Google Compute Engine Per Instance Config
This page shows how to write Terraform for a Compute Engine Per Instance Config and how to write it securely.
google_compute_per_instance_config (Terraform)
The Per Instance Config in Compute Engine can be configured in Terraform with the resource name google_compute_per_instance_config. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- id (optional computed - string)
- instance_group_manager (required - string): The instance group manager this instance config is part of.
- minimal_action (optional - string)
- most_disruptive_allowed_action (optional - string)
- name (required - string): The name for this per-instance config and its corresponding instance.
- project (optional computed - string)
- remove_instance_state_on_destroy (optional - bool)
- zone (optional - string): Zone where the containing instance group manager is located.
- preserved_state (list block)
  - metadata (optional - map from string to string): Preserved metadata defined for this instance. This is a list of key->value pairs.
  - disk (set block)
    - delete_rule (optional - string): A value that prescribes what should happen to the stateful disk when the VM instance is deleted. The available options are 'NEVER' and 'ON_PERMANENT_INSTANCE_DELETION'. 'NEVER' detaches the disk when the VM is deleted but does not delete the disk. 'ON_PERMANENT_INSTANCE_DELETION' deletes the stateful disk when the VM is permanently deleted from the instance group. Default value: "NEVER". Possible values: ["NEVER", "ON_PERMANENT_INSTANCE_DELETION"]
    - device_name (required - string): A unique device name that is reflected into the /dev/ tree of a Linux operating system running within the instance.
    - mode (optional - string): The mode of the disk. Default value: "READ_WRITE". Possible values: ["READ_ONLY", "READ_WRITE"]
    - source (required - string): The URI of an existing persistent disk to attach under the specified device-name, in the format 'projects/project-id/zones/zone/disks/disk-name'.
- timeouts (single block)
Explanation in Terraform Registry
A config defined for a single managed instance that belongs to an instance group manager. It preserves the instance name across instance group manager operations and can define stateful disks or metadata that are unique to the instance. To get more information about PerInstanceConfig, see:
- API documentation
- How-to Guides
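Since no example could be found in GitHub, the following configuration is added here as a worked example (it is not from the page, the Terraform Registry or any GitHub project). It pins one managed instance's name and its stateful data disk; the instance group manager google_compute_instance_group_manager.db, the project id, zone and disk name are assumed placeholders to be adapted.

```hcl
# Added example: a stateful per-instance config for one VM in a zonal
# managed instance group. The instance group manager, project id, zone
# and disk name below are placeholders, not values from the page.
resource "google_compute_per_instance_config" "stateful_db" {
  zone                   = "us-central1-a"
  # The instance group manager this config is part of (assumed to be
  # declared elsewhere in the same configuration).
  instance_group_manager = google_compute_instance_group_manager.db.name

  # The instance name is preserved across instance group manager operations.
  name = "db-instance-0"

  # Let the provider pick the least disruptive action for an update, and
  # cap what it may do at RESTART so an update never silently REPLACEs
  # the VM (and with it anything not covered by preserved_state).
  minimal_action                 = "NONE"
  most_disruptive_allowed_action = "RESTART"

  # On terraform destroy, also remove the preserved state from the
  # instance group manager so no stale per-instance config lingers.
  remove_instance_state_on_destroy = true

  preserved_state {
    # Keep only non-secret, instance-specific settings here: preserved
    # metadata is readable from inside the VM and is not a secret store.
    metadata = {
      role = "primary"
    }

    disk {
      # Device name as it appears under /dev/ inside the guest.
      device_name = "data"
      # Full URI of an existing persistent disk (placeholder values).
      source      = "projects/my-project-id/zones/us-central1-a/disks/db-data-0"
      mode        = "READ_WRITE"
      # NEVER (the default) detaches the disk and keeps the data when the VM
      # is deleted; ON_PERMANENT_INSTANCE_DELETION would delete it with the VM.
      delete_rule = "NEVER"
    }
  }
}
```

Because delete_rule governs whether the data survives the VM, choose ON_PERMANENT_INSTANCE_DELETION only for disks whose contents are disposable; the disk's own encryption and access settings are configured on the google_compute_disk resource it references, not here.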
Tips: Best Practices for Other Google Compute Engine Resources
In addition to the resource described above, Google Compute Engine has other resources that should be configured with security in mind. Some examples of those resources and their precautions follow.
google_compute_disk
Ensure the encryption key for your GCE disk is stored securely
It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.
google_compute_firewall
Ensure your VPC firewall blocks unwanted outbound traffic
It is better to block unwanted outbound traffic so as not to expose resources in the VPC to unwanted attacks.
google_compute_instance
Ensure an appropriate service account is assigned to your GCE instance
It is better to create a custom service account for the instance and assign it.
google_compute_project_metadata
Ensure OS login for your GCE instances is enabled at project level
It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
google_compute_ssl_policy
Ensure to use modern TLS protocols
It's better to adopt TLS v1.2+ instead of outdated TLS protocols.
google_compute_subnetwork
Ensure VPC flow logging is enabled
It is better to enable VPC flow logging. VPC flow logging allows you to audit traffic in your network.