From 1614ac051f06d642e879b478b64da96c1be6726a Mon Sep 17 00:00:00 2001
From: Niels Hofmans
Date: Fri, 24 Jun 2022 09:44:48 +0200
Subject: [PATCH] fix: disable confidential nodes
---
 google/gke/gke.tf | 11 ++++++++---
 google/gke/kms.tf | 4 ++--
 providers.tf | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/google/gke/gke.tf b/google/gke/gke.tf
index 239ec4d..726fa37 100644
--- a/google/gke/gke.tf
+++ b/google/gke/gke.tf
@@ -11,7 +11,7 @@ resource "google_container_cluster" "gke_cluster" {
 ]
 project = var.project_id
- name = var.cluster_name
+ name = "${var.cluster_name}-cluster"
 location = var.cluster_location
 resource_labels = {
@@ -55,8 +55,9 @@ resource "google_container_cluster" "gke_cluster" {
 }
 # use confidential nodes which have memory encryption
+ # disabled since it requires the N2D machine type
 confidential_nodes {
- enabled = true
+ enabled = false
 }
 node_config {
@@ -138,7 +139,11 @@ resource "google_container_cluster" "gke_cluster" {
 # use stackdriver GKE native system monitoring for everything
 monitoring_config {
- enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
+ enable_components = ["SYSTEM_COMPONENTS"]
+ managed_prometheus {
+ enabled = true
+ }
 }
 # kubernetes addons
diff --git a/google/gke/kms.tf b/google/gke/kms.tf
index b4e8d3e..209c55f 100644
--- a/google/gke/kms.tf
+++ b/google/gke/kms.tf
@@ -1,11 +1,11 @@
 resource "google_kms_key_ring" "k8s_key_ring" {
 project = var.project_id
- name = "gke-etcd-keyring-gke-${var.cluster_name}"
+ name = "gke-api-keyring-gke-${var.cluster_name}"
 location = var.cluster_region
 }
 resource "google_kms_crypto_key" "k8s_etcd_kms_key" {
- name = "gke-etcd-enc-key-gke-${var.cluster_name}"
+ name = "gke-api-enc-key-gke-${var.cluster_name}"
 key_ring = google_kms_key_ring.k8s_key_ring.id
 rotation_period = "100000s"
 }
\ No newline at end of file
diff --git a/providers.tf b/providers.tf
index 2adcdb9..d000790 100644
--- a/providers.tf
+++ b/providers.tf
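Review bot: Changing `name` from `var.cluster_name` to `"${var.cluster_name}-cluster"` on `google_container_cluster.gke_cluster` is not a cosmetic rename: on the google provider the cluster name is a force-new attribute, so the next apply should plan a destroy-and-recreate of the whole cluster, with every workload, node pool and in-cluster secret going with it. Nothing in the commit title ("disable confidential nodes") or the hunk warns about that, so please confirm the plan output shows the replacement and that this is intended, or move the suffix into the variable's value instead. A one-line comment next to the attribute would save the next maintainer the same surprise, e.g. `# NOTE: changing name forces cluster replacement`. The enclosing resource block starts and ends outside this hunk.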
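Review bot: Setting `confidential_nodes { enabled = false }` drops memory encryption for every node in the cluster to work around a machine-type constraint, when the constraint itself is fixable: the `node_config` block that starts on the last line of this hunk (its body is outside the hunk) could simply use an N2D type, e.g. `machine_type = "n2d-standard-4"`, and keep confidential nodes on. If the cluster is being replaced anyway (the name change earlier in this patch forces that, as far as I can tell), this is the cheapest moment to make that choice, since the cluster-level confidential setting is, to my knowledge, only selectable at creation time. If it really has to stay off, the two comment lines now contradict each other (`# use confidential nodes which have memory encryption` directly above `# disabled since ...`); replace both with one honest line such as `# Confidential GKE Nodes (memory encryption) are DISABLED: they require an N2D machine_type in node_config; re-enable when the node pool moves to n2d-*` so the downgrade is visible to anyone auditing the cluster config.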
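Review bot: The context comment `# use stackdriver GKE native system monitoring for everything` no longer describes the new `monitoring_config`, which drops `WORKLOADS` from `enable_components` and moves workload metrics to `managed_prometheus { enabled = true }`, presumably because the WORKLOADS component was deprecated in favor of Managed Service for Prometheus. Please update the comment to say what is now collected and where, e.g. `# system-component metrics via Cloud Monitoring; workload metrics via Managed Service for Prometheus (WORKLOADS component removed)`, and confirm that any alerting or detection rules that read the old workload metrics have been ported, since those will silently stop firing once the component is gone. The enclosing resource block starts and ends outside this hunk.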
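Review bot: Renaming both `google_kms_key_ring.k8s_key_ring` and `google_kms_crypto_key.k8s_etcd_kms_key` from `gke-etcd-*` to `gke-api-*` changes a force-new attribute on each, so Terraform will create a fresh key ring and key and destroy the old crypto key from state; Cloud KMS key rings cannot be deleted, and per the provider docs destroying a managed crypto key deletes its key versions, which makes anything still encrypted under the old key unrecoverable. If this key backs the cluster's `database_encryption` (the resource is still called `k8s_etcd_kms_key`, which suggests so, but the reference is not visible here), the cluster must be re-encrypted to the new key before the old one is destroyed, and the rename deserves a mention in the commit message rather than hiding under "disable confidential nodes". I would also add `lifecycle { prevent_destroy = true }` to the crypto key resource so a future rename cannot silently destroy key material, and either keep the `etcd` wording or rename the resource label to match the new `api` naming so the two stop disagreeing. This hunk covers the whole file.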
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= v1.1.4"
+ required_version = ">= v1.2.3"
 backend "gcs" {
 bucket = "ironsecurity-terraform-state"