Support Cloud KMS on Compute-VM module + Fixes (#79)
* * Add support for KMS disk encryption (boot and attached) * Fix Instance Group Example * Fix * * Fix image boot disk * Add example with disk encryption * Fix Title * Improve logic * Fix Readme Fix variable description * Update README.md * update README variables/outputs table * add change to CHANGELOG Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
parent
476c41d333
commit
7f40aba4cd
|
@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
- add support for disk encryption to the `compute-vm` module
|
||||
- new `datafusion` module
|
||||
- new `container-registry` module
|
||||
- new `artifact-registry` module
|
||||
@ -31,12 +31,57 @@ module "simple-vm-example" {
|
|||
}
|
||||
```
|
||||
|
||||
### Disk encryption with Cloud KMS
|
||||
|
||||
This example shows how to control disk encryption via the the `encryption` variable, in this case the self link to a KMS CryptoKey that will be used to encrypt boot and attached disk. Managing the key with the `../kms` module is of course possible, but is not shown here.
|
||||
|
||||
```hcl
|
||||
module "kms-vm-example" {
|
||||
source = "../modules/compute-vm"
|
||||
project_id = local.project_id
|
||||
region = local.region
|
||||
zone = local.zone
|
||||
name = "kms-test"
|
||||
network_interfaces = [{
|
||||
network = local.network_self_link,
|
||||
subnetwork = local.subnet_self_link,
|
||||
nat = false,
|
||||
addresses = null
|
||||
}]
|
||||
attached_disks = [
|
||||
{
|
||||
name = "attached-disk"
|
||||
size = 10
|
||||
image = null
|
||||
options = {
|
||||
auto_delete = true
|
||||
mode = null
|
||||
source = null
|
||||
type = null
|
||||
}
|
||||
}
|
||||
]
|
||||
service_account_create = true
|
||||
instance_count = 1
|
||||
boot_disk = {
|
||||
image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
type = "pd-ssd"
|
||||
size = 10
|
||||
}
|
||||
encryption = {
|
||||
encrypt_boot = true
|
||||
disk_encryption_key_raw = null
|
||||
kms_key_self_link = local.kms_key.self_link
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Instance template
|
||||
|
||||
This example shows how to use the module to manage an instance template that defines an additional attached disk for each instance, and overrides defaults for the boot disk image and service account.
|
||||
|
||||
```hcl
|
||||
module "debian-test" {
|
||||
module "cos-test" {
|
||||
source = "../modules/compute-vm"
|
||||
project_id = "my-project"
|
||||
region = "europe-west1"
|
||||
|
@ -86,11 +131,10 @@ module "instance-group" {
|
|||
}
|
||||
service_account = local.service_account_email
|
||||
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
use_instance_template = true
|
||||
metadata = {
|
||||
user-data = local.cloud_config
|
||||
}
|
||||
group = {}
|
||||
group = { named_ports = {} }
|
||||
}
|
||||
|
||||
```
|
||||
|
@ -108,6 +152,7 @@ module "instance-group" {
|
|||
| *attached_disk_defaults* | Defaults for attached disks options. | <code title="object({ auto_delete = bool mode = string type = string source = string })">object({...})</code> | | <code title="{ auto_delete = true source = null mode = "READ_WRITE" type = "pd-ssd" }">...</code> |
|
||||
| *attached_disks* | Additional disks, if options is null defaults will be used in its place. | <code title="list(object({ name = string image = string size = string options = object({ auto_delete = bool mode = string source = string type = string }) }))">list(object({...}))</code> | | <code title="">[]</code> |
|
||||
| *boot_disk* | Boot disk properties. | <code title="object({ image = string size = number type = string })">object({...})</code> | | <code title="{ image = "projects/debian-cloud/global/images/family/debian-10" type = "pd-ssd" size = 10 }">...</code> |
|
||||
| *encryption* | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = bool disk_encryption_key_raw = string kms_key_self_link = string })">object({...})</code> | | <code title="">null</code> |
|
||||
| *group* | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({...})</code> | | <code title="">null</code> |
|
||||
| *hostname* | Instance FQDN name. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *instance_count* | Number of instances to create (only for non-template usage). | <code title="">number</code> | | <code title="">1</code> |
|
||||
|
@ -66,6 +66,14 @@ resource "google_compute_disk" "disks" {
|
|||
disk_type = local.attached_disks[each.value.disk_name].options.type
|
||||
image = local.attached_disks[each.value.disk_name].image
|
||||
})
|
||||
dynamic disk_encryption_key {
|
||||
for_each = var.encryption != null ? [""] : []
|
||||
|
||||
content {
|
||||
raw_key = var.encryption.disk_encryption_key_raw
|
||||
kms_key_self_link = var.encryption.kms_key_self_link
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_instance" "default" {
|
||||
|
@ -103,6 +111,8 @@ resource "google_compute_instance" "default" {
|
|||
image = var.boot_disk.image
|
||||
size = var.boot_disk.size
|
||||
}
|
||||
disk_encryption_key_raw = var.encryption != null ? var.encryption.disk_encryption_key_raw : null
|
||||
kms_key_self_link = var.encryption != null ? var.encryption.kms_key_self_link : null
|
||||
}
|
||||
|
||||
dynamic network_interface {
|
||||
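Review bot: The two boot-disk attributes added in `google_compute_instance.default`, `disk_encryption_key_raw = var.encryption != null ? var.encryption.disk_encryption_key_raw : null` and `kms_key_self_link = var.encryption != null ? var.encryption.kms_key_self_link : null`, apply the key whenever `var.encryption` is set, so the `encrypt_boot` field this commit adds to the variable has no effect in this resource and `encrypt_boot = false` still encrypts the boot disk with the supplied key. Unless the flag is honoured somewhere outside the hunk (an instance-template resource is not visible here), gate both attributes on it with the same null-safe idiom: `disk_encryption_key_raw = var.encryption != null ? (var.encryption.encrypt_boot ? var.encryption.disk_encryption_key_raw : null) : null` and `kms_key_self_link = var.encryption != null ? (var.encryption.encrypt_boot ? var.encryption.kms_key_self_link : null) : null`. The `dynamic disk_encryption_key` block on `google_compute_disk.disks` is rightly independent of `encrypt_boot`, since the variable description scopes that flag to the boot disk only; a one-line comment above the two instance attributes, `# boot disk is encrypted only when encryption.encrypt_boot is true`, would make that split visible in the code. The `google_compute_instance.default` resource continues outside the hunk.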
|
@ -60,6 +60,16 @@ variable "boot_disk" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "encryption" {
|
||||
description = "Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk."
|
||||
type = object({
|
||||
encrypt_boot = bool
|
||||
disk_encryption_key_raw = string
|
||||
kms_key_self_link = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "group" {
|
||||
description = "Define this variable to create an instance group for instances. Disabled for template use."
|
||||
type = object({
|
||||
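Review bot: The description of `variable "encryption"` states that only one of `kms_key_self_link` and `disk_encryption_key_raw` may be set, but nothing in the variable enforces it, so a caller who sets both gets whatever the provider does with two keys on the same disk instead of a plan-time error. If the module targets Terraform 0.13 or later, a `validation` block turns the documented rule into a check; the nested conditional below avoids dereferencing a null `var.encryption`, matching the `var.encryption != null ? … : null` idiom the commit uses in main.tf. Separately, `disk_encryption_key_raw` is a raw customer-supplied key that is written to plan output and state, which the description could state in one sentence so callers can choose their state backend and access controls accordingly. The `variable "group"` block continues outside the hunk.
```hcl
variable "encryption" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      var.encryption == null
      ? true
      : var.encryption.disk_encryption_key_raw == null || var.encryption.kms_key_self_link == null
    )
    error_message = "Only one of kms_key_self_link and disk_encryption_key_raw may be set."
  }
}
```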