constellation/terraform-provider-constellation/docs/resources/cluster.md

page_title	subcategory	description
constellation_cluster Resource - constellation		Resource for a Constellation cluster.

constellation_cluster (Resource)

Resource for a Constellation cluster.

Example Usage

data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant

data "constellation_image" "bar" {} # Fill accordingly for the CSP

resource "random_bytes" "master_secret" {
  length = 32
}

resource "random_bytes" "master_secret_salt" {
  length = 32
}

resource "random_bytes" "measurement_salt" {
  length = 32
}

resource "constellation_cluster" "azure_example" {
  csp                                = "azure"
  name                               = "constell"
  uid                                = "..."
  image                              = data.constellation_image.bar.image
  attestation                        = data.constellation_attestation.foo.attestation
  init_secret                        = "..."
  master_secret                      = random_bytes.master_secret.hex
  master_secret_salt                 = random_bytes.master_secret_salt.hex
  measurement_salt                   = random_bytes.measurement_salt.hex
  out_of_cluster_endpoint            = "123.123.123.123"
  kubernetes_version                 = "v1.2.3"
  azure = {
    tenant_id                   = "..."
    subscription_id             = "..."
    uami_client_id              = "..."
    uami_resource_id            = "..."
    location                    = "..."
    resource_group              = "..."
    load_balancer_name          = "..."
    network_security_group_name = "..."
  }
  network_config = {
    ip_cidr_node    = "192.168.176.0/20"
    ip_cidr_service = "10.96.0.0/12"
  }
}

Schema

Required

• attestation (Attributes) Attestation comprises the measurements and CVM specific parameters. The output of the constellation_attestation data source provides sensible defaults. (see below for nested schema)
• constellation_microservice_version (String) The version of Constellation's microservices used within the cluster.
• csp (String) CSP (Cloud Service Provider) to use. (e.g. azure) See the full list of CSPs that Constellation supports.
• image (Attributes) Constellation OS Image to use on the nodes. (see below for nested schema)
• init_secret (String) Secret used for initialization of the cluster.
• kubernetes_version (String) The Kubernetes version to use for the cluster. The supported versions are [v1.28.13 v1.29.8 v1.30.4].
• master_secret (String) Hex-encoded 32-byte master secret for the cluster.
• master_secret_salt (String) Hex-encoded 32-byte master secret salt for the cluster.
• measurement_salt (String) Hex-encoded 32-byte measurement salt for the cluster.
• name (String) Name used in the cluster's named resources / cluster name.
• network_config (Attributes) Configuration for the cluster's network. (see below for nested schema)
• out_of_cluster_endpoint (String) The endpoint of the cluster. Typically, this is the public IP of a loadbalancer.
• uid (String) The UID of the cluster.

Optional

• api_server_cert_sans (List of String) List of Subject Alternative Names (SANs) for the API server certificate. Usually, this will be the out-of-cluster endpoint and the in-cluster endpoint, if existing.
• azure (Attributes) Azure-specific configuration. (see below for nested schema)
• extra_microservices (Attributes) Extra microservice settings. (see below for nested schema)
• gcp (Attributes) GCP-specific configuration. (see below for nested schema)
• in_cluster_endpoint (String) The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.
• license_id (String) Constellation license ID. When not set, the community license is used.
• openstack (Attributes) OpenStack-specific configuration. (see below for nested schema)

Read-Only

• client_certificate (String) The client certificate of the cluster.
• client_key (String, Sensitive) The client key of the cluster.
• cluster_ca_certificate (String) The cluster CA certificate of the cluster.
• cluster_id (String) The cluster ID of the cluster.
• host (String) The host of the cluster.
• kubeconfig (String, Sensitive) The kubeconfig (file) of the cluster.
• owner_id (String) The owner ID of the cluster.

Nested Schema for attestation

Required:

• amd_root_key (String)
• bootloader_version (Number)
• measurements (Attributes Map) (see below for nested schema)
• microcode_version (Number)
• snp_version (Number)
• tee_version (Number)
• variant (String) Attestation variant the image should work with. Can be one of:
  • aws-sev-snp
  • aws-nitro-tpm
  • azure-sev-snp
  • azure-tdx
  • gcp-sev-snp
  • gcp-sev-es
  • qemu-vtpm

Optional:

• azure_firmware_signer_config (Attributes) (see below for nested schema)
• tdx (Attributes) (see below for nested schema)

Nested Schema for attestation.measurements

Required:

• expected (String)
• warn_only (Boolean)

Nested Schema for attestation.azure_firmware_signer_config

Optional:

• accepted_key_digests (List of String)
• enforcement_policy (String)
• maa_url (String)

Nested Schema for attestation.tdx

Optional:

• intel_root_key (String)
• mr_seam (String)
• pce_svn (Number)
• qe_svn (Number)
• qe_vendor_id (String)
• tee_tcb_svn (String)
• xfam (String)

Nested Schema for image

Required:

• reference (String) CSP-specific unique reference to the image. The format differs per CSP.
• short_path (String) CSP-agnostic short path to the image. The format is vX.Y.Z for release images and ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION for pre-release images.
• $GIT_REF is the git reference (i.e. branch name) the image was built on, e.g. main.
• $STREAM is the stream the image was built on, e.g. nightly.
• $SEMANTIC_VERSION is the semantic version of the image, e.g. vX.Y.Z or vX.Y.Z-pre....
• version (String) Semantic version of the image.

Optional:

• marketplace_image (Boolean) Whether a marketplace image should be used.

Nested Schema for network_config

Required:

• ip_cidr_node (String) CIDR range of the cluster's node network.
• ip_cidr_service (String) CIDR range of the cluster's service network.

Optional:

• ip_cidr_pod (String) CIDR range of the cluster's pod network. Only required for clusters running on GCP.

Nested Schema for azure

Required:

• load_balancer_name (String) Name of the Azure load balancer used by the cluster.
• location (String) Azure Location of the cluster.
• network_security_group_name (String) Name of the Azure network security group used for the cluster.
• resource_group (String) Name of the Azure resource group the cluster resides in.
• subscription_id (String) ID of the Azure subscription the cluster resides in.
• tenant_id (String) Tenant ID of the Azure account.
• uami_client_id (String) Client ID of the User assigned managed identity (UAMI) used within the cluster.
• uami_resource_id (String) Resource ID of the User assigned managed identity (UAMI) used within the cluster.

Nested Schema for extra_microservices

Required:

• csi_driver (Boolean) Enable Constellation's encrypted CSI driver.

Nested Schema for gcp

Required:

• project_id (String) ID of the GCP project the cluster resides in.
• service_account_key (String) Base64-encoded private key JSON object of the service account used within the cluster.

Nested Schema for openstack

Required:

• cloud (String) Name of the cloud in the clouds.yaml file.
• floating_ip_pool_id (String) Floating IP pool to use for the VMs.
• network_id (String) OpenStack network ID to use for the VMs.
• subnet_id (String) OpenStack subnet ID to use for the VMs.

Optional:

• clouds_yaml_path (String) Path to the clouds.yaml file.
• deploy_yawol_load_balancer (Boolean) Whether to deploy a YAWOL load balancer.
• yawol_flavor_id (String) OpenStack flavor used by the yawollet.
• yawol_image_id (String) OpenStack OS image used by the yawollet.

Import

Import is supported using the following syntax:

terraform import constellation_cluster.constellation_cluster constellation-cluster://?kubeConfig=<base64-encoded-kubeconfig>&clusterEndpoint=<cluster-endpoint>&masterSecret=<hex-encoded-mastersecret>&masterSecretSalt=<hex-encoded-mastersecret-salt>