mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
220 lines
8.2 KiB
Go
220 lines
8.2 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package provider
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
|
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
|
"github.com/edgelesssys/constellation/v2/terraform-provider-constellation/internal/data"
|
|
"github.com/hashicorp/terraform-plugin-framework/datasource"
|
|
"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
|
|
"github.com/hashicorp/terraform-plugin-framework/path"
|
|
"github.com/hashicorp/terraform-plugin-framework/types"
|
|
"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
|
|
"github.com/hashicorp/terraform-plugin-log/tflog"
|
|
)
|
|
|
|
var (
|
|
// Ensure provider defined types fully satisfy framework interfaces.
|
|
_ datasource.DataSource = &AttestationDataSource{}
|
|
_ datasource.DataSourceWithValidateConfig = &AttestationDataSource{}
|
|
_ datasource.DataSourceWithConfigure = &AttestationDataSource{}
|
|
)
|
|
|
|
// NewAttestationDataSource creates a new attestation data source.
|
|
func NewAttestationDataSource() datasource.DataSource {
|
|
return &AttestationDataSource{}
|
|
}
|
|
|
|
// AttestationDataSource defines the data source implementation.
|
|
type AttestationDataSource struct {
|
|
client *http.Client
|
|
fetcher attestationconfigapi.Fetcher
|
|
rekor *sigstore.Rekor
|
|
version string
|
|
}
|
|
|
|
// AttestationDataSourceModel describes the data source data model.
|
|
type AttestationDataSourceModel struct {
|
|
CSP types.String `tfsdk:"csp"`
|
|
AttestationVariant types.String `tfsdk:"attestation_variant"`
|
|
Image types.Object `tfsdk:"image"`
|
|
MaaURL types.String `tfsdk:"maa_url"`
|
|
Insecure types.Bool `tfsdk:"insecure"`
|
|
Attestation types.Object `tfsdk:"attestation"`
|
|
}
|
|
|
|
// Configure configures the data source.
|
|
func (d *AttestationDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
|
|
// Prevent panic if the provider has not been configured. is necessary!
|
|
if req.ProviderData == nil {
|
|
return
|
|
}
|
|
providerData, ok := req.ProviderData.(data.ProviderData)
|
|
if !ok {
|
|
resp.Diagnostics.AddError(
|
|
"Unexpected Data Source Configure Type",
|
|
fmt.Sprintf("Expected data.ProviderData, got: %T. Please report this issue to the provider developers.", req.ProviderData),
|
|
)
|
|
return
|
|
}
|
|
d.version = providerData.Version.String()
|
|
|
|
d.client = http.DefaultClient
|
|
d.fetcher = attestationconfigapi.NewFetcher()
|
|
rekor, err := sigstore.NewRekor()
|
|
if err != nil {
|
|
resp.Diagnostics.AddError("constructing rekor client", err.Error())
|
|
return
|
|
}
|
|
d.rekor = rekor
|
|
}
|
|
|
|
// Metadata returns the metadata for the data source.
|
|
func (d *AttestationDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
|
|
resp.TypeName = req.ProviderTypeName + "_attestation"
|
|
}
|
|
|
|
// Schema returns the schema for the data source.
|
|
func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
|
|
resp.Schema = schema.Schema{
|
|
Description: "Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.",
|
|
MarkdownDescription: "Data source to fetch an attestation configuration for a given cloud service provider, attestation variant, and OS image.",
|
|
|
|
Attributes: map[string]schema.Attribute{
|
|
"csp": newCSPAttributeSchema(),
|
|
"attestation_variant": newAttestationVariantAttributeSchema(attributeInput),
|
|
"image": newImageAttributeSchema(attributeInput),
|
|
"maa_url": schema.StringAttribute{
|
|
MarkdownDescription: `For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
|
|
See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.`,
|
|
Optional: true,
|
|
},
|
|
"insecure": schema.BoolAttribute{
|
|
MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.",
|
|
Optional: true,
|
|
},
|
|
"attestation": newAttestationConfigAttributeSchema(attributeOutput),
|
|
},
|
|
}
|
|
}
|
|
|
|
// ValidateConfig validates the configuration for the image data source.
|
|
func (d *AttestationDataSource) ValidateConfig(ctx context.Context, req datasource.ValidateConfigRequest, resp *datasource.ValidateConfigResponse) {
|
|
var data AttestationDataSourceModel
|
|
resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
if !data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && !data.MaaURL.IsNull() {
|
|
resp.Diagnostics.AddAttributeWarning(
|
|
path.Root("maa_url"),
|
|
"MAA URL should only be set for Azure SEV-SNP", "Only when attestation_variant is set to 'azure-sev-snp', 'maa_url' should be specified.",
|
|
)
|
|
return
|
|
}
|
|
|
|
if !data.MaaURL.IsNull() {
|
|
resp.Diagnostics.AddAttributeWarning(
|
|
path.Root("maa_url"),
|
|
"Ensure that the MAA's policy is patched", "When MAA is used, please ensure the MAA's policy is patche properly for use within Constellation. See https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup for more information.",
|
|
)
|
|
return
|
|
}
|
|
|
|
if data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && data.MaaURL.IsNull() {
|
|
tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable")
|
|
}
|
|
}
|
|
|
|
// Read reads from the data source.
|
|
func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
|
|
var data AttestationDataSourceModel
|
|
|
|
// Read Terraform configuration data into the model
|
|
resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
|
|
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
csp := cloudprovider.FromString(data.CSP.ValueString())
|
|
if csp == cloudprovider.Unknown {
|
|
resp.Diagnostics.AddAttributeError(
|
|
path.Root("csp"),
|
|
"Invalid CSP",
|
|
fmt.Sprintf("Invalid CSP: %s", data.CSP.ValueString()),
|
|
)
|
|
return
|
|
}
|
|
attestationVariant, err := variant.FromString(data.AttestationVariant.ValueString())
|
|
if err != nil {
|
|
resp.Diagnostics.AddAttributeError(
|
|
path.Root("attestation_variant"),
|
|
"Invalid Attestation Variant",
|
|
fmt.Sprintf("Invalid attestation variant: %s", data.AttestationVariant.ValueString()),
|
|
)
|
|
return
|
|
}
|
|
|
|
insecureFetch := data.Insecure.ValueBool()
|
|
|
|
latestVersions := attestationconfigapi.Entry{}
|
|
if attestationVariant.Equal(variant.AWSSEVSNP{}) ||
|
|
attestationVariant.Equal(variant.AzureSEVSNP{}) ||
|
|
attestationVariant.Equal(variant.AzureTDX{}) ||
|
|
attestationVariant.Equal(variant.GCPSEVSNP{}) {
|
|
latestVersions, err = d.fetcher.FetchLatestVersion(ctx, attestationVariant)
|
|
if err != nil {
|
|
resp.Diagnostics.AddError("Fetching SNP Version numbers", err.Error())
|
|
return
|
|
}
|
|
}
|
|
tfAttestation, err := convertToTfAttestation(attestationVariant, latestVersions)
|
|
if err != nil {
|
|
resp.Diagnostics.AddError("Converting attestation", err.Error())
|
|
}
|
|
verifyFetcher := measurements.NewVerifyFetcher(sigstore.NewCosignVerifier, d.rekor, d.client)
|
|
|
|
// parse OS image version
|
|
var image imageAttribute
|
|
convertDiags := data.Image.As(ctx, &image, basetypes.ObjectAsOptions{})
|
|
resp.Diagnostics.Append(convertDiags...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, image.ShortPath,
|
|
csp, attestationVariant, insecureFetch)
|
|
if err != nil {
|
|
var rekErr *measurements.RekorError
|
|
if errors.As(err, &rekErr) {
|
|
resp.Diagnostics.AddWarning("Ignoring Rekor related error", err.Error())
|
|
} else {
|
|
resp.Diagnostics.AddError("fetching and verifying measurements", err.Error())
|
|
return
|
|
}
|
|
}
|
|
tfAttestation.Measurements = convertToTfMeasurements(fetchedMeasurements)
|
|
|
|
diags := resp.State.SetAttribute(ctx, path.Root("attestation"), tfAttestation)
|
|
resp.Diagnostics.Append(diags...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
tflog.Trace(ctx, "read constellation attestation data source")
|
|
}
|