Google Compute Engine Instance From Template

This page shows how to write Terraform for Compute Engine Instance From Template and write them securely.

google_compute_instance_from_template (Terraform)

The Instance From Template in Compute Engine can be configured in Terraform with the resource name google_compute_instance_from_template. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

builder_vms.tf#L1
resource "google_compute_instance_from_template" "linux_static_build_agent" {

    for_each = var.static_agents.linux

    name = each.key

main.tf#L41
resource "google_compute_instance_from_template" "lfclass_master" {
  name                     = "lfclass-master"
  source_instance_template = google_compute_instance_template.lfclass_template.id

  metadata_startup_script = data.template_file.master_init_script.rendered

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

If true, allows Terraform to stop the instance to update its properties. If you try to update a property that requires stopping the instance without setting this field, the update will fail.

List of disks attached to the instance

Whether sending and receiving of packets with non-matching source or destination IPs is allowed.

The CPU platform used by this instance.

Current status of the instance.

Whether deletion protection is enabled on this instance.

A brief description of the resource.

Desired status of the instance. Either "RUNNING" or "TERMINATED".

Whether the instance has virtual displays enabled.

List of the type and count of accelerator cards attached to the instance.

A custom hostname for the instance. Must be a fully qualified DNS name and RFC-1035-valid. Valid format is a series of labels 1-63 characters long matching the regular expression a-z, concatenated with periods. The entire hostname must not exceed 253 characters. Changing this forces a new resource to be created.

The server-assigned unique identifier of this instance.

The unique fingerprint of the labels.

  • labels optional computed - map from string to string

A set of key/value label pairs assigned to the instance.

The machine type to create.

  • metadata optional computed - map from string to string

Metadata key/value pairs made available within the instance.

The unique fingerprint of the metadata.

Metadata startup scripts made available within the instance.

The minimum CPU platform specified for the VM instance.

The name of the instance. One of name or self_link must be provided.

The ID of the project in which the resource belongs. If self_link is provided, this value is ignored. If neither self_link nor project are provided, the provider project is used.

A list of short names or self_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.

The scratch disks attached to the instance.

The URI of the created resource.

The service account to attach to the instance.

Name or self link of an instance template to create the instance based on.

  • tags optional computed - set of string

The list of tags attached to the instance.

The unique fingerprint of the tags.

  • zone optional computed - string

The zone of the instance. If self_link is provided, this value is ignored. If neither self_link nor zone are provided, the provider zone is used.

  • boot_disk list block

    Whether the disk will be auto-deleted when the instance is deleted.

    Name with which attached disk will be accessible under /dev/disk/by-id/

    A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.

    The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    • mode optional computed - string

    Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".

    • source optional computed - string

    The name or self_link of the disk attached to this instance.

    • initialize_params list block
      • image optional computed - string

      The image from which this disk was initialised.

      • labels optional computed - map from string to string

      A set of key/value label pairs assigned to the disk.

      • size optional computed - number

      The size of the image in gigabytes.

      • type optional computed - string

      The Google Compute Engine disk type. One of pd-standard, pd-ssd or pd-balanced.

  • confidential_instance_config list block

    Defines whether the instance should have confidential compute enabled.

  • network_interface list block

    Access configurations, i.e. IPs via which this instance can be accessed via the Internet.

    An array of alias IP ranges for this network interface.

    The name of the interface

    The name or self_link of the network attached to this interface.

    The private IP address assigned to the instance.

    The type of vNIC to be used on this interface. Possible values:GVNIC, VIRTIO_NET

    The name or self_link of the subnetwork attached to this interface.

    The project in which the subnetwork belongs.

  • scheduling list block

    Specifies if the instance should be restarted if it was terminated by Compute Engine (not a user).

    Describes maintenance behavior for the instance. One of MIGRATE or TERMINATE,

    Whether the instance is preemptible.

  • shielded_instance_config list block

    Whether integrity monitoring is enabled for the instance.

    Whether secure boot is enabled for the instance.

    Whether the instance uses vTPM.

  • timeouts single block

Explanation in Terraform Registry

Manages a VM instance resource within GCE. For more information see the official documentation and API. This resource is specifically to create a compute instance from a given source_instance_template. To create an instance without a template, use the google_compute_instance resource.

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

risk-label

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

risk-label

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

risk-label

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

risk-label

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

risk-label

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.

Review your Google Compute Engine settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Frequently asked questions

What is Google Compute Engine Instance From Template?

Google Compute Engine Instance From Template is a resource for Compute Engine of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Compute Engine Instance From Template?

For Terraform, the Kalmalyzer/UE-Jenkins-BuildSystem and Brunomachadob/lfs258 source code examples are useful. See the Terraform Example section for further details.