From 10f1b1430efb3d0f0c687dec941d730155238123 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 4 Apr 2024 16:30:35 +0200 Subject: [PATCH] terraform: enable creation of SEV-SNP VMs on GCP --- .../infrastructure/gcp/.terraform.lock.hcl | 60 +++++++++++++------ terraform/infrastructure/gcp/main.tf | 14 ++++- .../gcp/modules/instance_group/main.tf | 16 ++++- .../gcp/modules/instance_group/variables.tf | 9 +++ .../modules/internal_load_balancer/main.tf | 2 +- .../gcp/modules/jump_host/main.tf | 2 +- .../gcp/modules/loadbalancer/main.tf | 2 +- terraform/infrastructure/gcp/variables.tf | 9 +++ 8 files changed, 91 insertions(+), 23 deletions(-) diff --git a/terraform/infrastructure/gcp/.terraform.lock.hcl b/terraform/infrastructure/gcp/.terraform.lock.hcl index bc58c4246..557993381 100644 --- a/terraform/infrastructure/gcp/.terraform.lock.hcl +++ b/terraform/infrastructure/gcp/.terraform.lock.hcl 
@@ -2,26 +2,50 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "5.17.0" - constraints = "5.17.0" + version = "5.23.0" + constraints = "5.23.0" hashes = [ - "h1:9DKCaGp9EFKDLWIOWI3yA/RgWTMh0EMD6+iggVXC9l0=", - "h1:JEfDiodirnMqwNaub/anXoOtWt68aEN80QtPJxg3jsc=", - "h1:TANQI64JuScQ2LTITQqz7eh1RjhYDItdbI5p1aBOtXY=", - "h1:dT3UftIyARC7YjS4yurPlNS7WJAHICDHMXSluAAvavA=", - "h1:lu84RYioCT4OxXbFBdqom4QvSPAjMkEyHPSIAxuS7oo=", - "zh:31b4d485ee66e6ff2eb1d8e476e694904447ce2b7143a2e067e4b80a84958d13", - "zh:32e86a51c4b0b29b7a18dd95616ea2976f08a4a7385e00f2bcab266217ee4320", - "zh:357f352bf04e7bc10d61d49296bf6503f31a3db0500169cb532afde7d318643e", - "zh:4b4637ca397cc771136edf7ec5578b5ab8631a8955a86d4fce3b8c40ca8c26b4", - "zh:4fe198b7427f7bf04270a5491a0352379c2b0a1caf12e206e6e224ceb085f56a", - "zh:7abb8509a61602d5ed4c801e7cd7c8299d109bc07980352251ba79880a99abab", - "zh:b1550fe08c650d8419860da1568d3f77093d269f880cad7d720d843b2a9ec545", - "zh:c91d7079646a3fdbb927085e368a16b221a23c17cf7455d5088f0c8f5da48c9f", - "zh:d367213a5f392852ef0708283df583703b2efd0b44f9e599cd055086c371cf74", - "zh:d5b557f294f4094a865afaa0611dc2e657d485b60903f12795eeedc2e1c3aa87", + "h1:2VJTKCZWQ1DaNwclFxSo27avsYwWgq/itwLZ3xKyl/o=", + "h1:4evtipODvV5s86gihS+jyk1cSW1xLn22jy8Ox8zzhAs=", + "h1:BD+iQfFcZ0OeaZI2JWDp2sLqSr+DfZtWy4yo1OVMnTI=", + "h1:my3kqg4hIpWLu2WwRewOFxBS+FXfkAIiw8xTYVPNS9M=", + "h1:xpm8QPNp2soGqIEnf4SNoZaTlQ/SbNH63BooJkSbgX0=", + "zh:18eaaa51a8b30fed61c73799b8716a9bd08ccd382bc395c63e45b9a52ed8b300", + "zh:20c71acf091a282db88473ec6f0a684ac59891713c49b2ff1cb35c1539da3121", + "zh:2e3e9ae1d3b045dcaa39053f4d1d066fa17e5b81f4ed7a5e57cc4e6e1e651900", + "zh:531d1552f251c5a0176543defa95c2cc259fc8b9359ef6fd3df404dcead555a0", + "zh:67a7800023fa09a7d87ac02231364988749663e37e2906aa89c70eecc5955ccf", + "zh:6a8076b59d2766a05ffe521cc115f3e8df7cd2ee4c6d60de4ee4636f47714f2e", + "zh:7b39fe720bb7a1f35cd0e4dfeff617338342fc2d16bb22274b42c080ff633140", + 
"zh:b181e04c32aa53ad78eaf6f2746ec5fd94977187ba7314ae8e9815ef6ea56532", + "zh:bf605be2f8942d5cabb8755ff0d18f243b53f1148f5f32db762667cf64bfa949", + "zh:e981988558310df5d94e56adaa76f7444d991357fe9600c46eb70fa61f4a1394", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f663776d79e7e5d131b4fbd68c152f2bef3e899a19c9baabe3a441e3f5e809ea", + ] +} + +provider "registry.terraform.io/hashicorp/google-beta" { + version = "5.23.0" + constraints = "5.23.0" + hashes = [ + "h1:EGIz78npj995XQdJyKRqgiCqFrcfDPXJwVrVw3PFGE0=", + "h1:cxF5B8zWRmTStRAY5o+A3iIFtsiKN0NNr72YTtKSSJw=", + "h1:irFKUONsaAiMFJPCyViRAuIWH/aRUKjEzL5mwzSMMRY=", + "h1:kiwwYe7qrzmxT5L/T6kuWMSqSR5THlGybmZ17hxpPI4=", + "h1:lvEvKrY8nPjumNwHxRmSXxmWnlq5bLq2CUq4FrUQDdM=", + "zh:074f276975ffc873d8f9848d54073ef8320428828611d803c82b7c2559c696fb", + "zh:12bc0f45071b1af5d4c2beddd1ad54c3d91f246c04a41d51570fed2f56d4e7f2", + "zh:2310eac5e8a0286d11a830f33b9d7b93804a02abb63874d8ff9f08b11cc015ed", + "zh:43d70d5a760afd0b4d7d21a852ea4b507c6a6673a2ecd135b6991097bae723ce", + "zh:44d0fb42b80504497c0983f34135c7619a7f7dcd22ed7ef3c916c4d444ee73d5", + "zh:663d82298c96decffc9617183d3d1d5b36fa4aa3e7922897cbed2ca7766c7609", + "zh:9b81cc5347409b8f99fbc5ac289e0f2c82a4904615919001555303621791729f", + "zh:bc532772de1286cc931b6f672044f71d6be66a9ea81961c38b544495c9d6d765", + "zh:c6d1c975bc55a1bd3729daa5bbb7153ae664e2086ed1acf8781581f547b1dce9", + "zh:caaa3ebbdcc74205622f3cd3544860989295fba63a62c1e74f5f5161bdf81d53", + "zh:e71df7cf923bf5a8b11ddce562266904505d5dd3eb25d3797bdb308940ad5890", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fdad54c5e50751cef3f39a8666ff6adbb3bd860d396d5a9a0a3526e204f60454", ] } diff --git a/terraform/infrastructure/gcp/main.tf b/terraform/infrastructure/gcp/main.tf index f38195522..33c359b68 100644 --- a/terraform/infrastructure/gcp/main.tf +++ b/terraform/infrastructure/gcp/main.tf 
@@ -2,7 +2,12 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "5.17.0" + version = "5.23.0" + } + + google-beta = { + source = "hashicorp/google-beta" + version = "5.23.0" } random = { @@ -18,6 +23,12 @@ provider "google" { zone = var.zone } +provider "google-beta" { + project = var.project + region = var.region + zone = var.zone +} + locals { uid = random_id.uid.hex name = "${var.name}-${local.uid}" @@ -175,6 +186,7 @@ module "instance_group" { labels = local.labels init_secret_hash = local.init_secret_hash custom_endpoint = var.custom_endpoint + cc_technology = var.cc_technology } resource "google_compute_address" "loadbalancer_ip_internal" { diff --git a/terraform/infrastructure/gcp/modules/instance_group/main.tf b/terraform/infrastructure/gcp/modules/instance_group/main.tf index 2681c4d47..fe9da14ae 100644 --- a/terraform/infrastructure/gcp/modules/instance_group/main.tf +++ b/terraform/infrastructure/gcp/modules/instance_group/main.tf @@ -2,7 +2,12 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "5.17.0" + version = "5.23.0" + } + + google-beta = { + source = "hashicorp/google-beta" + version = "5.23.0" } random = { @@ -23,6 +28,10 @@ resource "random_id" "uid" { } resource "google_compute_instance_template" "template" { + # Beta provider is necessary to set confidential instance types. + # TODO(msanft): Remove beta provider once confidential instance type setting is in GA. + provider = google-beta + name = local.name machine_type = var.instance_type tags = ["constellation-${var.uid}"] // Note that this is also applied as a label 
@@ -33,8 +42,13 @@ resource "google_compute_instance_template" "template" { confidential_instance_config { enable_confidential_compute = true + confidential_instance_type = var.cc_technology } + # If SEV-SNP is used, we have to explicitly select a Milan processor, as per + # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template#confidential_instance_type + min_cpu_platform = var.cc_technology == "SEV_SNP" ? "AMD Milan" : null + disk { disk_size_gb = 10 source_image = var.image_id diff --git a/terraform/infrastructure/gcp/modules/instance_group/variables.tf b/terraform/infrastructure/gcp/modules/instance_group/variables.tf index f4b9a7cdb..5370ec7d1 100644 --- a/terraform/infrastructure/gcp/modules/instance_group/variables.tf +++ b/terraform/infrastructure/gcp/modules/instance_group/variables.tf @@ -99,3 +99,12 @@ variable "custom_endpoint" { type = string description = "Custom endpoint to use for the Kubernetes API server. If not set, the default endpoint will be used." } + +variable "cc_technology" { + type = string + description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`." + validation { + condition = contains(["SEV", "SEV_SNP"], var.cc_technology) + error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'." + } +} diff --git a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf index 2589ba1be..263ee12a3 100644 --- a/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf +++ b/terraform/infrastructure/gcp/modules/internal_load_balancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "5.17.0" + version = "5.23.0" } } } diff --git a/terraform/infrastructure/gcp/modules/jump_host/main.tf b/terraform/infrastructure/gcp/modules/jump_host/main.tf index a0a2e4c4f..c1929792b 100644 
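Review bot: The `min_cpu_platform` line pins SEV_SNP nodes to AMD Milan, but nothing checks that `var.instance_type` (used as `machine_type` in this template, above the hunk) is a machine series GCP actually offers with SEV-SNP, so a mismatch surfaces only as an API error at apply time instead of at plan time. A `lifecycle { precondition { … } }` on the template would reject the combination early; the `^n2d-` prefix below reflects what GCP supported for SEV-SNP at the time of this commit and should be confirmed against the current documentation before it is hardcoded. The string `"SEV_SNP"` is now spelled in three places (this ternary and both variable validations), so a `local` map from technology to CPU platform would keep the allowed set in one spot when a further technology is added. The `scheduling`/`on_host_maintenance` settings that SEV-SNP also constrains, and the end of the `template` resource, lie outside this hunk.
```hcl
  # … unchanged: confidential_instance_config, min_cpu_platform, disk …

  lifecycle {
    # Fail at plan time instead of with an opaque API error at apply time.
    # TODO(review): confirm the supported machine series against current GCP docs.
    precondition {
      condition     = var.cc_technology != "SEV_SNP" || can(regex("^n2d-", var.instance_type))
      error_message = "SEV_SNP on GCP requires an N2D machine type, got '${var.instance_type}'."
    }
  }
```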
--- a/terraform/infrastructure/gcp/modules/jump_host/main.tf +++ b/terraform/infrastructure/gcp/modules/jump_host/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "5.17.0" + version = "5.23.0" } } } diff --git a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf index 0a5074f53..5c7bab447 100644 --- a/terraform/infrastructure/gcp/modules/loadbalancer/main.tf +++ b/terraform/infrastructure/gcp/modules/loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "5.17.0" + version = "5.23.0" } } } diff --git a/terraform/infrastructure/gcp/variables.tf b/terraform/infrastructure/gcp/variables.tf index add9eeffa..5d158c9ad 100644 --- a/terraform/infrastructure/gcp/variables.tf +++ b/terraform/infrastructure/gcp/variables.tf @@ -60,3 +60,12 @@ variable "zone" { type = string description = "GCP zone to deploy the cluster in." } + +variable "cc_technology" { + type = string + description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`." + validation { + condition = contains(["SEV", "SEV_SNP"], var.cc_technology) + error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'." + } +}
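Review bot: The description of `cc_technology` lists the accepted values but not what an operator gives up by choosing `SEV`: from the patch, the value only toggles `confidential_instance_type` and the AMD Milan CPU pin, and the difference in guarantees (SEV-SNP adds memory integrity protection and a hardware attestation report on top of the memory encryption plain SEV provides) is left for the reader to know. I would extend the description to `"The confidential computing technology to use for the nodes. One of 'SEV', 'SEV_SNP'. 'SEV_SNP' additionally provides memory integrity protection and hardware attestation and pins nodes to the AMD Milan CPU platform."` Declaring the variable without a `default`, so the operator has to make the choice explicitly, looks right for a security-relevant knob; a one-line comment saying the omission is deliberate would stop a later cleanup from quietly adding `default = "SEV"`.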