Quickstart: Create an Azure Attestation provider by using Terraform
Microsoft Azure Attestation is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of creating a Microsoft Azure Attestation policy using Terraform.
In this article, you learn how to:
- Create a random value for the Azure resource group name using random_pet.
- Create an Azure resource group using azurerm_resource_group.
- Create an Azure Attestation provider using azurerm_attestation_provider.
Prerequisites
Policy Signing Certificate: You need to upload an X.509 certificate, which is used by the attestation provider to validate signed policies. This certificate is either signed by a certificate authority or self-signed. Supported file extensions include
pem,txt, andcer. This article assumes that you already have a valid X.509 certificate.
Implement the Terraform code
Note
The sample code for this article is located in the Azure Terraform GitHub repo. You can view the log file containing the test results from current and previous versions of Terraform.
See more articles and sample code showing how to use Terraform to manage Azure resources
Create a directory in which to test the sample Terraform code and make it the current directory.
Create a file named
providers.tfand insert the following code:terraform { required_version = ">=0.12" required_providers { azurerm = { source = "hashicorp/azurerm" version = "~>3.0" } random = { source = "hashicorp/random" version = "~>3.0" } tls = { source = "hashicorp/tls" version = "4.0.4" } } } provider "azurerm" { features {} }Create a file named
main.tfand insert the following code:resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } resource "azurerm_resource_group" "rg" { location = var.resource_group_location name = random_pet.rg_name.id } locals { create_signing_cert = try(!fileexists(var.cert_path), true) } resource "tls_private_key" "signing_cert" { count = local.create_signing_cert ? 1 : 0 algorithm = "RSA" rsa_bits = 4096 } resource "tls_self_signed_cert" "attestation" { count = local.create_signing_cert ? 1 : 0 private_key_pem = tls_private_key.signing_cert[0].private_key_pem validity_period_hours = 12 allowed_uses = [ "cert_signing", ] } resource "random_string" "attestation_suffix" { length = 8 numeric = false special = false upper = false } resource "azurerm_attestation_provider" "corp_attestation" { location = azurerm_resource_group.rg.location name = "${var.attestation_provider_name}${random_string.attestation_suffix.result}" resource_group_name = azurerm_resource_group.rg.name policy_signing_certificate_data = try(tls_self_signed_cert.attestation[0].cert_pem, file(var.cert_path)) #https://github.com/hashicorp/terraform-provider-azurerm/issues/21998#issuecomment-1573312297 lifecycle { ignore_changes = [ "open_enclave_policy_base64", "sev_snp_policy_base64", "sgx_enclave_policy_base64", "tpm_policy_base64", ] } }Create a file named
variables.tfand insert the following code:variable "attestation_provider_name" { default = "attestation" } variable "cert_path" { default = "~/.certs/cert.pem" } variable "resource_group_location" { default = "eastus" description = "Location of the resource group." } variable "resource_group_name_prefix" { default = "rg" description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription." }Key points:
- Adjust the
policy_filefield as needed to point to your PEM file.
- Adjust the
Create a file named
outputs.tfand insert the following code:output "resource_group_name" { value = azurerm_resource_group.rg.name }
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
terraform init -upgrade
Key points:
- The
-upgradeparameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
Create a Terraform execution plan
Run terraform plan to create an execution plan.
terraform plan -out main.tfplan
Key points:
- The
terraform plancommand creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-outparameter allows you to specify an output file for the plan. Using the-outparameter ensures that the plan you reviewed is exactly what is applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
terraform apply main.tfplan
Key points:
- The example
terraform applycommand assumes you previously ranterraform plan -out main.tfplan. - If you specified a different filename for the
-outparameter, use that same filename in the call toterraform apply. - If you didn't use the
-outparameter, callterraform applywithout any parameters.
6. Verify the results
Get the Azure resource group name.
resource_group_name=$(terraform output -raw resource_group_name)Run az attestation list to list the providers for the specified resource group name.
az attestation list --resource-group $resource_group_name
Clean up resources
When you no longer need the resources created via Terraform, do the following steps:
Run terraform plan and specify the
destroyflag.terraform plan -destroy -out main.destroy.tfplanKey points:
- The
terraform plancommand creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-outparameter allows you to specify an output file for the plan. Using the-outparameter ensures that the plan you reviewed is exactly what is applied.
- The
Run terraform apply to apply the execution plan.
terraform apply main.destroy.tfplan
Troubleshoot Terraform on Azure
Troubleshoot common problems when using Terraform on Azure