/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package provider
import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"time"

	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
	"github.com/edgelesssys/constellation/v2/internal/sigstore"
	"github.com/edgelesssys/constellation/v2/terraform-provider-constellation/internal/data"
	"github.com/hashicorp/terraform-plugin-framework/datasource"
	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
	"github.com/hashicorp/terraform-plugin-framework/path"
	"github.com/hashicorp/terraform-plugin-framework/types"
	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
	"github.com/hashicorp/terraform-plugin-log/tflog"
)
// Compile-time checks that AttestationDataSource satisfies every framework
// interface the provider relies on (plain data source, config validation,
// and provider-data configuration).
var _ datasource.DataSource = (*AttestationDataSource)(nil)

var _ datasource.DataSourceWithValidateConfig = (*AttestationDataSource)(nil)

var _ datasource.DataSourceWithConfigure = (*AttestationDataSource)(nil)
// NewAttestationDataSource returns a fresh, unconfigured attestation data
// source. Its client, fetcher and Rekor fields are populated later by
// Configure, once the provider has been configured.
func NewAttestationDataSource() datasource.DataSource {
	ds := new(AttestationDataSource)
	return ds
}
// AttestationDataSource defines the data source implementation.
//
// The zero value is not usable on its own: client, fetcher and rekor are
// populated by Configure after the provider itself has been configured.
type AttestationDataSource struct {
	// client is the HTTP client handed to measurements.NewVerifyFetcher in Read
	// for downloading the OS image measurements and their signature.
	client *http.Client
	// fetcher retrieves the latest SEV-SNP version numbers in Read.
	fetcher attestationconfigapi.Fetcher
	// rekor is the sigstore Rekor client passed to the measurement verifier.
	rekor *sigstore.Rekor
	// version is the provider version copied from the provider data in
	// Configure; it is not read anywhere else in this file.
	version string
}
// AttestationDataSourceModel describes the data source data model.
//
// The tfsdk tags match the attribute names declared in Schema.
type AttestationDataSourceModel struct {
	// CSP is the cloud service provider name; Read parses it with
	// cloudprovider.FromString and rejects cloudprovider.Unknown.
	CSP types.String `tfsdk:"csp"`
	// AttestationVariant is parsed with variant.FromString in Read; SNP
	// variants additionally trigger a fetch of the latest SEV-SNP versions.
	AttestationVariant types.String `tfsdk:"attestation_variant"`
	// Image is converted into an imageAttribute in Read; only its ShortPath
	// is used here, to locate the measurements to fetch.
	Image types.Object `tfsdk:"image"`
	// MaaURL is only meaningful for azure-sev-snp (see ValidateConfig).
	MaaURL types.String `tfsdk:"maa_url"`
	// Insecure, when true, is passed through to FetchAndVerifyMeasurements to
	// skip signature verification of the fetched measurements. The schema marks
	// it as not for production use.
	Insecure types.Bool `tfsdk:"insecure"`
	// Attestation is the computed output written to state by Read.
	Attestation types.Object `tfsdk:"attestation"`
}
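// Configure configures the data source.
//
// It takes the provider version from req.ProviderData and builds the HTTP
// client, attestation-config fetcher and Rekor client that Read relies on.
// Failures are reported through resp.Diagnostics; on failure d is left
// untouched.
func (d *AttestationDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
	// The framework may call Configure before the provider has been
	// configured; ProviderData is nil then and there is nothing to set up yet.
	// Returning early avoids a nil type assertion panic below.
	if req.ProviderData == nil {
		return
	}
	providerData, ok := req.ProviderData.(data.ProviderData)
	if !ok {
		resp.Diagnostics.AddError(
			"Unexpected Data Source Configure Type",
			fmt.Sprintf("Expected data.ProviderData, got: %T. Please report this issue to the provider developers.", req.ProviderData),
		)
		return
	}

	// Build the fallible dependency first so that a failed Rekor setup does
	// not leave the data source half-configured.
	rekor, err := sigstore.NewRekor()
	if err != nil {
		resp.Diagnostics.AddError("constructing rekor client", err.Error())
		return
	}

	// Measurement and signature downloads are small, but http.DefaultClient
	// has no timeout at all, so a stalled or unresponsive server would block
	// the Terraform run indefinitely. The value is a chosen default.
	const fetchTimeout = 2 * time.Minute

	d.version = providerData.Version.String()
	d.client = &http.Client{Timeout: fetchTimeout}
	d.fetcher = attestationconfigapi.NewFetcher()
	d.rekor = rekor
}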
// Metadata reports the type name of the data source: the provider type name
// followed by the "_attestation" suffix.
func (d *AttestationDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
	const suffix = "_attestation"
	resp.TypeName = req.ProviderTypeName + suffix
}
// Schema returns the schema for the data source.
//
// Inputs are csp, attestation_variant and image (plus the optional maa_url
// and insecure flags); attestation is the single computed output.
func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
	const description = "Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image."

	attrs := make(map[string]schema.Attribute, 6)
	attrs["csp"] = newCSPAttributeSchema()
	attrs["attestation_variant"] = newAttestationVariantAttributeSchema(attributeInput)
	attrs["image"] = newImageAttributeSchema(attributeInput)
	attrs["maa_url"] = schema.StringAttribute{
		MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service",
		Optional:            true,
	}
	attrs["insecure"] = schema.BoolAttribute{
		MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.",
		Optional:            true,
	}
	attrs["attestation"] = newAttestationConfigAttributeSchema(attributeOutput)

	resp.Schema = schema.Schema{
		Description:         description,
		MarkdownDescription: description,
		Attributes:          attrs,
	}
}
// ValidateConfig validates the configuration of the attestation data source.
//
// It warns when maa_url is set for a variant other than azure-sev-snp, and
// logs an informational message when azure-sev-snp is used without maa_url.
func (d *AttestationDataSource) ValidateConfig(ctx context.Context, req datasource.ValidateConfigRequest, resp *datasource.ValidateConfigResponse) {
	var cfg AttestationDataSourceModel
	resp.Diagnostics.Append(req.Config.Get(ctx, &cfg)...)
	if resp.Diagnostics.HasError() {
		return
	}

	isAzureSNP := cfg.AttestationVariant.Equal(types.StringValue("azure-sev-snp"))
	hasMaaURL := !cfg.MaaURL.IsNull()

	switch {
	case !isAzureSNP && hasMaaURL:
		// maa_url is ignored for every other variant; surface that as a warning
		// on the attribute rather than failing the plan.
		resp.Diagnostics.AddAttributeWarning(
			path.Root("maa_url"),
			"MAA URL should only be set for Azure SEV-SNP", "Only when attestation_variant is set to 'azure-sev-snp', 'maa_url' should be specified.",
		)
	case isAzureSNP && !hasMaaURL:
		tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable")
	}
}
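// Read reads from the data source.
//
// It resolves the configured CSP and attestation variant, fetches the latest
// SEV-SNP version numbers for SNP variants, downloads and verifies the
// measurements of the configured OS image, and writes the resulting
// attestation object to resp.State under "attestation". Every failure is
// reported through resp.Diagnostics and aborts the read.
func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
	var data AttestationDataSourceModel

	// Read Terraform configuration data into the model.
	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
	if resp.Diagnostics.HasError() {
		return
	}

	csp := cloudprovider.FromString(data.CSP.ValueString())
	if csp == cloudprovider.Unknown {
		resp.Diagnostics.AddAttributeError(
			path.Root("csp"),
			"Invalid CSP",
			fmt.Sprintf("Invalid CSP: %s", data.CSP.ValueString()),
		)
		return
	}
	attestationVariant, err := variant.FromString(data.AttestationVariant.ValueString())
	if err != nil {
		resp.Diagnostics.AddAttributeError(
			path.Root("attestation_variant"),
			"Invalid Attestation Variant",
			fmt.Sprintf("Invalid attestation variant: %s", data.AttestationVariant.ValueString()),
		)
		return
	}

	// insecure disables signature verification of the fetched measurements;
	// the schema marks it as not for production use.
	insecureFetch := data.Insecure.ValueBool()

	// Only the SEV-SNP variants have version numbers to look up; every other
	// variant keeps the zero value.
	snpVersions := attestationconfigapi.SEVSNPVersionAPI{}
	if attestationVariant.Equal(variant.AzureSEVSNP{}) ||
		attestationVariant.Equal(variant.AWSSEVSNP{}) ||
		attestationVariant.Equal(variant.GCPSEVSNP{}) {
		snpVersions, err = d.fetcher.FetchSEVSNPVersionLatest(ctx, attestationVariant)
		if err != nil {
			resp.Diagnostics.AddError("Fetching SNP Version numbers", err.Error())
			return
		}
	}
	tfAttestation, err := convertToTfAttestation(attestationVariant, snpVersions)
	if err != nil {
		resp.Diagnostics.AddError("Converting attestation", err.Error())
		// Abort like every other error path: continuing would still download
		// measurements and write an object built from a failed conversion to
		// state.
		return
	}
	verifyFetcher := measurements.NewVerifyFetcher(sigstore.NewCosignVerifier, d.rekor, d.client)

	// parse OS image version
	var image imageAttribute
	convertDiags := data.Image.As(ctx, &image, basetypes.ObjectAsOptions{})
	resp.Diagnostics.Append(convertDiags...)
	if resp.Diagnostics.HasError() {
		return
	}

	fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, image.ShortPath,
		csp, attestationVariant, insecureFetch)
	if err != nil {
		// A Rekor (transparency log) failure is deliberately non-fatal: it is
		// recorded as a warning and the measurements returned alongside the
		// error are still used. NOTE(review): this relies on the verify fetcher
		// having already checked the cosign signature before the Rekor lookup
		// — confirm in measurements.VerifyFetcher.
		var rekErr *measurements.RekorError
		if errors.As(err, &rekErr) {
			resp.Diagnostics.AddWarning("Ignoring Rekor related error", err.Error())
		} else {
			resp.Diagnostics.AddError("fetching and verifying measurements", err.Error())
			return
		}
	}
	tfAttestation.Measurements = convertToTfMeasurements(fetchedMeasurements)

	diags := resp.State.SetAttribute(ctx, path.Root("attestation"), tfAttestation)
	resp.Diagnostics.Append(diags...)
	if resp.Diagnostics.HasError() {
		return
	}
	tflog.Trace(ctx, "read constellation attestation data source")
}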