/* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package cmd import ( "errors" "fmt" "io/fs" "os" "path/filepath" "github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd" "github.com/edgelesssys/constellation/v2/cli/internal/state" "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi" "github.com/edgelesssys/constellation/v2/internal/api/versionsapi" "github.com/edgelesssys/constellation/v2/internal/attestation/variant" "github.com/edgelesssys/constellation/v2/internal/config" "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/semver" "github.com/spf13/afero" "github.com/spf13/cobra" "github.com/spf13/pflag" ) // NewCreateCmd returns a new cobra.Command for the create command. func NewCreateCmd() *cobra.Command { cmd := &cobra.Command{ Use: "create", Short: "Create instances on a cloud platform for your Constellation cluster", Long: "Create instances on a cloud platform for your Constellation cluster.", Args: cobra.ExactArgs(0), RunE: runCreate, } cmd.Flags().BoolP("yes", "y", false, "create the cluster without further confirmation") return cmd } // createFlags contains the parsed flags of the create command. type createFlags struct { rootFlags yes bool } // parse parses the flags of the create command. func (f *createFlags) parse(flags *pflag.FlagSet) error { if err := f.rootFlags.parse(flags); err != nil { return err } yes, err := flags.GetBool("yes") if err != nil { return fmt.Errorf("getting 'yes' flag: %w", err) } f.yes = yes return nil } type createCmd struct { log debugLog flags createFlags } func runCreate(cmd *cobra.Command, _ []string) error { log, err := newCLILogger(cmd) if err != nil { return fmt.Errorf("creating logger: %w", err) } defer log.Sync() spinner, err := newSpinnerOrStderr(cmd) if err != nil { return fmt.Errorf("creating spinner: %w", err) } defer spinner.Stop() fileHandler := file.NewHandler(afero.NewOsFs()) c := &createCmd{log: log} if err := c.flags.parse(cmd.Flags()); err != nil { return err } c.log.Debugf("Using flags: %+v", c.flags) applier, removeInstaller, err := cloudcmd.NewApplier( cmd.Context(), spinner, constants.TerraformWorkingDir, filepath.Join(constants.UpgradeDir, "create"), // Not used by create c.flags.tfLogLevel, fileHandler, ) if err != nil { return err } defer removeInstaller() fetcher := attestationconfigapi.NewFetcher() return c.create(cmd, applier, fileHandler, spinner, fetcher) } func (c *createCmd) create(cmd *cobra.Command, applier cloudApplier, fileHandler file.Handler, spinner spinnerInterf, fetcher attestationconfigapi.Fetcher) (retErr error) { if err := c.checkDirClean(fileHandler); err != nil { return err } c.log.Debugf("Loading configuration file from %q", c.flags.pathPrefixer.PrefixPrintablePath(constants.ConfigFilename)) conf, err := config.New(fileHandler, constants.ConfigFilename, fetcher, c.flags.force) c.log.Debugf("Configuration file loaded: %+v", conf) var configValidationErr *config.ValidationError if errors.As(err, &configValidationErr) { cmd.PrintErrln(configValidationErr.LongMessage()) } if err != nil { return err } if !c.flags.force { if err := validateCLIandConstellationVersionAreEqual(constants.BinaryVersion(), conf.Image, conf.MicroserviceVersion); err != nil { return err } } c.log.Debugf("Checking configuration for warnings") var printedAWarning bool if !conf.IsReleaseImage() { cmd.PrintErrln("Configured image doesn't look like a released production image. Double check image before deploying to production.") printedAWarning = true } if conf.IsNamedLikeDebugImage() && !conf.IsDebugCluster() { cmd.PrintErrln("WARNING: A debug image is used but debugCluster is false.") printedAWarning = true } if conf.IsDebugCluster() { cmd.PrintErrln("WARNING: Creating a debug cluster. This cluster is not secure and should only be used for debugging purposes.") cmd.PrintErrln("DO NOT USE THIS CLUSTER IN PRODUCTION.") printedAWarning = true } if conf.GetAttestationConfig().GetVariant().Equal(variant.AzureTrustedLaunch{}) { cmd.PrintErrln("Disabling Confidential VMs is insecure. Use only for evaluation purposes.") printedAWarning = true } // Print an extra new line later to separate warnings from the prompt message of the create command if printedAWarning { cmd.PrintErrln("") } controlPlaneGroup, ok := conf.NodeGroups[constants.DefaultControlPlaneGroupName] if !ok { return fmt.Errorf("default control-plane node group %q not found in configuration", constants.DefaultControlPlaneGroupName) } workerGroup, ok := conf.NodeGroups[constants.DefaultWorkerGroupName] if !ok { return fmt.Errorf("default worker node group %q not found in configuration", constants.DefaultWorkerGroupName) } otherGroupNames := make([]string, 0, len(conf.NodeGroups)-2) for groupName := range conf.NodeGroups { if groupName != constants.DefaultControlPlaneGroupName && groupName != constants.DefaultWorkerGroupName { otherGroupNames = append(otherGroupNames, groupName) } } if len(otherGroupNames) > 0 { c.log.Debugf("Creating %d additional node groups: %v", len(otherGroupNames), otherGroupNames) } if !c.flags.yes { // Ask user to confirm action. cmd.Printf("The following Constellation cluster will be created:\n") cmd.Printf(" %d control-plane node%s of type %s will be created.\n", controlPlaneGroup.InitialCount, isPlural(controlPlaneGroup.InitialCount), controlPlaneGroup.InstanceType) cmd.Printf(" %d worker node%s of type %s will be created.\n", workerGroup.InitialCount, isPlural(workerGroup.InitialCount), workerGroup.InstanceType) for _, groupName := range otherGroupNames { group := conf.NodeGroups[groupName] cmd.Printf(" group %s with %d node%s of type %s will be created.\n", groupName, group.InitialCount, isPlural(group.InitialCount), group.InstanceType) } ok, err := askToConfirm(cmd, "Do you want to create this cluster?") if err != nil { return err } if !ok { cmd.Println("The creation of the cluster was aborted.") return nil } } spinner.Start("Creating", false) if _, err := applier.Plan(cmd.Context(), conf); err != nil { return fmt.Errorf("planning infrastructure creation: %w", err) } infraState, err := applier.Apply(cmd.Context(), conf.GetProvider(), cloudcmd.WithRollbackOnError) spinner.Stop() if err != nil { return err } c.log.Debugf("Successfully created the cloud resources for the cluster") stateFile, err := state.CreateOrRead(fileHandler, constants.StateFilename) if err != nil { return fmt.Errorf("reading state file: %w", err) } if err := stateFile.Validate(state.PreCreate, conf.GetProvider()); err != nil { return fmt.Errorf("validating state file: %w", err) } stateFile = stateFile.SetInfrastructure(infraState) if err := stateFile.WriteToFile(fileHandler, constants.StateFilename); err != nil { return fmt.Errorf("writing state file: %w", err) } cmd.Println("Your Constellation cluster was created successfully.") return nil } // checkDirClean checks if files of a previous Constellation are left in the current working dir. func (c *createCmd) checkDirClean(fileHandler file.Handler) error { c.log.Debugf("Checking admin configuration file") if _, err := fileHandler.Stat(constants.AdminConfFilename); !errors.Is(err, fs.ErrNotExist) { return fmt.Errorf( "file '%s' already exists in working directory, run 'constellation terminate' before creating a new one", c.flags.pathPrefixer.PrefixPrintablePath(constants.AdminConfFilename), ) } c.log.Debugf("Checking master secrets file") if _, err := fileHandler.Stat(constants.MasterSecretFilename); !errors.Is(err, fs.ErrNotExist) { return fmt.Errorf( "file '%s' already exists in working directory. Constellation won't overwrite previous master secrets. Move it somewhere or delete it before creating a new cluster", c.flags.pathPrefixer.PrefixPrintablePath(constants.MasterSecretFilename), ) } c.log.Debugf("Checking terraform working directory") if clean, err := fileHandler.IsEmpty(constants.TerraformWorkingDir); err != nil && !errors.Is(err, os.ErrNotExist) { return fmt.Errorf("checking if terraform working directory is empty: %w", err) } else if err == nil && !clean { return fmt.Errorf( "directory '%s' already exists and is not empty, run 'constellation terminate' before creating a new one", c.flags.pathPrefixer.PrefixPrintablePath(constants.TerraformWorkingDir), ) } return nil } func isPlural(count int) string { if count == 1 { return "" } return "s" } // validateCLIandConstellationVersionAreEqual checks if the image and microservice version are equal (down to patch level) to the CLI version. func validateCLIandConstellationVersionAreEqual(cliVersion semver.Semver, imageVersion string, microserviceVersion semver.Semver) error { parsedImageVersion, err := versionsapi.NewVersionFromShortPath(imageVersion, versionsapi.VersionKindImage) if err != nil { return fmt.Errorf("parsing image version: %w", err) } semImage, err := semver.New(parsedImageVersion.Version()) if err != nil { return fmt.Errorf("parsing image semantical version: %w", err) } if !cliVersion.MajorMinorEqual(semImage) { return fmt.Errorf("image version %q does not match the major and minor version of the cli version %q", semImage.String(), cliVersion.String()) } if cliVersion.Compare(microserviceVersion) != 0 { return fmt.Errorf("cli version %q does not match microservice version %q", cliVersion.String(), microserviceVersion.String()) } return nil }