constellation/cli/internal/cmd/create.go
Otto Bittner 8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00

290 lines
11 KiB
Go

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package cmd
import (
"errors"
"fmt"
"io/fs"
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/spf13/afero"
"github.com/spf13/cobra"
)
// NewCreateCmd returns a new cobra.Command for the create command.
func NewCreateCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "create",
Short: "Create instances on a cloud platform for your Constellation cluster",
Long: "Create instances on a cloud platform for your Constellation cluster.",
Args: cobra.ExactArgs(0),
RunE: runCreate,
}
cmd.Flags().BoolP("yes", "y", false, "create the cluster without further confirmation")
cmd.Flags().IntP("control-plane-nodes", "c", 0, "number of control-plane nodes (required)")
must(cobra.MarkFlagRequired(cmd.Flags(), "control-plane-nodes"))
cmd.Flags().IntP("worker-nodes", "w", 0, "number of worker nodes (required)")
must(cobra.MarkFlagRequired(cmd.Flags(), "worker-nodes"))
return cmd
}
type createCmd struct {
log debugLog
}
func runCreate(cmd *cobra.Command, _ []string) error {
log, err := newCLILogger(cmd)
if err != nil {
return fmt.Errorf("creating logger: %w", err)
}
defer log.Sync()
spinner, err := newSpinnerOrStderr(cmd)
if err != nil {
return fmt.Errorf("creating spinner: %w", err)
}
defer spinner.Stop()
fileHandler := file.NewHandler(afero.NewOsFs())
creator := cloudcmd.NewCreator(spinner)
c := &createCmd{log: log}
fetcher := attestationconfigapi.NewFetcher()
return c.create(cmd, creator, fileHandler, spinner, fetcher)
}
func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler, spinner spinnerInterf, fetcher attestationconfigapi.Fetcher) (retErr error) {
flags, err := c.parseCreateFlags(cmd)
if err != nil {
return err
}
c.log.Debugf("Using flags: %+v", flags)
if err := c.checkDirClean(fileHandler); err != nil {
return err
}
c.log.Debugf("Loading configuration file from %q", flags.configPath)
conf, err := config.New(fileHandler, flags.configPath, fetcher, flags.force)
c.log.Debugf("Configuration file loaded: %+v", conf)
var configValidationErr *config.ValidationError
if errors.As(err, &configValidationErr) {
cmd.PrintErrln(configValidationErr.LongMessage())
}
if err != nil {
return err
}
c.log.Debugf("Checking configuration for warnings")
var printedAWarning bool
if !conf.IsReleaseImage() {
cmd.PrintErrln("Configured image doesn't look like a released production image. Double check image before deploying to production.")
printedAWarning = true
}
if conf.IsDebugCluster() {
cmd.PrintErrln("WARNING: Creating a debug cluster. This cluster is not secure and should only be used for debugging purposes.")
cmd.PrintErrln("DO NOT USE THIS CLUSTER IN PRODUCTION.")
printedAWarning = true
}
if conf.GetAttestationConfig().GetVariant().Equal(variant.AzureTrustedLaunch{}) {
cmd.PrintErrln("Disabling Confidential VMs is insecure. Use only for evaluation purposes.")
printedAWarning = true
}
// Print an extra new line later to separate warnings from the prompt message of the create command
if printedAWarning {
cmd.PrintErrln("")
}
provider := conf.GetProvider()
var instanceType string
switch provider {
case cloudprovider.AWS:
c.log.Debugf("Configuring instance type for AWS")
instanceType = conf.Provider.AWS.InstanceType
case cloudprovider.Azure:
c.log.Debugf("Configuring instance type for Azure")
instanceType = conf.Provider.Azure.InstanceType
case cloudprovider.GCP:
c.log.Debugf("Configuring instance type for GCP")
instanceType = conf.Provider.GCP.InstanceType
case cloudprovider.OpenStack:
c.log.Debugf("Configuring instance type for OpenStack")
instanceType = conf.Provider.OpenStack.FlavorID
case cloudprovider.QEMU:
c.log.Debugf("Configuring instance type for QEMU")
cpus := conf.Provider.QEMU.VCPUs
instanceType = fmt.Sprintf("%d-vCPU", cpus)
}
c.log.Debugf("Configured with instance type %q", instanceType)
if !flags.yes {
// Ask user to confirm action.
cmd.Printf("The following Constellation cluster will be created:\n")
cmd.Printf("%d control-plane node%s of type %s will be created.\n", flags.controllerCount, isPlural(flags.controllerCount), instanceType)
cmd.Printf("%d worker node%s of type %s will be created.\n", flags.workerCount, isPlural(flags.workerCount), instanceType)
ok, err := askToConfirm(cmd, "Do you want to create this cluster?")
if err != nil {
return err
}
if !ok {
cmd.Println("The creation of the cluster was aborted.")
return nil
}
}
spinner.Start("Creating", false)
opts := cloudcmd.CreateOptions{
Provider: provider,
Config: conf,
InsType: instanceType,
ControlPlaneCount: flags.controllerCount,
WorkerCount: flags.workerCount,
TFLogLevel: flags.tfLogLevel,
}
idFile, err := creator.Create(cmd.Context(), opts)
spinner.Stop()
if err != nil {
return translateCreateErrors(cmd, err)
}
c.log.Debugf("Successfully created the cloud resources for the cluster")
if err := fileHandler.WriteJSON(constants.ClusterIDsFileName, idFile, file.OptNone); err != nil {
return err
}
cmd.Println("Your Constellation cluster was created successfully.")
return nil
}
// parseCreateFlags parses the flags of the create command.
func (c *createCmd) parseCreateFlags(cmd *cobra.Command) (createFlags, error) {
controllerCount, err := cmd.Flags().GetInt("control-plane-nodes")
if err != nil {
return createFlags{}, fmt.Errorf("parsing number of control-plane nodes: %w", err)
}
c.log.Debugf("Control-plane nodes flag is %d", controllerCount)
if controllerCount < constants.MinControllerCount {
return createFlags{}, fmt.Errorf("number of control-plane nodes must be at least %d", constants.MinControllerCount)
}
workerCount, err := cmd.Flags().GetInt("worker-nodes")
if err != nil {
return createFlags{}, fmt.Errorf("parsing number of worker nodes: %w", err)
}
c.log.Debugf("Worker nodes flag is %d", workerCount)
if workerCount < constants.MinWorkerCount {
return createFlags{}, fmt.Errorf("number of worker nodes must be at least %d", constants.MinWorkerCount)
}
yes, err := cmd.Flags().GetBool("yes")
if err != nil {
return createFlags{}, fmt.Errorf("parsing yes bool: %w", err)
}
c.log.Debugf("Yes flag is %t", yes)
configPath, err := cmd.Flags().GetString("config")
if err != nil {
return createFlags{}, fmt.Errorf("parsing config path argument: %w", err)
}
c.log.Debugf("Configuration path flag is %q", configPath)
force, err := cmd.Flags().GetBool("force")
if err != nil {
return createFlags{}, fmt.Errorf("parsing force argument: %w", err)
}
c.log.Debugf("force flag is %t", force)
logLevelString, err := cmd.Flags().GetString("tf-log")
if err != nil {
return createFlags{}, fmt.Errorf("parsing tf-log string: %w", err)
}
logLevel, err := terraform.ParseLogLevel(logLevelString)
if err != nil {
return createFlags{}, fmt.Errorf("parsing Terraform log level %s: %w", logLevelString, err)
}
c.log.Debugf("Terraform logs will be written into %s at level %s", constants.TerraformLogFile, logLevel.String())
return createFlags{
controllerCount: controllerCount,
workerCount: workerCount,
configPath: configPath,
tfLogLevel: logLevel,
force: force,
yes: yes,
}, nil
}
// createFlags contains the parsed flags of the create command.
type createFlags struct {
controllerCount int
workerCount int
configPath string
tfLogLevel terraform.LogLevel
force bool
yes bool
}
// checkDirClean checks if files of a previous Constellation are left in the current working dir.
func (c *createCmd) checkDirClean(fileHandler file.Handler) error {
c.log.Debugf("Checking admin configuration file")
if _, err := fileHandler.Stat(constants.AdminConfFilename); !errors.Is(err, fs.ErrNotExist) {
return fmt.Errorf("file '%s' already exists in working directory, run 'constellation terminate' before creating a new one", constants.AdminConfFilename)
}
c.log.Debugf("Checking master secrets file")
if _, err := fileHandler.Stat(constants.MasterSecretFilename); !errors.Is(err, fs.ErrNotExist) {
return fmt.Errorf("file '%s' already exists in working directory. Constellation won't overwrite previous master secrets. Move it somewhere or delete it before creating a new cluster", constants.MasterSecretFilename)
}
c.log.Debugf("Checking cluster IDs file")
if _, err := fileHandler.Stat(constants.ClusterIDsFileName); !errors.Is(err, fs.ErrNotExist) {
return fmt.Errorf("file '%s' already exists in working directory. Constellation won't overwrite previous cluster IDs. Move it somewhere or delete it before creating a new cluster", constants.ClusterIDsFileName)
}
return nil
}
func translateCreateErrors(cmd *cobra.Command, err error) error {
switch {
case errors.Is(err, terraform.ErrTerraformWorkspaceDifferentFiles):
cmd.PrintErrln("\nYour current working directory contains an existing Terraform workspace which does not match the expected state.")
cmd.PrintErrln("This can be due to a mix up between providers, versions or an otherwise corrupted workspace.")
cmd.PrintErrln("Before creating a new cluster, try \"constellation terminate\".")
cmd.PrintErrf("If this does not work, either move or delete the directory %q.\n", constants.TerraformWorkingDir)
cmd.PrintErrln("Please only delete the directory if you made sure that all created cloud resources have been terminated.")
return err
case errors.Is(err, terraform.ErrTerraformWorkspaceExistsWithDifferentVariables):
cmd.PrintErrln("\nYour current working directory contains an existing Terraform workspace which was initiated with different input variables.")
cmd.PrintErrln("This can be the case if you have tried to create a cluster before with different options which did not complete, or the workspace is corrupted.")
cmd.PrintErrln("Before creating a new cluster, try \"constellation terminate\".")
cmd.PrintErrf("If this does not work, either move or delete the directory %q.\n", constants.TerraformWorkingDir)
cmd.PrintErrln("Please only delete the directory if you made sure that all created cloud resources have been terminated.")
return err
default:
return err
}
}
func isPlural(count int) string {
if count == 1 {
return ""
}
return "s"
}
func must(err error) {
if err != nil {
panic(err)
}
}