feat: add secure boot option to instance

README.md

@@ -164,6 +164,22 @@ To this end, this provider supports the following extra specs schema:
             "type": "boolean",
             "description": "Enable boot debug on the VM."
         },
+        "disable_updates": {
+            "type": "boolean",
+            "description": "Disable OS updates on boot."
+        },
+        "enable_secure_boot": {
+            "type": "boolean",
+            "desctipyion": "Enable Secure Boot on the VM. Requires a Shielded VM compatible image."
+        },
+        "enable_vtpm": {
+            "type": "boolean",
+            "desctipyion": "Enable virtual Trusted Platform Module (vTPM) on the VM."
+        },
+        "enable_integrity_monitoring": {
+            "type": "boolean",
+            "desctipyion": "Enable integrity monitoring on the VM."
+        },
         "runner_install_template": {
             "type": "string",
             "description": "This option can be used to override the default runner install template. If used, the caller is responsible for the correctness of the template as well as the suitability of the template for the target OS. Use the extra_context extra spec if your template has variables in it that need to be expanded."

internal/client/gcp.go

@@ -173,6 +173,11 @@ func (g *GcpCli) CreateInstance(ctx context.Context, spec *spec.RunnerSpec) (*co
 			Items: spec.NetworkTags,
 		},
 		ServiceAccounts: spec.ServiceAccounts,
+		ShieldedInstanceConfig: &computepb.ShieldedInstanceConfig{
+			EnableSecureBoot:          proto.Bool(spec.EnableSecureBoot),
+			EnableVtpm:                proto.Bool(spec.EnableVTPM),
+			EnableIntegrityMonitoring: proto.Bool(spec.EnableIntegrityMonitoring),
+		},
 	}
 
 	if !g.cfg.ExternalIPAccess {

internal/spec/spec.go

@@ -141,6 +141,10 @@ type extraSpecs struct {
 	SSHKeys         []string                    `json:"ssh_keys,omitempty" jsonschema:"description=A list of SSH keys to be added to the instance. The format is USERNAME:SSH_KEY"`
 	EnableBootDebug *bool                       `json:"enable_boot_debug,omitempty" jsonschema:"description=Enable boot debug on the VM."`
 	DisableUpdates  *bool                       `json:"disable_updates,omitempty" jsonschema:"description=Disable OS updates on boot."`
+	// Shielded VM options
+	EnableSecureBoot          bool `json:"enable_secure_boot,omitempty" jsonschema:"description=Enable Secure Boot on the VM. Requires a Shielded VM compatible image."`
+	EnableVTPM                bool `json:"enable_vtpm,omitempty" jsonschema:"description=Enable virtual Trusted Platform Module (vTPM) on the VM."`
+	EnableIntegrityMonitoring bool `json:"enable_integrity_monitoring,omitempty" jsonschema:"description=Enable integrity monitoring on the VM."`
 	// The Cloudconfig struct from common package
 	cloudconfig.CloudConfigSpec
 }
@@ -197,6 +201,10 @@ type RunnerSpec struct {
 	SSHKeys         string
 	EnableBootDebug bool
 	DisableUpdates  bool
+	// Shielded VM options
+	EnableSecureBoot          bool
+	EnableVTPM                bool
+	EnableIntegrityMonitoring bool
 }
 
 func (r *RunnerSpec) MergeExtraSpecs(extraSpecs *extraSpecs) {
@@ -241,6 +249,15 @@ func (r *RunnerSpec) MergeExtraSpecs(extraSpecs *extraSpecs) {
 	if extraSpecs.DisableUpdates != nil {
 		r.DisableUpdates = *extraSpecs.DisableUpdates
 	}
+	if extraSpecs.EnableSecureBoot {
+		r.EnableSecureBoot = extraSpecs.EnableSecureBoot
+	}
+	if extraSpecs.EnableVTPM {
+		r.EnableVTPM = extraSpecs.EnableVTPM
+	}
+	if extraSpecs.EnableIntegrityMonitoring {
+		r.EnableIntegrityMonitoring = extraSpecs.EnableIntegrityMonitoring
+	}
 }
 
 func (r *RunnerSpec) Validate() error {