feat: add confidential computing example for intel arch (#435)

arthurlapertosa · web-flow · commit cf84229c7e1f · 2024-10-09T12:10:30.000-07:00
diff --git a/examples/confidential_computing_intel/README.md b/examples/confidential_computing_intel/README.md
@@ -0,0 +1,35 @@
+# confidential computing vm
+
+This is an example of a vm creation with confidential computing,
+intel architecture, encrypted disk using a multiregion (US by default)
+Cloud HSM key and a custom service account with cloud-platform scope.
+It also creates org policies enforcing the use of CMEK encrypted instances
+and confidential computing to all newly created VMs within the project.
+Also, an additional org policy constraint is created, which only allows
+Cloud KMS keys (used for CMEK protection) that come from the provided input project.
+Note: existing VM instances won't be affected by the new org policy.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| key | Key name. | `string` | n/a | yes |
+| keyring | Keyring name. | `string` | n/a | yes |
+| location | Location for the resources (keyring, key, network, etc.). | `string` | `"us"` | no |
+| project\_id | The Google Cloud project ID. | `string` | n/a | yes |
+| region | The GCP region to create and test resources in. | `string` | `"us-central1"` | no |
+| service\_account\_roles | Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM. | `list(string)` | `[]` | no |
+| subnetwork | The subnetwork selflink to host the compute instances in. | `string` | n/a | yes |
+| suffix | A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring). | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance\_self\_link | Self-link for compute instance. |
+| name | Name of the instance templates. |
+| self\_link | Self-link to the instance template. |
+| suffix | Suffix used as an identifier for resources. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/confidential_computing_intel/main.tf b/examples/confidential_computing_intel/main.tf
@@ -0,0 +1,99 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_suffix = var.suffix == "" ? random_string.suffix.result : "${random_string.suffix.result}-${var.suffix}"
+  key_name       = "${var.key}-${local.default_suffix}"
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "3.0.0"
+
+  keyring              = "${var.keyring}-${local.default_suffix}"
+  location             = var.location
+  project_id           = var.project_id
+  keys                 = [local.key_name]
+  purpose              = "ENCRYPT_DECRYPT"
+  key_protection_level = "HSM"
+  prevent_destroy      = false
+}
+
+resource "google_service_account" "default" {
+  project      = var.project_id
+  account_id   = "confidential-compute-sa"
+  display_name = "Custom SA for confidential VM Instance"
+}
+
+resource "google_project_iam_member" "service_account_roles" {
+  for_each = toset(var.service_account_roles)
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.default.email}"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = module.kms.keys[local.key_name]
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
+  ]
+}
+
+module "instance_template" {
+  source = "terraform-google-modules/vm/google//modules/instance_template"
+
+  region     = var.region
+  project_id = var.project_id
+  subnetwork = var.subnetwork
+
+  name_prefix                = "confidential-intel-encrypted"
+  source_image_project       = "tdx-guest-images"
+  source_image               = "ubuntu-2204-lts"
+  disk_type                  = "pd-ssd"
+  machine_type               = "c3-standard-4"
+  min_cpu_platform           = "Intel Sapphire Rapids"
+  enable_confidential_vm     = true
+  confidential_instance_type = "TDX"
+
+  service_account = {
+    email  = google_service_account.default.email
+    scopes = ["cloud-platform"]
+  }
+  disk_encryption_key = module.kms.keys[local.key_name]
+}
+
+module "compute_instance" {
+  source  = "terraform-google-modules/vm/google//modules/compute_instance"
+  version = "~> 12.0"
+
+  region              = var.region
+  subnetwork          = var.subnetwork
+  hostname            = "confidential-intel-encrypted"
+  instance_template   = module.instance_template.self_link
+  deletion_protection = false
+}
diff --git a/examples/confidential_computing_intel/org_policies.tf b/examples/confidential_computing_intel/org_policies.tf
@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential-computing-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/compute.restrictNonConfidentialComputing"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "enforce-cmek-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/gcp.restrictNonCmekServices"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "restrict-cmek-cryptokey-projects-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id        = var.project_id
+  policy_for        = "project"
+  constraint        = "constraints/gcp.restrictCmekCryptoKeyProjects"
+  policy_type       = "list"
+  allow             = ["projects/${var.project_id}"]
+  allow_list_length = 1
+}
diff --git a/examples/confidential_computing_intel/outputs.tf b/examples/confidential_computing_intel/outputs.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+output "self_link" {
+  description = "Self-link to the instance template."
+  value       = module.instance_template.self_link
+}
+
+output "name" {
+  description = "Name of the instance templates."
+  value       = module.instance_template.name
+}
+
+output "instance_self_link" {
+  description = "Self-link for compute instance."
+  value       = module.compute_instance.instances_self_links[0]
+}
+
+output "suffix" {
+  description = "Suffix used as an identifier for resources."
+  value       = local.default_suffix
+}
diff --git a/examples/confidential_computing_intel/variables.tf b/examples/confidential_computing_intel/variables.tf
@@ -0,0 +1,59 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The Google Cloud project ID."
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region to create and test resources in."
+  type        = string
+  default     = "us-central1"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork selflink to host the compute instances in."
+  type        = string
+}
+
+variable "location" {
+  description = "Location for the resources (keyring, key, network, etc.)."
+  type        = string
+  default     = "us"
+}
+
+variable "suffix" {
+  description = "A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring)."
+  type        = string
+  default     = ""
+}
+
+variable "keyring" {
+  description = "Keyring name."
+  type        = string
+}
+
+variable "key" {
+  description = "Key name."
+  type        = string
+}
+
+variable "service_account_roles" {
+  description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM."
+  type        = list(string)
+  default     = []
+}
diff --git a/metadata.yaml b/metadata.yaml
@@ -52,6 +52,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml
@@ -42,6 +42,8 @@ spec:
         location: examples/confidential_computing
       - name: confidential_computing
         location: examples/instance_template/confidential_computing
+      - name: confidential_computing_intel
+        location: examples/confidential_computing_intel
       - name: disk_snapshot
         location: examples/compute_instance/disk_snapshot
       - name: encrypted_disks
diff --git a/test/fixtures/confidential_intel_compute_instance/main.tf b/test/fixtures/confidential_intel_compute_instance/main.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential_computing_intel" {
+  source                = "../../../examples/confidential_computing_intel"
+  project_id            = var.project_id
+  region                = "us-central1"
+  subnetwork            = google_compute_subnetwork.main.self_link
+  keyring               = "key-ring-test"
+  key                   = "key-test"
+  service_account_roles = ["roles/compute.imageUser", "roles/compute.networkUser"]
+}
diff --git a/test/fixtures/confidential_intel_compute_instance/network.tf b/test/fixtures/confidential_intel_compute_instance/network.tf
@@ -0,0 +1 @@
+../shared/network.tf
diff --git a/test/fixtures/confidential_intel_compute_instance/outputs.tf b/test/fixtures/confidential_intel_compute_instance/outputs.tf
diff --git a/test/fixtures/confidential_intel_compute_instance/variables.tf b/test/fixtures/confidential_intel_compute_instance/variables.tf
diff --git a/test/fixtures/confidential_intel_compute_instance/versions.tf b/test/fixtures/confidential_intel_compute_instance/versions.tf
diff --git a/test/integration/confidential_intel_compute_instance/confidential_intel_compute_instance_test.go b/test/integration/confidential_intel_compute_instance/confidential_intel_compute_instance_test.go
