Google Compute Engine Instance Template

This page shows how to write Terraform for a Compute Engine Instance Template and how to configure it securely.

google_compute_instance_template (Terraform)

The Instance Template in Compute Engine can be configured in Terraform with the resource name google_compute_instance_template. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

instance_templates.tf#L24

resource "google_compute_instance_template" "gcloud_no_args" {
  name         = "gcloud-no-args"
  machine_type = "n1-standard-1"

  disk {
    source_image = "debian-cloud/debian-10"
  }
}

gcp-lb.tf#L73

resource "google_compute_instance_template" "default" {
  name         = "us-central1-template"
  description  = "This template is used to create app server instances."
  machine_type = "e2-medium"
  region       = "us-central1"
  disk {
    # remaining disk arguments are not shown in the quoted snippet
  }
}

2-templates.tf#L16

resource "google_compute_instance_template" "browse_asia" {
  name         = "browse-asia"
  region       = var.hub.vpc1.asia.region
  machine_type = var.global.standard_machine

  tags = ["web", "lockdown"]
}

main.tf#L12

resource "google_compute_instance_template" "tf-server-staging" {
  name    = "tf-server-staging"
  project = "comp698-dml1037"
  disk {
    source_image = "cos-cloud/cos-stable"
  }
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • can_ip_forward optional - bool

Whether to allow sending and receiving of packets with non-matching source or destination IPs. This defaults to false.

  • description optional - string

A brief description of this resource.

  • enable_display optional - bool

Enable Virtual Displays on this instance. Note: allow_stopping_for_update must be set to true in order to update this field.

  • instance_description optional - string

A description of the instance.

  • labels optional - map from string to string

A set of key/value label pairs to assign to instances created from this template.

  • machine_type required - string

The machine type to create. To create a machine with a custom type (such as extended memory), format the value as custom-VCPUS-MEM_IN_MB, for example custom-6-20480 for 6 vCPUs and 20GB of RAM.

  • metadata optional - map from string to string

Metadata key/value pairs to make available from within instances created from this template.

  • metadata_fingerprint computed - string

The unique fingerprint of the metadata.

  • metadata_startup_script optional - string

An alternative to using the startup-script metadata key, mostly to match the compute_instance resource. This replaces the startup-script metadata key on the created instance, so the two mechanisms cannot be used simultaneously.

  • min_cpu_platform optional - string

Specifies a minimum CPU platform. Applicable values are the friendly names of CPU platforms, such as Intel Haswell or Intel Skylake.

  • name optional computed - string

The name of the instance template. If you leave this blank, Terraform will auto-generate a unique name.

  • name_prefix optional computed - string

Creates a unique name beginning with the specified prefix. Conflicts with name.

  • project optional computed - string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

  • region optional computed - string

An instance template is a global resource that is not bound to a zone or a region. However, you can still specify some regional resources in an instance template, which restricts the template to the region where that resource resides. For example, a custom subnetwork resource is tied to a specific region. Defaults to the region of the provider if no value is given.

  • self_link computed - string

The URI of the created resource.

  • tags optional - set of string

Tags to attach to the instance.

  • tags_fingerprint computed - string

The unique fingerprint of the tags.

  • confidential_instance_config list block
    • enable_confidential_compute required - bool

    Defines whether the instance should have confidential compute enabled.

  • disk list block
    • auto_delete optional - bool

    Whether or not the disk should be auto-deleted. This defaults to true.

    • boot optional computed - bool

    Indicates that this is a boot disk.

    • device_name optional computed - string

    A unique device name that is reflected into the /dev/ tree of a Linux operating system running within the instance. If not specified, the server chooses a default device name to apply to this disk.

    • disk_name optional - string

    Name of the disk. When not provided, this defaults to the name of the instance.

    • disk_size_gb optional computed - number

    The size of the image in gigabytes. If not specified, it will inherit the size of its base image. For SCRATCH disks, the size must be exactly 375GB.

    • disk_type optional computed - string

    The Google Compute Engine disk type. Can be either "pd-ssd", "local-ssd", "pd-balanced" or "pd-standard".

    • interface optional computed - string

    Specifies the disk interface to use for attaching this disk.

    • labels optional - map from string to string

    A set of key/value label pairs to assign to disks.

    • mode optional computed - string

    The mode in which to attach this disk, either READ_WRITE or READ_ONLY. If you are attaching or creating a boot disk, this must be READ_WRITE.

    • resource_policies optional - list of string

    A list (short name or id) of resource policies to attach to this disk. Currently a maximum of 1 resource policy is supported.

    • source optional - string

    The name (not self_link) of the disk (such as those managed by google_compute_disk) to attach. Note: Either source or source_image is required when creating a new instance, except when creating a local SSD.

    • source_image optional computed - string

    The image from which to initialize this disk. This can be one of: the image's self_link, projects/[project]/global/images/[image], projects/[project]/global/images/family/[family], global/images/[image], global/images/family/[family], family/[family], [project]/[family], [project]/[image], [family], or [image]. Note: Either source or source_image is required when creating a new instance, except when creating a local SSD.

    • type optional computed - string

    The type of Google Compute Engine disk, can be either "SCRATCH" or "PERSISTENT".

  • guest_accelerator list block
    • count required - number

    The number of the guest accelerator cards exposed to this instance.

    • type required - string

    The accelerator type resource to expose to this instance. E.g. nvidia-tesla-k80.

  • network_interface list block
    • name optional computed - string

    The name of the network_interface.

    • network optional computed - string

    The name or self_link of the network to attach this interface to. Use network for legacy or auto-subnetted networks and subnetwork for custom-subnetted networks.

    • network_ip optional - string

    The private IP address to assign to the instance. If empty, the address will be automatically assigned.

    • nic_type optional - string

    The type of vNIC to be used on this interface. Possible values: GVNIC, VIRTIO_NET.

    • subnetwork optional computed - string

    The name of the subnetwork to attach this interface to. The subnetwork must exist in the same region this instance will be created in. Either network or subnetwork must be provided.

    • subnetwork_project optional computed - string

    The ID of the project in which the subnetwork belongs. If it is not provided, the provider project is used.

    • access_config list block
      • nat_ip optional computed - string

      The IP address that will be 1:1 mapped to the instance's network IP. If not given, one will be generated.

      • network_tier optional computed - string

      The networking tier used for configuring this instance template. This field can take the following values: PREMIUM or STANDARD. If this field is not specified, it is assumed to be PREMIUM.

      • public_ptr_domain_name optional - string

      The DNS domain name for the public PTR record.

    • alias_ip_range list block
      • ip_cidr_range required - string

      The IP CIDR range represented by this alias IP range. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by the system or used by other network interfaces. At the time of writing only a netmask (e.g. /24) may be supplied; a full CIDR results in an API error.

      • subnetwork_range_name optional - string

      The subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range. If left unspecified, the primary range of the subnetwork will be used.

  • scheduling list block
    • automatic_restart optional - bool

    Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). This defaults to true.

    • min_node_cpus optional - number

    Minimum number of CPUs for the instance.

    • on_host_maintenance optional computed - string

    Defines the maintenance behavior for this instance.

    • preemptible optional - bool

    Allows the instance to be preempted. This defaults to false.

  • service_account list block
    • email optional computed - string

    The service account e-mail address. If not given, the default Google Compute Engine service account is used.

    • scopes required - set of string

    A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope.

  • shielded_instance_config list block
    • enable_integrity_monitoring optional - bool

    Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to true.

    • enable_secure_boot optional - bool

    Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false.

    • enable_vtpm optional - bool

    Use a virtualized trusted platform module, a specialized chip you can use to protect objects such as keys and certificates. Defaults to true.

  • timeouts single block

Explanation in Terraform Registry

Manages a VM instance template resource within GCE. For more information see the official documentation and API.
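As an added example (not code from this page or from the repositories quoted above), the template below turns the security-relevant parameters described in the Parameters section away from their risky defaults: a dedicated service account with narrow scopes instead of the default Compute Engine account, Secure Boot switched on, no external IP, and OS Login enabled. PLACEHOLDER_PROJECT, the subnetwork name and the service-account id are placeholders.

```hcl
# Added example (not from the page or the quoted repositories). PLACEHOLDER_PROJECT,
# the subnetwork name and the service-account id are placeholders.
resource "google_service_account" "app" {
  account_id   = "app-template-sa"
  display_name = "Least-privilege service account for app instances"
}

resource "google_compute_instance_template" "hardened" {
  name_prefix  = "app-hardened-"   # with create_before_destroy, lets the immutable template rotate
  machine_type = "e2-medium"
  region       = "us-central1"

  can_ip_forward = false   # already the default; stated explicitly so a change shows up in review

  disk {
    source_image = "debian-cloud/debian-10"
    boot         = true
    auto_delete  = true
    disk_type    = "pd-balanced"
  }

  network_interface {
    subnetwork = "projects/PLACEHOLDER_PROJECT/regions/us-central1/subnetworks/app-subnet"
    # no access_config block: instances created from this template get no external IP
  }

  # A custom service account with narrow scopes instead of the default
  # Compute Engine service account with the cloud-platform scope.
  service_account {
    email  = google_service_account.app.email
    scopes = ["logging-write", "monitoring-write"]
  }

  # enable_secure_boot defaults to false; vTPM and integrity monitoring default to true.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  metadata = {
    enable-oslogin = "TRUE"   # SSH keys are managed through IAM (OS Login)
  }

  lifecycle {
    create_before_destroy = true
  }
}
```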

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to google_compute_instance_template, Google Compute Engine has other resources that should be configured with security in mind. The following examples list those resources and the precautions to take.


google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used for this instead of keeping it in the configuration.


google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic so that resources in the VPC are not exposed to unwanted attacks.


google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it, rather than relying on the default Compute Engine service account.


google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS Login for your GCE instances. Enabling OS Login ensures that the SSH keys used to connect to instances are mapped to IAM users, allowing centralized and automated SSH key management.


google_compute_ssl_policy

Ensure to use modern TLS protocols

It is better to adopt TLS 1.2 or later instead of outdated TLS protocols.


google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging lets you audit the traffic in your network.

Review your Google Compute Engine settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; Shisho Cloud checks for them.

Frequently asked questions

What is Google Compute Engine Instance Template?

Google Compute Engine Instance Template is a resource for Compute Engine of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Compute Engine Instance Template?

For Terraform, the bleything/gcp-terraform-snippets, PhaniVemuri912/gcp-sg-01 and kaysal/cloud-networking source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.