Creating Shielded VMs in GCP with Terraform

How do I create a Shielded VM in GCP?

Shielded virtual machines (VMs) are virtual machine instances that run on Google Cloud and are hardened by a set of security controls that help defend against rootkits and bootkits. In this guide, we will walk through the code required to create a Google Cloud Compute Engine instance with Shielded VMs enabled.

To start, we need a few key resources: an existing Google Cloud project (supplied through the Pulumi GCP provider configuration), a VPC network, and a virtual machine with the Shielded VM features enabled.

Below is the Pulumi TypeScript code that creates the network and the Shielded VM instance in that project:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The project, region and zone come from the stack's gcp:* provider config.
const vpcNetwork = new gcp.compute.Network("vpc_network", {name: "my-vpc-network"});

const shieldedVmInstance = new gcp.compute.Instance("shielded_vm_instance", {
    networkInterfaces: [{
        // An empty accessConfigs entry requests an ephemeral external IP;
        // drop it for an internal-only instance.
        accessConfigs: [{}],
        network: vpcNetwork.name,
    }],
    name: "shielded-vm-instance",
    machineType: "e2-medium",
    zone: "us-central1-a",
    bootDisk: {
        initializeParams: {
            // Shielded VM needs a UEFI-capable image; Google's public
            // debian-cloud images qualify.
            image: "debian-cloud/debian-10",
        },
    },
    shieldedInstanceConfig: {
        enableSecureBoot: true,          // reject unsigned boot components
        enableVtpm: true,                // virtual TPM that stores boot measurements
        enableIntegrityMonitoring: true, // compare measurements against a baseline (needs vTPM)
    },
    // Runs as root on first boot. The target directory does not exist on a
    // fresh Debian image, so create it before writing.
    metadataStartupScript: `#!/bin/bash
mkdir -p /var/www/html
echo "Hello, World!" > /var/www/html/index.html
`,
});

export const instanceName = shieldedVmInstance.name;
export const instanceZone = shieldedVmInstance.zone;
export const instanceSelfLink = shieldedVmInstance.selfLink;

In this configuration:

  • The Pulumi GCP provider configuration (project, region, zone in the stack config) plays the role of the Terraform provider block.
  • The gcp.compute.Network resource (google_compute_network in Terraform) creates a virtual private cloud (VPC) network.
  • The gcp.compute.Instance resource (google_compute_instance in Terraform) defines the Shielded VM instance. Its shieldedInstanceConfig enables Secure Boot, vTPM, and integrity monitoring, the three essential Shielded VM security features.
  • The metadataStartupScript (metadata_startup_script in Terraform) holds a simple script that runs on VM startup.
  • The exported constants at the end (the equivalent of Terraform output blocks) expose the VM instance name, zone, and self-link.

In summary, we relied on the stack's GCP provider configuration, created a network, and launched a Shielded VM instance with Secure Boot, vTPM, and integrity monitoring enabled. The outputs provide useful details about the created resource.
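To catch a weakened configuration before it is deployed, the following added example (not part of the original page or the Pulumi provider) checks an instance spec against the hardening baseline the guide describes: all three Shielded VM features on, and no external IP requested. The ShieldedInstanceSpec interface and the pageSpec value are assumptions that mirror only the fields of gcp.compute.InstanceArgs used above.

```typescript
// Minimal mirror of the gcp.compute.InstanceArgs fields this check needs
// (assumption; not the provider's own type).
interface ShieldedInstanceSpec {
    name: string;
    shieldedInstanceConfig?: {
        enableSecureBoot?: boolean;
        enableVtpm?: boolean;
        enableIntegrityMonitoring?: boolean;
    };
    networkInterfaces?: { accessConfigs?: Record<string, unknown>[] }[];
}

// Returns one finding per deviation; an empty list means the spec meets the baseline.
function checkShieldedInstance(spec: ShieldedInstanceSpec): string[] {
    const findings: string[] = [];
    const cfg = spec.shieldedInstanceConfig ?? {};
    // Secure Boot rejects unsigned bootloaders, kernels and drivers (bootkit defence).
    if (cfg.enableSecureBoot !== true) findings.push(`${spec.name}: enableSecureBoot is not true`);
    // The vTPM holds the boot measurements that integrity monitoring compares.
    if (cfg.enableVtpm !== true) findings.push(`${spec.name}: enableVtpm is not true`);
    if (cfg.enableIntegrityMonitoring !== true) {
        findings.push(`${spec.name}: enableIntegrityMonitoring is not true`);
    } else if (cfg.enableVtpm !== true) {
        // GCE rejects integrity monitoring without a vTPM; flag it explicitly.
        findings.push(`${spec.name}: enableIntegrityMonitoring requires enableVtpm`);
    }
    // Any accessConfigs entry, even {}, asks GCE for an external (ephemeral) IP.
    const nics = spec.networkInterfaces ?? [];
    for (let i = 0; i < nics.length; i++) {
        if ((nics[i].accessConfigs ?? []).length > 0) {
            findings.push(`${spec.name}: networkInterfaces[${i}] requests an external IP`);
        }
    }
    return findings;
}

// Constructed spec reproducing the values from the guide's instance above.
const pageSpec: ShieldedInstanceSpec = {
    name: "shielded-vm-instance",
    shieldedInstanceConfig: { enableSecureBoot: true, enableVtpm: true, enableIntegrityMonitoring: true },
    networkInterfaces: [{ accessConfigs: [{}] }],
};

// Same instance with the external IP removed: passes the baseline.
const internalOnlySpec: ShieldedInstanceSpec = { ...pageSpec, networkInterfaces: [{}] };
```

The check runs on plain objects, so it can be called on the args object before `new gcp.compute.Instance(...)` or wrapped in a Pulumi policy pack.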
