Confidential compute for workbench instances (#13311)

Author: bcreddy-gcp

mmv1/products/workbench/Instance.yaml

@@ -105,6 +105,12 @@ examples:
       - 'gce_setup.0.vm_image'
       - 'gce_setup.0.boot_disk.0.disk_type'
       - 'gce_setup.0.data_disks.0.disk_type'
+  - name: 'workbench_instance_confidential_compute'
+    primary_resource_id: 'instance'
+    primary_resource_name: 'fmt.Sprintf("tf-test-workbench-instance%s", context["random_suffix"])'
+    region_override: 'us-west1-a'
+    vars:
+      instance_name: 'workbench-instance'
 virtual_fields:
   - name: 'desired_state'
     description: |
@@ -441,6 +447,18 @@ properties:
           Optional. Flag to enable ip forwarding or not, default false/off.
           https://cloud.google.com/vpc/docs/using-routes#canipforward
         immutable: true
+      - name: 'confidentialInstanceConfig'
+        type: NestedObject
+        immutable: true
+        description: |
+          Confidential instance configuration.
+        properties:
+          - name: 'confidentialInstanceType'
+            type: Enum
+            description: |
+              Defines the type of technology used by the confidential instance.
+            enum_values:
+              - 'SEV'
   - name: 'proxyUri'
     type: String
     description: |

mmv1/templates/terraform/examples/workbench_instance_confidential_compute.tf.tmpl

@@ -0,0 +1,23 @@
+resource "google_workbench_instance" "{{$.PrimaryResourceId}}" {
+  name = "{{index $.Vars "instance_name"}}"
+  location = "us-central1-a"
+
+  gce_setup {
+    machine_type = "n2d-standard-2" // cant be e2 because of accelerator
+
+    shielded_instance_config {
+      enable_secure_boot = true
+      enable_vtpm = true
+      enable_integrity_monitoring = true
+    }
+
+    metadata = {
+      terraform = "true"
+    }
+
+    confidential_instance_config {
+      confidential_instance_type = "SEV"
+    }
+
+  }
+}