Enable Secure Boot for GKE clusters.

world-federation-of-advertisers · Nov 7, 2023 · dc290e1 · dc290e1
1 parent d185fbc
commit dc290e1
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/main/terraform/gcloud/modules/cluster/main.tf b/src/main/terraform/gcloud/modules/cluster/main.tf
@@ -55,4 +55,9 @@ resource "google_container_cluster" "cluster" {
   # See https://registry.terraform.io/providers/hashicorp/google/4.63.0/docs/resources/container_cluster#example-usage---with-a-separately-managed-node-pool-recommended
   remove_default_node_pool = true
   initial_node_count       = 1
+  node_config {
+    shielded_instance_config {
+      enable_secure_boot = true
+    }
+  }
 }
diff --git a/src/main/terraform/gcloud/modules/node-pool/main.tf b/src/main/terraform/gcloud/modules/node-pool/main.tf
@@ -25,6 +25,9 @@ resource "google_container_node_pool" "node_pool" {
     machine_type    = var.machine_type
     disk_type       = "pd-balanced"
     spot            = var.spot
+    shielded_instance_config {
+      enable_secure_boot = true
+    }
 
     dynamic "taint" {
       for_each = var.spot ? [{