edgelesssys · msanft · Dec 15, 2023 · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml
@@ -50,11 +50,10 @@ runs:
           }
         }" >> terraform.tfvars
         if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then
-          echo "iam_instance_profile_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
+          echo "iam_instance_profile_name_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars
+          echo "iam_instance_profile_name_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
           echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars
           echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "ami = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
           echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
         elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
           echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars
@@ -84,17 +83,17 @@ runs:
       working-directory: ${{ github.workspace }}/e2e-infra
       if: inputs.cloudProvider == 'azure'
       run: |
-        constellation maa-patch $(terraform output attestationURL | jq -r)
+        constellation maa-patch $(terraform output attestation_url | jq -r)
 
     - name: Write outputs to state file
       shell: bash
       working-directory: ${{ github.workspace }}/e2e-infra
       run: |
         yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
+        yq eval ".infrastructure.initSecret =\"$(terraform output init_secret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-        yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_nodes | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
+        yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_node | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         yq eval ".infrastructure.apiServerCertSANs =$(terraform output -json api_server_cert_sans)" --inplace ${{ github.workspace }}/constellation-state.yaml
@@ -104,8 +103,8 @@ runs:
           yq eval ".infrastructure.azure.networkSecurityGroupName =\"$(terraform output network_security_group_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
           yq eval ".infrastructure.azure.loadBalancerName =\"$(terraform output loadbalancer_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
           yq eval ".infrastructure.azure.userAssignedIdentity =\"$(terraform output user_assigned_identity_client_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestationURL | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
+          yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestation_url | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
           yq eval ".infrastructure.gcp.projectID =\"$(terraform output project | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
-          yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pods | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
+          yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pod | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
         fi
@@ -31,7 +31,7 @@ func NewIAMDestroyer() *IAMDestroyer {
 	return &IAMDestroyer{newTerraformClient: newTerraformIAMClient}
 }
 
-// GetTfStateServiceAccountKey returns the sa_key output from the terraform state.
+// GetTfStateServiceAccountKey returns the service_account_key output from the terraform state.
 func (d *IAMDestroyer) GetTfStateServiceAccountKey(ctx context.Context, tfWorkspace string) (gcpshared.ServiceAccountKey, error) {
 	client, err := d.newTerraformClient(ctx, tfWorkspace)
 	if err != nil {
@@ -95,7 +95,7 @@ type GCPIAMConfig struct {
 
 // AzureIAMConfig holds the necessary values for Azure IAM configuration.
 type AzureIAMConfig struct {
-	Region           string
+	Location         string
 	ServicePrincipal string
 	ResourceGroup    string
 }
@@ -167,7 +167,7 @@ func (c *IAMCreator) createAzure(ctx context.Context, cl tfIAMClient, opts *IAMC
 	defer rollbackOnError(c.out, &retErr, &rollbackerTerraform{client: cl}, opts.TFLogLevel)
 
 	vars := terraform.AzureIAMVariables{
-		Region:           opts.Azure.Region,
+		Location:         opts.Azure.Location,
 		ResourceGroup:    opts.Azure.ResourceGroup,
 		ServicePrincipal: opts.Azure.ServicePrincipal,
 	}

@@ -40,7 +40,7 @@ func TestIAMCreator(t *testing.T) {
 	}
 
 	validAzureIAMConfig := AzureIAMConfig{
-		Region:           "westus",
+		Location:         "westus",
 		ServicePrincipal: "constell-test",
 		ResourceGroup:    "constell-test",
 	}

@@ -64,6 +64,14 @@ func TerraformIAMUpgradeVars(conf *config.Config, fileHandler file.Handler) (ter
 		if err := terraform.VariablesFromBytes(oldVarBytes, &oldVars); err != nil {
 			return nil, fmt.Errorf("parsing existing IAM workspace: %w", err)
 		}
+
+		// Migration from the "region" to the "location" field na.
+		// TODO(msanft): Remove after v2.14.0 is released.
+		if oldVars.Region != nil && *oldVars.Region != "" && oldVars.Location == "" {
+			oldVars.Location = *oldVars.Region
+			oldVars.Region = nil
+		}
+
 		vars = azureTerraformIAMVars(conf, oldVars)
 	case cloudprovider.GCP:
 		var oldVars terraform.GCPIAMVariables
@@ -96,7 +104,7 @@ func awsTerraformVars(conf *config.Config, imageRef string) *terraform.AWSCluste
 		NodeGroups:             nodeGroups,
 		Region:                 conf.Provider.AWS.Region,
 		Zone:                   conf.Provider.AWS.Zone,
-		AMIImageID:             imageRef,
+		ImageID:                imageRef,
 		IAMProfileControlPlane: conf.Provider.AWS.IAMProfileControlPlane,
 		IAMProfileWorkerNodes:  conf.Provider.AWS.IAMProfileWorkerNodes,
 		Debug:                  conf.IsDebugCluster(),
@@ -188,7 +196,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 
 func azureTerraformIAMVars(conf *config.Config, oldVars terraform.AzureIAMVariables) *terraform.AzureIAMVariables {
 	return &terraform.AzureIAMVariables{
-		Region:           conf.Provider.Azure.Location,
+		Location:         conf.Provider.Azure.Location,
 		ServicePrincipal: oldVars.ServicePrincipal,
 		ResourceGroup:    conf.Provider.Azure.ResourceGroup,
 	}

diff --git a/cli/internal/cmd/iamcreate_test.go b/cli/internal/cmd/iamcreate_test.go
@@ -75,7 +75,7 @@ func TestIAMCreateAWS(t *testing.T) {
 		CloudProvider: cloudprovider.AWS,
 		AWSOutput: cloudcmd.AWSIAMOutput{
 			ControlPlaneInstanceProfile: "test_control_plane_instance_profile",
-			WorkerNodeInstanceProfile:   "test_worker_nodes_instance_profile",
+			WorkerNodeInstanceProfile:   "test_worker_nodes_instance_profile_name",
 		},
 	}
 

diff --git a/cli/internal/cmd/iamcreateazure.go b/cli/internal/cmd/iamcreateazure.go
@@ -75,7 +75,7 @@ type azureIAMCreator struct {
 func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 	return &cloudcmd.IAMConfigOptions{
 		Azure: cloudcmd.AzureIAMConfig{
-			Region:           c.flags.region,
+			Location:         c.flags.region,
 			ResourceGroup:    c.flags.resourceGroup,
 			ServicePrincipal: c.flags.servicePrincipal,
 		},

diff --git a/cli/internal/cmd/iamupgradeapply_test.go b/cli/internal/cmd/iamupgradeapply_test.go
@@ -37,7 +37,7 @@ func TestIamUpgradeApply(t *testing.T) {
 			require.NoError(t, fh.Write(
 				filepath.Join(constants.TerraformIAMWorkingDir, "terraform.tfvars"),
 				[]byte(
-					"region = \"foo\"\n"+
+					"location = \"foo\"\n"+
 						"resource_group_name = \"bar\"\n"+
 						"service_principal_name = \"baz\"\n",
 				),

@@ -95,13 +95,13 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) (
 
 	switch provider {
 	case cloudprovider.GCP:
-		saKeyOutputRaw, ok := tfState.Values.Outputs["sa_key"]
+		saKeyOutputRaw, ok := tfState.Values.Outputs["service_account_key"]
 		if !ok {
-			return IAMOutput{}, errors.New("no service account key output found")
+			return IAMOutput{}, errors.New("no service_account_key output found")
 		}
 		saKeyOutput, ok := saKeyOutputRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in service account key output: not a string")
+			return IAMOutput{}, errors.New("invalid type in service_account_key output: not a string")
 		}
 		return IAMOutput{
 			GCP: GCPIAMOutput{
@@ -111,27 +111,27 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) (
 	case cloudprovider.Azure:
 		subscriptionIDRaw, ok := tfState.Values.Outputs["subscription_id"]
 		if !ok {
-			return IAMOutput{}, errors.New("no subscription id output found")
+			return IAMOutput{}, errors.New("no subscription_id output found")
 		}
 		subscriptionIDOutput, ok := subscriptionIDRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in subscription id output: not a string")
+			return IAMOutput{}, errors.New("invalid type in subscription_id output: not a string")
 		}
 		tenantIDRaw, ok := tfState.Values.Outputs["tenant_id"]
 		if !ok {
-			return IAMOutput{}, errors.New("no tenant id output found")
+			return IAMOutput{}, errors.New("no tenant_id output found")
 		}
 		tenantIDOutput, ok := tenantIDRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in tenant id output: not a string")
+			return IAMOutput{}, errors.New("invalid type in tenant_id output: not a string")
 		}
 		uamiIDRaw, ok := tfState.Values.Outputs["uami_id"]
 		if !ok {
-			return IAMOutput{}, errors.New("no UAMI id output found")
+			return IAMOutput{}, errors.New("no uami_id output found")
 		}
 		uamiIDOutput, ok := uamiIDRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in UAMI id output: not a string")
+			return IAMOutput{}, errors.New("invalid type in uami_id output: not a string")
 		}
 		return IAMOutput{
 			Azure: AzureIAMOutput{
@@ -141,21 +141,21 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) (
 			},
 		}, nil
 	case cloudprovider.AWS:
-		controlPlaneProfileRaw, ok := tfState.Values.Outputs["control_plane_instance_profile"]
+		controlPlaneProfileRaw, ok := tfState.Values.Outputs["iam_instance_profile_name_control_plane"]
 		if !ok {
-			return IAMOutput{}, errors.New("no control plane instance profile output found")
+			return IAMOutput{}, errors.New("no iam_instance_profile_name_control_plane output found")
 		}
 		controlPlaneProfileOutput, ok := controlPlaneProfileRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in control plane instance profile output: not a string")
+			return IAMOutput{}, errors.New("invalid type in iam_instance_profile_name_control_plane output: not a string")
 		}
-		workerNodeProfileRaw, ok := tfState.Values.Outputs["worker_nodes_instance_profile"]
+		workerNodeProfileRaw, ok := tfState.Values.Outputs["iam_instance_profile_name_worker_nodes"]
 		if !ok {
-			return IAMOutput{}, errors.New("no worker node instance profile output found")
+			return IAMOutput{}, errors.New("no iam_instance_profile_name_worker_nodes output found")
 		}
 		workerNodeProfileOutput, ok := workerNodeProfileRaw.Value.(string)
 		if !ok {
-			return IAMOutput{}, errors.New("invalid type in worker node instance profile output: not a string")
+			return IAMOutput{}, errors.New("invalid type in iam_instance_profile_name_worker_nodes output: not a string")
 		}
 		return IAMOutput{
 			AWS: AWSIAMOutput{
@@ -209,13 +209,13 @@ func (c *Client) ShowInfrastructure(ctx context.Context, provider cloudprovider.
 		return state.Infrastructure{}, fmt.Errorf("convert api_server_cert_sans output: %w", err)
 	}
 
-	secretOutput, ok := tfState.Values.Outputs["initSecret"]
+	secretOutput, ok := tfState.Values.Outputs["init_secret"]
 	if !ok {
-		return state.Infrastructure{}, errors.New("no initSecret output found")
+		return state.Infrastructure{}, errors.New("no init_secret output found")
 	}
 	secret, ok := secretOutput.Value.(string)
 	if !ok {
-		return state.Infrastructure{}, errors.New("invalid type in initSecret output: not a string")
+		return state.Infrastructure{}, errors.New("invalid type in init_Secret output: not a string")
 	}
 
 	uidOutput, ok := tfState.Values.Outputs["uid"]
@@ -236,13 +236,13 @@ func (c *Client) ShowInfrastructure(ctx context.Context, provider cloudprovider.
 		return state.Infrastructure{}, errors.New("invalid type in name output: not a string")
 	}
 
-	cidrNodesOutput, ok := tfState.Values.Outputs["ip_cidr_nodes"]
+	cidrNodesOutput, ok := tfState.Values.Outputs["ip_cidr_node"]
 	if !ok {
-		return state.Infrastructure{}, errors.New("no ip_cidr_nodes output found")
+		return state.Infrastructure{}, errors.New("no ip_cidr_node output found")
 	}
 	cidrNodes, ok := cidrNodesOutput.Value.(string)
 	if !ok {
-		return state.Infrastructure{}, errors.New("invalid type in ip_cidr_nodes output: not a string")
+		return state.Infrastructure{}, errors.New("invalid type in ip_cidr_node output: not a string")
 	}
 
 	res := state.Infrastructure{
@@ -266,27 +266,27 @@ func (c *Client) ShowInfrastructure(ctx context.Context, provider cloudprovider.
 			return state.Infrastructure{}, errors.New("invalid type in project output: not a string")
 		}
 
-		cidrPodsOutput, ok := tfState.Values.Outputs["ip_cidr_pods"]
+		cidrPodsOutput, ok := tfState.Values.Outputs["ip_cidr_pod"]
 		if !ok {
-			return state.Infrastructure{}, errors.New("no ip_cidr_pods output found")
+			return state.Infrastructure{}, errors.New("no ip_cidr_pod output found")
 		}
 		cidrPods, ok := cidrPodsOutput.Value.(string)
 		if !ok {
-			return state.Infrastructure{}, errors.New("invalid type in ip_cidr_pods output: not a string")
+			return state.Infrastructure{}, errors.New("invalid type in ip_cidr_pod output: not a string")
 		}
 
 		res.GCP = &state.GCP{
 			ProjectID: gcpProject,
 			IPCidrPod: cidrPods,
 		}
 	case cloudprovider.Azure:
-		attestationURLOutput, ok := tfState.Values.Outputs["attestationURL"]
+		attestationURLOutput, ok := tfState.Values.Outputs["attestation_url"]
 		if !ok {
-			return state.Infrastructure{}, errors.New("no attestationURL output found")
+			return state.Infrastructure{}, errors.New("no attestation_url output found")
 		}
 		attestationURL, ok := attestationURLOutput.Value.(string)
 		if !ok {
-			return state.Infrastructure{}, errors.New("invalid type in attestationURL output: not a string")
+			return state.Infrastructure{}, errors.New("invalid type in attestation_url output: not a string")
 		}
 
 		azureUAMIOutput, ok := tfState.Values.Outputs["user_assigned_identity_client_id"]