terraform: add Terraform module for Azure (#2566)

* add Azure Terraform module * add maa-patching command to cli * refactor release process * factor out image fetching to own action * add CI * generate * fix some unnecessary changes Signed-off-by: Moritz Sanft <[email protected]> * use `constellation maa-patch` in ci * insecure flag when using debug image Signed-off-by: Moritz Sanft <[email protected]> * only update maa url if existing Signed-off-by: Moritz Sanft <[email protected]> * make node group zone optional on aws and gcp Signed-off-by: Moritz Sanft <[email protected]> * [remove] register updated workflow Signed-off-by: Moritz Sanft <[email protected]> * Revert "[remove] register updated workflow" This reverts commit e70b951. * create MAA Signed-off-by: Moritz Sanft <[email protected]> * make maa-patching only run on azure Signed-off-by: Moritz Sanft <[email protected]> * add comment Signed-off-by: Moritz Sanft <[email protected]> * require node group zone for GCP and AWS * remove unnecessary bazel action * stamp version to correct file * refer to `maa-patch` command in docs * run Azure test in weekly e2e * comment / naming improvements * remove sa_account resource * disable spellcheck ot use "URL" * `create_maa` variable * don't write maa url to config Signed-off-by: Moritz Sanft <[email protected]> * default to nightly image * use input ref and stream * fix command check * don't set region in weekly e2e call * patch maa if url is not empty Signed-off-by: Moritz Sanft <[email protected]> * remove `create_maa` variable * remove binaries Signed-off-by: Moritz Sanft <[email protected]> * remove undefined input * replace invalid attestation URL error message Co-authored-by: Thomas Tendyck <[email protected]> * fix punctuation Co-authored-by: Thomas Tendyck <[email protected]> * skip hidden commands in clidocgen Signed-off-by: Moritz Sanft <[email protected]> * enable spellcheck before code block * move spellcheck trigger out of info block Signed-off-by: Moritz Sanft <[email protected]> * fix workflow dependencies * let image default to CLI version --------- Signed-off-by: Moritz Sanft <[email protected]> Co-authored-by: Thomas Tendyck <[email protected]>
edgelesssys · Nov 13, 2023 · 8e4feb7 · 8e4feb7
1 parent e8f0c58
commit 8e4feb7
Show file tree

Hide file tree

Showing 34 changed files with 778 additions and 248 deletions.
diff --git a/.github/actions/find_latest_image/action.yml b/.github/actions/find_latest_image/action.yml
@@ -0,0 +1,69 @@
+name: Find latest image
+description: 'Find the latest image reference for a given ref/stream.'
+
+inputs:
+  git-ref:
+    description: 'Git ref to checkout.'
+  imageVersion:
+    description: 'Image version to use. If set, no image will be searched for and the specified image will be returned.'
+  ref:
+    description: 'The ref the image was built on. (e.g. "main")'
+    default: 'main'
+  stream:
+    description: 'The publication stream of the image. (e.g. "debug")'
+    default: 'debug'
+
+outputs:
+  image:
+    description: "Image reference to be used in the cluster."
+    value: ${{ steps.find-latest-image.outputs.output }}${{ steps.check-input.outputs.image }}
+  isDebugImage:
+    description: "Whether the image is a debug image."
+    value: ${{ steps.isDebugImage.outputs.isDebugImage }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout head
+      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      with:
+        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+    - name: Checkout ref
+      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      with:
+        ref: ${{ inputs.git-ref }}
+
+    - name: Login to AWS
+      if: inputs.imageVersion == ''
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      with:
+        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
+        aws-region: eu-central-1
+
+    - name: Find latest image
+      id: find-latest-image
+      if: inputs.imageVersion == ''
+      uses: ./.github/actions/versionsapi
+      with:
+        command: latest
+        ref: ${{ inputs.ref }}
+        stream: ${{ inputs.stream }}
+
+    - name: Is debug image?
+      id: isDebugImage
+      shell: bash
+      run: |
+        case "${{ inputs.imageVersion }}" in
+          "")
+            echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+            ;;
+          *"/stream/debug/"*)
+            echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+            ;;
+          *)
+            echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT"
+            ;;
+        esac
diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml
@@ -84,7 +84,7 @@ runs:
       working-directory: ${{ github.workspace }}/e2e-infra
       if: inputs.cloudProvider == 'azure'
       run: |
-        bazel run //hack/maa-patch:maa-patch $(terraform output attestationURL | jq -r)
+        ./constellation maa-patch $(terraform output attestationURL | jq -r)
 
     - name: Write outputs to state file
       shell: bash

diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
@@ -1,5 +1,10 @@
 name: Upload Terraform module
 description: "Upload the Terraform module as an artifact."
+
+inputs:
+  version:
+    description: "The Constellation CLI version to use in the Terraform Module. Leave empty when a built CLI is already present when applying the module."
+
 runs:
   using: "composite"
   steps:
@@ -9,15 +14,23 @@ runs:
         cp -r terraform terraform-module
         find terraform-module -name "*.go" -type f -delete
         find terraform-module -name "*.bazel" -type f -delete
+
+    - name: Stamp version
+      shell: bash
+      run: |
+        sed -i "s/@@CONSTELLATION_VERSION@@/${{ inputs.version }}/g" terraform-module/constellation-cluster/variables.tf
+
     - name: Zip terraform dir
       shell: bash
       run: |
         zip -r terraform-module.zip terraform-module
+
     - name: Upload artifact
       uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
       with:
         name: terraform-module
         path: terraform-module.zip
+
     - name: Cleanup Terraform module dir
       shell: bash
       run: |

diff --git a/.github/workflows/e2e-test-tf-module.yml b/.github/workflows/e2e-test-tf-module.yml
@@ -6,32 +6,28 @@ on:
       ref:
         type: string
         description: "Git ref to checkout"
-        required: false
       cloudProvider:
         description: "Which cloud provider to use."
         type: choice
         options:
           - "aws"
+          - "azure"
           - "gcp"
         required: true
       regionZone:
         description: "Region or zone to create the cluster in. Leave empty for default region/zone."
         type: string
       image:
-        description: "Node image version of the cluster."
+        description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used."
         type: string
-        required: true
       cliVersion:
         description: "Constellation CLI version to use. Empty value means build from source."
         type: string
-        default: ""
-        required: false
   workflow_call:
     inputs:
       ref:
         type: string
         description: "Git ref to checkout"
-        required: false
       cloudProvider:
         description: "Which cloud provider to use."
         type: string
@@ -40,16 +36,14 @@ on:
         description: "Which zone to use."
         type: string
       image:
-        description: "Node image reference which is compatible with the current dev release version."
+        description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used."
         type: string
-        required: true
       cliVersion:
         description: "Constellation CLI version to use. Empty value means build from source."
         type: string
-        default: ""
-        required: false
+
 jobs:
-  build:
+  tf-module-test:
     runs-on: ubuntu-22.04
     permissions:
       id-token: write
@@ -62,16 +56,30 @@ jobs:
         with:
           ref: ${{ inputs.ref || github.head_ref }}
 
-      - name: Upload module
+      - name: Get Latest Image
+        id: find-latest-image
+        uses: ./.github/actions/find_latest_image
+        with:
+          git-ref: ${{ inputs.ref }}
+          imageVersion: ${{ inputs.image }}
+          ref: main
+          stream: nightly
+
+      - name: Upload Terraform module
         uses: ./.github/actions/upload_terraform_module
+        with:
+          version: ${{ inputs.cliVersion }}
 
       - name: Download Terraform module
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: terraform-module
 
       - name: Unzip Terraform module
-        run: unzip terraform-module.zip
+        shell: bash
+        run: |
+          unzip terraform-module.zip -d ${{ github.workspace }}
+          rm terraform-module.zip
 
       - name: Create resource prefix
         id: create-prefix
@@ -83,66 +91,102 @@ jobs:
 
       - name: Create AWS Terraform variable input file
         if: inputs.cloudProvider == 'aws'
-        working-directory: ./terraform-module/aws-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/aws-constellation
+        shell: bash
         run: |
           cat > terraform.tfvars <<EOF
           name = "${{ steps.create-prefix.outputs.prefix }}"
-          image = "${{ inputs.image }}"
+          image = "${{ steps.find-latest-image.outputs.image  }}"
           zone = "${{ inputs.regionZone || 'us-east-2c' }}"
           name_prefix = "${{ steps.create-prefix.outputs.prefix }}"
+          debug = ${{ steps.find-latest-image.outputs.isDebugImage }}
           node_groups = {
             control_plane_default = {
               role          = "control-plane"
-              zone          = "${{ inputs.regionZone || 'us-east-2c' }}"
               instance_type = "m6a.xlarge"
               disk_size     = 30
               disk_type     = "gp3"
               initial_count = 2
+              zone = "${{ inputs.regionZone || 'us-east-2c' }}"
             },
             worker_default = {
               role          = "worker"
-              zone          = "${{ inputs.regionZone || 'us-east-2c' }}"
               instance_type = "m6a.xlarge"
               disk_size     = 30
               disk_type     = "gp3"
               initial_count = 2
+              zone = "${{ inputs.regionZone || 'us-east-2c' }}"
+            }
+          }
+          EOF
+          cat terraform.tfvars
+
+      - name: Create Azure Terraform variable input file
+        if: inputs.cloudProvider == 'azure'
+        working-directory: ${{ github.workspace }}/terraform-module/azure-constellation
+        shell: bash
+        run: |
+          cat > terraform.tfvars <<EOF
+          name = "${{ steps.create-prefix.outputs.prefix }}"
+          image = "${{ steps.find-latest-image.outputs.image }}"
+          location = "${{ inputs.regionZone || 'northeurope' }}"
+          service_principal_name = "${{ steps.create-prefix.outputs.prefix }}-sp"
+          resource_group_name = "${{ steps.create-prefix.outputs.prefix }}-rg"
+          debug = ${{ steps.find-latest-image.outputs.isDebugImage }}
+          node_groups = {
+            control_plane_default = {
+              role          = "control-plane"
+              instance_type = "Standard_DC4as_v5"
+              disk_size     = 30
+              disk_type     = "Premium_LRS"
+              initial_count = 2
+            },
+            worker_default = {
+              role          = "worker"
+              instance_type = "Standard_DC4as_v5"
+              disk_size     = 30
+              disk_type     = "Premium_LRS"
+              initial_count = 2
             }
           }
           EOF
           cat terraform.tfvars
 
       - name: Create GCP Terraform variable input file
         if: inputs.cloudProvider == 'gcp'
-        working-directory: ./terraform-module/gcp-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/gcp-constellation
+        shell: bash
         run: |
           cat > terraform.tfvars <<EOF
           name = "${{ steps.create-prefix.outputs.prefix }}"
           project = "${{ secrets.GCP_E2E_PROJECT }}"
           service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
-          image = "${{ inputs.image }}"
+          image = "${{ steps.find-latest-image.outputs.image }}"
           zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
+          debug = ${{ steps.find-latest-image.outputs.isDebugImage }}
           node_groups = {
             control_plane_default = {
               role          = "control-plane"
-              zone          = "${{ inputs.regionZone || 'europe-west3-b' }}"
               instance_type = "n2d-standard-4"
               disk_size     = 30
               disk_type     = "pd-ssd"
               initial_count = 2
+              zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
             },
             worker_default = {
               role          = "worker"
-              zone          = "${{ inputs.regionZone || 'europe-west3-b' }}"
               instance_type = "n2d-standard-4"
               disk_size     = 30
               disk_type     = "pd-ssd"
               initial_count = 2
+              zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
             }
           }
           EOF
           cat terraform.tfvars
 
       - name: Install dependencies (Terraform)
+        shell: bash
         run: |
           sudo apt update && sudo apt install gpg
           wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
@@ -178,7 +222,7 @@ jobs:
         shell: bash
         run: |
           curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.cliVersion }}/constellation-linux-amd64
-          chmod u+x ./constellation
+          chmod u+x constellation
           ./constellation version
           sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
 
@@ -191,6 +235,12 @@ jobs:
           # extend token expiry to 6 hours to ensure constellation can terminate
           role-duration-seconds: 21600
 
+      - name: Login to Azure (IAM + Cluster service principal)
+        if: inputs.cloudProvider == 'azure'
+        uses: ./.github/actions/login_azure
+        with:
+          azure_credentials: ${{ secrets.AZURE_E2E_TF_CREDENTIALS }}
+
       - name: Login to GCP (IAM + Cluster service account)
         if: inputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
@@ -199,22 +249,25 @@ jobs:
 
       - name: Apply Terraform Cluster
         id: apply_terraform
-        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation
+        shell: bash
         run: |
           cp ../../constellation .
           terraform init
           terraform apply -var-file=terraform.tfvars  -auto-approve
 
       - name: Destroy Terraform Cluster
-        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
+      # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
         if: always() && steps.apply_terraform.outcome != 'skipped'
-        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation
+        shell: bash
         run: |
           terraform init
           terraform destroy -var-file=terraform.tfvars -auto-approve
 
       - name: Verify cleanup
-        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation
+        shell: bash
         run: |
           if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then
             echo "Files  constellation-mastersecret.json or constellation-conf.yaml still exist"

diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
@@ -376,20 +376,14 @@ jobs:
       max-parallel: 5
       matrix:
         include:
-          - test: "GCP"
-            provider: "gcp"
-            regionZone: "europe-west2-a"
-          - test: "AWS"
-            provider: "aws"
-            regionZone: "us-east-2c"
+          - provider: "gcp"
+          - provider: "aws"
+          - provider: "azure"
     permissions:
       id-token: write
       contents: read
       packages: write
-    needs: [find-latest-image]
     secrets: inherit
     uses: ./.github/workflows/e2e-test-tf-module.yml
     with:
       cloudProvider: "${{ matrix.provider }}"
-      regionZone: "${{ matrix.regionZone }}"
-      image: ${{ needs.find-latest-image.outputs.image-main-nightly }}