Google Compute Engine Per Instance Config
This page shows how to write Terraform for a Compute Engine Per Instance Config and how to write it securely.
The Per Instance Config in Compute Engine can be configured in Terraform with the resource name
google_compute_per_instance_config. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters

instance_group_manager (required, string)
  The instance group manager this instance config is part of.

minimal_action (optional, string)
  The minimal action to perform on the instance when the config is applied. Default value: "NONE". Possible values: ["NONE", "REFRESH", "RESTART", "REPLACE"]

most_disruptive_allowed_action (optional, string)
  The most disruptive action that applying the config is allowed to perform on the instance; if the change needs more than this, the apply fails instead of recreating the instance. Default value: "REPLACE". Possible values: ["NONE", "REFRESH", "RESTART", "REPLACE"]

name (required, string)
  The name for this per-instance config and its corresponding instance.

project (optional, computed, string)
  The ID of the project in which the resource belongs. If omitted, the provider's project is used.

remove_instance_state_on_destroy (optional, bool)
  When true, destroying this config immediately removes the preserved state from the underlying instance. When false (the default), the state stays on the instance until its next recreation or update.

zone (optional, string)
  Zone where the containing instance group manager is located.

preserved_state (optional, block)
  The stateful metadata and disks preserved for this instance. It takes the following fields.

  metadata (optional, map from string to string)
    Preserved metadata defined for this instance. This is a list of key->value pairs.

  disk (optional, block, repeatable)
    A stateful disk attached to the instance. Each disk block takes the following fields.

    delete_rule (optional, string)
      A value that prescribes what should happen to the stateful disk when the VM instance is deleted. 'NEVER' detaches the disk when the VM is deleted but does not delete the disk. 'ON_PERMANENT_INSTANCE_DELETION' deletes the stateful disk when the VM is permanently deleted from the instance group. Default value: "NEVER". Possible values: ["NEVER", "ON_PERMANENT_INSTANCE_DELETION"]

    device_name (required, string)
      A unique device name that is reflected into the /dev/ tree of a Linux operating system running within the instance.

    mode (optional, string)
      The mode of the disk. Default value: "READ_WRITE". Possible values: ["READ_ONLY", "READ_WRITE"]

    source (required, string)
      The URI of an existing persistent disk to attach under the specified device name, in the format 'projects/project-id/zones/zone/disks/disk-name'.
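The following Terraform is an added example written for this page; it is not code from the Terraform Registry or from any project. It shows the parameters above in use: a stateful per-instance config that pins one instance's name, attaches a dedicated persistent disk and carries per-instance metadata. The zone, the resource names (app-0, app-0-data, stateful-igm) and the referenced instance template google_compute_instance_template.app are assumptions.

```hcl
# Added example for this page (not taken from the registry or any project).
# The zone, the names and the referenced instance template are assumptions.
resource "google_compute_disk" "app_0_data" {
  name = "app-0-data"
  zone = "us-central1-a"
  size = 50
  type = "pd-balanced"
}

resource "google_compute_instance_group_manager" "stateful" {
  name               = "stateful-igm"
  zone               = "us-central1-a"
  base_instance_name = "app"
  target_size        = 1
  version {
    instance_template = google_compute_instance_template.app.id # assumed to exist
  }
}

resource "google_compute_per_instance_config" "app_0" {
  zone                   = "us-central1-a"
  instance_group_manager = google_compute_instance_group_manager.stateful.name
  name                   = "app-0"

  # Let the IGM pick the least disruptive action, but cap it at RESTART: if a
  # change would need a REPLACE, the apply fails instead of recreating the VM
  # (and its local state) behind the operator's back.
  minimal_action                 = "NONE"
  most_disruptive_allowed_action = "RESTART"

  # On terraform destroy, strip the preserved state from the VM right away
  # instead of leaving it attached until the next recreation or update.
  remove_instance_state_on_destroy = true

  preserved_state {
    # Instance metadata is readable by every process on the VM through the
    # metadata server and by anyone who can get the instance: configuration
    # only, never credentials.
    metadata = {
      role = "db-primary"
    }

    disk {
      device_name = "data"
      source      = google_compute_disk.app_0_data.id
      mode        = "READ_WRITE"
      # NEVER (the default) detaches but keeps the disk when the VM is deleted,
      # so the data survives; ON_PERMANENT_INSTANCE_DELETION deletes it with
      # the VM. Choose deliberately: one protects data, the other limits what
      # is left behind for someone else to attach.
      delete_rule = "NEVER"
    }
  }
}
```

Two points a practitioner should check before applying this: the disk's `id` attribute already has the 'projects/.../zones/.../disks/...' form that `source` expects, so no string assembly is needed; and whatever `delete_rule` is chosen, a detached disk kept by 'NEVER' is still a copy of the instance's data and should be covered by the same IAM and encryption controls as the running VM.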
Explanation in Terraform Registry
A config defined for a single managed instance that belongs to an instance group manager. It preserves the instance name across instance group manager operations and can define stateful disks or metadata that are unique to the instance. To get more information about PerInstanceConfig, see:
Tips: Best Practices for The Other Google Compute Engine Resources
In addition to google_compute_per_instance_config, Google Compute Engine has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
Ensure the encryption key for your GCE disk is stored securely
Do not hard-code a customer-supplied encryption key for a GCE disk in the Terraform source or commit it to version control. Store the key in Secret Manager instead and have Terraform read it at apply time.
Ensure your VPC firewall blocks unwanted outbound traffic
Block outbound traffic that the workload does not need, so that a compromised instance cannot freely reach the internet to exfiltrate data or fetch further payloads.
Ensure appropriate service account is assigned to your GCE instance
Create a custom service account with only the IAM roles the workload needs and assign it to the instance, instead of running on the default Compute Engine service account.
Ensure OS login for your GCE instances is enabled at project level
Enable OS Login for your GCE instances. OS Login maps the SSH keys used to connect to instances to IAM users, which allows centralized and automated SSH key management and revocation.
Ensure to use modern TLS protocols
Adopt TLS 1.2 or later and disable outdated TLS protocols.
Ensure VPC flow logging is enabled
Enable VPC Flow Logs. Flow logs let you audit the traffic in your network and investigate suspicious connections after the fact.
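As an added example written for this page (not from the original page or any project), the following Terraform applies the six precautions above in one configuration. Every resource name, CIDR, zone and the Secret Manager secret name gce-disk-csek are assumptions for illustration.

```hcl
# Added example for this page (not from the original). All names, CIDRs and
# the secret name are assumptions.

# 1. Disk key out of source control: read from Secret Manager at apply time.
data "google_secret_manager_secret_version" "disk_key" {
  secret = "gce-disk-csek" # assumed: holds a base64-encoded 256-bit key
}

resource "google_compute_disk" "data" {
  name = "app-data"
  zone = "us-central1-a"
  size = 20
  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}

# 2. Egress control: deny everything at low priority, allow only what is needed.
resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
}

resource "google_compute_firewall" "allow_https_egress" {
  name               = "allow-https-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["0.0.0.0/0"]
  target_tags        = ["app"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# 6. VPC Flow Logs on the subnet the instances live in.
resource "google_compute_subnetwork" "app" {
  name          = "app-subnet"
  ip_cidr_range = "10.10.0.0/24"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# 3. Dedicated service account; grant IAM roles to it, not the default SA.
resource "google_service_account" "app" {
  account_id   = "app-instance"
  display_name = "App instance service account"
}

resource "google_compute_instance" "app" {
  name         = "app-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  tags         = ["app"]
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.app.id # no access_config: no public IP
  }
  service_account {
    email  = google_service_account.app.email
    scopes = ["cloud-platform"] # least privilege comes from IAM roles, not scopes
  }
}

# 4. OS Login for the whole project: SSH goes through IAM, not static keys.
resource "google_compute_project_metadata_item" "oslogin" {
  key   = "enable-oslogin"
  value = "TRUE"
}

# 5. Modern TLS only; attach this policy to the HTTPS target proxies.
resource "google_compute_ssl_policy" "modern" {
  name            = "modern-tls"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}
```

Two caveats on the first item: a key passed through `raw_key` is written to Terraform state, so the state backend needs the same protection as the secret itself, and the `deny_all_egress` rule also blocks the instance's own reach to Google APIs unless Private Google Access or a specific allow rule covers them, so test the allow list against what the workload actually needs before rolling it out.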