* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße 
<66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
terraform {
  required_providers {
    constellation = {
      source = "edgelesssys/constellation"
      // "0.0.0" is a placeholder, not a usable constraint: pin this to the exact
      // provider release you validated, and commit the generated
      // .terraform.lock.hcl so the provider checksum is fixed across machines
      // and CI runners rather than re-resolved on every `terraform init`.
      version = "0.0.0" // replace with the version you want to use
    }
    // Provides the random_bytes resources that generate the cluster master
    // secret and salts below; the same pinning/lockfile advice applies.
    random = {
      source = "hashicorp/random"
      version = "3.6.0"
    }
  }
}
locals {
  // Cluster name; also used as the prefix of the IAM service account id below.
  name = "constell"

  // Placeholders: replace with the exact Constellation image, Kubernetes and
  // microservice versions you intend to run. Incompatible combinations are not
  // caught at plan time.
  image_version = "vX.Y.Z"
  kubernetes_version = "vX.Y.Z"
  microservice_version = "vX.Y.Z"

  csp = "gcp"
  // attestation_variant (consumed by the constellation_attestation and
  // constellation_image data sources) and cc_technology (handed to the
  // infrastructure module) must describe the SAME confidential-computing
  // technology; here SEV-ES VMs with the matching "gcp-sev-es" variant.
  // The provider also supports a GCP SEV-SNP variant, whose reports are signed
  // under AMD's key hierarchy and so give a hardware-rooted attestation that
  // SEV-ES does not provide. If you switch, change BOTH locals together and
  // take the exact variant/technology strings from the provider documentation
  // for your pinned version.
  attestation_variant = "gcp-sev-es"
  region = "europe-west3"
  zone = "europe-west3-b"
  // Example project ID; replace with your own.
  project_id = "constellation-331613"
  // Three control-plane nodes keep etcd quorum through a single node failure.
  control_plane_count = 3
  worker_count = 2
  // NOTE(review): the machine family must support the selected cc_technology;
  // confirm against GCP's confidential VM machine-type list before changing it.
  instance_type = "n2d-standard-4"
  cc_technology = "SEV"

  // Hex-encoded secrets from the random_bytes resources below. Terraform keeps
  // them in PLAINTEXT in the state file, so the state backend needs encryption
  // at rest and tightly restricted access (same as for a kubeconfig).
  master_secret = random_bytes.master_secret.hex
  master_secret_salt = random_bytes.master_secret_salt.hex
  measurement_salt = random_bytes.measurement_salt.hex
}
// 32-byte cluster master secret, generated once by the random provider and then
// persisted in plaintext in Terraform state. Replacing this resource (taint or
// destroy) changes constellation_cluster.master_secret; NOTE(review): confirm in
// the provider docs what that means for an existing cluster before relying on
// it as a rotation mechanism.
resource "random_bytes" "master_secret" {
  length = 32
}
// 32-byte salt paired with random_bytes.master_secret; like the secret it lives
// in plaintext in Terraform state, and replacing it changes
// constellation_cluster.master_secret_salt.
resource "random_bytes" "master_secret_salt" {
  length = 32
}
// 32-byte salt handed to the cluster as measurement_salt. Stored in plaintext in
// Terraform state; replacing it changes constellation_cluster.measurement_salt.
resource "random_bytes" "measurement_salt" {
  length = 32
}
// IAM setup for the cluster (presumably the service account and its roles),
// taken from the Constellation release archive. Terraform does not verify the
// integrity of an HTTP archive module source by default, so pin $VERSION to the
// same release as the provider above and verify the archive against the
// project's published release signatures/checksums (if any) before first use.
// The module's service_account_key output is consumed by constellation_cluster
// below and therefore also ends up in Terraform state.
module "gcp_iam" {
  // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
  source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
  project_id = local.project_id
  service_account_id = "${local.name}-sa"
  zone = local.zone
  region = local.region
}
// Cloud resources for the cluster (node groups, network, endpoints), from the
// same release archive as module.gcp_iam; keep $VERSION identical in both.
module "gcp_infrastructure" {
  // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
  source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/gcp"
  name = local.name
  // Two node groups that share the instance type and zone from locals.
  node_groups = {
    control_plane_default = {
      role = "control-plane"
      instance_type = local.instance_type
      disk_size = 30
      disk_type = "pd-ssd"
      initial_count = local.control_plane_count
      zone = local.zone
    },
    worker_default = {
      role = "worker"
      instance_type = local.instance_type
      disk_size = 30
      disk_type = "pd-ssd"
      initial_count = local.worker_count
      zone = local.zone
    }
  }
  // Image reference resolved by the constellation_image data source for the
  // selected csp / attestation_variant / image_version.
  image_id = data.constellation_image.bar.image.reference
  // Keep false for production clusters. NOTE(review): presumably enables the
  // image's debugging facilities; check the module docs before enabling.
  debug = false
  zone = local.zone
  region = local.region
  project = local.project_id
  // false: the API endpoint that constellation_cluster receives as
  // out_of_cluster_endpoint is published through an external load balancer.
  // Set true if operators reach the cluster over a VPN/bastion and the
  // endpoint should not be reachable from the internet (confirm the module's
  // exact semantics for your pinned version).
  internal_load_balancer = false
  // Must agree with local.attestation_variant (see locals).
  cc_technology = local.cc_technology
}
// Attestation configuration for this csp, attestation variant and image
// (presumably the expected measurements and verification parameters). It is the
// trust anchor the cluster resource uses to decide which nodes may join, and it
// is bound to the image, so a new image_version yields a new configuration.
data "constellation_attestation" "foo" {
  csp = local.csp
  attestation_variant = local.attestation_variant
  image = data.constellation_image.bar.image
}
// Resolves the Constellation OS image for the selected csp, attestation
// variant and version. Its .image.reference is handed to the infrastructure
// module; the whole .image object feeds the attestation data source and the
// cluster resource, so all three always refer to the same image.
data "constellation_image" "bar" {
  csp = local.csp
  attestation_variant = local.attestation_variant
  version = local.image_version
}
// Initializes the Constellation cluster on top of the infrastructure above.
// Several inputs here are secrets (init_secret, master_secret and its salt,
// measurement_salt, service_account_key): they are all stored in plaintext in
// Terraform state, so the state backend must be treated as a secret store.
resource "constellation_cluster" "gcp_example" {
  csp = local.csp
  name = module.gcp_infrastructure.name
  uid = module.gcp_infrastructure.uid
  // Same image and attestation config the nodes were created with.
  image = data.constellation_image.bar.image
  attestation = data.constellation_attestation.foo.attestation
  kubernetes_version = local.kubernetes_version
  constellation_microservice_version = local.microservice_version
  // Bootstrap secret produced by the infrastructure module.
  init_secret = module.gcp_infrastructure.init_secret
  master_secret = local.master_secret
  master_secret_salt = local.master_secret_salt
  measurement_salt = local.measurement_salt
  out_of_cluster_endpoint = module.gcp_infrastructure.out_of_cluster_endpoint
  in_cluster_endpoint = module.gcp_infrastructure.in_cluster_endpoint
  api_server_cert_sans = module.gcp_infrastructure.api_server_cert_sans
  gcp = {
    project_id = module.gcp_infrastructure.project
    // Long-lived service-account credential from module.gcp_iam; rotate it
    // through the IAM module rather than reusing a key outside Terraform.
    service_account_key = module.gcp_iam.service_account_key
  }
  network_config = {
    ip_cidr_node = module.gcp_infrastructure.ip_cidr_node
    // Only CIDR set by hand here; it must not overlap the node and pod CIDRs
    // that the infrastructure module chooses.
    ip_cidr_service = "10.96.0.0/12"
    ip_cidr_pod = module.gcp_infrastructure.ip_cidr_pod
  }
}
// Admin credentials for the new cluster. `sensitive = true` only redacts the
// value in plan/apply output; it is still written in plaintext to Terraform
// state. Retrieve it with `terraform output -raw kubeconfig` into a protected
// location instead of pasting it from logs.
output "kubeconfig" {
  value = constellation_cluster.gcp_example.kubeconfig
  sensitive = true
  description = "KubeConfig for the Constellation cluster."
}