Google Compute Engine SSL Certificate

google_compute_ssl_certificate (Terraform)

The SSL Certificate in Compute Engine can be configured in Terraform with the resource name google_compute_ssl_certificate. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

• certificate required - string

The certificate in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.

• certificate_id optional computed - number

The unique identifier for the resource.

• creation_timestamp optional computed - string

Creation timestamp in RFC3339 text format.

• description optional - string

An optional description of this resource.

• id optional computed - string
• name optional computed - string

Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. These are in the same namespace as the managed SSL certificates.

• name_prefix optional computed - string

Creates a unique name beginning with the specified prefix. Conflicts with name.

• private_key required - string

The write-only private key in PEM format.

• project optional computed - string
• self_link optional computed - string
• timeouts single block
  • create optional - string
  • delete optional - string

Explanation in Terraform Registry

An SslCertificate resource, used for HTTPS load balancing. This resource provides a mechanism to upload an SSL key and certificate to the load balancer to serve secure connections from the user. To get more information about SslCertificate, see:

• API documentation
• How-to Guides
  • Official Documentation

    Warning: All arguments including certificate and private_key will be stored in the raw state as plain-text. Read more about sensitive data in state.

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.