linter fixes

internal/attestation/gcp/es/validator_test.go

@@ -89,7 +89,7 @@ Y+t5OxL3kL15VzY1Ob0d5cMCAwEAAQ==
 
 	testCases := map[string]struct {
 		instanceInfo []byte
-		getClient    func(ctx context.Context, opts ...option.ClientOption) (gcp.GCPRESTClient, error)
+		getClient    func(ctx context.Context, opts ...option.ClientOption) (gcp.CVMRestClient, error)
 		wantErr      bool
 	}{
 		"success": {
@@ -177,8 +177,8 @@ type fakeInstanceClient struct {
 	ident       *computepb.ShieldedInstanceIdentity
 }
 
-func prepareFakeClient(ident *computepb.ShieldedInstanceIdentity, newErr, getIdentErr error) func(ctx context.Context, opts ...option.ClientOption) (gcp.GCPRESTClient, error) {
-	return func(_ context.Context, _ ...option.ClientOption) (gcp.GCPRESTClient, error) {
+func prepareFakeClient(ident *computepb.ShieldedInstanceIdentity, newErr, getIdentErr error) func(ctx context.Context, opts ...option.ClientOption) (gcp.CVMRestClient, error) {
+	return func(_ context.Context, _ ...option.ClientOption) (gcp.CVMRestClient, error) {
 		return &fakeInstanceClient{
 			getIdentErr: getIdentErr,
 			ident:       ident,

internal/attestation/gcp/metadata.go

@@ -50,17 +50,20 @@ type gcpMetadataClient interface {
 	Zone() (string, error)
 }
 
-// a MetadataClient fetches metadata from the GCE Metadata API.
+// A MetadataClient fetches metadata from the GCE Metadata API.
 type MetadataClient struct{}
 
+// ProjectID returns the project ID of the GCE instance.
 func (c MetadataClient) ProjectID() (string, error) {
 	return metadata.ProjectID()
 }
 
+// InstanceName returns the instance name of the GCE instance.
 func (c MetadataClient) InstanceName() (string, error) {
 	return metadata.InstanceName()
 }
 
+// Zone returns the zone the GCE instance is located in.
 func (c MetadataClient) Zone() (string, error) {
 	return metadata.Zone()
 }

internal/attestation/gcp/restclient.go

@@ -30,7 +30,7 @@ type RESTClient struct {
 }
 
 // NewRESTClient creates a new RESTClient.
-func NewRESTClient(ctx context.Context, opts ...option.ClientOption) (GCPRESTClient, error) {
+func NewRESTClient(ctx context.Context, opts ...option.ClientOption) (CVMRestClient, error) {
 	c, err := compute.NewInstancesRESTClient(ctx, opts...)
 	if err != nil {
 		return nil, err
@@ -38,8 +38,8 @@ func NewRESTClient(ctx context.Context, opts ...option.ClientOption) (GCPRESTCli
 	return &RESTClient{c}, nil
 }
 
-// GCPRESTClient is the interface a GCP REST client must implement.
-type GCPRESTClient interface {
+// CVMRestClient is the interface a GCP REST client for a CVM must implement.
+type CVMRestClient interface {
 	GetShieldedInstanceIdentity(ctx context.Context, req *computepb.GetShieldedInstanceIdentityInstanceRequest, opts ...gax.CallOption) (*computepb.ShieldedInstanceIdentity, error)
 	Close() error
 }
@@ -48,7 +48,7 @@ type GCPRESTClient interface {
 // This key can be used to verify attestation statements issued by the VM.
 func TrustedKeyGetter(
 	attestationVariant variant.Variant,
-	newRESTClient func(ctx context.Context, opts ...option.ClientOption) (GCPRESTClient, error),
+	newRESTClient func(ctx context.Context, opts ...option.ClientOption) (CVMRestClient, error),
 ) (func(ctx context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error), error) {
 	return func(ctx context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error) {
 		client, err := newRESTClient(ctx)

internal/attestation/gcp/snp/validator.go

@@ -79,7 +79,7 @@ func (v *Validator) getTrustedKey(ctx context.Context, attDoc vtpm.AttestationDo
 }
 
 // validateCVM validates the SEV-SNP attestation document.
-func (v *Validator) validateCVM(attDoc vtpm.AttestationDocument, state *attest.MachineState) error {
+func (v *Validator) validateCVM(attDoc vtpm.AttestationDocument, _ *attest.MachineState) error {
 	pubArea, err := tpm2.DecodePublic(attDoc.Attestation.AkPub)
 	if err != nil {
 		return fmt.Errorf("decoding public area: %w", err)

terraform/infrastructure/iam/gcp/.terraform.lock.hcl

@@ -2,26 +2,26 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "5.17.0"
-  constraints = "5.17.0"
+  version     = "5.23.0"
+  constraints = "5.23.0"
   hashes = [
-    "h1:9DKCaGp9EFKDLWIOWI3yA/RgWTMh0EMD6+iggVXC9l0=",
-    "h1:JEfDiodirnMqwNaub/anXoOtWt68aEN80QtPJxg3jsc=",
-    "h1:TANQI64JuScQ2LTITQqz7eh1RjhYDItdbI5p1aBOtXY=",
-    "h1:dT3UftIyARC7YjS4yurPlNS7WJAHICDHMXSluAAvavA=",
-    "h1:lu84RYioCT4OxXbFBdqom4QvSPAjMkEyHPSIAxuS7oo=",
-    "zh:31b4d485ee66e6ff2eb1d8e476e694904447ce2b7143a2e067e4b80a84958d13",
-    "zh:32e86a51c4b0b29b7a18dd95616ea2976f08a4a7385e00f2bcab266217ee4320",
-    "zh:357f352bf04e7bc10d61d49296bf6503f31a3db0500169cb532afde7d318643e",
-    "zh:4b4637ca397cc771136edf7ec5578b5ab8631a8955a86d4fce3b8c40ca8c26b4",
-    "zh:4fe198b7427f7bf04270a5491a0352379c2b0a1caf12e206e6e224ceb085f56a",
-    "zh:7abb8509a61602d5ed4c801e7cd7c8299d109bc07980352251ba79880a99abab",
-    "zh:b1550fe08c650d8419860da1568d3f77093d269f880cad7d720d843b2a9ec545",
-    "zh:c91d7079646a3fdbb927085e368a16b221a23c17cf7455d5088f0c8f5da48c9f",
-    "zh:d367213a5f392852ef0708283df583703b2efd0b44f9e599cd055086c371cf74",
-    "zh:d5b557f294f4094a865afaa0611dc2e657d485b60903f12795eeedc2e1c3aa87",
+    "h1:2VJTKCZWQ1DaNwclFxSo27avsYwWgq/itwLZ3xKyl/o=",
+    "h1:4evtipODvV5s86gihS+jyk1cSW1xLn22jy8Ox8zzhAs=",
+    "h1:BD+iQfFcZ0OeaZI2JWDp2sLqSr+DfZtWy4yo1OVMnTI=",
+    "h1:my3kqg4hIpWLu2WwRewOFxBS+FXfkAIiw8xTYVPNS9M=",
+    "h1:xpm8QPNp2soGqIEnf4SNoZaTlQ/SbNH63BooJkSbgX0=",
+    "zh:18eaaa51a8b30fed61c73799b8716a9bd08ccd382bc395c63e45b9a52ed8b300",
+    "zh:20c71acf091a282db88473ec6f0a684ac59891713c49b2ff1cb35c1539da3121",
+    "zh:2e3e9ae1d3b045dcaa39053f4d1d066fa17e5b81f4ed7a5e57cc4e6e1e651900",
+    "zh:531d1552f251c5a0176543defa95c2cc259fc8b9359ef6fd3df404dcead555a0",
+    "zh:67a7800023fa09a7d87ac02231364988749663e37e2906aa89c70eecc5955ccf",
+    "zh:6a8076b59d2766a05ffe521cc115f3e8df7cd2ee4c6d60de4ee4636f47714f2e",
+    "zh:7b39fe720bb7a1f35cd0e4dfeff617338342fc2d16bb22274b42c080ff633140",
+    "zh:b181e04c32aa53ad78eaf6f2746ec5fd94977187ba7314ae8e9815ef6ea56532",
+    "zh:bf605be2f8942d5cabb8755ff0d18f243b53f1148f5f32db762667cf64bfa949",
+    "zh:e981988558310df5d94e56adaa76f7444d991357fe9600c46eb70fa61f4a1394",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fdad54c5e50751cef3f39a8666ff6adbb3bd860d396d5a9a0a3526e204f60454",
+    "zh:f663776d79e7e5d131b4fbd68c152f2bef3e899a19c9baabe3a441e3f5e809ea",
   ]
 }
 

terraform/infrastructure/iam/gcp/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "5.17.0"
+      version = "5.23.0"
     }
   }
 }

terraform/legacy-module/gcp-constellation/main.tf

@@ -41,6 +41,7 @@ module "gcp" {
   zone            = var.zone
   debug           = var.debug
   custom_endpoint = var.custom_endpoint
+  cc_technology   = var.cc_technology
 }
 
 module "constellation" {

terraform/legacy-module/gcp-constellation/variables.tf

@@ -70,3 +70,12 @@ variable "internal_load_balancer" {
   default     = false
   description = "Use an internal load balancer."
 }
+
+variable "cc_technology" {
+  type        = string
+  description = "The confidential computing technology to use for the nodes. One of `SEV`, `SEV_SNP`."
+  validation {
+    condition     = contains(["SEV", "SEV_SNP"], var.cc_technology)
+    error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
+  }
+}