The Polaris Terraform Module provisions a secure VM in Google Cloud with Confidential Computing enabled. It deploys two Docker containers:
- Polaris Proxy: Exposes a secure service with configurable encryption, CORS, and logging.
- Client Workload: Runs your custom workload.
Optional integration with Cloud KMS enables enhanced security through asymmetric decryption backed by HSM, alongside workload identity federation.
For more detailed information about Polaris, please visit the Polaris documentation.
Requirement | Details |
---|---|
Terraform | >= 1.9.8 |
Google Provider | >= 6.10.0 |
GCP Project | Billing enabled with necessary IAM permissions |
- Polaris: Standard secure VM with Docker containers.
- Polaris Pro: In addition to the standard setup, it enables Cloud KMS integration, providing enhanced security via HSM-backed asymmetric decryption and workload identity federation, which may incur additional costs.
Be aware that deploying Polaris Pro (with `enable_kms = true`) may incur additional costs compared to the standard Polaris deployment. The Polaris Pro mode uses Cloud KMS and workload identity federation, which have their own pricing. Refer to the GCP pricing documentation for Cloud KMS, identity federation and Confidential VMs for detailed cost estimates.
Name | Type | Description | Default |
---|---|---|---|
project_id | string | Project ID for provisioning resources | N/A |
name | string | Name of the Compute Instance | N/A |
region | string | Region for resource deployment | N/A |
zone | string | Zone where the instance will be deployed | us-central1-a |
Name | Type | Description | Default |
---|---|---|---|
machine_type | string | VM machine type | n2d-standard-2 |
boot_disk_type | string | Type of boot disk for the VM | pd-ssd |
boot_disk_size | number | Boot disk size in GB | 10 |
service_account | string | Service Account used by the Compute Instance | "" |
Name | Type | Description | Default |
---|---|---|---|
networks | list(string) | Networks where the VM will be created | ["default"] |
sub_networks | list(string) | Subnets for VM deployment | ["default"] |
external_ips | list(string) | External IP configuration for the VM | ["EPHEMERAL"] |
polaris_proxy_source_ranges | string | Comma-separated list of source IP ranges allowed to access the proxy | "" |
Name | Type | Description | Default |
---|---|---|---|
enable_kms | bool | Enable Cloud KMS integration for Polaris Proxy | false |
Name | Type | Description | Default |
---|---|---|---|
polaris_proxy_port | string | Port exposed by the Polaris Proxy | "3000" |
polaris_proxy_enable_input_encryption | bool | Enable input encryption on the proxy container | false |
polaris_proxy_enable_output_encryption | bool | Enable output encryption on the proxy container | false |
polaris_proxy_enable_cors | bool | Enable CORS support for Polaris Proxy | false |
polaris_proxy_enable_logging | bool | Enable logging in the Polaris Proxy | true |
polaris_proxy_image_version | string | Image version tag of the Polaris Proxy; pin a specific version rather than relying on `latest` | "latest" |
Name | Type | Description | Default |
---|---|---|---|
workload_port | string | Port on which the workload container runs | "8000" |
workload_image | string | Docker image URL for the client workload container | N/A |
workload_entrypoint | string | Entrypoint command for the workload container | "" |
workload_arguments | list(string) | Arguments to pass to the workload container | [] |
workload_env_vars | string | JSON-formatted environment variables for the workload container | "" |
The module offers two modes depending on the value of `enable_kms`:
Feature | Polaris (enable_kms = false) | Polaris Pro (enable_kms = true) |
---|---|---|
VM Deployment | Standard secure VM with Docker containers | Secure VM with additional KMS and workload identity support |
Container | Polaris Proxy | Polaris Proxy configured for secure key management |
KMS Integration | Not enabled | Cloud KMS key ring and crypto key are provisioned |
Identity Federation | N/A | Workload Identity Pool and Provider configuration |
Output Name | Description |
---|---|
instance_self_link | Self-link URL for the Compute Instance. |
instance_zone | Zone where the instance is deployed. |
instance_machine_type | Type of the deployed Compute Instance. |
instance_nat_ip | External IP assigned to the instance. |
instance_network | Primary network associated with the instance. |
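As an added example (not part of the module's own documentation or code), the following root configuration wires the variables and outputs listed above into a hardened Polaris Pro deployment: the proxy is reachable only from an explicit allow-list, both container images are pinned to a tag instead of `latest`, the workload's environment is passed as JSON via `jsonencode`, and the module outputs are surfaced for the caller. The service account name, the image tags, the entrypoint and the environment variable names are assumptions for illustration; only the module's documented variables and outputs are used.

```hcl
terraform {
  required_version = ">= 1.9.8"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 6.10.0"
    }
  }
}

module "polaris" {
  source = "Fr0ntierX/polaris/google"

  project_id = "my-project"
  name       = "polaris-pro"
  region     = "us-central1"
  zone       = "us-central1-a"

  # Dedicated service account for the VM (hypothetical name); avoid the
  # project default account, which usually carries broad roles
  service_account = "polaris-vm@my-project.iam.gserviceaccount.com"

  # Explicit allow-list of client ranges for the proxy firewall rule
  # (RFC 5737 documentation ranges stand in for real client networks)
  networks                    = ["default"]
  sub_networks                = ["default"]
  external_ips                = ["EPHEMERAL"]
  polaris_proxy_source_ranges = "203.0.113.0/24,198.51.100.10/32"

  # Proxy settings: pinned image tag (hypothetical), encryption on both
  # directions, CORS off unless a browser client actually needs it
  polaris_proxy_port                     = "3000"
  polaris_proxy_image_version            = "1.4.2"
  polaris_proxy_enable_input_encryption  = true
  polaris_proxy_enable_output_encryption = true
  polaris_proxy_enable_cors              = false
  polaris_proxy_enable_logging           = true

  # Workload container, pinned to a tag (hypothetical); entrypoint,
  # arguments and environment are passed straight through to the container
  workload_image      = "fr0ntierx/anonymization-service:1.0.0"
  workload_port       = "8000"
  workload_entrypoint = "/app/server"
  workload_arguments  = ["--listen", "0.0.0.0:8000"]
  workload_env_vars = jsonencode({
    LOG_LEVEL = "info"
    MODE      = "confidential"
  })

  # Polaris Pro: HSM-backed asymmetric decryption plus workload identity federation
  enable_kms = true
}

# Module outputs consumed by the caller
output "polaris_proxy_address" {
  description = "host:port clients use to reach the Polaris Proxy"
  value       = "${module.polaris.instance_nat_ip}:3000"
}

output "polaris_instance" {
  value = module.polaris.instance_self_link
}
```

Keep `polaris_proxy_source_ranges` as narrow as the client population allows; because the proxy is bound to an external IP, this string is the only network-layer control on who can reach it.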
The module provisions the following resources:
- Compute Instance: A Confidential VM (AMD SEV memory encryption) with Shielded VM options enabled.
- Docker Containers: Bootstrapped via cloud-init metadata:
  - Polaris Proxy Container: Securely exposed with configurable networking and encryption settings.
  - Client Workload Container: Runs your application code.
- Firewall Rules: Restrict access to the proxy based on allowed source ranges.
- Optional Cloud KMS Setup: When enabled, creates a Key Ring, Crypto Key (HSM-backed), and configures Workload Identity Federation for secure key management.
- Shielded Instance Config: Secure boot, virtual TPM, and integrity monitoring are enabled.
- Confidential Instance Config: Utilizes AMD SEV for memory encryption.
- Cloud-Init Script: Configures the local Docker network, pulls images, and starts the Polaris Proxy and Workload containers.
- TPM Token Setup: When KMS is active, additional cloud-init steps obtain TPM-backed attestation tokens used for the federated identity exchange.
When `enable_kms` is true:
- Provisions a Cloud KMS Key Ring and Crypto Key with the `ASYMMETRIC_DECRYPT` purpose.
- Creates a Workload Identity Pool and Provider so that federated identities can access the key securely.
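For readers who want to see what an HSM-backed `ASYMMETRIC_DECRYPT` key looks like in the Google provider, here is an added illustration (not the module's own resources): a key ring, a crypto key whose private half never leaves the HSM, a least-privilege IAM grant, and the public key exported so that clients can encrypt inputs. Resource names, the service account and the location are assumptions; the workload identity pool and provider are omitted because their issuer and attribute mapping depend on the attestation token format, which this page does not detail.

```hcl
resource "google_kms_key_ring" "polaris" {
  name     = "polaris-keyring" # hypothetical name
  location = "us-central1"
}

# ASYMMETRIC_DECRYPT keys are RSA-OAEP; protection_level = "HSM" keeps the
# private key inside Cloud HSM so decryption can only happen via the KMS API
resource "google_kms_crypto_key" "polaris_decrypt" {
  name     = "polaris-decrypt" # hypothetical name
  key_ring = google_kms_key_ring.polaris.id
  purpose  = "ASYMMETRIC_DECRYPT"

  version_template {
    algorithm        = "RSA_DECRYPT_OAEP_3072_SHA256"
    protection_level = "HSM"
  }
}

# Least privilege: only the VM's service account, and only the decrypter
# role (no key admin or encrypt/decrypt on other keys). Account name assumed.
resource "google_kms_crypto_key_iam_member" "polaris_decrypter" {
  crypto_key_id = google_kms_crypto_key.polaris_decrypt.id
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:polaris-vm@my-project.iam.gserviceaccount.com"
}

# Clients need only the public half to encrypt data for the proxy
data "google_kms_crypto_key_version" "polaris_pub" {
  crypto_key = google_kms_crypto_key.polaris_decrypt.id
}

output "polaris_public_key_pem" {
  value = data.google_kms_crypto_key_version.polaris_pub.public_key[0].pem
}
```

Check the result after apply with `gcloud kms keys versions describe 1 --key polaris-decrypt --keyring polaris-keyring --location us-central1`: `protectionLevel` must read `HSM` and `algorithm` must match the template, otherwise the "HSM-backed" property the module advertises is not actually in effect.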
Below is a sample configuration:

```hcl
module "polaris-terraform-module" {
  source = "Fr0ntierX/polaris/google"
  # Pin the module to a released version with a version constraint before production use

  # Basic Configuration
  project_id = "my-project"
  name       = "polaris-instance"
  region     = "us-central1"
  zone       = "us-central1-a"

  # VM Configuration
  machine_type    = "n2d-standard-2"
  service_account = "[email protected]"

  # Workload Configuration (pin the image to a tag or digest rather than the floating default)
  workload_image = "fr0ntierx/anonymization-service"

  # Polaris Proxy Configuration
  polaris_proxy_port                     = "3000"
  polaris_proxy_enable_input_encryption  = true
  polaris_proxy_enable_output_encryption = true
  polaris_proxy_enable_cors              = true

  enable_kms = true # Switches between Polaris (false) and Polaris Pro (true)
}
```
For additional customizations and advanced usage, refer to: