constellation icon indicating copy to clipboard operation
constellation copied to clipboard

Published 20 hours ago verified publisher icon edgelesssys

cli: support to declaratively set attestation policy

Open msanft opened this issue 1 year ago • 3 comments

Context

Until now, we used a hacky patching mechanism to update the attestation policy of the MAA to disable secure boot checking. With my PR to the Azure Terraform provider, this can be replaced with using a corresponding field in the Terraform resource.

Proposed change(s)

  • Replace the policy patching by directly specifying the attestation policy when creating / migrating a cluster.

Related issue

  • https://github.com/hashicorp/terraform-provider-azurerm/issues/21918
  • https://github.com/hashicorp/terraform-provider-azurerm/pull/22229

Additional info

To test:

  1. Clone my fork of the Azure Terraform provider
  2. Build the provider binary with make build
  3. Add the following to ~/.terraformrc:
provider_installation {

 # Use /home/developer/go/bin as an overridden package directory
 # for the hashicorp/azurerm provider. This disables the version and checksum
 # verifications for this provider and forces Terraform to look for the
 # azurerm provider plugin in the given directory.
 dev_overrides {
   "hashicorp/azurerm" = "/home/developer/go/bin" 
   # Or whatever other path theTerraform provider binary you've built in step 2 lives in. (usually $GOBIN)
 }

 # For all other providers, install them directly from their origin provider
 # registries as normal. If you omit this, Terraform will _only_ use
 # the dev_overrides block, and so no other providers will be available.
 direct {}
}
  1. Check out this branch in your Constellation workspace and create a cluster on Azure.
  2. Remember to revert the changes to ~/.terraformrc when you're done testing.

Checklist

  • [x] Add labels (e.g., for changelog category)
  • [x] Is PR title adequate for changelog?
  • [x] Link to Milestone

msanft avatar Jun 21 '23 09:06 msanft

Deploy Preview for constellation-docs canceled.

Name Link
Latest commit 286ff812c3856e9f5330baa6a0c0e5582fc81cbe
Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/6492cd4232dab70008148164

netlify[bot] avatar Jun 21 '23 09:06 netlify[bot]

@msanft The PR and issue were merged/fixed yesterday. Judging by the schedule of their past releases, we should hopefully see a release with your changes in the next 3-4 days.

daniel-weisse avatar Jul 04 '23 09:07 daniel-weisse

@msanft The PR and issue were merged/fixed yesterday. Judging by the schedule of their past releases, we should hopefully see a release with your changes in the next 3-4 days.

Yes, unfortunately they only merged support for the SEV-SNP attestation type though, we need to wait for https://github.com/Azure/azure-rest-api-specs/issues/24635 to get merged before then again suggesting a change to the Terraform provider.. :( If better suited, I can convert this to a draft until then

msanft avatar Jul 04 '23 16:07 msanft