From 856293dd887e3eb7e15f2cf805ad069fca3d34b9 Mon Sep 17 00:00:00 2001
From: Josef Reinhard Brandl
Date: Fri, 29 Oct 2021 09:33:24 +0200
Subject: [PATCH] Set security relevant settings on default node pool to comply with Sentinel

---
 autogen/main/cluster.tf.tmpl | 10 +++++++++-
 cluster.tf | 7 ++++++-
 modules/beta-private-cluster-update-variant/cluster.tf | 8 +++++++-
 modules/beta-private-cluster/cluster.tf | 8 +++++++-
 modules/beta-public-cluster-update-variant/cluster.tf | 8 +++++++-
 modules/beta-public-cluster/cluster.tf | 8 +++++++-
 modules/private-cluster-update-variant/cluster.tf | 7 ++++++-
 modules/private-cluster/cluster.tf | 7 ++++++-
 8 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 6f9f52209d..b7852655af 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -263,6 +263,15 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ {% if beta_cluster %}
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ {% endif %}
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -635,4 +644,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/cluster.tf b/cluster.tf
index 3b829768fa..a0182f42fb 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -149,6 +149,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -330,4 +336,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
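Review bot: In the template hunk the `{% if beta_cluster %}` block is surrounded by a blank added line on each side, so the non-beta output carries two consecutive blank lines before `shielded_instance_config`, as the hunks for cluster.tf, modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf show. Moving the blank line that follows `{% endif %}` to just before it, i.e. `boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")` / `` (blank) / `{% endif %}`, keeps a single separator in both beta and non-beta output once the generated modules are refreshed. Separately, `enable_secure_boot` falls back to `false`, so the default pool only satisfies a policy that requires secure boot when the caller sets it on `node_pools[0]`; a comment above the new lines, `# Mirror the first entry of var.node_pools so policy checks on the plan see the default pool's shielded-VM and boot-disk-encryption settings`, would make the coupling to `var.node_pools[0]` explicit and appears to be the reason for the change given the commit title. That index also presumes `var.node_pools` is never empty, which I cannot confirm from this hunk. The enclosing `node_config` block of `google_container_cluster.primary` begins and ends outside the hunk.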
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 970b4568c3..7a9601d4a0 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -236,6 +236,13 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -578,4 +585,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 04aa845abf..4c4012db94 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -236,6 +236,13 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -493,4 +500,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index fbde380f5d..501d78ad09 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -236,6 +236,13 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -559,4 +566,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 1268d04d4c..e9a5253e41 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -236,6 +236,13 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -474,4 +481,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index ce1342b05e..8f27c6fcf5 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -149,6 +149,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -428,4 +434,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 1ec65d0ce8..ddd72f27d0 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -149,6 +149,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -343,4 +349,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-