diff --git a/.github/actions/constellation_iam_create/action.yml b/.github/actions/constellation_iam_create/action.yml index eac3d0d76f2..3bb062dc130 100644 --- a/.github/actions/constellation_iam_create/action.yml +++ b/.github/actions/constellation_iam_create/action.yml @@ -27,6 +27,9 @@ inputs: # # Azure specific inputs # + azureSubscriptionID: + description: "Azure subscription ID to deploy Constellation in." + required: true azureRegion: description: "Azure region to deploy Constellation in." required: false @@ -77,6 +80,7 @@ runs: if: inputs.cloudProvider == 'azure' run: | constellation iam create azure \ + --subscriptionID="${{ inputs.azureSubscriptionID }}" \ --region="${{ inputs.azureRegion }}" \ --resourceGroup="${{ inputs.namePrefix }}-rg" \ --servicePrincipal="${{ inputs.namePrefix }}-sp" \ diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index bcd315cbd68..c2cca982d9d 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -46,6 +46,9 @@ inputs: description: "AWS OpenSearch User to upload the benchmark results." awsOpenSearchPwd: description: "AWS OpenSearch Password to upload the benchmark results." + azureSubscriptionID: + description: "Azure subscription ID to deploy Constellation in." + required: true azureClusterCreateCredentials: description: "Azure credentials authorized to create a Constellation cluster." required: true @@ -249,6 +252,7 @@ runs: attestationVariant: ${{ inputs.attestationVariant }} namePrefix: ${{ steps.create-prefix.outputs.prefix }} awsZone: ${{ inputs.regionZone || 'us-east-2c' }} + azureSubscriptionID: ${{ inputs.azureSubscriptionID }} azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }} gcpProjectID: ${{ inputs.gcpProject }} gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }} diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 55e9ccb1f90..ccac30e5c16 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -90,6 +90,7 @@ jobs: gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" kubernetesVersion: ${{ matrix.kubernetesVersion }} test: ${{ matrix.test }} + azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} registry: ghcr.io diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml index 592492f8477..e46c4a4467e 100644 --- a/.github/workflows/e2e-test-provider-example.yml +++ b/.github/workflows/e2e-test-provider-example.yml @@ -307,6 +307,22 @@ jobs: locals { instance_type = "Standard_DC4es_v5" } + + provider "azurerm" { + subscription_id = "$(az account show --query id --output tsv)" + } + EOF + cat _override.tf + + - name: Create Azure SEV-SNP Terraform overrides + if: inputs.attestationVariant == 'azure-sev-snp' + working-directory: ${{ github.workspace }}/cluster + shell: bash + run: | + cat >> _override.tf < ```bash - constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config + constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config ``` This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in. diff --git a/docs/docs/reference/cli.md b/docs/docs/reference/cli.md index 6a911034eba..fa26803b3e1 100644 --- a/docs/docs/reference/cli.md +++ b/docs/docs/reference/cli.md @@ -655,6 +655,7 @@ constellation iam create azure [flags] --region string region the resources will be created in, e.g., westus (required) --resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required) --servicePrincipal string name of the service principal that will be created (required) + --subscriptionID string subscription ID of the Azure account (required) ``` ### Options inherited from parent commands diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index 120bf8ed726..95f791acd77 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md @@ -184,7 +184,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash -constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest +constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest ``` This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. diff --git a/e2e/miniconstellation/main.tf b/e2e/miniconstellation/main.tf index 41d7baa549b..f389fa3f831 100644 --- a/e2e/miniconstellation/main.tf +++ b/e2e/miniconstellation/main.tf @@ -22,6 +22,9 @@ terraform { provider "azurerm" { use_oidc = true features {} + # This enables all resource providers. + # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need. + resource_provider_registrations = "all" } provider "tls" {} diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf index 91a3f8dd798..bb83ba82c6c 100644 --- a/terraform/infrastructure/azure/main.tf +++ b/terraform/infrastructure/azure/main.tf @@ -17,6 +17,10 @@ provider "azurerm" { prevent_deletion_if_contains_resources = false } } + subscription_id = var.subscription_id + # This enables all resource providers. + # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need. + resource_provider_registrations = "all" } locals { @@ -266,8 +270,8 @@ module "scale_set_group" { marketplace_image = var.marketplace_image # We still depend on the backends, since we are not sure if the VMs inside the VMSS have been - # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not - # our Constellation update). + # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not + # our Constellation update). # TODO(@3u13r): Remove this dependency after v2.18.0 has been released. depends_on = [module.loadbalancer_backend_worker, azurerm_lb_backend_address_pool.all] } diff --git a/terraform/infrastructure/azure/modules/scale_set/main.tf b/terraform/infrastructure/azure/modules/scale_set/main.tf index 5482b10a2e7..058cdee88b2 100644 --- a/terraform/infrastructure/azure/modules/scale_set/main.tf +++ b/terraform/infrastructure/azure/modules/scale_set/main.tf @@ -45,6 +45,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" { provision_vm_agent = false vtpm_enabled = true disable_password_authentication = false + extension_operations_enabled = false upgrade_mode = "Manual" secure_boot_enabled = var.secure_boot # specify the image id only if a non-marketplace image is used diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf index 577cdd4f0be..a3ab1fd0b52 100644 --- a/terraform/infrastructure/azure/variables.tf +++ b/terraform/infrastructure/azure/variables.tf @@ -46,6 +46,12 @@ variable "internal_load_balancer" { # Azure-specific variables +variable "subscription_id" { + type = string + description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id" + default = "" +} + variable "location" { type = string description = "Azure location to deploy the cluster in." diff --git a/terraform/infrastructure/iam/azure/main.tf b/terraform/infrastructure/iam/azure/main.tf index 59201297551..0518e795e26 100644 --- a/terraform/infrastructure/iam/azure/main.tf +++ b/terraform/infrastructure/iam/azure/main.tf @@ -18,6 +18,10 @@ provider "azurerm" { prevent_deletion_if_contains_resources = false } } + subscription_id = var.subscription_id + # This enables all resource providers. + # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need. + resource_provider_registrations = "all" } # Configure Azure active directory provider diff --git a/terraform/infrastructure/iam/azure/variables.tf b/terraform/infrastructure/iam/azure/variables.tf index 4a63ba60964..28c75e84066 100644 --- a/terraform/infrastructure/iam/azure/variables.tf +++ b/terraform/infrastructure/iam/azure/variables.tf @@ -1,3 +1,9 @@ +variable "subscription_id" { + type = string + description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id" + default = "" +} + variable "resource_group_name" { type = string description = "Name for the resource group the cluster should reside in."