feat: add confidential computing example (#421)

Author: arthurlapertosa

examples/confidential_computing/README.md

@@ -0,0 +1,30 @@
+# confidential computing vm
+
+This is an example of a vm creation with confidential computing,
+encrypted disk using a multiregion (US by default) Cloud HSM key
+and a custom service account with cloud-platform scope.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| key | Key name. | `string` | n/a | yes |
+| keyring | Keyring name. | `string` | n/a | yes |
+| location | Location for the resources (keyring, key, network, etc.). | `string` | `"us"` | no |
+| project\_id | The Google Cloud project ID. | `string` | n/a | yes |
+| region | The GCP region to create and test resources in. | `string` | `"us-central1"` | no |
+| service\_account\_roles | Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM. | `list(string)` | `[]` | no |
+| subnetwork | The subnetwork selflink to host the compute instances in. | `string` | n/a | yes |
+| suffix | A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring). | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance\_self\_link | Self-link for compute instance. |
+| name | Name of the instance templates. |
+| self\_link | Self-link to the instance template. |
+| suffix | Suffix used as an identifier for resources. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/confidential_computing/main.tf

@@ -0,0 +1,98 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_suffix = var.suffix == "" ? random_string.suffix.result : "${random_string.suffix.result}-${var.suffix}"
+  key_name       = "${var.key}-${local.default_suffix}"
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "2.3.0"
+
+  keyring              = "${var.keyring}-${local.default_suffix}"
+  location             = var.location
+  project_id           = var.project_id
+  keys                 = [local.key_name]
+  purpose              = "ENCRYPT_DECRYPT"
+  key_protection_level = "HSM"
+  prevent_destroy      = false
+}
+
+resource "google_service_account" "default" {
+  project      = var.project_id
+  account_id   = "confidential-compute-sa"
+  display_name = "Custom SA for confidential VM Instance"
+}
+
+resource "google_project_iam_member" "service_account_roles" {
+  for_each = toset(var.service_account_roles)
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.default.email}"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = module.kms.keys[local.key_name]
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
+  ]
+}
+
+module "instance_template" {
+  source = "../../modules/instance_template"
+
+  region     = var.region
+  project_id = var.project_id
+  subnetwork = var.subnetwork
+
+  name_prefix                = "confidential-encrypted-template"
+  source_image_project       = "ubuntu-os-cloud"
+  source_image               = "ubuntu-2004-lts"
+  machine_type               = "n2d-standard-2"
+  min_cpu_platform           = "AMD Milan"
+  enable_confidential_vm     = true
+  confidential_instance_type = "SEV"
+
+  service_account = {
+    email  = google_service_account.default.email
+    scopes = ["cloud-platform"]
+  }
+  disk_encryption_key = module.kms.keys[local.key_name]
+}
+
+module "compute_instance" {
+  source  = "terraform-google-modules/vm/google//modules/compute_instance"
+  version = "~> 11.0"
+
+  region              = var.region
+  subnetwork          = var.subnetwork
+  hostname            = "confidential-encrypted-instance"
+  instance_template   = module.instance_template.self_link
+  deletion_protection = false
+}

examples/confidential_computing/outputs.tf

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+output "self_link" {
+  description = "Self-link to the instance template."
+  value       = module.instance_template.self_link
+}
+
+output "name" {
+  description = "Name of the instance templates."
+  value       = module.instance_template.name
+}
+
+output "instance_self_link" {
+  description = "Self-link for compute instance."
+  value       = module.compute_instance.instances_self_links[0]
+}
+
+output "suffix" {
+  description = "Suffix used as an identifier for resources."
+  value       = local.default_suffix
+}

examples/confidential_computing/variables.tf

@@ -0,0 +1,59 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The Google Cloud project ID."
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region to create and test resources in."
+  type        = string
+  default     = "us-central1"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork selflink to host the compute instances in."
+  type        = string
+}
+
+variable "location" {
+  description = "Location for the resources (keyring, key, network, etc.)."
+  type        = string
+  default     = "us"
+}
+
+variable "suffix" {
+  description = "A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring)."
+  type        = string
+  default     = ""
+}
+
+variable "keyring" {
+  description = "Keyring name."
+  type        = string
+}
+
+variable "key" {
+  description = "Key name."
+  type        = string
+}
+
+variable "service_account_roles" {
+  description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM."
+  type        = list(string)
+  default     = []
+}

metadata.yaml

@@ -48,6 +48,8 @@ spec:
         location: examples/instance_template/alias_ip_range
       - name: autoscaler
         location: examples/mig/autoscaler
+      - name: confidential_computing
+        location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
       - name: disk_snapshot

modules/compute_disk_snapshot/README.md

@@ -26,7 +26,7 @@ See the [disk snapshot](https://github.com/terraform-google-modules/terraform-go
 
 | Name | Description |
 |------|-------------|
-| attachments | Disk attachments to the resource policy |
-| policy | Resource snapshot policy details |
+| attachments | Disk attachments to the resource policy. |
+| policy | Resource snapshot policy details. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/compute_disk_snapshot/metadata.yaml

@@ -38,6 +38,8 @@ spec:
         location: examples/instance_template/alias_ip_range
       - name: autoscaler
         location: examples/mig/autoscaler
+      - name: confidential_computing
+        location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
       - name: disk_snapshot
@@ -148,9 +150,9 @@ spec:
         required: true
     outputs:
       - name: attachments
-        description: Disk attachments to the resource policy
+        description: Disk attachments to the resource policy.
       - name: policy
-        description: Resource snapshot policy details
+        description: Resource snapshot policy details.
   requirements:
     roles:
       - level: Project

modules/compute_disk_snapshot/outputs.tf

@@ -15,11 +15,11 @@
  */
 
 output "policy" {
-  description = "Resource snapshot policy details"
+  description = "Resource snapshot policy details."
   value       = google_compute_resource_policy.policy
 }
 
 output "attachments" {
-  description = "Disk attachments to the resource policy"
+  description = "Disk attachments to the resource policy."
   value       = google_compute_disk_resource_policy_attachment.attachment[*]
 }

modules/compute_instance/metadata.yaml

@@ -38,6 +38,8 @@ spec:
         location: examples/instance_template/alias_ip_range
       - name: autoscaler
         location: examples/mig/autoscaler
+      - name: confidential_computing
+        location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
       - name: disk_snapshot

modules/instance_template/metadata.yaml

@@ -38,6 +38,8 @@ spec:
         location: examples/instance_template/alias_ip_range
       - name: autoscaler
         location: examples/mig/autoscaler
+      - name: confidential_computing
+        location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
       - name: disk_snapshot