Google Compute Engine Instance From Template
This page shows how to write Terraform for Compute Engine Instance From Template and write them securely.
google_compute_instance_from_template (Terraform)
The Instance From Template in Compute Engine can be configured in Terraform with the resource name google_compute_instance_from_template
. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_compute_instance_from_template" "linux_static_build_agent" {
for_each = var.static_agents.linux
name = each.key
resource "google_compute_instance_from_template" "lfclass_master" {
name = "lfclass-master"
source_instance_template = google_compute_instance_template.lfclass_template.id
metadata_startup_script = data.template_file.master_init_script.rendered
Parameters
-
allow_stopping_for_update
optional computed - bool
If true, allows Terraform to stop the instance to update its properties. If you try to update a property that requires stopping the instance without setting this field, the update will fail.
-
attached_disk
optional computed - list of object
List of disks attached to the instance
-
device_name
- string -
disk_encryption_key_raw
- string -
disk_encryption_key_sha256
- string -
kms_key_self_link
- string -
mode
- string -
source
- string -
can_ip_forward
optional computed - bool
Whether sending and receiving of packets with non-matching source or destination IPs is allowed.
-
cpu_platform
optional computed - string
The CPU platform used by this instance.
-
current_status
optional computed - string
Current status of the instance.
-
deletion_protection
optional computed - bool
Whether deletion protection is enabled on this instance.
-
description
optional computed - string
A brief description of the resource.
-
desired_status
optional computed - string
Desired status of the instance. Either "RUNNING" or "TERMINATED".
-
enable_display
optional computed - bool
Whether the instance has virtual displays enabled.
-
guest_accelerator
optional computed - list of object
List of the type and count of accelerator cards attached to the instance.
A custom hostname for the instance. Must be a fully qualified DNS name and RFC-1035-valid. Valid format is a series of labels 1-63 characters long matching the regular expression a-z, concatenated with periods. The entire hostname must not exceed 253 characters. Changing this forces a new resource to be created.
-
id
optional computed - string -
instance_id
optional computed - string
The server-assigned unique identifier of this instance.
-
label_fingerprint
optional computed - string
The unique fingerprint of the labels.
-
labels
optional computed - map from string to string
A set of key/value label pairs assigned to the instance.
-
machine_type
optional computed - string
The machine type to create.
-
metadata
optional computed - map from string to string
Metadata key/value pairs made available within the instance.
-
metadata_fingerprint
optional computed - string
The unique fingerprint of the metadata.
-
metadata_startup_script
optional computed - string
Metadata startup scripts made available within the instance.
-
min_cpu_platform
optional computed - string
The minimum CPU platform specified for the VM instance.
-
name
required - string
The name of the instance. One of name or self_link must be provided.
-
project
optional computed - string
The ID of the project in which the resource belongs. If self_link is provided, this value is ignored. If neither self_link nor project are provided, the provider project is used.
-
resource_policies
optional computed - list of string
A list of short names or self_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.
-
scratch_disk
optional computed - list of object
The scratch disks attached to the instance.
The URI of the created resource.
-
service_account
optional computed - list of object
The service account to attach to the instance.
-
email
- string -
scopes
- set of string -
source_instance_template
required - string
Name or self link of an instance template to create the instance based on.
-
tags
optional computed - set of string
The list of tags attached to the instance.
-
tags_fingerprint
optional computed - string
The unique fingerprint of the tags.
-
zone
optional computed - string
The zone of the instance. If self_link is provided, this value is ignored. If neither self_link nor zone are provided, the provider zone is used.
-
boot_disk
list block-
auto_delete
optional computed - bool
Whether the disk will be auto-deleted when the instance is deleted.
-
device_name
optional computed - string
Name with which attached disk will be accessible under /dev/disk/by-id/
-
disk_encryption_key_raw
optional computed - string
A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
disk_encryption_key_sha256
optional computed - string
The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
-
kms_key_self_link
optional computed - string
The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
mode
optional computed - string
Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
-
source
optional computed - string
The name or self_link of the disk attached to this instance.
-
initialize_params
list block-
image
optional computed - string
The image from which this disk was initialised.
-
labels
optional computed - map from string to string
A set of key/value label pairs assigned to the disk.
-
size
optional computed - number
The size of the image in gigabytes.
-
type
optional computed - string
The Google Compute Engine disk type. One of pd-standard, pd-ssd or pd-balanced.
-
-
-
confidential_instance_config
list block-
enable_confidential_compute
required - bool
Defines whether the instance should have confidential compute enabled.
-
-
network_interface
list block-
access_config
optional computed - list of object
Access configurations, i.e. IPs via which this instance can be accessed via the Internet.
-
nat_ip
- string -
network_tier
- string -
public_ptr_domain_name
- string -
alias_ip_range
optional computed - list of object
An array of alias IP ranges for this network interface.
-
ip_cidr_range
- string -
subnetwork_range_name
- string -
name
optional computed - string
The name of the interface
-
network
optional computed - string
The name or self_link of the network attached to this interface.
-
network_ip
optional computed - string
The private IP address assigned to the instance.
-
nic_type
optional computed - string
The type of vNIC to be used on this interface. Possible values:GVNIC, VIRTIO_NET
-
subnetwork
optional computed - string
The name or self_link of the subnetwork attached to this interface.
-
subnetwork_project
optional computed - string
The project in which the subnetwork belongs.
-
-
scheduling
list block-
automatic_restart
optional computed - bool
Specifies if the instance should be restarted if it was terminated by Compute Engine (not a user).
-
min_node_cpus
optional computed - number -
on_host_maintenance
optional computed - string
Describes maintenance behavior for the instance. One of MIGRATE or TERMINATE,
-
preemptible
optional computed - bool
Whether the instance is preemptible.
-
node_affinities
set block
-
-
shielded_instance_config
list block-
enable_integrity_monitoring
optional computed - bool
Whether integrity monitoring is enabled for the instance.
-
enable_secure_boot
optional computed - bool
Whether secure boot is enabled for the instance.
-
enable_vtpm
optional computed - bool
Whether the instance uses vTPM.
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a VM instance resource within GCE. For more information see the official documentation and API. This resource is specifically to create a compute instance from a given
source_instance_template
. To create an instance without a template, use thegoogle_compute_instance
resource.
Tips: Best Practices for The Other Google Compute Engine Resources
In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
google_compute_disk
Ensure the encryption key for your GCE disk is stored securely
It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.
google_compute_firewall
Ensure your VPC firewall blocks unwanted outbound traffic
It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.
google_compute_instance
Ensure appropriate service account is assigned to your GCE instance
It is better to create a custom service account for the instance and assign it.
google_compute_project_metadata
Ensure OS login for your GCE instances is enabled at project level
It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
google_compute_ssl_policy
Ensure to use modern TLS protocols
It's better to adopt TLS v1.2+ instead of outdated TLS protocols.
google_compute_subnetwork
Ensure VPC flow logging is enabled
It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.
Frequently asked questions
What is Google Compute Engine Instance From Template?
Google Compute Engine Instance From Template is a resource for Compute Engine of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Compute Engine Instance From Template?
For Terraform, the Kalmalyzer/UE-Jenkins-BuildSystem and Brunomachadob/lfs258 source code examples are useful. See the Terraform Example section for further details.