mirror of https://github.com/edgelesssys/constellation.git (synced 2024-12-14 02:14:21 -05:00)
---
page_title: "constellation_cluster Resource - constellation"
subcategory: ""
description: |-
  Resource for a Constellation cluster.
---
# constellation_cluster (Resource)

Resource for a Constellation cluster.

## Example Usage
```terraform
data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant
data "constellation_image" "bar" {}       # Fill accordingly for the CSP

resource "random_bytes" "master_secret" {
  length = 32
}

resource "random_bytes" "master_secret_salt" {
  length = 32
}

resource "random_bytes" "measurement_salt" {
  length = 32
}

resource "constellation_cluster" "azure_example" {
  csp                     = "azure"
  name                    = "constell"
  uid                     = "..."
  image                   = data.constellation_image.bar.image
  attestation             = data.constellation_attestation.foo.attestation
  init_secret             = "..."
  master_secret           = random_bytes.master_secret.hex
  master_secret_salt      = random_bytes.master_secret_salt.hex
  measurement_salt        = random_bytes.measurement_salt.hex
  out_of_cluster_endpoint = "123.123.123.123"
  azure = {
    tenant_id                   = "..."
    subscription_id             = "..."
    uami_client_id              = "..."
    uami_resource_id            = "..."
    location                    = "..."
    resource_group              = "..."
    load_balancer_name          = "..."
    network_security_group_name = "..."
  }
  network_config = {
    ip_cidr_node    = "192.168.176.0/20"
    ip_cidr_service = "10.96.0.0/12"
  }
}
```
## Schema

### Required

- `attestation` (Attributes) Attestation comprises the measurements and SEV-SNP specific parameters. The output of the `constellation_attestation` data source provides sensible defaults. (see below for nested schema)
- `csp` (String) The Cloud Service Provider (CSP) the cluster should run on.
- `image` (Attributes) Constellation OS image to use on the nodes. (see below for nested schema)
- `init_secret` (String) Secret used for initialization of the cluster.
- `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
- `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
- `measurement_salt` (String) Hex-encoded 32-byte measurement salt for the cluster.
- `name` (String) Name used in the cluster's named resources / cluster name.
- `network_config` (Attributes) Configuration for the cluster's network. (see below for nested schema)
- `out_of_cluster_endpoint` (String) The endpoint of the cluster. Typically, this is the public IP of a load balancer.
- `uid` (String) The UID of the cluster.
### Optional

- `api_server_cert_sans` (List of String) List of Subject Alternative Names (SANs) for the API server certificate. Usually, this will be the out-of-cluster endpoint and, if one exists, the in-cluster endpoint.
- `azure` (Attributes) Azure-specific configuration. (see below for nested schema)
- `constellation_microservice_version` (String) The version of Constellation's microservices used within the cluster. When not set, the provider version is used.
- `extra_microservices` (Attributes) Extra microservice settings. (see below for nested schema)
- `gcp` (Attributes) GCP-specific configuration. (see below for nested schema)
- `in_cluster_endpoint` (String) The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.
- `kubernetes_version` (String) The Kubernetes version to use for the cluster. When not set, version v1.27.8 is used. The supported versions are [v1.26.11 v1.27.8 v1.28.4].
### Read-Only

- `cluster_id` (String) The cluster ID of the cluster.
- `kubeconfig` (String, Sensitive) The kubeconfig of the cluster.
- `owner_id` (String) The owner ID of the cluster.
### Nested Schema for `attestation`

Required:

- `amd_root_key` (String)
- `bootloader_version` (Number)
- `measurements` (Attributes Map) (see below for nested schema)
- `microcode_version` (Number)
- `snp_version` (Number)
- `tee_version` (Number)
- `variant` (String) Attestation variant the image should work with. Can be one of:
  - `aws-sev-snp`
  - `aws-nitro-tpm`
  - `azure-sev-snp`
  - `gcp-sev-es`

Optional:

- `azure_firmware_signer_config` (Attributes) (see below for nested schema)
### Nested Schema for `attestation.measurements`

Required:

- `expected` (String)
- `warn_only` (Boolean)
### Nested Schema for `attestation.azure_firmware_signer_config`

Optional:

- `accepted_key_digests` (List of String)
- `enforcement_policy` (String)
- `maa_url` (String)
### Nested Schema for `image`

Required:

- `reference` (String) CSP-specific unique reference to the image. The format differs per CSP.
- `short_path` (String) CSP-agnostic short path to the image. The format is `vX.Y.Z` for release images and `ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION` for pre-release images. `$GIT_REF` is the git reference (i.e. branch name) the image was built on, e.g. `main`. `$STREAM` is the stream the image was built on, e.g. `nightly`. `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`.
- `version` (String) Semantic version of the image.
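As an added illustration of the two `short_path` forms described above (example code, not part of the Constellation provider), the following Go program splits a short path into its ref, stream and version components and rejects anything that matches neither form. The `ImageShortPath` type and the two regular expressions are assumptions of this example; the semantic-version pattern accepts the `vX.Y.Z-pre...` suffix the schema mentions, and a bare pre-release version without the `ref/.../stream/...` prefix is rejected because the schema documents no such form.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageShortPath holds the components of a Constellation image short path as
// described for the `short_path` attribute. For release images only Version is
// set; Ref and Stream stay empty. (Type is an assumption of this example.)
type ImageShortPath struct {
	Ref     string
	Stream  string
	Version string
	Release bool
}

// releaseRe matches the release form vX.Y.Z (no pre-release suffix).
var releaseRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)

// semverRe matches vX.Y.Z or vX.Y.Z-pre... (a dash-separated pre-release suffix).
var semverRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$`)

// ParseShortPath splits a short path into ref, stream and version and rejects
// anything that is neither of the two documented forms.
func ParseShortPath(p string) (ImageShortPath, error) {
	if releaseRe.MatchString(p) {
		return ImageShortPath{Version: p, Release: true}, nil
	}
	parts := strings.Split(p, "/")
	if len(parts) != 5 || parts[0] != "ref" || parts[2] != "stream" {
		return ImageShortPath{}, fmt.Errorf("short path %q is neither vX.Y.Z nor ref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSION", p)
	}
	ref, stream, version := parts[1], parts[3], parts[4]
	if ref == "" || stream == "" {
		return ImageShortPath{}, fmt.Errorf("short path %q has an empty ref or stream component", p)
	}
	if !semverRe.MatchString(version) {
		return ImageShortPath{}, fmt.Errorf("short path %q: %q is not a semantic version", p, version)
	}
	return ImageShortPath{Ref: ref, Stream: stream, Version: version}, nil
}

func main() {
	// Constructed inputs: a release path, a nightly pre-release path and a malformed path.
	for _, p := range []string{
		"v2.13.0",
		"ref/main/stream/nightly/v2.14.0-pre.0.20231201",
		"ref/main/nightly/v2.14.0",
	} {
		sp, err := ParseShortPath(p)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: release=%t ref=%q stream=%q version=%s\n", sp.Release, sp.Ref, sp.Stream, sp.Version)
	}
}
```

Validating the short path before `terraform apply` turns a mistyped image reference into an immediate error rather than a failed or, worse, unexpected image lookup at plan time.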
### Nested Schema for `network_config`

Required:

- `ip_cidr_node` (String) CIDR range of the cluster's node network.
- `ip_cidr_service` (String) CIDR range of the cluster's service network.

Optional:

- `ip_cidr_pod` (String) CIDR range of the cluster's pod network. Only required for clusters running on GCP.
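The node, service and pod ranges above have to be disjoint, and `ip_cidr_pod` is mandatory only on GCP. The Go function below, added here as an example and not part of the provider, validates a `network_config` block before it is applied: every range must parse, carry no host bits, and not overlap any other range. The `NetworkConfig` type and the host-bits rule are assumptions of this example; the attribute names and the GCP requirement come from the schema.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NetworkConfig mirrors the three CIDR attributes of the network_config block.
// IPCIDRPod is optional everywhere except GCP. (Type is an assumption of this example.)
type NetworkConfig struct {
	IPCIDRNode    string
	IPCIDRService string
	IPCIDRPod     string
}

// overlaps reports whether two masked prefixes share any address: aligned
// prefixes intersect exactly when one contains the other's network address.
func overlaps(a, b netip.Prefix) bool {
	return a.Contains(b.Addr()) || b.Contains(a.Addr())
}

// ValidateNetworkConfig checks that every configured CIDR parses, has no host
// bits set, and is disjoint from the others, and enforces the GCP-only
// requirement for ip_cidr_pod. It returns nil when the config is consistent.
func ValidateNetworkConfig(csp string, nc NetworkConfig) error {
	type entry struct{ name, cidr string }
	entries := []entry{
		{"ip_cidr_node", nc.IPCIDRNode},
		{"ip_cidr_service", nc.IPCIDRService},
	}
	switch {
	case nc.IPCIDRPod != "":
		entries = append(entries, entry{"ip_cidr_pod", nc.IPCIDRPod})
	case csp == "gcp":
		return fmt.Errorf("ip_cidr_pod is required for clusters running on %s", csp)
	}

	prefixes := make([]netip.Prefix, 0, len(entries))
	for _, e := range entries {
		p, err := netip.ParsePrefix(e.cidr)
		if err != nil {
			return fmt.Errorf("%s: %w", e.name, err)
		}
		// A range like 192.168.176.1/20 is almost always a typo; insist on the network address.
		if p != p.Masked() {
			return fmt.Errorf("%s: %s has host bits set (did you mean %s?)", e.name, e.cidr, p.Masked())
		}
		prefixes = append(prefixes, p)
	}
	for i := range prefixes {
		for j := i + 1; j < len(prefixes); j++ {
			if overlaps(prefixes[i], prefixes[j]) {
				return fmt.Errorf("%s (%s) overlaps %s (%s)", entries[i].name, prefixes[i], entries[j].name, prefixes[j])
			}
		}
	}
	return nil
}

func main() {
	// Constructed configs: the ranges from the example usage above, then an overlapping pair.
	good := NetworkConfig{IPCIDRNode: "192.168.176.0/20", IPCIDRService: "10.96.0.0/12"}
	bad := NetworkConfig{IPCIDRNode: "10.0.0.0/8", IPCIDRService: "10.96.0.0/12"}
	fmt.Println("azure example:", ValidateNetworkConfig("azure", good))
	fmt.Println("overlapping:", ValidateNetworkConfig("azure", bad))
	fmt.Println("gcp without pod cidr:", ValidateNetworkConfig("gcp", good))
}
```

The overlap test relies on both prefixes being masked, which the host-bits check guarantees before any comparison runs.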
### Nested Schema for `azure`

Required:

- `load_balancer_name` (String) Name of the Azure load balancer used by the cluster.
- `location` (String) Azure location of the cluster.
- `network_security_group_name` (String) Name of the Azure network security group used for the cluster.
- `resource_group` (String) Name of the Azure resource group the cluster resides in.
- `subscription_id` (String) ID of the Azure subscription the cluster resides in.
- `tenant_id` (String) Tenant ID of the Azure account.
- `uami_client_id` (String) Client ID of the user-assigned managed identity (UAMI) used within the cluster.
- `uami_resource_id` (String) Resource ID of the user-assigned managed identity (UAMI) used within the cluster.
### Nested Schema for `extra_microservices`

Required:

- `csi_driver` (Boolean) Enable Constellation's encrypted CSI driver.
### Nested Schema for `gcp`

Required:

- `project_id` (String) ID of the GCP project the cluster resides in.
- `service_account_key` (String) Base64-encoded private key JSON object of the service account used within the cluster.
## Import

Import is supported using the following syntax (the ID is quoted so the shell does not treat `&` as a command separator):

```shell
terraform import constellation_cluster.constellation_cluster "constellation-cluster://?kubeConfig=<base64-encoded-kubeconfig>&clusterEndpoint=<cluster-endpoint>&masterSecret=<hex-encoded-mastersecret>&masterSecretSalt=<hex-encoded-mastersecret-salt>"
```
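The import ID packs the kubeconfig and both master-secret values into one URI-style string, so anything that records the command line (shell history, CI job logs) ends up holding cluster credentials; generating the ID in code and feeding it from a secret store is safer than typing it. The Go program below, an added example rather than the provider's own import code, builds and parses that ID and enforces the schema's hex-encoded 32-byte rule on both secrets. The `ImportState` type and the required-value checks are assumptions of this example; the scheme and parameter names come from the syntax above.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

const importScheme = "constellation-cluster"

// ImportState carries the four values the import ID transports. KubeConfig is
// the raw kubeconfig; it is base64-encoded only inside the ID. (Assumed type.)
type ImportState struct {
	KubeConfig       []byte
	ClusterEndpoint  string
	MasterSecret     string // hex-encoded 32 bytes, as the schema requires
	MasterSecretSalt string // hex-encoded 32 bytes
}

// checkHex32 enforces the schema's "hex-encoded 32-byte" requirement.
func checkHex32(name, v string) error {
	b, err := hex.DecodeString(v)
	if err != nil {
		return fmt.Errorf("%s: not hex-encoded: %w", name, err)
	}
	if len(b) != 32 {
		return fmt.Errorf("%s: want 32 bytes, got %d", name, len(b))
	}
	return nil
}

// BuildImportID assembles the constellation-cluster://?... string expected by
// terraform import, validating the secrets before they are embedded.
func BuildImportID(s ImportState) (string, error) {
	if len(s.KubeConfig) == 0 || s.ClusterEndpoint == "" {
		return "", errors.New("kubeConfig and clusterEndpoint are required")
	}
	for name, v := range map[string]string{"masterSecret": s.MasterSecret, "masterSecretSalt": s.MasterSecretSalt} {
		if err := checkHex32(name, v); err != nil {
			return "", err
		}
	}
	q := url.Values{}
	q.Set("kubeConfig", base64.StdEncoding.EncodeToString(s.KubeConfig))
	q.Set("clusterEndpoint", s.ClusterEndpoint)
	q.Set("masterSecret", s.MasterSecret)
	q.Set("masterSecretSalt", s.MasterSecretSalt)
	// Encode sorts keys, so the order differs from the listing above; ParseImportID does not care.
	return importScheme + "://?" + q.Encode(), nil
}

// ParseImportID is the inverse of BuildImportID and applies the same checks,
// so a mistyped or truncated ID is rejected before any state is touched.
func ParseImportID(id string) (ImportState, error) {
	u, err := url.Parse(id)
	if err != nil {
		return ImportState{}, fmt.Errorf("import ID: %w", err)
	}
	if u.Scheme != importScheme {
		return ImportState{}, fmt.Errorf("import ID: scheme %q, want %q", u.Scheme, importScheme)
	}
	q := u.Query()
	for _, k := range []string{"kubeConfig", "clusterEndpoint", "masterSecret", "masterSecretSalt"} {
		if q.Get(k) == "" {
			return ImportState{}, fmt.Errorf("import ID: missing query parameter %s", k)
		}
	}
	kc, err := base64.StdEncoding.DecodeString(q.Get("kubeConfig"))
	if err != nil {
		return ImportState{}, fmt.Errorf("kubeConfig: not base64: %w", err)
	}
	s := ImportState{
		KubeConfig:       kc,
		ClusterEndpoint:  q.Get("clusterEndpoint"),
		MasterSecret:     q.Get("masterSecret"),
		MasterSecretSalt: q.Get("masterSecretSalt"),
	}
	for name, v := range map[string]string{"masterSecret": s.MasterSecret, "masterSecretSalt": s.MasterSecretSalt} {
		if err := checkHex32(name, v); err != nil {
			return ImportState{}, err
		}
	}
	return s, nil
}

func main() {
	// Constructed placeholder values; a real kubeconfig and freshly generated secrets go here.
	st := ImportState{
		KubeConfig:       []byte("apiVersion: v1\nkind: Config\n"),
		ClusterEndpoint:  "123.123.123.123",
		MasterSecret:     hex.EncodeToString(make([]byte, 32)),
		MasterSecretSalt: hex.EncodeToString(make([]byte, 32)),
	}
	id, err := BuildImportID(st)
	if err != nil {
		panic(err)
	}
	fmt.Println("terraform import constellation_cluster.constellation_cluster", id)
}
```

Because `url.Values.Encode` percent-escapes the `+`, `/` and `=` characters of the base64 kubeconfig, the resulting ID is safe to pass as a single quoted argument and round-trips through `ParseImportID` unchanged.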