Quickstart: Create an Azure Attestation provider by using Terraform

Microsoft Azure Attestation is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of creating a Microsoft Azure Attestation policy using Terraform.

In this article, you learn how to:

Prerequisites

  • Install and configure Terraform

  • Policy Signing Certificate: You need to upload an X.509 certificate, which is used by the attestation provider to validate signed policies. This certificate is either signed by a certificate authority or self-signed. Supported file extensions include pem, txt, and cer. This article assumes that you already have a valid X.509 certificate.

Implement the Terraform code

Note

The sample code for this article is located in the Azure Terraform GitHub repo. You can view the log file containing the test results from current and previous versions of Terraform.

See more articles and sample code showing how to use Terraform to manage Azure resources

  1. Create a directory in which to test the sample Terraform code and make it the current directory.

  2. Create a file named providers.tf and insert the following code:

    terraform {
      required_version = ">=0.12"
    
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~>3.0"
        }
        random = {
          source  = "hashicorp/random"
          version = "~>3.0"
        }
        tls = {
          source  = "hashicorp/tls"
          version = "4.0.4"
        }
      }
    }
    
    provider "azurerm" {
      features {}
    }
    
  3. Create a file named main.tf and insert the following code:

    resource "random_pet" "rg_name" {
      prefix = var.resource_group_name_prefix
    }
    
    resource "azurerm_resource_group" "rg" {
      location = var.resource_group_location
      name     = random_pet.rg_name.id
    }
    
    locals {
      create_signing_cert = try(!fileexists(var.cert_path), true)
    }
    
    resource "tls_private_key" "signing_cert" {
      count = local.create_signing_cert ? 1 : 0
    
      algorithm = "RSA"
      rsa_bits  = 4096
    }
    
    resource "tls_self_signed_cert" "attestation" {
      count = local.create_signing_cert ? 1 : 0
    
      private_key_pem       = tls_private_key.signing_cert[0].private_key_pem
      validity_period_hours = 12
      allowed_uses = [
        "cert_signing",
      ]
    }
    
    resource "random_string" "attestation_suffix" {
      length  = 8
      numeric = false
      special = false
      upper   = false
    }
    
    resource "azurerm_attestation_provider" "corp_attestation" {
      location                        = azurerm_resource_group.rg.location
      name                            = "${var.attestation_provider_name}${random_string.attestation_suffix.result}"
      resource_group_name             = azurerm_resource_group.rg.name
      policy_signing_certificate_data = try(tls_self_signed_cert.attestation[0].cert_pem, file(var.cert_path))
      #https://github.com/hashicorp/terraform-provider-azurerm/issues/21998#issuecomment-1573312297
      lifecycle {
        ignore_changes = [
          "open_enclave_policy_base64",
          "sev_snp_policy_base64",
          "sgx_enclave_policy_base64",
          "tpm_policy_base64",
        ]
      }
    }
    
  4. Create a file named variables.tf and insert the following code:

    variable "attestation_provider_name" {
      default = "attestation"
    }
    
    variable "cert_path" {
      default = "~/.certs/cert.pem"
    }
    
    variable "resource_group_location" {
      default     = "eastus"
      description = "Location of the resource group."
    }
    
    variable "resource_group_name_prefix" {
      default     = "rg"
      description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
    }
    

    Key points:

    • Adjust the policy_file field as needed to point to your PEM file.
  5. Create a file named outputs.tf and insert the following code:

    output "resource_group_name" {
      value = azurerm_resource_group.rg.name
    }
    

Initialize Terraform

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.

terraform init -upgrade

Key points:

  • The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

terraform plan -out main.tfplan

Key points:

  • The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
  • The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply main.tfplan

Key points:

  • The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
  • If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
  • If you didn't use the -out parameter, call terraform apply without any parameters.

6. Verify the results

  1. Get the Azure resource group name.

    resource_group_name=$(terraform output -raw resource_group_name)
    
  2. Run az attestation list to list the providers for the specified resource group name.

    az attestation list --resource-group $resource_group_name
    

Clean up resources

When you no longer need the resources created via Terraform, do the following steps:

  1. Run terraform plan and specify the destroy flag.

    terraform plan -destroy -out main.destroy.tfplan
    

    Key points:

    • The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
    • The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
  2. Run terraform apply to apply the execution plan.

    terraform apply main.destroy.tfplan
    

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps