mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-04 20:30:59 -05:00
913b09aeb8
* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
3.8 KiB
3.8 KiB
page_title | subcategory | description |
---|---|---|
constellation_attestation Data Source - constellation | Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image. |
constellation_attestation (Data Source)
Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.
Example Usage
data "constellation_image" "example" {} # Fill accordingly for the CSP
data "constellation_attestation" "test" {
csp = "aws"
attestation_variant = "aws-sev-snp"
image = data.constellation_image.example.image
}
Schema
Required
attestation_variant
(String) Attestation variant the image should work with. Can be one of:aws-sev-snp
aws-nitro-tpm
azure-sev-snp
azure-tdx
gcp-sev-es
gcp-sev-snp
qemu-vtpm
csp
(String) CSP (Cloud Service Provider) to use. (e.g.azure
) See the full list of CSPs that Constellation supports.image
(Attributes) Constellation OS Image to use on the nodes. (see below for nested schema)
Optional
insecure
(Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.maa_url
(String) For Azure only, the URL of the Microsoft Azure Attestation service
Read-Only
attestation
(Attributes) Attestation comprises the measurements and CVM specific parameters. (see below for nested schema)
Nested Schema for image
Required:
reference
(String) CSP-specific unique reference to the image. The format differs per CSP.short_path
(String) CSP-agnostic short path to the image. The format isvX.Y.Z
for release images andref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION
for pre-release images.$GIT_REF
is the git reference (i.e. branch name) the image was built on, e.g.main
.$STREAM
is the stream the image was built on, e.g.nightly
.$SEMANTIC_VERSION
is the semantic version of the image, e.g.vX.Y.Z
orvX.Y.Z-pre...
.version
(String) Semantic version of the image.
Optional:
marketplace_image
(Boolean) Whether a marketplace image should be used.
Nested Schema for attestation
Read-Only:
amd_root_key
(String)azure_firmware_signer_config
(Attributes) (see below for nested schema)bootloader_version
(Number)measurements
(Attributes Map) (see below for nested schema)microcode_version
(Number)snp_version
(Number)tdx
(Attributes) (see below for nested schema)tee_version
(Number)variant
(String) Attestation variant the image should work with. Can be one of:aws-sev-snp
aws-nitro-tpm
azure-sev-snp
azure-tdx
gcp-sev-es
gcp-sev-snp
qemu-vtpm
Nested Schema for attestation.azure_firmware_signer_config
Read-Only:
accepted_key_digests
(List of String)enforcement_policy
(String)maa_url
(String)
Nested Schema for attestation.measurements
Read-Only:
expected
(String)warn_only
(Boolean)
Nested Schema for attestation.tdx
Read-Only:
intel_root_key
(String)mr_seam
(String)pce_svn
(Number)qe_svn
(Number)qe_vendor_id
(String)tee_tcb_svn
(String)xfam
(String)