From 7f40aba4cd90786af2d3515a4839a873995ba28d Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Sat, 30 May 2020 08:57:21 +0200
Subject: [PATCH] Support Cloud KMS on Compute-VM module + Fixes (#79) * * Add support to KMS disk encryption (boot and attached) * Fix Instance Group Example * Fix * * Fix image boot disk * Add example with disk encryption * Fix Title * Improve logic * Fix Readme Fix viariable description * Update README.md * update README variables/outputs table * add change to CHANGELOG
Co-authored-by: Ludovico Magnocavallo
---
CHANGELOG.md | 1 +
modules/compute-vm/README.md | 51 +++++++++++++++++++++++++++++++--
modules/compute-vm/main.tf | 10 +++++++
modules/compute-vm/variables.tf | 10 +++++++
4 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16d91567d..3b3d0bb50 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+- add support for disk encryption to the `compute-vm` module
 - new `datafusion` module
 - new `container-registry` module
 - new `artifact-registry` module
diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index 14fb10dc7..4e37dc7eb 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -31,12 +31,57 @@ module "simple-vm-example" {
 }
 ```
+### Disk encryption with Cloud KMS
+
+This example shows how to control disk encryption via the the `encryption` variable, in this case the self link to a KMS CryptoKey that will be used to encrypt boot and attached disk. Managing the key with the `../kms` module is of course possible, but is not shown here.
+
+```hcl
+module "kms-vm-example" {
+ source = "../modules/compute-vm"
+ project_id = local.project_id
+ region = local.region
+ zone = local.zone
+ name = "kms-test"
+ network_interfaces = [{
+ network = local.network_self_link,
+ subnetwork = local.subnet_self_link,
+ nat = false,
+ addresses = null
+ }]
+ attached_disks = [
+ {
+ name = "attached-disk"
+ size = 10
+ image = null
+ options = {
+ auto_delete = true
+ mode = null
+ source = null
+ type = null
+ }
+ }
+ ]
+ service_account_create = true
+ instance_count = 1
+ boot_disk = {
+ image = "projects/debian-cloud/global/images/family/debian-10"
+ type = "pd-ssd"
+ size = 10
+ }
+ encryption = {
+ encrypt_boot = true
+ disk_encryption_key_raw = null
+ kms_key_self_link = local.kms_key.self_link
+ }
+}
+```
+
 ### Instance template
 This example shows how to use the module to manage an instance template that defines an additional attached disk for each instance, and overrides defaults for the boot disk image and service account.
 ```hcl
-module "debian-test" {
+module "cos-test" {
 source = "../modules/compute-vm"
 project_id = "my-project"
 region = "europe-west1"
@@ -86,11 +131,10 @@ module "instance-group" {
 }
 service_account = local.service_account_email
 service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- use_instance_template = true
 metadata = {
 user-data = local.cloud_config
 }
- group = {}
+ group = { named_ports = {} }
 }
 ```
@@ -108,6 +152,7 @@ module "instance-group" {
 | *attached_disk_defaults* | Defaults for attached disks options. | object({...}) | | ... |
 | *attached_disks* | Additional disks, if options is null defaults will be used in its place. | list(object({...})) | | [] |
 | *boot_disk* | Boot disk properties. | object({...}) | | ... |
+| *encryption* | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | object({...}) | | null |
 | *group* | Define this variable to create an instance group for instances. Disabled for template use. | object({...}) | | null |
 | *hostname* | Instance FQDN name. | string | | null |
 | *instance_count* | Number of instances to create (only for non-template usage). | number | | 1 |
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index e97d576c2..7542e1143 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -66,6 +66,14 @@ resource "google_compute_disk" "disks" {
 disk_type = local.attached_disks[each.value.disk_name].options.type
 image = local.attached_disks[each.value.disk_name].image
 })
+ dynamic disk_encryption_key {
+ for_each = var.encryption != null ? [""] : []
+
+ content {
+ raw_key = var.encryption.disk_encryption_key_raw
+ kms_key_self_link = var.encryption.kms_key_self_link
+ }
+ }
 }
 resource "google_compute_instance" "default" {
@@ -103,6 +111,8 @@ resource "google_compute_instance" "default" {
 image = var.boot_disk.image
 size = var.boot_disk.size
 }
+ disk_encryption_key_raw = var.encryption != null ? var.encryption.disk_encryption_key_raw : null
+ kms_key_self_link = var.encryption != null ? var.encryption.kms_key_self_link : null
 }
 dynamic network_interface {
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index 3593fef2c..0470290d8 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
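Review bot: The `dynamic disk_encryption_key` block added to `google_compute_disk.disks` is emitted whenever `var.encryption` is non-null and passes both `raw_key` and `kms_key_self_link` through unchanged, so an `encryption` object with both keys null still yields a block with two null attributes, and the "only one may be set" rule from the variable description is left to the provider to reject at apply time, if at all. A guard on the `for_each` that follows the nested-conditional pattern the module already uses would avoid the empty block: `for_each = var.encryption == null ? [] : (var.encryption.disk_encryption_key_raw == null && var.encryption.kms_key_self_link == null ? [] : [""])`. The `raw_key` path carries a customer-supplied key that, once set on the resource, is recorded in the Terraform state like any other attribute, so the state backend must be treated as holding key material; a comment above the block such as `# raw_key is persisted in Terraform state — restrict access to the state backend` would make that visible to module users. The enclosing `google_compute_disk.disks` resource starts outside the hunk.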
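Review bot: `encrypt_boot` is never consulted: the two lines added to the boot disk of `google_compute_instance.default` set `disk_encryption_key_raw` and `kms_key_self_link` whenever `var.encryption` is non-null, so a caller passing `encrypt_boot = false` to keep the boot disk on Google-managed encryption (as the variable description and README promise) still gets the key applied, and there is no way to encrypt only the attached disks. Keeping the conditional style already used on these lines, the fix is `disk_encryption_key_raw = var.encryption == null ? null : (var.encryption.encrypt_boot ? var.encryption.disk_encryption_key_raw : null)` and `kms_key_self_link = var.encryption == null ? null : (var.encryption.encrypt_boot ? var.encryption.kms_key_self_link : null)`. If main.tf also declares an instance template resource for the template use case the README describes, it receives no encryption settings in this patch, which is worth confirming. The enclosing `google_compute_instance.default` resource starts and ends outside the hunk.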
@@ -60,6 +60,16 @@ variable "boot_disk" {
 }
 }
+variable "encryption" {
+ description = "Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk."
+ type = object({
+ encrypt_boot = bool
+ disk_encryption_key_raw = string
+ kms_key_self_link = string
+ })
+ default = null
+}
+
 variable "group" {
 description = "Define this variable to create an instance group for instances. Disabled for template use."
 type = object({
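Review bot: The mutual-exclusion rule stated in the description of `variable "encryption"` ("Only one of kms_key_self_link and disk_encryption_key_raw may be set") is documentation only; nothing in the variable rejects a caller who sets both, so the mistake surfaces from the provider at apply time, if at all. Where the Terraform version in use supports `validation` blocks on input variables, the check below catches it at plan time; it uses a nested conditional rather than `&&`/`||` on the outer test so that a null `var.encryption` is never dereferenced, the same pattern main.tf relies on. `disk_encryption_key_raw` carries a customer-supplied key, so on versions that support the `sensitive = true` argument for input variables it should be marked as such to keep the value out of plan output.
```hcl
variable "encryption" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      var.encryption == null
      ? true
      : var.encryption.disk_encryption_key_raw == null || var.encryption.kms_key_self_link == null
    )
    error_message = "Only one of kms_key_self_link and disk_encryption_key_raw may be set."
  }
}
```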