Add support for confidential compute to compute-vm module (#179)
* add support for confidential compute
* add support for confidential compute to instance template
parent
2c0f949f07
commit
7aaf24afd3
|
@ -9,7 +9,7 @@ In both modes, an optional service account can be created and assigned to either
|
|||
|
||||
## Examples
|
||||
|
||||
### Instance leveraging defaults
|
||||
### Instance using defaults
|
||||
|
||||
The simplest example leverages defaults for the boot disk image and size, and uses a service account created by the module. Multiple instances can be managed via the `instance_count` variable.
|
||||
|
||||
|
@ -189,6 +189,7 @@ module "instance-group" {
|
|||
| *attached_disks* | Additional disks, if options is null defaults will be used in its place. | <code title="list(object({ name = string image = string size = string options = object({ auto_delete = bool mode = string source = string type = string }) }))">list(object({...}))</code> | | <code title="">[]</code> |
|
||||
| *boot_disk* | Boot disk properties. | <code title="object({ image = string size = number type = string })">object({...})</code> | | <code title="{ image = "projects/debian-cloud/global/images/family/debian-10" type = "pd-ssd" size = 10 }">...</code> |
|
||||
| *can_ip_forward* | Enable IP forwarding. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *confidential_compute* | Enable Confidential Compute for these instances. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *enable_display* | Enable virtual display on the instances | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *encryption* | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = bool disk_encryption_key_raw = string kms_key_self_link = string })">object({...})</code> | | <code title="">null</code> |
|
||||
| *group* | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({...})</code> | | <code title="">null</code> |
|
||||
|
|
|
@ -25,6 +25,11 @@ locals {
|
|||
for pair in setproduct(keys(local.names), keys(local.attached_disks)) :
|
||||
"${pair[0]}-${pair[1]}" => { disk_name = pair[1], name = pair[0] }
|
||||
}
|
||||
on_host_maintenance = (
|
||||
var.options.preemptible || var.confidential_compute
|
||||
? "TERMINATE"
|
||||
: "MIGRATE"
|
||||
)
|
||||
iam_members = var.use_instance_template ? {} : {
|
||||
for pair in setproduct(keys(var.iam), keys(local.names)) :
|
||||
"${pair.0}/${pair.1}" => { role = pair.0, name = pair.1, members = var.iam[pair.0] }
|
||||
|
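Review bot: The new `on_host_maintenance` local silently forces `TERMINATE` whenever `var.confidential_compute` is set, and nothing in the hunk says why a reader should not "fix" it back to `MIGRATE`; a one-line comment above the conditional would settle that, e.g. `# confidential instances do not support live migration, so they (like preemptible ones) must TERMINATE on host maintenance`. The enclosing `locals` block starts before this hunk.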
@ -89,6 +94,7 @@ resource "google_compute_disk" "disks" {
|
|||
}
|
||||
|
||||
resource "google_compute_instance" "default" {
|
||||
provider = google-beta
|
||||
for_each = var.use_instance_template ? {} : local.names
|
||||
project = var.project_id
|
||||
zone = local.zones[each.key]
|
||||
|
@ -130,6 +136,13 @@ resource "google_compute_instance" "default" {
|
|||
kms_key_self_link = var.encryption != null ? var.encryption.kms_key_self_link : null
|
||||
}
|
||||
|
||||
dynamic confidential_instance_config {
|
||||
for_each = var.confidential_compute ? [""] : []
|
||||
content {
|
||||
enable_confidential_compute = true
|
||||
}
|
||||
}
|
||||
|
||||
dynamic network_interface {
|
||||
for_each = var.network_interfaces
|
||||
iterator = config
|
||||
|
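Review bot: The `for_each = var.confidential_compute ? [""] : []` idiom in the new `dynamic confidential_instance_config` block is opaque to anyone who has not met it before; a short comment such as `# one-element list emits the block exactly once when enabled, nothing otherwise` would help. The identical block is repeated verbatim in `google_compute_instance_template.default` (the hunk at `@ -225,6 +239,13`), so the same comment applies there, and the duplication is worth keeping in mind if the block ever grows beyond a single attribute. The enclosing `google_compute_instance.default` resource starts and ends outside this hunk.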
@ -163,7 +176,7 @@ resource "google_compute_instance" "default" {
|
|||
|
||||
scheduling {
|
||||
automatic_restart = ! var.options.preemptible
|
||||
on_host_maintenance = var.options.preemptible ? "TERMINATE" : "MIGRATE"
|
||||
on_host_maintenance = local.on_host_maintenance
|
||||
preemptible = var.options.preemptible
|
||||
}
|
||||
|
||||
|
@ -206,6 +219,7 @@ resource "google_compute_instance_iam_binding" "default" {
|
|||
}
|
||||
|
||||
resource "google_compute_instance_template" "default" {
|
||||
provider = google-beta
|
||||
count = var.use_instance_template ? 1 : 0
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
|
@ -225,6 +239,13 @@ resource "google_compute_instance_template" "default" {
|
|||
boot = true
|
||||
}
|
||||
|
||||
dynamic confidential_instance_config {
|
||||
for_each = var.confidential_compute ? [""] : []
|
||||
content {
|
||||
enable_confidential_compute = true
|
||||
}
|
||||
}
|
||||
|
||||
dynamic disk {
|
||||
for_each = local.attached_disks
|
||||
iterator = config
|
||||
|
@ -255,7 +276,7 @@ resource "google_compute_instance_template" "default" {
|
|||
|
||||
scheduling {
|
||||
automatic_restart = ! var.options.preemptible
|
||||
on_host_maintenance = var.options.preemptible ? "TERMINATE" : "MIGRATE"
|
||||
on_host_maintenance = local.on_host_maintenance
|
||||
preemptible = var.options.preemptible
|
||||
}
|
||||
|
||||
|
|
|
@ -66,6 +66,12 @@ variable "can_ip_forward" {
|
|||
default = false
|
||||
}
|
||||
|
||||
variable "confidential_compute" {
|
||||
description = "Enable Confidential Compute for these instances."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "encryption" {
|
||||
description = "Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk."
|
||||
type = object({
|
||||
|
|
|
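Review bot: The `confidential_compute` variable's description does not mention the side effect the module applies elsewhere in this commit, namely that enabling it overrides the scheduling to `on_host_maintenance = "TERMINATE"` regardless of `var.options`; users reading only the variable (or the README table generated from it) will not expect that. Suggested wording: `description = "Enable Confidential Compute for these instances. Forces on_host_maintenance to TERMINATE, since confidential instances cannot be live migrated."`.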
@ -0,0 +1,22 @@
|
|||
/**
|
||||
* Copyright 2020 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
terraform {
|
||||
required_version = ">= 0.13.0"
|
||||
required_providers {
|
||||
google-beta = ">= 3.36.0"
|
||||
}
|
||||
}
|
|
@ -24,6 +24,7 @@ module "test" {
|
|||
service_account_create = var.service_account_create
|
||||
instance_count = var.instance_count
|
||||
use_instance_template = var.use_instance_template
|
||||
confidential_compute = var.confidential_compute
|
||||
group = var.group
|
||||
iam = var.iam
|
||||
metadata = var.metadata
|
||||
|
|
|
@ -14,6 +14,11 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "confidential_compute" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "group" {
|
||||
type = any
|
||||
default = null
|
||||
|
|
|
@ -75,3 +75,22 @@ def test_iam(plan_runner):
|
|||
'roles/iam.serviceAccountUser/test-1': ['user:a@a.com'],
|
||||
'roles/iam.serviceAccountUser/test-2': ['user:a@a.com'],
|
||||
}
|
||||
|
||||
|
||||
def test_confidential_compute(plan_runner):
|
||||
_, resources = plan_runner(FIXTURES_DIR, instance_count=1,
|
||||
confidential_compute='true')
|
||||
assert len(resources) == 1
|
||||
assert resources[0]['values']['confidential_instance_config'] == [
|
||||
{'enable_confidential_compute': True}]
|
||||
assert resources[0]['values']['scheduling'][0]['on_host_maintenance'] == 'TERMINATE'
|
||||
|
||||
|
||||
def test_confidential_compute_template(plan_runner):
|
||||
_, resources = plan_runner(FIXTURES_DIR, instance_count=1,
|
||||
confidential_compute='true',
|
||||
use_instance_template='true')
|
||||
assert len(resources) == 1
|
||||
assert resources[0]['values']['confidential_instance_config'] == [
|
||||
{'enable_confidential_compute': True}]
|
||||
assert resources[0]['values']['scheduling'][0]['on_host_maintenance'] == 'TERMINATE'
|
||||
|
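Review bot: Both new tests only exercise the enabled path; nothing asserts that the default (`confidential_compute` unset) still yields no `confidential_instance_config` block and keeps `on_host_maintenance` at `MIGRATE`, so a regression in the `[""] : []` conditional or in the new local would go unnoticed. A negative test along the lines below would close that gap; the exact empty representation of the nested block depends on how `plan_runner` exposes plan values, so adjust the `== []` comparison if the fixture reports it differently. `FIXTURES_DIR` and `plan_runner` are defined outside this hunk.
```python
def test_confidential_compute_disabled(plan_runner):
    _, resources = plan_runner(FIXTURES_DIR, instance_count=1)
    assert len(resources) == 1
    assert resources[0]['values']['confidential_instance_config'] == []
    assert resources[0]['values']['scheduling'][0]['on_host_maintenance'] == 'MIGRATE'
```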
|