Fr0ntierX/terraform-google-polaris

Polaris Terraform Module

Overview

The Polaris Terraform Module provisions a secure VM in Google Cloud with Confidential Computing enabled. It deploys two Docker containers:

  • Polaris Proxy: Exposes a secure service with configurable encryption, CORS, and logging.
  • Client Workload: Runs your custom workload.

Optional integration with Cloud KMS enables enhanced security through asymmetric decryption backed by HSM, alongside workload identity federation.

For more detailed information about Polaris, please visit the Polaris documentation.

Requirements

| Requirement | Details |
|---|---|
| Terraform | >= 1.9.8 |
| Google Provider | >= 6.10.0 |
| GCP Project | Billing enabled with necessary IAM permissions |

Key Differences Between Polaris and Polaris Pro

  • Polaris: Standard secure VM with Docker containers.
  • Polaris Pro: In addition to the standard setup, it enables Cloud KMS integration, providing enhanced security via HSM-backed asymmetric decryption and workload identity federation, which may incur additional costs.

Pricing Considerations

Be aware that deploying Polaris Pro (with enable_kms = true) may incur additional costs compared to the standard Polaris deployment. The Polaris Pro mode leverages Cloud KMS and workload identity federation, which have their own pricing. Please refer to the relevant GCP pricing documentation for Cloud KMS, identity federation, and confidential computing features for detailed cost estimates.

Variables

Project Configuration

| Name | Type | Description | Default |
|---|---|---|---|
| project_id | string | Project ID for provisioning resources | N/A |
| name | string | Name | N/A |
| region | string | Region for resource deployment | N/A |
| zone | string | Zone where the instance will be deployed | us-central1-a |

VM Configuration

| Name | Type | Description | Default |
|---|---|---|---|
| machine_type | string | VM machine type | n2d-standard-2 |
| boot_disk_type | string | Type of boot disk for the VM | pd-ssd |
| boot_disk_size | number | Boot disk size in GB | 10 |
| service_account | string | Service Account used by the Compute Instance | "" |

Network Configuration

| Name | Type | Description | Default |
|---|---|---|---|
| networks | list(string) | Networks where the VM will be created | ["default"] |
| sub_networks | list(string) | Subnets for VM deployment | ["default"] |
| external_ips | list(string) | External IP configuration for the VM | ["EPHEMERAL"] |
| polaris_proxy_source_ranges | string | Comma-separated list of source IP ranges allowed to access the proxy | "" |

Security & Encryption

| Name | Type | Description | Default |
|---|---|---|---|
| enable_kms | bool | Enable Cloud KMS integration for Polaris Proxy | false |

Polaris Proxy Configuration

| Name | Type | Description | Default |
|---|---|---|---|
| polaris_proxy_port | string | Port exposed by the Polaris Proxy | "3000" |
| polaris_proxy_enable_input_encryption | bool | Enable input encryption on the proxy container | false |
| polaris_proxy_enable_output_encryption | bool | Enable output encryption on the proxy container | false |
| polaris_proxy_enable_cors | bool | Enable CORS support for Polaris Proxy | false |
| polaris_proxy_enable_logging | bool | Enable logging in the Polaris Proxy | true |
| polaris_proxy_image_version | string | Image version tag of the Polaris Proxy | "latest" |

Workload Configuration

| Name | Type | Description | Default |
|---|---|---|---|
| workload_port | string | Port on which the workload container runs | "8000" |
| workload_image | string | Docker image URL for the client workload container | N/A |
| workload_entrypoint | string | Entrypoint command for the workload container | "" |
| workload_arguments | list(string) | Arguments to pass to the workload container | [] |
| workload_env_vars | string | JSON-formatted environment variables for the workload container | "" |
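Two of the inputs above are typed as plain strings even though they carry structured data: polaris_proxy_source_ranges (Network Configuration) is a comma-separated list of CIDRs, and workload_env_vars is a JSON document. The fragment below is an added example, not code from the module, showing how a caller can keep both as structured Terraform values and let a validation block reject an empty or Internet-wide allow-list before the firewall rule is ever created. The variable names allowed_client_cidrs and workload_env, the module label polaris, the TEST-NET addresses and the environment variable names are all constructed for the example; it also assumes the proxy accepts workload_env_vars as a JSON object of name/value pairs, which the table does not spell out.

```hcl
# Added example: feed the module's string-typed inputs from structured values.
# allowed_client_cidrs and workload_env are caller-side variables, not module inputs.

variable "allowed_client_cidrs" {
  description = "CIDR ranges permitted to reach the Polaris Proxy"
  type        = list(string)
  # Constructed sample values from the RFC 5737 documentation ranges.
  default = ["203.0.113.0/24", "198.51.100.7/32"]

  validation {
    condition     = length(var.allowed_client_cidrs) > 0
    error_message = "List at least one source range so the proxy allow-list is explicit."
  }

  validation {
    condition     = !contains(var.allowed_client_cidrs, "0.0.0.0/0")
    error_message = "0.0.0.0/0 would open the proxy to the whole Internet; list client ranges explicitly."
  }

  validation {
    # cidrhost() fails on anything that is not a well-formed prefix, e.g. a bare address.
    condition     = alltrue([for c in var.allowed_client_cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry must be a valid CIDR prefix such as 203.0.113.0/24."
  }
}

variable "workload_env" {
  description = "Environment for the workload container, kept as a map instead of a hand-written JSON string"
  type        = map(string)
  # Constructed sample values; the workload image defines which names it reads.
  default = {
    LOG_LEVEL   = "info"
    LISTEN_PORT = "8000"
  }
}

module "polaris" {
  source = "Fr0ntierX/polaris/google"

  project_id = "my-project"
  name       = "polaris-instance"
  region     = "us-central1"
  zone       = "us-central1-a"

  workload_image    = "fr0ntierx/anonymization-service"
  workload_port     = "8000"
  workload_env_vars = jsonencode(var.workload_env) # module expects a JSON string

  # The module wants one comma-separated string; join() keeps the source of truth a list.
  polaris_proxy_source_ranges = join(",", var.allowed_client_cidrs)
  polaris_proxy_port          = "3000"
}
```

Because the checks live in validation blocks, terraform plan fails with the stated message instead of provisioning a firewall rule with an unintended source range, and the list form makes code review of allowed client networks a one-line diff.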

Module Modes

The module offers two modes depending on the value of enable_kms:

| Feature | Polaris (enable_kms = false) | Polaris Pro (enable_kms = true) |
|---|---|---|
| VM Deployment | Standard secure VM with Docker containers | Secure VM with additional KMS and workload identity support |
| Container | Polaris Proxy | Polaris Proxy configured for secure key management |
| KMS Integration | Not enabled | Cloud KMS key ring and crypto key are provisioned |
| Identity Federation | N/A | Workload Identity Pool and Provider configuration |

Outputs

| Output Name | Description |
|---|---|
| instance_self_link | Self-link URL for the Compute Instance. |
| instance_zone | Zone where the instance is deployed. |
| instance_machine_type | Type of the deployed Compute Instance. |
| instance_nat_ip | External IP assigned to the instance. |
| instance_network | Primary network associated with the instance. |

Architecture

The module provisions the following resources:

  • Compute Instance: A secure VM with Confidential Computing (AMD SEV and shielded instance configurations).
  • Docker Containers: Bootstrapped via cloud-init metadata:
    • Polaris Proxy Container: Securely exposed with configurable networking and encryption settings.
    • Client Workload Container: Runs your application code.
  • Firewall Rules: Restrict access to the proxy based on allowed source ranges.
  • Optional Cloud KMS Setup: When enabled, creates a Key Ring, Crypto Key (HSM-backed), and configures Workload Identity Federation for secure key management.

Detailed Configuration & Examples

Confidential Computing

  • Shielded Instance Config: Secure boot, virtual TPM, and integrity monitoring are enabled.
  • Confidential Instance Config: Utilizes AMD SEV for memory encryption.

Docker & Metadata Setup

  • Cloud-Init Script: Configures the local Docker network, pulls images, and starts the Polaris Proxy and Workload containers.
  • TPM Token Setup: When KMS is active, additional steps are executed to obtain TPM tokens for attestation.

KMS and Workload Identity (Optional)

When enable_kms is true:

  • Provisions Cloud KMS Key Ring and Crypto Key with ASYMMETRIC_DECRYPT purpose.
  • Creates a Workload Identity Pool and Provider that grant federated identities secure access to the key.

Usage Example

Below is a sample configuration:

```hcl
module "polaris-terraform-module" {
  source = "Fr0ntierX/polaris/google"

  # Basic Configuration
  project_id = "my-project"
  name       = "polaris-instance"
  region     = "us-central1"
  zone       = "us-central1-a"

  # VM Configuration
  machine_type    = "n2d-standard-2"
  service_account = "<service-account-email>" # service account the Compute Instance runs as

  # Workload Configuration
  workload_image = "fr0ntierx/anonymization-service"

  # Polaris Proxy Configuration
  polaris_proxy_port                     = "3000"
  polaris_proxy_enable_input_encryption  = true
  polaris_proxy_enable_output_encryption = true
  polaris_proxy_enable_cors              = true

  enable_kms = true # Switches between Polaris (false) and Polaris Pro (true)
}
```

Further Documentation

For additional customizations and advanced usage, refer to:
