Merge pull request os-autoinst#25031 from grisu48/nitro

mloviska · web-flow · commit ee246ae5e81b · 2026-03-19T14:09:01.000+01:00
Add capability to enable Nitro Enclave
diff --git a/data/publiccloud/terraform/ec2.tf b/data/publiccloud/terraform/ec2.tf
@@ -88,6 +88,10 @@ variable "ssh_public_key" {
   default = "/root/.ssh/id_ed25519.pub"
 }
 
+variable "nitro_enclave" {
+  default = false
+}
+
 data "aws_iam_instance_profile" "ec2_cloudwatch" {
   name       = "OpenQAEC2CloudWatchLogsRole" 
 }
@@ -139,6 +143,11 @@ resource "aws_instance" "openqa" {
     }
   }
 
+  # AWS Nitro Enclave
+  enclave_options {
+    enabled = var.nitro_enclave
+  }
+
   user_data = var.cloud_init != "" ? file(var.cloud_init) : null
 }
 
diff --git a/lib/publiccloud/provider.pm b/lib/publiccloud/provider.pm
@@ -515,6 +515,7 @@ sub terraform_apply {
             $vars{vpc_security_group_ids} = script_output("aws ec2 describe-security-groups --region '" . $self->provider_client->region . "' --filters 'Name=group-name,Values=tf-sg' --query 'SecurityGroups[0].GroupId' --output text");
             $vars{subnet_id} = script_output("aws ec2 describe-subnets --region '" . $self->provider_client->region . "' --filters 'Name=tag:Name,Values=tf-subnet' 'Name=availabilityZone,Values=" . $vars{availability_zone} . "' --query 'Subnets[0].SubnetId' --output text");
             $vars{ipv6_address_count} = get_var('PUBLIC_CLOUD_EC2_IPV6_ADDRESS_COUNT', 0);
+            $vars{nitro_enclave} = "true" if check_var("PUBLIC_CLOUD_EC2_NITRO_ENCLAVE", "1");
         } elsif (is_azure) {
             my $subnet_id = script_output("az network vnet subnet list -g 'tf-" . $self->provider_client->region . "-rg' --vnet-name 'tf-network' --query '[0].id' --output 'tsv'");
             $vars{subnet_id} = $subnet_id if ($subnet_id);
diff --git a/variables.md b/variables.md
@@ -332,6 +332,7 @@ PUBLIC_CLOUD_EC2_ACCOUNT_ID | string | `aws sts get-caller-identity --query "Acc
 PUBLIC_CLOUD_EC2_UPLOAD_AMI | string | "" | Needed to decide which image will be used for helper VM for upload some image. When not specified some predefined value will be used. Overwrite the value for `ec2uploadimg --ec2-ami`.
 PUBLIC_CLOUD_EC2_UPLOAD_SECGROUP | string | "" | Allow to instruct ec2uploadimg script to use some existing security group instead of creating new one. If given, the parameter `--security-group-ids` is passed to `ec2uploadimg`.
 PUBLIC_CLOUD_EC2_UPLOAD_VPCSUBNET | string | "" | Allow to instruct ec2uploadimg script to use some existing VPC instead of creating new one.
+PUBLIC_CLOUD_EC2_NITRO_ENCLAVE | boolean | false | Enable the AWS Nitro Enclave for this instance.
 PUBLIC_CLOUD_EMBARGOED_UPDATES_DETECTED | boolean | true | Internal variable written by the code and readed by the code . Should NOT be set manually
 PUBLIC_CLOUD_FORCE_REGISTRATION | boolean | false | If set, tests/publiccloud/registration.pm will register cloud guest
 PUBLIC_CLOUD_GCE_STACK_TYPE | string | IPV4_ONLY | Network stack type, possible values: IPV4_IPV6 or IPV4_ONLY

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,10 @@ variable "ssh_public_key" {`
`88`	`88`	`default = "/root/.ssh/id_ed25519.pub"`
`89`	`89`	`}`
`90`	`90`
	`91`	`+variable "nitro_enclave" {`
	`92`	`+ default = false`
	`93`	`+}`
	`94`	`+`
`91`	`95`	`data "aws_iam_instance_profile" "ec2_cloudwatch" {`
`92`	`96`	`name = "OpenQAEC2CloudWatchLogsRole"`
`93`	`97`	`}`
`@@ -139,6 +143,11 @@ resource "aws_instance" "openqa" {`
`139`	`143`	`}`
`140`	`144`	`}`
`141`	`145`
	`146`	`+ # AWS Nitro Enclave`
	`147`	`+ enclave_options {`
	`148`	`+ enabled = var.nitro_enclave`
	`149`	`+ }`
	`150`	`+`
`142`	`151`	`user_data = var.cloud_init != "" ? file(var.cloud_init) : null`
`143`	`152`	`}`
`144`	`153`