Commit

Merge pull request #130 from nosportugal/confidential-vms
feat: add option to enable confidential vm
bschaatsbergen committed Dec 8, 2023
2 parents 0bc790d + 85dfb1c commit a167d33
Showing 3 changed files with 13 additions and 1 deletion.
2 changes: 2 additions & 0 deletions README.md
@@ -43,6 +43,8 @@ This Terraform module deploys various resources to run Atlantis on Google Comput

- **Cloud Armor** - Use Google Cloud Armor security policies to protect the default backend service from distributed denial-of-service (DDoS) and other web-based attacks. Security policies can be configured manually, with configurable match conditions and actions in a security policy. Google Cloud Armor also features preconfigured security policies, which cover a variety of use cases.

- **Confidential VM** - A Confidential VM is a type of Compute Engine VM that ensures that your data and applications stay private and encrypted even while in use. You can use a Confidential VM as part of your security strategy so you do not expose sensitive data or workloads during processing. Note that Confidential VM [does not support live migration](https://cloud.google.com/confidential-computing/confidential-vm/docs/error-messages#live_migration_isnt_supported), so if this feature is enabled, `onHostMaintenance` will be set to `TERMINATE`.

## Prerequisites

This module expects that you already own or create the below resources yourself.
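Review bot: the new bullet names the API field `onHostMaintenance` but never tells the reader how to turn the feature on; since the behaviour is driven by the module variable added in this change, the README entry should name `enable_confidential_vm` and the Terraform argument `on_host_maintenance` (as used in main.tf) so users can trace the `TERMINATE` setting to the input they set.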
6 changes: 5 additions & 1 deletion main.tf
Expand Up @@ -142,7 +142,7 @@ resource "google_compute_instance_template" "default" {
automatic_restart = var.spot_machine_enabled ? false : true
preemptible = var.spot_machine_enabled ? true : false
provisioning_model = var.spot_machine_enabled ? "SPOT" : "STANDARD"
on_host_maintenance = var.spot_machine_enabled ? "TERMINATE" : "MIGRATE"
on_host_maintenance = (var.spot_machine_enabled || var.enable_confidential_vm) ? "TERMINATE" : "MIGRATE"
instance_termination_action = var.spot_machine_enabled ? "STOP" : null
}
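Review bot: with `enable_confidential_vm = true` and `spot_machine_enabled = false`, `on_host_maintenance` becomes `TERMINATE` while `automatic_restart` stays `true`, so the instance is stopped and then restarted on every host maintenance event rather than live-migrated; that operational consequence should be spelled out in the variable description, and the repeated `var.spot_machine_enabled || var.enable_confidential_vm` condition would read better as a named local (e.g. `local.requires_terminate`) next to the other scheduling ternaries.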

@@ -206,6 +206,10 @@ resource "google_compute_instance_template" "default" {
scopes = var.service_account.scopes
}

confidential_instance_config {
enable_confidential_compute = var.enable_confidential_vm
}

tags = concat(local.atlantis_network_traffic_tags, var.tags)
labels = local.atlantis_labels
project = var.project
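Review bot: `confidential_instance_config` is now rendered unconditionally, with `enable_confidential_compute = var.enable_confidential_vm` evaluating to `false` for every existing user of the module; please confirm this produces no plan diff (and therefore no instance template replacement) for deployments that do not opt in, or guard the block with `dynamic "confidential_instance_config"` over `var.enable_confidential_vm ? [1] : []` so it is only emitted when the feature is requested.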
6 changes: 6 additions & 0 deletions variables.tf
@@ -181,3 +181,9 @@ variable "iap_backend_security_policy" {
description = "Name of the security policy to apply to the IAP backend service"
default = null
}

variable "enable_confidential_vm" {
type = bool
description = "Enable Confidential VM. If true, on host maintenance will be set to TERMINATE"
default = false
}
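Review bot: the description states the `TERMINATE` side effect but not why it happens; since the README in this same change explains that Confidential VM does not support live migration, the description should carry the same reason and use the Terraform argument name, e.g. `"Enable Confidential VM. Confidential VMs do not support live migration, so on_host_maintenance is set to TERMINATE when this is true."`, and it should follow the punctuation style of the neighbouring `iap_backend_security_policy` description.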