terraform-provider: document MAA patching more prominently (#3330)

edgelesssys · Aug 29, 2024 · 8555bd0 · 8555bd0
1 parent c11631e
commit 8555bd0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md
@@ -42,7 +42,8 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
 ### Optional
 
 - `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
-- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service
+- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
+See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.
 
 ### Read-Only
 

diff --git a/terraform-provider-constellation/examples/full/azure/main.tf b/terraform-provider-constellation/examples/full/azure/main.tf
@@ -80,6 +80,8 @@ data "constellation_attestation" "foo" {
   csp                 = local.csp
   attestation_variant = local.attestation_variant
   image               = data.constellation_image.bar.image
+  # Needs to be patched manually, see:
+  # https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup
   maa_url             = module.azure_infrastructure.attestation_url
 }
 

diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go
@@ -98,8 +98,9 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
 			"attestation_variant": newAttestationVariantAttributeSchema(attributeInput),
 			"image":               newImageAttributeSchema(attributeInput),
 			"maa_url": schema.StringAttribute{
-				MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service",
-				Optional:            true,
+				MarkdownDescription: `For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
+See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.`,
+				Optional: true,
 			},
 			"insecure": schema.BoolAttribute{
 				MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.",
@@ -125,6 +126,15 @@ func (d *AttestationDataSource) ValidateConfig(ctx context.Context, req datasour
 		)
 		return
 	}
+
+	if !data.MaaURL.IsNull() {
+		resp.Diagnostics.AddAttributeWarning(
+			path.Root("maa_url"),
+			"Ensure that the MAA's policy is patched", "When MAA is used, please ensure the MAA's policy is patche properly for use within Constellation. See https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup for more information.",
+		)
+		return
+	}
+
 	if data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && data.MaaURL.IsNull() {
 		tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable")
 	}