Terraform module to deploy Confidential Virtual Machines on GCP

flashbots/terraform-module-gcp-confidential-vm

Terraform module to deploy Confidential Virtual Machines on GCP using the Intel TDX (Trust Domain Extensions) secure execution environment.

The module focuses on deploying VMs for BuilderNet using custom images and does not rely on standard GCP VM provisioning features like cloud-init or OS Login.

Overview

The module handles the following infrastructure components:

  • Creates a GCS bucket for storing VM images (optional);
  • Downloads images from remote HTTP(S) URLs (optional);
  • Uploads local or downloaded image files to GCS (optional);
  • Creates GCP Compute Images with TDX-capable guest OS features;
  • Allocates static external IP addresses;
  • Creates firewall rules for ingress/egress traffic;
  • Deploys Confidential VMs with Intel TDX enabled.

Prerequisites

Before using this module, you must:

  • Have a GCP project with Compute Engine API enabled;
  • Prepare your VM image as a .tar.gz file compatible with GCP;
  • Provide the image via one of: local path, GCS URI, or remote HTTP(S) URL;
  • Have curl installed locally (required only if downloading images from remote HTTP(S) URLs).

Important Notes

  • Intel TDX requires C3 series machine types (e.g., c3-standard-44);
  • TDX VMs do not support live migration (on_host_maintenance is set to TERMINATE);
  • The module creates empty secure boot certificates by default.

Usage

Refer to the examples directory for detailed configuration examples.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| google | >= 7.0.0 |
| null | >= 3.0.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_empty_secure_boot_keys | Create empty secure boot keys for TDX images | bool | true | no |
| create_image_bucket | Whether to create a new GCS bucket for storing VM images | bool | true | no |
| image_bucket_name | Name of the GCS bucket for storing VM images. Used both when creating a new bucket and when referencing an existing one | string | n/a | yes |
| images | Map of image names to their source URI. The source type is auto-detected from the URI scheme (see below) | map(object({ source_uri = string })) | n/a | yes |
| project | The GCP project ID where all resources will be created | string | n/a | yes |
| region | The GCP region where resources will be created | string | n/a | yes |
| secure_boot_keys | Custom secure boot keys in base64 format. Only used if create_empty_secure_boot_keys is false | object({ pk = optional(string), keks = optional(string), dbs = optional(string), dbxs = optional(string) }) | {} | no |
| vms | Map of VM configurations keyed by VM name (see below) | | | |

For images, the source type is auto-detected from the URI scheme:

  • https://storage.googleapis.com/bucket/path: GCS URI, image already in cloud storage (used directly);
  • https://... or http://...: remote URL, downloaded via curl then uploaded to GCS;
  • /path/to/file: local file path, uploaded to GCS.

Example images value:

```terraform
images = {
  # Existing image in GCS (used directly)
  "buildernet-v2-0-0-rc4" = {
    source_uri = "https://storage.googleapis.com/buildernet-images/buildernet-gcp_2.0.0-rc4-88fd8d54-import.tar.gz"
  }
  # Local file (will be uploaded to GCS)
  "buildernet-v2-0-1" = {
    source_uri = "/path/to/local/image.tar.gz"
  }
  # Remote URL (will be downloaded then uploaded to GCS)
  "buildernet-v2-2-0" = {
    source_uri = "https://downloads.buildernet.org/buildernet-images/v2.2.0/buildernet-gcp_2.2.0-9818c3f0-import.tar.gz"
  }
}
```

Example vms value (firewall rule keys use the "PORT | PROTOCOL | DESCRIPTION" format described under Firewall Rule Format):

```terraform
vms = {
  "buildernet-flashbots-gcp-ap-01" = {
    zone                   = "asia-northeast1-b"
    image_name             = "buildernet-v2-0-0-rc4"
    machine_type           = "c3-standard-44"
    data_disk_size_gb      = 2250
    network                = "base"
    subnetwork             = "base-asia-northeast1"
    firewall_ingress_rules = {
      "22 | tcp | ssh" = ["0.0.0.0/0"]
      "30303 | tcp
```

Outputs

| Name | Description |
|------|-------------|
| image_bucket | Name of the GCS bucket used for VM images |
| images | Map of created compute images |
| vm_details | VM details |

Image Source Options

The source_uri field auto-detects the source type based on the URI scheme:

| URI Scheme | Behavior |
|------------|----------|
| https://storage.googleapis.com/bucket/path | GCS URI: used directly, no upload needed |
| https://... or http://... | Remote URL: downloaded via curl, then uploaded to GCS |
| /path/to/file | Local file path: uploaded to GCS |

Note: When using HTTP(S) URLs, the image is downloaded to .terraform/image-downloads/ within the module directory using curl, then uploaded to GCS. Ensure you have sufficient disk space for large images.

Firewall Rule Format

Firewall rules use a pipe-delimited format: "PORT | PROTOCOL | DESCRIPTION"

  • PORT: Single port (22), port range (8000-8100), or 0 for all ports
  • PROTOCOL: tcp, udp, icmp, or all
  • DESCRIPTION: Optional human-readable description (used in rule naming)

Refer to the examples directory for detailed configuration examples.
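A complete invocation of the module that exercises the inputs described above, added here as an example (it is not taken from the module's examples directory). It assumes the GitHub source path shown, placeholder project, bucket and admin-CIDR values, the "p2p" rule description, and that the secure boot key files are DER certificates the module accepts once base64-encoded.

```terraform
# Added usage example (not from the module's examples directory).
# Assumed: the GitHub source path, the placeholder project/bucket names,
# and that the key files are DER certificates accepted once base64-encoded.
module "buildernet_cvm" {
  source = "github.com/flashbots/terraform-module-gcp-confidential-vm"

  project = "my-gcp-project" # placeholder project ID
  region  = "asia-northeast1"

  # Bucket that receives uploaded or downloaded images.
  create_image_bucket = true
  image_bucket_name   = "my-buildernet-images" # placeholder, must be globally unique

  # Source type is detected from the URI scheme of each source_uri.
  images = {
    "buildernet-v2-0-0-rc4" = {
      # Already in GCS: used directly, nothing is uploaded.
      source_uri = "https://storage.googleapis.com/buildernet-images/buildernet-gcp_2.0.0-rc4-88fd8d54-import.tar.gz"
    }
    "buildernet-v2-2-0" = {
      # Remote URL: fetched with curl into .terraform/image-downloads/, then uploaded.
      source_uri = "https://downloads.buildernet.org/buildernet-images/v2.2.0/buildernet-gcp_2.2.0-9818c3f0-import.tar.gz"
    }
  }

  # Replace the empty default Secure Boot certificates with your own.
  create_empty_secure_boot_keys = false
  secure_boot_keys = {
    pk   = filebase64("${path.module}/secureboot/PK.der")
    keks = filebase64("${path.module}/secureboot/KEK.der")
    dbs  = filebase64("${path.module}/secureboot/db.der")
  }

  vms = {
    "buildernet-flashbots-gcp-ap-01" = {
      zone              = "asia-northeast1-b"
      image_name        = "buildernet-v2-2-0"
      machine_type      = "c3-standard-44" # TDX requires the C3 series
      data_disk_size_gb = 2250
      network           = "base"
      subnetwork        = "base-asia-northeast1"
      # Keys use "PORT | PROTOCOL | DESCRIPTION"; values are the allowed source CIDRs.
      firewall_ingress_rules = {
        "22 | tcp | ssh"    = ["203.0.113.0/24"] # placeholder admin range, not 0.0.0.0/0
        "30303 | tcp | p2p" = ["0.0.0.0/0"]
      }
    }
  }
}
```

After apply, module.buildernet_cvm.vm_details exposes the deployed VMs and module.buildernet_cvm.images the compute images that were created.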

Note for contributors

If you change the module's provider requirements, input variables, or outputs, regenerate the documented configuration parameters with terraform-docs:

```shell
terraform-docs markdown --hide modules,resources,providers ./
```
