Google Compute Engine Instance

This page shows how to write Terraform for a Compute Engine Instance and how to configure it securely.

google_compute_instance (Terraform)

The Instance in Compute Engine is configured in Terraform with the resource name google_compute_instance. The following sections show 4 examples of how to use the resource and describe its parameters.

Example Usage from GitHub

instances.tf#L41
resource "google_compute_instance" "tf-instance-1" {
  name = "tf-instance-1"

  # Task 4 - Change machine type
  machine_type = "n1-standard-2"
  zone = var.zone
compute.tf#L1
resource "google_compute_instance" "jump" {
  name         = "jump"
  machine_type = "f1-micro"
  zone         = "us-east1-c"
  tags         = ["public"]

main.tf#L6
resource "google_compute_instance" "myvm" {
        name = "myfirstvm"
        machine_type = "f1-micro"
        zone = "us-central1-c"
        network_interface {
                network = "default"
compute_instance_test.tf#L6
resource "google_compute_instance" "standard" {
  name         = "standard"
  machine_type = "f1-micro"
  zone         = "us-central1-a"

  boot_disk {

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for google_compute_instance

There are 8 settings in google_compute_instance that should be taken care of for security reasons. The following sections give an overview of each, followed by example code.

Ensure appropriate service account is assigned to your GCE instance

Create a dedicated service account for the instance, grant it only the IAM roles the workload needs, and attach it in the service_account block with a minimal scopes list. If the block is omitted, the instance runs as the Compute Engine default service account, which is granted the project-level Editor role by default, so any process on the VM (or an attacker who gets code execution on it) inherits broad access to the whole project.

Ensure IP forwarding on your GCE instances is disabled

Leave can_ip_forward at its default of false unless the instance is deliberately acting as a router, NAT or VPN gateway. With forwarding enabled the instance may send and receive packets whose source or destination address is not its own, which opens communication paths through the VPC that the firewall rules for the instance itself do not anticipate.

Ensure OS login for your GCE instance is enabled

Enable OS Login by setting the enable-oslogin metadata key to TRUE (or enable it at project level). OS Login maps SSH access to IAM identities: keys are managed centrally, access is granted and revoked through IAM roles rather than by editing metadata or authorized_keys files on each instance, and 2-step verification can be required.

Ensure serial port access for your GCE instance is disabled

Leave the serial-port-enable metadata key unset or set it to FALSE. The interactive serial console is a second login path that is reached through Google's serial console gateway rather than through the VPC network, so VPC firewall rules do not restrict it; keeping it disabled removes an access path that is easy to forget about.

Ensure the use of project-wide SSH keys is disabled

Set the block-project-ssh-keys metadata key to TRUE. An SSH key added to project metadata is accepted by every instance in the project that does not block it, so a single leaked or stale project-wide key grants access to the whole fleet, and such keys are rarely rotated or audited per instance.

Ensure the boot disk for your GCE instance is encrypted

Compute Engine encrypts disks at rest with Google-managed keys by default. To control key rotation, access logging and revocation yourself, reference a Cloud KMS key with kms_key_self_link in the boot_disk block. Avoid disk_encryption_key_raw in .tf files: a customer-supplied key written there ends up in source control and in the Terraform state.

Ensure your GCP instance does not have unnecessary public IPs

Assign an external IP only to instances that must be reachable from the internet. Omitting the access_config block inside network_interface gives the instance no external address; outbound access can go through Cloud NAT and administrative access through a bastion or IAP TCP forwarding. Every unnecessary public IP widens the attack surface by exposing the instance to internet-wide scanning.

Ensure vTPM of your GCE instance is enabled

Enable the Shielded VM vTPM with enable_vtpm = true in shielded_instance_config, together with enable_secure_boot and enable_integrity_monitoring. The vTPM seals secrets to the measured boot state and records the boot measurements that integrity monitoring compares against a known-good baseline, which is how rootkits and bootkits are detected.
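The eight settings above, brought together in one instance definition. This is an added example, not code from the page or from the repositories it cites; the project ID, KMS key path, subnet name, image and scope list are placeholders to adapt.

```hcl
# Added example: one google_compute_instance that satisfies all eight checks.
# Placeholders: project "my-project", the KMS key path, subnet "private-subnet",
# the image and the OAuth scopes.

# 1. Dedicated service account; grant it IAM roles with least privilege.
resource "google_service_account" "vm" {
  account_id   = "hardened-vm-sa"
  display_name = "Service account for hardened-vm"
}

resource "google_compute_instance" "hardened" {
  name         = "hardened-vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  # 2. No IP forwarding: the VM must not relay traffic for other hosts.
  can_ip_forward = false

  # 6. Boot disk encrypted with a customer-managed Cloud KMS key (CMEK).
  #    The Compute Engine service agent needs roles/cloudkms.cryptoKeyEncrypterDecrypter
  #    on this key before the apply succeeds.
  boot_disk {
    kms_key_self_link = "projects/my-project/locations/us-central1/keyRings/vm-ring/cryptoKeys/boot-disk-key"

    initialize_params {
      image = "debian-cloud/debian-11" # Shielded VM requires a compatible image
      type  = "pd-balanced"
    }
  }

  # 7. No access_config block, so no external IP is allocated.
  network_interface {
    subnetwork = "private-subnet"
  }

  # 3. OS Login on, 4. serial console off, 5. project-wide SSH keys blocked.
  metadata = {
    enable-oslogin         = "TRUE"
    serial-port-enable     = "FALSE"
    block-project-ssh-keys = "TRUE"
  }

  # 1. Attach the dedicated account with only the scopes the agents need;
  #    authorization is controlled by IAM roles on the account, not by scopes.
  service_account {
    email = google_service_account.vm.email
    scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
    ]
  }

  # 8. Shielded VM: vTPM plus Secure Boot and integrity monitoring.
  shielded_instance_config {
    enable_vtpm                 = true
    enable_secure_boot          = true
    enable_integrity_monitoring = true
  }
}
```

Changing most of these settings on an existing instance requires a stop/start; set allow_stopping_for_update = true on the resource if Terraform should be allowed to do that, otherwise the plan will fail rather than silently recreate the VM.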

Review your Google Compute Engine settings

You can check if the google_compute_instance setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

  • allow_stopping_for_update optional - bool

If true, allows Terraform to stop the instance to update its properties. If you try to update a property that requires stopping the instance without setting this field, the update will fail.

  • can_ip_forward optional - bool

Whether sending and receiving of packets with non-matching source or destination IPs is allowed.

  • cpu_platform computed - string

The CPU platform used by this instance.

  • current_status computed - string

Current status of the instance.

  • deletion_protection optional - bool

Whether deletion protection is enabled on this instance.

  • description optional - string

A brief description of the resource.

  • desired_status optional - string

Desired status of the instance. Either "RUNNING" or "TERMINATED".

  • enable_display optional - bool

Whether the instance has virtual displays enabled.

  • guest_accelerator optional computed - list of object

List of the type and count of accelerator cards attached to the instance.

  • hostname optional - string

A custom hostname for the instance. Must be a fully qualified DNS name and RFC-1035-valid. Valid format is a series of labels 1-63 characters long matching the regular expression [a-z]([-a-z0-9]*[a-z0-9])?, concatenated with periods. The entire hostname must not exceed 253 characters. Changing this forces a new resource to be created.

  • instance_id computed - string

The server-assigned unique identifier of this instance.

  • label_fingerprint computed - string

The unique fingerprint of the labels.

  • labels optional - map from string to string

A set of key/value label pairs assigned to the instance.

  • machine_type required - string

The machine type to create.

  • metadata optional - map from string to string

Metadata key/value pairs made available within the instance.

  • metadata_fingerprint computed - string

The unique fingerprint of the metadata.

  • metadata_startup_script optional - string

Metadata startup scripts made available within the instance.

  • min_cpu_platform optional computed - string

The minimum CPU platform specified for the VM instance.

  • name required - string

The name of the instance. One of name or self_link must be provided.

  • project optional computed - string

The ID of the project in which the resource belongs. If self_link is provided, this value is ignored. If neither self_link nor project are provided, the provider project is used.

  • resource_policies optional - list of string

A list of short names or self_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.

  • self_link computed - string

The URI of the created resource.

  • tags optional - set of string

The list of tags attached to the instance.

  • tags_fingerprint computed - string

The unique fingerprint of the tags.

  • zone optional computed - string

The zone of the instance. If self_link is provided, this value is ignored. If neither self_link nor zone are provided, the provider zone is used.

  • attached_disk list block
    • device_name optional computed - string

    Name with which the attached disk is accessible under /dev/disk/by-id/

    • disk_encryption_key_raw optional - string

    A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    • disk_encryption_key_sha256 computed - string

    The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.

    • kms_key_self_link optional computed - string

    The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    • mode optional - string

    Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".

    • source required - string

    The name or self_link of the disk attached to this instance.

  • boot_disk list block
    • auto_delete optional - bool

    Whether the disk will be auto-deleted when the instance is deleted.

    • device_name optional computed - string

    Name with which the attached disk will be accessible under /dev/disk/by-id/

    • disk_encryption_key_raw optional - string

    A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    • disk_encryption_key_sha256 computed - string

    The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.

    • kms_key_self_link optional computed - string

    The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.

    • mode optional - string

    Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".

    • source optional computed - string

    The name or self_link of the disk attached to this instance.

    • initialize_params list block
      • image optional computed - string

      The image from which this disk was initialised.

      • labels optional computed - map from string to string

      A set of key/value label pairs assigned to the disk.

      • size optional computed - number

      The size of the disk in gigabytes.

      • type optional computed - string

      The Google Compute Engine disk type. One of pd-standard, pd-ssd or pd-balanced.

  • confidential_instance_config list block
    • enable_confidential_compute required - bool

    Defines whether the instance should have confidential compute enabled.

  • network_interface list block
    • name optional computed - string

    The name of the interface

    • network optional computed - string

    The name or self_link of the network attached to this interface.

    • network_ip optional computed - string

    The private IP address assigned to the instance.

    • nic_type optional - string

    The type of vNIC to be used on this interface. Possible values: GVNIC, VIRTIO_NET

    • subnetwork optional computed - string

    The name or self_link of the subnetwork attached to this interface.

    • subnetwork_project optional computed - string

    The project in which the subnetwork belongs.

    • access_config list block
      • nat_ip optional computed - string

      The IP address that will be 1:1 mapped to the instance's network IP.

      • network_tier optional computed - string

      The networking tier used for configuring this instance. One of PREMIUM or STANDARD.

      • public_ptr_domain_name optional - string

      The DNS domain name for the public PTR record.

    • alias_ip_range list block
      • ip_cidr_range required - string

      The IP CIDR range represented by this alias IP range.

      • subnetwork_range_name optional - string

      The subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range.

  • scheduling list block
    • automatic_restart optional - bool

    Specifies if the instance should be restarted if it was terminated by Compute Engine (not a user).

    • on_host_maintenance optional computed - string

    Describes maintenance behavior for the instance. One of MIGRATE or TERMINATE.

    • preemptible optional - bool

    Whether the instance is preemptible.

  • scratch_disk list block
    • interface required - string

    The disk interface used for attaching this disk. One of SCSI or NVME.

  • service_account list block
    • email optional computed - string

    The service account e-mail address.

    • scopes required - set of string

    A list of service scopes.

  • shielded_instance_config list block
    • enable_integrity_monitoring optional - bool

    Whether integrity monitoring is enabled for the instance.

    • enable_secure_boot optional - bool

    Whether secure boot is enabled for the instance.

    • enable_vtpm optional - bool

    Whether the instance uses vTPM.

  • timeouts single block

Explanation in Terraform Registry

Manages a VM instance resource within GCE. For more information see the official documentation and API.

Tips: Best Practices for the Other Google Compute Engine Resources

In addition to google_compute_instance, Google Compute Engine has other resources that should be configured for security reasons. Please check some examples of those resources and the precautions for each.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

Do not write a customer-supplied encryption key (raw_key) literally in a .tf file, where it would be committed to source control. Read it from Secret Manager at plan time instead, or, better, reference a Cloud KMS key with kms_key_self_link so that no key material passes through Terraform at all.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

Block unwanted outbound traffic with a low-priority EGRESS deny rule and explicit allow rules for the destinations that are needed, so that a compromised instance cannot freely exfiltrate data or reach attacker infrastructure.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

Enable OS Login for all GCE instances in the project by setting enable-oslogin to TRUE in the project metadata. OS Login maps SSH access to IAM identities, allowing centralized and automated SSH key management for every instance in the project.

google_compute_ssl_policy

Ensure to use modern TLS protocols

Adopt TLS 1.2 or later (min_tls_version = "TLS_1_2" with a MODERN or RESTRICTED profile) instead of outdated TLS protocols and cipher suites.

google_compute_subnetwork

Ensure VPC flow logging is enabled

Enable VPC flow logging on each subnetwork with a log_config block. Flow logs record the traffic in your network and are the data source for auditing, anomaly detection and incident investigation.
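The five resources above in one configuration. This is an added example, not code from the page or from the repositories it cites; the network name, region, CIDR, Secret Manager secret name and the private.googleapis.com range are assumptions to adapt to your environment.

```hcl
# Added example covering google_compute_subnetwork, google_compute_firewall,
# google_compute_project_metadata, google_compute_ssl_policy and google_compute_disk.
# Placeholders: VPC/subnet names, region, CIDR, secret name.

resource "google_compute_network" "vpc" {
  name                    = "hardened-vpc"
  auto_create_subnetworks = false
}

# google_compute_subnetwork: flow logs on, so traffic can be audited.
resource "google_compute_subnetwork" "private" {
  name                     = "private-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true # reach Google APIs without an external IP

  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# google_compute_firewall: default-deny egress, then allow only what is needed.
# A lower priority number wins, so the allow rule (1000) beats the deny (65534).
resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }
}

resource "google_compute_firewall" "allow_egress_google_apis" {
  name               = "allow-egress-google-apis"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["199.36.153.8/30"] # private.googleapis.com VIP (assumed)

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# google_compute_project_metadata: OS Login for every instance in the project.
# This resource manages the project metadata map authoritatively; use
# google_compute_project_metadata_item instead to manage a single key.
resource "google_compute_project_metadata" "default" {
  metadata = {
    enable-oslogin = "TRUE"
  }
}

# google_compute_ssl_policy: TLS 1.2 minimum with the MODERN cipher profile.
resource "google_compute_ssl_policy" "modern" {
  name            = "modern-tls"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

# google_compute_disk: the customer-supplied key is read from Secret Manager
# rather than written in the .tf file. Terraform still records the key in
# state, so protect the state backend or prefer kms_key_self_link instead.
data "google_secret_manager_secret_version" "disk_key" {
  secret = "gce-disk-csek" # assumed secret name; value is the base64 256-bit key
}

resource "google_compute_disk" "data" {
  name = "data-disk"
  zone = "us-central1-a"
  type = "pd-ssd"
  size = 50

  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}
```

With the egress deny rule in place, add further allow rules per destination (for example the Cloud NAT path or an internal package mirror) rather than widening destination_ranges on the existing one.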

Review your Google Compute Engine settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud checks your .tf files for them.

Frequently asked questions

What is Google Compute Engine Instance?

Google Compute Engine Instance is a resource for Compute Engine of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Compute Engine Instance?

For Terraform, the phuongvo9/Terraform-with-GCP, kaks2015/Terraform4-CR460-H2021 and meetmuthu/lab-terra source code examples are useful. See the Terraform Example section for further details.