Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 00:06:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
9159b60331
constellation/terraform-provider-constellation/docs/data-sources/attestation.md
Moritz Sanft 913b09aeb8
Support SEV-SNP on GCP (#3011) 
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00

3.8 KiB
Raw Blame History

page_title subcategory description
constellation_attestation Data Source - constellation Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.

constellation_attestation (Data Source)

Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.

Example Usage

data "constellation_image" "example" {} # Fill accordingly for the CSP

data "constellation_attestation" "test" {
  csp                 = "aws"
  attestation_variant = "aws-sev-snp"
  image               = data.constellation_image.example.image
}

Schema

Required

  • attestation_variant (String) Attestation variant the image should work with. Can be one of:
    • aws-sev-snp
    • aws-nitro-tpm
    • azure-sev-snp
    • azure-tdx
    • gcp-sev-es
    • gcp-sev-snp
    • qemu-vtpm
  • csp (String) CSP (Cloud Service Provider) to use. (e.g. azure) See the full list of CSPs that Constellation supports.
  • image (Attributes) Constellation OS Image to use on the nodes. (see below for nested schema)

Optional

  • insecure (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
  • maa_url (String) For Azure only, the URL of the Microsoft Azure Attestation service

Read-Only

  • attestation (Attributes) Attestation comprises the measurements and CVM specific parameters. (see below for nested schema)

Nested Schema for image

Required:

  • reference (String) CSP-specific unique reference to the image. The format differs per CSP.
  • short_path (String) CSP-agnostic short path to the image. The format is vX.Y.Z for release images and ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION for pre-release images.
  • $GIT_REF is the git reference (i.e. branch name) the image was built on, e.g. main.
  • $STREAM is the stream the image was built on, e.g. nightly.
  • $SEMANTIC_VERSION is the semantic version of the image, e.g. vX.Y.Z or vX.Y.Z-pre....
  • version (String) Semantic version of the image.

Optional:

  • marketplace_image (Boolean) Whether a marketplace image should be used.

Nested Schema for attestation

Read-Only:

  • amd_root_key (String)
  • azure_firmware_signer_config (Attributes) (see below for nested schema)
  • bootloader_version (Number)
  • measurements (Attributes Map) (see below for nested schema)
  • microcode_version (Number)
  • snp_version (Number)
  • tdx (Attributes) (see below for nested schema)
  • tee_version (Number)
  • variant (String) Attestation variant the image should work with. Can be one of:
    • aws-sev-snp
    • aws-nitro-tpm
    • azure-sev-snp
    • azure-tdx
    • gcp-sev-es
    • gcp-sev-snp
    • qemu-vtpm

Nested Schema for attestation.azure_firmware_signer_config

Read-Only:

  • accepted_key_digests (List of String)
  • enforcement_policy (String)
  • maa_url (String)

Nested Schema for attestation.measurements

Read-Only:

  • expected (String)
  • warn_only (Boolean)

Nested Schema for attestation.tdx

Read-Only:

  • intel_root_key (String)
  • mr_seam (String)
  • pce_svn (Number)
  • qe_svn (Number)
  • qe_vendor_id (String)
  • tee_tcb_svn (String)
  • xfam (String)