Merge pull request #113 from argyle-engineering/shielded_vm_config

Allow configuring Shielded VM options
runatlantis · May 1, 2023 · d2157aa · d2157aa
2 parents d89899e + 3d42797
commit d2157aa
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -229,6 +229,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis | <pre>object({<br>    email  = string,<br>    scopes = list(string)<br>  })</pre> | <pre>{<br>  "email": "",<br>  "scopes": [<br>    "cloud-platform"<br>  ]<br>}</pre> | no |
+| <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded instance configuration | <pre>object({<br>    enable_integrity_monitoring = bool<br>    enable_vtpm                 = bool<br>    enable_secure_boot          = bool<br>})</pre> | <pre>{<br>  enable_integrity_monitoring = true<br>  enable_vtpm                 = true<br>  enable_secure_boot          = true<br>}</pre> | no |
 | <a name="input_spot_machine_enabled"></a> [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no |
 | <a name="input_startup_script"></a> [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no |
 | <a name="input_subnetwork"></a> [subnetwork](#input\_subnetwork) | Name of the subnetwork to attach a network interface to | `string` | n/a | yes |

diff --git a/main.tf b/main.tf
@@ -179,9 +179,9 @@ resource "google_compute_instance_template" "default" {
   }
 
   shielded_instance_config {
-    enable_integrity_monitoring = true
-    enable_vtpm                 = true
-    enable_secure_boot          = true
+    enable_integrity_monitoring = var.shielded_instance_config.enable_integrity_monitoring
+    enable_vtpm                 = var.shielded_instance_config.enable_vtpm
+    enable_secure_boot          = var.shielded_instance_config.enable_secure_boot
   }
 
   service_account {

diff --git a/variables.tf b/variables.tf
@@ -82,6 +82,20 @@ variable "service_account" {
   }
 }
 
+variable "shielded_instance_config" {
+  type = object({
+    enable_integrity_monitoring = optional(bool)
+    enable_vtpm                 = optional(bool)
+    enable_secure_boot          = optional(bool)
+  })
+  description = "Shielded VM provides verifiable integrity to prevent against malware and rootkits"
+  default = {
+    enable_integrity_monitoring = true
+    enable_vtpm                 = true
+    enable_secure_boot          = true
+  }
+}
+
 variable "domain" {
   type        = string
   description = "Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://`"