diff --git a/google/compute_instance_helpers.go b/google/compute_instance_helpers.go index b42b0035cd3..82646be8422 100644 --- a/google/compute_instance_helpers.go +++ b/google/compute_instance_helpers.go @@ -303,3 +303,29 @@ func resourceInstanceTags(d TerraformResourceData) *computeBeta.Tags { return tags } + +func expandShieldedVmConfigs(d *schema.ResourceData) *computeBeta.ShieldedVmConfig { + if _, ok := d.GetOk("shielded_vm_config"); !ok { + return nil + } + + prefix := "shielded_vm_config.0" + return &computeBeta.ShieldedVmConfig{ + EnableSecureBoot: d.Get(prefix + ".enable_secure_boot").(bool), + EnableVtpm: d.Get(prefix + ".enable_vtpm").(bool), + EnableIntegrityMonitoring: d.Get(prefix + ".enable_integrity_monitoring").(bool), + ForceSendFields: []string{"EnableSecureBoot", "EnableVtpm", "EnableIntegrityMonitoring"}, + } +} + +func flattenShieldedVmConfig(shieldedVmConfig *computeBeta.ShieldedVmConfig) []map[string]bool { + if shieldedVmConfig == nil { + return nil + } + + return []map[string]bool{{ + "enable_secure_boot": shieldedVmConfig.EnableSecureBoot, + "enable_vtpm": shieldedVmConfig.EnableVtpm, + "enable_integrity_monitoring": shieldedVmConfig.EnableIntegrityMonitoring, + }} +} diff --git a/google/data_source_google_compute_instance.go b/google/data_source_google_compute_instance.go index 0caf5bcf5a6..b2ec522218c 100644 --- a/google/data_source_google_compute_instance.go +++ b/google/data_source_google_compute_instance.go @@ -134,6 +134,11 @@ func dataSourceGoogleComputeInstanceRead(d *schema.ResourceData, meta interface{ return err } + err = d.Set("shielded_vm_config", flattenShieldedVmConfig(instance.ShieldedVmConfig)) + if err != nil { + return err + } + d.Set("attached_disk", ads) d.Set("cpu_platform", instance.CpuPlatform) d.Set("min_cpu_platform", instance.MinCpuPlatform) diff --git a/google/resource_compute_instance.go b/google/resource_compute_instance.go index 37c3705fa52..d70f7a873f2 100644 --- a/google/resource_compute_instance.go +++ b/google/resource_compute_instance.go @@ -495,6 +495,33 @@ func resourceComputeInstance() *schema.Resource { }, }, + "shielded_vm_config": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enable_secure_boot": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + + "enable_vtpm": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + + "enable_integrity_monitoring": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + }, + }, + }, + "tags": { Type: schema.TypeSet, Optional: true, @@ -670,6 +697,7 @@ func expandComputeInstance(project string, zone *compute.Zone, d *schema.Resourc DeletionProtection: d.Get("deletion_protection").(bool), Hostname: d.Get("hostname").(string), ForceSendFields: []string{"CanIpForward", "DeletionProtection"}, + ShieldedVmConfig: expandShieldedVmConfigs(d), }, nil } @@ -879,6 +907,7 @@ func resourceComputeInstanceRead(d *schema.ResourceData, meta interface{}) error d.Set("scratch_disk", scratchDisks) d.Set("scheduling", flattenScheduling(instance.Scheduling)) d.Set("guest_accelerator", flattenGuestAccelerators(instance.GuestAccelerators)) + d.Set("shielded_vm_config", flattenShieldedVmConfig(instance.ShieldedVmConfig)) d.Set("cpu_platform", instance.CpuPlatform) d.Set("min_cpu_platform", instance.MinCpuPlatform) d.Set("deletion_protection", instance.DeletionProtection) @@ -1341,6 +1370,22 @@ func resourceComputeInstanceUpdate(d *schema.ResourceData, meta interface{}) err } } + if d.HasChange("shielded_vm_config") { + shieldedVmConfig := expandShieldedVmConfigs(d) + + op, err := config.clientComputeBeta.Instances.UpdateShieldedVmConfig(project, zone, d.Id(), shieldedVmConfig).Do() + if err != nil { + return fmt.Errorf("Error updating shielded vm config: %s", err) + } + + opErr := computeSharedOperationWaitTime(config.clientCompute, op, project, int(d.Timeout(schema.TimeoutUpdate).Minutes()), "shielded vm config update") + if opErr != nil { + return opErr + } + + d.SetPartial("shielded_vm_config") + } + // We made it, disable partial mode d.Partial(false) diff --git a/google/resource_compute_instance_template.go b/google/resource_compute_instance_template.go index 1bc81f0006e..4608e2a01af 100644 --- a/google/resource_compute_instance_template.go +++ b/google/resource_compute_instance_template.go @@ -389,6 +389,37 @@ func resourceComputeInstanceTemplate() *schema.Resource { }, }, + "shielded_vm_config": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enable_secure_boot": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + + "enable_vtpm": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + + "enable_integrity_monitoring": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + }, + }, + }, + "guest_accelerator": { Type: schema.TypeList, Optional: true, @@ -644,6 +675,7 @@ func resourceComputeInstanceTemplateCreate(d *schema.ResourceData, meta interfac Scheduling: scheduling, ServiceAccounts: expandServiceAccounts(d.Get("service_account").([]interface{})), Tags: resourceInstanceTags(d), + ShieldedVmConfig: expandShieldedVmConfigs(d), } if _, ok := d.GetOk("labels"); ok { @@ -841,6 +873,11 @@ func resourceComputeInstanceTemplateRead(d *schema.ResourceData, meta interface{ return fmt.Errorf("Error setting guest_accelerator: %s", err) } } + if instanceTemplate.Properties.ShieldedVmConfig != nil { + if err = d.Set("shielded_vm_config", flattenShieldedVmConfig(instanceTemplate.Properties.ShieldedVmConfig)); err != nil { + return fmt.Errorf("Error setting shielded_vm_config: %s", err) + } + } return nil } diff --git a/google/resource_compute_instance_template_test.go b/google/resource_compute_instance_template_test.go index bd43e757645..10b50206ff5 100644 --- a/google/resource_compute_instance_template_test.go +++ b/google/resource_compute_instance_template_test.go @@ -9,6 +9,7 @@ import ( "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + computeBeta "google.golang.org/api/compute/v0.beta" "google.golang.org/api/compute/v1" ) @@ -520,6 +521,136 @@ func TestAccComputeInstanceTemplate_soleTenantNodeAffinities(t *testing.T) { }) } +func TestAccComputeInstanceTemplate_shieldedVmConfig1(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_shieldedVmConfig(true, true, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateHasShieldedVmConfig(&instanceTemplate, true, true, true), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeInstanceTemplate_shieldedVmConfig2(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_shieldedVmConfig(true, true, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateHasShieldedVmConfig(&instanceTemplate, true, true, false), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeInstanceTemplate_shieldedVmConfig3(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_shieldedVmConfigDefaults(true, true, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateHasShieldedVmConfig(&instanceTemplate, true, true, false), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeInstanceTemplate_shieldedVmConfig4(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_shieldedVmConfigDefaults(false, false, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateHasShieldedVmConfig(&instanceTemplate, false, false, false), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeInstanceTemplate_shieldedVmConfigSkip(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_basic(), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateLacksShieldedVmConfig(&instanceTemplate), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func testAccCheckComputeInstanceTemplateDestroy(s *terraform.State) error { config := testAccProvider.Meta().(*Config) @@ -538,8 +669,19 @@ func testAccCheckComputeInstanceTemplateDestroy(s *terraform.State) error { return nil } -func testAccCheckComputeInstanceTemplateExists(n string, instanceTemplate *compute.InstanceTemplate) resource.TestCheckFunc { - return testAccCheckComputeInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate) +func testAccCheckComputeInstanceTemplateExists(n string, instanceTemplate interface{}) resource.TestCheckFunc { + if instanceTemplate == nil { + panic("Attempted to check existence of Instance template that was nil.") + } + + switch instanceTemplate.(type) { + case *compute.InstanceTemplate: + return testAccCheckComputeInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate.(*compute.InstanceTemplate)) + case *computeBeta.InstanceTemplate: + return testAccCheckComputeBetaInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate.(*computeBeta.InstanceTemplate)) + default: + panic("Attempted to check existence of an Instance template of unknown type.") + } } func testAccCheckComputeInstanceTemplateExistsInProject(n, p string, instanceTemplate *compute.InstanceTemplate) resource.TestCheckFunc { @@ -571,6 +713,35 @@ func testAccCheckComputeInstanceTemplateExistsInProject(n, p string, instanceTem } } +func testAccCheckComputeBetaInstanceTemplateExistsInProject(n, p string, instanceTemplate *computeBeta.InstanceTemplate) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + found, err := config.clientComputeBeta.InstanceTemplates.Get( + p, rs.Primary.ID).Do() + if err != nil { + return err + } + + if found.Name != rs.Primary.ID { + return fmt.Errorf("Instance template not found") + } + + *instanceTemplate = *found + + return nil + } +} + func testAccCheckComputeInstanceTemplateMetadata( instanceTemplate *compute.InstanceTemplate, k string, v string) resource.TestCheckFunc { @@ -783,6 +954,34 @@ func testAccCheckComputeInstanceTemplateHasMinCpuPlatform(instanceTemplate *comp } } +func testAccCheckComputeInstanceTemplateHasShieldedVmConfig(instanceTemplate *computeBeta.InstanceTemplate, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) resource.TestCheckFunc { + + return func(s *terraform.State) error { + if instanceTemplate.Properties.ShieldedVmConfig.EnableSecureBoot != enableSecureBoot { + return fmt.Errorf("Wrong shieldedVmConfig enableSecureBoot: expected %t, got, %t", enableSecureBoot, instanceTemplate.Properties.ShieldedVmConfig.EnableSecureBoot) + } + + if instanceTemplate.Properties.ShieldedVmConfig.EnableVtpm != enableVtpm { + return fmt.Errorf("Wrong shieldedVmConfig enableVtpm: expected %t, got, %t", enableVtpm, instanceTemplate.Properties.ShieldedVmConfig.EnableVtpm) + } + + if instanceTemplate.Properties.ShieldedVmConfig.EnableIntegrityMonitoring != enableIntegrityMonitoring { + return fmt.Errorf("Wrong shieldedVmConfig enableIntegrityMonitoring: expected %t, got, %t", enableIntegrityMonitoring, instanceTemplate.Properties.ShieldedVmConfig.EnableIntegrityMonitoring) + } + return nil + } +} + +func testAccCheckComputeInstanceTemplateLacksShieldedVmConfig(instanceTemplate *computeBeta.InstanceTemplate) resource.TestCheckFunc { + return func(s *terraform.State) error { + if instanceTemplate.Properties.ShieldedVmConfig != nil { + return fmt.Errorf("Expected no shielded vm config") + } + + return nil + } +} + func testAccComputeInstanceTemplate_basic() string { return fmt.Sprintf(` data "google_compute_image" "my_image" { @@ -1508,3 +1707,77 @@ resource "google_compute_instance_template" "foobar" { } }`, acctest.RandString(10)) } + +func testAccComputeInstanceTemplate_shieldedVmConfig(enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) string { + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance_template" "foobar" { + name = "instancet-test-%s" + machine_type = "n1-standard-1" + can_ip_forward = false + + disk { + source_image = "${data.google_compute_image.my_image.self_link}" + auto_delete = true + boot = true + } + + network_interface { + network = "default" + } + + shielded_vm_config { + enable_secure_boot = %t + enable_vtpm = %t + enable_integrity_monitoring = %t + } +}`, acctest.RandString(10), enableSecureBoot, enableVtpm, enableIntegrityMonitoring) +} + +func testAccComputeInstanceTemplate_shieldedVmConfigDefaults(enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) string { + secureBootStr := "" + if enableSecureBoot { + secureBootStr = "enable_secure_boot = true" + } + vtpmStr := "" + if enableVtpm { + vtpmStr = "enable_vtpm = true" + } + + integrityMonitoringStr := "" + if enableIntegrityMonitoring { + integrityMonitoringStr = "enable_integrity_monitoring = true" + } + + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance_template" "foobar" { + name = "instancet-test-%s" + machine_type = "n1-standard-1" + can_ip_forward = false + + disk { + source_image = "${data.google_compute_image.my_image.self_link}" + auto_delete = true + boot = true + } + + network_interface { + network = "default" + } + + shielded_vm_config { +%s +%s +%s + } +}`, acctest.RandString(10), secureBootStr, vtpmStr, integrityMonitoringStr) +} diff --git a/google/resource_compute_instance_test.go b/google/resource_compute_instance_test.go index 0b6b24cdec7..5cd249aa86a 100644 --- a/google/resource_compute_instance_test.go +++ b/google/resource_compute_instance_test.go @@ -10,6 +10,7 @@ import ( "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + computeBeta "google.golang.org/api/compute/v0.beta" "google.golang.org/api/compute/v1" ) @@ -1095,6 +1096,120 @@ func TestAccComputeInstance_hostname(t *testing.T) { }) } +func TestAccComputeInstance_shieldedVmConfig1(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_shieldedVmConfig(instanceName, true, true, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceHasShieldedVmConfig(&instance, true, true, true), + ), + }, + computeInstanceImportStep("us-central1-a", instanceName, []string{}), + }, + }) +} + +func TestAccComputeInstance_shieldedVmConfig2(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_shieldedVmConfig(instanceName, true, true, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceHasShieldedVmConfig(&instance, true, true, false), + ), + }, + computeInstanceImportStep("us-central1-a", instanceName, []string{}), + }, + }) +} + +func TestAccComputeInstance_shieldedVmConfig3(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_shieldedVmConfigDefaults(instanceName, true, true, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceHasShieldedVmConfig(&instance, true, true, false), + ), + }, + computeInstanceImportStep("us-central1-a", instanceName, []string{}), + }, + }) +} + +func TestAccComputeInstance_shieldedVmConfig4(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_shieldedVmConfigDefaults(instanceName, false, false, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceHasShieldedVmConfig(&instance, false, false, false), + ), + }, + computeInstanceImportStep("us-central1-a", instanceName, []string{}), + }, + }) +} + +func TestAccComputeInstance_shieldedVmConfigSkip(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_basic(instanceName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceLacksShieldedVmConfig(&instance), + ), + }, + }, + }) +} + func testAccCheckComputeInstanceUpdateMachineType(n string) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -1152,8 +1267,19 @@ func testAccCheckComputeInstanceDestroy(s *terraform.State) error { return nil } -func testAccCheckComputeInstanceExists(n string, instance *compute.Instance) resource.TestCheckFunc { - return testAccCheckComputeInstanceExistsInProject(n, getTestProjectFromEnv(), instance) +func testAccCheckComputeInstanceExists(n string, instance interface{}) resource.TestCheckFunc { + if instance == nil { + panic("Attempted to check existence of Instance that was nil.") + } + + switch instance.(type) { + case *compute.Instance: + return testAccCheckComputeInstanceExistsInProject(n, getTestProjectFromEnv(), instance.(*compute.Instance)) + case *computeBeta.Instance: + return testAccCheckComputeBetaInstanceExistsInProject(n, getTestProjectFromEnv(), instance.(*computeBeta.Instance)) + default: + panic("Attempted to check existence of an Instance of unknown type.") + } } func testAccCheckComputeInstanceExistsInProject(n, p string, instance *compute.Instance) resource.TestCheckFunc { @@ -1185,6 +1311,35 @@ func testAccCheckComputeInstanceExistsInProject(n, p string, instance *compute.I } } +func testAccCheckComputeBetaInstanceExistsInProject(n, p string, instance *computeBeta.Instance) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + found, err := config.clientComputeBeta.Instances.Get( + p, rs.Primary.Attributes["zone"], rs.Primary.ID).Do() + if err != nil { + return err + } + + if found.Name != rs.Primary.ID { + return fmt.Errorf("Instance not found") + } + + *instance = *found + + return nil + } +} + func testAccCheckComputeInstanceMetadata( instance *compute.Instance, k string, v string) resource.TestCheckFunc { @@ -1566,6 +1721,34 @@ func testAccCheckComputeInstanceHasConfiguredDeletionProtection(instance *comput } } +func testAccCheckComputeInstanceHasShieldedVmConfig(instance *computeBeta.Instance, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) resource.TestCheckFunc { + + return func(s *terraform.State) error { + if instance.ShieldedVmConfig.EnableSecureBoot != enableSecureBoot { + return fmt.Errorf("Wrong shieldedVmConfig enableSecureBoot: expected %t, got, %t", enableSecureBoot, instance.ShieldedVmConfig.EnableSecureBoot) + } + + if instance.ShieldedVmConfig.EnableVtpm != enableVtpm { + return fmt.Errorf("Wrong shieldedVmConfig enableVtpm: expected %t, got, %t", enableVtpm, instance.ShieldedVmConfig.EnableVtpm) + } + + if instance.ShieldedVmConfig.EnableIntegrityMonitoring != enableIntegrityMonitoring { + return fmt.Errorf("Wrong shieldedVmConfig enableIntegrityMonitoring: expected %t, got, %t", enableIntegrityMonitoring, instance.ShieldedVmConfig.EnableIntegrityMonitoring) + } + return nil + } +} + +func testAccCheckComputeInstanceLacksShieldedVmConfig(instance *computeBeta.Instance) resource.TestCheckFunc { + return func(s *terraform.State) error { + if instance.ShieldedVmConfig != nil { + return fmt.Errorf("Expected no shielded vm config") + } + + return nil + } +} + func testAccComputeInstance_basic(instance string) string { return fmt.Sprintf(` data "google_compute_image" "my_image" { @@ -3243,3 +3426,84 @@ resource "google_compute_node_group" "nodes" { } `, instance, nodeTemplate, nodeGroup) } + +func testAccComputeInstance_shieldedVmConfig(instance string, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) string { + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance" "foobar" { + name = "%s" + machine_type = "n1-standard-1" + zone = "us-central1-a" + + boot_disk { + initialize_params{ + image = "${data.google_compute_image.my_image.self_link}" + } + } + + network_interface { + network = "default" + } + + shielded_vm_config { + enable_secure_boot = %t + enable_vtpm = %t + enable_integrity_monitoring = %t + } +} +`, instance, enableSecureBoot, enableVtpm, enableIntegrityMonitoring) +} + +// Same as above but allow testing of default shieldedVmConfig settings +// by omitting explicit configuration string if param is false +func testAccComputeInstance_shieldedVmConfigDefaults(instance string, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) string { + // Allow testing for explicit false + secureBootStr := "" + if enableSecureBoot { + secureBootStr = "enable_secure_boot = true" + } + + // Implicit false (default) + vtpmStr := "" + if enableVtpm { + vtpmStr = "enable_vtpm = true" + } + + integrityMonitoringStr := "" + if enableIntegrityMonitoring { + integrityMonitoringStr = "enable_integrity_monitoring = true" + } + + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance" "foobar" { + name = "%s" + machine_type = "n1-standard-1" + zone = "us-central1-a" + + boot_disk { + initialize_params{ + image = "${data.google_compute_image.my_image.self_link}" + } + } + + network_interface { + network = "default" + } + + shielded_vm_config { +%s +%s +%s + } +} +`, instance, secureBootStr, vtpmStr, integrityMonitoringStr) +} diff --git a/website/docs/d/datasource_compute_instance.html.markdown b/website/docs/d/datasource_compute_instance.html.markdown index 0292936b7c0..4cf1c7c7c84 100644 --- a/website/docs/d/datasource_compute_instance.html.markdown +++ b/website/docs/d/datasource_compute_instance.html.markdown @@ -85,6 +85,8 @@ The following arguments are supported: * `cpu_platform` - The CPU platform used by this instance. +* `shielded_vm_config` - The shielded vm config being used by the instance. Structure is documented below. + * `network_interface.0.network_ip` - The internal ip address of the instance, either manually or dynamically assigned. * `network_interface.0.access_config.0.nat_ip` - If the instance has an access config, either the given external ip (in the `nat_ip` field) or the ephemeral (generated) ip (if you didn't provide one). @@ -192,3 +194,11 @@ The `guest_accelerator` block supports: * `count` - The number of the guest accelerator cards exposed to this instance. [network-tier]: https://cloud.google.com/network-tiers/docs/overview + +The `shielded_vm_config` block supports: + +* `enable_secure_boot` -- Whether secure boot is enable for the instance. + +* `enable_vtpm` -- Whether the instance uses vTPM. + +* `enable_integrity_monitoring` -- Whether integrity monitoring is enable for the instance. \ No newline at end of file diff --git a/website/docs/r/compute_instance.html.markdown b/website/docs/r/compute_instance.html.markdown index 2b16666622a..7416f7983dd 100644 --- a/website/docs/r/compute_instance.html.markdown +++ b/website/docs/r/compute_instance.html.markdown @@ -134,6 +134,9 @@ The following arguments are supported: * `tags` - (Optional) A list of tags to attach to the instance. +* `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. + **Note**: [`shielded_vm_config`](#shielded_vm_config) can only be used with boot images with shielded vm support. See the complete list [here](https://cloud.google.com/compute/docs/images#shielded-images). + --- The `boot_disk` block supports: @@ -295,6 +298,14 @@ The `node_affinities` block supports: * `value` (Required) - The values for the node affinity label. +The `shielded_vm_config` block supports: + +* `enable_secure_boot` (Optional) -- Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false. + +* `enable_vtpm` (Optional) -- Use a virtualized trusted platform module, which is a specialized computer chip you can use to encrypt objects like keys and certificates. Defaults to false. + +* `enable_integrity_monitoring` (Optional) -- Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to false. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are diff --git a/website/docs/r/compute_instance_template.html.markdown b/website/docs/r/compute_instance_template.html.markdown index 156cb90f8a2..c32fbdebe98 100644 --- a/website/docs/r/compute_instance_template.html.markdown +++ b/website/docs/r/compute_instance_template.html.markdown @@ -244,6 +244,9 @@ The following arguments are supported: * `min_cpu_platform` - (Optional) Specifies a minimum CPU platform. Applicable values are the friendly names of CPU platforms, such as `Intel Haswell` or `Intel Skylake`. See the complete list [here](https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform). +* `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. + **Note**: [`shielded_vm_config`](#shielded_vm_config) can only be used with boot images with shielded vm support. See the complete list [here](https://cloud.google.com/compute/docs/images#shielded-images). + The `disk` block supports: * `auto_delete` - (Optional) Whether or not the disk should be auto-deleted. @@ -273,7 +276,7 @@ The `disk` block supports: read-write mode. * `source` - (Required if source_image not set) The name (**not self_link**) - of the disk (such as those managed by `google_compute_disk`) to attach. + of the disk (such as those managed by `google_compute_disk`) to attach. * `disk_type` - (Optional) The GCE disk type. Can be either `"pd-ssd"`, `"local-ssd"`, or `"pd-standard"`. @@ -372,7 +375,7 @@ The `scheduling` block supports: * `preemptible` - (Optional) Allows instance to be preempted. This defaults to false. Read more on this [here](https://cloud.google.com/compute/docs/instances/preemptible). - + * `node_affinities` - (Optional) Specifies node affinities or anti-affinities to determine which sole-tenant nodes your instances and managed instance groups will use as host systems. Read more on sole-tenant node creation @@ -394,6 +397,14 @@ The `node_affinities` block supports: * `value` (Required) - The values for the node affinity label. +The `shielded_vm_config` block supports: + +* `enable_secure_boot` (Optional) -- Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false. + +* `enable_vtpm` (Optional) -- Use a virtualized trusted platform module, which is a specialized computer chip you can use to encrypt objects like keys and certificates. Defaults to false. + +* `enable_integrity_monitoring` (Optional) -- Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to false. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are