Compute VM module refactor (#3805)

* add ad for compute-vm refactor * Exclue nic_type from validated fields, add split of main.tf and template.tf * boot disk * fix examples and fixtures * attached disks * fix further examples and module-level tests * remove extra file * fix mig examples * finish refactoring variables * align fast and other modules * refactor(compute-vm): align examples and ADR with the newly implemented interface This commit addresses the remaining references of the `instance_type` and `confidential_compute` parameters in the testing environment and updates the ADR. * feat(compute-vm): add network_performance_config to instance and templates This change implements the usage of the `network_performance_tier` variable we added earlier into the actual Terraform resources. --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2026-03-26 12:31:40 +01:00
parent 2c39df6453
commit a4eb4d24fd
64 changed files with 1971 additions and 1119 deletions
--- a/fast/addons/2-networking-test/main.tf
+++ b/fast/addons/2-networking-test/main.tf
@@ -50,14 +50,14 @@ module "service-accounts" {
 }

 module "instances" {
-  source        = "../../../modules/compute-vm"
-  for_each      = { for k in local.instances : k.name => k }
-  project_id    = each.value.project_id
-  zone          = each.value.zone
-  name          = each.key
-  instance_type = each.value.type
+  source       = "../../../modules/compute-vm"
+  for_each     = { for k in local.instances : k.name => k }
+  project_id   = each.value.project_id
+  zone         = each.value.zone
+  name         = each.key
+  machine_type = each.value.type
  boot_disk = {
-    initialize_params = {
+    source = {
      image = each.value.image
    }
  }
--- a/fast/addons/2-networking-test/outputs.tf
+++ b/fast/addons/2-networking-test/outputs.tf
@@ -25,7 +25,7 @@ output "instance_ssh" {
  description = "Instance SSH commands."
  value = {
    for k, v in module.instances : k => (
-      "gcloud compute ssh ${k} --project ${v.instance.project} --zone ${v.instance.zone}"
+      "gcloud compute ssh ${k} --project ${nonsensitive(v.instance.project)} --zone ${nonsensitive(v.instance.zone)}"
    )
  }
 }
--- a/fast/extras/0-cicd-gitlab/README.md
+++ b/fast/extras/0-cicd-gitlab/README.md
@@ -70,7 +70,7 @@ group with source ref:
 ```hcl
 modules_config = {
  project_name = "modules"
-  key_config   = {
+  key_config = {
    create_key     = true
    create_secrets = true
  }
@@ -86,7 +86,7 @@ repository:
 ```hcl
 modules_config = {
  project_name = "modules"
-  key_config   = {
+  key_config = {
    create_key     = true
    create_secrets = true
  }
@@ -106,11 +106,11 @@ deploy key in the modules project, and as secrets in the stage repositories:
 ```hcl
 modules_config = {
  project_name = "modules"
-  key_config   = {
+  key_config = {
    create_key     = true
    create_secrets = true
  }
-  group      = "shared"
+  group = "shared"
  key_config = {
    create_key     = true
    create_secrets = true
@@ -127,11 +127,11 @@ and new repositories need to be created and their corresponding secret set:
 ```hcl
 modules_config = {
  project_name = "modules"
-  key_config   = {
+  key_config = {
    create_key     = true
    create_secrets = true
  }
-  group      = "shared"
+  group = "shared"
  key_config = {
    create_secrets = true
    keypair_path   = "~/modules-repository-key"
--- a/fast/project-templates/devops-azure-wif/self-hosted-agents/main.tf
+++ b/fast/project-templates/devops-azure-wif/self-hosted-agents/main.tf
@@ -68,17 +68,19 @@ module "secret" {
 }

 module "instance" {
-  source        = "../../../../modules/compute-vm"
-  count         = local.create_instance ? 1 : 0
-  project_id    = var.project_id
-  zone          = "${var.location}-${var.instance_config.zone}"
-  name          = "${var.name}-agent"
-  instance_type = "e2-micro"
+  source       = "../../../../modules/compute-vm"
+  count        = local.create_instance ? 1 : 0
+  project_id   = var.project_id
+  zone         = "${var.location}-${var.instance_config.zone}"
+  name         = "${var.name}-agent"
+  machine_type = "e2-micro"
  boot_disk = {
    auto_delete = false
-    initialize_params = {
+    source = {
      image = "projects/cos-cloud/global/images/family/cos-117-lts"
-      size  = 10
+    }
+    initialize_params = {
+      size = 10
    }
  }
  network_interfaces = [{
--- a/fast/stages/2-networking/factory-nva.tf
+++ b/fast/stages/2-networking/factory-nva.tf
@@ -47,7 +47,7 @@ locals {
              nva_def.auto_instance_config.image,
              "projects/debian-cloud/global/images/family/debian-12"
            )
-            instance_type = try(
+            machine_type = try(
              nva_def.auto_instance_config.instance_type, "e2-standard-4"
            )
            metadata = coalesce(
@@ -60,7 +60,7 @@ locals {
              }
            )
            attachments          = try(nva_def.auto_instance_config.nics, [])
-            confidential_compute = try(nva_def.auto_instance_config.confidential_compute, false)
+            confidential_compute = try(nva_def.auto_instance_config.confidential_compute, null)
            encryption           = try(nva_def.auto_instance_config.encryption, null)
            options              = try(nva_def.auto_instance_config.options, null)
            shielded_config      = try(nva_def.auto_instance_config.shielded_config, null)
@@ -117,7 +117,7 @@ module "nva-instance" {
  project_id     = each.value.project_id
  name           = "nva-${each.key}"
  zone           = each.value.zone
-  instance_type  = each.value.instance_type
+  machine_type   = each.value.machine_type
  tags           = each.value.tags
  can_ip_forward = true
  network_interfaces = [for k, v in each.value.attachments :
@@ -129,14 +129,18 @@ module "nva-instance" {
    }
  ]
  boot_disk = {
+    source = {
+      image = each.value.image
+    }
    initialize_params = {
-      image                  = each.value.image
-      google-logging-enabled = true
-      type                   = "pd-ssd"
-      size                   = 10 # TODO: make configurable?
+      type = "pd-ssd"
+      size = 10 # TODO: make configurable?
    }
  }
-  metadata             = each.value.metadata
+  metadata = merge(
+    each.value.metadata,
+    { google-logging-enabled = true }
+  )
  encryption           = each.value.encryption
  shielded_config      = each.value.shielded_config
  confidential_compute = each.value.confidential_compute
--- a/fast/stages/3-gke-dev/README.md
+++ b/fast/stages/3-gke-dev/README.md
@@ -115,19 +115,19 @@ clusters = {
      }
      private_nodes = true
    }
-    enable_features =  {
+    enable_features = {
      binary_authorization = true
      groups_for_rbac      = "gke-security-groups@example.com"
      intranode_visibility = true
      rbac_binding_config = {
-        enable_insecure_binding_system_unauthenticated: false
-        enable_insecure_binding_system_authenticated: false
+        enable_insecure_binding_system_unauthenticated : false
+        enable_insecure_binding_system_authenticated : false
      }
-      shielded_nodes       = true
+      shielded_nodes = true
      upgrade_notifications = {
        event_types = ["SECURITY_BULLETIN_EVENT", "UPGRADE_AVAILABLE_EVENT", "UPGRADE_INFO_EVENT", "UPGRADE_EVENT"]
      }
-      workload_identity    = true
+      workload_identity = true
    }
    vpc_config = {
      subnetwork             = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke"
@@ -141,7 +141,7 @@ clusters = {
 nodepools = {
  test-00 = {
    00 = {
-      node_count  = { initial = 1 }
+      node_count = { initial = 1 }
      node_config = {
        sandbox_config_gvisor = true
      }