feat: Add confidential compute flags (#131)

salrashid123 · web-flow · commit 615c8bce7e9c · 2021-04-06T10:57:47.000-07:00
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
@@ -19,13 +19,15 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
 | disk\_size\_gb | Boot disk size in GB | `string` | `"100"` | no |
 | disk\_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `"pd-standard"` | no |
+| enable\_confidential\_vm | Whether to enable the Confidential VM configuration on the instance. Note that the instance image must support Confidential VMs. See https://cloud.google.com/compute/docs/images | `bool` | `false` | no |
 | enable\_shielded\_vm | Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images | `bool` | `false` | no |
 | labels | Labels, provided as a map | `map(string)` | `{}` | no |
 | machine\_type | Machine type to create, e.g. n1-standard-1 | `string` | `"n1-standard-1"` | no |
 | metadata | Metadata, provided as a map | `map(string)` | `{}` | no |
 | name\_prefix | Name prefix for the instance template | `string` | `"default-instance-template"` | no |
 | network | The name or self\_link of the network to attach this interface to. Use network attribute for Legacy or Auto subnetted networks and subnetwork for custom subnetted networks. | `string` | `""` | no |
 | network\_ip | Private IP address to assign to the instance if desired. | `string` | `""` | no |
+| on\_host\_maintenance | Instance availability Policy | `string` | `"MIGRATE"` | no |
 | preemptible | Allow the instance to be preempted | `bool` | `false` | no |
 | project\_id | The GCP project ID | `string` | `null` | no |
 | region | Region where the instance template should be created. | `string` | `null` | no |
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
@@ -44,11 +44,18 @@ locals {
 
   all_disks = concat(local.boot_disk, var.additional_disks)
 
-  # NOTE: Even if all the shielded_instance_config values are false, if the
-  # config block exists and an unsupported image is chosen, the apply will fail
-  # so we use a single-value array with the default value to initialize the block
-  # only if it is enabled.
-  shielded_vm_configs = var.enable_shielded_vm ? [true] : []
+  # NOTE: Even if all the shielded_instance_config or confidential_instance_config
+  # values are false, if the config block exists and an unsupported image is chosen,
+  # the apply will fail so we use a single-value array with the default value to
+  # initialize the block only if it is enabled.
+  shielded_vm_configs          = var.enable_shielded_vm ? [true] : []
+  confidential_instance_config = var.enable_confidential_vm ? [true] : []
+
+  on_host_maintenance = (
+    var.preemptible || var.enable_confidential_vm
+    ? "TERMINATE"
+    : var.on_host_maintenance
+  )
 }
 
 ####################
@@ -116,8 +123,9 @@ resource "google_compute_instance_template" "tpl" {
 
   # scheduling must have automatic_restart be false when preemptible is true.
   scheduling {
-    preemptible       = var.preemptible
-    automatic_restart = ! var.preemptible
+    preemptible         = var.preemptible
+    automatic_restart   = ! var.preemptible
+    on_host_maintenance = local.on_host_maintenance
   }
 
   dynamic "shielded_instance_config" {
@@ -128,4 +136,8 @@ resource "google_compute_instance_template" "tpl" {
       enable_integrity_monitoring = lookup(var.shielded_instance_config, "enable_integrity_monitoring", shielded_instance_config.value)
     }
   }
+
+  confidential_instance_config {
+    enable_confidential_compute = var.enable_confidential_vm
+  }
 }
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
@@ -53,6 +53,12 @@ variable "preemptible" {
   default     = false
 }
 
+variable "on_host_maintenance" {
+  type        = string
+  description = "Instance availability Policy"
+  default     = "MIGRATE"
+}
+
 variable "region" {
   type        = string
   description = "Region where the instance template should be created."
@@ -178,6 +184,14 @@ variable "shielded_instance_config" {
   }
 }
 
+###########################
+# Confidential Compute VMs
+###########################
+variable "enable_confidential_vm" {
+  default     = false
+  description = "Whether to enable the Confidential VM configuration on the instance. Note that the instance image must support Confidential VMs. See https://cloud.google.com/compute/docs/images"
+}
+
 ###########################
 # Public IP
 ###########################
