Add Shielded VM config option to compute-vm (#111)

* Add shielded config option to compute-vm * Update CHANGELOG
2020-07-09 08:09:47 +02:00 · 2020-07-09 08:09:47 +02:00 · 569e52e12a
parent 4beedc5ba8
commit 569e52e12a
4 changed files with 23 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.

 ## [Unreleased]

+- add support for Shielded VM to `compute-vm`
+
 ## [2.4.1] - 2020-07-06

 - better fix external IP assignment in `compute-vm`
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@ -167,6 +167,7 @@ module "instance-group" {
 | *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> |  | <code title="">null</code> |
 | *service_account_create* | Auto-create service account. | <code title="">bool</code> |  | <code title="">false</code> |
 | *service_account_scopes* | Scopes applied to service account. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *shielded_config* | Shielded VM configuration of the instances. | <code title="object&#40;&#123;&#10;enable_secure_boot          &#61; bool&#10;enable_vtpm                 &#61; bool&#10;enable_integrity_monitoring &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *tags* | Instance tags. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *use_instance_template* | Create instance template instead of instances. | <code title="">bool</code> |  | <code title="">false</code> |

--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@ -163,9 +163,17 @@ resource "google_compute_instance" "default" {
    scopes = local.service_account_scopes
  }

-  # guest_accelerator
-  # shielded_instance_config
+  dynamic shielded_instance_config {
+    for_each = var.shielded_config != null ? [var.shielded_config] : []
+    iterator = config
+    content {
+      enable_secure_boot          = config.value.enable_secure_boot
+      enable_vtpm                 = config.value.enable_vtpm
+      enable_integrity_monitoring = config.value.enable_integrity_monitoring
+    }
+  }

+  # guest_accelerator
 }

 resource "google_compute_instance_iam_binding" "default" {
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@ -218,3 +218,13 @@ variable "zone" {
  description = "Compute zone."
  type        = string
 }
+
+variable "shielded_config" {
+  description = "Shielded VM configuration of the instances."
+  type = object({
+    enable_secure_boot          = bool
+    enable_vtpm                 = bool
+    enable_integrity_monitoring = bool
+  })
+  default = null
+}