review fixes

terraform-google-modules · Aug 2, 2024 · e2f4d3b · e2f4d3b
1 parent ce49b59
commit e2f4d3b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/examples/instance_template/confidential_computing/main.tf b/examples/instance_template/confidential_computing/main.tf
@@ -28,5 +28,5 @@ module "instance_template" {
   machine_type               = "n2d-standard-2"
   min_cpu_platform           = "AMD Milan"
   enable_confidential_vm     = true
-  confidential_instance_type = "SEV_SNP"
+  confidential_instance_type = "SEV"
 }
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
@@ -43,17 +43,17 @@ locals {
   # initialize the block only if it is enabled.
   shielded_vm_configs = var.enable_shielded_vm ? [true] : []
 
-  gpu_enabled                    = var.gpu != null
-  alias_ip_range_enabled         = var.alias_ip_range != null
-  snp_confidential_instance_type = var.confidential_instance_type == "SEV_SNP"
+  gpu_enabled                      = var.gpu != null
+  alias_ip_range_enabled           = var.alias_ip_range != null
+  confidential_terminate_condition = var.enable_confidential_vm && (var.confidential_instance_type != "SEV" || var.min_cpu_platform != "AMD Milan")
   on_host_maintenance = (
-    var.preemptible || var.enable_confidential_vm || local.gpu_enabled || var.spot || local.snp_confidential_instance_type
+    var.preemptible || local.gpu_enabled || var.spot || local.confidential_terminate_condition
     ? "TERMINATE"
     : var.on_host_maintenance
   )
 
   # must be set to "AMD Milan" if confidential_instance_type is set to "SEV_SNP", or this will fail to create the VM.
-  min_cpu_platform = local.snp_confidential_instance_type ? "AMD Milan" : var.min_cpu_platform
+  min_cpu_platform = var.confidential_instance_type == "SEV_SNP" ? "AMD Milan" : var.min_cpu_platform
 
   automatic_restart = (
     # must be false when preemptible or spot is true

diff --git a/test/integration/confidential_instance_template/confidential_instance_template_test.go b/test/integration/confidential_instance_template/confidential_instance_template_test.go
@@ -33,9 +33,11 @@ func TestConfidentialInstanceTemplate(t *testing.T) {
 		instance_template := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --format=json --project %s --filter name~%s", confInsTempl.GetStringOutput("project_id"), instanceNamePrefix))
 
 		assert.Len(instance_template.Array(), 1)
-		confidentialInstanceConfig := instance_template.Array()[0].Get("properties").Get("confidentialInstanceConfig")
+		instanceConfigProperties := instance_template.Array()[0].Get("properties")
+		confidentialInstanceConfig := instanceConfigProperties.Get("confidentialInstanceConfig")
 		assert.True(confidentialInstanceConfig.Get("enableConfidentialCompute").Bool())
-		assert.Equal("SEV_SNP", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+		assert.Equal("SEV", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+		assert.Equal("MIGRATE", instanceConfigProperties.Get("scheduling").Get("onHostMaintenance").String())
 	})
 	confInsTempl.Test()
 }