cli: support to declaratively set attestation policy

[msanft]

Context

Until now, we used a hacky patching mechanism to update the attestation policy of the MAA to disable secure boot checking. With my PR to the Azure Terraform provider, this can be replaced with using a corresponding field in the Terraform resource.

Proposed change(s)

• Replace the policy patching by directly specifying the attestation policy when creating / migrating a cluster.

Related issue

• Support for trusted launch and SEV-SNP attestation policy management hashicorp/terraform-provider-azurerm#21918
• azurerm_attestation_provider - add AzureVM and SEV-SNP attestation types hashicorp/terraform-provider-azurerm#22229

Additional info

To test:

1. Clone my fork of the Azure Terraform provider
2. Build the provider binary with make build
3. Add the following to ~/.terraformrc:

provider_installation {

 # Use /home/developer/go/bin as an overridden package directory
 # for the hashicorp/azurerm provider. This disables the version and checksum
 # verifications for this provider and forces Terraform to look for the
 # azurerm provider plugin in the given directory.
 dev_overrides {
   "hashicorp/azurerm" = "/home/developer/go/bin" 
   # Or whatever other path theTerraform provider binary you've built in step 2 lives in. (usually $GOBIN)
 }

 # For all other providers, install them directly from their origin provider
 # registries as normal. If you omit this, Terraform will _only_ use
 # the dev_overrides block, and so no other providers will be available.
 direct {}
}

4. Check out this branch in your Constellation workspace and create a cluster on Azure.
5. Remember to revert the changes to ~/.terraformrc when you're done testing.

Checklist

• Add labels (e.g., for changelog category)
• Is PR title adequate for changelog?
• Link to Milestone

[netlify]

✅ Deploy Preview for constellation-docs canceled.

Name	Link
🔨 Latest commit	286ff81
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/6492cd4232dab70008148164

[daniel-weisse]

@msanft The PR and issue were merged/fixed yesterday.
Judging by the schedule of their past releases, we should hopefully see a release with your changes in the next 3-4 days.

[msanft]

@msanft The PR and issue were merged/fixed yesterday. Judging by the schedule of their past releases, we should hopefully see a release with your changes in the next 3-4 days.

Yes, unfortunately they only merged support for the SEV-SNP attestation type though, we need to wait for Azure/azure-rest-api-specs#24635 to get merged before then again suggesting a change to the Terraform provider.. :(
If better suited, I can convert this to a draft until then

[elchead]

@msanft The PR and issue were merged/fixed yesterday. Judging by the schedule of their past releases, we should hopefully see a release with your changes in the next 3-4 days.

Yes, unfortunately they only merged support for the SEV-SNP attestation type though, we need to wait for Azure/azure-rest-api-specs#24635 to get merged before then again suggesting a change to the Terraform provider.. :( If better suited, I can convert this to a draft until then

This issue is still open, so I think this is still blocked? (Asking since I was requested for review)