownloader()
 		},
-		policyPatcher: NewAzurePolicyPatcher(),
 	}
 }
 
@@ -226,6 +224,7 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
 		ImageID:        opts.image,
 		SecureBoot:     *opts.Config.Provider.Azure.SecureBoot,
 		CreateMAA:      opts.Config.GetAttestationConfig().GetVariant().Equal(variant.AzureSEVSNP{}),
+		MAAPolicy:      NewAzureMaaAttestationPolicy().Encode(),
 		Debug:          opts.Config.IsDebugCluster(),
 	}
 
@@ -243,13 +242,6 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
 		return clusterid.File{}, err
 	}
 
-	if vars.CreateMAA {
-		// Patch the attestation policy to allow the cluster to boot while having secure boot disabled.
-		if err := c.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil {
-			return clusterid.File{}, err
-		}
-	}
-
 	return clusterid.File{
 		CloudProvider: cloudprovider.Azure,
 		IP:            tfOutput.IP,
@@ -259,11 +251,6 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
 	}, nil
 }
 
-// policyPatcher interacts with the CSP (currently only applies for Azure) to update the attestation policy.
-type policyPatcher interface {
-	Patch(ctx context.Context, attestationURL string) error
-}
-
 // The azurerm Terraform provider enforces its own convention of case sensitivity for Azure URIs which Azure's API itself does not enforce or, even worse, actually returns.
 // Let's go loco with case insensitive Regexp here and fix the user input here to be compliant with this arbitrary design decision.
 var (
diff --git a/cli/internal/cloudcmd/create_test.go b/cli/internal/cloudcmd/create_test.go
index eded26230..eda4918ed 100644
--- a/cli/internal/cloudcmd/create_test.go
+++ b/cli/internal/cloudcmd/create_test.go
@@ -33,7 +33,6 @@ func TestCreator(t *testing.T) {
 		libvirt               *stubLibvirtRunner
 		provider              cloudprovider.Provider
 		config                *config.Config
-		policyPatcher         *stubPolicyPatcher
 		wantErr               bool
 		wantRollback          bool // Use only together with stubClients.
 		wantTerraformRollback bool // When libvirt fails, don't call into Terraform.
@@ -65,7 +64,6 @@ func TestCreator(t *testing.T) {
 				cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
 				return cfg
 			}(),
-			policyPatcher: &stubPolicyPatcher{},
 		},
 		"azure trusted launch": {
 			tfClient: &stubTerraformClient{ip: ip},
@@ -77,18 +75,6 @@ func TestCreator(t *testing.T) {
 				}
 				return cfg
 			}(),
-			policyPatcher: &stubPolicyPatcher{},
-		},
-		"azure new policy patch error": {
-			tfClient: &stubTerraformClient{ip: ip},
-			provider: cloudprovider.Azure,
-			config: func() *config.Config {
-				cfg := config.Default()
-				cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
-				return cfg
-			}(),
-			policyPatcher: &stubPolicyPatcher{someErr},
-			wantErr:       true,
 		},
 		"azure newTerraformClient error": {
 			newTfClientErr: someErr,
@@ -98,8 +84,7 @@ func TestCreator(t *testing.T) {
 				cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
 				return cfg
 			}(),
-			policyPatcher: &stubPolicyPatcher{},
-			wantErr:       true,
+			wantErr: true,
 		},
 		"azure create cluster error": {
 			tfClient: &stubTerraformClient{createClusterErr: someErr},
@@ -109,7 +94,6 @@ func TestCreator(t *testing.T) {
 				cfg.RemoveProviderAndAttestationExcept(cloudprovider.Azure)
 				return cfg
 			}(),
-			policyPatcher: &stubPolicyPatcher{},
 			wantErr:               true,
 			wantRollback:          true,
 			wantTerraformRollback: true,
@@ -213,7 +197,6 @@ func TestCreator(t *testing.T) {
 					destination: "some-destination",
 				}
 			},
-			policyPatcher: tc.policyPatcher,
 		}
 
 		opts := CreateOptions{
@@ -247,14 +230,6 @@ func TestCreator(t *testing.T) {
 	}
 }
 
-type stubPolicyPatcher struct {
-	patchErr error
-}
-
-func (s stubPolicyPatcher) Patch(_ context.Context, _ string) error {
-	return s.patchErr
-}
-
 func TestNormalizeAzureURIs(t *testing.T) {
 	testCases := map[string]struct {
 		in terraform.AzureClusterVariables
diff --git a/cli/internal/cloudcmd/patch.go b/cli/internal/cloudcmd/patch.go
deleted file mode 100644
index a18138f07..000000000
--- a/cli/internal/cloudcmd/patch.go
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-package cloudcmd
-
-import (
-	"context"
-	"encoding/base64"
-	"fmt"
-	"net/http"
-
-	"github.com/Azure/azure-sdk-for-go/profiles/latest/attestation/attestation"
-	azpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-)
-
-// NewAzurePolicyPatcher returns a new AzurePolicyPatcher.
-func NewAzurePolicyPatcher() AzurePolicyPatcher {
-	return AzurePolicyPatcher{}
-}
-
-// AzurePolicyPatcher patches attestation policies on Azure.
-type AzurePolicyPatcher struct{}
-
-// Patch updates the attestation policy to the base64-encoded attestation policy JWT for the given attestation URL.
-// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#next-steps
-func (p AzurePolicyPatcher) Patch(ctx context.Context, attestationURL string) error {
-	// hacky way to update the MAA attestation policy. This should be changed as soon as either the Terraform provider supports it
-	// or the Go SDK gets updated to a recent API version.
-	// https://github.com/hashicorp/terraform-provider-azurerm/issues/20804
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
-	if err != nil {
-		return fmt.Errorf("retrieving default Azure credentials: %w", err)
-	}
-	token, err := cred.GetToken(ctx, azpolicy.TokenRequestOptions{
-		Scopes: []string{"https://attest.azure.net/.default"},
-	})
-	if err != nil {
-		return fmt.Errorf("retrieving token from default Azure credentials: %w", err)
-	}
-
-	client := attestation.NewPolicyClient()
-
-	// azureGuest is the id for the "Azure VM" attestation type. Other types are documented here:
-	// https://learn.microsoft.com/en-us/rest/api/attestation/policy/set
-	req, err := client.SetPreparer(ctx, attestationURL, "azureGuest", p.encodeAttestationPolicy())
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token.Token))
-	if err != nil {
-		return fmt.Errorf("preparing request: %w", err)
-	}
-
-	resp, err := client.Send(req)
-	if err != nil {
-		return fmt.Errorf("sending request: %w", err)
-	}
-	resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("updating attestation policy: unexpected status code: %s", resp.Status)
-	}
-
-	return nil
-}
-
-// encodeAttestationPolicy encodes the base64-encoded attestation policy in the JWS format specified here:
-// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#creating-the-policy-file-in-json-web-signature-format
-func (p AzurePolicyPatcher) encodeAttestationPolicy() string {
-	const policy = `
-	version= 1.0;
-	authorizationrules
-	{
-		[type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny();
-		[type=="x-ms-azurevm-debuggersdisabled", value==false] => deny();
-		// The line below was edited by the Constellation CLI. Do not edit manually.
-		//[type=="secureboot", value==false] => deny();
-		[type=="x-ms-azurevm-signingdisabled", value==false] => deny();
-		[type=="x-ms-azurevm-dbvalidated", value==false] => deny();
-		[type=="x-ms-azurevm-dbxvalidated", value==false] => deny();
-		=> permit();
-	};
-	issuancerules
-	{
-	};`
-	encodedPolicy := base64.RawURLEncoding.EncodeToString([]byte(policy))
-	const header = `{"alg":"none"}`
-	payload := fmt.Sprintf(`{"AttestationPolicy":"%s"}`, encodedPolicy)
-
-	encodedHeader := base64.RawURLEncoding.EncodeToString([]byte(header))
-	encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(payload))
-
-	return fmt.Sprintf("%s.%s.", encodedHeader, encodedPayload)
-}
diff --git a/cli/internal/cmd/upgradeapply.go b/cli/internal/cmd/upgradeapply.go
index a8d895e65..c93bc52b4 100644
--- a/cli/internal/cmd/upgradeapply.go
+++ b/cli/internal/cmd/upgradeapply.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/helm"
 	"github.com/edgelesssys/constellation/v2/cli/internal/kubernetes"
@@ -253,6 +254,7 @@ func parseTerraformUpgradeVars(cmd *cobra.Command, conf *config.Config, fetcher
 		ImageID:        imageRef,
 		SecureBoot:     *conf.Provider.Azure.SecureBoot,
 		CreateMAA:      conf.GetAttestationConfig().GetVariant().Equal(variant.AzureSEVSNP{}),
+		MAAPolicy:      cloudcmd.NewAzureMaaAttestationPolicy().Encode(),
 		Debug:          conf.IsDebugCluster(),
 	}
 	return targets, vars, nil
diff --git a/cli/internal/terraform/terraform/azure/main.tf b/cli/internal/terraform/terraform/azure/main.tf
index 9e726196d..8fecaee33 100644
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@@ -48,9 +48,10 @@ resource "random_password" "initSecret" {
 resource "azurerm_attestation_provider" "attestation_provider" {
   count = var.create_maa ? 1 : 0
   # name must be between 3 and 24 characters in length and use numbers and lower-case letters only.
-  name                = format("constell%s", local.uid)
-  resource_group_name = var.resource_group
-  location            = var.location
+  name                   = format("constell%s", local.uid)
+  resource_group_name    = var.resource_group
+  location               = var.location
+  azure_vm_policy_base64 = var.maa_policy
 
   lifecycle {
     # Attestation policies will be set automatically upon creation, even if not specified in the resource,
@@ -58,7 +59,7 @@ resource "azurerm_attestation_provider" "attestation_provider" {
     # To prevent them from being set to null when applying an upgrade, ignore the changes until the issue
     # is resolved by Azure.
     # Related issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/21998
-    ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64]
+    ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, azure_vm_policy_base64, sev_snp_policy_base64]
   }
 }
 
diff --git a/cli/internal/terraform/terraform/azure/variables.tf b/cli/internal/terraform/terraform/azure/variables.tf
index 0d87ba765..902e4c3a4 100644
--- a/cli/internal/terraform/terraform/azure/variables.tf
+++ b/cli/internal/terraform/terraform/azure/variables.tf
@@ -69,6 +69,11 @@ variable "create_maa" {
   description = "Whether to create a Microsoft Azure attestation provider."
 }
 
+variable "maa_policy" {
+  type        = string
+  description = "Base64-encoded Attestation policy for the Microsoft Azure attestation provider."
+}
+
 variable "debug" {
   type        = bool
   default     = false
diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go
index c5759fe44..b3c692cd8 100644
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@@ -183,6 +183,8 @@ type AzureClusterVariables struct {
 	SecureBoot bool
 	// CreateMAA sets whether a Microsoft Azure attestation provider should be created.
 	CreateMAA bool
+	// MAAPolicy sets the base64-encoded policy for the Microsoft Azure attestation provider.
+	MAAPolicy string
 	// Debug is true if debug mode is enabled.
 	Debug bool
 }
@@ -200,6 +202,7 @@ func (v *AzureClusterVariables) String() string {
 	writeLinef(b, "confidential_vm = %t", v.ConfidentialVM)
 	writeLinef(b, "secure_boot = %t", v.SecureBoot)
 	writeLinef(b, "create_maa = %t", v.CreateMAA)
+	writeLinef(b, "maa_policy = %q", v.MAAPolicy)
 	writeLinef(b, "debug = %t", v.Debug)
 	return b.String()
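Review bot: Adding `azure_vm_policy_base64` to `ignore_changes` turns the new `azure_vm_policy_base64 = var.maa_policy` into a create-time-only setting: if maaAttestationPolicy in attestationpolicy.go is ever changed (for example to re-enable the secureboot deny rule), `upgrade apply` will not push it to existing providers even though upgradeapply.go now passes MAAPolicy on every upgrade. The comment above justifies the ignore list by Azure populating unspecified policies itself (issue 21998), which presumably does not apply to a policy that is set explicitly here; if the provider still reports spurious drift on it, keep the entry but say so, e.g. `# azure_vm_policy_base64 is ignored too: policy changes made in the CLI are NOT applied to existing providers.`. `sev_snp_policy_base64` is added to the list as well although this resource never sets it, which deserves a word in the same comment.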
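Review bot: `variable "maa_policy"` has no `default`, so the module now rejects a plan that omits it even when `create_maa` is false, and the description "Base64-encoded Attestation policy" understates the format, which per Encode in attestationpolicy.go is an unsigned JWS (`base64url(header).base64url(payload).`). The Go callers in this commit always set it, so this only affects direct users of the module; consider `default = ""` together with a description such as `"Attestation policy for the Microsoft Azure attestation provider as an unsigned JWS (base64url header.payload.); only used when create_maa is true."`.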
diff --git a/cli/internal/upgrade/BUILD.bazel b/cli/internal/upgrade/BUILD.bazel
index 82e8e87c9..9e7d2ace6 100644
--- a/cli/internal/upgrade/BUILD.bazel
+++ b/cli/internal/upgrade/BUILD.bazel
@@ -10,7 +10,6 @@ go_library(
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/upgrade",
     visibility = ["//cli:__subpackages__"],
     deps = [
-        "//cli/internal/cloudcmd",
         "//cli/internal/clusterid",
         "//cli/internal/terraform",
         "//internal/cloud/cloudprovider",
diff --git a/cli/internal/upgrade/terraform.go b/cli/internal/upgrade/terraform.go
index 75cd0301f..2a0303e7d 100644
--- a/cli/internal/upgrade/terraform.go
+++ b/cli/internal/upgrade/terraform.go
@@ -14,7 +14,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@@ -25,17 +24,15 @@ import (
 // NewTerraformUpgrader returns a new TerraformUpgrader.
 func NewTerraformUpgrader(tfClient tfClient, outWriter io.Writer) (*TerraformUpgrader, error) {
 	return &TerraformUpgrader{
-		tf:            tfClient,
-		policyPatcher: cloudcmd.NewAzurePolicyPatcher(),
-		outWriter:     outWriter,
+		tf:        tfClient,
+		outWriter: outWriter,
 	}, nil
 }
 
 // TerraformUpgrader is responsible for performing Terraform migrations on cluster upgrades.
 type TerraformUpgrader struct {
-	tf            tfClient
-	policyPatcher policyPatcher
-	outWriter     io.Writer
+	tf        tfClient
+	outWriter io.Writer
 }
 
 // TerraformUpgradeOptions are the options used for the Terraform upgrade.
@@ -132,7 +129,7 @@ func (u *TerraformUpgrader) CleanUpTerraformMigrations(fileHandler file.Handler,
 	return nil
 }
 
-// ApplyTerraformMigrations applies the migerations planned by PlanTerraformMigrations.
+// ApplyTerraformMigrations applies the migrations planned by PlanTerraformMigrations.
 // If PlanTerraformMigrations has not been executed before, it will return an error.
 // In case of a successful upgrade, the output will be written to the specified file and the old Terraform directory is replaced
 // By the new one.
@@ -142,13 +139,6 @@ func (u *TerraformUpgrader) ApplyTerraformMigrations(ctx context.Context, fileHa
 		return fmt.Errorf("terraform apply: %w", err)
 	}
 
-	// AttestationURL is only set for Azure.
-	if tfOutput.AttestationURL != "" {
-		if err := u.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil {
-			return fmt.Errorf("patching policies: %w", err)
-		}
-	}
-
 	outputFileContents := clusterid.File{
 		CloudProvider: opts.CSP,
 		InitSecret:    []byte(tfOutput.Secret),
diff --git a/go.mod b/go.mod
index 44ffd99a3..47114032c 100644
--- a/go.mod
+++ b/go.mod
@@ -44,7 +44,6 @@ require (
 	cloud.google.com/go/logging v1.7.0
 	cloud.google.com/go/secretmanager v1.10.1
 	cloud.google.com/go/storage v1.30.1
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.2
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
@@ -125,6 +124,7 @@ require (
 
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
diff --git a/hack/go.mod b/hack/go.mod
index af9322db9..d23b71821 100644
--- a/hack/go.mod
+++ b/hack/go.mod
@@ -62,7 +62,6 @@ require (
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
@@ -70,13 +69,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
diff --git a/hack/go.sum b/hack/go.sum
index 4648cfe20..b09261ab8 100644
--- a/hack/go.sum
+++ b/hack/go.sum
@@ -83,7 +83,6 @@ github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiU
 github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.2 h1:uqM+VoHjVH6zdlkLF2b6O0ZANcHoj3rO0PoQ3jglUJA=
@@ -105,23 +104,8 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOEl
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
-github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
-github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
-github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc=
-github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
-github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
-github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
 github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
-github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac=
-github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
-github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
-github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
-github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0 h1:UE9n9rkJF62ArLb1F3DEjRt8O3jLwMWdSoypKV4f3MU=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -591,7 +575,6 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=