Google Compute Engine Instance Template
This page shows how to write Terraform for a Compute Engine Instance Template and how to configure it securely.
google_compute_instance_template (Terraform)
The Instance Template in Compute Engine can be configured in Terraform with the resource name google_compute_instance_template. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
The snippets below are cut off at the source; closing braces have been added so each one parses, and where a required block is missing it is either noted or supplied with a value labelled as an assumption.

```hcl
resource "google_compute_instance_template" "gcloud_no_args" {
  name         = "gcloud-no-args"
  machine_type = "n1-standard-1"
  disk {
    source_image = "debian-cloud/debian-10"
  }
  network_interface {
    network = "default" # assumed: required block not shown in the truncated snippet
  }
}
```

```hcl
resource "google_compute_instance_template" "default" {
  name         = "us-central1-template"
  description  = "This template is used to create app server instances."
  machine_type = "e2-medium"
  region       = "us-central1"
  disk {
    # source_image (or source) is required here; the original snippet is cut off at this point
  }
  # network_interface block not shown in the truncated snippet
}
```

```hcl
resource "google_compute_instance_template" "browse_asia" {
  name         = "browse-asia"
  region       = var.hub.vpc1.asia.region
  machine_type = var.global.standard_machine
  tags         = ["web", "lockdown"]
  # disk and network_interface blocks not shown in the truncated snippet
}
```

```hcl
resource "google_compute_instance_template" "tf-server-staging" {
  name    = "tf-server-staging"
  project = "comp698-dml1037"
  disk {
    source_image = "cos-cloud/cos-stable"
  }
  # machine_type is required but not shown in the truncated snippet
  network_interface {
    network = "default" # assumed: required block not shown in the truncated snippet
  }
}
```
Parameters
- can_ip_forward (optional, bool): Whether to allow sending and receiving of packets with non-matching source or destination IPs. This defaults to false.
- description (optional, string): A brief description of this resource.
- enable_display (optional, bool): Enable Virtual Displays on this instance. Note: allow_stopping_for_update must be set to true in order to update this field.
- id (optional, computed, string)
- instance_description (optional, string): A description of the instance.
- labels (optional, map from string to string): A set of key/value label pairs to assign to instances created from this template.
- machine_type (required, string): The machine type to create. To create a machine with a custom type (such as extended memory), format the value like custom-VCPUS-MEM_IN_MB, for example custom-6-20480 for 6 vCPUs and 20GB of RAM.
- metadata (optional, map from string to string): Metadata key/value pairs to make available from within instances created from this template.
- metadata_fingerprint (optional, computed, string): The unique fingerprint of the metadata.
- metadata_startup_script (optional, string): An alternative to using the startup-script metadata key, mostly to match the compute_instance resource. This replaces the startup-script metadata key on the created instance, so the two mechanisms cannot be used simultaneously.
- min_cpu_platform (optional, string): Specifies a minimum CPU platform. Applicable values are the friendly names of CPU platforms, such as Intel Haswell or Intel Skylake.
- name (optional, computed, string): The name of the instance template. If you leave this blank, Terraform will auto-generate a unique name.
- name_prefix (optional, computed, string): Creates a unique name beginning with the specified prefix. Conflicts with name.
- project (optional, computed, string): The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- region (optional, computed, string): An instance template is a global resource that is not bound to a zone or a region. However, you can still specify some regional resources in an instance template, which restricts the template to the region where that resource resides. For example, a custom subnetwork resource is tied to a specific region. Defaults to the region of the provider if no value is given.
- self_link (optional, computed, string): The URI of the created resource.
- tags (optional, set of string): Tags to attach to the instance.
- tags_fingerprint (optional, computed, string): The unique fingerprint of the tags.
- confidential_instance_config (list block)
  - enable_confidential_compute (required, bool): Defines whether the instance should have confidential compute enabled.
- disk (list block)
  - auto_delete (optional, bool): Whether or not the disk should be auto-deleted. This defaults to true.
  - boot (optional, computed, bool): Indicates that this is a boot disk.
  - device_name (optional, computed, string): A unique device name that is reflected into the /dev/ tree of a Linux operating system running within the instance. If not specified, the server chooses a default device name to apply to this disk.
  - disk_name (optional, string): Name of the disk. When not provided, this defaults to the name of the instance.
  - disk_size_gb (optional, computed, number): The size of the image in gigabytes. If not specified, it will inherit the size of its base image. For SCRATCH disks, the size must be exactly 375GB.
  - disk_type (optional, computed, string): The Google Compute Engine disk type. Can be either "pd-ssd", "local-ssd", "pd-balanced" or "pd-standard".
  - interface (optional, computed, string): Specifies the disk interface to use for attaching this disk.
  - labels (optional, map from string to string): A set of key/value label pairs to assign to disks.
  - mode (optional, computed, string): The mode in which to attach this disk, either READ_WRITE or READ_ONLY. If you are attaching or creating a boot disk, this must be READ_WRITE.
  - resource_policies (optional, list of string): A list (short name or id) of resource policies to attach to this disk. Currently a maximum of 1 resource policy is supported.
  - source (optional, string): The name (not self_link) of the disk (such as those managed by google_compute_disk) to attach. Note: Either source or source_image is required when creating a new instance, except when creating a local SSD.
  - source_image (optional, computed, string): The image from which to initialize this disk. This can be one of: the image's self_link, projects/[project]/global/images/[image], projects/[project]/global/images/family/[family], global/images/[image], global/images/family/[family], family/[family], [project]/[family], [project]/[image], [family], or [image]. Note: Either source or source_image is required when creating a new instance, except when creating a local SSD.
  - type (optional, computed, string): The type of Google Compute Engine disk, can be either "SCRATCH" or "PERSISTENT".
  - disk_encryption_key (list block)
    - kms_key_self_link (required, string): The self link of the encryption key that is stored in Google Cloud KMS.
- guest_accelerator (list block)
  - count (required, number): The number of the guest accelerator cards exposed to this instance.
  - type (required, string): The accelerator type resource to expose to this instance, e.g. nvidia-tesla-k80.
- network_interface (list block)
  - name (optional, computed, string): The name of the network_interface.
  - network (optional, computed, string): The name or self_link of the network to attach this interface to. Use the network attribute for Legacy or Auto subnetted networks and subnetwork for custom subnetted networks.
  - network_ip (optional, string): The private IP address to assign to the instance. If empty, the address will be automatically assigned.
  - nic_type (optional, string): The type of vNIC to be used on this interface. Possible values: GVNIC, VIRTIO_NET.
  - subnetwork (optional, computed, string): The name of the subnetwork to attach this interface to. The subnetwork must exist in the same region this instance will be created in. Either network or subnetwork must be provided.
  - subnetwork_project (optional, computed, string): The ID of the project in which the subnetwork belongs. If it is not provided, the provider project is used.
  - access_config (list block)
    - nat_ip (optional, computed, string): The IP address that will be 1:1 mapped to the instance's network IP. If not given, one will be generated.
    - network_tier (optional, computed, string): The networking tier used for configuring this instance template. This field can take the following values: PREMIUM or STANDARD. If this field is not specified, it is assumed to be PREMIUM.
    - public_ptr_domain_name (optional, computed, string): The DNS domain name for the public PTR record.
  - alias_ip_range (list block)
    - ip_cidr_range (required, string): The IP CIDR range represented by this alias IP range. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by the system or used by other network interfaces. At the time of writing only a netmask (e.g. /24) may be supplied, with a CIDR format resulting in an API error.
    - subnetwork_range_name (optional, string): The subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range. If left unspecified, the primary range of the subnetwork will be used.
- scheduling (list block)
  - automatic_restart (optional, bool): Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). This defaults to true.
  - min_node_cpus (optional, number): Minimum number of CPUs for the instance.
  - on_host_maintenance (optional, computed, string): Defines the maintenance behavior for this instance.
  - preemptible (optional, bool): Allows the instance to be preempted. This defaults to false.
  - node_affinities (set block)
- service_account (list block)
  - email (optional, computed, string): The service account e-mail address. If not given, the default Google Compute Engine service account is used.
  - scopes (required, set of string): A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope.
- shielded_instance_config (list block)
  - enable_integrity_monitoring (optional, bool): Compare the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. Defaults to true.
  - enable_secure_boot (optional, bool): Verify the digital signature of all boot components, and halt the boot process if signature verification fails. Defaults to false.
  - enable_vtpm (optional, bool): Use a virtualized trusted platform module, which is a specialized computer chip you can use to encrypt objects like keys and certificates. Defaults to true.
- timeouts (single block)
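Added example (not code from this page or from the repositories it cites): one template that sets the security-relevant parameters documented above together, so the defaults that are weak on their own (secure boot off, default service account, external IP via access_config) are overridden in a single place. The var.* values, the image family and the subnetwork are assumed placeholders that must exist before this is applied.

```hcl
# Added example, not from the page or the repositories it cites: a hardened
# template. var.* values are assumed placeholders that must exist beforehand.
resource "google_compute_instance_template" "hardened" {
  name_prefix  = "app-server-"   # with create_before_destroy below, the template can be replaced safely
  machine_type = "e2-medium"
  region       = "us-central1"

  # Shielded VM: enable_secure_boot defaults to false, so set it explicitly.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  disk {
    source_image = "debian-cloud/debian-11"   # assumed Shielded-VM-capable image family
    boot         = true
    auto_delete  = true
    disk_type    = "pd-balanced"
    # CMEK: the Compute Engine service agent needs roles/cloudkms.cryptoKeyEncrypterDecrypter on this key.
    disk_encryption_key {
      kms_key_self_link = var.boot_disk_kms_key   # assumed Cloud KMS key self_link
    }
  }

  # No access_config block, so no external IP is allocated; reach instances via IAP or a bastion.
  network_interface {
    subnetwork = var.app_subnetwork   # assumed custom-mode subnetwork in us-central1
  }

  # Least privilege: a dedicated service account instead of the default GCE one.
  # With the cloud-platform scope, the IAM roles bound to the account set the permission boundary.
  service_account {
    email  = var.app_service_account_email   # assumed
    scopes = ["cloud-platform"]
  }

  metadata = {
    enable-oslogin           = "TRUE"   # SSH access mapped to IAM identities
    block-project-ssh-keys   = "TRUE"   # ignore project-wide ssh-keys metadata
    disable-legacy-endpoints = "TRUE"   # only the v1 metadata server API
  }

  can_ip_forward = false   # the default; stated so a review diff catches a change

  lifecycle {
    create_before_destroy = true
  }
}
```

If confidential computing is required, add confidential_instance_config with enable_confidential_compute = true; that also constrains the machine type and maintenance policy, so check the provider documentation for the combination you deploy.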
Explanation in Terraform Registry
Manages a VM instance template resource within GCE. For more information see the official documentation and API.
Tips: Best Practices for The Other Google Compute Engine Resources
In addition to this resource, Google Compute Engine has other resources that should be configured with security in mind. Please check some examples of those resources and the precautions to take.
google_compute_disk
Ensure the encryption key for your GCE disk is stored securely
It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.
google_compute_firewall
Ensure your VPC firewall blocks unwanted outbound traffic
It is better to block unwanted outbound traffic so that resources in the VPC are not exposed to unwanted attacks.
google_compute_instance
Ensure appropriate service account is assigned to your GCE instance
It is better to create a custom service account for the instance and assign it.
google_compute_project_metadata
Ensure OS login for your GCE instances is enabled at project level
It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
google_compute_ssl_policy
Ensure to use modern TLS protocols
It's better to adopt TLS v1.2+ instead of outdated TLS protocols.
google_compute_subnetwork
Ensure VPC flow logging is enabled
It is better to enable VPC flow logging. VPC flow logging lets you audit traffic in your network.
Frequently asked questions
What is Google Compute Engine Instance Template?
Google Compute Engine Instance Template is a resource for Compute Engine of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google Compute Engine Instance Template?
For Terraform, the bleything/gcp-terraform-snippets, PhaniVemuri912/gcp-sg-01 and kaysal/cloud-networking source code examples are useful. See the Terraform Example section for further details.