How do I create a Shielded VM in GCP?
Shielded virtual machines (VMs) are virtual machine instances that run on Google Cloud and are hardened by a set of security controls that help defend against rootkits and bootkits. In this guide, we will walk through the code required to create a Google Cloud Compute Engine instance with Shielded VMs enabled.
To start, you need an existing Google Cloud project that your Pulumi stack is configured to use (the code below does not create the project itself). Within that project, the program creates a VPC network and a Compute Engine instance with the Shielded VM features enabled.
Below is the Pulumi TypeScript code that creates the network and the Shielded VM instance:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// VPC network the instance will attach to.
const vpcNetwork = new gcp.compute.Network("vpc_network", { name: "my-vpc-network" });

const shieldedVmInstance = new gcp.compute.Instance("shielded_vm_instance", {
    networkInterfaces: [{
        // An empty access config assigns an ephemeral external IP address.
        accessConfigs: [{}],
        network: vpcNetwork.name,
    }],
    name: "shielded-vm-instance",
    machineType: "e2-medium",
    zone: "us-central1-a",
    bootDisk: {
        initializeParams: {
            // Shielded VM needs an image that supports it; the Google-provided Debian images do.
            image: "debian-cloud/debian-10",
        },
    },
    // The three Shielded VM controls: Secure Boot, virtual TPM, and integrity monitoring.
    shieldedInstanceConfig: {
        enableSecureBoot: true,
        enableVtpm: true,
        enableIntegrityMonitoring: true,
    },
    // Startup script; the directory is created first because a fresh image does not have it.
    metadataStartupScript: `#!/bin/bash
mkdir -p /var/www/html
echo "Hello, World!" > /var/www/html/index.html
`,
});

// Stack outputs exposing details of the created instance.
export const instanceName = shieldedVmInstance.name;
export const instanceZone = shieldedVmInstance.zone;
export const instanceSelfLink = shieldedVmInstance.selfLink;
```
In this configuration:
- The `@pulumi/gcp` import provides the Google Cloud provider; the project and default region or zone come from the stack configuration (for example `gcp:project`).
- The `gcp.compute.Network` resource creates a virtual private cloud (VPC) network.
- The `gcp.compute.Instance` resource defines the Shielded VM instance. Its `shieldedInstanceConfig` enables Secure Boot, vTPM, and integrity monitoring, the three essential Shielded VM security features.
- `metadataStartupScript` holds a simple script that runs on VM startup.
- The `export` statements at the end expose the VM instance name, zone, and self-link as stack outputs.
In summary, we configured a GCP provider, created a network, and launched a Shielded VM instance with security features enabled. The outputs provide useful details about the created resource.
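Two checks a defender would want alongside this deployment, as an added example that is not part of the Pulumi page above: a validation of the instance arguments in the shape a Pulumi CrossGuard `validateResource` callback would run (written without `@pulumi/policy` so it runs stand-alone), and a scan of Shielded VM integrity-monitoring log entries for failed early- or late-boot policy evaluations. The log field names follow Google's `shielded_vm_integrity` log; the sample entries, instance IDs and project name are constructed.

```typescript
// Added example, not part of the original Pulumi page. Checks for the Shielded VM
// configuration above: a config validator and an integrity-monitoring log scan.

interface ShieldedInstanceConfig {
    enableSecureBoot?: boolean;
    enableVtpm?: boolean;
    enableIntegrityMonitoring?: boolean;
}

interface InstanceArgs {
    name: string;
    shieldedInstanceConfig?: ShieldedInstanceConfig;
}

// One message per disabled control; an empty array means the instance is compliant.
// This is the logic a CrossGuard validateResourceOfType(gcp.compute.Instance, ...)
// callback would apply before calling reportViolation().
function shieldedVmViolations(args: InstanceArgs): string[] {
    const cfg = args.shieldedInstanceConfig;
    if (cfg === undefined) {
        // Secure Boot defaults to off when the block is omitted, and a policy
        // should not rely on provider defaults for the other two controls.
        return [`${args.name}: shieldedInstanceConfig is missing`];
    }
    const required: Array<keyof ShieldedInstanceConfig> = [
        "enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring",
    ];
    return required
        .filter((key) => cfg[key] !== true)
        .map((key) => `${args.name}: ${key} must be true`);
}

// Subset of an integrity-monitoring log entry (compute.googleapis.com/shielded_vm_integrity).
interface IntegrityLogEntry {
    logName: string;
    resource: { labels: { instance_id: string; zone: string } };
    jsonPayload: {
        bootCounter?: string;
        earlyBootReportEvent?: { policyEvaluationPassed: boolean };
        lateBootReportEvent?: { policyEvaluationPassed: boolean };
    };
}

// One finding per entry whose early- or late-boot measurements failed policy
// evaluation, which means the boot chain changed since the recorded baseline.
function integrityFailures(entries: IntegrityLogEntry[]): string[] {
    const findings: string[] = [];
    for (const e of entries) {
        if (!e.logName.endsWith("shielded_vm_integrity")) continue;
        const failed: string[] = [];
        if (e.jsonPayload.earlyBootReportEvent?.policyEvaluationPassed === false) failed.push("early boot");
        if (e.jsonPayload.lateBootReportEvent?.policyEvaluationPassed === false) failed.push("late boot");
        if (failed.length > 0) {
            findings.push(
                `instance ${e.resource.labels.instance_id} in ${e.resource.labels.zone}, ` +
                `boot #${e.jsonPayload.bootCounter ?? "?"}: ${failed.join(" and ")} integrity check failed`);
        }
    }
    return findings;
}

// Constructed sample entries (not real log output); the second one fails late-boot evaluation.
const sampleEntries: IntegrityLogEntry[] = [
    {
        logName: "projects/my-project/logs/compute.googleapis.com%2Fshielded_vm_integrity",
        resource: { labels: { instance_id: "1111111111111111111", zone: "us-central1-a" } },
        jsonPayload: {
            bootCounter: "3",
            earlyBootReportEvent: { policyEvaluationPassed: true },
            lateBootReportEvent: { policyEvaluationPassed: true },
        },
    },
    {
        logName: "projects/my-project/logs/compute.googleapis.com%2Fshielded_vm_integrity",
        resource: { labels: { instance_id: "2222222222222222222", zone: "us-central1-a" } },
        jsonPayload: {
            bootCounter: "4",
            earlyBootReportEvent: { policyEvaluationPassed: true },
            lateBootReportEvent: { policyEvaluationPassed: false },
        },
    },
];

const compliant = shieldedVmViolations({
    name: "shielded-vm-instance",
    shieldedInstanceConfig: { enableSecureBoot: true, enableVtpm: true, enableIntegrityMonitoring: true },
});
const weak = shieldedVmViolations({ name: "legacy-vm", shieldedInstanceConfig: { enableVtpm: true } });
const failures = integrityFailures(sampleEntries);

console.log({ compliant, weak, failures });
```

The validator treats a missing `shieldedInstanceConfig` as the weakest case rather than assuming defaults, and the log scan keys on `policyEvaluationPassed` for both boot phases so that a change to the kernel or drivers (late boot) is caught even when firmware measurements (early boot) still match.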