From 97460497100b94339f2f661be3a9732899120929 Mon Sep 17 00:00:00 2001 From: Adrian Stobbe Date: Mon, 27 Nov 2023 13:01:15 +0100 Subject: [PATCH] integrate aws snp --- .../docs/data-sources/attestation.md | 10 ++-- .../constellation_attestation/data-source.tf | 4 +- .../provider/attestation_data_source.go | 49 +++++++++++-------- .../provider/attestation_data_source_test.go | 21 +++++--- 4 files changed, 50 insertions(+), 34 deletions(-) diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md index e5e8bc8f92..1887100471 100644 --- a/terraform-provider-constellation/docs/data-sources/attestation.md +++ b/terraform-provider-constellation/docs/data-sources/attestation.md @@ -25,8 +25,8 @@ provider "constellation" { } data "constellation_attestation" "test" { - csp = "azure" - attestation_variant = "azure-sev-snp" + csp = "aws" + attestation_variant = "aws-sev-snp" image_version = "v2.13.0" } @@ -69,14 +69,14 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview Read-Only: - `amd_root_key` (String) +- `azure_firmware_signer_config` (Attributes) (see [below for nested schema](#nestedatt--attestation--azure_firmware_signer_config)) - `bootloader_version` (Number) -- `firmware_signer_config` (Attributes) (see [below for nested schema](#nestedatt--attestation--firmware_signer_config)) - `microcode_version` (Number) - `snp_version` (Number) - `tee_version` (Number) - -### Nested Schema for `attestation.firmware_signer_config` + +### Nested Schema for `attestation.azure_firmware_signer_config` Read-Only: diff --git a/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf b/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf index 8308418e65..46241d0ad9 100644 --- a/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf 
+++ b/terraform-provider-constellation/examples/data-sources/constellation_attestation/data-source.tf
@@ -10,8 +10,8 @@ provider "constellation" {
 }
 data "constellation_attestation" "test" {
- csp = "azure"
- attestation_variant = "azure-sev-snp"
+ csp = "aws"
+ attestation_variant = "aws-sev-snp"
 image_version = "v2.13.0"
 }
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go
index 55c1914490..de2e12995c 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source.go
@@ -134,7 +134,7 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
 "microcode_version": schema.Int64Attribute{
 Computed: true,
 },
- "firmware_signer_config": schema.SingleNestedAttribute{
+ "azure_firmware_signer_config": schema.SingleNestedAttribute{
 Computed: true,
 Attributes: map[string]schema.Attribute{
 "accepted_key_digests": schema.ListAttribute{
@@ -186,7 +186,7 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
 resp.Diagnostics.AddError("Fetching SNP Version numbers", err.Error())
 return
 }
- tfSnpVersions := convertSNPAttestationTfStateCompatible(resp, snpVersions)
+ tfSnpVersions := convertSNPAttestationTfStateCompatible(resp, attestationVariant, snpVersions)
 diags := resp.State.SetAttribute(ctx, path.Root("attestation"), tfSnpVersions)
 resp.Diagnostics.Append(diags...)
 if resp.Diagnostics.HasError() {
@@ -220,30 +220,39 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
 tflog.Trace(ctx, "read constellation attestation data source")
 }
-func convertSNPAttestationTfStateCompatible(resp *datasource.ReadResponse,
+func convertSNPAttestationTfStateCompatible(resp *datasource.ReadResponse, attestationVariant variant.Variant,
 snpVersions attestationconfigapi.SEVSNPVersionAPI,
 ) sevSnpAttestation {
- cert, err := config.DefaultForAzureSEVSNP().AMDRootKey.MarshalJSON()
- if err != nil {
- resp.Diagnostics.AddError("Marshalling AMD Root Key", err.Error())
+ var cert config.Certificate
+ switch attestationVariant.(type) {
+ case variant.AWSSEVSNP:
+ cert = config.DefaultForAWSSEVSNP().AMDRootKey
+ case variant.AzureSEVSNP:
+ cert = config.DefaultForAzureSEVSNP().AMDRootKey
 }
- firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
- keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
+ certBytes, err := cert.MarshalJSON()
 if err != nil {
- resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
+ resp.Diagnostics.AddError("Marshalling AMD Root Key", err.Error())
 }
- keyDigest := keyDigestAny.([]string)
 tfSnpVersions := sevSnpAttestation{
 BootloaderVersion: snpVersions.Bootloader,
 TEEVersion: snpVersions.TEE,
 SNPVersion: snpVersions.SNP,
 MicrocodeVersion: snpVersions.Microcode,
- AMDRootKey: string(cert),
- SNPFirmwareSignerConfig: snpFirmwareSignerConfig{
+ AMDRootKey: string(certBytes),
+ }
+ if attestationVariant.Equal(variant.AzureSEVSNP{}) {
+ firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
+ keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
+ keyDigest := keyDigestAny.([]string)
+ if err != nil {
+ resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
+ }
+ tfSnpVersions.AzureSNPFirmwareSignerConfig = azureSnpFirmwareSignerConfig{
 AcceptedKeyDigests: keyDigest,
 EnforcementPolicy: firmwareCfg.EnforcementPolicy.String(),
 MAAURL: 
firmwareCfg.MAAURL,
- },
+ }
 }
 return tfSnpVersions
 }
@@ -266,15 +275,15 @@ type measurement struct {
 }
 type sevSnpAttestation struct {
- BootloaderVersion uint8 `tfsdk:"bootloader_version"`
- TEEVersion uint8 `tfsdk:"tee_version"`
- SNPVersion uint8 `tfsdk:"snp_version"`
- MicrocodeVersion uint8 `tfsdk:"microcode_version"`
- AMDRootKey string `tfsdk:"amd_root_key"`
- SNPFirmwareSignerConfig snpFirmwareSignerConfig `tfsdk:"firmware_signer_config"`
+ BootloaderVersion uint8 `tfsdk:"bootloader_version"`
+ TEEVersion uint8 `tfsdk:"tee_version"`
+ SNPVersion uint8 `tfsdk:"snp_version"`
+ MicrocodeVersion uint8 `tfsdk:"microcode_version"`
+ AMDRootKey string `tfsdk:"amd_root_key"`
+ AzureSNPFirmwareSignerConfig azureSnpFirmwareSignerConfig `tfsdk:"azure_firmware_signer_config"`
 }
-type snpFirmwareSignerConfig struct {
+type azureSnpFirmwareSignerConfig struct {
 AcceptedKeyDigests []string `tfsdk:"accepted_key_digests"`
 EnforcementPolicy string `tfsdk:"enforcement_policy"`
 MAAURL string `tfsdk:"maa_url"`
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
index 2a738d0f45..21341c0ed4 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
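Review bot: In the new Azure-only branch of convertSNPAttestationTfStateCompatible, `keyDigest := keyDigestAny.([]string)` now runs before the `if err != nil` check, so if MarshalYAML fails and hands back a nil interface the unchecked assertion panics inside the provider instead of surfacing the diagnostic; the original order (check, then assert) should be restored, preferably with the two-value form. The type switch above it has no `default`, so for any variant other than AWS or Azure SEV-SNP `cert` stays a zero-valued `config.Certificate` and whatever that marshals to is written to `amd_root_key` without any diagnostic — that attribute is the trust anchor users pin the SNP certificate chain to, so an unsupported variant should be reported rather than silently stored. None of the AddError calls return either, so later statements run on partially filled values; returning right after each AddError keeps the output honest, and the caller already checks Diagnostics after SetAttribute. The sketch below shows the two spots.
```go
	switch attestationVariant.(type) {
	// … unchanged: AWS and Azure cases …
	default:
		resp.Diagnostics.AddError("Unsupported attestation variant", "SEV-SNP attestation data is only available for AWS and Azure SEV-SNP")
		return sevSnpAttestation{}
	}
	// … unchanged: MarshalJSON of the root key and the sevSnpAttestation literal …
	if attestationVariant.Equal(variant.AzureSEVSNP{}) {
		firmwareCfg := config.DefaultForAzureSEVSNP().FirmwareSignerConfig
		keyDigestAny, err := firmwareCfg.AcceptedKeyDigests.MarshalYAML()
		if err != nil {
			resp.Diagnostics.AddError("Marshalling Accepted Key Digests", err.Error())
			return tfSnpVersions
		}
		keyDigest, ok := keyDigestAny.([]string)
		if !ok {
			resp.Diagnostics.AddError("Marshalling Accepted Key Digests", "accepted key digests did not marshal to a list of strings")
			return tfSnpVersions
		}
		// … unchanged: populate AzureSNPFirmwareSignerConfig …
```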
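Review bot: `AzureSNPFirmwareSignerConfig` is a value field, so for the AWS variant `azure_firmware_signer_config` lands in state as a zero-valued object (empty strings, empty digest list) rather than being absent, which a consumer cannot tell apart from a misconfigured Azure firmware policy. Declaring it as a pointer, `AzureSNPFirmwareSignerConfig *azureSnpFirmwareSignerConfig `tfsdk:"azure_firmware_signer_config"``, should let the framework emit a null object for non-Azure reads — I believe the plugin framework maps a nil pointer to null, worth confirming — with the assignment in convertSNPAttestationTfStateCompatible becoming `&azureSnpFirmwareSignerConfig{...}`. A doc comment on `sevSnpAttestation` stating that the Azure block is only populated for the azure-sev-snp variant would also spare the next reader a trip into the converter.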
@@ -23,17 +23,21 @@ func TestAccAttestationSource(t *testing.T) { Steps: []resource.TestStep{ { Config: testingConfig + ` - data "constellation_attestation" "aws_test" { + data "constellation_attestation" "test" { csp = "aws" attestation_variant = "aws-sev-snp" image_version = "v2.13.0" } `, Check: resource.ComposeAggregateTestCheckFunc( - resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "measurements.0.expected", "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"), - resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "measurements.0.warn_only", "true"), - resource.TestCheckResourceAttr("data.constellation_attestation.aws_test", "attestation.bootloader", "true"), - // TODO(elchead): waiting for attestation from PR. + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.bootloader_version", "3"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.microcode_version", "209"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.snp_version", "20"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.tee_version", "0"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.amd_root_key", "\"-----BEGIN 
CERTIFICATE-----\\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2t
KBF2h8THb94OvvHHoFDpbCELlq\\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\\nAFZEAwoKCQ==\\n-----END CERTIFICATE-----\\n\""), + + resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.0.expected", "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.0.warn_only", "true"), ), }, }, 
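Review bot: The AWS step asserts the version numbers and the root key but nothing about `attestation.azure_firmware_signer_config`, so the test would not notice Azure-only firmware policy leaking into AWS state; a check such as `resource.TestCheckNoResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.maa_url")`, adjusted to however a null nested object is represented, would pin that. The multi-kilobyte JSON-quoted PEM is also repeated verbatim in the Azure step of the -55,9 hunk; hoisting it into one package-level constant, or deriving the expectation from `config.DefaultForAWSSEVSNP().AMDRootKey` via MarshalJSON, keeps the two steps from drifting when the ARK literal is updated. TestAccAttestationSource begins outside this hunk.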
@@ -55,9 +59,12 @@ func TestAccAttestationSource(t *testing.T) { resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.microcode_version", "115"), resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.snp_version", "8"), resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.tee_version", "0"), - resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.firmware_signer_config.accepted_key_digests.0", "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3"), - resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.firmware_signer_config.enforcement_policy", "MAAFallback"), + + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.accepted_key_digests.0", "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.azure_firmware_signer_config.enforcement_policy", "MAAFallback"), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.amd_root_key", "\"-----BEGIN 
CERTIFICATE-----\\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2t
KBF2h8THb94OvvHHoFDpbCELlq\\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\\nAFZEAwoKCQ==\\n-----END CERTIFICATE-----\\n\""), + resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.1.expected", "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"), resource.TestCheckResourceAttr("data.constellation_attestation.test", "measurements.1.warn_only", "true"), ),