Google Compute Engine Instance Group Manager

google_compute_instance_group_manager (Terraform)

The Instance Group Manager in Compute Engine can be configured in Terraform with the resource name google_compute_instance_group_manager. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

chaconmelgarejo/tf-labs

resource "google_compute_instance_group_manager" "web-igm" {
  name                = "webserver-igm"
  base_instance_name  = "webserver"
  zone                = data.google_compute_zones.available.names[0]

  version {

Parameters

• base_instance_name required - string

The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name.

• description optional - string

An optional textual description of the instance group manager.

• fingerprint optional computed - string

The fingerprint of the instance group manager.

• id optional computed - string
• instance_group optional computed - string

The full URL of the instance group created by the manager.

• name required - string

The name of the instance group manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens.

• operation optional computed - string
• project optional computed - string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• self_link optional computed - string

The URL of the created resource.

• target_pools optional - set of string

The full URL of all target pools to which new instances in the group are added. Updating the target pools attribute does not affect existing instances.

• target_size optional computed - number

The target number of running instances for this managed instance group. This value should always be explicitly set unless this resource is attached to an autoscaler, in which case it should never be set. Defaults to 0.

• wait_for_instances optional - bool

Whether to wait for all instances to be created/updated before returning. Note that if this is set to true and the operation does not succeed, Terraform will continue trying until it times out.

• zone optional computed - string

The zone that instances in this group should be created in.

• auto_healing_policies list block
  • health_check required - string

  The health check resource that signals autohealing.

  • initial_delay_sec required - number

  The number of seconds that the managed instance group waits before it applies autohealing policies to new instances or recently recreated instances. Between 0 and 3600.

• named_port set block
  • name required - string

  The name of the port.

  • port required - number

  The port number.

• stateful_disk set block
  • delete_rule optional - string

  A value that prescribes what should happen to the stateful disk when the VM instance is deleted. The available options are NEVER and ON_PERMANENT_INSTANCE_DELETION. NEVER - detach the disk when the VM is deleted, but do not delete the disk. ON_PERMANENT_INSTANCE_DELETION will delete the stateful disk when the VM is permanently deleted from the instance group. The default is NEVER.

  • device_name required - string

  The device name of the disk to be attached.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string
• update_policy list block
  • max_surge_fixed optional computed - number

  The maximum number of instances that can be created above the specified targetSize during the update process. Conflicts with max_surge_percent. If neither is set, defaults to 1

  • max_surge_percent optional - number

  The maximum number of instances(calculated as percentage) that can be created above the specified targetSize during the update process. Conflicts with max_surge_fixed.

  • max_unavailable_fixed optional computed - number

  The maximum number of instances that can be unavailable during the update process. Conflicts with max_unavailable_percent. If neither is set, defaults to 1.

  • max_unavailable_percent optional - number

  The maximum number of instances(calculated as percentage) that can be unavailable during the update process. Conflicts with max_unavailable_fixed.

  • min_ready_sec optional - number

  Minimum number of seconds to wait for after a newly created instance becomes available. This value must be from range [0, 3600].

  • minimal_action required - string

  Minimal action to be taken on an instance. You can specify either RESTART to restart existing instances or REPLACE to delete and create new instances from the target template. If you specify a RESTART, the Updater will attempt to perform that action only. However, if the Updater determines that the minimal action you specify is not enough to perform the update, it might perform a more disruptive action.

  • replacement_method optional - string

  The instance replacement method for managed instance groups. Valid values are: "RECREATE", "SUBSTITUTE". If SUBSTITUTE (default), the group replaces VM instances with new instances that have randomly generated names. If RECREATE, instance names are preserved. You must also set max_unavailable_fixed or max_unavailable_percent to be greater than 0.

  • type required - string

  The type of update process. You can specify either PROACTIVE so that the instance group manager proactively executes actions in order to bring instances to their target versions or OPPORTUNISTIC so that no action is proactively executed but the update will be performed as part of other actions (for example, resizes or recreateInstances calls).

• version list block
  • instance_template required - string

  The full URL to an instance template from which all new instances of this version will be created.

  • name optional - string

  Version name.

  • target_size list block
    • fixed optional - number

    The number of instances which are managed for this version. Conflicts with percent.

    • percent optional - number

    The number of instances (calculated as percentage) which are managed for this version. Conflicts with fixed. Note that when using percent, rounding will be in favor of explicitly set target_size values; a managed instance group with 2 instances and 2 versions, one of which has a target_size.percent of 60 will create 2 instances of that version.

Explanation in Terraform Registry

The Google Compute Engine Instance Group Manager API creates and manages pools of homogeneous Compute Engine virtual machine instances from a common instance template. For more information, see the official documentation and API

Note: Use google_compute_region_instance_group_manager to create a regional (multi-zone) instance group manager.

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.