Google Compute Engine Instance From Template

google_compute_instance_from_template (Terraform)

The Instance From Template in Compute Engine can be configured in Terraform with the resource name google_compute_instance_from_template. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

Kalmalyzer/UE-Jenkins-BuildSystem

resource "google_compute_instance_from_template" "linux_static_build_agent" {

    for_each = var.static_agents.linux

    name = each.key

Brunomachadob/lfs258

resource "google_compute_instance_from_template" "lfclass_master" {
  name                     = "lfclass-master"
  source_instance_template = google_compute_instance_template.lfclass_template.id

  metadata_startup_script = data.template_file.master_init_script.rendered

Parameters

• allow_stopping_for_update optional computed - bool

If true, allows Terraform to stop the instance to update its properties. If you try to update a property that requires stopping the instance without setting this field, the update will fail.

• attached_disk optional computed - list of object

List of disks attached to the instance

• device_name - string
• disk_encryption_key_raw - string
• disk_encryption_key_sha256 - string
• kms_key_self_link - string
• mode - string
• source - string
• can_ip_forward optional computed - bool

Whether sending and receiving of packets with non-matching source or destination IPs is allowed.

• cpu_platform optional computed - string

The CPU platform used by this instance.

• current_status optional computed - string

Current status of the instance.

• deletion_protection optional computed - bool

Whether deletion protection is enabled on this instance.

• description optional computed - string

A brief description of the resource.

• desired_status optional computed - string

Desired status of the instance. Either "RUNNING" or "TERMINATED".

• enable_display optional computed - bool

Whether the instance has virtual displays enabled.

• guest_accelerator optional computed - list of object

List of the type and count of accelerator cards attached to the instance.

• count - number
• type - string
• hostname optional computed - string

A custom hostname for the instance. Must be a fully qualified DNS name and RFC-1035-valid. Valid format is a series of labels 1-63 characters long matching the regular expression a-z, concatenated with periods. The entire hostname must not exceed 253 characters. Changing this forces a new resource to be created.

• id optional computed - string
• instance_id optional computed - string

The server-assigned unique identifier of this instance.

• label_fingerprint optional computed - string

The unique fingerprint of the labels.

• labels optional computed - map from string to string

A set of key/value label pairs assigned to the instance.

• machine_type optional computed - string

The machine type to create.

• metadata optional computed - map from string to string

Metadata key/value pairs made available within the instance.

• metadata_fingerprint optional computed - string

The unique fingerprint of the metadata.

• metadata_startup_script optional computed - string

Metadata startup scripts made available within the instance.

• min_cpu_platform optional computed - string

The minimum CPU platform specified for the VM instance.

• name required - string

The name of the instance. One of name or self_link must be provided.

• project optional computed - string

The ID of the project in which the resource belongs. If self_link is provided, this value is ignored. If neither self_link nor project are provided, the provider project is used.

• resource_policies optional computed - list of string

A list of short names or self_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.

• scratch_disk optional computed - list of object

The scratch disks attached to the instance.

• interface - string
• self_link optional computed - string

The URI of the created resource.

• service_account optional computed - list of object

The service account to attach to the instance.

• email - string
• scopes - set of string
• source_instance_template required - string

Name or self link of an instance template to create the instance based on.

• tags optional computed - set of string

The list of tags attached to the instance.

• tags_fingerprint optional computed - string

The unique fingerprint of the tags.

• zone optional computed - string

The zone of the instance. If self_link is provided, this value is ignored. If neither self_link nor zone are provided, the provider zone is used.

• boot_disk list block
  • auto_delete optional computed - bool

  Whether the disk will be auto-deleted when the instance is deleted.

  • device_name optional computed - string

  Name with which attached disk will be accessible under /dev/disk/by-id/

  • disk_encryption_key_raw optional computed - string

  A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

  • disk_encryption_key_sha256 optional computed - string

  The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.

  • kms_key_self_link optional computed - string

  The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

  • mode optional computed - string

  Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".

  • source optional computed - string

  The name or self_link of the disk attached to this instance.

  • initialize_params list block
    • image optional computed - string

    The image from which this disk was initialised.

    • labels optional computed - map from string to string

    A set of key/value label pairs assigned to the disk.

    • size optional computed - number

    The size of the image in gigabytes.

    • type optional computed - string

    The Google Compute Engine disk type. One of pd-standard, pd-ssd or pd-balanced.

• confidential_instance_config list block
  • enable_confidential_compute required - bool

  Defines whether the instance should have confidential compute enabled.

• network_interface list block
  • access_config optional computed - list of object

  Access configurations, i.e. IPs via which this instance can be accessed via the Internet.

  • nat_ip - string
  • network_tier - string
  • public_ptr_domain_name - string
  • alias_ip_range optional computed - list of object

  An array of alias IP ranges for this network interface.

  • ip_cidr_range - string
  • subnetwork_range_name - string
  • name optional computed - string

  The name of the interface

  • network optional computed - string

  The name or self_link of the network attached to this interface.

  • network_ip optional computed - string

  The private IP address assigned to the instance.

  • nic_type optional computed - string

  The type of vNIC to be used on this interface. Possible values:GVNIC, VIRTIO_NET

  • subnetwork optional computed - string

  The name or self_link of the subnetwork attached to this interface.

  • subnetwork_project optional computed - string

  The project in which the subnetwork belongs.

• scheduling list block
  • automatic_restart optional computed - bool

  Specifies if the instance should be restarted if it was terminated by Compute Engine (not a user).

  • min_node_cpus optional computed - number
  • on_host_maintenance optional computed - string

  Describes maintenance behavior for the instance. One of MIGRATE or TERMINATE,

  • preemptible optional computed - bool

  Whether the instance is preemptible.

  • node_affinities set block
    • key required - string
    • operator required - string
    • values required - set of string
• shielded_instance_config list block
  • enable_integrity_monitoring optional computed - bool

  Whether integrity monitoring is enabled for the instance.

  • enable_secure_boot optional computed - bool

  Whether secure boot is enabled for the instance.

  • enable_vtpm optional computed - bool

  Whether the instance uses vTPM.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

Manages a VM instance resource within GCE. For more information see the official documentation and API. This resource is specifically to create a compute instance from a given source_instance_template. To create an instance without a template, use the google_compute_instance resource.

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.