zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for confidential compute to compute-vm module (#179) 

* add support for confidential compute

* add support for confidential compute to instance template
This commit is contained in:
Ludovico Magnocavallo 2020-12-05 09:14:12 +01:00 committed by GitHub
parent 2c0f949f07
commit 7aaf24afd3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 78 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
modules/compute-vm/README.md
View File

@ -9,7 +9,7 @@ In both modes, an optional service account can be created and assigned to either
## Examples
### Instance leveraging defaults
### Instance using defaults
The simplest example leverages defaults for the boot disk image and size, and uses a service account created by the module. Multiple instances can be managed via the `instance_count` variable.
@ -189,6 +189,7 @@ module "instance-group" {
| *attached_disks* | Additional disks, if options is null defaults will be used in its place. | <code title="list&#40;object&#40;&#123;&#10;name &#61; string&#10;image &#61; string&#10;size &#61; string&#10;options &#61; object&#40;&#123;&#10;auto_delete &#61; bool&#10;mode &#61; string&#10;source &#61; string&#10;type &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">list(object({...}))</code> | | <code title="">[]</code> |
| *boot_disk* | Boot disk properties. | <code title="object&#40;&#123;&#10;image &#61; string&#10;size &#61; number&#10;type &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;image &#61; &#34;projects&#47;debian-cloud&#47;global&#47;images&#47;family&#47;debian-10&#34;&#10;type &#61; &#34;pd-ssd&#34;&#10;size &#61; 10&#10;&#125;">...</code> |
| *can_ip_forward* | Enable IP forwarding. | <code title="">bool</code> | | <code title="">false</code> |
| *confidential_compute* | Enable Confidential Compute for these instances. | <code title="">bool</code> | | <code title="">false</code> |
| *enable_display* | Enable virtual display on the instances | <code title="">bool</code> | | <code title="">false</code> |
| *encryption* | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object&#40;&#123;&#10;encrypt_boot &#61; bool&#10;disk_encryption_key_raw &#61; string&#10;kms_key_self_link &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *group* | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object&#40;&#123;&#10;named_ports &#61; map&#40;number&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |

25
modules/compute-vm/main.tf
View File

@ -25,6 +25,11 @@ locals {
for pair in setproduct(keys(local.names), keys(local.attached_disks)) :
"${pair[0]}-${pair[1]}" => { disk_name = pair[1], name = pair[0] }
}
on_host_maintenance = (
var.options.preemptible || var.confidential_compute
? "TERMINATE"
: "MIGRATE"
)
iam_members = var.use_instance_template ? {} : {
for pair in setproduct(keys(var.iam), keys(local.names)) :
"${pair.0}/${pair.1}" => { role = pair.0, name = pair.1, members = var.iam[pair.0] }
@ -89,6 +94,7 @@ resource "google_compute_disk" "disks" {
}
resource "google_compute_instance" "default" {
provider = google-beta
for_each = var.use_instance_template ? {} : local.names
project = var.project_id
zone = local.zones[each.key]
@ -130,6 +136,13 @@ resource "google_compute_instance" "default" {
kms_key_self_link = var.encryption != null ? var.encryption.kms_key_self_link : null
}
dynamic confidential_instance_config {
for_each = var.confidential_compute ? [""] : []
content {
enable_confidential_compute = true
}
}
dynamic network_interface {
for_each = var.network_interfaces
iterator = config
@ -163,7 +176,7 @@ resource "google_compute_instance" "default" {
scheduling {
automatic_restart = ! var.options.preemptible
on_host_maintenance = var.options.preemptible ? "TERMINATE" : "MIGRATE"
on_host_maintenance = local.on_host_maintenance
preemptible = var.options.preemptible
}
@ -206,6 +219,7 @@ resource "google_compute_instance_iam_binding" "default" {
}
resource "google_compute_instance_template" "default" {
provider = google-beta
count = var.use_instance_template ? 1 : 0
project = var.project_id
region = var.region
@ -225,6 +239,13 @@ resource "google_compute_instance_template" "default" {
boot = true
}
dynamic confidential_instance_config {
for_each = var.confidential_compute ? [""] : []
content {
enable_confidential_compute = true
}
}
dynamic disk {
for_each = local.attached_disks
iterator = config
@ -255,7 +276,7 @@ resource "google_compute_instance_template" "default" {
scheduling {
automatic_restart = ! var.options.preemptible
on_host_maintenance = var.options.preemptible ? "TERMINATE" : "MIGRATE"
on_host_maintenance = local.on_host_maintenance
preemptible = var.options.preemptible
}

6
modules/compute-vm/variables.tf
View File

@ -66,6 +66,12 @@ variable "can_ip_forward" {
default = false
}
variable "confidential_compute" {
description = "Enable Confidential Compute for these instances."
type = bool
default = false
}
variable "encryption" {
description = "Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk."
type = object({

22
modules/compute-vm/versions.tf Normal file
View File

@ -0,0 +1,22 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_version = ">= 0.13.0"
required_providers {
google-beta = ">= 3.36.0"
}
}

1
tests/modules/compute_vm/fixture/main.tf
View File

@ -24,6 +24,7 @@ module "test" {
service_account_create = var.service_account_create
instance_count = var.instance_count
use_instance_template = var.use_instance_template
confidential_compute = var.confidential_compute
group = var.group
iam = var.iam
metadata = var.metadata

5
tests/modules/compute_vm/fixture/variables.tf
View File

@ -14,6 +14,11 @@
* limitations under the License.
*/
variable "confidential_compute" {
type = bool
default = false
}
variable "group" {
type = any
default = null

19
tests/modules/compute_vm/test_plan.py
View File

@ -75,3 +75,22 @@ def test_iam(plan_runner):
'roles/iam.serviceAccountUser/test-1': ['user:a@a.com'],
'roles/iam.serviceAccountUser/test-2': ['user:a@a.com'],
}
def test_confidential_compute(plan_runner):
_, resources = plan_runner(FIXTURES_DIR, instance_count=1,
confidential_compute='true')
assert len(resources) == 1
assert resources[0]['values']['confidential_instance_config'] == [
{'enable_confidential_compute': True}]
assert resources[0]['values']['scheduling'][0]['on_host_maintenance'] == 'TERMINATE'
def test_confidential_compute_template(plan_runner):
_, resources = plan_runner(FIXTURES_DIR, instance_count=1,
confidential_compute='true',
use_instance_template='true')
assert len(resources) == 1
assert resources[0]['values']['confidential_instance_config'] == [
{'enable_confidential_compute': True}]
assert resources[0]['values']['scheduling'][0]['on_host_maintenance'] == 'TERMINATE'