Add more security options to GKE nodes (#4)

basisai · Apr 8, 2021 · a33cbbd · a33cbbd
1 parent b4500f9
commit a33cbbd
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -210,8 +210,12 @@ unsealing Vault if the nodes have access to the keys.
 | gcs\_extra\_parameters | Additional paramaters for GCS storage. See https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage | `map` | `{}` | no |
 | gcs\_storage\_enable | Enable the use of GCS Storage | `any` | n/a | yes |
 | gcs\_storage\_use | Use GCS storage in Vault configuration. Setting this to false allows GCS storage resouces to be created but not used with Vault | `bool` | `true` | no |
+| gke\_boot\_disk\_kms\_key | KMS Key to encrypt the boot disk. Set to `null` to not use any | `string` | `null` | no |
 | gke\_cluster | Cluster to create node pool for | `string` | `"<REQUIRED if gke_pool_create is true>"` | no |
 | gke\_disk\_type | Disk type for the nodes | `string` | `"pd-standard"` | no |
+| gke\_enable\_integrity\_monitoring | Enable integrity monitoring of nodes | `bool` | `false` | no |
+| gke\_enable\_secure\_boot | Enable secure boot for GKE nodes | `bool` | `false` | no |
+| gke\_image\_type | Type of image for GKE nodes | `string` | `"COS_CONTAINERD"` | no |
 | gke\_labels | Labels for the GKE nodes | `map` | `{}` | no |
 | gke\_machine\_type | Machine type for the GKE nodes. Make sure this matches the resources you are requesting | `string` | `"n1-standard-2"` | no |
 | gke\_metadata | Metadata for the GKE nodes | `map` | `{}` | no |

diff --git a/gke.tf b/gke.tf
@@ -37,10 +37,13 @@ resource "google_container_node_pool" "vault" {
   }
 
   node_config {
-    disk_size_gb = var.gke_node_size_gb
-    disk_type    = var.gke_disk_type
     machine_type = var.gke_machine_type
 
+    disk_size_gb      = var.gke_node_size_gb
+    disk_type         = var.gke_disk_type
+    boot_disk_kms_key = var.gke_boot_disk_kms_key
+    image_type        = var.gke_image_type
+
     labels   = var.gke_labels
     metadata = var.gke_metadata
     tags     = var.gke_tags
@@ -66,6 +69,11 @@ resource "google_container_node_pool" "vault" {
     workload_metadata_config {
       node_metadata = var.workload_identity_enable ? "GKE_METADATA_SERVER" : "SECURE"
     }
+
+    shielded_instance_config {
+      enable_secure_boot          = var.gke_enable_secure_boot
+      enable_integrity_monitoring = var.gke_enable_integrity_monitoring
+    }
   }
 
   dynamic "upgrade_settings" {

diff --git a/variables.tf b/variables.tf
@@ -767,6 +767,30 @@ variable "gke_disk_type" {
   default     = "pd-standard"
 }
 
+variable "gke_boot_disk_kms_key" {
+  description = "KMS Key to encrypt the boot disk. Set to `null` to not use any"
+  type        = string
+  default     = null
+}
+
+variable "gke_image_type" {
+  description = "Type of image for GKE nodes"
+  type        = string
+  default     = "COS_CONTAINERD"
+}
+
+variable "gke_enable_secure_boot" {
+  description = "Enable secure boot for GKE nodes"
+  type        = bool
+  default     = false
+}
+
+variable "gke_enable_integrity_monitoring" {
+  description = "Enable integrity monitoring of nodes"
+  type        = bool
+  default     = false
+}
+
 variable "gke_machine_type" {
   description = "Machine type for the GKE nodes. Make sure this matches the resources you are requesting"
   default     = "n1-standard-2"