terraform: only set `confidential_instance_type` if `cc_technology` is `SEV_SNP`

edgelesssys / constellation

Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.

GNU Affero General Public License v3.0

906 stars 47 forks source link

Context

Upgrades of existing GCP SEV-ES clusters are failing because setting confidential_instance_type makes Terraform want to re-create the instance templates, which does not work because they are still in use by instances.

Proposed change(s)

Only set confidential_instance_type if cc_technology is SEV_SNP
- When this feature is introduced into the mainline GCP Terraform provider, we will likely have to introduce some form of migration, but I would hold of on that until the provider maintainers decide on how this will look like

Related issue

Fixes https://github.com/edgelesssys/issues/issues/545

Checklist

[x] Run the E2E tests that are relevant to this PR's changes
- [x] GCP SEV-ES upgrade test
- [x] GCP SEV-SNP test

Name	Link
Latest commit	87c3f367cd45f530b709effc9eb7ff4718c625d8
Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/66434d0addcec300089b812d

Name

Link

Latest commit

87c3f367cd45f530b709effc9eb7ff4718c625d8

Latest deploy log

https://app.netlify.com/sites/constellation-docs/deploys/66434d0addcec300089b812d

edgelesssys / constellation