Issue 501: Expose node pool enable_secure_boot and enable_integrity_monitoring options (#506)

c0ffeec0der · web-flow · commit 92cc19f09e63 · 2020-05-05T13:00:10.000-04:00
* Expose node pool shielded_instance_config

Co-authored-by: c0feec0der &lt;&gt;
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -497,6 +497,11 @@ resource "google_container_node_pool" "pools" {
       }
     }
     {% endif %}
+
+    shielded_instance_config {
+      enable_secure_boot =  lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/cluster.tf b/cluster.tf
@@ -230,6 +230,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/examples/deploy_service/README.md b/examples/deploy_service/README.md
@@ -28,18 +28,8 @@ It will:
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md
@@ -26,18 +26,8 @@ This example illustrates how to create a simple cluster and disable deprecated s
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md
@@ -24,18 +24,8 @@ This example illustrates how to create a cluster with multiple custom node-pool
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/shared_vpc/README.md b/examples/shared_vpc/README.md
@@ -23,18 +23,8 @@ This example illustrates how to create a simple cluster where the host network i
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/simple_regional/README.md b/examples/simple_regional/README.md
@@ -23,18 +23,8 @@ This example illustrates how to create a simple cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/simple_regional_private/README.md b/examples/simple_regional_private/README.md
@@ -22,18 +22,8 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/simple_zonal_private/README.md b/examples/simple_zonal_private/README.md
@@ -23,18 +23,8 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/simple_zonal_with_acm/README.md b/examples/simple_zonal_with_acm/README.md
@@ -29,18 +29,8 @@ It incorporates the standard cluster module and the [ACM install module](../../m
 | acm\_git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/stub_domains/README.md b/examples/stub_domains/README.md
@@ -27,18 +27,8 @@ It will:
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -451,6 +451,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -379,6 +379,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -366,6 +366,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -315,6 +315,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -243,6 +243,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

Original file line number	Diff line number	Diff line change
`@@ -497,6 +497,11 @@ resource "google_container_node_pool" "pools" {`
`497`	`497`	`}`
`498`	`498`	`}`
`499`	`499`	`{% endif %}`
	`500`	`+`
	`501`	`+ shielded_instance_config {`
	`502`	`+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)`
	`503`	`+ enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)`
	`504`	`+ }`
`500`	`505`	`}`
`501`	`506`
`502`	`507`	`lifecycle {`
Original file line number	Diff line number	Diff line change
`@@ -230,6 +230,11 @@ resource "google_container_node_pool" "pools" {`
`230`	`230`	`count = guest_accelerator["count"]`
`231`	`231`	`}`
`232`	`232`	`]`
	`233`	`+`
	`234`	`+ shielded_instance_config {`
	`235`	`+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)`
	`236`	`+ enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)`
	`237`	`+ }`
`233`	`238`	`}`
`234`	`239`
`235`	`240`	`lifecycle {`