diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md
index e5e8bc8f92..1887100471 100644
--- a/terraform-provider-constellation/docs/data-sources/attestation.md
+++ b/terraform-provider-constellation/docs/data-sources/attestation.md
@@ -25,8 +25,8 @@ provider "constellation" {
}
data "constellation_attestation" "test" {
- csp = "azure"
- attestation_variant = "azure-sev-snp"
+ csp = "aws"
+ attestation_variant = "aws-sev-snp"
image_version = "v2.13.0"
}
@@ -69,14 +69,14 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
Read-Only:
- `amd_root_key` (String)
+- `azure_firmware_signer_config` (Attributes) (see [below for nested schema](#nestedatt--attestation--azure_firmware_signer_config))
- `bootloader_version` (Number)
-- `firmware_signer_config` (Attributes) (see [below for nested schema](#nestedatt--attestation--firmware_signer_config))
- `microcode_version` (Number)
- `snp_version` (Number)
- `tee_version` (Number)
-
-### Nested Schema for `attestation.firmware_signer_config`
+
+### Nested Schema for `attestation.azure_firmware_signer_config`
Read-Only:
diff --git a/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf b/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf
index 8308418e65..46241d0ad9 100644
--- a/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf
+++ b/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf
@@ -10,8 +10,8 @@ provider "constellation" {
}
data "constellation_attestation" "test" {
- csp = "azure"
- attestation_variant = "azure-sev-snp"
+ csp = "aws"
+ attestation_variant = "aws-sev-snp"
image_version = "v2.13.0"
}
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go
index 55c1914490..de2e12995c 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source.go
@@ -134,7 +134,7 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
"microcode_version": schema.Int64Attribute{
Computed: true,
},
- "firmware_signer_config": schema.SingleNestedAttribute{
+ "azure_firmware_signer_config": schema.SingleNestedAttribute{
Computed: true,
Attributes: map[string]schema.Attribute{
"accepted_key_digests": schema.ListAttribute{
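Review bot: The renamed `azure_firmware_signer_config` attribute carries no description, so the generated docs list it as a bare `(Attributes)` entry and do not tell users it is Azure-specific. I would add `MarkdownDescription: "Firmware signer settings; only populated for the azure-sev-snp attestation variant.",` next to `Computed: true`. The rename also breaks configurations that still reference `attestation.firmware_signer_config`, which deserves a line in the upgrade notes. The Schema function starts and ends outside this hunk.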
@@ -186,7 +186,7 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
resp.Diagnostics.AddError("Fetching SNP Version numbers", err.Error())
return
}
- tfSnpVersions := convertSNPAttestationTfStateCompatible(resp, snpVersions)
+ tfSnpVersions := convertSNPAttestationTfStateCompatible(resp, attestationVariant, snpVersions)
diags := resp.State.SetAttribute(ctx, path.Root("attestation"), tfSnpVersions)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
@@ -220,30 +220,39 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
tflog.Trace(ctx, "read constellation attestation data source")
}
-func convertSNPAttestationTfStateCompatible(resp *datasource.ReadResponse,
+func convertSNPAttestationTfStateCompatible(resp *datasource.ReadResponse, attestationVariant variant.Variant,
snpVersions attestationconfigapi.SEVSNPVersionAPI,
) sevSnpAttestation {
- cert, err := config.DefaultForAzureSEVSNP().AMDRootKey.MarshalJSON()
- if err != nil {
- resp.Diagnostics.AddError("Marshalling AMD Root Key", err.Error())
+ var cert config.Certificate
+ switch attestationVariant.(type) {
+ case variant.AWSSEVSNP:
+ cert = config.DefaultForAWSSEVSNP().AMDRootKey
+ case variant.AzureSEVSNP:
+ cert = config.DefaultForAzureSEVSNP().AMDRootKey
}
- firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
- keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
+ certBytes, err := cert.MarshalJSON()
if err != nil {
- resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
+ resp.Diagnostics.AddError("Marshalling AMD Root Key", err.Error())
}
- keyDigest := keyDigestAny.([]string)
tfSnpVersions := sevSnpAttestation{
BootloaderVersion: snpVersions.Bootloader,
TEEVersion: snpVersions.TEE,
SNPVersion: snpVersions.SNP,
MicrocodeVersion: snpVersions.Microcode,
- AMDRootKey: string(cert),
- SNPFirmwareSignerConfig: snpFirmwareSignerConfig{
+ AMDRootKey: string(certBytes),
+ }
+ if attestationVariant.Equal(variant.AzureSEVSNP{}) {
+ firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
+ keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
+ keyDigest := keyDigestAny.([]string)
+ if err != nil {
+ resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
+ }
+ tfSnpVersions.AzureSNPFirmwareSignerConfig = azureSnpFirmwareSignerConfig{
AcceptedKeyDigests: keyDigest,
EnforcementPolicy: firmwareCfg.EnforcementPolicy.String(),
MAAURL: firmwareCfg.MAAURL,
- },
+ }
}
return tfSnpVersions
}
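Review bot: The type switch on `attestationVariant` has no `default` branch, so any variant other than AWS or Azure SEV-SNP leaves `cert` at its zero value and the function goes on to marshal it with no diagnostic naming the unsupported variant. Since `amd_root_key` is the trust anchor consumers pin, this path should fail closed with an explicit error. In the Azure branch, `keyDigestAny.([]string)` now runs before the `err` check and is an unchecked assertion. If `MarshalYAML` fails and returns a nil value (presumably the case), the provider panics instead of reporting the diagnostic. Both error paths should also return early rather than continue building state from a value that failed to marshal.

```go
	switch attestationVariant.(type) {
	// … unchanged: AWSSEVSNP and AzureSEVSNP cases …
	default:
		resp.Diagnostics.AddError("Unsupported attestation variant", "no default AMD root key is defined for this variant")
		return sevSnpAttestation{}
	}
	// … unchanged: cert.MarshalJSON and tfSnpVersions construction …
	if attestationVariant.Equal(variant.AzureSEVSNP{}) {
		firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
		keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
		if err != nil {
			resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
			return tfSnpVersions
		}
		keyDigest, ok := keyDigestAny.([]string)
		if !ok {
			resp.Diagnostics.AddError("Marshalling Accepted Key Digests", "accepted key digests did not marshal to a string list")
			return tfSnpVersions
		}
		// … unchanged: AzureSNPFirmwareSignerConfig assignment …
```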
@@ -266,15 +275,15 @@ type measurement struct {
}
type sevSnpAttestation struct {
- BootloaderVersion uint8 `tfsdk:"bootloader_version"`
- TEEVersion uint8 `tfsdk:"tee_version"`
- SNPVersion uint8 `tfsdk:"snp_version"`
- MicrocodeVersion uint8 `tfsdk:"microcode_version"`
- AMDRootKey string `tfsdk:"amd_root_key"`
- SNPFirmwareSignerConfig snpFirmwareSignerConfig `tfsdk:"firmware_signer_config"`
+ BootloaderVersion uint8 `tfsdk:"bootloader_version"`
+ TEEVersion uint8 `tfsdk:"tee_version"`
+ SNPVersion uint8 `tfsdk:"snp_version"`
+ MicrocodeVersion uint8 `tfsdk:"microcode_version"`
+ AMDRootKey string `tfsdk:"amd_root_key"`
+ AzureSNPFirmwareSignerConfig azureSnpFirmwareSignerConfig `tfsdk:"azure_firmware_signer_config"`
}
-type snpFirmwareSignerConfig struct {
+type azureSnpFirmwareSignerConfig struct {
AcceptedKeyDigests []string `tfsdk:"accepted_key_digests"`
EnforcementPolicy string `tfsdk:"enforcement_policy"`
MAAURL string `tfsdk:"maa_url"`
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
index 2a738d0f45..21341c0ed4 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
@@ -23,17 +23,21 @@ func TestAccAttestationSource(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testingConfig + `
- data "constellation_attestation" "aws_test" {
+ data "constellation_attestation" "test" {
csp = "aws"
attestation_variant = "aws-sev-snp"
image_version = "v2.13.0"
}
`,
Check: resource.ComposeAggregateTestCheckFunc(
- resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "measurements.0.expected", "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"),
- resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "measurements.0.warn_only", "true"),
- resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "attestation.bootloader", "true"),
- // TODO(elchead): waiting for attestation from PR.
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.bootloader_version", "3"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.microcode_version", "209"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.snp_version", "20"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.tee_version", "0"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.amd_root_key", "\"-----BEGIN CERTIFICATE-----\\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX
9/EUcp\\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\\nAFZEAwoKCQ==\\n-----END CERTIFICATE-----\\n\""),
+
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.0.expected", "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.0.warn_only", "true"),
),
},
},
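Review bot: The AWS step checks the version numbers and the root key but never asserts that the Azure-only block stays unpopulated for `aws-sev-snp`. Because `AzureSNPFirmwareSignerConfig` is a value field on `sevSnpAttestation`, the AWS state presumably still carries a zero-valued `azure_firmware_signer_config`. A negative check such as `resource.TestCheckNoResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.accepted_key_digests.0"),` would pin that no Azure key digests leak into an AWS attestation config. TestAccAttestationSource starts and ends outside this hunk.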
@@ -55,9 +59,12 @@ func TestAccAttestationSource(t *testing.T) {
resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.microcode_version", "115"),
resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.snp_version", "8"),
resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.tee_version", "0"),
- resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.firmware_signer_config.accepted_key_digests.0", "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3"),
- resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.firmware_signer_config.enforcement_policy", "MAAFallback"),
+
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.accepted_key_digests.0", "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.enforcement_policy", "MAAFallback"),
+
resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.amd_root_key", "\"-----BEGIN CERTIFICATE-----\\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/
EUcp\\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\\nAFZEAwoKCQ==\\n-----END CERTIFICATE-----\\n\""),
+
resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.1.expected", "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.1.warn_only", "true"),
),