support to declaratively set attestation policy

2025-08-12 08:50:21 -04:00 · 2023-06-21 11:45:13 +02:00 · 2023-06-21 11:45:13 +02:00 · dbc495f164
commit dbc495f164
parent b25228d175
15 changed files with 82 additions and 188 deletions
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@ -48,9 +48,10 @@ resource "random_password" "initSecret" {
 resource "azurerm_attestation_provider" "attestation_provider" {
  count = var.create_maa ? 1 : 0
  # name must be between 3 and 24 characters in length and use numbers and lower-case letters only.
-  name                = format("constell%s", local.uid)
-  resource_group_name = var.resource_group
-  location            = var.location
+  name                   = format("constell%s", local.uid)
+  resource_group_name    = var.resource_group
+  location               = var.location
+  azure_vm_policy_base64 = var.maa_policy

  lifecycle {
    # Attestation policies will be set automatically upon creation, even if not specified in the resource,
@ -58,7 +59,7 @@ resource "azurerm_attestation_provider" "attestation_provider" {
    # To prevent them from being set to null when applying an upgrade, ignore the changes until the issue
    # is resolved by Azure.
    # Related issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/21998
-    ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64]
+    ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, azure_vm_policy_base64, sev_snp_policy_base64]
  }
 }

--- a/cli/internal/terraform/terraform/azure/variables.tf
+++ b/cli/internal/terraform/terraform/azure/variables.tf
@ -69,6 +69,11 @@ variable "create_maa" {
  description = "Whether to create a Microsoft Azure attestation provider."
 }

+variable "maa_policy" {
+  type        = string
+  description = "Base64-encoded Attestation policy for the Microsoft Azure attestation provider."
+}
+
 variable "debug" {
  type        = bool
  default     = false
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@ -183,6 +183,8 @@ type AzureClusterVariables struct {
 	SecureBoot bool
 	// CreateMAA sets whether a Microsoft Azure attestation provider should be created.
 	CreateMAA bool
+	// MAAPolicy sets the base64-encoded policy for the Microsoft Azure attestation provider.
+	MAAPolicy string
 	// Debug is true if debug mode is enabled.
 	Debug bool
 }
@ -200,6 +202,7 @@ func (v *AzureClusterVariables) String() string {
 	writeLinef(b, "confidential_vm = %t", v.ConfidentialVM)
 	writeLinef(b, "secure_boot = %t", v.SecureBoot)
 	writeLinef(b, "create_maa = %t", v.CreateMAA)
+	writeLinef(b, "maa_policy = %q", v.MAAPolicy)
 	writeLinef(b, "debug = %t", v.Debug)

 	return b.String()