terraform: enable creation of SEV-SNP VMs on GCP

terraform/infrastructure/gcp/.terraform.lock.hcl

@@ -2,26 +2,50 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "5.17.0"
-  constraints = "5.17.0"
+  version     = "5.23.0"
+  constraints = "5.23.0"
   hashes = [
-    "h1:9DKCaGp9EFKDLWIOWI3yA/RgWTMh0EMD6+iggVXC9l0=",
-    "h1:JEfDiodirnMqwNaub/anXoOtWt68aEN80QtPJxg3jsc=",
-    "h1:TANQI64JuScQ2LTITQqz7eh1RjhYDItdbI5p1aBOtXY=",
-    "h1:dT3UftIyARC7YjS4yurPlNS7WJAHICDHMXSluAAvavA=",
-    "h1:lu84RYioCT4OxXbFBdqom4QvSPAjMkEyHPSIAxuS7oo=",
-    "zh:31b4d485ee66e6ff2eb1d8e476e694904447ce2b7143a2e067e4b80a84958d13",
-    "zh:32e86a51c4b0b29b7a18dd95616ea2976f08a4a7385e00f2bcab266217ee4320",
-    "zh:357f352bf04e7bc10d61d49296bf6503f31a3db0500169cb532afde7d318643e",
-    "zh:4b4637ca397cc771136edf7ec5578b5ab8631a8955a86d4fce3b8c40ca8c26b4",
-    "zh:4fe198b7427f7bf04270a5491a0352379c2b0a1caf12e206e6e224ceb085f56a",
-    "zh:7abb8509a61602d5ed4c801e7cd7c8299d109bc07980352251ba79880a99abab",
-    "zh:b1550fe08c650d8419860da1568d3f77093d269f880cad7d720d843b2a9ec545",
-    "zh:c91d7079646a3fdbb927085e368a16b221a23c17cf7455d5088f0c8f5da48c9f",
-    "zh:d367213a5f392852ef0708283df583703b2efd0b44f9e599cd055086c371cf74",
-    "zh:d5b557f294f4094a865afaa0611dc2e657d485b60903f12795eeedc2e1c3aa87",
+    "h1:2VJTKCZWQ1DaNwclFxSo27avsYwWgq/itwLZ3xKyl/o=",
+    "h1:4evtipODvV5s86gihS+jyk1cSW1xLn22jy8Ox8zzhAs=",
+    "h1:BD+iQfFcZ0OeaZI2JWDp2sLqSr+DfZtWy4yo1OVMnTI=",
+    "h1:my3kqg4hIpWLu2WwRewOFxBS+FXfkAIiw8xTYVPNS9M=",
+    "h1:xpm8QPNp2soGqIEnf4SNoZaTlQ/SbNH63BooJkSbgX0=",
+    "zh:18eaaa51a8b30fed61c73799b8716a9bd08ccd382bc395c63e45b9a52ed8b300",
+    "zh:20c71acf091a282db88473ec6f0a684ac59891713c49b2ff1cb35c1539da3121",
+    "zh:2e3e9ae1d3b045dcaa39053f4d1d066fa17e5b81f4ed7a5e57cc4e6e1e651900",
+    "zh:531d1552f251c5a0176543defa95c2cc259fc8b9359ef6fd3df404dcead555a0",
+    "zh:67a7800023fa09a7d87ac02231364988749663e37e2906aa89c70eecc5955ccf",
+    "zh:6a8076b59d2766a05ffe521cc115f3e8df7cd2ee4c6d60de4ee4636f47714f2e",
+    "zh:7b39fe720bb7a1f35cd0e4dfeff617338342fc2d16bb22274b42c080ff633140",
+    "zh:b181e04c32aa53ad78eaf6f2746ec5fd94977187ba7314ae8e9815ef6ea56532",
+    "zh:bf605be2f8942d5cabb8755ff0d18f243b53f1148f5f32db762667cf64bfa949",
+    "zh:e981988558310df5d94e56adaa76f7444d991357fe9600c46eb70fa61f4a1394",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f663776d79e7e5d131b4fbd68c152f2bef3e899a19c9baabe3a441e3f5e809ea",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/google-beta" {
+  version     = "5.23.0"
+  constraints = "5.23.0"
+  hashes = [
+    "h1:EGIz78npj995XQdJyKRqgiCqFrcfDPXJwVrVw3PFGE0=",
+    "h1:cxF5B8zWRmTStRAY5o+A3iIFtsiKN0NNr72YTtKSSJw=",
+    "h1:irFKUONsaAiMFJPCyViRAuIWH/aRUKjEzL5mwzSMMRY=",
+    "h1:kiwwYe7qrzmxT5L/T6kuWMSqSR5THlGybmZ17hxpPI4=",
+    "h1:lvEvKrY8nPjumNwHxRmSXxmWnlq5bLq2CUq4FrUQDdM=",
+    "zh:074f276975ffc873d8f9848d54073ef8320428828611d803c82b7c2559c696fb",
+    "zh:12bc0f45071b1af5d4c2beddd1ad54c3d91f246c04a41d51570fed2f56d4e7f2",
+    "zh:2310eac5e8a0286d11a830f33b9d7b93804a02abb63874d8ff9f08b11cc015ed",
+    "zh:43d70d5a760afd0b4d7d21a852ea4b507c6a6673a2ecd135b6991097bae723ce",
+    "zh:44d0fb42b80504497c0983f34135c7619a7f7dcd22ed7ef3c916c4d444ee73d5",
+    "zh:663d82298c96decffc9617183d3d1d5b36fa4aa3e7922897cbed2ca7766c7609",
+    "zh:9b81cc5347409b8f99fbc5ac289e0f2c82a4904615919001555303621791729f",
+    "zh:bc532772de1286cc931b6f672044f71d6be66a9ea81961c38b544495c9d6d765",
+    "zh:c6d1c975bc55a1bd3729daa5bbb7153ae664e2086ed1acf8781581f547b1dce9",
+    "zh:caaa3ebbdcc74205622f3cd3544860989295fba63a62c1e74f5f5161bdf81d53",
+    "zh:e71df7cf923bf5a8b11ddce562266904505d5dd3eb25d3797bdb308940ad5890",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fdad54c5e50751cef3f39a8666ff6adbb3bd860d396d5a9a0a3526e204f60454",
   ]
 }
 

terraform/infrastructure/gcp/main.tf

@@ -2,7 +2,12 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
+    }
+
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "5.23.0"
     }
 
     random = {
@@ -18,6 +23,12 @@ provider "google" {
   zone    = var.zone
 }
 
+provider "google-beta" {
+  project = var.project
+  region  = var.region
+  zone    = var.zone
+}
+
 locals {
   uid              = random_id.uid.hex
   name             = "${var.name}-${local.uid}"
@@ -175,6 +186,7 @@ module "instance_group" {
   labels              = local.labels
   init_secret_hash    = local.init_secret_hash
   custom_endpoint     = var.custom_endpoint
+  cc_technology       = var.cc_technology
 }
 
 resource "google_compute_address" "loadbalancer_ip_internal" {

terraform/infrastructure/gcp/modules/instance_group/main.tf

@@ -2,7 +2,12 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
+    }
+
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "5.23.0"
     }
 
     random = {
@@ -23,6 +28,10 @@ resource "random_id" "uid" {
 }
 
 resource "google_compute_instance_template" "template" {
+  # Beta provider is necessary to set confidential instance types.
+  # TODO(msanft): Remove beta provider once confidential instance type setting is in GA.
+  provider = google-beta
+
   name         = local.name
   machine_type = var.instance_type
   tags         = ["constellation-${var.uid}"] // Note that this is also applied as a label
@@ -33,8 +42,13 @@ resource "google_compute_instance_template" "template" {
 
   confidential_instance_config {
     enable_confidential_compute = true
+    confidential_instance_type  = var.cc_technology
   }
 
+  # If SEV-SNP is used, we have to explicitly select a Milan processor, as per
+  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template#confidential_instance_type
+  min_cpu_platform = var.cc_technology == "SEV_SNP" ? "AMD Milan" : null
+
   disk {
     disk_size_gb = 10
     source_image = var.image_id

terraform/infrastructure/gcp/modules/instance_group/variables.tf

@@ -99,3 +99,12 @@ variable "custom_endpoint" {
   type        = string
   description = "Custom endpoint to use for the Kubernetes API server. If not set, the default endpoint will be used."
 }
+
+variable "cc_technology" {
+  type        = string
+  description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`."
+  validation {
+    condition     = contains(["SEV", "SEV_SNP"], var.cc_technology)
+    error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
+  }
+}

terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
     }
   }
 }

terraform/infrastructure/gcp/modules/jump_host/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
     }
   }
 }

terraform/infrastructure/gcp/modules/loadbalancer/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
     }
   }
 }

terraform/infrastructure/gcp/variables.tf

@@ -60,3 +60,12 @@ variable "zone" {
   type        = string
   description = "GCP zone to deploy the cluster in."
 }
+
+variable "cc_technology" {
+  type        = string
+  description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`."
+  validation {
+    condition     = contains(["SEV", "SEV_SNP"], var.cc_technology)
+    error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
+  }
+}