Execution fails when shielded VMs org policy is enforced #1834

Open
peterschen opened this issue Jan 20, 2022 · 3 comments

@peterschen
Contributor

When the constraints/compute.requireShieldedVm organization policy is enforced, the execution fails as the helper VMs that are created by daisy do not enable secure boot and there is no flag to enable it.

@peterschen
Contributor Author

peterschen commented Jan 20, 2022

Only external IP address constraints are handled by daisy:

[windows-2019-dc-uefi-byol]: 2022-01-18T17:44:19+01:00 Error running workflow: step "windows-build" run error: step "run-bootstrap" run error: googleapi: Error 412: Constraint constraints/compute.vmExternalIpAccess violated for project [REDACTED]. Add instance projects/[REDACTED]/zones/europe-west4-b/instances/bootstrap-windows-2019-dc-uefi-byol-windows-build-n1jlb to the constraint to use external IP with it.
More details:
Reason: conditionNotMet, Message: Constraint constraints/compute.vmExternalIpAccess violated for project [REDACTED]. Add instance projects/[REDACTED]/zones/europe-west4-b/instances/bootstrap-windows-2019-dc-uefi-byol-windows-build-n1jlb to the constraint to use external IP with it.
Reason: conditionNotMet, Message: Constraint constraints/compute.requireShieldedVm violated for project projects/[REDACTED]. Secure Boot is not enabled in the 'shielded_instance_config' field. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information.

[windows-2019-dc-uefi-byol]: 2022-01-18T17:44:19+01:00 Workflow "windows-2019-dc-uefi-byol" cleaning up (this may take up to 2 minutes).
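
Added example (not part of the original issue and not compute-image-tools code): in the output above, the headline error names only constraints/compute.vmExternalIpAccess, while constraints/compute.requireShieldedVm appears only under "More details:". The Python below collects every violated constraint from such output so a build pipeline can report all blocking org policies at once; the function names and the shortened sample log are assumptions made for illustration.

```python
import re

# Constructed sample: same shape as the output in this issue, shortened.
SAMPLE_LOG = """\
[wf]: 2022-01-18T17:44:19+01:00 Error running workflow: step "run-bootstrap" run error: googleapi: Error 412: Constraint constraints/compute.vmExternalIpAccess violated for project [REDACTED]. Add instance projects/[REDACTED]/zones/europe-west4-b/instances/bootstrap-example to the constraint to use external IP with it.
More details:
Reason: conditionNotMet, Message: Constraint constraints/compute.vmExternalIpAccess violated for project [REDACTED]. Add instance projects/[REDACTED]/zones/europe-west4-b/instances/bootstrap-example to the constraint to use external IP with it.
Reason: conditionNotMet, Message: Constraint constraints/compute.requireShieldedVm violated for project projects/[REDACTED]. Secure Boot is not enabled in the 'shielded_instance_config' field.
"""

# Matches the constraint name in both the headline and the detail lines.
CONSTRAINT_RE = re.compile(r"Constraint (constraints/[A-Za-z0-9_.]+) violated")
# Matches one entry of the "More details:" list.
DETAIL_RE = re.compile(r"^Reason: (?P<reason>\w+), Message: (?P<message>.*)$")


def violated_constraints(log_text):
    """Return {constraint: {"reason", "message", "in_headline"}} in first-seen order."""
    found = {}
    for line in log_text.splitlines():
        detail = DETAIL_RE.match(line.strip())
        text = detail.group("message") if detail else line
        for name in CONSTRAINT_RE.findall(text):
            entry = found.setdefault(
                name, {"reason": None, "message": None, "in_headline": False})
            if detail:
                entry["reason"] = detail.group("reason")
                entry["message"] = detail.group("message")
            else:
                entry["in_headline"] = True
    return found


def detail_only(log_text):
    """Constraints listed under 'More details:' but absent from the headline error."""
    found = violated_constraints(log_text)
    return [name for name, entry in found.items() if not entry["in_headline"]]


if __name__ == "__main__":
    for name, entry in violated_constraints(SAMPLE_LOG).items():
        where = "headline" if entry["in_headline"] else "details only"
        print(f"{name} ({where}): {entry['message']}")
```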

@zoran15
Contributor

zoran15 commented Jan 21, 2022

Hi Peter,
Thanks for the report.

Can you please include steps to reproduce this issue? compute-image-tools project contains many different tools so we need to know which tool failed and what were the flags/configuration for it.

@peterschen
Contributor Author

@zoran15 Sorry for the late reply. I'm building a Windows BYOL base image using this guide. The project I've been using for the build has organization policies set that enforce no external IPs and Shielded VMs.

@peterschen peterschen removed their assignment May 5, 2022