cli: support custom attestation policies for maa (#1375)

* create and update maa attestation policy * use interface to allow unit testing * fix test csp * http request for policy patch * go mod tidy * remove hyphen * go mod tidy * wip: adapt to feedback * linting fixes * remove csp from tf call * fix type assertion * Add MAA URL to instance tags (#1409) Signed-off-by: Daniel Weiße <dw@edgeless.systems> * conditionally create maa provider * only set instance tag when maa is created * fix azure unit test * bazel tidy * remove AzureCVM const Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * encode policy at runtime * remove policy arg * fix unit test --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-05-03 06:44:50 -04:00 · 2023-03-20 13:33:04 +01:00 · 2023-03-20 13:33:04 +01:00 · f2ce9518a3
commit f2ce9518a3
parent 119bf02435
15 changed files with 329 additions and 39 deletions
--- a/cli/internal/cloudcmd/create_test.go
+++ b/cli/internal/cloudcmd/create_test.go
@ -30,6 +30,7 @@ func TestCreator(t *testing.T) {
 		libvirt               *stubLibvirtRunner
 		provider              cloudprovider.Provider
 		config                *config.Config
+		policyPatcher         *stubPolicyPatcher
 		wantErr               bool
 		wantRollback          bool // Use only together with stubClients.
 		wantTerraformRollback bool // When libvirt fails, don't call into Terraform.
@ -53,6 +54,35 @@ func TestCreator(t *testing.T) {
 			wantRollback:          true,
 			wantTerraformRollback: true,
 		},
+		"azure": {
+			tfClient:      &stubTerraformClient{ip: ip},
+			provider:      cloudprovider.Azure,
+			config:        config.Default(),
+			policyPatcher: &stubPolicyPatcher{},
+		},
+		"azure new policy patch error": {
+			tfClient:      &stubTerraformClient{ip: ip},
+			provider:      cloudprovider.Azure,
+			config:        config.Default(),
+			policyPatcher: &stubPolicyPatcher{someErr},
+			wantErr:       true,
+		},
+		"azure newTerraformClient error": {
+			newTfClientErr: someErr,
+			provider:       cloudprovider.Azure,
+			config:         config.Default(),
+			policyPatcher:  &stubPolicyPatcher{},
+			wantErr:        true,
+		},
+		"azure create cluster error": {
+			tfClient:              &stubTerraformClient{createClusterErr: someErr},
+			provider:              cloudprovider.Azure,
+			config:                config.Default(),
+			policyPatcher:         &stubPolicyPatcher{},
+			wantErr:               true,
+			wantRollback:          true,
+			wantTerraformRollback: true,
+		},
 		"qemu": {
 			tfClient: &stubTerraformClient{ip: ip},
 			libvirt:  &stubLibvirtRunner{},
@ -112,6 +142,7 @@ func TestCreator(t *testing.T) {
 						destination: "some-destination",
 					}
 				},
+				policyPatcher: tc.policyPatcher,
 			}

 			idFile, err := creator.Create(context.Background(), tc.provider, tc.config, "type", 2, 3)
@ -137,6 +168,14 @@ func TestCreator(t *testing.T) {
 	}
 }

+type stubPolicyPatcher struct {
+	patchErr error
+}
+
+func (s stubPolicyPatcher) Patch(ctx context.Context, attestationURL string) error {
+	return s.patchErr
+}
+
 func TestNormalizeAzureURIs(t *testing.T) {
 	testCases := map[string]struct {
 		in   terraform.AzureClusterVariables