Google Compute Engine Instance
This page shows how to write Terraform for Compute Engine Instance and write them securely.
google_compute_instance (Terraform)
The Instance in Compute Engine can be configured in Terraform with the resource name google_compute_instance
. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_compute_instance" "tf-instance-1" {
name = "tf-instance-1"
# Task 4 - Change machine type
machine_type = "n1-standard-2"
zone = var.zone
resource "google_compute_instance" "jump" {
name = "jump"
machine_type = "f1-micro"
zone = "us-east1-c"
tags = ["public"]
resource "google_compute_instance" "myvm" {
name = "myfirstvm"
machine_type = "f1-micro"
zone = "us-central1-c"
network_interface {
network = "default"
resource "google_compute_instance" "standard" {
name = "standard"
machine_type = "f1-micro"
zone = "us-central1-a"
boot_disk {
Security Best Practices for google_compute_instance
There are 8 settings in google_compute_instance that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure appropriate service account is assigned to your GCE instance
It is better to create a custom service account for the instance and assign it.
Ensure IP forwarding on your GCE instances is disabled
It is better to disable IP forwarding on the GCE instances not to open unintended communication paths.
Ensure OS login for your GCE instance is enabled
It is better to enable OS login for your GCE instance. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
Ensure serial port access for your GCE instance is disabled
It is better to disable serial port access for your GCE instance. If it is enabled, it could be an undesired access path to your GCE instance.
Ensure the use of project-wide SSH keys is disabled
It is better to disable the use of project-wide SSH keys. Project-wide SSH keys increase the risk of a compromise of them.
Ensure the boot disk for your GCE instance is encrypted
It is better to encrypt the boot disk for your GCE instance. Encryption reduces the risk of data leakage.
Ensure your GCP instance does not have unnecessary public IPs
It is better to manage public IPs properly. To reduce the attack surface of your GCE instances, necessary public IP addresses should be assigned.
Ensure vTPM of your GCE instance is enabled
It is better to enable vTPM of your GCE instance. The Shielded VM vTPM provides an enhanced mechanism to protect secrets through shielding or sealing or to detect rootkits.
Parameters
-
allow_stopping_for_update
optional - bool
If true, allows Terraform to stop the instance to update its properties. If you try to update a property that requires stopping the instance without setting this field, the update will fail.
-
can_ip_forward
optional - bool
Whether sending and receiving of packets with non-matching source or destination IPs is allowed.
-
cpu_platform
optional computed - string
The CPU platform used by this instance.
-
current_status
optional computed - string
Current status of the instance.
-
deletion_protection
optional - bool
Whether deletion protection is enabled on this instance.
-
description
optional - string
A brief description of the resource.
-
desired_status
optional - string
Desired status of the instance. Either "RUNNING" or "TERMINATED".
-
enable_display
optional - bool
Whether the instance has virtual displays enabled.
-
guest_accelerator
optional computed - list of object
List of the type and count of accelerator cards attached to the instance.
A custom hostname for the instance. Must be a fully qualified DNS name and RFC-1035-valid. Valid format is a series of labels 1-63 characters long matching the regular expression a-z, concatenated with periods. The entire hostname must not exceed 253 characters. Changing this forces a new resource to be created.
-
id
optional computed - string -
instance_id
optional computed - string
The server-assigned unique identifier of this instance.
-
label_fingerprint
optional computed - string
The unique fingerprint of the labels.
-
labels
optional - map from string to string
A set of key/value label pairs assigned to the instance.
-
machine_type
required - string
The machine type to create.
-
metadata
optional - map from string to string
Metadata key/value pairs made available within the instance.
-
metadata_fingerprint
optional computed - string
The unique fingerprint of the metadata.
-
metadata_startup_script
optional - string
Metadata startup scripts made available within the instance.
-
min_cpu_platform
optional computed - string
The minimum CPU platform specified for the VM instance.
-
name
required - string
The name of the instance. One of name or self_link must be provided.
-
project
optional computed - string
The ID of the project in which the resource belongs. If self_link is provided, this value is ignored. If neither self_link nor project are provided, the provider project is used.
-
resource_policies
optional - list of string
A list of short names or self_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.
-
self_link
optional computed - string
The URI of the created resource.
-
tags
optional - set of string
The list of tags attached to the instance.
-
tags_fingerprint
optional computed - string
The unique fingerprint of the tags.
-
zone
optional computed - string
The zone of the instance. If self_link is provided, this value is ignored. If neither self_link nor zone are provided, the provider zone is used.
-
attached_disk
list block-
device_name
optional computed - string
Name with which the attached disk is accessible under /dev/disk/by-id/
-
disk_encryption_key_raw
optional - string
A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
disk_encryption_key_sha256
optional computed - string
The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
-
kms_key_self_link
optional computed - string
The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
mode
optional - string
Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
-
source
required - string
The name or self_link of the disk attached to this instance.
-
-
boot_disk
list block-
auto_delete
optional - bool
Whether the disk will be auto-deleted when the instance is deleted.
-
device_name
optional computed - string
Name with which attached disk will be accessible under /dev/disk/by-id/
-
disk_encryption_key_raw
optional - string
A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
disk_encryption_key_sha256
optional computed - string
The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
-
kms_key_self_link
optional computed - string
The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
-
mode
optional - string
Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
-
source
optional computed - string
The name or self_link of the disk attached to this instance.
-
initialize_params
list block-
image
optional computed - string
The image from which this disk was initialised.
-
labels
optional computed - map from string to string
A set of key/value label pairs assigned to the disk.
-
size
optional computed - number
The size of the image in gigabytes.
-
type
optional computed - string
The Google Compute Engine disk type. One of pd-standard, pd-ssd or pd-balanced.
-
-
-
confidential_instance_config
list block-
enable_confidential_compute
required - bool
Defines whether the instance should have confidential compute enabled.
-
-
network_interface
list block-
name
optional computed - string
The name of the interface
-
network
optional computed - string
The name or self_link of the network attached to this interface.
-
network_ip
optional computed - string
The private IP address assigned to the instance.
-
nic_type
optional - string
The type of vNIC to be used on this interface. Possible values:GVNIC, VIRTIO_NET
-
subnetwork
optional computed - string
The name or self_link of the subnetwork attached to this interface.
-
subnetwork_project
optional computed - string
The project in which the subnetwork belongs.
-
access_config
list block-
nat_ip
optional computed - string
The IP address that is be 1:1 mapped to the instance's network ip.
-
network_tier
optional computed - string
The networking tier used for configuring this instance. One of PREMIUM or STANDARD.
-
public_ptr_domain_name
optional - string
The DNS domain name for the public PTR record.
-
-
alias_ip_range
list block-
ip_cidr_range
required - string
The IP CIDR range represented by this alias IP range.
-
subnetwork_range_name
optional - string
The subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range.
-
-
-
scheduling
list block-
automatic_restart
optional - bool
Specifies if the instance should be restarted if it was terminated by Compute Engine (not a user).
-
min_node_cpus
optional - number -
on_host_maintenance
optional computed - string
Describes maintenance behavior for the instance. One of MIGRATE or TERMINATE,
-
preemptible
optional - bool
Whether the instance is preemptible.
-
node_affinities
set block
-
-
scratch_disk
list block-
interface
required - string
The disk interface used for attaching this disk. One of SCSI or NVME.
-
-
service_account
list block-
email
optional computed - string
The service account e-mail address.
-
scopes
required - set of string
A list of service scopes.
-
-
shielded_instance_config
list block-
enable_integrity_monitoring
optional - bool
Whether integrity monitoring is enabled for the instance.
-
enable_secure_boot
optional - bool
Whether secure boot is enabled for the instance.
-
enable_vtpm
optional - bool
Whether the instance uses vTPM.
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a VM instance resource within GCE. For more information see the official documentation and API.
Tips: Best Practices for The Other Google Compute Engine Resources
In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
google_compute_disk
Ensure the encryption key for your GCE disk is stored securely
It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.
google_compute_firewall
Ensure your VPC firewall blocks unwanted outbound traffic
It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.
google_compute_project_metadata
Ensure OS login for your GCE instances is enabled at project level
It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
google_compute_ssl_policy
Ensure to use modern TLS protocols
It's better to adopt TLS v1.2+ instead of outdated TLS protocols.
google_compute_subnetwork
Ensure VPC flow logging is enabled
It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.
Frequently asked questions
What is Google Compute Engine Instance?
Google Compute Engine Instance is a resource for Compute Engine of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Compute Engine Instance?
For Terraform, the phuongvo9/Terraform-with-GCP, kaks2015/Terraform4-CR460-H2021 and meetmuthu/lab-terra source code examples are useful. See the Terraform Example section for further details.