gcp: add secureBoot option to gcp TF

note that the shileded_instance_config options have 3 states: 1. User-specified enabled 2. User-specified disabled 3. Not user-specfiied: default The shileded_instance_config is defined as dynamic block and will be only in case the user specified it. This should allow us to get the cloud provider default in case the user didn't specify the config (and will not require code updates if the cloud provider default changes).
openshift · Jan 10, 2023 · a0b9c49 · a0b9c49
1 parent 8bdeceb
commit a0b9c49
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 0 deletions.
diff --git a/data/data/gcp/cluster/main.tf b/data/data/gcp/cluster/main.tf
@@ -32,6 +32,7 @@ module "master" {
   ignition        = var.ignition_master
   subnet          = module.network.master_subnet
   zones           = distinct(var.gcp_master_availability_zones)
+  secure_boot     = var.gcp_master_secure_boot
 
   root_volume_size = var.gcp_master_root_volume_size
   root_volume_type = var.gcp_master_root_volume_type

diff --git a/data/data/gcp/cluster/master/main.tf b/data/data/gcp/cluster/master/main.tf
@@ -61,6 +61,15 @@ resource "google_compute_instance" "master" {
     kms_key_self_link = var.root_volume_kms_key_link
   }
 
+
+  dynamic "shielded_instance_config" {
+    for_each = var.secure_boot != "" ? [1] : []
+
+    content {
+      enable_secure_boot = var.secure_boot == "Enabled"
+    }
+  }
+
   network_interface {
     subnetwork = var.subnet
   }

diff --git a/data/data/gcp/cluster/master/variables.tf b/data/data/gcp/cluster/master/variables.tf
@@ -67,3 +67,9 @@ variable "root_volume_kms_key_link" {
 variable "zones" {
   type = list
 }
+
+variable "secure_boot" {
+  type        = string
+  description = "Verify the digital signature of all boot components."
+  default     = ""
+}
diff --git a/data/data/gcp/variables-gcp.tf b/data/data/gcp/variables-gcp.tf
@@ -163,3 +163,9 @@ variable "gcp_private_zone_project" {
   default = ""
   description = "Project where the private managed zone will exist."
 }
+
+variable "gcp_master_secure_boot" {
+  type = string
+  description = "Verify the digital signature of all boot components."
+  default = ""
+}
diff --git a/pkg/tfvars/gcp/gcp.go b/pkg/tfvars/gcp/gcp.go
@@ -44,6 +44,7 @@ type config struct {
 	ControlPlaneSubnet      string   `json:"gcp_control_plane_subnet,omitempty"`
 	ComputeSubnet           string   `json:"gcp_compute_subnet,omitempty"`
 	ControlPlaneTags        []string `json:"gcp_control_plane_tags,omitempty"`
+	SecureBoot              string   `json:"gcp_master_secure_boot,omitempty"`
 }
 
 // TFVarsSources contains the parameters to be converted into Terraform variables
@@ -95,7 +96,9 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 		ComputeSubnet:           workerConfig.NetworkInterfaces[0].Subnetwork,
 		PreexistingNetwork:      sources.PreexistingNetwork,
 		ControlPlaneTags:        masterConfig.Tags,
+		SecureBoot:              string(masterConfig.ShieldedInstanceConfig.SecureBoot),
 	}
+
 	cfg.PreexistingImage = true
 	if len(sources.ImageLicenses) > 0 {
 		cfg.PreexistingImage = false