feat: add confidential space

4-projects/business_unit_1/development/outputs.tf

@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "confidential_space_project" { ///added
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+output "confidential_space_project_number" { ///added
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
 output "floating_project" {
   description = "Project sample floating project."
   value       = module.env.floating_project

4-projects/business_unit_1/nonproduction/outputs.tf

@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "confidential_space_project" { ///added
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+output "confidential_space_project_number" { ///added
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
 output "floating_project" {
   description = "Project sample floating project."
   value       = module.env.floating_project

4-projects/business_unit_1/production/outputs.tf

@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "confidential_space_project" { ///added
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+output "confidential_space_project_number" { ///added
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
 output "floating_project" {
   description = "Project sample floating project."
   value       = module.env.floating_project

4-projects/modules/base_env/example_confidential_space_project.tf

@@ -0,0 +1,56 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential_space_project" {
+  source = "../single_project"
+
+  org_id                     = local.org_id
+  billing_account            = local.billing_account
+  folder_id                  = google_folder.env_business_unit.name
+  environment                = var.env
+  vpc                        = "svpc"
+  shared_vpc_host_project_id = local.shared_vpc_host_project_id
+  shared_vpc_subnets         = local.subnets_self_links
+  project_budget             = var.project_budget
+  project_prefix             = local.project_prefix
+  project_deletion_policy    = var.project_deletion_policy
+
+  enable_cloudbuild_deploy            = local.enable_cloudbuild_deploy
+  app_infra_pipeline_service_accounts = local.app_infra_pipeline_service_accounts
+
+  sa_roles = {
+    "${var.business_code}-confidential-instance" = [
+      "roles/compute.instanceAdmin.v1",
+      "roles/iam.serviceAccountUser",
+      "roles/iam.serviceAccountAdmin",
+    ]
+  }
+
+  activate_apis                      = ["accesscontextmanager.googleapis.com"]
+  vpc_service_control_attach_enabled = local.enforce_vpcsc ? "true" : "false"
+  vpc_service_control_attach_dry_run = !local.enforce_vpcsc ? "true" : "false"
+  vpc_service_control_perimeter_name = "accessPolicies/${local.access_context_manager_policy_id}/servicePerimeters/${local.perimeter_name}"
+  vpc_service_control_sleep_duration = "60s"
+
+  # Metadata
+  project_suffix    = "conf-space" //add
+  application_name  = "${var.business_code}-sample-instance"
+  billing_code      = "1234"
+  primary_contact   = "[email protected]"
+  secondary_contact = "[email protected]"
+  business_code     = var.business_code
+}
+

4-projects/modules/base_env/outputs.tf

@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "confidential_space_project" { ///added
+  description = "Confidential Space project id."
+  value       = module.confidential_space_project.project_id
+}
+
+output "confidential_space_project_number" { ///added
+  description = "Confidential Space project number."
+  value       = module.confidential_space_project.project_number
+}
+
 output "floating_project" {
   description = "Project sample floating project."
   value       = module.floating_project.project_id

4-projects/modules/base_env/remote.tf

@@ -22,6 +22,7 @@ locals {
   perimeter_name                      = data.terraform_remote_state.network_env.outputs.service_perimeter_name
   network_self_link                   = data.terraform_remote_state.network_env.outputs.network_self_link
   shared_vpc_host_project_id          = data.terraform_remote_state.network_env.outputs.shared_vpc_host_project_id
+  confidential_space_project_id       = data.terraform_remote_state.network_env.outputs.shared_vpc_host_project_id
   subnets_self_links                  = data.terraform_remote_state.network_env.outputs.subnets_self_links
   access_context_manager_policy_id    = data.terraform_remote_state.network_env.outputs.access_context_manager_policy_id
   enforce_vpcsc                       = data.terraform_remote_state.network_env.outputs.enforce_vpcsc

5-app-infra/business_unit_1/development/main.tf

@@ -38,3 +38,13 @@ module "peering_gce_instance" {
   region              = coalesce(var.instance_region, local.default_region)
   remote_state_bucket = var.remote_state_bucket
 }
+
+module "confidential_space_instance" {
+  source = "../../modules/env_base"
+
+  environment         = local.environment
+  business_unit       = local.business_unit
+  project_suffix      = "conf-space"
+  region              = coalesce(var.instance_region, local.default_region)
+  remote_state_bucket = var.remote_state_bucket
+}

5-app-infra/business_unit_1/nonproduction/main.tf

@@ -38,3 +38,13 @@ module "peering_gce_instance" {
   region              = coalesce(var.instance_region, local.default_region)
   remote_state_bucket = var.remote_state_bucket
 }
+
+module "confidential_space_instance" {
+  source = "../../modules/env_base"
+
+  environment         = local.environment
+  business_unit       = local.business_unit
+  project_suffix      = "conf-space"
+  region              = coalesce(var.instance_region, local.default_region)
+  remote_state_bucket = var.remote_state_bucket
+}

5-app-infra/business_unit_1/production/main.tf

@@ -38,3 +38,13 @@ module "peering_gce_instance" {
   region              = coalesce(var.instance_region, local.default_region)
   remote_state_bucket = var.remote_state_bucket
 }
+
+module "confidential_space_instance" {
+  source = "../../modules/env_base"
+
+  environment         = local.environment
+  business_unit       = local.business_unit
+  project_suffix      = "conf-space"
+  region              = coalesce(var.instance_region, local.default_region)
+  remote_state_bucket = var.remote_state_bucket
+}

5-app-infra/modules/env_base/main.tf

@@ -19,16 +19,19 @@ locals {
     "sample-floating" = data.terraform_remote_state.projects_env.outputs.floating_project,
     "sample-peering"  = data.terraform_remote_state.projects_env.outputs.peering_project,
     "sample-svpc"     = data.terraform_remote_state.projects_env.outputs.shared_vpc_project,
+    "conf-space"     = data.terraform_remote_state.projects_env.outputs.confidential_space_project,//added
   }
   env_project_subnets = {
     "sample-floating" = local.svpc_subnetwork_self_link,
     "sample-peering"  = data.terraform_remote_state.projects_env.outputs.peering_subnetwork_self_link,
     "sample-svpc"     = local.svpc_subnetwork_self_link,
+    "conf-space"     = local.svpc_subnetwork_self_link, //added
   }
   env_project_resource_manager_tags = {
     "sample-floating" = null,
     "sample-peering"  = data.terraform_remote_state.projects_env.outputs.iap_firewall_tags,
     "sample-svpc"     = null,
+    "conf-space"     = null,//added
   }
 
   subnetwork_self_links     = data.terraform_remote_state.projects_env.outputs.subnets_self_links
@@ -88,3 +91,128 @@ module "compute_instance" {
   instance_template     = module.instance_template.self_link
   resource_manager_tags = local.resource_manager_tags
 }
+
+
+
+///confidential space
+////
+module "confidential_instance_template" {
+  source  = "terraform-google-modules/vm/google//modules/instance_template"
+  version = "~> 13.0"
+
+  region     = var.region
+  project_id = local.env_project_id
+  subnetwork = local.subnetwork_self_link
+
+  #name_prefix                = "confidential-space-template"
+  source_image_project       = "confidential-space-images"
+  source_image               = "confidential-space"
+  machine_type               = "n2d-standard-2"
+  min_cpu_platform           = "AMD Milan"
+  enable_confidential_vm     = true
+  confidential_instance_type = "SEV"
+
+  shielded_instance_config = {
+    enable_secure_boot          = true
+    enable_vtpm                 = true
+    enable_integrity_monitoring = true
+  }
+
+  metadata = {
+    tee-image-reference = "us-central1-docker.pkg.dev/prj-p-bu1-sample-peering-cue4/prj-p-bu1-sample-repo/prj-p-bu1-repo:latest"
+
+  }
+
+  service_account = {
+    email  = google_service_account.compute_engine_service_account.email
+    scopes = ["cloud-platform"]
+  }
+}
+
+module "confidential_compute_instance" {
+  source  = "terraform-google-modules/vm/google//modules/compute_instance"
+  version = "~> 13.0"
+
+  region                = var.region
+  subnetwork_project    = local.subnetwork_project
+  subnetwork            = local.subnetwork_self_link
+  num_instances         = var.num_instances
+  hostname              = "confidential-instance"
+  instance_template     = module.confidential_instance_template.self_link
+  resource_manager_tags = local.resource_manager_tags
+}
+
+resource "google_service_account" "workload_sa" {
+  account_id   = "confidential-space-workload-sa"
+  display_name = "Workload Service Account for confidential space"
+  project      = local.env_project_id
+}
+
+resource "google_project_service" "enabled_services" {
+  project = local.env_project_id
+
+  service = [
+    "cloudkms.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "compute.googleapis.com",
+    "confidentialcomputing.googleapis.com"
+  ]
+}
+
+resource "google_project_iam_member" "workload_sa_user" {
+  project = local.env_project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "user:${data.google_client_config.default.account_id}"
+}
+
+resource "google_project_iam_member" "workload_sa_confidential_user" {
+  project = local.env_project_id
+  role    = "roles/confidentialcomputing.workloadUser"
+  member  = "serviceAccount:${google_service_account.workload_sa.email}"
+}
+
+resource "google_project_iam_member" "workload_sa_logging_writer" {
+  project = local.env_project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.workload_sa.email}"
+}
+
+resource "google_artifact_registry_repository" "ar_confidential_space" {
+  repository_id   = "ar-confidential-space"
+  format          = "DOCKER"
+  location        = "us"
+  project         = local.env_project_id
+}
+
+resource "google_artifact_registry_repository_iam_member" "artifact_registry_reader" {
+  repository = google_artifact_registry_repository.ar_confidential_space.id
+  location   = google_artifact_registry_repository.ar_confidential_space.location
+  role       = "roles/artifactregistry.reader"
+  member     = "serviceAccount:${google_service_account.workload_sa.email}"
+}
+
+resource "google_kms_key_ring" "workload_keyring" {
+  name     = "workload-key-ring"
+  location = "global"
+  project  = local.env_project_id
+}
+
+resource "google_kms_crypto_key" "workload_key" {
+  name     = "workload-key"
+  key_ring = google_kms_key_ring.workload_keyring.id
+  purpose  = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_crypto_key_iam_member" "key_decrypter" {
+  crypto_key_id = google_kms_crypto_key.workload_key.id
+  role          = "roles/cloudkms.cryptoKeyDecrypter"
+  member        = "serviceAccount:${google_service_account.workload_sa.email}"
+
+  condition {
+    expression  = "request.auth.claims.google.container.image_digest == 'sha256:HASH-GERADO-PELO-DIGEST'"
+    title       = "RequireAttestedImage"
+    description = "OnlyAllowTrustedImage"
+  }
+}
+