cli: support custom attestation policies for maa (#1375)

* create and update maa attestation policy * use interface to allow unit testing * fix test csp * http request for policy patch * go mod tidy * remove hyphen * go mod tidy * wip: adapt to feedback * linting fixes * remove csp from tf call * fix type assertion * Add MAA URL to instance tags (#1409) Signed-off-by: Daniel Weiße <dw@edgeless.systems> * conditionally create maa provider * only set instance tag when maa is created * fix azure unit test * bazel tidy * remove AzureCVM const Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * encode policy at runtime * remove policy arg * fix unit test --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-05-02 22:34:56 -04:00 · 2023-03-20 13:33:04 +01:00 · 2023-03-20 13:33:04 +01:00 · f2ce9518a3
commit f2ce9518a3
parent 119bf02435
15 changed files with 329 additions and 39 deletions
--- a/cli/internal/terraform/terraform_test.go
+++ b/cli/internal/terraform/terraform_test.go
@ -203,7 +203,7 @@ func TestPrepareIAM(t *testing.T) {

 func TestCreateCluster(t *testing.T) {
 	someErr := errors.New("failed")
-	newTestState := func() *tfjson.State {
+	newQEMUState := func() *tfjson.State {
 		workingState := tfjson.State{
 			Values: &tfjson.StateValues{
 				Outputs: map[string]*tfjson.StateOutput{
@ -221,6 +221,27 @@ func TestCreateCluster(t *testing.T) {
 		}
 		return &workingState
 	}
+	newAzureState := func() *tfjson.State {
+		workingState := tfjson.State{
+			Values: &tfjson.StateValues{
+				Outputs: map[string]*tfjson.StateOutput{
+					"ip": {
+						Value: "192.0.2.100",
+					},
+					"initSecret": {
+						Value: "initSecret",
+					},
+					"uid": {
+						Value: "12345abc",
+					},
+					"attestationURL": {
+						Value: "https://12345.neu.attest.azure.net",
+					},
+				},
+			},
+		}
+		return &workingState
+	}
 	qemuVars := &QEMUVariables{
 		CommonVariables: CommonVariables{
 			Name:               "name",
@ -241,13 +262,17 @@ func TestCreateCluster(t *testing.T) {
 		vars     Variables
 		tf       *stubTerraform
 		fs       afero.Fs
-		wantErr  bool
+		// expectedAttestationURL is the expected attestation URL to be returned by
+		// the Terraform client. It is declared in the test case because it is
+		// provider-specific.
+		expectedAttestationURL string
+		wantErr                bool
 	}{
 		"works": {
 			pathBase: "terraform",
 			provider: cloudprovider.QEMU,
 			vars:     qemuVars,
-			tf:       &stubTerraform{showState: newTestState()},
+			tf:       &stubTerraform{showState: newQEMUState()},
 			fs:       afero.NewMemMapFs(),
 		},
 		"init fails": {
@ -330,6 +355,42 @@ func TestCreateCluster(t *testing.T) {
 			fs:      afero.NewMemMapFs(),
 			wantErr: true,
 		},
+		"working attestation url": {
+			pathBase:               "terraform",
+			provider:               cloudprovider.Azure,
+			vars:                   qemuVars, // works for mocking azure vars
+			tf:                     &stubTerraform{showState: newAzureState()},
+			fs:                     afero.NewMemMapFs(),
+			expectedAttestationURL: "https://12345.neu.attest.azure.net",
+		},
+		"no attestation url": {
+			pathBase: "terraform",
+			provider: cloudprovider.Azure,
+			vars:     qemuVars, // works for mocking azure vars
+			tf: &stubTerraform{
+				showState: &tfjson.State{
+					Values: &tfjson.StateValues{
+						Outputs: map[string]*tfjson.StateOutput{},
+					},
+				},
+			},
+			fs:      afero.NewMemMapFs(),
+			wantErr: true,
+		},
+		"attestation url has wrong type": {
+			pathBase: "terraform",
+			provider: cloudprovider.Azure,
+			vars:     qemuVars, // works for mocking azure vars
+			tf: &stubTerraform{
+				showState: &tfjson.State{
+					Values: &tfjson.StateValues{
+						Outputs: map[string]*tfjson.StateOutput{"attestationURL": {Value: 42}},
+					},
+				},
+			},
+			fs:      afero.NewMemMapFs(),
+			wantErr: true,
+		},
 	}

 	for name, tc := range testCases {
@ -355,6 +416,7 @@ func TestCreateCluster(t *testing.T) {
 			assert.Equal("192.0.2.100", tfOutput.IP)
 			assert.Equal("initSecret", tfOutput.Secret)
 			assert.Equal("12345abc", tfOutput.UID)
+			assert.Equal(tc.expectedAttestationURL, tfOutput.AttestationURL)
 		})
 	}
 }