diff --git a/README.md b/README.md index 8628ce3..460ebda 100644 --- a/README.md +++ b/README.md 
@@ -4,35 +4,32 @@ maintain Confidential VM instances. Tower integrates with a long list of Cloud Service Providers (CSPs), private and bare-metal infrastructure to provide governance of the resources defining your Trusted Execution Environment (TEE). -It implements Infrastructure-as-Code (IaC) and SecDevOps methodologies to provide integrity and state of the art security -to your workloads runtime. + +It implements Infrastructure-as-Code (IaC) and SecDevOps best-practices to provide integrity and state of the art security to your workloads runtime. ## 🌟 Features - 🀹 **Confidential VM Orchestration**: Deploy confidential VMs on AMD SEV-SNP and Intel TDX platforms. +- πŸ”¬ **Hardware & Environment Verification**: Integrate with [CanaryBit Inspector](https://www.canarybit.eu/confidential-cloud-inspector/) to support Remote Attestation of deployed confidential VMs. (* Requires a CanaryBit account) - πŸ›  **Extensible Configuration**: Configure your confidential VM using available configuration options or write your own. - βš–οΈ **No lock-in**: Support for multiple hardware platforms and virtualisation software. -- πŸ”¬ **Attestation verification support**: Integrates with [Inspector](https://www.canarybit.eu/confidential-cloud-inspector/) -to support remote attestation of deployed confidential VMs. Contact hi@canarybit.eu to learn more about CanaryBit's solution for remote attestation of confidential VMs. ## 🧩 Integrations - **Galaxy server**: Support for the [Galaxy project](https://github.com/galaxyproject) for data-intensive computation. -- **Write your own**: Simple to crate new integrations using the [cloud-init-generator](https://github.com/canarybit/tower/tree/main/extensions/cloud-init-generator) - +- **Write your own**: Simple to create new integrations with custom `cloud-init` configurations. + ## πŸ› οΈ How It Works 1. **Clone** the repository to get the configurations. 2. **Configure** the cloud-init script fine-tune your target setup. 3. 
**Run** the Terraform scripts for your target Cloud Service Provider. 4. **Need help?** Check the examples to help you get started. - ## 🧱 Requirements - [Terraform](https://developer.hashicorp.com/terraform) or [OpenTofu](https://opentofu.org/docs/intro/install/) installed; -- Credentials to access your favourite Cloud Service Provider; -- An SSH key to access Confidential VM instances. +- Credentials to access your target Cloud Service Provider; +- A SSH RSA keypair to access Confidential VM instances. ## πŸ“– Documentation -For setup instructions, API references, and usage examples, see the documentation: -πŸ”— [Documentation Link](https://docs.confidentialcloud.io/tower/) +For setup instructions, API references, and usage examples, read the [technical documentation](https://docs.confidentialcloud.io/tower/). ## πŸ€ Use Cases - πŸ€– **Confidential AI**: Train models in a secure environment to protect intellectual property at all times. 
@@ -44,23 +41,32 @@ For setup instructions, API references, and usage examples, see the documentatio ## πŸ’ͺ Contributing Contributions are welcome! Please check the [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to get started. -## πŸ“‘ License -Tower is licensed under the **Apache-2.0 License**. See the [LICENSE](LICENSE) file for more details. -The Standard version contains the Terraform/OpenTofu configurations for deploying Confidential VMs in **Public Clouds**. -Currently Tower supports the following platforms and public cloud providers: +## 🎟️ Licences + +Tower is a Freemium service: basic features are free for Public Cloud setups while additional features, such as Remote Attestation and On-prem support, are offered via a paid subscription. + +### πŸ”° Standard +The [Apache-2.0 License](LICENSE) *free* version contains the Terraform/OpenTofu configurations for deploying Confidential VMs in **Public Clouds**. -| Cloud Platform | AMD SEV-SNP | Intel TDX | -|-----------------| ------- |------- | -| [AWS](/aws) | yes | upcoming | -| [Azure](/azure) | yes | upcoming | -| [GCP](/gcp) | yes | yes | +Currently, Tower supports the following platforms and public cloud providers: + +| Cloud Platform | AMD SEV-SNP | Intel TDX | +|-------------------------| ----------- |------------ | +| [AWS](/modules/aws) | yes | upcoming | +| [Azure](/modules/azure) | yes | upcoming | +| [GCP](/modules/gcp) | yes | yes | ### πŸ’Ž Premium The Premium version contains the Terraform configurations for deploying Confidential VMs **on-premise** and for **bare-metal** setups. 
-Currently Tower supports the following virtualisation plaftorms: + +Currently, Tower supports the following virtualisation plaftorms: - [Libvirt/Qemu/KVM](https://libvirt.org/) - [Proxmox](https://www.proxmox.com/) - [VMware vSphere 9.0](https://www.vmware.com/products/cloud-infrastructure/vsphere) -Reach out to [hi@canarybit.eu](mailto:hi@canarybit.eu) if you want to use Tower to deploy confidential VMs in on-prem deployments (that requires the Premium version). + +## 🎟️ Contacts +Reach us out at [hi@canarybit.eu](mailto:hi@canarybit.eu) for more information. + +/Β The CanaryBit Team \ No newline at end of file diff --git a/aws/examples/single.tf b/aws/examples/single.tf deleted file mode 100644 index fec4867..0000000 --- a/aws/examples/single.tf +++ /dev/null @@ -1,29 +0,0 @@ -terraform { - required_version = ">= 1.0" - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.5" - } - } -} - -provider "aws" {} - -// ===================== -// Confidential VM (CVM) -// ===================== -module "confidential-vm" { - source = "git@github.com:canarybit/tower//aws?ref=main" - - cvm_name = "my-confidential-vm" - cvm_cloud_init = "../../commons/cloud-init.yml" - cvm_ssh_enabled = true -} - -// ===================== -// Print CVM info -// ===================== -output "Confidential_VM_Info" { - value = module.confidential-vm.cvm-info -} diff --git a/aws/servers.tf b/aws/servers.tf deleted file mode 100644 index 7c63bd1..0000000 --- a/aws/servers.tf +++ /dev/null 
@@ -1,52 +0,0 @@ -/////////////////////// -// AMD SNP -/////////////////////// - -resource "aws_instance" "amd-snp" { - count = strcontains(var.cvm_size,"m6a") || strcontains(var.cvm_size,"c6a") || strcontains(var.cvm_size,"r6a") ? 1 : 0 - tags = { - Name = var.cvm_name - } - - ami = var.cvm_os - instance_type = var.cvm_size - - user_data = var.cvm_cloud_init != null ? base64encode(file(var.cvm_cloud_init)) : null - - vpc_security_group_ids = [aws_security_group.default.id] - associate_public_ip_address = true - - root_block_device { - volume_size = var.cvm_disk_size_gb - delete_on_termination = true - } - - cpu_options { - amd_sev_snp = "enabled" // Enables AMD SEV-SNP - } - -} - -/////////////////////// -// INTEL TDX -/////////////////////// - -resource "aws_instance" "intel-tdx" { - count = strcontains(var.cvm_size,"m7i") || strcontains(var.cvm_size,"m7i-flex") ? 1 : 0 - tags = { - Name = var.cvm_name - } - - ami = var.cvm_os - instance_type = var.cvm_size - - user_data = base64encode(file(var.cvm_cloud_init)) - - vpc_security_group_ids = [aws_security_group.default.id] - associate_public_ip_address = true - - root_block_device { - volume_size = var.cvm_disk_size_gb - delete_on_termination = true - } -} \ No newline at end of file diff --git a/azure/examples/single.tf b/azure/examples/single.tf deleted file mode 100644 index 656444b..0000000 --- a/azure/examples/single.tf +++ /dev/null 
@@ -1,34 +0,0 @@ -terraform { - required_version = ">= 1.0" - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = ">= 4.0.1" - } - } -} - -provider "azurerm" { - features {} -} - -// ===================== -// Confidential VM (CVM) -// ===================== -module "confidential-vm" { - source = "git@github.com:canarybit/tower//azure?ref=main" - - az_resource_group_name = "my-resource-group" - - cvm_name = "my-confidential-vm" - cvm_cloud_init = "../../commons/cloud-init.yml" - cvm_ssh_enabled = true - cvm_ssh_pubkey = "~/.ssh/id_rsa.pub" -} - -// ===================== -// Print CVM info -// ===================== -output "Confidential_VM_Info" { - value = module.confidential-vm.cvm-info -} diff --git a/azure/server.tf b/azure/server.tf deleted file mode 100644 index 0974bc3..0000000 --- a/azure/server.tf +++ /dev/null @@ -1,41 +0,0 @@ -resource "azurerm_linux_virtual_machine" "cvm" { - name = var.cvm_name - resource_group_name = data.azurerm_resource_group.default.name - location = data.azurerm_resource_group.default.location - size = var.cvm_size - user_data = base64encode(file(var.cvm_cloud_init)) - - # The required AZ approach to add a VM user in addition to cloud-init config - admin_username = var.cvm_username - admin_ssh_key { - username = var.cvm_username - public_key = file(var.cvm_ssh_pubkey) - } - - disable_password_authentication = true - - network_interface_ids = [ - azurerm_network_interface.default.id - ] - - vtpm_enabled = true - secure_boot_enabled = true - - os_disk { - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - security_encryption_type = "DiskWithVMGuestState" - disk_size_gb = var.cvm_disk_size_gb - } - - source_image_reference { - publisher = local.cvm_os_urn[0] - offer = local.cvm_os_urn[1] - sku = local.cvm_os_urn[2] - version = local.cvm_os_urn[3] - } - - lifecycle { - ignore_changes = [user_data] - } -} 
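Review bot: if `azurerm_linux_virtual_machine.cvm` moves into modules/azure unchanged, drop or narrow the `lifecycle { ignore_changes = [user_data] }` block at the end of the deleted azure/server.tf. This change makes cloud-init the mechanism that installs the attestation client (the new `remote_attestation` module input), so a user who enables or re-keys attestation on an existing Azure CVM would see an empty plan and the VM would keep its old user_data; at minimum document that the VM must be tainted. Two smaller points from the same file: the deleted example passed `cvm_ssh_pubkey = "~/.ssh/id_rsa.pub"` straight into `public_key = file(var.cvm_ssh_pubkey)`, and Terraform's `file()` does not expand `~`, so the module needs `file(pathexpand(var.cvm_ssh_pubkey))` (the new examples/single.tf keeps the same `~` string); and `admin_ssh_key` is the reason the top-level README now demands an RSA key, which is worth stating there since AWS and GCP accept other key types.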
diff --git a/commons/cloud-init.yml b/cloud-init/default.yml similarity index 85% rename from commons/cloud-init.yml rename to cloud-init/default.yml index 934afce..bab16ab 100644 --- a/commons/cloud-init.yml +++ b/cloud-init/default.yml @@ -1,11 +1,11 @@ #cloud-config users: - default - - name: + - name: ${USERNAME} sudo: false shell: /bin/bash ssh_authorized_keys: - - + - ${SSH_PUBKEY} timezone: UTC locale: "en_US.UTF-8" diff --git a/cloud-init/remote-attestation.yml b/cloud-init/remote-attestation.yml new file mode 100644 index 0000000..ef5f5ff --- /dev/null +++ b/cloud-init/remote-attestation.yml 
@@ -0,0 +1,65 @@ +#cloud-config +users: + - default + - name: ${USERNAME} + groups: [canarybit] + sudo: false + shell: /bin/bash + ssh_authorized_keys: + - ${SSH_PUBKEY} + +timezone: UTC +locale: "en_US.UTF-8" + +package_update: true +package_upgrade: true +package_reboot_if_required: true +packages: + - libtss2-dev + - jq + +write_files: + - path: /etc/environment + append: true + content: | + CB_TOKENS=${CB_TOKENS} + CBCLIENT_LOG_LEVEL=info + CBCLIENT_INSPECTOR_URL=${CBINSPECTOR_URL} + CBCLIENT_ENVIRONMENTS=${CC_ENVIRONMENTS} + + - path: /etc/udev/rules.d/61-canarybit-udev.rules + owner: root:root + content: | + # Custom udev rules for CanaryBit attestation client + # SNP on non-Hyper-V guest + # Preserves OWNER="root", gives the group "canarybit" ownership and read access + KERNEL=="sev-guest",MODE="0640",GROUP="canarybit" + # SNP on Hyper-V guest + # Preserves OWNER="tss" and MODE="0660", gives the group "canarybit" ownership and read/write access + KERNEL=="tpmrm0",MODE="0660",GROUP="canarybit" + + - path: /home/${USERNAME}/signing-key.pem + owner: ${USERNAME}:${USERNAME} + defer: true + permissions: '0600' + content: | + ${SIGNING_KEY} + + - path: /home/${USERNAME}/launch-cbclient.sh + owner: ${USERNAME}:${USERNAME} + defer: true + permissions: '0755' + content: | + #!/bin/bash + ############################# + # FETCH & RUN THE CBCLIENT + ############################# + curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/${CBCLI_V}/cb-x86_64-unknown-linux-gnu -o cb; chmod +x cb + ./cb download cbclient ${CBCLIENT_V}/cbclient; chmod +x cbclient + ./cbclient attestation --token $(./cb login inspector) --key signing-key.pem 2> cbclient-logs.txt + +runcmd: + - udevadm trigger + - su -c '/home/${USERNAME}/launch-cbclient.sh' - ${USERNAME} + +final_message: "========== TOWER SETUP COMPLETED IN $UPTIME secs ==========" \ No newline at end of file 
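Review bot: the `write_files` entry for `/etc/environment` puts `CB_TOKENS=${CB_TOKENS}` into a world-readable file (no `permissions:` is set, and cloud-init defaults to 0644), so every local account on the CVM can read the CanaryBit tokens; the token is then passed on the command line in launch-cbclient.sh (`--token $(./cb login inspector)`), where it is visible in `ps` to every user. Write the tokens to a file owned by `root:canarybit` with `permissions: '0640'` (the udev rules already rely on that group) and have the script source it instead of `/etc/environment`. Further points in this file: `${SIGNING_KEY}` is a multi-line PEM dropped into a `content: |` block scalar, so every line after the first loses its indentation and the YAML breaks unless the template wraps it in `indent()` or the file uses `encoding: b64`; `${CB_TOKENS}` is the JSON value the deleted generator README obtained with `./cb login | jq -c`, which should be quoted before `/etc/environment` is parsed; launch-cbclient.sh downloads `cb` and `cbclient` with no checksum or signature verification and chains the steps with `;` rather than `&&`, so a failed download still executes whatever `./cbclient` resolves to; and `remote_attestation.signing_key` is `optional(string)` with no default, so confirm the template tolerates a null before writing `signing-key.pem`.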
diff --git a/aws/.gitignore b/examples/.gitignore similarity index 100% rename from aws/.gitignore rename to examples/.gitignore diff --git a/examples/single.tf b/examples/single.tf new file mode 100644 index 0000000..6d576f7 --- /dev/null +++ b/examples/single.tf @@ -0,0 +1,67 @@ +terraform { + required_version = ">= 1.0" + required_providers { + // Use only the required provider + aws = { + source = "hashicorp/aws" + version = "~> 5.5" + } + azurerm = { + source = "hashicorp/azurerm" + version = ">= 4.0.1" + } + google = { + source = "hashicorp/google" + version = "~> 6.8.0" + } + } +} + +// Use only the required provider +provider "aws" {} +provider "azurerm" { + features { } +} +provider "gcp" {} + +// ===================== +// Tower Arguments +// ===================== + +variable "cb_login" { + description = "Enter your CanaryBit Authentication token." + type = string +} + +// ===================== +// Confidential VM (CVM) +// ===================== +module "confidential-vm" { + source = "canarybit/tower/canarybit/" // : aws, azure, gcp + cb_auth = var.cb_login + + // Azure deployments only, remove otherwise! + az_resource_group_name = "" + + // Confidential VM + cvm_name = "demo-cvm" + cvm_ssh_enabled = true + cvm_ssh_pubkey = "~/.ssh/id_rsa.pub" + + // Remote Attestation + remote_attestation = { + cc_environments = "snp" + } +} + +// ===================== +// Print CVM info +// ===================== +output "cvm-info" { + value = module.confidential-vm.cvm-info +} + +output "cvm_cloud_init" { + value = module.confidential-vm.cloud-init + sensitive = true +} \ No newline at end of file diff --git a/extensions/cloud-init-generator/README.md b/extensions/cloud-init-generator/README.md deleted file mode 100644 index 8ccc288..0000000 --- a/extensions/cloud-init-generator/README.md +++ /dev/null 
@@ -1,64 +0,0 @@ -# Cloud-init Generator - -Generate a cloud-init.yml file extending the standard Confidential VM configuration with CanaryBit Remote Attestation service (Inspector). - -## Requirements - -- `jq` installed - -## Instructions - -### 1. Downlaod `cb` CLI - -#### Linux - -``` -$Β curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/0.1.0/cb-x86_64-unknown-linux-gnu -o cb; chmod +x cb -``` - -#### Windows - -``` -curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/0.1.0/cb-x86_64-pc-windows-msvc.exe -o cb; chmod +x cb -``` - -#### MacOS - -**M-series** - -``` -curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/0.1.0/cb-aarch64-apple-darwin -o cb; chmod +x cb -``` - -**Intel** - -``` -curl -fsSL https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com/cb-cli/0.1.0/cb-x86_64-apple-darwin -o cb; chmod +x cb -``` - -### 2. Login and get your CanaryBit credentials - -Source your credentials: -``` -export CB_USERNAME="***" -export CB_PASSWORD="***" -``` - -and retrieve your CanaryBit tokens: - -``` -export $CB_TOKENS=$(./cb login | jq -c) -``` - -### 4. Generate the cloud-init file - -Example: -``` -$ ./cloud-init-gen.sh --cb-tokens $CB_TOKENS --environment snp --cvm-username demo --cvm-ssh-pubkey ~/.ssh/id_rsa.pub --cbclient-version 0.2.1 --inspector-url https://stag.inspector.confidentialcloud.cc -``` - -Need Help? - -``` -./cloud-init-gen.sh --help -``` diff --git a/extensions/cloud-init-generator/cloud-init-gen.sh b/extensions/cloud-init-generator/cloud-init-gen.sh deleted file mode 100755 index 1de83ab..0000000 --- a/extensions/cloud-init-generator/cloud-init-gen.sh +++ /dev/null 
@@ -1,178 +0,0 @@ -#!/bin/bash -set -euo pipefail - -# Generates cloud-init.yml with all template variables substituted by provided values. -usage() { - cat < CanaryBit id_ and auth_ token in a single json block - --environment Target environment: [ "snp", "tdx" ] - --cvm-username Username to access the VM - --cvm-ssh-pubkey Path to Public Key file - -Optional: - --custom-policy Path to Policy file - --inspector-url Default: https://inspector.confidentialcloud.io - --cbclient Default: latest - --cb-cli Default: latest - --output Default: ./cloud-init.yml - -h, --help Show this help - -Example: - - $0 \\ - --cb-tokens \$CB_TOKENS \\ - --environment snp \\ - --cvm-username john \\ - --cvm-ssh-pubkey ~/.ssh/id_rsa.pub \\ - --cbclient-version 0.2.1 \\ - --inspector-url https://stag.inspector.confidentialcloud.cc - -EOF - exit 1 -} - -# Parse args -while [[ $# -gt 0 ]]; do - case "$1" in - --cb-tokens) CB_TOKENS="$2"; shift 2 ;; - --environment) ENV="$2"; shift 2 ;; - --cvm-username) USERNAME="$2"; shift 2 ;; - --cvm-ssh-pubkey) SSH_PUBKEY_FILE="$2"; shift 2 ;; - --cbclient-version) CBCLIENT_VERSION="$2"; shift 2 ;; - --custom-policy) CUSTOM_POLICY="$2"; shift 2 ;; - --inspector-url) INSPECTOR_URL="$2"; shift 2 ;; - --output) OUTFILE="$2"; shift 2 ;; - -h|--help) usage ;; - *) echo "Unknown arg: $1"; usage ;; - esac -done - -# Check required arguments -: "${CB_TOKENS?:--cb-tokens is required}" -: "${ENV?:--environment is required: 'snp' or 'tdx'}" -: "${USERNAME?:--username is required}" -: "${SSH_PUBKEY_FILE?:--ssh-pubkey filepath is required}" -: "${CBCLIENT_VERSION?:--cbclient-version is required}" - -# Set arguments defaults -INSPECTOR_URL="${INSPECTOR_URL:-'https://inspector.confidentialcloud.io'}" -CBCLI_VERSION="${CBCLI_VERSION:-latest}" -CUSTOM_POLICY="${CUSTOM_POLICY:-}" -OUTFILE="${OUTFILE:-./cloud-init.yml}" - -# Set global variables defaults -CB_PUBLIC_REPO="https://canarybit-public-binaries.s3.eu-west-1.amazonaws.com" -CUSTOM_POLICY_CONFIG='' 
-CBCLIENT_ARG_POLICY='' - -# Get CB CLI 'latest' version -if [[ "${CBCLI_VERSION}" == "latest" ]]; then - CBCLI_VERSION=$(curl -fsSL $CB_PUBLIC_REPO/cb-cli/latest) -fi - -# Create the Policy file (policy.rego) if file exists -if [[ -n "${CUSTOM_POLICY}" ]]; then - CBCLIENT_ARG_POLICY="--policy policy.rego" - CUSTOM_POLICY_CONTENT=$(cat ${CUSTOM_POLICY}) - CUSTOM_POLICY_CONFIG=$(cat <&2 - exit 2 -fi - -# Read single-line public key and strip CR if present -SSH_PUBKEY="$(sed -e 's/\r$//' "${SSH_PUBKEY_FILE}" | tr -d '\n')" - -if [[ -z "${SSH_PUBKEY}" ]]; then - echo "Error: SSH public key file appears empty: ${SSH_PUBKEY_FILE}" >&2 - exit 2 -fi - -# Check Environment values -if [[ "${ENV}" != "snp" && "${ENV}" != "tdx" ]]; then - echo "Error: --environment must be either 'snp' or 'tdx'." >&2 - exit 2 -fi - -# Create output file (cloud-init YAML) -cat > "${OUTFILE}" < 0 - error_message = "Valid values are n2d-* or c3-standard-* series" - } -} - -variable "cvm_cpu_platform" { - // All CPU platforms here: https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform - description = "Supported CPU Platforms are ['AMD Milan','AMD Genoa'] for AMD SNP and ['sapphirerapids'] for Intel TDX" - type = string - default = "AMD Milan" -} - -variable "cvm_os" { - description = "" - type = string - default = "ubuntu-2404-lts-amd64" -} - -variable "cvm_disk_size_gb" { - description = "" - type = string - default = "30" -} - -variable "cvm_ports_open" { - description = "" - type = list(string) - default = [] -} - -variable "cvm_ssh_enabled" { - description = "" - default = null -} \ No newline at end of file diff --git a/aws/examples/.gitignore b/modules/aws/.gitignore similarity index 100% rename from aws/examples/.gitignore rename to modules/aws/.gitignore diff --git a/aws/.pre-commit-config.yaml b/modules/aws/.pre-commit-config.yaml similarity index 100% rename from aws/.pre-commit-config.yaml rename to modules/aws/.pre-commit-config.yaml 
diff --git a/aws/README.md b/modules/aws/README.md similarity index 100% rename from aws/README.md rename to modules/aws/README.md diff --git a/aws/outputs.tf b/modules/aws/outputs.tf similarity index 50% rename from aws/outputs.tf rename to modules/aws/outputs.tf index 09a7f23..55a898a 100644 --- a/aws/outputs.tf +++ b/modules/aws/outputs.tf @@ -1,13 +1,25 @@ output "cvm-info" { description = "Details of the running CVM instance(s)" - value = <<-EOF + value = < 0 @@ -31,12 +31,34 @@ variable "cvm_size" { } } +/////////////////////// +// DEFAULT +/////////////////////// + +variable "remote_attestation" { + description = "Enable CanaryBit Inspector Remote Attestation" + type = object({ + cc_environments = string + cbinspector_url = optional(string, "https://inspector.confidentialcloud.io") + cbclient_version = optional(string, "0.2.2") + cbcli_version = optional(string, "0.2.0") + signing_key = optional(string) + }) + default = null +} + variable "cvm_os" { description = "AMI of the OS image" type = string default = "ami-09040d770ffe2224f" // Canonical, Ubuntu, 24.04 LTS, amd64 noble image build on 2024-04-23 } +variable "cvm_username" { + description = "" + type = string + default = "tower" +} + variable "cvm_disk_size_gb" { description = "" type = string diff --git a/azure/.gitignore b/modules/azure/.gitignore similarity index 100% rename from azure/.gitignore rename to modules/azure/.gitignore diff --git a/azure/.pre-commit-config.yaml b/modules/azure/.pre-commit-config.yaml similarity index 100% rename from azure/.pre-commit-config.yaml rename to modules/azure/.pre-commit-config.yaml diff --git a/azure/README.md b/modules/azure/README.md similarity index 100% rename from azure/README.md rename to modules/azure/README.md diff --git a/azure/data.tf b/modules/azure/data.tf similarity index 100% rename from azure/data.tf rename to modules/azure/data.tf 
diff --git a/azure/locals.tf b/modules/azure/locals.tf similarity index 100% rename from azure/locals.tf rename to modules/azure/locals.tf diff --git a/azure/network.tf b/modules/azure/network.tf similarity index 100% rename from azure/network.tf rename to modules/azure/network.tf diff --git a/azure/outputs.tf b/modules/azure/outputs.tf similarity index 72% rename from azure/outputs.tf rename to modules/azure/outputs.tf index d6d87de..fb609ba 100644 --- a/azure/outputs.tf +++ b/modules/azure/outputs.tf @@ -1,6 +1,6 @@ output "cvm-info" { description = "Details of the running CVM instance(s)" - value = <<-EOF + value = < 0 error_message = "Valid values are Standard_DC* or Standard_EC* series" } diff --git a/azure/examples/.gitignore b/modules/gcp/.gitignore similarity index 100% rename from azure/examples/.gitignore rename to modules/gcp/.gitignore diff --git a/gcp/.pre-commit-config.yaml b/modules/gcp/.pre-commit-config.yaml similarity index 100% rename from gcp/.pre-commit-config.yaml rename to modules/gcp/.pre-commit-config.yaml diff --git a/gcp/README.md b/modules/gcp/README.md similarity index 100% rename from gcp/README.md rename to modules/gcp/README.md diff --git a/modules/gcp/locals.tf b/modules/gcp/locals.tf new file mode 100644 index 0000000..84d8902 --- /dev/null +++ b/modules/gcp/locals.tf @@ -0,0 +1,9 @@ +locals { + cvm_running_os = split("/", google_compute_instance.cvm.boot_disk.0.initialize_params.0.image) + // Map VM size with CPU type + cvm_size_prefix = split("-",var.cvm_size)[0] + cvm_size_cpu_type_map = { + TDX = ["c3"] + SEV_SNP = ["n2d"] + } +} \ No newline at end of file diff --git a/gcp/outputs.tf b/modules/gcp/outputs.tf similarity index 73% rename from gcp/outputs.tf rename to modules/gcp/outputs.tf index 7db07ff..c1a3e00 100644 --- a/gcp/outputs.tf +++ b/modules/gcp/outputs.tf 
@@ -8,9 +8,21 @@ output "cvm-info" { Disk: 0 GB PublicIp: ${google_compute_instance.cvm.network_interface.0.access_config.0.nat_ip} SshEnabled: ${var.cvm_ssh_enabled} + Username: ${var.cvm_username} Secure Boot: ${google_compute_instance.cvm.shielded_instance_config.0.enable_secure_boot} vTPM: ${google_compute_instance.cvm.shielded_instance_config.0.enable_vtpm} + EnclaveID / Signing Key Fingerprint: + ${data.local_file.signing-key-fingerprint.content} + + EOF +} + +output "cloud-init" { + value = < 0 + error_message = "ERROR - Invalid VM size" + } +} + +/////////////////////// +// DEFAULT +/////////////////////// + +variable "remote_attestation" { + description = "Enable CanaryBit Inspector Remote Attestation" + type = object({ + cc_environments = string + cbinspector_url = optional(string, "https://inspector.confidentialcloud.io") + cbclient_version = optional(string, "0.2.2") + cbcli_version = optional(string, "0.2.0") + signing_key = optional(string) + }) + default = null +} + +variable "cvm_os" { + description = "" + type = string + default = "ubuntu-2404-lts-amd64" +} + +variable "cvm_username" { + description = "" + type = string + default = "tower" +} + +variable "cvm_disk_size_gb" { + description = "" + type = string + default = "0" +} + +variable "cvm_ports_open" { + description = "" + type = list(string) + default = [] +} + +variable "cvm_ssh_enabled" { + description = "" + default = null +} \ No newline at end of file diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..a8e6192 --- /dev/null +++ b/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 1.0.0" +} \ No newline at end of file
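Review bot: in the first README hunk, `Integrate with [CanaryBit Inspector]` should read `Integrates with` to match the other feature bullets, `to your workloads runtime` should be `to your workloads' runtime`, and the `(* Requires a CanaryBit account)` marker has no matching footnote. The unchanged step 2 in How It Works still reads `Configure the cloud-init script fine-tune your target setup` (missing "to"). In Requirements, `A SSH RSA keypair` needs `An`, and since the RSA restriction comes from Azure's `admin_ssh_key` (see the deleted azure/server.tf), say so in that bullet so AWS and GCP users know other key types work there.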
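Review bot: in the second README hunk, `+Currently, Tower supports the following virtualisation plaftorms:` carries the typo over from the deleted line; fix it to `platforms` while touching it. Also in this hunk: `Reach us out at` should be `Reach out to us at`; the new Licences section states that only the Standard version is Apache-2.0 and, like the old text, never names the licence the Premium configurations ship under, so either name it or state that it is covered by the subscription agreement; and the 🎟️ emoji is reused for both the `Licences` and `Contacts` headings.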
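Review bot: if the `aws_instance` resources deleted from aws/servers.tf move into modules/aws unchanged, carry two fixes: the `intel-tdx` resource calls `file(var.cvm_cloud_init)` unconditionally, whereas `amd-snp` guards it with `var.cvm_cloud_init != null ? base64encode(file(var.cvm_cloud_init)) : null`, so a null `cvm_cloud_init` fails only on TDX sizes; and neither resource sets `metadata_options { http_tokens = "required" }`, so IMDSv2 is not enforced on instances that get `associate_public_ip_address = true`.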
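Review bot: in examples/single.tf, `provider "gcp" {}` does not match the `google` entry in `required_providers`, so Terraform resolves it to a non-existent `hashicorp/gcp` provider and `terraform init` fails before any of the three clouds can be used; rename it to `provider "google" {}`. In the same file, `source = "canarybit/tower/canarybit/"` is not a valid module address (registry form is `NAMESPACE/NAME/PROVIDER`, and the trailing `/` plus the `// : aws, azure, gcp` comment suggest an unfinished placeholder), `variable "cb_login"` holds an authentication token but lacks `sensitive = true`, and `cvm_ssh_pubkey = "~/.ssh/id_rsa.pub"` only works if the module passes it through `pathexpand()` before `file()`. Declaring all three providers with empty configurations also makes `init` download all three and `plan` configure azurerm and google without credentials, so one example per cloud would serve users better than "remove otherwise!".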
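Review bot: deleting extensions/cloud-init-generator/README.md removes the only instructions in the repository for obtaining the token that `cb_auth` expects (download `cb`, `export CB_USERNAME`/`CB_PASSWORD`, `./cb login | jq -c`), and examples/single.tf now just says "Enter your CanaryBit Authentication token". Carry a short version into the top-level README's Remote Attestation bullet or confirm the docs.confidentialcloud.io page covers it.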
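Review bot: deleting cloud-init-gen.sh drops the `--custom-policy` path (the script wrote `policy.rego` and passed `--policy policy.rego` to cbclient), and the `remote_attestation` object added to the modules has no corresponding field, so a user with a custom attestation policy has no way to supply one through Tower after this change; add a `policy` attribute or record the regression in the changelog. Replacing the script's `curl ... /cb-cli/latest` lookup with pinned `cbclient_version`/`cbcli_version` defaults is the right direction.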
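Review bot: in modules/aws/variables.tf, `remote_attestation.signing_key` carries a private signing key, but the `remote_attestation` variable is not marked `sensitive = true`, so the PEM is printed in `terraform plan` and in the module's `cloud-init` output unless the caller flags it (examples/single.tf does, the module does not); it will land in state regardless, and the description should say so. Also in this hunk: `cvm_username` has an empty `description`, and the unchanged `cvm_os` default `ami-09040d770ffe2224f` is a region-specific AMI ID, which its description should mention.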
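Review bot: in modules/azure/variables.tf, the `cvm_size` validation message `Valid values are Standard_DC* or Standard_EC* series` admits more than Confidential VMs: the `Standard_DC*` prefix also matches the SGX enclave families (DCsv2, DCsv3), which are not CVMs and will be rejected once `security_encryption_type = "DiskWithVMGuestState"` is applied. Restrict the check to the AMD SEV-SNP families (DCas_v5/DCads_v5, ECas_v5/ECads_v5) and the Intel TDX families (DCes_v5, ECes_v5) and list them in `error_message`.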
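Review bot: in modules/gcp/outputs.tf, `cvm-info` now interpolates `data.local_file.signing-key-fingerprint.content`, but `remote_attestation` defaults to null, so unless that data source is created with `count` and the reference is guarded, every deployment without attestation fails at output time; guard it with a conditional. Same hunk: `Disk: 0 GB` is hard-coded rather than interpolating `var.cvm_disk_size_gb`, and the new `cloud-init` output should be `sensitive = true` in the module itself, since it embeds the CanaryBit tokens and the signing key.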
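Review bot: in modules/gcp/variables.tf, the defaulted optional attributes in `remote_attestation` (`optional(string, "https://inspector.confidentialcloud.io")` and the version fields) require Terraform 1.3 or later, but the new versions.tf declares `required_version = ">= 1.0.0"` and examples/single.tf says `>= 1.0`; raise both to `>= 1.3.0` (OpenTofu, which the README lists as an alternative, accepts the same syntax). Also here: `cvm_disk_size_gb` defaults to the string `"0"`, which should either be a number or be documented as "use the image default"; and the `cvm_size` validation's `error_message = "ERROR - Invalid VM size"` tells the user nothing, whereas the AWS and Azure modules list the accepted series, so mirror the `n2d`/`c3` prefixes from `cvm_size_cpu_type_map` in the message.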