Merge pull request #38 from onetwopunch/support-shielded-vm

Support Shielded VMs in Instance Template

Author: morgante

modules/instance_template/README.md

@@ -20,6 +20,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | string | `"false"` | no |
 | disk\_size\_gb | Boot disk size in GB | string | `"100"` | no |
 | disk\_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | string | `"pd-standard"` | no |
+| enable\_shielded\_vm | Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images | string | `"false"` | no |
 | labels | Labels, provided as a map | map(string) | `<map>` | no |
 | machine\_type | Machine type to create, e.g. n1-standard-1 | string | `"n1-standard-1"` | no |
 | metadata | Metadata, provided as a map | map(string) | `<map>` | no |
@@ -28,9 +29,10 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | preemptible | Allow the instance to be preempted | bool | `"false"` | no |
 | project\_id | The GCP project ID | string | `"null"` | no |
 | service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account. | object | n/a | yes |
+| shielded\_instance\_config | Not used unless enable_shielded_vm is true. Shielded VM configuration for the instance. | object | `<map>` | no |
 | source\_image | Source disk image. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image. | string | `""` | no |
-| source\_image\_family | Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image. | string | `""` | no |
-| source\_image\_project | Project where the source image comes from | string | `""` | no |
+| source\_image\_family | Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image. | string | `"centos-7"` | no |
+| source\_image\_project | Project where the source image comes from. The default project contains images that support Shielded VMs if desired | string | `"gce-uefi-images"` | no |
 | startup\_script | User startup script to run when instances spin up | string | `""` | no |
 | subnetwork | The name of the subnetwork to attach this interface to. The subnetwork must exist in the same region this instance will be created in. Either network or subnetwork must be provided. | string | `""` | no |
 | subnetwork\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the provider project is used. | string | `""` | no |

modules/instance_template/main.tf

@@ -43,6 +43,12 @@ locals {
   ]
 
   all_disks = concat(local.boot_disk, var.additional_disks)
+
+  # NOTE: Even if all the shielded_instance_config values are false, if the
+  # config block exists and an unsupported image is chosen, the apply will fail
+  # so we use a single-value array with the default value to initialize the block
+  # only if it is enabled.
+  shielded_vm_configs = var.enable_shielded_vm ? [true] : []
 }
 
 ####################
@@ -80,6 +86,7 @@ resource "google_compute_instance_template" "tpl" {
       }
     }
   }
+
   dynamic "service_account" {
     for_each = [var.service_account]
     content {
@@ -98,9 +105,18 @@ resource "google_compute_instance_template" "tpl" {
     create_before_destroy = "true"
   }
 
-  // scheduling must have automatic_restart be false when preemptible is true.
+  # scheduling must have automatic_restart be false when preemptible is true.
   scheduling {
     preemptible       = var.preemptible
     automatic_restart = ! var.preemptible
   }
+
+  dynamic "shielded_instance_config" {
+    for_each = local.shielded_vm_configs
+    content {
+      enable_secure_boot          = lookup(var.shielded_instance_config, "enable_secure_boot", shielded_instance_config.value)
+      enable_vtpm                 = lookup(var.shielded_instance_config, "enable_vtpm", shielded_instance_config.value)
+      enable_integrity_monitoring = lookup(var.shielded_instance_config, "enable_integrity_monitoring", shielded_instance_config.value)
+    }
+  }
 }

modules/instance_template/variables.tf

@@ -63,12 +63,12 @@ variable "source_image" {
 
 variable "source_image_family" {
   description = "Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image."
-  default     = ""
+  default     = "centos-7"
 }
 
 variable "source_image_project" {
-  description = "Project where the source image comes from"
-  default     = ""
+  description = "Project where the source image comes from. The default project contains images that support Shielded VMs if desired"
+  default     = "gce-uefi-images"
 }
 
 variable "disk_size_gb" {
@@ -141,3 +141,26 @@ variable "service_account" {
   })
   description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account."
 }
+
+###########################
+# Shielded VMs
+###########################
+variable "enable_shielded_vm" {
+  default     = false
+  description = "Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images"
+}
+
+variable "shielded_instance_config" {
+  description = "Not used unless enable_shielded_vm is true. Shielded VM configuration for the instance."
+  type = object({
+    enable_secure_boot          = bool
+    enable_vtpm                 = bool
+    enable_integrity_monitoring = bool
+  })
+
+  default = {
+    enable_secure_boot          = true
+    enable_vtpm                 = true
+    enable_integrity_monitoring = true
+  }
+}