
Compute Engine

In this section you will create a Compute Engine instance to run an application, together with the related VPC network and a Service Account.

A VPC, or Virtual Private Cloud, is a network block all of your own. The Service Account is the identity the Compute Engine virtual machine runs as. It can have its own set of IAM rules (role bindings), which determine what it is allowed to access. Google recommends using custom Service Accounts instead of the default ones, so you have better control over the privileges.

In this exercise, you will learn how to create multiple resources and have them reference each other.

Exercises: VPC and Service Account

  1. Create a resource block with the type google_compute_network named default with the following parameters:
    • name = "${var.name}-vpc-network"
    • auto_create_subnetworks = true
    • Remember to specify the project
  2. Create a resource block with the type google_service_account named default with the following parameters:
    • account_id = "${var.name}-service-account"
    • display_name = "${var.name}-service-account"
    • Remember to specify the project
Help

terraform/compute_engine.tf

resource "google_compute_network" "default" {
  name                    = "${var.name}-vpc-network"
  project                 = var.project
  auto_create_subnetworks = true
}

terraform/compute_engine.tf

resource "google_service_account" "default" {
  account_id   = "${var.name}-service-account"
  display_name = "${var.name} Service Account"
  project      = var.project
}

Extra

  1. Instead of using auto_create_subnetworks = true, create a separate custom subnet
    • The resource is google_compute_subnetwork; the instructor will help you select an ip_cidr_range
    • You will also need to specify the subnetwork in the network_interface block of the Compute Engine instance below

Exercises: Compute Engine Virtual Machine

  1. Create a resource block with the type google_compute_instance named default with the following parameters:
    • name = "${var.name}-instance"
    • machine_type = "e2-micro"
    • zone = var.zone
    • Remember to specify the project
    • tags = ["http", "ssh"]
    • metadata_startup_script = "sudo apt update && sudo apt -y install apache2"
    • For the boot_disk image configuration, use debian-cloud/debian-11
    • For the network_interface reference the VPC you have created
      • Hint: You will need the self_link of the resource
      • The access_config block can be left empty
    • For the service_account email configuration reference the email of the Service Account you created
      • scopes = ["cloud-platform"]

Extra

  1. Move the metadata_startup_script to a separate file called startup.sh
    • You can then use Terraform's functions to read the file from disk
  2. Add an output to show the assigned public IP address of the created Compute Engine instance
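Both Extras worked through together (the custom subnet from the earlier Extra, and the startup.sh file plus the public-IP output from this one), as an added example that is not part of the original exercise answers. It assumes a variable var.region for the subnet's region (var.zone must lie inside it), a placeholder range 10.10.0.0/24, a file startup.sh next to the .tf files holding the apt commands from the exercise, and the google_service_account.default resource exactly as in the Help above.

```hcl
# Added example (not the exercise answer). Assumed: var.region, the
# placeholder range 10.10.0.0/24, and terraform/startup.sh holding
# "sudo apt update && sudo apt -y install apache2".
resource "google_compute_network" "default" {
  name                    = "${var.name}-vpc-network"
  project                 = var.project
  auto_create_subnetworks = false # subnets are now declared explicitly
}

resource "google_compute_subnetwork" "default" {
  name          = "${var.name}-subnet"
  project       = var.project
  region        = var.region # assumed variable; var.zone must be in it
  network       = google_compute_network.default.self_link
  ip_cidr_range = "10.10.0.0/24" # placeholder, use the agreed range
}

resource "google_compute_instance" "default" {
  name         = "${var.name}-instance"
  machine_type = "e2-micro"
  zone         = var.zone
  project      = var.project
  tags         = ["http", "ssh"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    # Attach to the custom subnet instead of the network itself
    subnetwork = google_compute_subnetwork.default.self_link
    access_config {} # empty block requests an ephemeral public IP
  }

  # Read the startup script from disk instead of inlining it
  metadata_startup_script = file("${path.module}/startup.sh")

  service_account {
    email  = google_service_account.default.email
    # With cloud-platform scope, the Service Account's IAM roles are the only limit
    scopes = ["cloud-platform"]
  }
}

output "instance_public_ip" {
  value = google_compute_instance.default.network_interface[0].access_config[0].nat_ip
}
```

After terraform apply, the output prints the address you can later test against once the firewall rules exist.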
Help

terraform/compute_engine.tf

resource "google_compute_instance" "default" {
  name         = "${var.name}-instance"
  machine_type = "e2-micro"
  zone         = var.zone
  project      = var.project

  tags = ["http", "ssh"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = google_compute_network.default.self_link
    access_config {}
  }

  metadata_startup_script = "sudo apt update && sudo apt -y install apache2"

  service_account {
    email  = google_service_account.default.email
    scopes = ["cloud-platform"]
  }
}

Check your configuration

To check your Terraform configuration run:

terraform plan

What changed? Does everything look OK?

Apply your configuration

Run terraform apply, to make changes to the infrastructure:

terraform apply

After the apply, the VM is up and running, hopefully serving HTTP via Apache2 and accepting SSH.

But is it accessible? If you added the output, you can try to reach the instance with a browser or over SSH.

Don't worry if you didn't; it's not yet accessible anyway, because we haven't created the firewall rules. Let's do that next!


Answer

terraform/compute_engine.tf

resource "google_compute_network" "default" {
  name                    = "${var.name}-vpc-network"
  project                 = var.project
  auto_create_subnetworks = true
}

resource "google_service_account" "default" {
  account_id   = "${var.name}-service-account"
  display_name = "${var.name} Service Account"
  project      = var.project
}

resource "google_compute_instance" "default" {
  name         = "${var.name}-instance"
  machine_type = "e2-micro"
  zone         = var.zone
  project      = var.project

  tags = ["http", "ssh"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = google_compute_network.default.self_link
    access_config {}
  }

  metadata_startup_script = "sudo apt update && sudo apt -y install apache2"

  service_account {
    email  = google_service_account.default.email
    scopes = ["cloud-platform"]
  }
}

Next

Next, we set up some firewall rules for the Compute Engine instance.