cli: support custom attestation policies for maa (#1375)

* create and update maa attestation policy

* use interface to allow unit testing

* fix test csp

* http request for policy patch

* go mod tidy

* remove hyphen

* go mod tidy

* wip: adapt to feedback

* linting fixes

* remove csp from tf call

* fix type assertion

* Add MAA URL to instance tags (#1409)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* conditionally create maa provider

* only set instance tag when maa is created

* fix azure unit test

* bazel tidy

* remove AzureCVM const

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* encode policy at runtime

* remove policy arg

* fix unit test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

cli/internal/terraform/terraform.go

@@ -128,10 +128,18 @@ func (c *Client) CreateCluster(ctx context.Context) (CreateOutput, error) {
 		return CreateOutput{}, errors.New("invalid type in uid output: not a string")
 	}
 
+	var attestationURL string
+	if attestationURLOutput, ok := tfState.Values.Outputs["attestationURL"]; ok {
+		if attestationURLString, ok := attestationURLOutput.Value.(string); ok {
+			attestationURL = attestationURLString
+		}
+	}
+
 	return CreateOutput{
-		IP:     ip,
-		Secret: secret,
-		UID:    uid,
+		IP:             ip,
+		Secret:         secret,
+		UID:            uid,
+		AttestationURL: attestationURL,
 	}, nil
 }
 
@@ -140,6 +148,9 @@ type CreateOutput struct {
 	IP     string
 	Secret string
 	UID    string
+	// AttestationURL is the URL of the attestation provider.
+	// It is only set if the cluster is created on Azure.
+	AttestationURL string
 }
 
 // IAMOutput contains the output information of the Terraform IAM operations.

cli/internal/terraform/terraform/azure/main.tf

@@ -41,6 +41,13 @@ resource "random_password" "initSecret" {
   override_special = "_%@"
 }
 
+resource "azurerm_attestation_provider" "attestation_provider" {
+  count               = var.create_maa ? 1 : 0
+  name                = format("%sap", var.name)
+  resource_group_name = var.resource_group
+  location            = var.location
+}
+
 resource "azurerm_application_insights" "insights" {
   name                = local.name
   location            = var.location
@@ -192,16 +199,21 @@ resource "azurerm_network_security_group" "security_group" {
 module "scale_set_control_plane" {
   source = "./modules/scale_set"
 
-  name                      = "${local.name}-control-plane"
-  instance_count            = var.control_plane_count
-  state_disk_size           = var.state_disk_size
-  state_disk_type           = var.state_disk_type
-  resource_group            = var.resource_group
-  location                  = var.location
-  instance_type             = var.instance_type
-  confidential_vm           = var.confidential_vm
-  secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { constellation-role = "control-plane" }, { constellation-init-secret-hash = local.initSecretHash })
+  name            = "${local.name}-control-plane"
+  instance_count  = var.control_plane_count
+  state_disk_size = var.state_disk_size
+  state_disk_type = var.state_disk_type
+  resource_group  = var.resource_group
+  location        = var.location
+  instance_type   = var.instance_type
+  confidential_vm = var.confidential_vm
+  secure_boot     = var.secure_boot
+  tags = merge(
+    local.tags,
+    { constellation-role = "control-plane" },
+    { constellation-init-secret-hash = local.initSecretHash },
+    { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
+  )
   image_id                  = var.image_id
   user_assigned_identity    = var.user_assigned_identity
   network_security_group_id = azurerm_network_security_group.security_group.id
@@ -215,16 +227,21 @@ module "scale_set_control_plane" {
 module "scale_set_worker" {
   source = "./modules/scale_set"
 
-  name                      = "${local.name}-worker"
-  instance_count            = var.worker_count
-  state_disk_size           = var.state_disk_size
-  state_disk_type           = var.state_disk_type
-  resource_group            = var.resource_group
-  location                  = var.location
-  instance_type             = var.instance_type
-  confidential_vm           = var.confidential_vm
-  secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { constellation-role = "worker" }, { constellation-init-secret-hash = local.initSecretHash })
+  name            = "${local.name}-worker"
+  instance_count  = var.worker_count
+  state_disk_size = var.state_disk_size
+  state_disk_type = var.state_disk_type
+  resource_group  = var.resource_group
+  location        = var.location
+  instance_type   = var.instance_type
+  confidential_vm = var.confidential_vm
+  secure_boot     = var.secure_boot
+  tags = merge(
+    local.tags,
+    { constellation-role = "worker" },
+    { constellation-init-secret-hash = local.initSecretHash },
+    { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
+  )
   image_id                  = var.image_id
   user_assigned_identity    = var.user_assigned_identity
   network_security_group_id = azurerm_network_security_group.security_group.id

cli/internal/terraform/terraform/azure/outputs.tf

@@ -10,3 +10,7 @@ output "initSecret" {
   value     = random_password.initSecret.result
   sensitive = true
 }
+
+output "attestationURL" {
+  value = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : ""
+}

cli/internal/terraform/terraform/azure/variables.tf

@@ -63,6 +63,12 @@ variable "secure_boot" {
   description = "Whether to deploy the cluster nodes with secure boot."
 }
 
+variable "create_maa" {
+  type        = bool
+  default     = false
+  description = "Whether to create a Microsoft Azure attestation provider."
+}
+
 variable "debug" {
   type        = bool
   default     = false

cli/internal/terraform/terraform_test.go

@@ -203,7 +203,7 @@ func TestPrepareIAM(t *testing.T) {
 
 func TestCreateCluster(t *testing.T) {
 	someErr := errors.New("failed")
-	newTestState := func() *tfjson.State {
+	newQEMUState := func() *tfjson.State {
 		workingState := tfjson.State{
 			Values: &tfjson.StateValues{
 				Outputs: map[string]*tfjson.StateOutput{
@@ -221,6 +221,27 @@ func TestCreateCluster(t *testing.T) {
 		}
 		return &workingState
 	}
+	newAzureState := func() *tfjson.State {
+		workingState := tfjson.State{
+			Values: &tfjson.StateValues{
+				Outputs: map[string]*tfjson.StateOutput{
+					"ip": {
+						Value: "192.0.2.100",
+					},
+					"initSecret": {
+						Value: "initSecret",
+					},
+					"uid": {
+						Value: "12345abc",
+					},
+					"attestationURL": {
+						Value: "https://12345.neu.attest.azure.net",
+					},
+				},
+			},
+		}
+		return &workingState
+	}
 	qemuVars := &QEMUVariables{
 		CommonVariables: CommonVariables{
 			Name:               "name",
@@ -241,13 +262,17 @@ func TestCreateCluster(t *testing.T) {
 		vars     Variables
 		tf       *stubTerraform
 		fs       afero.Fs
-		wantErr  bool
+		// expectedAttestationURL is the expected attestation URL to be returned by
+		// the Terraform client. It is declared in the test case because it is
+		// provider-specific.
+		expectedAttestationURL string
+		wantErr                bool
 	}{
 		"works": {
 			pathBase: "terraform",
 			provider: cloudprovider.QEMU,
 			vars:     qemuVars,
-			tf:       &stubTerraform{showState: newTestState()},
+			tf:       &stubTerraform{showState: newQEMUState()},
 			fs:       afero.NewMemMapFs(),
 		},
 		"init fails": {
@@ -330,6 +355,42 @@ func TestCreateCluster(t *testing.T) {
 			fs:      afero.NewMemMapFs(),
 			wantErr: true,
 		},
+		"working attestation url": {
+			pathBase:               "terraform",
+			provider:               cloudprovider.Azure,
+			vars:                   qemuVars, // works for mocking azure vars
+			tf:                     &stubTerraform{showState: newAzureState()},
+			fs:                     afero.NewMemMapFs(),
+			expectedAttestationURL: "https://12345.neu.attest.azure.net",
+		},
+		"no attestation url": {
+			pathBase: "terraform",
+			provider: cloudprovider.Azure,
+			vars:     qemuVars, // works for mocking azure vars
+			tf: &stubTerraform{
+				showState: &tfjson.State{
+					Values: &tfjson.StateValues{
+						Outputs: map[string]*tfjson.StateOutput{},
+					},
+				},
+			},
+			fs:      afero.NewMemMapFs(),
+			wantErr: true,
+		},
+		"attestation url has wrong type": {
+			pathBase: "terraform",
+			provider: cloudprovider.Azure,
+			vars:     qemuVars, // works for mocking azure vars
+			tf: &stubTerraform{
+				showState: &tfjson.State{
+					Values: &tfjson.StateValues{
+						Outputs: map[string]*tfjson.StateOutput{"attestationURL": {Value: 42}},
+					},
+				},
+			},
+			fs:      afero.NewMemMapFs(),
+			wantErr: true,
+		},
 	}
 
 	for name, tc := range testCases {
@@ -355,6 +416,7 @@ func TestCreateCluster(t *testing.T) {
 			assert.Equal("192.0.2.100", tfOutput.IP)
 			assert.Equal("initSecret", tfOutput.Secret)
 			assert.Equal("12345abc", tfOutput.UID)
+			assert.Equal(tc.expectedAttestationURL, tfOutput.AttestationURL)
 		})
 	}
 }

cli/internal/terraform/variables.go

@@ -175,6 +175,8 @@ type AzureClusterVariables struct {
 	ConfidentialVM bool
 	// SecureBoot sets the VM to use secure boot.
 	SecureBoot bool
+	// CreateMAA sets whether a Microsoft Azure attestation provider should be created.
+	CreateMAA bool
 	// Debug is true if debug mode is enabled.
 	Debug bool
 }
@@ -191,6 +193,7 @@ func (v *AzureClusterVariables) String() string {
 	writeLinef(b, "image_id = %q", v.ImageID)
 	writeLinef(b, "confidential_vm = %t", v.ConfidentialVM)
 	writeLinef(b, "secure_boot = %t", v.SecureBoot)
+	writeLinef(b, "create_maa = %t", v.CreateMAA)
 	writeLinef(b, "debug = %t", v.Debug)
 
 	return b.String()