Commit Graph

171 Commits

Author SHA1 Message Date
3u13r
cf9970c051
terraform: allow for multiple instance groups (#1471) 2023-03-21 22:56:03 +01:00
renovate[bot]
02a389e8c0
deps: update Terraform openstack to v1.51.1 (#1424)
* deps: update Terraform openstack to v1.51.1
* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-03-21 13:36:49 +01:00
Paul Meyer
f638812143
terraform: unique Azure attestation provider name (#1472)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 10:41:48 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration (#1334)
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
Paul Meyer
05f6d1dc65
terraform: valid Azure attestation provider name (#1465)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 17:53:00 +01:00
Paul Meyer
658cac046f go: remove redundant if-err check
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Moritz Sanft
f2ce9518a3
cli: support custom attestation policies for maa (#1375)
* create and update maa attestation policy

* use interface to allow unit testing

* fix test csp

* http request for policy patch

* go mod tidy

* remove hyphen

* go mod tidy

* wip: adapt to feedback

* linting fixes

* remove csp from tf call

* fix type assertion

* Add MAA URL to instance tags (#1409)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* conditionally create maa provider

* only set instance tag when maa is created

* fix azure unit test

* bazel tidy

* remove AzureCVM const

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* encode policy at runtime

* remove policy arg

* fix unit test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-20 13:33:04 +01:00
renovate[bot]
b03ead589f
deps: update Terraform azuread to v2.36.0 (#1421)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 14:30:17 +01:00
renovate[bot]
03d2232321
deps: update Terraform google-beta to v4.57.0 (#1423)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:43 +01:00
renovate[bot]
f8f3f00595
deps: update Terraform azurerm to v3.47.0 (#1422)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:08 +01:00
renovate[bot]
95d6618b9d
deps: update Terraform google to v4.57.0 (#1420)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 12:06:53 +01:00
renovate[bot]
0db034db5b
deps: update Terraform aws to v4.58.0 (#1419)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 11:43:52 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Paul Meyer
630016d1b3 openstack: use password to authenticate in cluster
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Malte Poll
8aa42e30ad
cli: set OpenStack service account credentials (#1328) 2023-03-03 10:10:36 +01:00
Malte Poll
4e202fa483
cli: set constellation uid and role as instance metadata of OpenStack instances (#1311) 2023-03-01 08:48:17 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
renovate[bot]
66022fa441
deps: update Terraform aws to v4.55.0 (#1195)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:27:11 +01:00
miampf
5137e9fa57
cli: iam destroy (#946) 2023-02-24 11:36:41 +01:00
Otto Bittner
c4fd70684f
Revert "deps: update Terraform azurerm to v3.44.1 (#1197)" (#1255)
This reverts commit 253f833f6c.
2023-02-22 11:16:05 +01:00
3u13r
ce09b9dae5
iam: assign uami role to base resource group (#1247)
* iam: assign uami role to base resource group

* fixup: also change app registration
2023-02-22 09:29:24 +01:00
renovate[bot]
477d667360
deps: update Terraform azuread to v2.34.1 (#1196)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 13:53:18 +01:00
renovate[bot]
253f833f6c
deps: update Terraform azurerm to v3.44.1 (#1197)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 10:41:04 +01:00
renovate[bot]
3a1e75837f
deps: update Terraform google-beta to v4.53.1 (#1199)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:22:16 +01:00
renovate[bot]
9a5a7d6852
deps: update Terraform google to v4.53.1 (#1198)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:21:12 +01:00
Paul Meyer
12c866bcb9 deps: replace multierr with native errors.Join
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Moritz Sanft
7410cf8038
cli: fix iam rollback (#1148)
* AB#2897 rename DestroyCluster

* #AB2897 error if terraform dir exists

* AB#2897 reword DestroyResources
2023-02-13 08:42:54 +01:00
Nils Hanke
0331e2dc78 cli: enable jumbo frames for GCP VPCs 2023-02-06 11:07:45 +01:00
renovate[bot]
a85ba96ac4
deps: update Terraform azurerm to v3.41.0 (#1097)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:33:32 +01:00
renovate[bot]
38e9ab8254
deps: update Terraform aws to v4.52.0 (#1096)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:14:17 +01:00
renovate[bot]
b47a2f81a2
deps: update Terraform google to v4.50.0 (#1098)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:13:44 +01:00
3u13r
6ea6e42519
terraform: make control-planes stateful on gcp (#1087)
* terraform: make control-planes stateful on gcp

* terraform: lock google-beta provider
2023-01-27 12:59:25 +01:00
Malte Poll
2d326ea3f0
cli: set placeholder uid for QEMU / MiniConstellation (#1069) 2023-01-25 14:42:52 +01:00
3u13r
03154c6e64
docs: document terraform support (#1037) 2023-01-23 10:37:28 +01:00
Moritz Sanft
b8648261e3
cli: fix Terraform resource group dependencies (#1048) 2023-01-20 18:59:59 +01:00
renovate[bot]
d4722b434e
Update Terraform aws to v4.50.0 (#1015)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-19 17:09:01 +01:00
Daniel Weiße
690b50b29d
dev-docs: Go package docs (#958)
* Remove unused package

* Add Go package docs to most packages

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 15:57:50 +01:00
Moritz Sanft
ae2db08f3a
ci: add e2e test for constellation recover (#845)
* AB#2256 Add recover e2e test

* AB#2256 move test & fix minor objections

* AB#2256 fix path

* AB#2256 rename hacky filename
2023-01-19 10:41:07 +01:00
renovate[bot]
4577a5886f
Update Terraform google to v4.48.0 (#929)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 16:01:02 +01:00
Malte Poll
7902dc470f
cli: use non-authoritative methods to manage iam policy memberships (#989)
- google_project_iam_binding -> google_project_iam_member
2023-01-16 18:08:57 +01:00
Nils Hanke
b3c3c2fa8c
qemu: remove registry_auth for Docker Terraform module (#957) 2023-01-12 15:47:50 +01:00
Paul Meyer
fa85150f3e hack: move terraform readmes into cli
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-09 11:49:00 +01:00
renovate[bot]
3d6b11e7cb
Update Terraform azurerm to v3.38.0 (#895)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:28:04 +01:00
renovate[bot]
19b3d68c8a
Update Terraform aws to v4.49.0 (#894)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:27:40 +01:00
renovate[bot]
ab626ca311
Update Terraform docker to v2.25.0 (#880)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 15:18:38 +01:00
renovate[bot]
7c017e2b67
Update Terraform azurerm to v3.37.0 (#849)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-03 14:47:44 +01:00
renovate[bot]
d88f144806
Update Terraform libvirt to v0.7.1 (#830)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:24:54 +01:00
renovate[bot]
cbc34b73ec
Update Terraform google to v4.47.0 (#843)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:04:00 +01:00
renovate[bot]
320c24e778
Update Terraform aws to v4.48.0 (#842)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:02:44 +01:00
renovate[bot]
fd640afe96
Update Terraform google to v4.46.0 (#798)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-14 19:15:51 +01:00
renovate[bot]
85f9d62a9f
Update Terraform azurerm to v3.35.0 (#768)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:21:13 +01:00
renovate[bot]
4ec2fceeef
Update Terraform aws to v4.46.0 (#767)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:13:09 +01:00
renovate[bot]
9d0d561726
Update Terraform google to v4.45.0 (#742)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-08 15:59:15 +01:00
Moritz Sanft
286803fb97
AB#2579 Add constellation iam create command (#624) 2022-12-07 11:48:54 +01:00
renovate[bot]
364db78420
Update Terraform azurerm to v3.34.0 (#726)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-06 13:42:49 +01:00
renovate[bot]
59076b0664
Update Terraform aws to v4.45.0 (#710)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-05 16:35:38 +01:00
renovate[bot]
68bf23b760
Update Terraform aws to v4.44.0 (#702)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-01 18:46:31 +01:00
Paul Meyer
b93b24e058 debugd: add logcollector
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
renovate[bot]
fe74c937b9
Update Terraform azurerm to v3.33.0 (#678)
* Update Terraform azurerm to v3.33.0
* [bot] Update HCL lock files

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-30 11:41:31 +01:00
renovate[bot]
7c744c0837
Update Terraform aws to v4.43.0 (#672)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 11:22:09 +01:00
renovate[bot]
fffd2b79f2
Update Terraform google to v4.44.1 (#666)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-29 14:45:07 +01:00
renovate[bot]
9d6d9f0a40
Update Terraform docker to v2.23.1 (#645)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-29 13:06:36 +01:00
Leonard Cohnen
3b6bc3b28f initserver: add client verification 2022-11-28 19:34:02 +01:00
renovate[bot]
d8c553207b
Update Terraform google to v4.44.0 (#622)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-22 14:30:40 +01:00
renovate[bot]
54ef6d21f4
Update Terraform aws to v4.40.0 (#586)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-18 15:41:02 +01:00
renovate[bot]
86b03bf08e
Update Terraform azurerm to v3.32.0 (#588)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-18 14:57:34 +01:00
renovate[bot]
b7852665f3
Update Terraform google to v4.43.1 (#576)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 16:44:33 +01:00
Nils Hanke
6e5895f200 User-friendlier errors 2022-11-17 13:49:34 +01:00
Nils Hanke
e1d8926395 Terraform: Only rollback after we fully created the workspace 2022-11-17 13:49:34 +01:00
Nils Hanke
158dfe0e2b Remove unused name parameter in CreateCluster 2022-11-17 13:49:34 +01:00
Nils Hanke
b9b618a1f0 Terraform: Try to init before destroy 2022-11-17 13:49:34 +01:00
Nils Hanke
f27af5b588 Terraform: Make variables writing retryable 2022-11-17 13:49:34 +01:00
Nils Hanke
e93527144e Terraform: Try to use existing files on partially unpacked workspace 2022-11-17 13:49:34 +01:00
Nils Hanke
4a2cba988c Create separate Terraform workspace directory 2022-11-17 13:49:34 +01:00
Malte Poll
df0cd43f92
Terraform GCP: Always use local account for resource creation (#571)
* Terraform GCP: Always use local account for resource creation
* Update CHANGELOG
2022-11-17 10:33:36 +01:00
renovate[bot]
5009de823f
Update Terraform aws to v4.39.0 (#538)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-14 10:35:26 +01:00
renovate[bot]
7bcd4b2f73
Update Terraform azurerm to v3.31.0 (#539)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-14 10:34:54 +01:00
Fabian Kammel
0d12e37c96
Document exported funcs,types,interfaces and enable check. (#475)
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2022-11-09 15:57:54 +01:00
Malte Poll
97bb0f4a91
Update terraform lock files to include hashes for all platforms (#499)
- linux_arm64
- linux_amd64
- darwin_arm64
- darwin_amd64
- windows_amd64
2022-11-09 14:23:51 +01:00
renovate[bot]
9191f8ac61
Update Terraform docker to v2.23.0 (#495)
* Update Terraform docker to v2.23.0
* Readd removed terraform lock hashes

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-11-09 13:35:17 +01:00
renovate[bot]
0e34d35404
Update Terraform google to v4.43.0 (#484)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-09 10:30:02 +01:00
renovate[bot]
b8acb5e448
Update Terraform aws to v4.38.0 (#464)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-08 18:34:45 +01:00
Nils Hanke
ee55584b90 AWS: Apply security group to worker nodes 2022-11-08 11:22:06 +01:00
Malte Poll
41668d50c2 Add recovery loadbalancer on AWS 2022-11-08 00:07:04 +01:00
Nils Hanke
759c626e0f AWS: Don't expose SSH debugging ports on the LB 2022-11-07 13:57:22 +01:00
Malte Poll
fa6dfdff4f
Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime (#442)
* Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime
* Use correct field for nat gateway

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-07 11:04:10 +01:00
renovate[bot]
b89fae8062
Update Terraform azurerm to v3.30.0 (#452)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 12:34:03 +01:00
renovate[bot]
f71073a77f
Update Terraform google to v4.42.1 (#434)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 10:14:13 +01:00
Leonard Cohnen
0d0191ba4d aws: make CCM work 2022-11-02 23:29:04 +01:00
Leonard Cohnen
be2b38f2ac terraform: use HTTPS health check for AWS 2022-11-02 23:29:04 +01:00
Leonard Cohnen
7e385c4c86 terraform: use AWS launch templates 2022-11-02 23:29:04 +01:00
Leonard Cohnen
741684843c terraform: fix azure password constraints 2022-11-02 09:57:54 +01:00
renovate[bot]
c9e6b4c5b6
Update Terraform azurerm to v3.29.1 (#405)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-31 10:45:56 +01:00
Daniel Weiße
e66cb84d6e
AB#2532 Dont clean up workspace if rollback fails (#360)
* Dont clean up workspace if rollback fails

* Remove dependency on CSP from terminate

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-26 15:57:00 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any (#370) 2022-10-25 15:51:23 +02:00
Malte Poll
52f140a968
Pin terraform provider hashes (#361) 2022-10-25 10:10:46 +02:00
Daniel Weiße
b35b74b772
Use tags for UID and role parsing (#242)
* Apply tags to all applicable GCP resources

* Move GCP UID and role from VM metadata to labels

* Adjust Azure tags to be in line with GCP and AWS

* Dont rely on resource name to find resources

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-24 16:58:21 +02:00
Nils Hanke
04c4cff9f6
AB#2436: Initial support for create/terminate AWS NitroTPM instances
* Add .DS_Store to .gitignore

* Add AWS to config / supported instance types

* Move AWS terraform skeleton to cli/internal/terraform

* Move currently unused IAM to hack/terraform/aws

* Print supported AWS instance types when AWS dev flag is set

* Block everything aTLS related (e.g. init, verify) until AWS attestation is available

* Create/Terminate AWS dev cluster when dev flag is set

* Restrict Nitro instances to NitroTPM supported specifically

* Pin zone for subnets

This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, causing the load balancer to not be able
to connect to the targets.

Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.

* Add AWS/GCP to Terraform TestLoader unit test

* Add uid tag and create log group

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-10-21 12:24:18 +02:00
Malte Poll
f3d78a573f Disable Azure VM agent and report VM as ready 2022-10-21 11:04:25 +02:00
Malte Poll
ed9acef9d4 Upgrade terraform azure provider to 3.28.0 2022-10-21 11:04:25 +02:00