[terraform] enable secure boot in k8s node pools (#15068)

cjllanwarne · web-flow · commit e89954656d27 · 2025-09-19T10:19:48.000-04:00
## Change Description Fixes hail-is/hail-security#47 Enables secure boot and shielded nodes for node pools and vdc cluster. Note: - [x] Apply terraform and validate that it works in a sandbox instance before bringing to production - [ ] Must be applied manually in production after the PR merges ## Security Assessment - This change potentially impacts the Hail Batch instance as deployed by Broad Institute in GCP ### Impact Rating - This change has a medium security impact ### Impact Description Enables secure boot and shielded nodes. Makes sure the kernels being loaded in are properly protected ### Appsec Review - [x] Required: The impact has been assessed and approved by appsec
diff --git a/infra/gcp-broad/main.tf b/infra/gcp-broad/main.tf
@@ -143,7 +143,7 @@ resource "google_container_cluster" "vdc" {
   name = "vdc"
   location = var.gcp_zone
   network = google_compute_network.default.name
-  enable_shielded_nodes = false
+  enable_shielded_nodes = true
 
   # We can't create a cluster with no node pool defined, but we want to only use
   # separately managed node pools. So we create the smallest possible default
@@ -263,7 +263,7 @@ resource "google_container_node_pool" "vdc_preemptible_pool" {
 
     shielded_instance_config {
       enable_integrity_monitoring = true
-      enable_secure_boot          = false
+      enable_secure_boot          = true
     }
   }
 
@@ -310,7 +310,7 @@ resource "google_container_node_pool" "vdc_nonpreemptible_pool" {
 
     shielded_instance_config {
       enable_integrity_monitoring = true
-      enable_secure_boot          = false
+      enable_secure_boot          = true
     }
   }
 
diff --git a/infra/gcp/main.tf b/infra/gcp/main.tf
@@ -121,6 +121,7 @@ resource "google_container_cluster" "vdc" {
   name = "vdc"
   location = var.gcp_zone
   network = google_compute_network.default.name
+  enable_shielded_nodes = true
 
   # We can't create a cluster with no node pool defined, but we want to only use
   # separately managed node pools. So we create the smallest possible default
@@ -200,6 +201,11 @@ resource "google_container_node_pool" "vdc_preemptible_pool" {
     metadata = {
       disable-legacy-endpoints = "true"
     }
+
+    shielded_instance_config {
+      enable_integrity_monitoring = true
+      enable_secure_boot          = true
+    }
   }
 }
 
@@ -228,6 +234,11 @@ resource "google_container_node_pool" "vdc_nonpreemptible_pool" {
     metadata = {
       disable-legacy-endpoints = "true"
     }
+
+    shielded_instance_config {
+      enable_integrity_monitoring = true
+      enable_secure_boot          = true
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ resource "google_container_cluster" "vdc" {`
`143`	`143`	`name = "vdc"`
`144`	`144`	`location = var.gcp_zone`
`145`	`145`	`network = google_compute_network.default.name`
`146`		`- enable_shielded_nodes = false`
	`146`	`+ enable_shielded_nodes = true`
`147`	`147`
`148`	`148`	`# We can't create a cluster with no node pool defined, but we want to only use`
`149`	`149`	`# separately managed node pools. So we create the smallest possible default`
`@@ -263,7 +263,7 @@ resource "google_container_node_pool" "vdc_preemptible_pool" {`
`263`	`263`
`264`	`264`	`shielded_instance_config {`
`265`	`265`	`enable_integrity_monitoring = true`
`266`		`- enable_secure_boot = false`
	`266`	`+ enable_secure_boot = true`
`267`	`267`	`}`
`268`	`268`	`}`
`269`	`269`
`@@ -310,7 +310,7 @@ resource "google_container_node_pool" "vdc_nonpreemptible_pool" {`
`310`	`310`
`311`	`311`	`shielded_instance_config {`
`312`	`312`	`enable_integrity_monitoring = true`
`313`		`- enable_secure_boot = false`
	`313`	`+ enable_secure_boot = true`
`314`	`314`	`}`
`315`	`315`	`}`
`316`	`316`
Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,7 @@ resource "google_container_cluster" "vdc" {`
`121`	`121`	`name = "vdc"`
`122`	`122`	`location = var.gcp_zone`
`123`	`123`	`network = google_compute_network.default.name`
	`124`	`+ enable_shielded_nodes = true`
`124`	`125`
`125`	`126`	`# We can't create a cluster with no node pool defined, but we want to only use`
`126`	`127`	`# separately managed node pools. So we create the smallest possible default`
`@@ -200,6 +201,11 @@ resource "google_container_node_pool" "vdc_preemptible_pool" {`
`200`	`201`	`metadata = {`
`201`	`202`	`disable-legacy-endpoints = "true"`
`202`	`203`	`}`
	`204`	`+`
	`205`	`+ shielded_instance_config {`
	`206`	`+ enable_integrity_monitoring = true`
	`207`	`+ enable_secure_boot = true`
	`208`	`+ }`
`203`	`209`	`}`
`204`	`210`	`}`
`205`	`211`
`@@ -228,6 +234,11 @@ resource "google_container_node_pool" "vdc_nonpreemptible_pool" {`
`228`	`234`	`metadata = {`
`229`	`235`	`disable-legacy-endpoints = "true"`
`230`	`236`	`}`
	`237`	`+`
	`238`	`+ shielded_instance_config {`
	`239`	`+ enable_integrity_monitoring = true`
	`240`	`+ enable_secure_boot = true`
	`241`	`+ }`
`231`	`242`	`}`
`232`	`243`	`}`
`233`	`244`