Add support for Shielded VMs to compute_instance and compute_instance_template (#3209) #3531
Conversation
| PreCheck: func() { testAccPreCheck(t) }, | ||
| Providers: testAccProviders, | ||
| CheckDestroy: testAccCheckComputeInstanceTemplateDestroy, | ||
| Steps: []resource.TestStep{ |
There was a problem hiding this comment.
Do you mind adding an import step to this test like the one above?
| PreCheck: func() { testAccPreCheck(t) }, | ||
| Providers: testAccProviders, | ||
| CheckDestroy: testAccCheckComputeInstanceDestroy, | ||
| Steps: []resource.TestStep{ |
There was a problem hiding this comment.
Do you mind adding an import step here like in the test above?
There was a problem hiding this comment.
Looking great! I have a few comments about defaults, I think we want to keep in line with API defaults. This is mostly because Terraform won't send schema-defined defaults when a field is undefined so for consistency we need to define exactly what the API does.
In addition, I think we can eliminate a few test cases. Since tests on the provider are acceptance-level and take a while to run (At 8x parallelism a run takes 4 hours today!) we tend towards testing minimum novel behaviour instead of testing as thoroughly as you have, unfortunately.
| }) | ||
| } | ||
|
|
||
| func TestAccComputeInstanceTemplate_shieldedVmConfigSkip(t *testing.T) { |
There was a problem hiding this comment.
I'm inclined to omit this test since it's nearly identical to https://github.com/terraform-providers/terraform-provider-google/blob/b1e181e09ffc6492d17ccb220f0c03ccd6d39ef3/google/resource_compute_instance_template_test.go#L18. You can add testAccCheckComputeInstanceTemplateHasShieldedVmConfig to that test if you'd like, though.
There was a problem hiding this comment.
I initially wanted to add the lacksShieldedVmConfig check to the basic test. That would just make sure that omitting shieldedVmConfig from the instance config would mean the block was absent rather than shieldedVmConfig {} which would result in an api error.
The issue is that TestAcccomputeInstance(Template)_basic uses compute.Instance and not compute.BetaInstance. This actually was a bit of a point of confusion for me. ShieldedVmConfig settings are available in the v1 REST api (under the name ShieldedInstanceConfig, but neither ShieldedInstanceConfig nor ShieldedVmConfig are available in the generated go structs for the v1 api. I wasn't sure where that left the provider in terms of including the block in the regular vs beta provider.
There was a problem hiding this comment.
I'd be happy with it being added to any test that's already using the beta instance, or changing that test to use the beta instance. They're pretty indistinguishable.
I hadn't noticed that the field was renamed from Beta -> GA, how do you feel about using the GA naming in the Terraform schema name for the block? That way we'll be aligned with the finalised naming of the feature.
| }) | ||
| } | ||
|
|
||
| func TestAccComputeInstanceTemplate_shieldedVmConfig3(t *testing.T) { |
There was a problem hiding this comment.
I think cases 3 and 4 are redundant with 1 and 2, they're testing how Terraform's defaults work more than they're testing novel resource behaviour. Let me know if you think I'm missing something, though.
| @@ -389,6 +389,37 @@ func resourceComputeInstanceTemplate() *schema.Resource { | |||
| }, | |||
| }, | |||
|
|
|||
| "shielded_vm_config": { | |||
There was a problem hiding this comment.
The suggestions for compute instance apply here as well, unless this resource behaves differently in your experience.
| @@ -134,6 +134,9 @@ The following arguments are supported: | |||
|
|
|||
| * `tags` - (Optional) A list of tags to attach to the instance. | |||
|
|
|||
| * `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. | |||
There was a problem hiding this comment.
Nice! I was gonna ask if we could list the images, but you already did.
| @@ -134,6 +134,9 @@ The following arguments are supported: | |||
|
|
|||
| * `tags` - (Optional) A list of tags to attach to the instance. | |||
|
|
|||
| * `shielded_vm_config` - (Optional) Enable [Shielded VM](https://cloud.google.com/security/shielded-cloud/shielded-vm) on this instance. Shielded VM provides verifiable integrity to prevent against malware and rootkits. Defaults to disabled. Structure is documented below. | |||
There was a problem hiding this comment.
(also, remember to update the defaults in these docs too)
|
Latest update:
Thanks so much for being so patient and helpful! |
There was a problem hiding this comment.
Thanks @mlauter, great work!
I'll upstream these changes to our code generator (https://github.com/GoogleCloudPlatform/magic-modules) so it targets google-beta as well and then merge this PR.
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
Adds support for Shielded VMs to compute instances and instance templates.
Test output: