From a179ef7de6a8d4147f19f0694bf4cb83a2fcdf0c Mon Sep 17 00:00:00 2001
From: Arthur de Lapertosa Lisboa
Date: Fri, 19 Jul 2024 15:52:54 -0300
Subject: [PATCH 1/5] feat: add confidential_instance_type to instance_template module
---
 .../confidential_computing/main.tf | 32 +++++++++++++++
 .../confidential_computing/outputs.tf | 26 ++++++++++++
 .../confidential_computing/variables.tf | 40 ++++++++++++++++++
 metadata.yaml | 2 +
 modules/compute_disk_snapshot/metadata.yaml | 2 +
 modules/compute_instance/metadata.yaml | 2 +
 modules/instance_template/README.md | 1 +
 modules/instance_template/main.tf | 14 +++++--
 modules/instance_template/metadata.yaml | 6 +++
 modules/instance_template/variables.tf | 6 +++
 modules/mig/metadata.yaml | 2 +
 modules/mig_with_percent/metadata.yaml | 2 +
 .../metadata.yaml | 2 +
 modules/umig/metadata.yaml | 2 +
 .../confidential_instance_template/main.tf | 23 +++++++++++
 .../confidential_instance_template/network.tf | 1 +
 .../confidential_instance_template/outputs.tf | 35 ++++++++++++++++
 .../variables.tf | 29 +++++++++++++
 .../versions.tf | 19 +++++++++
 .../confidential_instance_template_test.go | 41 +++++++++++++++++++
 20 files changed, 283 insertions(+), 4 deletions(-)
 create mode 100644 examples/instance_template/confidential_computing/main.tf
 create mode 100644 examples/instance_template/confidential_computing/outputs.tf
 create mode 100644 examples/instance_template/confidential_computing/variables.tf
 create mode 100644 test/fixtures/confidential_instance_template/main.tf
 create mode 120000 test/fixtures/confidential_instance_template/network.tf
 create mode 100644 test/fixtures/confidential_instance_template/outputs.tf
 create mode 100644 test/fixtures/confidential_instance_template/variables.tf
 create mode 100644 test/fixtures/confidential_instance_template/versions.tf
 create mode 100644 test/integration/confidential_instance_template/confidential_instance_template_test.go
diff --git a/examples/instance_template/confidential_computing/main.tf b/examples/instance_template/confidential_computing/main.tf
new file mode 100644
index 00000000..f46a18c8
--- /dev/null
+++ b/examples/instance_template/confidential_computing/main.tf
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "instance_template" {
+ source = "../../../modules/instance_template"
+
+ region = var.region
+ project_id = var.project_id
+ service_account = var.service_account
+ subnetwork = var.subnetwork
+
+ name_prefix = "confidential-template"
+ source_image_project = "ubuntu-os-cloud"
+ source_image = "ubuntu-2004-lts"
+ machine_type = "n2d-standard-2"
+ min_cpu_platform = "AMD Milan"
+ enable_confidential_vm = true
+ confidential_instance_type = "SEV_SNP"
+}
diff --git a/examples/instance_template/confidential_computing/outputs.tf b/examples/instance_template/confidential_computing/outputs.tf
new file mode 100644
index 00000000..4f405c44
--- /dev/null
+++ b/examples/instance_template/confidential_computing/outputs.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+output "self_link" {
+ description = "Self-link to the instance template."
+ value = module.instance_template.self_link
+}
+
+output "name" {
+ description = "Name of the instance templates."
+ value = module.instance_template.name
+}
diff --git a/examples/instance_template/confidential_computing/variables.tf b/examples/instance_template/confidential_computing/variables.tf
new file mode 100644
index 00000000..ea9b5990
--- /dev/null
+++ b/examples/instance_template/confidential_computing/variables.tf
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The Google Cloud project ID."
+ type = string
+}
+
+variable "region" {
+ description = "The GCP region to create and test resources in."
+ type = string
+ default = "us-central1"
+}
+
+variable "subnetwork" {
+ description = "The subnetwork selflink to host the compute instances in."
+ type = string
+}
+
+variable "service_account" {
+ description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account."
+ type = object({
+ email = string,
+ scopes = set(string)
+ })
+ default = null
+}
diff --git a/metadata.yaml b/metadata.yaml
index 20a33f59..23332753 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -48,6 +48,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
index 4b36f6cc..b536f0eb 100644
--- a/modules/compute_disk_snapshot/metadata.yaml
+++ b/modules/compute_disk_snapshot/metadata.yaml
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml
index 8682c855..f8002ab7 100644
--- a/modules/compute_instance/metadata.yaml
+++ b/modules/compute_instance/metadata.yaml
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index 1d8045e8..7ac223f7 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -20,6 +20,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | auto\_delete | Whether or not the boot disk should be auto-deleted | `string` | `"true"` | no |
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
+| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". | `string` | `""` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index 9971fd61..a95af076 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -43,13 +43,18 @@ locals {
 # initialize the block only if it is enabled.
 shielded_vm_configs = var.enable_shielded_vm ? [true] : []
- gpu_enabled = var.gpu != null
- alias_ip_range_enabled = var.alias_ip_range != null
+ gpu_enabled = var.gpu != null
+ alias_ip_range_enabled = var.alias_ip_range != null
+ snp_confidential_instance_type = var.confidential_instance_type == "SEV_SNP"
 on_host_maintenance = (
- var.preemptible || var.enable_confidential_vm || local.gpu_enabled || var.spot
+ var.preemptible || var.enable_confidential_vm || local.gpu_enabled || var.spot || local.snp_confidential_instance_type
 ? "TERMINATE" : var.on_host_maintenance
 )
+
+ # must be set to "AMD Milan" if confidential_instance_type is set to "SEV_SNP", or this will fail to create the VM.
+ min_cpu_platform = local.snp_confidential_instance_type ? "AMD Milan" : var.min_cpu_platform
+
 automatic_restart = (
 # must be false when preemptible or spot is true
 var.preemptible || var.spot ? false : var.automatic_restart
@@ -76,7 +81,7 @@ resource "google_compute_instance_template" "tpl" {
 can_ip_forward = var.can_ip_forward
 metadata_startup_script = var.startup_script
 region = var.region
- min_cpu_platform = var.min_cpu_platform
+ min_cpu_platform = local.min_cpu_platform
 resource_policies = var.resource_policies
 dynamic "disk" {
 for_each = local.all_disks
@@ -204,6 +209,7 @@ resource "google_compute_instance_template" "tpl" {
 confidential_instance_config {
 enable_confidential_compute = var.enable_confidential_vm
+ confidential_instance_type = var.confidential_instance_type
 }
 network_performance_config {
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 6141ce76..1c026be1 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
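Review bot: The SEV_SNP handling in the `locals` hunk keys off `var.confidential_instance_type` alone, so a caller who sets the type without `enable_confidential_vm = true` still has a caller-supplied `min_cpu_platform` silently replaced by "AMD Milan" and, in the third hunk, gets `confidential_instance_type` sent alongside `enable_confidential_compute = false`; whether the API accepts that pairing I can't tell from here, but overriding an explicit input without any signal is the part worth fixing. Gating the local on both inputs keeps the override scoped to the case the comment describes: `snp_confidential_instance_type = var.enable_confidential_vm && var.confidential_instance_type == "SEV_SNP"`. The same ungated comparison survives in the patch 4 rewrite of this block (`min_cpu_platform = var.confidential_instance_type == "SEV_SNP" ? ...`), so the fix applies there as well. The `locals` block continues outside the hunk.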
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
@@ -146,6 +148,10 @@ spec:
 description: Enable IP forwarding, for NAT instances for example
 varType: string
 defaultValue: "false"
+ - name: confidential_instance_type
+ description: Defines the confidential computing technology the instance uses. If this is set to "SEV_SNP", var.min_cpu_platform will be automatically set to "AMD Milan".
+ varType: string
+ defaultValue: ""
 - name: description
 description: The template's description
 varType: string
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index 45528f68..cc68931e 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -365,6 +365,12 @@ variable "enable_confidential_vm" {
 description = "Whether to enable the Confidential VM configuration on the instance. Note that the instance image must support Confidential VMs. See https://cloud.google.com/compute/docs/images"
 }
+variable "confidential_instance_type" {
+ type = string
+ default = ""
+ description = "Defines the confidential computing technology the instance uses. If this is set to \"SEV_SNP\", var.min_cpu_platform will be automatically set to \"AMD Milan\"."
+}
+
 ###########################
 # Public IP
 ###########################
diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml
index 31fd6d7a..fbecdc82 100644
--- a/modules/mig/metadata.yaml
+++ b/modules/mig/metadata.yaml
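Review bot: The new `confidential_instance_type` variable in the variables.tf hunk accepts any string, so a near-miss such as "sev_snp" or "SEV-SNP" silently skips the `== "SEV_SNP"` comparison in main.tf (no platform override, no TERMINATE) and only surfaces as a provider error at apply time. A `validation` block rejects unknown values at plan time; the list below holds the two values this PR handles and should track whatever the pinned provider version accepts. Because patch 2 changes the default to `null`, the condition has to allow `null` explicitly, as shown.
```hcl
variable "confidential_instance_type" {
  # … unchanged: type, default, description …

  validation {
    # keep this list in sync with the values the pinned google-beta provider accepts
    condition     = var.confidential_instance_type == null || contains(["SEV", "SEV_SNP"], var.confidential_instance_type)
    error_message = "confidential_instance_type must be null, \"SEV\" or \"SEV_SNP\"."
  }
}
```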
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml
index ba7e9b66..9baa487d 100644
--- a/modules/mig_with_percent/metadata.yaml
+++ b/modules/mig_with_percent/metadata.yaml
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml
index b642b32e..ede089cd 100644
--- a/modules/preemptible_and_regular_instance_templates/metadata.yaml
+++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml
index b74b16c5..588ac192 100644
--- a/modules/umig/metadata.yaml
+++ b/modules/umig/metadata.yaml
@@ -38,6 +38,8 @@ spec:
 location: examples/instance_template/alias_ip_range
 - name: autoscaler
 location: examples/mig/autoscaler
+ - name: confidential_computing
+ location: examples/instance_template/confidential_computing
 - name: disk_snapshot
 location: examples/compute_instance/disk_snapshot
 - name: encrypted_disks
diff --git a/test/fixtures/confidential_instance_template/main.tf b/test/fixtures/confidential_instance_template/main.tf
new file mode 100644
index 00000000..ee4c7c60
--- /dev/null
+++ b/test/fixtures/confidential_instance_template/main.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential_simple" {
+ source = "../../../examples/instance_template/confidential_computing"
+ project_id = var.project_id
+ region = "us-central1"
+ subnetwork = google_compute_subnetwork.main.self_link
+ service_account = var.service_account
+}
diff --git a/test/fixtures/confidential_instance_template/network.tf b/test/fixtures/confidential_instance_template/network.tf
new file mode 120000
index 00000000..98e7464a
--- /dev/null
+++ b/test/fixtures/confidential_instance_template/network.tf
@@ -0,0 +1 @@
+../shared/network.tf
\ No newline at end of file
diff --git a/test/fixtures/confidential_instance_template/outputs.tf b/test/fixtures/confidential_instance_template/outputs.tf
new file mode 100644
index 00000000..0d3686b7
--- /dev/null
+++ b/test/fixtures/confidential_instance_template/outputs.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "self_link" {
+ description = "Self-link to the instance template."
+ value = module.confidential_simple.self_link
+}
+
+output "name" {
+ description = "Name of the instance templates."
+ value = module.confidential_simple.name
+}
+
+output "project_id" {
+ description = "The GCP project to use for integration tests."
+ value = var.project_id
+}
+
+output "service_account" {
+ description = "Service account to attach to the instance"
+ value = var.service_account
+}
diff --git a/test/fixtures/confidential_instance_template/variables.tf b/test/fixtures/confidential_instance_template/variables.tf
new file mode 100644
index 00000000..f74bdc25
--- /dev/null
+++ b/test/fixtures/confidential_instance_template/variables.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The GCP project to use for integration tests."
+ type = string
+}
+
+variable "service_account" {
+ description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account."
+ type = object({
+ email = string
+ scopes = list(string)
+ })
+ default = null
+}
diff --git a/test/fixtures/confidential_instance_template/versions.tf b/test/fixtures/confidential_instance_template/versions.tf
new file mode 100644
index 00000000..4985c0ff
--- /dev/null
+++ b/test/fixtures/confidential_instance_template/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">=0.12.6"
+}
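Review bot: The fixture's `service_account` variable in the variables.tf hunk declares `scopes = list(string)`, while the example it feeds (examples/instance_template/confidential_computing/variables.tf, added earlier in this patch) declares `scopes = set(string)`; Terraform converts the list at the module boundary, but two declarations of the same value should not drift. Changing the fixture line to `scopes = set(string)` keeps them identical.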
diff --git a/test/integration/confidential_instance_template/confidential_instance_template_test.go b/test/integration/confidential_instance_template/confidential_instance_template_test.go
new file mode 100644
index 00000000..a680a3d1
--- /dev/null
+++ b/test/integration/confidential_instance_template/confidential_instance_template_test.go
@@ -0,0 +1,41 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package confidential_instance_template
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestConfidentialInstanceTemplate(t *testing.T) {
+ const instanceNamePrefix = "confidential-template"
+
+ confInsTempl := tft.NewTFBlueprintTest(t)
+ confInsTempl.DefineVerify(func(assert *assert.Assertions) {
+ confInsTempl.DefaultVerify(assert)
+
+ instance_template := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --format=json --project %s --filter name~%s", confInsTempl.GetStringOutput("project_id"), instanceNamePrefix))
+
+ assert.Len(instance_template.Array(), 1)
+ confidentialInstanceConfig := instance_template.Array()[0].Get("properties").Get("confidentialInstanceConfig")
+ assert.True(confidentialInstanceConfig.Get("enableConfidentialCompute").Bool())
+ assert.Equal("SEV_SNP", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+ })
+ confInsTempl.Test()
+}
From c6fde1190615e38e834d13d330ea17d0aa4e772e Mon Sep 17 00:00:00 2001
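Review bot: `assert.Len(instance_template.Array(), 1)` only records a failure and keeps going, so when the gcloud query returns nothing the next line indexes `Array()[0]` and the verify closure panics instead of reporting the length mismatch. Guard the index on the assertion result, `if !assert.Len(instance_template.Array(), 1) { return }`, so the failure message is what surfaces. The local `instance_template` should be `instanceTemplate` to match Go naming and the neighbouring `confInsTempl`. Note also that `--filter name~%s` is a regex match, so any other template in the project whose name contains "confidential-template" would make the length check fail; anchoring the pattern (`name~^%s`) narrows it, assuming the gcloud filter accepts the anchor.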
From: Arthur de Lapertosa Lisboa
Date: Wed, 31 Jul 2024 17:13:39 -0300
Subject: [PATCH 2/5] review fixes
---
 modules/instance_template/variables.tf | 2 +-
 modules/instance_template/versions.tf | 2 +-
 test/fixtures/confidential_instance_template/versions.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index cc68931e..b9d14716 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -367,7 +367,7 @@ variable "enable_confidential_vm" {
 variable "confidential_instance_type" {
 type = string
- default = ""
+ default = null
 description = "Defines the confidential computing technology the instance uses. If this is set to \"SEV_SNP\", var.min_cpu_platform will be automatically set to \"AMD Milan\"."
 }
diff --git a/modules/instance_template/versions.tf b/modules/instance_template/versions.tf
index eac8c416..319a1fbd 100644
--- a/modules/instance_template/versions.tf
+++ b/modules/instance_template/versions.tf
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.5, < 6"
+ version = ">= 5.36, < 6"
 }
 }
 provider_meta "google" {
diff --git a/test/fixtures/confidential_instance_template/versions.tf b/test/fixtures/confidential_instance_template/versions.tf
index 4985c0ff..940b48d4 100644
--- a/test/fixtures/confidential_instance_template/versions.tf
+++ b/test/fixtures/confidential_instance_template/versions.tf
@@ -15,5 +15,5 @@
 */
 terraform {
- required_version = ">=0.12.6"
+ required_version = ">=0.13"
 }
From 3ae46722e671735f0b6751b7415ab7d8071f8524 Mon Sep 17 00:00:00 2001
From: Arthur de Lapertosa Lisboa
Date: Wed, 31 Jul 2024 20:21:10 -0300
Subject: [PATCH 3/5] update documentation
---
 modules/instance_template/README.md | 2 +-
 modules/instance_template/metadata.yaml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index 7ac223f7..d2ddd396 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -20,7 +20,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | auto\_delete | Whether or not the boot disk should be auto-deleted | `string` | `"true"` | no |
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
-| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". | `string` | `""` | no |
+| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". | `string` | `null` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 1c026be1..63ab8a26 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -151,7 +151,6 @@ spec:
 - name: confidential_instance_type
 description: Defines the confidential computing technology the instance uses. If this is set to "SEV_SNP", var.min_cpu_platform will be automatically set to "AMD Milan".
 varType: string
- defaultValue: ""
 - name: description
 description: The template's description
 varType: string
From e2f4d3b9f97448bf09e1bf69ea4467143a10d2ae Mon Sep 17 00:00:00 2001
From: Arthur de Lapertosa Lisboa
Date: Fri, 2 Aug 2024 11:17:57 -0300
Subject: [PATCH 4/5] review fixes
---
 .../instance_template/confidential_computing/main.tf | 2 +-
 modules/instance_template/main.tf | 10 +++++-----
 .../confidential_instance_template_test.go | 6 ++++--
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/examples/instance_template/confidential_computing/main.tf b/examples/instance_template/confidential_computing/main.tf
index f46a18c8..9dba4505 100644
--- a/examples/instance_template/confidential_computing/main.tf
+++ b/examples/instance_template/confidential_computing/main.tf
@@ -28,5 +28,5 @@ module "instance_template" {
 machine_type = "n2d-standard-2"
 min_cpu_platform = "AMD Milan"
 enable_confidential_vm = true
- confidential_instance_type = "SEV_SNP"
+ confidential_instance_type = "SEV"
 }
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index a95af076..5c5917bb 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -43,17 +43,17 @@ locals {
 # initialize the block only if it is enabled.
 shielded_vm_configs = var.enable_shielded_vm ? [true] : []
- gpu_enabled = var.gpu != null
- alias_ip_range_enabled = var.alias_ip_range != null
- snp_confidential_instance_type = var.confidential_instance_type == "SEV_SNP"
+ gpu_enabled = var.gpu != null
+ alias_ip_range_enabled = var.alias_ip_range != null
+ confidential_terminate_condition = var.enable_confidential_vm && (var.confidential_instance_type != "SEV" || var.min_cpu_platform != "AMD Milan")
 on_host_maintenance = (
- var.preemptible || var.enable_confidential_vm || local.gpu_enabled || var.spot || local.snp_confidential_instance_type
+ var.preemptible || local.gpu_enabled || var.spot || local.confidential_terminate_condition
 ? "TERMINATE" : var.on_host_maintenance
 )
 # must be set to "AMD Milan" if confidential_instance_type is set to "SEV_SNP", or this will fail to create the VM.
- min_cpu_platform = local.snp_confidential_instance_type ? "AMD Milan" : var.min_cpu_platform
+ min_cpu_platform = var.confidential_instance_type == "SEV_SNP" ? "AMD Milan" : var.min_cpu_platform
 automatic_restart = (
 # must be false when preemptible or spot is true
diff --git a/test/integration/confidential_instance_template/confidential_instance_template_test.go b/test/integration/confidential_instance_template/confidential_instance_template_test.go
index a680a3d1..adfdf66a 100644
--- a/test/integration/confidential_instance_template/confidential_instance_template_test.go
+++ b/test/integration/confidential_instance_template/confidential_instance_template_test.go
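Review bot: The new `confidential_terminate_condition` changes documented behaviour — a confidential VM with `SEV` on "AMD Milan" now keeps the caller's `var.on_host_maintenance` instead of being forced to `TERMINATE` — but neither this local nor the `confidential_instance_type` description in variables.tf says so, and the retained comment above `min_cpu_platform` only covers the SEV_SNP case. A why-comment on the local would carry it: `# SEV on "AMD Milan" is the one confidential combination allowed to keep var.on_host_maintenance (the test expects MIGRATE for it); every other confidential configuration is forced to TERMINATE.` The condition checks the CPU platform but not `var.machine_type`; if live migration of confidential VMs is limited to particular machine series, the platform check alone could let a MIGRATE policy through that the provider then rejects — worth confirming against the Compute docs. The `locals` block continues outside the hunk.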
@@ -33,9 +33,11 @@ func TestConfidentialInstanceTemplate(t *testing.T) {
 instance_template := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --format=json --project %s --filter name~%s", confInsTempl.GetStringOutput("project_id"), instanceNamePrefix))
 assert.Len(instance_template.Array(), 1)
- confidentialInstanceConfig := instance_template.Array()[0].Get("properties").Get("confidentialInstanceConfig")
+ instanceConfigProperties := instance_template.Array()[0].Get("properties")
+ confidentialInstanceConfig := instanceConfigProperties.Get("confidentialInstanceConfig")
 assert.True(confidentialInstanceConfig.Get("enableConfidentialCompute").Bool())
- assert.Equal("SEV_SNP", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+ assert.Equal("SEV", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+ assert.Equal("MIGRATE", instanceConfigProperties.Get("scheduling").Get("onHostMaintenance").String())
 })
 confInsTempl.Test()
 }
From 4c1c3d9345a54ff7625c92a890629b0de911335d Mon Sep 17 00:00:00 2001
From: Arthur de Lapertosa Lisboa
Date: Wed, 7 Aug 2024 18:26:24 -0300
Subject: [PATCH 5/5] code review changes
---
 modules/instance_template/README.md | 2 +-
 modules/instance_template/metadata.yaml | 2 +-
 modules/instance_template/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index d2ddd396..ea16fde5 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
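Review bot: With the example switched to `confidential_instance_type = "SEV"`, this integration test no longer exercises the `SEV_SNP` branch the PR adds to modules/instance_template/main.tf (the forced "AMD Milan" platform and TERMINATE policy), so that path now ships without coverage; a second example and fixture for SEV_SNP, or a plan-only check, would close the gap. The test also checks `onHostMaintenance` but not the platform the example requests, which is the other half of the MIGRATE condition in main.tf; `assert.Equal("AMD Milan", instanceConfigProperties.Get("minCpuPlatform").String())` would pin it. `TestConfidentialInstanceTemplate` starts outside the hunk.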
@@ -20,7 +20,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | auto\_delete | Whether or not the boot disk should be auto-deleted | `string` | `"true"` | no |
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
-| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". | `string` | `null` | no |
+| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 63ab8a26..4dd52c84 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -149,7 +149,7 @@ spec:
 varType: string
 defaultValue: "false"
 - name: confidential_instance_type
- description: Defines the confidential computing technology the instance uses. If this is set to "SEV_SNP", var.min_cpu_platform will be automatically set to "AMD Milan".
+ description: Defines the confidential computing technology the instance uses. If this is set to "SEV_SNP", var.min_cpu_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type.
 varType: string
 - name: description
 description: The template's description
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index b9d14716..5fe65be0 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -368,7 +368,7 @@ variable "enable_confidential_vm" {
 variable "confidential_instance_type" {
 type = string
 default = null
- description = "Defines the confidential computing technology the instance uses. If this is set to \"SEV_SNP\", var.min_cpu_platform will be automatically set to \"AMD Milan\"."
+ description = "Defines the confidential computing technology the instance uses. If this is set to \"SEV_SNP\", var.min_cpu_platform will be automatically set to \"AMD Milan\". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type."
 }
 ###########################