[WIP] Add support for KMS autokey (#3515)
* wip * folder module * project factory schema * remove spurious project template * gcs and compute-vm modules * variable order
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
16da9ffaad
commit
7e32058010
@@ -31,6 +31,8 @@ In both modes, an optional service account can be created and assigned to either
|
||||
- [Spot VM](#spot-vm)
|
||||
- [Confidential compute](#confidential-compute)
|
||||
- [Disk encryption with Cloud KMS](#disk-encryption-with-cloud-kms)
|
||||
- [External keys](#external-keys)
|
||||
- [KMS Autokey](#kms-autokey)
|
||||
- [Advanced machine features](#advanced-machine-features)
|
||||
- [Instance template](#instance-template)
|
||||
- [Global template](#global-template)
|
||||
@@ -731,6 +733,8 @@ module "template-confidential-example" {
|
||||
|
||||
### Disk encryption with Cloud KMS
|
||||
|
||||
#### External keys
|
||||
|
||||
This example shows how to control disk encryption via the the `encryption` variable, in this case the self link to a KMS CryptoKey that will be used to encrypt boot and attached disk. Managing the key with the `../kms` module is of course possible, but is not shown here.
|
||||
|
||||
```hcl
|
||||
@@ -801,6 +805,38 @@ module "kms-vm-example" {
|
||||
# tftest inventory=cmek.yaml e2e
|
||||
```
|
||||
|
||||
#### KMS Autokey
|
||||
|
||||
For KMS Autokey to be used the [project needs to be enabled](https://docs.cloud.google.com/kms/docs/enable-autokey) and the principal running Terraform needs to have the `roles/cloudkms.autokeyUser` on the Autokey project.
|
||||
|
||||
```hcl
|
||||
module "autokey-vm-example" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
project_id = "myproject"
|
||||
zone = "europe-west8-b"
|
||||
name = "kms-test"
|
||||
network_interfaces = [{
|
||||
network = "projects/myhost/global/networks/dev-spoke-0"
|
||||
subnetwork = "projects/myhost/regions/europe-west8/subnetworks/gce"
|
||||
}]
|
||||
attached_disks = [{
|
||||
name = "attached-disk"
|
||||
size = 10
|
||||
}]
|
||||
service_account = {
|
||||
auto_create = true
|
||||
}
|
||||
kms_autokeys = {
|
||||
default = {}
|
||||
}
|
||||
encryption = {
|
||||
encrypt_boot = true
|
||||
kms_key_self_link = "$kms_keys:autokey/default"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
```
|
||||
|
||||
### Advanced machine features
|
||||
|
||||
Advanced machine features can be configured via the `options.advanced_machine_features` variable.
|
||||
@@ -1122,10 +1158,10 @@ module "sole-tenancy" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L304) | Instance name. | <code>string</code> | ✓ | |
|
||||
| [network_interfaces](variables.tf#L316) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ network = string subnetwork = string alias_ips = optional(map(string), {}) nat = optional(bool, false) nic_type = optional(string) stack_type = optional(string) addresses = optional(object({ internal = optional(string) external = optional(string) }), null) network_tier = optional(string) }))">list(object({…}))</code> | ✓ | |
|
||||
| [project_id](variables.tf#L401) | Project id. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L521) | Compute zone. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L322) | Instance name. | <code>string</code> | ✓ | |
|
||||
| [network_interfaces](variables.tf#L334) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ network = string subnetwork = string alias_ips = optional(map(string), {}) nat = optional(bool, false) nic_type = optional(string) stack_type = optional(string) addresses = optional(object({ internal = optional(string) external = optional(string) }), null) network_tier = optional(string) }))">list(object({…}))</code> | ✓ | |
|
||||
| [project_id](variables.tf#L419) | Project id. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L539) | Compute zone. | <code>string</code> | ✓ | |
|
||||
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | <code title="object({ auto_delete = optional(bool, false) mode = string replica_zone = string type = string })">object({…})</code> | | <code title="{ auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" }">{…}</code> |
|
||||
| [attached_disks](variables.tf#L37) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | <code title="list(object({ name = optional(string) device_name = optional(string) size = string snapshot_schedule = optional(list(string)) source = optional(string) source_type = optional(string) options = optional( object({ architecture = optional(string) auto_delete = optional(bool, false) # applies only to vm templates mode = optional(string, "READ_WRITE") provisioned_iops = optional(number) provisioned_throughput = optional(number) # in MiB/s replica_zone = optional(string) storage_pool = optional(string) type = optional(string, "pd-balanced") }), { auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" } ) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [boot_disk](variables.tf#L92) | Boot disk properties. Initialize params are ignored when source is set. | <code title="object({ auto_delete = optional(bool, true) snapshot_schedule = optional(list(string)) source = optional(string) initialize_params = optional(object({ architecture = optional(string) image = optional(string, "projects/debian-cloud/global/images/family/debian-11") provisioned_iops = optional(number) provisioned_throughput = optional(number) # in MiB/s size = optional(number, 10) storage_pool = optional(string) type = optional(string, "pd-balanced") }), {}) use_independent_disk = optional(bool, false) })">object({…})</code> | | <code title="{ initialize_params = {} }">{…}</code> |
|
||||
@@ -1142,22 +1178,23 @@ module "sole-tenancy" {
|
||||
| [iam](variables.tf#L243) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_schedule](variables.tf#L249) | Assign or create and assign an instance schedule policy. Either resource policy id or create_config must be specified if not null. Set active to null to dtach a policy from vm before destroying. | <code title="object({ active = optional(bool, true) description = optional(string) expiration_time = optional(string) start_time = optional(string) timezone = optional(string, "UTC") vm_start = optional(string) vm_stop = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [instance_type](variables.tf#L273) | Instance type. | <code>string</code> | | <code>"f1-micro"</code> |
|
||||
| [labels](variables.tf#L279) | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata](variables.tf#L285) | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata_startup_script](variables.tf#L291) | Instance startup script. Will trigger recreation on change, even after importing. | <code>string</code> | | <code>null</code> |
|
||||
| [min_cpu_platform](variables.tf#L298) | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| [network_attached_interfaces](variables.tf#L309) | Network interfaces using network attachments. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [network_tag_bindings](variables.tf#L337) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L344) | Instance options. | <code title="object({ advanced_machine_features = optional(object({ enable_nested_virtualization = optional(bool) enable_turbo_mode = optional(bool) enable_uefi_networking = optional(bool) performance_monitoring_unit = optional(string) threads_per_core = optional(number) visible_core_count = optional(number) })) allow_stopping_for_update = optional(bool, true) deletion_protection = optional(bool, false) graceful_shutdown = optional(object({ enabled = optional(bool, false) max_duration_secs = optional(number) })) max_run_duration = optional(object({ nanos = optional(number) seconds = number })) node_affinities = optional(map(object({ values = list(string) in = optional(bool, true) })), {}) spot = optional(bool, false) termination_action = optional(string) })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false spot = false termination_action = null }">{…}</code> |
|
||||
| [project_number](variables.tf#L406) | Project number. Used in tag bindings to avoid a permadiff. | <code>string</code> | | <code>null</code> |
|
||||
| [resource_policies](variables.tf#L412) | Resource policies to attach to the instance or template. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [scratch_disks](variables.tf#L419) | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| [service_account](variables.tf#L431) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object({ auto_create = optional(bool, false) email = optional(string) scopes = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [shielded_config](variables.tf#L441) | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = optional(bool, true) enable_vtpm = optional(bool, true) enable_integrity_monitoring = optional(bool, true) })">object({…})</code> | | <code>null</code> |
|
||||
| [snapshot_schedules](variables.tf#L451) | Snapshot schedule resource policies that can be attached to disks. | <code title="map(object({ schedule = object({ daily = optional(object({ days_in_cycle = number start_time = string })) hourly = optional(object({ hours_in_cycle = number start_time = string })) weekly = optional(list(object({ day = string start_time = string }))) }) description = optional(string) retention_policy = optional(object({ max_retention_days = number on_source_disk_delete_keep = optional(bool) })) snapshot_properties = optional(object({ chain_name = optional(string) guest_flush = optional(bool) labels = optional(map(string)) storage_locations = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L494) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tag_bindings_immutable](variables.tf#L501) | Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L515) | Instance network tags for firewall rule targets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [kms_autokeys](variables.tf#L279) | KMS Autokey key handles. If location is not specified it will be inferred from the zone. Key handle names will be added to the kms_keys context with an `autokey/` prefix. | <code title="map(object({ location = optional(string) resource_type_selector = optional(string, "compute.googleapis.com/Disk") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L297) | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata](variables.tf#L303) | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata_startup_script](variables.tf#L309) | Instance startup script. Will trigger recreation on change, even after importing. | <code>string</code> | | <code>null</code> |
|
||||
| [min_cpu_platform](variables.tf#L316) | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| [network_attached_interfaces](variables.tf#L327) | Network interfaces using network attachments. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [network_tag_bindings](variables.tf#L355) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L362) | Instance options. | <code title="object({ advanced_machine_features = optional(object({ enable_nested_virtualization = optional(bool) enable_turbo_mode = optional(bool) enable_uefi_networking = optional(bool) performance_monitoring_unit = optional(string) threads_per_core = optional(number) visible_core_count = optional(number) })) allow_stopping_for_update = optional(bool, true) deletion_protection = optional(bool, false) graceful_shutdown = optional(object({ enabled = optional(bool, false) max_duration_secs = optional(number) })) max_run_duration = optional(object({ nanos = optional(number) seconds = number })) node_affinities = optional(map(object({ values = list(string) in = optional(bool, true) })), {}) spot = optional(bool, false) termination_action = optional(string) })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false spot = false termination_action = null }">{…}</code> |
|
||||
| [project_number](variables.tf#L424) | Project number. Used in tag bindings to avoid a permadiff. | <code>string</code> | | <code>null</code> |
|
||||
| [resource_policies](variables.tf#L430) | Resource policies to attach to the instance or template. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [scratch_disks](variables.tf#L437) | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| [service_account](variables.tf#L449) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object({ auto_create = optional(bool, false) email = optional(string) scopes = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [shielded_config](variables.tf#L459) | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = optional(bool, true) enable_vtpm = optional(bool, true) enable_integrity_monitoring = optional(bool, true) })">object({…})</code> | | <code>null</code> |
|
||||
| [snapshot_schedules](variables.tf#L469) | Snapshot schedule resource policies that can be attached to disks. | <code title="map(object({ schedule = object({ daily = optional(object({ days_in_cycle = number start_time = string })) hourly = optional(object({ hours_in_cycle = number start_time = string })) weekly = optional(list(object({ day = string start_time = string }))) }) description = optional(string) retention_policy = optional(object({ max_retention_days = number on_source_disk_delete_keep = optional(bool) })) snapshot_properties = optional(object({ chain_name = optional(string) guest_flush = optional(bool) labels = optional(map(string)) storage_locations = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L512) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tag_bindings_immutable](variables.tf#L519) | Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L533) | Instance network tags for firewall rule targets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
Reference in New Issue
Block a user