1 change: 1 addition & 0 deletions google_gke/README.md
Expand Up @@ -415,6 +415,7 @@ module "gke" {
| <a name="input_node_pools_guest_accelerator"></a> [node\_pools\_guest\_accelerator](#input\_node\_pools\_guest\_accelerator) | Map containing node pools guest accelerator. Each node pool's name is the key. See locals.tf for defaults. | `map(map(string))` | <pre>{<br/> "tf-default-node-pool": {}<br/>}</pre> | no |
| <a name="input_node_pools_labels"></a> [node\_pools\_labels](#input\_node\_pools\_labels) | Map containing node pools non-default labels (as a map of strings). Each key is used as node pool's name prefix. See locals.tf for defaults. | `map(map(string))` | <pre>{<br/> "tf-default-node-pool": {}<br/>}</pre> | no |
| <a name="input_node_pools_oauth_scopes"></a> [node\_pools\_oauth\_scopes](#input\_node\_pools\_oauth\_scopes) | Map containing node pools non-default OAuth scopes (as an list). Each node pool's name is the key. See locals.tf for defaults. | `map(list(string))` | <pre>{<br/> "tf-default-node-pool": []<br/>}</pre> | no |
| <a name="input_node_pools_shielded_instance_config"></a> [node\_pools\_shielded\_instance\_config](#input\_node\_pools\_shielded\_instance\_config) | Per-node-pool shielded instance config. Keyed by node pool name. Pools not present in this map fall back to GKE provider defaults (integrity monitoring on, secure boot off). Changing shielded\_instance\_config on an existing pool forces recreation, so opt in per pool. | <pre>map(object({<br/> enable_secure_boot = optional(bool, true)<br/> enable_integrity_monitoring = optional(bool, true)<br/> }))</pre> | `{}` | no |
| <a name="input_node_pools_spot_enabled"></a> [node\_pools\_spot\_enabled](#input\_node\_pools\_spot\_enabled) | Map containing node pools spot enabled. Each node pool's name is the key. See locals.tf for defaults. | `map(bool)` | <pre>{<br/> "tf-default-node-pool": false<br/>}</pre> | no |
| <a name="input_node_pools_sysctls"></a> [node\_pools\_sysctls](#input\_node\_pools\_sysctls) | Map containing node pools non-default linux node config sysctls (as a map of maps). Each node pool's name is the key. | `map(map(any))` | <pre>{<br/> "tf-default-node-pool": {}<br/>}</pre> | no |
| <a name="input_node_pools_tags"></a> [node\_pools\_tags](#input\_node\_pools\_tags) | Map containing node pools non-default tags (as an list). Each node pool's name is the key. See locals.tf for defaults. | `map(list(string))` | <pre>{<br/> "tf-default-node-pool": []<br/>}</pre> | no |
10 changes: 9 additions & 1 deletion google_gke/cluster.tf
Expand Up @@ -4,7 +4,6 @@
# * cluster telemetry (some kinda new monitoring / logging / metrics aggregation & dashboard for gke clusters; in beta)
# * enable_binary_authorization (all container images validated by Google Binary Authorization; needs further impact investigation)
# * enable_l4_ilb_subsetting (needs further impact investigation)
# * shielded_instance_config.enable_secure_boot & shielded_instance_config.enable_integrity_monitoring (needs further impact investigation)
# * database_encryption to be added with CloudKMS key (postponed for adding CloudKMS keys structure to Terraform or secrets management)

#
Expand Down Expand Up @@ -311,6 +310,15 @@ resource "google_container_node_pool" "pools" {

spot = local.node_pools_spot_enabled[each.key]

dynamic "shielded_instance_config" {
for_each = local.node_pools_shielded_instance_config[each.key] != null ? [local.node_pools_shielded_instance_config[each.key]] : []

content {
enable_secure_boot = shielded_instance_config.value.enable_secure_boot
enable_integrity_monitoring = shielded_instance_config.value.enable_integrity_monitoring
}
}

machine_type = each.value.machine_type
oauth_scopes = local.node_pools_oauth_scopes[each.key]
service_account = google_service_account.cluster_service_account.email
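Review bot: The `dynamic "shielded_instance_config"` block omits the block entirely for pools absent from the map rather than emitting one with explicit defaults, and the reason (avoiding forced recreation of existing pools, stated only in the variable description) is not visible here; a comment above `dynamic "shielded_instance_config" {` such as `# Omitted, not emitted with defaults, for pools absent from the map so that existing pools are not force-recreated; see var.node_pools_shielded_instance_config.` would keep the next maintainer from "simplifying" it into an always-present block. The lookup `local.node_pools_shielded_instance_config[each.key]` is evaluated twice in the `for_each` expression; `for_each = local.node_pools_shielded_instance_config[each.key] == null ? [] : [local.node_pools_shielded_instance_config[each.key]]` reads the same but a `for c in [...] : c if c != null` form would evaluate it once. The enclosing `google_container_node_pool` resource starts and ends outside the hunk, so I am inferring from the surrounding `spot`/`machine_type`/`oauth_scopes` attributes that this sits inside `node_config`.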
2 changes: 2 additions & 0 deletions google_gke/locals.tf
Expand Up @@ -55,6 +55,8 @@ locals {
node_pools_taints = { for node_pool in var.node_pools : node_pool.name => lookup(var.node_pools_taints, node_pool.name, []) }
node_pools_spot_enabled = { for node_pool in var.node_pools : node_pool.name => lookup(var.node_pools_spot_enabled, node_pool.name, false) }

node_pools_shielded_instance_config = { for node_pool in var.node_pools : node_pool.name => lookup(var.node_pools_shielded_instance_config, node_pool.name, null) }

# Google Group for RBAC
cluster_authenticator_security_group = var.google_group_name == null ? [] : [{
security_group = var.google_group_name
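Review bot: The new local falls back to `null` via `lookup(var.node_pools_shielded_instance_config, node_pool.name, null)`, so a misspelled pool name in the map is silently ignored and that pool keeps provider defaults (secure boot off) with no plan-time error. That is the same pattern as the neighbouring `node_pools_taints` and `node_pools_spot_enabled` locals, but for a security control a silent no-op is worth surfacing. A cheap guard is a local such as `node_pools_shielded_unknown_keys = setsubtract(keys(var.node_pools_shielded_instance_config), [for node_pool in var.node_pools : node_pool.name])` paired with a `lifecycle { precondition { condition = length(local.node_pools_shielded_unknown_keys) == 0 ... } }` on the node pool resource (or a `validation` block on the variable, if the module's Terraform version allows cross-variable references there). The enclosing `locals` block continues outside the hunk.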
9 changes: 9 additions & 0 deletions google_gke/variables.tf
Expand Up @@ -249,6 +249,15 @@ variable "node_pools_sysctls" {
}
}

variable "node_pools_shielded_instance_config" {
description = "Per-node-pool shielded instance config. Keyed by node pool name. Pools not present in this map fall back to GKE provider defaults (integrity monitoring on, secure boot off). Changing shielded_instance_config on an existing pool forces recreation, so opt in per pool."
type = map(object({
enable_secure_boot = optional(bool, true)
enable_integrity_monitoring = optional(bool, true)
}))
default = {}
}

variable "node_pools_tags" {
description = "Map containing node pools non-default tags (as an list). Each node pool's name is the key. See locals.tf for defaults."
type = map(list(string))
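Review bot: `optional(bool, true)` with a default value in the object type requires Terraform 1.3 or newer; the module's `required_version` is not in this diff, so please confirm it is at least that, otherwise `terraform validate` fails on this variable. The description should also state the operational effect of the opt-in default `enable_secure_boot = true`: Secure Boot refuses to load unsigned kernel modules, so pools that rely on such modules need to be checked before they are added to the map. A sentence like `Secure Boot blocks unsigned kernel modules; verify pools that load third-party modules before opting them in.` appended to `description` would cover it.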