aws: reintroduce SNP-based attestation

.github/actions/constellation_destroy/action.yml

@@ -8,6 +8,15 @@ inputs:
   selfManagedInfra:
     description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
     required: true
+  gcpClusterDeleteServiceAccount:
+    description: "Service account with permissions to delete a Constellation cluster on GCP."
+    required: true
+  azureClusterDeleteCredentials:
+    description: "Azure credentials authorized to delete a Constellation cluster."
+    required: true
+  cloudProvider:
+    description: "Either 'aws', 'azure' or 'gcp'."
+    required: true
 
 runs:
   using: "composite"
@@ -41,6 +50,27 @@ runs:
         fi
         echo "::endgroup::"
 
+    - name: Login to GCP (Cluster service account)
+      if: inputs.cloudProvider == 'gcp'
+      uses: ./.github/actions/login_gcp
+      with:
+        service_account: ${{ inputs.gcpClusterDeleteServiceAccount }}
+
+    - name: Login to AWS (Cluster role)
+      if: inputs.cloudProvider == 'aws'
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
+        aws-region: eu-central-1
+        # extend token expiry to 6 hours to ensure constellation can terminate
+        role-duration-seconds: 21600
+
+    - name: Login to Azure (Cluster service principal)
+      if: inputs.cloudProvider == 'azure'
+      uses: ./.github/actions/login_azure
+      with:
+        azure_credentials: ${{ inputs.azureClusterDeleteCredentials }}
+
     - name: Constellation terminate
       if: inputs.selfManagedInfra != 'true'
       shell: bash

.github/actions/e2e_attestationconfigapi/action.yml

@@ -2,6 +2,9 @@ name: E2E Attestationconfig API Test
 description: "Test the attestationconfig CLI is functional."
 
 inputs:
+  csp:
+    description: "Cloud provider to run tests against"
+    default: "azure"
   buildBuddyApiKey:
     description: "BuildBuddy API key for caching Bazel artifacts"
     required: true
@@ -33,4 +36,4 @@ runs:
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
       run: |
-        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test
+        bazel run //internal/api/attestationconfigapi/cli:cli_e2e_test -- ${{ inputs.csp }}

.github/actions/e2e_verify/action.yml

@@ -66,8 +66,8 @@ runs:
           forwarderPID=$!
           sleep 5
 
-          if [[ ${{ inputs.cloudProvider }} == "azure" ]]; then
-            echo "Extracting Azure TCB versions for API update"
+          if [[ ${{ inputs.cloudProvider }} == "azure" || ${{ inputs.cloudProvider }} == "aws" ]]; then
+            echo "Extracting TCB versions for API update"
             constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
           else
             constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
@@ -84,14 +84,19 @@ runs:
         aws-region: eu-central-1
 
     - name: Upload extracted TCBs
-      if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'
+      if: github.ref_name == 'main' && (inputs.cloudProvider == 'azure' || inputs.cloudProvider == 'aws')
       shell: bash
       env:
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
       run: |
-        for file in $(ls snp-report-*.json); do
+        reports=(snp-report-*.json)
+        if [ -z ${#reports[@]} ]; then
+            exit 1
+        fi
+
+        for file in "${reports[@]}"; do
           path=$(realpath "${file}")
           cat "${path}"
-          bazel run //internal/api/attestationconfigapi/cli -- --snp-report-path "${path}"
+          bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.cloudProvider }} snp-report "${path}"
         done

.github/workflows/e2e-attestationconfigapi.yml

@@ -16,6 +16,11 @@ on:
 
 jobs:
   e2e-api:
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        csp: ["azure", "aws"]
     runs-on: ubuntu-22.04
     permissions:
       id-token: write
@@ -35,3 +40,4 @@ jobs:
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           cosignPrivateKey: ${{ secrets.COSIGN_DEV_PRIVATE_KEY }}
           cosignPassword: ${{ secrets.COSIGN_DEV_PASSWORD }}
+          csp: ${{ matrix.csp }}

.github/workflows/e2e-test-daily.yml

@@ -99,6 +99,9 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           selfManagedInfra: "false"
+          cloudProvider: ${{ matrix.provider }}
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
 
       - name: Always delete IAM configuration
         if: always()

.github/workflows/e2e-test-release.yml

@@ -248,6 +248,9 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
+          cloudProvider: ${{ matrix.provider }}
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
 
       - name: Always delete IAM configuration
         if: always()

.github/workflows/e2e-test-weekly.yml

@@ -267,6 +267,9 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
+          cloudProvider: ${{ matrix.provider }}
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
 
       - name: Always delete IAM configuration
         if: always()

.github/workflows/e2e-test.yml

@@ -165,7 +165,7 @@ jobs:
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           ref: ${{ inputs.git-ref }}
-          
+
       - name: Get Latest Image
         id: find-latest-image
         uses: ./.github/actions/find_latest_image
@@ -246,6 +246,9 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           selfManagedInfra: ${{ inputs.selfManagedInfra }}
+          cloudProvider: ${{ inputs.cloudProvider }}
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
 
       - name: Always delete IAM configuration
         if: always()

.github/workflows/e2e-upgrade.yml

@@ -290,6 +290,9 @@ jobs:
         with:
           kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
           selfManagedInfra: "false"
+          cloudProvider: ${{ inputs.cloudProvider }}
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
 
       - name: Always delete IAM configuration
         if: always()

cli/internal/cmd/BUILD.bazel

@@ -58,6 +58,7 @@ go_library(
         "//internal/api/versionsapi",
         "//internal/atls",
         "//internal/attestation/measurements",
+        "//internal/attestation/snp",
         "//internal/attestation/variant",
         "//internal/attestation/vtpm",
         "//internal/cloud/cloudprovider",
@@ -87,9 +88,6 @@ go_library(
         "//internal/verify",
         "//internal/versions",
         "//verify/verifyproto",
-        "@com_github_golang_jwt_jwt_v5//:jwt",
-        "@com_github_google_go_sev_guest//abi",
-        "@com_github_google_go_sev_guest//kds",
         "@com_github_google_go_tpm_tools//proto/tpm",
         "@com_github_google_uuid//:uuid",
         "@com_github_mattn_go_isatty//:go-isatty",

cli/internal/cmd/configfetchmeasurements_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -294,25 +295,23 @@ func TestConfigFetchMeasurements(t *testing.T) {
 
 type stubAttestationFetcher struct{}
 
-func (f stubAttestationFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ attestationconfigapi.AzureSEVSNPVersionList) (attestationconfigapi.AzureSEVSNPVersionList, error) {
-	return attestationconfigapi.AzureSEVSNPVersionList(
-		[]string{},
-	), nil
+func (f stubAttestationFetcher) FetchSEVSNPVersionList(_ context.Context, _ attestationconfigapi.SEVSNPVersionList) (attestationconfigapi.SEVSNPVersionList, error) {
+	return attestationconfigapi.SEVSNPVersionList{}, nil
 }
 
-func (f stubAttestationFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ attestationconfigapi.AzureSEVSNPVersionAPI) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
-	return attestationconfigapi.AzureSEVSNPVersionAPI{
-		AzureSEVSNPVersion: testCfg,
+func (f stubAttestationFetcher) FetchSEVSNPVersion(_ context.Context, _ attestationconfigapi.SEVSNPVersionAPI) (attestationconfigapi.SEVSNPVersionAPI, error) {
+	return attestationconfigapi.SEVSNPVersionAPI{
+		SEVSNPVersion: testCfg,
 	}, nil
 }
 
-func (f stubAttestationFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
-	return attestationconfigapi.AzureSEVSNPVersionAPI{
-		AzureSEVSNPVersion: testCfg,
+func (f stubAttestationFetcher) FetchSEVSNPVersionLatest(_ context.Context, _ variant.Variant) (attestationconfigapi.SEVSNPVersionAPI, error) {
+	return attestationconfigapi.SEVSNPVersionAPI{
+		SEVSNPVersion: testCfg,
 	}, nil
 }
 
-var testCfg = attestationconfigapi.AzureSEVSNPVersion{
+var testCfg = attestationconfigapi.SEVSNPVersion{
 	Microcode:  93,
 	TEE:        0,
 	SNP:        6,

cli/internal/cmd/iamupgradeapply_test.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -170,14 +171,14 @@ type stubConfigFetcher struct {
 	fetchLatestErr error
 }
 
-func (s *stubConfigFetcher) FetchAzureSEVSNPVersion(context.Context, attestationconfigapi.AzureSEVSNPVersionAPI) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
+func (s *stubConfigFetcher) FetchSEVSNPVersion(context.Context, attestationconfigapi.SEVSNPVersionAPI) (attestationconfigapi.SEVSNPVersionAPI, error) {
 	panic("not implemented")
 }
 
-func (s *stubConfigFetcher) FetchAzureSEVSNPVersionList(context.Context, attestationconfigapi.AzureSEVSNPVersionList) (attestationconfigapi.AzureSEVSNPVersionList, error) {
+func (s *stubConfigFetcher) FetchSEVSNPVersionList(context.Context, attestationconfigapi.SEVSNPVersionList) (attestationconfigapi.SEVSNPVersionList, error) {
 	panic("not implemented")
 }
 
-func (s *stubConfigFetcher) FetchAzureSEVSNPVersionLatest(context.Context) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
-	return attestationconfigapi.AzureSEVSNPVersionAPI{}, s.fetchLatestErr
+func (s *stubConfigFetcher) FetchSEVSNPVersionLatest(context.Context, variant.Variant) (attestationconfigapi.SEVSNPVersionAPI, error) {
+	return attestationconfigapi.SEVSNPVersionAPI{}, s.fetchLatestErr
 }