From 42b662ea90efa7651aaa2700dd572c93130b3a6d Mon Sep 17 00:00:00 2001 From: Miriam Lauter Date: Tue, 30 Apr 2019 11:51:15 -0400 Subject: [PATCH] Add support for Shielded VMs to compute_instance and compute_instance_template (#3209) --- google/compute_instance_helpers.go | 25 +++ google/data_source_google_compute_instance.go | 5 + google/resource_compute_instance.go | 49 ++++++ google/resource_compute_instance_template.go | 38 +++++ ...resource_compute_instance_template_test.go | 150 +++++++++++++++++- google/resource_compute_instance_test.go | 149 ++++++++++++++++- .../datasource_compute_instance.html.markdown | 10 ++ website/docs/r/compute_instance.html.markdown | 11 ++ .../r/compute_instance_template.html.markdown | 11 ++ 9 files changed, 444 insertions(+), 4 deletions(-) diff --git a/google/compute_instance_helpers.go b/google/compute_instance_helpers.go index a1b8e0e39c5..4a79ca64ace 100644 --- a/google/compute_instance_helpers.go +++ b/google/compute_instance_helpers.go @@ -204,3 +204,28 @@ func resourceInstanceTags(d TerraformResourceData) *computeBeta.Tags { return tags } + +func expandShieldedVmConfigs(d *schema.ResourceData) *computeBeta.ShieldedVmConfig { + if _, ok := d.GetOk("shielded_vm_config"); !ok { + return nil + } + + prefix := "shielded_vm_config.0" + return &computeBeta.ShieldedVmConfig{ + EnableSecureBoot: d.Get(prefix + ".enable_secure_boot").(bool), + EnableVtpm: d.Get(prefix + ".enable_vtpm").(bool), + EnableIntegrityMonitoring: d.Get(prefix + ".enable_integrity_monitoring").(bool), + } +} + +func flattenShieldedVmConfig(shieldedVmConfig *computeBeta.ShieldedVmConfig) []map[string]bool { + if shieldedVmConfig == nil { + return nil + } + + return []map[string]bool{{ + "enable_secure_boot": shieldedVmConfig.EnableSecureBoot, + "enable_vtpm": shieldedVmConfig.EnableVtpm, + "enable_integrity_monitoring": shieldedVmConfig.EnableIntegrityMonitoring, + }} +} diff --git a/google/data_source_google_compute_instance.go b/google/data_source_google_compute_instance.go index 0caf5bcf5a6..b2ec522218c 100644 --- a/google/data_source_google_compute_instance.go +++ b/google/data_source_google_compute_instance.go @@ -134,6 +134,11 @@ func dataSourceGoogleComputeInstanceRead(d *schema.ResourceData, meta interface{ return err } + err = d.Set("shielded_vm_config", flattenShieldedVmConfig(instance.ShieldedVmConfig)) + if err != nil { + return err + } + d.Set("attached_disk", ads) d.Set("cpu_platform", instance.CpuPlatform) d.Set("min_cpu_platform", instance.MinCpuPlatform) diff --git a/google/resource_compute_instance.go b/google/resource_compute_instance.go index 980e36a9dc3..df15a630d21 100644 --- a/google/resource_compute_instance.go +++ b/google/resource_compute_instance.go @@ -488,6 +488,33 @@ func resourceComputeInstance() *schema.Resource { }, }, + "shielded_vm_config": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enable_secure_boot": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + + "enable_vtpm": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + + "enable_integrity_monitoring": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, + }, + }, + }, + "tags": { Type: schema.TypeSet, Optional: true, @@ -676,6 +703,7 @@ func expandComputeInstance(project string, zone *compute.Zone, d *schema.Resourc DeletionProtection: d.Get("deletion_protection").(bool), Hostname: d.Get("hostname").(string), ForceSendFields: []string{"CanIpForward", "DeletionProtection"}, + ShieldedVmConfig: expandShieldedVmConfigs(d), }, nil } @@ -880,6 +908,11 @@ func resourceComputeInstanceRead(d *schema.ResourceData, meta interface{}) error } } + err = d.Set("shielded_vm_config", flattenShieldedVmConfig(instance.ShieldedVmConfig)) + if err != nil { + return err + } + d.Set("service_account", flattenServiceAccounts(instance.ServiceAccounts)) d.Set("attached_disk", ads) d.Set("scratch_disk", scratchDisks) @@ -1349,6 +1382,22 @@ func resourceComputeInstanceUpdate(d *schema.ResourceData, meta interface{}) err } } + if d.HasChange("shielded_vm_config") { + shieldedVmConfig := expandShieldedVmConfigs(d) + + op, err := config.clientComputeBeta.Instances.UpdateShieldedVmConfig(project, zone, d.Id(), shieldedVmConfig).Do() + if err != nil { + return fmt.Errorf("Error updating shielded vm config: %s", err) + } + + opErr := computeSharedOperationWaitTime(config.clientCompute, op, project, int(d.Timeout(schema.TimeoutUpdate).Minutes()), "shielded vm config update") + if opErr != nil { + return opErr + } + + d.SetPartial("shielded_vm_config") + } + // We made it, disable partial mode d.Partial(false) diff --git a/google/resource_compute_instance_template.go b/google/resource_compute_instance_template.go index d316005ce26..1246f1530b3 100644 --- a/google/resource_compute_instance_template.go +++ b/google/resource_compute_instance_template.go @@ -381,6 +381,37 @@ func resourceComputeInstanceTemplate() *schema.Resource { }, }, + "shielded_vm_config": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enable_secure_boot": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + + "enable_vtpm": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + + "enable_integrity_monitoring": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ForceNew: true, + }, + }, + }, + }, + "guest_accelerator": { Type: schema.TypeList, Optional: true, @@ -667,6 +698,8 @@ func resourceComputeInstanceTemplateCreate(d *schema.ResourceData, meta interfac instanceProperties.GuestAccelerators = expandInstanceTemplateGuestAccelerators(d, config) + instanceProperties.ShieldedVmConfig = expandShieldedVmConfigs(d) + instanceProperties.Tags = resourceInstanceTags(d) if _, ok := d.GetOk("labels"); ok { instanceProperties.Labels = expandLabels(d) @@ -863,6 +896,11 @@ func resourceComputeInstanceTemplateRead(d *schema.ResourceData, meta interface{ return fmt.Errorf("Error setting guest_accelerator: %s", err) } } + if instanceTemplate.Properties.ShieldedVmConfig != nil { + if err = d.Set("shielded_vm_config", flattenShieldedVmConfig(instanceTemplate.Properties.ShieldedVmConfig)); err != nil { + return fmt.Errorf("Error setting shielded_vm_config: %s", err) + } + } return nil } diff --git a/google/resource_compute_instance_template_test.go b/google/resource_compute_instance_template_test.go index c729623ddcb..ee957162b14 100644 --- a/google/resource_compute_instance_template_test.go +++ b/google/resource_compute_instance_template_test.go @@ -9,6 +9,7 @@ import ( "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + computeBeta "google.golang.org/api/compute/v0.beta" "google.golang.org/api/compute/v1" ) @@ -498,6 +499,53 @@ func TestAccComputeInstanceTemplate_EncryptKMS(t *testing.T) { }) } +func TestAccComputeInstanceTemplate_shieldedVmConfig(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_shieldedVmConfig(), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateHasShieldedVmConfig(&instanceTemplate, true, true, true), + ), + }, + { + ResourceName: "google_compute_instance_template.foobar", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccComputeInstanceTemplate_shieldedVmConfigSkip(t *testing.T) { + t.Parallel() + + var instanceTemplate computeBeta.InstanceTemplate + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstanceTemplate_basic(), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceTemplateExists("google_compute_instance_template.foobar", &instanceTemplate), + testAccCheckComputeInstanceTemplateLacksShieldedVmConfig(&instanceTemplate), + ), + }, + }, + }) +} + func testAccCheckComputeInstanceTemplateDestroy(s *terraform.State) error { config := testAccProvider.Meta().(*Config) @@ -516,8 +564,19 @@ func testAccCheckComputeInstanceTemplateDestroy(s *terraform.State) error { return nil } -func testAccCheckComputeInstanceTemplateExists(n string, instanceTemplate *compute.InstanceTemplate) resource.TestCheckFunc { - return testAccCheckComputeInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate) +func testAccCheckComputeInstanceTemplateExists(n string, instanceTemplate interface{}) resource.TestCheckFunc { + if instanceTemplate == nil { + panic("Attempted to check existence of Instance template that was nil.") + } + + switch instanceTemplate.(type) { + case *compute.InstanceTemplate: + return testAccCheckComputeInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate.(*compute.InstanceTemplate)) + case *computeBeta.InstanceTemplate: + return testAccCheckComputeBetaInstanceTemplateExistsInProject(n, getTestProjectFromEnv(), instanceTemplate.(*computeBeta.InstanceTemplate)) + default: + panic("Attempted to check existence of an Instance template of unknown type.") + } } func testAccCheckComputeInstanceTemplateExistsInProject(n, p string, instanceTemplate *compute.InstanceTemplate) resource.TestCheckFunc { @@ -549,6 +608,35 @@ func testAccCheckComputeInstanceTemplateExistsInProject(n, p string, instanceTem } } +func testAccCheckComputeBetaInstanceTemplateExistsInProject(n, p string, instanceTemplate *computeBeta.InstanceTemplate) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + found, err := config.clientComputeBeta.InstanceTemplates.Get( + p, rs.Primary.ID).Do() + if err != nil { + return err + } + + if found.Name != rs.Primary.ID { + return fmt.Errorf("Instance template not found") + } + + *instanceTemplate = *found + + return nil + } +} + func testAccCheckComputeInstanceTemplateMetadata( instanceTemplate *compute.InstanceTemplate, k string, v string) resource.TestCheckFunc { @@ -761,6 +849,34 @@ func testAccCheckComputeInstanceTemplateHasMinCpuPlatform(instanceTemplate *comp } } +func testAccCheckComputeInstanceTemplateHasShieldedVmConfig(instanceTemplate *computeBeta.InstanceTemplate, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) resource.TestCheckFunc { + + return func(s *terraform.State) error { + if instanceTemplate.Properties.ShieldedVmConfig.EnableSecureBoot != enableSecureBoot { + return fmt.Errorf("Wrong shieldedVmConfig enableSecureBoot: expected %t, got, %t", enableSecureBoot, instanceTemplate.Properties.ShieldedVmConfig.EnableSecureBoot) + } + + if instanceTemplate.Properties.ShieldedVmConfig.EnableVtpm != enableVtpm { + return fmt.Errorf("Wrong shieldedVmConfig enableVtpm: expected %t, got, %t", enableVtpm, instanceTemplate.Properties.ShieldedVmConfig.EnableVtpm) + } + + if instanceTemplate.Properties.ShieldedVmConfig.EnableIntegrityMonitoring != enableIntegrityMonitoring { + return fmt.Errorf("Wrong shieldedVmConfig enableIntegrityMonitoring: expected %t, got, %t", enableIntegrityMonitoring, instanceTemplate.Properties.ShieldedVmConfig.EnableIntegrityMonitoring) + } + return nil + } +} + +func testAccCheckComputeInstanceTemplateLacksShieldedVmConfig(instanceTemplate *computeBeta.InstanceTemplate) resource.TestCheckFunc { + return func(s *terraform.State) error { + if instanceTemplate.Properties.ShieldedVmConfig != nil { + return fmt.Errorf("Expected no shielded vm config") + } + + return nil + } +} + func testAccComputeInstanceTemplate_basic() string { return fmt.Sprintf(` data "google_compute_image" "my_image" { @@ -1449,3 +1565,33 @@ resource "google_compute_instance_template" "foobar" { } }`, acctest.RandString(10), kmsLink) } + +func testAccComputeInstanceTemplate_shieldedVmConfig() string { + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance_template" "foobar" { + name = "instancet-test-%s" + machine_type = "n1-standard-1" + can_ip_forward = false + + disk { + source_image = "${data.google_compute_image.my_image.self_link}" + auto_delete = true + boot = true + } + + network_interface { + network = "default" + } + + shielded_vm_config { + enable_secure_boot = true + enable_vtpm = true + enable_integrity_monitoring = true + } +}`, acctest.RandString(10)) +} diff --git a/google/resource_compute_instance_test.go b/google/resource_compute_instance_test.go index 827ebd24f4f..435458bf596 100644 --- a/google/resource_compute_instance_test.go +++ b/google/resource_compute_instance_test.go @@ -10,6 +10,7 @@ import ( "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" + computeBeta "google.golang.org/api/compute/v0.beta" "google.golang.org/api/compute/v1" ) @@ -1063,6 +1064,51 @@ func TestAccComputeInstance_hostname(t *testing.T) { }) } +func TestAccComputeInstance_shieldedVmConfig(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_shieldedVmConfig(instanceName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceHasShieldedVmConfig(&instance, true, true, true), + ), + }, + computeInstanceImportStep("us-central1-a", instanceName, []string{}), + }, + }) +} + +func TestAccComputeInstance_shieldedVmConfigSkip(t *testing.T) { + t.Parallel() + + var instance computeBeta.Instance + instanceName := fmt.Sprintf("terraform-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeInstanceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccComputeInstance_basic(instanceName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeInstanceExists("google_compute_instance.foobar", &instance), + testAccCheckComputeInstanceLacksShieldedVmConfig(&instance), + ), + }, + }, + }) +} + func testAccCheckComputeInstanceUpdateMachineType(n string) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -1120,8 +1166,19 @@ func testAccCheckComputeInstanceDestroy(s *terraform.State) error { return nil } -func testAccCheckComputeInstanceExists(n string, instance *compute.Instance) resource.TestCheckFunc { - return testAccCheckComputeInstanceExistsInProject(n, getTestProjectFromEnv(), instance) +func testAccCheckComputeInstanceExists(n string, instance interface{}) resource.TestCheckFunc { + if instance == nil { + panic("Attempted to check existence of Instance that was nil.") + } + + switch instance.(type) { + case *compute.Instance: + return testAccCheckComputeInstanceExistsInProject(n, getTestProjectFromEnv(), instance.(*compute.Instance)) + case *computeBeta.Instance: + return testAccCheckComputeBetaInstanceExistsInProject(n, getTestProjectFromEnv(), instance.(*computeBeta.Instance)) + default: + panic("Attempted to check existence of an Instance of unknown type.") + } } func testAccCheckComputeInstanceExistsInProject(n, p string, instance *compute.Instance) resource.TestCheckFunc { @@ -1153,6 +1210,35 @@ func testAccCheckComputeInstanceExistsInProject(n, p string, instance *compute.I } } +func testAccCheckComputeBetaInstanceExistsInProject(n, p string, instance *computeBeta.Instance) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + found, err := config.clientComputeBeta.Instances.Get( + p, rs.Primary.Attributes["zone"], rs.Primary.ID).Do() + if err != nil { + return err + } + + if found.Name != rs.Primary.ID { + return fmt.Errorf("Instance not found") + } + + *instance = *found + + return nil + } +} + func testAccCheckComputeInstanceMetadata( instance *compute.Instance, k string, v string) resource.TestCheckFunc { @@ -1534,6 +1620,34 @@ func testAccCheckComputeInstanceHasConfiguredDeletionProtection(instance *comput } } +func testAccCheckComputeInstanceHasShieldedVmConfig(instance *computeBeta.Instance, enableSecureBoot bool, enableVtpm bool, enableIntegrityMonitoring bool) resource.TestCheckFunc { + + return func(s *terraform.State) error { + if instance.ShieldedVmConfig.EnableSecureBoot != enableSecureBoot { + return fmt.Errorf("Wrong shieldedVmConfig enableSecureBoot: expected %t, got, %t", enableSecureBoot, instance.ShieldedVmConfig.EnableSecureBoot) + } + + if instance.ShieldedVmConfig.EnableVtpm != enableVtpm { + return fmt.Errorf("Wrong shieldedVmConfig enableVtpm: expected %t, got, %t", enableVtpm, instance.ShieldedVmConfig.EnableVtpm) + } + + if instance.ShieldedVmConfig.EnableIntegrityMonitoring != enableIntegrityMonitoring { + return fmt.Errorf("Wrong shieldedVmConfig enableIntegrityMonitoring: expected %t, got, %t", enableIntegrityMonitoring, instance.ShieldedVmConfig.EnableIntegrityMonitoring) + } + return nil + } +} + +func testAccCheckComputeInstanceLacksShieldedVmConfig(instance *computeBeta.Instance) resource.TestCheckFunc { + return func(s *terraform.State) error { + if instance.ShieldedVmConfig != nil { + return fmt.Errorf("Expected no shielded vm config") + } + + return nil + } +} + func testAccComputeInstance_basic(instance string) string { return fmt.Sprintf(` data "google_compute_image" "my_image" { @@ -3055,3 +3169,34 @@ resource "google_compute_instance" "foobar" { } `, instance) } + +func testAccComputeInstance_shieldedVmConfig(instance string) string { + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "centos-7" + project = "gce-uefi-images" +} + +resource "google_compute_instance" "foobar" { + name = "%s" + machine_type = "n1-standard-1" + zone = "us-central1-a" + + boot_disk { + initialize_params{ + image = "${data.google_compute_image.my_image.self_link}" + } + } + + network_interface { + network = "default" + } + + shielded_vm_config { + enable_secure_boot = true + enable_vtpm = true + enable_integrity_monitoring = true + } +} +`, instance) +} diff --git a/website/docs/d/datasource_compute_instance.html.markdown b/website/docs/d/datasource_compute_instance.html.markdown index 0292936b7c0..4cf1c7c7c84 100644 --- a/website/docs/d/datasource_compute_instance.html.markdown +++ b/website/docs/d/datasource_compute_instance.html.markdown @@ -85,6 +85,8 @@ The following arguments are supported: * `cpu_platform` - The CPU platform used by this instance. +* `shielded_vm_config` - The shielded vm config being used by the instance. Structure is documented below. + * `network_interface.0.network_ip` - The internal ip address of the instance, either manually or dynamically assigned. * `network_interface.0.access_config.0.nat_ip` - If the instance has an access config, either the given external ip (in the `nat_ip` field) or the ephemeral (generated) ip (if you didn't provide one). @@ -192,3 +194,11 @@ The `guest_accelerator` block supports: * `count` - The number of the guest accelerator cards exposed to this instance. [network-tier]: https://cloud.google.com/network-tiers/docs/overview + +The `shielded_vm_config` block supports: + +* `enable_secure_boot` -- Whether secure boot is enable for the instance. + +* `enable_vtpm` -- Whether the instance uses vTPM. + +* `enable_integrity_monitoring` -- Whether integrity monitoring is enable for the instance. \ No newline at end of file diff --git a/website/docs/r/compute_instance.html.markdown b/website/docs/r/compute_instance.html.markdown index 45c1f35ecdb..7c78aeab8a7 100644 --- a/website/docs/r/compute_instance.html.markdown +++ b/website/docs/r/compute_instance.html.markdown @@ -134,6 +134,9 @@ The following arguments are supported: * `tags` - (Optional) A list of tags to attach to the instance. +* `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. + **Note**: [`shielded_vm_config`](#shielded_vm_config) can only be used with boot images with shielded vm support. See the complete list [here](https://cloud.google.com/compute/docs/images#shielded-images). + --- The `boot_disk` block supports: @@ -279,6 +282,14 @@ The `guest_accelerator` block supports: * `count` (Required) - The number of the guest accelerator cards exposed to this instance. +The `shielded_vm_config` block supports: + +* `enable_secure_boot` (Optional) -- Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false. + +* `enable_vtpm` (Optional) -- Use a virtualized trusted platform module, which is a specialized computer chip you can use to encrypt objects like keys and certificates. Defaults to false. + +* `enable_integrity_monitoring` (Optional) -- Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to false. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are diff --git a/website/docs/r/compute_instance_template.html.markdown b/website/docs/r/compute_instance_template.html.markdown index fa537afe4a5..ca4ae310032 100644 --- a/website/docs/r/compute_instance_template.html.markdown +++ b/website/docs/r/compute_instance_template.html.markdown @@ -246,6 +246,9 @@ The following arguments are supported: * `min_cpu_platform` - (Optional) Specifies a minimum CPU platform. Applicable values are the friendly names of CPU platforms, such as `Intel Haswell` or `Intel Skylake`. See the complete list [here](https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform). +* `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. + **Note**: [`shielded_vm_config`](#shielded_vm_config) can only be used with boot images with shielded vm support. See the complete list [here](https://cloud.google.com/compute/docs/images#shielded-images). + The `disk` block supports: * `auto_delete` - (Optional) Whether or not the disk should be auto-deleted. @@ -381,6 +384,14 @@ The `guest_accelerator` block supports: * `count` (Required) - The number of the guest accelerator cards exposed to this instance. +The `shielded_vm_config` block supports: + +* `enable_secure_boot` (Optional) -- Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false. + +* `enable_vtpm` (Optional) -- Use a virtualized trusted platform module, which is a specialized computer chip you can use to encrypt objects like keys and certificates. Defaults to false. + +* `enable_integrity_monitoring` (Optional) -- Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to false. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are