diff --git a/CHANGELOG.md b/CHANGELOG.md index b478927c..86b071d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,14 @@ All notable changes to this project will be documented in this file. See [conventional-commits](https://www.conventionalcommits.org/) for commit guidelines. +## [12.1.0](https://github.com/terraform-google-modules/terraform-google-vm/compare/v12.0.0...v12.1.0) (2024-10-22) + + +### Features + +* add confidential computing example for intel arch ([#435](https://github.com/terraform-google-modules/terraform-google-vm/issues/435)) ([cf84229](https://github.com/terraform-google-modules/terraform-google-vm/commit/cf84229c7e1fb5e4233d0d24d34c17732bae0e4f)) +* add org policies to confidential computing example ([#427](https://github.com/terraform-google-modules/terraform-google-vm/issues/427)) ([c5788d0](https://github.com/terraform-google-modules/terraform-google-vm/commit/c5788d034414e4e3821db1918e40201066194017)) + ## [12.0.0](https://github.com/terraform-google-modules/terraform-google-vm/compare/v11.1.0...v12.0.0) (2024-09-09) diff --git a/CODEOWNERS b/CODEOWNERS index c043343b..fc37be5d 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,7 +1,7 @@ # NOTE: This file is automatically generated from values at: # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/infra/terraform/test-org/org/locals.tf -* @terraform-google-modules/cft-admins +* @terraform-google-modules/cft-admins @erlanderlo @q2w # NOTE: GitHub CODEOWNERS locations: # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection diff --git a/autogen/versions.tf.tmpl b/autogen/versions.tf.tmpl index be7a6915..a8318021 100644 --- a/autogen/versions.tf.tmpl +++ b/autogen/versions.tf.tmpl 
@@ -27,9 +27,9 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:{% if mig %}mig{% else %}mig_with_percent{% endif %}/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:{% if mig %}mig{% else %}mig_with_percent{% endif %}/v12.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-vm:{% if mig %}mig{% else %}mig_with_percent{% endif %}/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:{% if mig %}mig{% else %}mig_with_percent{% endif %}/v12.1.0" } } diff --git a/examples/confidential_computing_intel/README.md b/examples/confidential_computing_intel/README.md new file mode 100644 index 00000000..c071a6dc --- /dev/null +++ b/examples/confidential_computing_intel/README.md 
@@ -0,0 +1,35 @@ +# confidential computing vm + +This is an example of a vm creation with confidential computing, +intel architecture, encrypted disk using a multiregion (US by default) +Cloud HSM key and a custom service account with cloud-platform scope. +It also creates org policies enforcing the use of CMEK encrypted instances +and confidential computing to all newly created VMs within the project. +Also, an additional org policy constraint is created, which only allows +Cloud KMS keys (used for CMEK protection) that come from the provided input project. +Note: existing VM instances won't be affected by the new org policy. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| key | Key name. | `string` | n/a | yes | +| keyring | Keyring name. | `string` | n/a | yes | +| location | Location for the resources (keyring, key, network, etc.). | `string` | `"us"` | no | +| project\_id | The Google Cloud project ID. | `string` | n/a | yes | +| region | The GCP region to create and test resources in. | `string` | `"us-central1"` | no | +| service\_account\_roles | Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM. | `list(string)` | `[]` | no | +| subnetwork | The subnetwork selflink to host the compute instances in. | `string` | n/a | yes | +| suffix | A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring). | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| instance\_self\_link | Self-link for compute instance. | +| name | Name of the instance templates. | +| self\_link | Self-link to the instance template. | +| suffix | Suffix used as an identifier for resources. | + + diff --git a/examples/confidential_computing_intel/main.tf b/examples/confidential_computing_intel/main.tf new file mode 100644 index 00000000..f8c90959 --- /dev/null 
+++ b/examples/confidential_computing_intel/main.tf 
@@ -0,0 +1,99 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_suffix = var.suffix == "" ? random_string.suffix.result : "${random_string.suffix.result}-${var.suffix}"
+  key_name = "${var.key}-${local.default_suffix}"
+}
+
+resource "random_string" "suffix" {
+  length = 4
+  special = false
+  upper = false
+}
+
+module "kms" {
+  source = "terraform-google-modules/kms/google"
+  version = "3.0.0"
+
+  keyring = "${var.keyring}-${local.default_suffix}"
+  location = var.location
+  project_id = var.project_id
+  keys = [local.key_name]
+  purpose = "ENCRYPT_DECRYPT"
+  key_protection_level = "HSM"
+  prevent_destroy = false
+}
+
+resource "google_service_account" "default" {
+  project = var.project_id
+  account_id = "confidential-compute-sa"
+  display_name = "Custom SA for confidential VM Instance"
+}
+
+resource "google_project_iam_member" "service_account_roles" {
+  for_each = toset(var.service_account_roles)
+
+  project = var.project_id
+  role = each.key
+  member = "serviceAccount:${google_service_account.default.email}"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = module.kms.keys[local.key_name]
+  role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
+  ]
+}
+
+module "instance_template" {
+  source = "terraform-google-modules/vm/google//modules/instance_template"
+
+  region = var.region
+  project_id = var.project_id
+  subnetwork = var.subnetwork
+
+  name_prefix = "confidential-intel-encrypted"
+  source_image_project = "tdx-guest-images"
+  source_image = "ubuntu-2204-lts"
+  disk_type = "pd-ssd"
+  machine_type = "c3-standard-4"
+  min_cpu_platform = "Intel Sapphire Rapids"
+  enable_confidential_vm = true
+  confidential_instance_type = "TDX"
+
+  service_account = {
+    email = google_service_account.default.email
+    scopes = ["cloud-platform"]
+  }
+  disk_encryption_key = module.kms.keys[local.key_name]
+}
+
+module "compute_instance" {
+  source = "terraform-google-modules/vm/google//modules/compute_instance"
+  version = "~> 12.0"
+
+  region = var.region
+  subnetwork = var.subnetwork
+  hostname = "confidential-intel-encrypted"
+  instance_template = module.instance_template.self_link
+  deletion_protection = false
+}
diff --git a/examples/confidential_computing_intel/org_policies.tf b/examples/confidential_computing_intel/org_policies.tf
new file mode 100644
index 00000000..3c9ad5f4
--- /dev/null
+++ b/examples/confidential_computing_intel/org_policies.tf
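Review bot: `module "compute_instance"` creates the CMEK-encrypted boot disk on behalf of the Compute Engine service agent, but nothing in the hunk orders it after `google_kms_crypto_key_iam_binding.crypto_key` — the instance depends on the template, and the template depends only on `module.kms`, so a first apply can race the key grant and fail with a permission error on the key; add `depends_on = [google_kms_crypto_key_iam_binding.crypto_key]` to `module "compute_instance"`. Separately, `module "instance_template"` pulls the registry module unpinned while `module "compute_instance"` pins `version = "~> 12.0"`; pin it the same way so the example is reproducible and not silently upgraded. Note also that `google_kms_crypto_key_iam_binding` is authoritative for the role and will remove any other `cryptoKeyEncrypterDecrypter` members on that key — fine for a key created here, but worth a comment such as `# Authoritative binding: replaces all existing members of this role on the key; use google_kms_crypto_key_iam_member on a shared key.` so the pattern is not copied onto a shared key.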
@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential-computing-org-policy" {
+  source = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id = var.project_id
+  policy_for = "project"
+  constraint = "constraints/compute.restrictNonConfidentialComputing"
+  policy_type = "list"
+  deny = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "enforce-cmek-org-policy" {
+  source = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id = var.project_id
+  policy_for = "project"
+  constraint = "constraints/gcp.restrictNonCmekServices"
+  policy_type = "list"
+  deny = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "restrict-cmek-cryptokey-projects-policy" {
+  source = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id = var.project_id
+  policy_for = "project"
+  constraint = "constraints/gcp.restrictCmekCryptoKeyProjects"
+  policy_type = "list"
+  allow = ["projects/${var.project_id}"]
+  allow_list_length = 1
+}
diff --git a/examples/confidential_computing_intel/outputs.tf b/examples/confidential_computing_intel/outputs.tf
new file mode 100644
index 00000000..6bcf2e82
--- /dev/null
+++ b/examples/confidential_computing_intel/outputs.tf
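Review bot: `module "restrict-cmek-cryptokey-projects-policy"` allows only keys from `projects/${var.project_id}`, which is the same project that runs the VM, so the same project-level principals administer both the workload and the key that protects it; the separation-of-duties pattern this constraint exists to enforce is a dedicated key project. Rather than hard-wire that into an example, add a comment above the module such as `# Keys live in the workload project here for simplicity; production deployments normally keep the keyring in a separate key project and allow that project instead.` It would also help to say above the two deny-list modules that, because `policy_for = "project"`, they bind project-wide and will reject any later non-confidential or non-CMEK Compute resource in the project, presumably including instances recreated by existing MIGs — the README states the first part, but a copy of this file without the README loses that context.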
@@ -0,0 +1,36 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +output "self_link" { + description = "Self-link to the instance template." + value = module.instance_template.self_link +} + +output "name" { + description = "Name of the instance templates." + value = module.instance_template.name +} + +output "instance_self_link" { + description = "Self-link for compute instance." + value = module.compute_instance.instances_self_links[0] +} + +output "suffix" { + description = "Suffix used as an identifier for resources." + value = local.default_suffix +} diff --git a/examples/confidential_computing_intel/variables.tf b/examples/confidential_computing_intel/variables.tf new file mode 100644 index 00000000..6fe70f28 --- /dev/null +++ b/examples/confidential_computing_intel/variables.tf 
@@ -0,0 +1,59 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The Google Cloud project ID." + type = string +} + +variable "region" { + description = "The GCP region to create and test resources in." + type = string + default = "us-central1" +} + +variable "subnetwork" { + description = "The subnetwork selflink to host the compute instances in." + type = string +} + +variable "location" { + description = "Location for the resources (keyring, key, network, etc.)." + type = string + default = "us" +} + +variable "suffix" { + description = "A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring)." + type = string + default = "" +} + +variable "keyring" { + description = "Keyring name." + type = string +} + +variable "key" { + description = "Key name." + type = string +} + +variable "service_account_roles" { + description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM." + type = list(string) + default = [] +} diff --git a/metadata.yaml b/metadata.yaml index b7ccf310..c7a0a690 100644 --- a/metadata.yaml +++ b/metadata.yaml 
@@ -52,6 +52,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml index 9a9607e3..9e384df7 100644 --- a/modules/compute_disk_snapshot/metadata.yaml +++ b/modules/compute_disk_snapshot/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/compute_disk_snapshot - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=0.13.0" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks diff --git a/modules/compute_disk_snapshot/versions.tf b/modules/compute_disk_snapshot/versions.tf index 50f5d64f..bfb028e3 100644 --- a/modules/compute_disk_snapshot/versions.tf +++ b/modules/compute_disk_snapshot/versions.tf @@ -27,6 +27,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:compute_instance/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:compute_instance/v12.1.0" } } diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml index 4c1adc2f..e7f38d95 100644 --- a/modules/compute_instance/metadata.yaml +++ b/modules/compute_instance/metadata.yaml 
@@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/compute_instance - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=0.13.0" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks diff --git a/modules/compute_instance/versions.tf b/modules/compute_instance/versions.tf index a1a13fdb..d8e05736 100644 --- a/modules/compute_instance/versions.tf +++ b/modules/compute_instance/versions.tf @@ -23,6 +23,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:compute_instance/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:compute_instance/v12.1.0" } } diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md index ea16fde5..0127382c 100644 --- a/modules/instance_template/README.md +++ b/modules/instance_template/README.md @@ -47,7 +47,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example. | project\_id | The GCP project ID | `string` | `null` | no | | region | Region where the instance template should be created. | `string` | `null` | no | | resource\_policies | A list of self\_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported. | `list(string)` | `[]` | no | -| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. |
object({| n/a | yes | +| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. |
email = string
scopes = set(string)
})
object({| n/a | yes | | shielded\_instance\_config | Not used unless enable\_shielded\_vm is true. Shielded VM configuration for the instance. |
email = string
scopes = optional(set(string), ["cloud-platform"])
})
object({|
enable_secure_boot = bool
enable_vtpm = bool
enable_integrity_monitoring = bool
})
{| no | | source\_image | Source disk image. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `""` | no | | source\_image\_family | Source image family. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `"rocky-linux-9-optimized-gcp"` | no | diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml new file mode 100644 index 00000000..0811efe2 --- /dev/null +++ b/modules/instance_template/metadata.display.yaml 
@@ -0,0 +1,180 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-vm-instance-template-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: instance_template + source: + repo: https://github.com/terraform-google-modules/terraform-google-vm + sourceType: git + dir: /modules/instance_template + ui: + input: + variables: + access_config: + name: access_config + title: Access Config + altDefaults: + - type: ALTERNATE_TYPE_DC + value: + nat_ip: null + network_tier: PREMIUM + additional_disks: + name: additional_disks + title: Additional Disks + additional_networks: + name: additional_networks + title: Additional Networks + alias_ip_range: + name: alias_ip_range + title: Alias Ip Range + auto_delete: + name: auto_delete + title: Auto Delete + automatic_restart: + name: automatic_restart + title: Automatic Restart + can_ip_forward: + name: can_ip_forward + title: Can Ip Forward + confidential_instance_type: + name: confidential_instance_type + title: Confidential Instance Type + description: + name: description + title: Description + disk_encryption_key: + name: disk_encryption_key + title: Disk Encryption Key + disk_labels: + name: disk_labels + title: Disk Labels + disk_resource_policies: + name: disk_resource_policies + title: Disk Resource Policies + disk_size_gb: + name: disk_size_gb + title: 
Disk Size Gb + disk_type: + name: disk_type + title: Disk Type + enable_confidential_vm: + name: enable_confidential_vm + title: Enable Confidential Vm + enable_nested_virtualization: + name: enable_nested_virtualization + title: Enable Nested Virtualization + enable_shielded_vm: + name: enable_shielded_vm + title: Enable Shielded Vm + gpu: + name: gpu + title: Gpu + instance_description: + name: instance_description + title: Instance Description + ipv6_access_config: + name: ipv6_access_config + title: Ipv6 Access Config + labels: + name: labels + title: Labels + machine_type: + name: machine_type + title: Machine Type + maintenance_interval: + name: maintenance_interval + title: Maintenance Interval + metadata: + name: metadata + title: Metadata + min_cpu_platform: + name: min_cpu_platform + title: Min Cpu Platform + name_prefix: + name: name_prefix + title: Name Prefix + network: + name: network + title: Network + network_ip: + name: network_ip + title: Network Ip + nic_type: + name: nic_type + title: Nic Type + on_host_maintenance: + name: on_host_maintenance + title: On Host Maintenance + preemptible: + name: preemptible + title: Preemptible + project_id: + name: project_id + title: Project Id + region: + name: region + title: Region + resource_policies: + name: resource_policies + title: Resource Policies + service_account: + name: service_account + title: Service Account + shielded_instance_config: + name: shielded_instance_config + title: Shielded Instance Config + source_image: + name: source_image + title: Source Image + source_image_family: + name: source_image_family + title: Source Image Family + source_image_project: + name: source_image_project + title: Source Image Project + spot: + name: spot + title: Spot + spot_instance_termination_action: + name: spot_instance_termination_action + title: Spot Instance Termination Action + stack_type: + name: stack_type + title: Stack Type + startup_script: + name: startup_script + title: Startup Script + 
subnetwork: + name: subnetwork + title: Subnetwork + subnetwork_project: + name: subnetwork_project + title: Subnetwork Project + tags: + name: tags + title: Tags + threads_per_core: + name: threads_per_core + title: Threads Per Core + total_egress_bandwidth_tier: + name: total_egress_bandwidth_tier + title: Total Egress Bandwidth Tier + diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml index 5f50a426..6a4f74cd 100644 --- a/modules/instance_template/metadata.yaml +++ b/modules/instance_template/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/instance_template - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=1.3" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks 
@@ -221,6 +223,27 @@ spec: description: Metadata, provided as a map varType: map(string) defaultValue: {} + connections: + - source: + source: github.com/terraform-google-modules/terraform-google-memorystore + version: ~> 10.0 + spec: + outputExpr: env_vars + - source: + source: github.com/terraform-google-modules/terraform-google-sql-db//modules/postgresql + version: ~> 21.0 + spec: + outputExpr: env_vars + - source: + source: github.com/terraform-google-modules/terraform-google-sql-db//modules/mysql + version: ~> 22.0 + spec: + outputExpr: env_vars + - source: + source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa + version: ~> 4.3 + spec: + outputExpr: env_vars - name: min_cpu_platform description: "Specifies a minimum CPU platform. Applicable values are the friendly names of CPU platforms, such as Intel Haswell or Intel Skylake. See the complete list: https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform" varType: string @@ -262,9 +285,16 @@ spec: varType: |- object({ email = string - scopes = set(string) + scopes = optional(set(string), ["cloud-platform"]) }) required: true + connections: + - source: + source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa + version: ~> 4.3 + spec: + outputExpr: email + inputPath: email - name: shielded_instance_config description: Not used unless enable_shielded_vm is true. Shielded VM configuration for the instance. varType: |- @@ -326,12 +356,18 @@ spec: outputs: - name: name description: Name of instance template + type: string - name: self_link description: Self-link of instance template + type: string - name: self_link_unique description: Unique self-link of instance template (recommended output to use instead of self_link) + type: string - name: tags description: Tags that will be associated with instance(s) + type: + - list + - string requirements: roles: - level: Project 
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index 5fe65be0..0a64a80d 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -327,7 +327,7 @@ variable "metadata" {
 variable "service_account" {
   type = object({
     email = string
-    scopes = set(string)
+    scopes = optional(set(string), ["cloud-platform"])
   })
   description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account."
 }
diff --git a/modules/instance_template/versions.tf b/modules/instance_template/versions.tf
index 7bccbd40..633d5112 100644
--- a/modules/instance_template/versions.tf
+++ b/modules/instance_template/versions.tf
@@ -23,6 +23,6 @@ terraform {
     }
   }
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-vm:instance_template/v12.0.0"
+    module_name = "blueprints/terraform/terraform-google-vm:instance_template/v12.1.0"
   }
 }
diff --git a/modules/mig/metadata.display.yaml b/modules/mig/metadata.display.yaml
new file mode 100644
index 00000000..e6dc52a2
--- /dev/null
+++ b/modules/mig/metadata.display.yaml
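Review bot: The new `optional(set(string), ["cloud-platform"])` default means an omitted `scopes` now silently grants the broadest OAuth scope, but the `description` two lines below was not updated to say so, so callers reading the variable docs have no indication that leaving `scopes` out widens the instance token. Suggested description: `Service account to attach to the instance. scopes defaults to ["cloud-platform"]; limit what the instance can do through IAM roles granted to the service account rather than by narrowing scopes. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account.` Before this change an object without `scopes` was a type error, so any caller that relied on that rejection now gets a working template with full scope — worth a line in the changelog entry as well.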
@@ -0,0 +1,117 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-vm-mig-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Managed Instance Group (MIG) + source: + repo: https://github.com/terraform-google-modules/terraform-google-vm + sourceType: git + dir: /modules/mig + ui: + input: + variables: + autoscaler_name: + name: autoscaler_name + title: Autoscaler Name + autoscaling_cpu: + name: autoscaling_cpu + title: Autoscaling Cpu + autoscaling_enabled: + name: autoscaling_enabled + title: Autoscaling Enabled + autoscaling_lb: + name: autoscaling_lb + title: Autoscaling Lb + autoscaling_metric: + name: autoscaling_metric + title: Autoscaling Metric + autoscaling_mode: + name: autoscaling_mode + title: Autoscaling Mode + autoscaling_scale_in_control: + name: autoscaling_scale_in_control + title: Autoscaling Scale In Control + cooldown_period: + name: cooldown_period + title: Cooldown Period + distribution_policy_target_shape: + name: distribution_policy_target_shape + title: Distribution Policy Target Shape + distribution_policy_zones: + name: distribution_policy_zones + title: Distribution Policy Zones + health_check: + name: health_check + title: Health Check + health_check_name: + name: health_check_name + title: Health Check Name + hostname: + name: hostname + title: Hostname + 
instance_template: + name: instance_template + title: Instance Template + labels: + name: labels + title: Labels + max_replicas: + name: max_replicas + title: Max Replicas + mig_name: + name: mig_name + title: Mig Name + mig_timeouts: + name: mig_timeouts + title: Mig Timeouts + min_replicas: + name: min_replicas + title: Min Replicas + named_ports: + name: named_ports + title: Named Ports + project_id: + name: project_id + title: Project Id + region: + name: region + title: Region + scaling_schedules: + name: scaling_schedules + title: Scaling Schedules + stateful_disks: + name: stateful_disks + title: Stateful Disks + stateful_ips: + name: stateful_ips + title: Stateful Ips + target_pools: + name: target_pools + title: Target Pools + target_size: + name: target_size + title: Target Size + update_policy: + name: update_policy + title: Update Policy + wait_for_instances: + name: wait_for_instances + title: Wait For Instances diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml index 476ed396..f7b48051 100644 --- a/modules/mig/metadata.yaml +++ b/modules/mig/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/mig - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=1.3.0" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks 
@@ -177,6 +179,12 @@ spec: description: Instance template self_link used to create compute instances varType: string required: true + connections: + - source: + source: github.com/terraform-google-modules/terraform-google-vm//modules/instance_template + version: ~> 12.0 + spec: + outputExpr: self_link - name: labels description: Labels, provided as a map varType: map(string) @@ -280,12 +288,17 @@ spec: outputs: - name: health_check_self_links description: All self_links of healthchecks created for the instance group. + type: + - list + - string - name: instance_group description: Instance-group url of managed instance group + type: string - name: instance_group_manager description: An instance of google_compute_region_instance_group_manager of the instance group. - name: self_link description: Self-link of managed instance group + type: string requirements: roles: - level: Project diff --git a/modules/mig/versions.tf b/modules/mig/versions.tf index 819b551c..0b643278 100644 --- a/modules/mig/versions.tf +++ b/modules/mig/versions.tf @@ -27,9 +27,9 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:mig/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:mig/v12.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-vm:mig/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:mig/v12.1.0" } } diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml index 9e7efaa6..40a0bf4c 100644 --- a/modules/mig_with_percent/metadata.yaml +++ b/modules/mig_with_percent/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/mig_with_percent - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=1.3.0" 
@@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks diff --git a/modules/mig_with_percent/versions.tf b/modules/mig_with_percent/versions.tf index 2520c7c2..c8f7d263 100644 --- a/modules/mig_with_percent/versions.tf +++ b/modules/mig_with_percent/versions.tf @@ -27,9 +27,9 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:mig_with_percent/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:mig_with_percent/v12.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-vm:mig_with_percent/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:mig_with_percent/v12.1.0" } } diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml index 25f622a4..f63ce997 100644 --- a/modules/preemptible_and_regular_instance_templates/metadata.yaml +++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/preemptible_and_regular_instance_templates - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=0.13.0" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks 
diff --git a/modules/preemptible_and_regular_instance_templates/versions.tf b/modules/preemptible_and_regular_instance_templates/versions.tf index 42da5a06..eff8dbe4 100644 --- a/modules/preemptible_and_regular_instance_templates/versions.tf +++ b/modules/preemptible_and_regular_instance_templates/versions.tf @@ -21,9 +21,9 @@ terraform { google-beta = ">= 3.88, < 7" } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:preemptible_and_regular_instance_templates/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:preemptible_and_regular_instance_templates/v12.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-vm:preemptible_and_regular_instance_templates/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:preemptible_and_regular_instance_templates/v12.1.0" } } diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml index 6ab20114..c774ca26 100644 --- a/modules/umig/metadata.yaml +++ b/modules/umig/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-vm sourceType: git dir: /modules/umig - version: 12.0.0 + version: 12.1.0 actuationTool: flavor: Terraform version: ">=0.13.0" @@ -42,6 +42,8 @@ spec: location: examples/confidential_computing - name: confidential_computing location: examples/instance_template/confidential_computing + - name: confidential_computing_intel + location: examples/confidential_computing_intel - name: disk_snapshot location: examples/compute_instance/disk_snapshot - name: encrypted_disks diff --git a/modules/umig/versions.tf b/modules/umig/versions.tf index 3d694cae..cae90817 100644 --- a/modules/umig/versions.tf +++ b/modules/umig/versions.tf @@ -23,6 +23,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-vm:umig/v12.0.0" + module_name = "blueprints/terraform/terraform-google-vm:umig/v12.1.0" } } 
diff --git a/test/fixtures/confidential_intel_compute_instance/main.tf b/test/fixtures/confidential_intel_compute_instance/main.tf new file mode 100644 index 00000000..9ca70e10 --- /dev/null +++ b/test/fixtures/confidential_intel_compute_instance/main.tf @@ -0,0 +1,25 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "confidential_computing_intel" { + source = "../../../examples/confidential_computing_intel" + project_id = var.project_id + region = "us-central1" + subnetwork = google_compute_subnetwork.main.self_link + keyring = "key-ring-test" + key = "key-test" + service_account_roles = ["roles/compute.imageUser", "roles/compute.networkUser"] +} diff --git a/test/fixtures/confidential_intel_compute_instance/network.tf b/test/fixtures/confidential_intel_compute_instance/network.tf new file mode 120000 index 00000000..98e7464a --- /dev/null +++ b/test/fixtures/confidential_intel_compute_instance/network.tf @@ -0,0 +1 @@ +../shared/network.tf \ No newline at end of file diff --git a/test/fixtures/confidential_intel_compute_instance/outputs.tf b/test/fixtures/confidential_intel_compute_instance/outputs.tf new file mode 100644 index 00000000..1fcc0026 --- /dev/null +++ b/test/fixtures/confidential_intel_compute_instance/outputs.tf 
@@ -0,0 +1,40 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "self_link" { + description = "Self-link to the instance template." + value = module.confidential_computing_intel.self_link +} + +output "name" { + description = "Name of the instance templates." + value = module.confidential_computing_intel.name +} + +output "instance_self_link" { + description = "Self-link for compute instance." + value = module.confidential_computing_intel.instance_self_link +} + +output "project_id" { + description = "The GCP project to use for integration tests." + value = var.project_id +} + +output "suffix" { + description = "Suffix used as an identifier for resources." + value = module.confidential_computing_intel.suffix +} diff --git a/test/fixtures/confidential_intel_compute_instance/variables.tf b/test/fixtures/confidential_intel_compute_instance/variables.tf new file mode 100644 index 00000000..e232b248 --- /dev/null +++ b/test/fixtures/confidential_intel_compute_instance/variables.tf 
@@ -0,0 +1,20 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The GCP project to use for integration tests." + type = string +} diff --git a/test/fixtures/confidential_intel_compute_instance/versions.tf b/test/fixtures/confidential_intel_compute_instance/versions.tf new file mode 100644 index 00000000..940b48d4 --- /dev/null +++ b/test/fixtures/confidential_intel_compute_instance/versions.tf @@ -0,0 +1,19 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">=0.13" +} diff --git a/test/integration/confidential_intel_compute_instance/confidential_intel_compute_instance_test.go b/test/integration/confidential_intel_compute_instance/confidential_intel_compute_instance_test.go new file mode 100644 index 00000000..3c4250ec --- /dev/null 
+++ b/test/integration/confidential_intel_compute_instance/confidential_intel_compute_instance_test.go 
@@ -0,0 +1,70 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package confidential_intel_compute_instance + +import ( + "fmt" + "testing" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/stretchr/testify/assert" +) + +func TestConfidentialIntelComputeInstance(t *testing.T) { + const instanceNamePrefix = "confidential-intel-encrypted" + + confCompInst := tft.NewTFBlueprintTest(t) + confCompInst.DefineVerify(func(assert *assert.Assertions) { + confCompInst.DefaultVerify(assert) + projectId := confCompInst.GetStringOutput("project_id") + + computeInstanceList := gcloud.Run(t, fmt.Sprintf("compute instances list --format=json --project %s --filter name~%s", projectId, instanceNamePrefix)) + + assert.Len(computeInstanceList.Array(), 1) + computeInstance := computeInstanceList.Array()[0] + confidentialInstanceConfig := computeInstance.Get("confidentialInstanceConfig") + assert.True(confidentialInstanceConfig.Get("enableConfidentialCompute").Bool()) + assert.Equal("TDX", confidentialInstanceConfig.Get("confidentialInstanceType").String()) + assert.Equal("TERMINATE", computeInstance.Get("scheduling").Get("onHostMaintenance").String()) + serviceAccounts := computeInstance.Get("serviceAccounts").Array() + assert.Len(serviceAccounts, 1) + 
assert.Equal(fmt.Sprintf("confidential-compute-sa@%s.iam.gserviceaccount.com", projectId), serviceAccounts[0].Get("email").String()) + serviceAccountBindings := gcloud.Runf(t, "projects get-iam-policy %s --flatten bindings --filter bindings.members:'serviceAccount:%s' --format json", projectId, serviceAccounts[0].Get("email").String()).Array() + assert.Equal(2, len(serviceAccountBindings), "expect two bindings") + assert.ElementsMatch([]string{"roles/compute.imageUser", "roles/compute.networkUser"}, []string{serviceAccountBindings[0].Get("bindings.role").String(), serviceAccountBindings[1].Get("bindings.role").String()}) + disks := computeInstance.Get("disks").Array() + assert.Len(disks, 1) + defaultSuffix := confCompInst.GetStringOutput("suffix") + assert.Equal(fmt.Sprintf("projects/%s/locations/us/keyRings/key-ring-test-%s/cryptoKeys/key-test-%s/cryptoKeyVersions/1", projectId, defaultSuffix, defaultSuffix), disks[0].Get("diskEncryptionKey").Get("kmsKeyName").String()) + + org_policy_cmek_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictNonCmekServices'", projectId).Array() + assert.Len(org_policy_cmek_constraint, 1) + cmek_denied_values_list := org_policy_cmek_constraint[0].Get("listPolicy.deniedValues").Array() + assert.Len(cmek_denied_values_list, 1) + assert.Equal("compute.googleapis.com", cmek_denied_values_list[0].String()) + org_policy_cmek_projects := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictCmekCryptoKeyProjects'", projectId).Array() + assert.Len(org_policy_cmek_projects, 1) + cmek_allowed_projects := org_policy_cmek_projects[0].Get("listPolicy.allowedValues").Array() + assert.Len(cmek_allowed_projects, 1) + assert.Equal(fmt.Sprintf("projects/%s", projectId), cmek_allowed_projects[0].String()) + org_policy_confidential_constraint := gcloud.Runf(t, "resource-manager org-policies list 
--project=%s --format=json --filter constraint='constraints/compute.restrictNonConfidentialComputing'", projectId).Array() + assert.Len(org_policy_confidential_constraint, 1) + cc_denied_values_list := org_policy_confidential_constraint[0].Get("listPolicy.deniedValues").Array() + assert.Len(cc_denied_values_list, 1) + assert.Equal("compute.googleapis.com", cc_denied_values_list[0].String()) + }) + confCompInst.Test() +}
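Review bot: The verify step pins the TDX `confidentialInstanceConfig`, `TERMINATE` maintenance and the CMEK key on the disk, but never inspects `shieldedInstanceConfig`, so a regression that leaves Secure Boot, vTPM or integrity monitoring disabled in the example would still pass even though Confidential VMs build on Shielded VM; next to the `confidentialInstanceType` assertion add `shielded := computeInstance.Get("shieldedInstanceConfig")`, `assert.True(shielded.Get("enableSecureBoot").Bool())` and `assert.True(shielded.Get("enableVtpm").Bool() && shielded.Get("enableIntegrityMonitoring").Bool())` (the trailing `enable_secure_boot`/`enable_vtpm`/`enable_integrity_monitoring` fragment suggests the example sets all three, but that is not shown in this hunk). Separately, `computeInstanceList.Array()[0]` and `serviceAccountBindings[0]`/`[1]` are indexed immediately after an `assert.Len`/`assert.Equal` that does not stop the test, so an empty gcloud result panics instead of reporting a clean failure; guard with `if !assert.Len(computeInstanceList.Array(), 1) { return }` and the equivalent check before indexing the bindings. The KMS assertion also hard-codes `cryptoKeyVersions/1`, which breaks as soon as the key is rotated in the test project — acceptable for a fixture, but worth a one-line comment explaining the assumption. `TestConfidentialIntelComputeInstance` lies entirely within this hunk.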
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}