feat: add confidential computing example (#421)
arthurlapertosa authored Sep 9, 2024
1 parent a1c19b0 commit ddb6985
Showing 20 changed files with 404 additions and 6 deletions.
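--- a/examples/confidential_computing/README.md
+++ b/examples/confidential_computing/README.md
@@ -0,0 +1,30 @@
+# confidential computing vm
+
+This is an example of a vm creation with confidential computing,
+encrypted disk using a multiregion (US by default) Cloud HSM key
+and a custom service account with cloud-platform scope.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| key | Key name. | `string` | n/a | yes |
+| keyring | Keyring name. | `string` | n/a | yes |
+| location | Location for the resources (keyring, key, network, etc.). | `string` | `"us"` | no |
+| project\_id | The Google Cloud project ID. | `string` | n/a | yes |
+| region | The GCP region to create and test resources in. | `string` | `"us-central1"` | no |
+| service\_account\_roles | Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM. | `list(string)` | `[]` | no |
+| subnetwork | The subnetwork selflink to host the compute instances in. | `string` | n/a | yes |
+| suffix | A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring). | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance\_self\_link | Self-link for compute instance. |
+| name | Name of the instance templates. |
+| self\_link | Self-link to the instance template. |
+| suffix | Suffix used as an identifier for resources. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->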
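--- a/examples/confidential_computing/main.tf
+++ b/examples/confidential_computing/main.tf
@@ -0,0 +1,98 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+locals {
+default_suffix = var.suffix == "" ? random_string.suffix.result : "${random_string.suffix.result}-${var.suffix}"
+key_name = "${var.key}-${local.default_suffix}"
+}
+
+resource "random_string" "suffix" {
+length = 4
+special = false
+upper = false
+}
+
+module "kms" {
+source = "terraform-google-modules/kms/google"
+version = "2.3.0"
+
+keyring = "${var.keyring}-${local.default_suffix}"
+location = var.location
+project_id = var.project_id
+keys = [local.key_name]
+purpose = "ENCRYPT_DECRYPT"
+key_protection_level = "HSM"
+prevent_destroy = false
+}
+
+resource "google_service_account" "default" {
+project = var.project_id
+account_id = "confidential-compute-sa"
+display_name = "Custom SA for confidential VM Instance"
+}
+
+resource "google_project_iam_member" "service_account_roles" {
+for_each = toset(var.service_account_roles)
+
+project = var.project_id
+role = each.key
+member = "serviceAccount:${google_service_account.default.email}"
+}
+
+data "google_project" "project" {
+project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+crypto_key_id = module.kms.keys[local.key_name]
+role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+members = [
+"serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
+]
+}
+
+module "instance_template" {
+source = "../../modules/instance_template"
+
+region = var.region
+project_id = var.project_id
+subnetwork = var.subnetwork
+
+name_prefix = "confidential-encrypted-template"
+source_image_project = "ubuntu-os-cloud"
+source_image = "ubuntu-2004-lts"
+machine_type = "n2d-standard-2"
+min_cpu_platform = "AMD Milan"
+enable_confidential_vm = true
+confidential_instance_type = "SEV"
+
+service_account = {
+email = google_service_account.default.email
+scopes = ["cloud-platform"]
+}
+disk_encryption_key = module.kms.keys[local.key_name]
+}
+
+module "compute_instance" {
+source = "terraform-google-modules/vm/google//modules/compute_instance"
+version = "~> 11.0"
+
+region = var.region
+subnetwork = var.subnetwork
+hostname = "confidential-encrypted-instance"
+instance_template = module.instance_template.self_link
+deletion_protection = false
+}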
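Review bot: The `module "instance_template"` block references `module.kms.keys[local.key_name]` but not `google_kms_crypto_key_iam_binding.crypto_key`, so on a fresh apply Terraform may try to create the CMEK-encrypted template before the Compute Engine service agent's `cryptoKeyEncrypterDecrypter` grant exists or has propagated; adding `depends_on = [google_kms_crypto_key_iam_binding.crypto_key]` inside that module block makes the ordering explicit. The `google_kms_crypto_key_iam_binding` resource is also authoritative for that role on the key, so any encrypter/decrypter member granted to this key outside the example is removed on the next apply; `google_kms_crypto_key_iam_member` with the same `role` and `member` is the non-destructive form and is what an example most readers will copy should show. Separately, `confidential_instance_type = "SEV"` gives memory encryption but, as far as I can tell, not a guest-attestable launch measurement — a README sentence noting that `SEV_SNP` is the option to choose when remote attestation of the VM is a requirement (and that it constrains machine type and image choice) would save users from discovering this after deployment.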
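--- a/examples/confidential_computing/outputs.tf
+++ b/examples/confidential_computing/outputs.tf
@@ -0,0 +1,36 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+
+output "self_link" {
+description = "Self-link to the instance template."
+value = module.instance_template.self_link
+}
+
+output "name" {
+description = "Name of the instance templates."
+value = module.instance_template.name
+}
+
+output "instance_self_link" {
+description = "Self-link for compute instance."
+value = module.compute_instance.instances_self_links[0]
+}
+
+output "suffix" {
+description = "Suffix used as an identifier for resources."
+value = local.default_suffix
+}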
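--- a/examples/confidential_computing/variables.tf
+++ b/examples/confidential_computing/variables.tf
@@ -0,0 +1,59 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "project_id" {
+description = "The Google Cloud project ID."
+type = string
+}
+
+variable "region" {
+description = "The GCP region to create and test resources in."
+type = string
+default = "us-central1"
+}
+
+variable "subnetwork" {
+description = "The subnetwork selflink to host the compute instances in."
+type = string
+}
+
+variable "location" {
+description = "Location for the resources (keyring, key, network, etc.)."
+type = string
+default = "us"
+}
+
+variable "suffix" {
+description = "A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring)."
+type = string
+default = ""
+}
+
+variable "keyring" {
+description = "Keyring name."
+type = string
+}
+
+variable "key" {
+description = "Key name."
+type = string
+}
+
+variable "service_account_roles" {
+description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM."
+type = list(string)
+default = []
+}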
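Review bot: `service_account_roles` is passed straight into `google_project_iam_member` in main.tf with no guard, so a caller can hand the VM's service account `roles/owner` or `roles/editor` at project scope while the description only asks for least privilege; a `validation` block rejecting the basic roles enforces what the description promises without restricting predefined roles. The `location` description also says "network, etc.", but this example creates no network resource — `"Location for the KMS keyring and key."` describes what the variable actually controls. The validation below assumes the repository's minimum Terraform version supports variable validation (0.13+); worth confirming against the module's `versions.tf`, which is outside this diff.

```hcl
variable "service_account_roles" {
  description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM."
  type        = list(string)
  default     = []

  validation {
    condition     = length(setintersection(toset(var.service_account_roles), toset(["roles/owner", "roles/editor", "roles/viewer"]))) == 0
    error_message = "Basic roles (roles/owner, roles/editor, roles/viewer) are not allowed for the VM service account; grant predefined roles only."
  }
}
```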
2 changes: 2 additions & 0 deletions metadata.yaml
Expand Up @@ -48,6 +48,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
4 changes: 2 additions & 2 deletions modules/compute_disk_snapshot/README.md
Expand Up @@ -26,7 +26,7 @@ See the [disk snapshot](https://github.com/terraform-google-modules/terraform-go

| Name | Description |
|------|-------------|
| attachments | Disk attachments to the resource policy |
| policy | Resource snapshot policy details |
| attachments | Disk attachments to the resource policy. |
| policy | Resource snapshot policy details. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
6 changes: 4 additions & 2 deletions modules/compute_disk_snapshot/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
Expand Down Expand Up @@ -148,9 +150,9 @@ spec:
required: true
outputs:
- name: attachments
description: Disk attachments to the resource policy
description: Disk attachments to the resource policy.
- name: policy
description: Resource snapshot policy details
description: Resource snapshot policy details.
requirements:
roles:
- level: Project
4 changes: 2 additions & 2 deletions modules/compute_disk_snapshot/outputs.tf
Expand Up @@ -15,11 +15,11 @@
*/

output "policy" {
description = "Resource snapshot policy details"
description = "Resource snapshot policy details."
value = google_compute_resource_policy.policy
}

output "attachments" {
description = "Disk attachments to the resource policy"
description = "Disk attachments to the resource policy."
value = google_compute_disk_resource_policy_attachment.attachment[*]
}
2 changes: 2 additions & 0 deletions modules/compute_instance/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
2 changes: 2 additions & 0 deletions modules/instance_template/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
2 changes: 2 additions & 0 deletions modules/mig/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
2 changes: 2 additions & 0 deletions modules/mig_with_percent/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
2 changes: 2 additions & 0 deletions modules/umig/metadata.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
location: examples/instance_template/alias_ip_range
- name: autoscaler
location: examples/mig/autoscaler
- name: confidential_computing
location: examples/confidential_computing
- name: confidential_computing
location: examples/instance_template/confidential_computing
- name: disk_snapshot
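--- a/test/fixtures/confidential_compute_instance/main.tf
+++ b/test/fixtures/confidential_compute_instance/main.tf
@@ -0,0 +1,25 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+module "confidential_computing" {
+source = "../../../examples/confidential_computing"
+project_id = var.project_id
+region = "us-central1"
+subnetwork = google_compute_subnetwork.main.self_link
+keyring = "key-ring-test"
+key = "key-test"
+service_account_roles = ["roles/compute.imageUser", "roles/compute.networkUser"]
+}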
1 change: 1 addition & 0 deletions test/fixtures/confidential_compute_instance/network.tf
