Google Compute Engine Packet Mirroring

google_compute_packet_mirroring (Terraform)

The Packet Mirroring in Compute Engine can be configured in Terraform with the resource name google_compute_packet_mirroring. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

terraform-google-modules/terraform-docs-samples

resource "google_compute_packet_mirroring" "foobar" {
  name = "my-mirroring"
  description = "bar"
  network {
    url = google_compute_network.default.id
  }

freight-hub/terraform-modules-demo

resource "google_compute_packet_mirroring" "default" {
  project     = google_compute_instance.mirror.project # Replace this with a reference to your project ID
  region      = "us-central1"
  name        = "my-mirroring"
  description = "My packet mirror"
  network {

rituraj-tiwari/terraform-google-network

resource "google_compute_packet_mirroring" "default" {
  project     = google_compute_instance.mirror.project # Replace this with a reference to your project ID
  region      = "us-central1"
  name        = "my-mirroring"
  description = "My packet mirror"
  network {

boltops-learn/terraspace-google-network-registry

resource "google_compute_packet_mirroring" "default" {
  project     = google_compute_instance.mirror.project # Replace this with a reference to your project ID
  region      = "us-central1"
  name        = "my-mirroring"
  description = "My packet mirror"
  network {

Nixon120/terraform-google-network

resource "google_compute_packet_mirroring" "default" {
  project     = google_compute_instance.mirror.project # Replace this with a reference to your project ID
  region      = "us-central1"
  name        = "my-mirroring"
  description = "My packet mirror"
  network {

Parameters

• description optional - string

A human-readable description of the rule.

• id optional computed - string
• name required - string

The name of the packet mirroring rule

• priority optional computed - number

Since only one rule can be active at a time, priority is used to break ties in the case of two rules that apply to the same instances.

• project optional computed - string
• region optional computed - string

The Region in which the created address should reside. If it is not provided, the provider region is used.

• collector_ilb list block
  • url required - string

  The URL of the forwarding rule.

• filter list block
  • cidr_ranges optional - list of string

  IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported.

  • direction optional - string

  Direction of traffic to mirror. Default value: "BOTH" Possible values: ["INGRESS", "EGRESS", "BOTH"]

  • ip_protocols optional - list of string

  Protocols that apply as a filter on mirrored traffic. Possible values: ["tcp", "udp", "icmp"]

• mirrored_resources list block
  • tags optional - list of string

  All instances with these tags will be mirrored.

  • instances list block
    • url required - string

    The URL of the instances where this rule should be active.

  • subnetworks list block
    • url required - string

    The URL of the subnetwork where this rule should be active.

• network list block
  • url required - string

  The full self_link URL of the network where this rule is active.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

Packet Mirroring mirrors traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance. To get more information about PacketMirroring, see:

• API documentation
• How-to Guides
  • Using Packet Mirroring

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.