diff --git a/CHANGELOG.md b/CHANGELOG.md
index 354856614..42d8d05db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+- add support for Shielded VM to `compute-vm`
+
 ## [2.4.1] - 2020-07-06
 
 - better fix external IP assignment in `compute-vm`
diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index 91b35abba..ec5183727 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -167,6 +167,7 @@ module "instance-group" {
 | *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> |  | <code title="">null</code> |
 | *service_account_create* | Auto-create service account. | <code title="">bool</code> |  | <code title="">false</code> |
 | *service_account_scopes* | Scopes applied to service account. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *shielded_config* | Shielded VM configuration of the instances. | <code title="object&#40;&#123;&#10;enable_secure_boot          &#61; bool&#10;enable_vtpm                 &#61; bool&#10;enable_integrity_monitoring &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *tags* | Instance tags. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *use_instance_template* | Create instance template instead of instances. | <code title="">bool</code> |  | <code title="">false</code> |
 
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index 003d8c005..a25a94138 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -163,9 +163,17 @@ resource "google_compute_instance" "default" {
     scopes = local.service_account_scopes
   }
 
-  # guest_accelerator
-  # shielded_instance_config
+  dynamic shielded_instance_config {
+    for_each = var.shielded_config != null ? [var.shielded_config] : []
+    iterator = config
+    content {
+      enable_secure_boot          = config.value.enable_secure_boot
+      enable_vtpm                 = config.value.enable_vtpm
+      enable_integrity_monitoring = config.value.enable_integrity_monitoring
+    }
+  }
 
+  # guest_accelerator
 }
 
 resource "google_compute_instance_iam_binding" "default" {
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index 2102d2fbf..07d1c4406 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -218,3 +218,13 @@ variable "zone" {
   description = "Compute zone."
   type        = string
 }
+
+variable "shielded_config" {
+  description = "Shielded VM configuration of the instances."
+  type = object({
+    enable_secure_boot          = bool
+    enable_vtpm                 = bool
+    enable_integrity_monitoring = bool
+  })
+  default = null
+}