Issue 501: Expose node pool enable_secure_boot and enable_integrity_m…

…onitoring options (#506)

* Expose node pool shielded_instance_config

Co-authored-by: c0feec0der <>

autogen/main/cluster.tf.tmpl

@@ -497,6 +497,11 @@ resource "google_container_node_pool" "pools" {
       }
     }
     {% endif %}
+
+    shielded_instance_config {
+      enable_secure_boot =  lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

cluster.tf

@@ -230,6 +230,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

examples/deploy_service/README.md

@@ -28,18 +28,8 @@ It will:
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/disable_client_cert/README.md

@@ -26,18 +26,8 @@ This example illustrates how to create a simple cluster and disable deprecated s
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/node_pool/README.md

@@ -24,18 +24,8 @@ This example illustrates how to create a cluster with multiple custom node-pool
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/shared_vpc/README.md

@@ -23,18 +23,8 @@ This example illustrates how to create a simple cluster where the host network i
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/simple_regional/README.md

@@ -23,18 +23,8 @@ This example illustrates how to create a simple cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/simple_regional_private/README.md

@@ -22,18 +22,8 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/simple_zonal_private/README.md

@@ -23,18 +23,8 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/simple_zonal_with_acm/README.md

@@ -29,18 +29,8 @@ It incorporates the standard cluster module and the [ACM install module](../../m
 | acm\_git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/stub_domains/README.md

@@ -27,18 +27,8 @@ It will:
 |------|-------------|
 | ca\_certificate |  |
 | client\_token |  |
-| cluster\_name | Cluster name |
-| ip\_range\_pods | The secondary IP range used for pods |
-| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint |  |
-| location |  |
-| master\_kubernetes\_version | The master Kubernetes version |
-| network |  |
-| project\_id |  |
-| region |  |
 | service\_account | The default service account used for running nodes. |
-| subnetwork |  |
-| zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

modules/beta-private-cluster-update-variant/cluster.tf

@@ -451,6 +451,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

modules/beta-private-cluster/cluster.tf

@@ -379,6 +379,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

modules/beta-public-cluster/cluster.tf

@@ -366,6 +366,11 @@ resource "google_container_node_pool" "pools" {
         sandbox_type = sandbox_config.value
       }
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

modules/private-cluster-update-variant/cluster.tf

@@ -315,6 +315,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {

modules/private-cluster/cluster.tf

@@ -243,6 +243,11 @@ resource "google_container_node_pool" "pools" {
         count = guest_accelerator["count"]
       }
     ]
+
+    shielded_instance_config {
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
+      enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+    }
   }
 
   lifecycle {