The gcp:workbench/instance:Instance resource, part of the Pulumi GCP provider, provisions a Vertex AI Workbench instance: a managed JupyterLab environment with configurable compute, storage, and networking. This guide focuses on four capabilities: container and VM image selection, GPU acceleration with compute reservations, custom networking and disk encryption, and confidential computing for sensitive data.
Workbench instances may reference custom VPCs, subnets, static IPs, KMS keys, service accounts, and compute reservations that must exist separately. The examples are intentionally small. Combine them with your own networking, security, and access control infrastructure.
Create a minimal instance with defaults
Most deployments start with a minimal configuration that relies on GCP defaults for machine type, disk, and networking.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-west1-a",
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-west1-a")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-west1-a"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-west1-a",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-west1-a")
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-west1-a
The name property sets the instance identifier, and location specifies the zone. Without explicit gceSetup configuration, the instance uses GCP’s default machine type, Workbench image, and network settings. The instance starts in ACTIVE state unless you specify desiredState.
Deploy with a custom container image
Data science teams often standardize on specific container images with pre-installed libraries and frameworks.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-west1-a",
gceSetup: {
containerImage: {
repository: "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
tag: "latest",
},
},
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-west1-a",
gce_setup={
"container_image": {
"repository": "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
"tag": "latest",
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-west1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
ContainerImage: &workbench.InstanceGceSetupContainerImageArgs{
Repository: pulumi.String("us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310"),
Tag: pulumi.String("latest"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-west1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
ContainerImage = new Gcp.Workbench.Inputs.InstanceGceSetupContainerImageArgs
{
Repository = "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
Tag = "latest",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupContainerImageArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-west1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.containerImage(InstanceGceSetupContainerImageArgs.builder()
.repository("us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310")
.tag("latest")
.build())
.build())
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-west1-a
gceSetup:
containerImage:
repository: us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310
tag: latest
The gceSetup.containerImage property points to a container repository and tag. This example uses a Deep Learning container from Google’s managed registry. The instance runs JupyterLab inside this container rather than using a VM image.
Attach GPUs for accelerated workloads
Machine learning training and inference often require GPU acceleration. Workbench instances can attach GPUs and consume compute reservations to guarantee availability.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const gpuReservation = new gcp.compute.Reservation("gpu_reservation", {
name: "wbi-reservation",
zone: "us-central1-a",
specificReservation: {
count: 1,
instanceProperties: {
machineType: "n1-standard-1",
guestAccelerators: [{
acceleratorType: "nvidia-tesla-t4",
acceleratorCount: 1,
}],
},
},
specificReservationRequired: false,
});
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n1-standard-1",
acceleratorConfigs: [{
type: "NVIDIA_TESLA_T4",
coreCount: "1",
}],
vmImage: {
project: "cloud-notebooks-managed",
family: "workbench-instances",
},
reservationAffinity: {
consumeReservationType: "RESERVATION_ANY",
},
},
}, {
dependsOn: [gpuReservation],
});
import pulumi
import pulumi_gcp as gcp
gpu_reservation = gcp.compute.Reservation("gpu_reservation",
name="wbi-reservation",
zone="us-central1-a",
specific_reservation={
"count": 1,
"instance_properties": {
"machine_type": "n1-standard-1",
"guest_accelerators": [{
"accelerator_type": "nvidia-tesla-t4",
"accelerator_count": 1,
}],
},
},
specific_reservation_required=False)
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n1-standard-1",
"accelerator_configs": [{
"type": "NVIDIA_TESLA_T4",
"core_count": "1",
}],
"vm_image": {
"project": "cloud-notebooks-managed",
"family": "workbench-instances",
},
"reservation_affinity": {
"consume_reservation_type": "RESERVATION_ANY",
},
},
opts = pulumi.ResourceOptions(depends_on=[gpu_reservation]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
gpuReservation, err := compute.NewReservation(ctx, "gpu_reservation", &compute.ReservationArgs{
Name: pulumi.String("wbi-reservation"),
Zone: pulumi.String("us-central1-a"),
SpecificReservation: &compute.ReservationSpecificReservationArgs{
Count: pulumi.Int(1),
InstanceProperties: &compute.ReservationSpecificReservationInstancePropertiesArgs{
MachineType: pulumi.String("n1-standard-1"),
GuestAccelerators: compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArray{
&compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs{
AcceleratorType: pulumi.String("nvidia-tesla-t4"),
AcceleratorCount: pulumi.Int(1),
},
},
},
},
SpecificReservationRequired: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n1-standard-1"),
AcceleratorConfigs: workbench.InstanceGceSetupAcceleratorConfigArray{
&workbench.InstanceGceSetupAcceleratorConfigArgs{
Type: pulumi.String("NVIDIA_TESLA_T4"),
CoreCount: pulumi.String("1"),
},
},
VmImage: &workbench.InstanceGceSetupVmImageArgs{
Project: pulumi.String("cloud-notebooks-managed"),
Family: pulumi.String("workbench-instances"),
},
ReservationAffinity: &workbench.InstanceGceSetupReservationAffinityArgs{
ConsumeReservationType: pulumi.String("RESERVATION_ANY"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
gpuReservation,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var gpuReservation = new Gcp.Compute.Reservation("gpu_reservation", new()
{
Name = "wbi-reservation",
Zone = "us-central1-a",
SpecificReservation = new Gcp.Compute.Inputs.ReservationSpecificReservationArgs
{
Count = 1,
InstanceProperties = new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesArgs
{
MachineType = "n1-standard-1",
GuestAccelerators = new[]
{
new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs
{
AcceleratorType = "nvidia-tesla-t4",
AcceleratorCount = 1,
},
},
},
},
SpecificReservationRequired = false,
});
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n1-standard-1",
AcceleratorConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupAcceleratorConfigArgs
{
Type = "NVIDIA_TESLA_T4",
CoreCount = "1",
},
},
VmImage = new Gcp.Workbench.Inputs.InstanceGceSetupVmImageArgs
{
Project = "cloud-notebooks-managed",
Family = "workbench-instances",
},
ReservationAffinity = new Gcp.Workbench.Inputs.InstanceGceSetupReservationAffinityArgs
{
ConsumeReservationType = "RESERVATION_ANY",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
gpuReservation,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Reservation;
import com.pulumi.gcp.compute.ReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationInstancePropertiesArgs;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupVmImageArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupReservationAffinityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gpuReservation = new Reservation("gpuReservation", ReservationArgs.builder()
.name("wbi-reservation")
.zone("us-central1-a")
.specificReservation(ReservationSpecificReservationArgs.builder()
.count(1)
.instanceProperties(ReservationSpecificReservationInstancePropertiesArgs.builder()
.machineType("n1-standard-1")
.guestAccelerators(ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs.builder()
.acceleratorType("nvidia-tesla-t4")
.acceleratorCount(1)
.build())
.build())
.build())
.specificReservationRequired(false)
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n1-standard-1")
.acceleratorConfigs(InstanceGceSetupAcceleratorConfigArgs.builder()
.type("NVIDIA_TESLA_T4")
.coreCount("1")
.build())
.vmImage(InstanceGceSetupVmImageArgs.builder()
.project("cloud-notebooks-managed")
.family("workbench-instances")
.build())
.reservationAffinity(InstanceGceSetupReservationAffinityArgs.builder()
.consumeReservationType("RESERVATION_ANY")
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(gpuReservation)
.build());
}
}
resources:
gpuReservation:
type: gcp:compute:Reservation
name: gpu_reservation
properties:
name: wbi-reservation
zone: us-central1-a
specificReservation:
count: 1
instanceProperties:
machineType: n1-standard-1
guestAccelerators:
- acceleratorType: nvidia-tesla-t4
acceleratorCount: 1
specificReservationRequired: false
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n1-standard-1
acceleratorConfigs:
- type: NVIDIA_TESLA_T4
coreCount: 1
vmImage:
project: cloud-notebooks-managed
family: workbench-instances
reservationAffinity:
consumeReservationType: RESERVATION_ANY
options:
dependsOn:
- ${gpuReservation}
The acceleratorConfigs property specifies GPU type and count. The vmImage property selects a GPU-compatible base image. The reservationAffinity property tells GCP to use any available reservation, ensuring GPU availability. This example depends on a compute reservation created separately.
Control instance state and apply metadata
Cost-conscious teams stop instances when not in use and apply labels for billing tracking.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "e2-standard-4",
shieldedInstanceConfig: {
enableSecureBoot: false,
enableVtpm: false,
enableIntegrityMonitoring: false,
},
serviceAccounts: [{
email: "my@service-account.com",
}],
metadata: {
terraform: "true",
},
},
labels: {
k: "val",
},
desiredState: "STOPPED",
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "e2-standard-4",
"shielded_instance_config": {
"enable_secure_boot": False,
"enable_vtpm": False,
"enable_integrity_monitoring": False,
},
"service_accounts": [{
"email": "my@service-account.com",
}],
"metadata": {
"terraform": "true",
},
},
labels={
"k": "val",
},
desired_state="STOPPED")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("e2-standard-4"),
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(false),
EnableVtpm: pulumi.Bool(false),
EnableIntegrityMonitoring: pulumi.Bool(false),
},
ServiceAccounts: workbench.InstanceGceSetupServiceAccountArray{
&workbench.InstanceGceSetupServiceAccountArgs{
Email: pulumi.String("my@service-account.com"),
},
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
},
},
Labels: pulumi.StringMap{
"k": pulumi.String("val"),
},
DesiredState: pulumi.String("STOPPED"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "e2-standard-4",
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = false,
EnableVtpm = false,
EnableIntegrityMonitoring = false,
},
ServiceAccounts = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupServiceAccountArgs
{
Email = "my@service-account.com",
},
},
Metadata =
{
{ "terraform", "true" },
},
},
Labels =
{
{ "k", "val" },
},
DesiredState = "STOPPED",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("e2-standard-4")
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(false)
.enableVtpm(false)
.enableIntegrityMonitoring(false)
.build())
.serviceAccounts(InstanceGceSetupServiceAccountArgs.builder()
.email("my@service-account.com")
.build())
.metadata(Map.of("terraform", "true"))
.build())
.labels(Map.of("k", "val"))
.desiredState("STOPPED")
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: e2-standard-4
shieldedInstanceConfig:
enableSecureBoot: false
enableVtpm: false
enableIntegrityMonitoring: false
serviceAccounts:
- email: my@service-account.com
metadata:
terraform: 'true'
labels:
k: val
desiredState: STOPPED
The desiredState property controls whether the instance runs (ACTIVE) or stops (STOPPED). The labels property adds key-value metadata for organization. The metadata property passes configuration to the VM, and serviceAccounts specifies the identity the instance runs as. The shieldedInstanceConfig property controls security features like Secure Boot.
Configure networking, storage, and security comprehensively
Production deployments require explicit control over networking, storage encryption, and access controls.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myNetwork = new gcp.compute.Network("my_network", {
name: "wbi-test-default",
autoCreateSubnetworks: false,
});
const mySubnetwork = new gcp.compute.Subnetwork("my_subnetwork", {
name: "wbi-test-default",
network: myNetwork.id,
region: "us-central1",
ipCidrRange: "10.0.1.0/24",
});
const static = new gcp.compute.Address("static", {name: "wbi-test-default"});
const actAsPermission = new gcp.serviceaccount.IAMBinding("act_as_permission", {
serviceAccountId: "projects/my-project-name/serviceAccounts/my@service-account.com",
role: "roles/iam.serviceAccountUser",
members: ["user:example@example.com"],
});
const gpuReservation = new gcp.compute.Reservation("gpu_reservation", {
name: "wbi-reservation",
zone: "us-central1-a",
specificReservation: {
count: 1,
instanceProperties: {
machineType: "n1-standard-4",
guestAccelerators: [{
acceleratorType: "nvidia-tesla-t4",
acceleratorCount: 1,
}],
},
},
specificReservationRequired: true,
});
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n1-standard-4",
acceleratorConfigs: [{
type: "NVIDIA_TESLA_T4",
coreCount: "1",
}],
shieldedInstanceConfig: {
enableSecureBoot: true,
enableVtpm: true,
enableIntegrityMonitoring: true,
},
disablePublicIp: false,
serviceAccounts: [{
email: "my@service-account.com",
}],
bootDisk: {
diskSizeGb: "310",
diskType: "PD_SSD",
diskEncryption: "CMEK",
kmsKey: "my-crypto-key",
},
dataDisks: {
diskSizeGb: "330",
diskType: "PD_SSD",
diskEncryption: "CMEK",
kmsKey: "my-crypto-key",
},
networkInterfaces: [{
network: myNetwork.id,
subnet: mySubnetwork.id,
nicType: "GVNIC",
accessConfigs: [{
externalIp: static.address,
}],
}],
metadata: {
terraform: "true",
"serial-port-logging-enable": "false",
},
reservationAffinity: {
consumeReservationType: "RESERVATION_SPECIFIC",
key: "compute.googleapis.com/reservation-name",
values: [gpuReservation.name],
},
enableIpForwarding: true,
tags: [
"abc",
"def",
],
},
disableProxyAccess: true,
instanceOwners: ["example@example.com"],
labels: {
k: "val",
},
desiredState: "ACTIVE",
enableThirdPartyIdentity: true,
}, {
dependsOn: [
myNetwork,
mySubnetwork,
static,
actAsPermission,
gpuReservation,
],
});
import pulumi
import pulumi_gcp as gcp
my_network = gcp.compute.Network("my_network",
name="wbi-test-default",
auto_create_subnetworks=False)
my_subnetwork = gcp.compute.Subnetwork("my_subnetwork",
name="wbi-test-default",
network=my_network.id,
region="us-central1",
ip_cidr_range="10.0.1.0/24")
static = gcp.compute.Address("static", name="wbi-test-default")
act_as_permission = gcp.serviceaccount.IAMBinding("act_as_permission",
service_account_id="projects/my-project-name/serviceAccounts/my@service-account.com",
role="roles/iam.serviceAccountUser",
members=["user:example@example.com"])
gpu_reservation = gcp.compute.Reservation("gpu_reservation",
name="wbi-reservation",
zone="us-central1-a",
specific_reservation={
"count": 1,
"instance_properties": {
"machine_type": "n1-standard-4",
"guest_accelerators": [{
"accelerator_type": "nvidia-tesla-t4",
"accelerator_count": 1,
}],
},
},
specific_reservation_required=True)
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n1-standard-4",
"accelerator_configs": [{
"type": "NVIDIA_TESLA_T4",
"core_count": "1",
}],
"shielded_instance_config": {
"enable_secure_boot": True,
"enable_vtpm": True,
"enable_integrity_monitoring": True,
},
"disable_public_ip": False,
"service_accounts": [{
"email": "my@service-account.com",
}],
"boot_disk": {
"disk_size_gb": "310",
"disk_type": "PD_SSD",
"disk_encryption": "CMEK",
"kms_key": "my-crypto-key",
},
"data_disks": {
"disk_size_gb": "330",
"disk_type": "PD_SSD",
"disk_encryption": "CMEK",
"kms_key": "my-crypto-key",
},
"network_interfaces": [{
"network": my_network.id,
"subnet": my_subnetwork.id,
"nic_type": "GVNIC",
"access_configs": [{
"external_ip": static.address,
}],
}],
"metadata": {
"terraform": "true",
"serial-port-logging-enable": "false",
},
"reservation_affinity": {
"consume_reservation_type": "RESERVATION_SPECIFIC",
"key": "compute.googleapis.com/reservation-name",
"values": [gpu_reservation.name],
},
"enable_ip_forwarding": True,
"tags": [
"abc",
"def",
],
},
disable_proxy_access=True,
instance_owners=["example@example.com"],
labels={
"k": "val",
},
desired_state="ACTIVE",
enable_third_party_identity=True,
opts = pulumi.ResourceOptions(depends_on=[
my_network,
my_subnetwork,
static,
act_as_permission,
gpu_reservation,
]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myNetwork, err := compute.NewNetwork(ctx, "my_network", &compute.NetworkArgs{
Name: pulumi.String("wbi-test-default"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
mySubnetwork, err := compute.NewSubnetwork(ctx, "my_subnetwork", &compute.SubnetworkArgs{
Name: pulumi.String("wbi-test-default"),
Network: myNetwork.ID(),
Region: pulumi.String("us-central1"),
IpCidrRange: pulumi.String("10.0.1.0/24"),
})
if err != nil {
return err
}
static, err := compute.NewAddress(ctx, "static", &compute.AddressArgs{
Name: pulumi.String("wbi-test-default"),
})
if err != nil {
return err
}
actAsPermission, err := serviceaccount.NewIAMBinding(ctx, "act_as_permission", &serviceaccount.IAMBindingArgs{
ServiceAccountId: pulumi.String("projects/my-project-name/serviceAccounts/my@service-account.com"),
Role: pulumi.String("roles/iam.serviceAccountUser"),
Members: pulumi.StringArray{
pulumi.String("user:example@example.com"),
},
})
if err != nil {
return err
}
gpuReservation, err := compute.NewReservation(ctx, "gpu_reservation", &compute.ReservationArgs{
Name: pulumi.String("wbi-reservation"),
Zone: pulumi.String("us-central1-a"),
SpecificReservation: &compute.ReservationSpecificReservationArgs{
Count: pulumi.Int(1),
InstanceProperties: &compute.ReservationSpecificReservationInstancePropertiesArgs{
MachineType: pulumi.String("n1-standard-4"),
GuestAccelerators: compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArray{
&compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs{
AcceleratorType: pulumi.String("nvidia-tesla-t4"),
AcceleratorCount: pulumi.Int(1),
},
},
},
},
SpecificReservationRequired: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n1-standard-4"),
AcceleratorConfigs: workbench.InstanceGceSetupAcceleratorConfigArray{
&workbench.InstanceGceSetupAcceleratorConfigArgs{
Type: pulumi.String("NVIDIA_TESLA_T4"),
CoreCount: pulumi.String("1"),
},
},
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(true),
EnableVtpm: pulumi.Bool(true),
EnableIntegrityMonitoring: pulumi.Bool(true),
},
DisablePublicIp: pulumi.Bool(false),
ServiceAccounts: workbench.InstanceGceSetupServiceAccountArray{
&workbench.InstanceGceSetupServiceAccountArgs{
Email: pulumi.String("my@service-account.com"),
},
},
BootDisk: &workbench.InstanceGceSetupBootDiskArgs{
DiskSizeGb: pulumi.String("310"),
DiskType: pulumi.String("PD_SSD"),
DiskEncryption: pulumi.String("CMEK"),
KmsKey: pulumi.String("my-crypto-key"),
},
DataDisks: &workbench.InstanceGceSetupDataDisksArgs{
DiskSizeGb: pulumi.String("330"),
DiskType: pulumi.String("PD_SSD"),
DiskEncryption: pulumi.String("CMEK"),
KmsKey: pulumi.String("my-crypto-key"),
},
NetworkInterfaces: workbench.InstanceGceSetupNetworkInterfaceArray{
&workbench.InstanceGceSetupNetworkInterfaceArgs{
Network: myNetwork.ID(),
Subnet: mySubnetwork.ID(),
NicType: pulumi.String("GVNIC"),
AccessConfigs: workbench.InstanceGceSetupNetworkInterfaceAccessConfigArray{
&workbench.InstanceGceSetupNetworkInterfaceAccessConfigArgs{
ExternalIp: static.Address,
},
},
},
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
"serial-port-logging-enable": pulumi.String("false"),
},
ReservationAffinity: &workbench.InstanceGceSetupReservationAffinityArgs{
ConsumeReservationType: pulumi.String("RESERVATION_SPECIFIC"),
Key: pulumi.String("compute.googleapis.com/reservation-name"),
Values: pulumi.StringArray{
gpuReservation.Name,
},
},
EnableIpForwarding: pulumi.Bool(true),
Tags: pulumi.StringArray{
pulumi.String("abc"),
pulumi.String("def"),
},
},
DisableProxyAccess: pulumi.Bool(true),
InstanceOwners: pulumi.StringArray{
pulumi.String("example@example.com"),
},
Labels: pulumi.StringMap{
"k": pulumi.String("val"),
},
DesiredState: pulumi.String("ACTIVE"),
EnableThirdPartyIdentity: pulumi.Bool(true),
}, pulumi.DependsOn([]pulumi.Resource{
myNetwork,
mySubnetwork,
static,
actAsPermission,
gpuReservation,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myNetwork = new Gcp.Compute.Network("my_network", new()
{
Name = "wbi-test-default",
AutoCreateSubnetworks = false,
});
var mySubnetwork = new Gcp.Compute.Subnetwork("my_subnetwork", new()
{
Name = "wbi-test-default",
Network = myNetwork.Id,
Region = "us-central1",
IpCidrRange = "10.0.1.0/24",
});
var @static = new Gcp.Compute.Address("static", new()
{
Name = "wbi-test-default",
});
var actAsPermission = new Gcp.ServiceAccount.IAMBinding("act_as_permission", new()
{
ServiceAccountId = "projects/my-project-name/serviceAccounts/my@service-account.com",
Role = "roles/iam.serviceAccountUser",
Members = new[]
{
"user:example@example.com",
},
});
var gpuReservation = new Gcp.Compute.Reservation("gpu_reservation", new()
{
Name = "wbi-reservation",
Zone = "us-central1-a",
SpecificReservation = new Gcp.Compute.Inputs.ReservationSpecificReservationArgs
{
Count = 1,
InstanceProperties = new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesArgs
{
MachineType = "n1-standard-4",
GuestAccelerators = new[]
{
new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs
{
AcceleratorType = "nvidia-tesla-t4",
AcceleratorCount = 1,
},
},
},
},
SpecificReservationRequired = true,
});
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n1-standard-4",
AcceleratorConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupAcceleratorConfigArgs
{
Type = "NVIDIA_TESLA_T4",
CoreCount = "1",
},
},
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = true,
EnableVtpm = true,
EnableIntegrityMonitoring = true,
},
DisablePublicIp = false,
ServiceAccounts = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupServiceAccountArgs
{
Email = "my@service-account.com",
},
},
BootDisk = new Gcp.Workbench.Inputs.InstanceGceSetupBootDiskArgs
{
DiskSizeGb = "310",
DiskType = "PD_SSD",
DiskEncryption = "CMEK",
KmsKey = "my-crypto-key",
},
DataDisks = new Gcp.Workbench.Inputs.InstanceGceSetupDataDisksArgs
{
DiskSizeGb = "330",
DiskType = "PD_SSD",
DiskEncryption = "CMEK",
KmsKey = "my-crypto-key",
},
NetworkInterfaces = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupNetworkInterfaceArgs
{
Network = myNetwork.Id,
Subnet = mySubnetwork.Id,
NicType = "GVNIC",
AccessConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupNetworkInterfaceAccessConfigArgs
{
ExternalIp = @static.IPAddress,
},
},
},
},
Metadata =
{
{ "terraform", "true" },
{ "serial-port-logging-enable", "false" },
},
ReservationAffinity = new Gcp.Workbench.Inputs.InstanceGceSetupReservationAffinityArgs
{
ConsumeReservationType = "RESERVATION_SPECIFIC",
Key = "compute.googleapis.com/reservation-name",
Values = new[]
{
gpuReservation.Name,
},
},
EnableIpForwarding = true,
Tags = new[]
{
"abc",
"def",
},
},
DisableProxyAccess = true,
InstanceOwners = new[]
{
"example@example.com",
},
Labels =
{
{ "k", "val" },
},
DesiredState = "ACTIVE",
EnableThirdPartyIdentity = true,
}, new CustomResourceOptions
{
DependsOn =
{
myNetwork,
mySubnetwork,
@static,
actAsPermission,
gpuReservation,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.Subnetwork;
import com.pulumi.gcp.compute.SubnetworkArgs;
import com.pulumi.gcp.compute.Address;
import com.pulumi.gcp.compute.AddressArgs;
import com.pulumi.gcp.serviceaccount.IAMBinding;
import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
import com.pulumi.gcp.compute.Reservation;
import com.pulumi.gcp.compute.ReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationInstancePropertiesArgs;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupBootDiskArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupDataDisksArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupReservationAffinityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myNetwork = new Network("myNetwork", NetworkArgs.builder()
.name("wbi-test-default")
.autoCreateSubnetworks(false)
.build());
var mySubnetwork = new Subnetwork("mySubnetwork", SubnetworkArgs.builder()
.name("wbi-test-default")
.network(myNetwork.id())
.region("us-central1")
.ipCidrRange("10.0.1.0/24")
.build());
var static_ = new Address("static", AddressArgs.builder()
.name("wbi-test-default")
.build());
var actAsPermission = new IAMBinding("actAsPermission", IAMBindingArgs.builder()
.serviceAccountId("projects/my-project-name/serviceAccounts/my@service-account.com")
.role("roles/iam.serviceAccountUser")
.members("user:example@example.com")
.build());
var gpuReservation = new Reservation("gpuReservation", ReservationArgs.builder()
.name("wbi-reservation")
.zone("us-central1-a")
.specificReservation(ReservationSpecificReservationArgs.builder()
.count(1)
.instanceProperties(ReservationSpecificReservationInstancePropertiesArgs.builder()
.machineType("n1-standard-4")
.guestAccelerators(ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs.builder()
.acceleratorType("nvidia-tesla-t4")
.acceleratorCount(1)
.build())
.build())
.build())
.specificReservationRequired(true)
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n1-standard-4")
.acceleratorConfigs(InstanceGceSetupAcceleratorConfigArgs.builder()
.type("NVIDIA_TESLA_T4")
.coreCount("1")
.build())
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(true)
.enableVtpm(true)
.enableIntegrityMonitoring(true)
.build())
.disablePublicIp(false)
.serviceAccounts(InstanceGceSetupServiceAccountArgs.builder()
.email("my@service-account.com")
.build())
.bootDisk(InstanceGceSetupBootDiskArgs.builder()
.diskSizeGb("310")
.diskType("PD_SSD")
.diskEncryption("CMEK")
.kmsKey("my-crypto-key")
.build())
.dataDisks(InstanceGceSetupDataDisksArgs.builder()
.diskSizeGb("330")
.diskType("PD_SSD")
.diskEncryption("CMEK")
.kmsKey("my-crypto-key")
.build())
.networkInterfaces(InstanceGceSetupNetworkInterfaceArgs.builder()
.network(myNetwork.id())
.subnet(mySubnetwork.id())
.nicType("GVNIC")
.accessConfigs(InstanceGceSetupNetworkInterfaceAccessConfigArgs.builder()
.externalIp(static_.address())
.build())
.build())
.metadata(Map.ofEntries(
Map.entry("terraform", "true"),
Map.entry("serial-port-logging-enable", "false")
))
.reservationAffinity(InstanceGceSetupReservationAffinityArgs.builder()
.consumeReservationType("RESERVATION_SPECIFIC")
.key("compute.googleapis.com/reservation-name")
.values(gpuReservation.name())
.build())
.enableIpForwarding(true)
.tags(
"abc",
"def")
.build())
.disableProxyAccess(true)
.instanceOwners("example@example.com")
.labels(Map.of("k", "val"))
.desiredState("ACTIVE")
.enableThirdPartyIdentity(true)
.build(), CustomResourceOptions.builder()
.dependsOn(
myNetwork,
mySubnetwork,
static_,
actAsPermission,
gpuReservation)
.build());
}
}
resources:
myNetwork:
type: gcp:compute:Network
name: my_network
properties:
name: wbi-test-default
autoCreateSubnetworks: false
mySubnetwork:
type: gcp:compute:Subnetwork
name: my_subnetwork
properties:
name: wbi-test-default
network: ${myNetwork.id}
region: us-central1
ipCidrRange: 10.0.1.0/24
static:
type: gcp:compute:Address
properties:
name: wbi-test-default
actAsPermission:
type: gcp:serviceaccount:IAMBinding
name: act_as_permission
properties:
serviceAccountId: projects/my-project-name/serviceAccounts/my@service-account.com
role: roles/iam.serviceAccountUser
members:
- user:example@example.com
gpuReservation:
type: gcp:compute:Reservation
name: gpu_reservation
properties:
name: wbi-reservation
zone: us-central1-a
specificReservation:
count: 1
instanceProperties:
machineType: n1-standard-4
guestAccelerators:
- acceleratorType: nvidia-tesla-t4
acceleratorCount: 1
specificReservationRequired: true
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n1-standard-4
acceleratorConfigs:
- type: NVIDIA_TESLA_T4
coreCount: 1
shieldedInstanceConfig:
enableSecureBoot: true
enableVtpm: true
enableIntegrityMonitoring: true
disablePublicIp: false
serviceAccounts:
- email: my@service-account.com
bootDisk:
diskSizeGb: 310
diskType: PD_SSD
diskEncryption: CMEK
kmsKey: my-crypto-key
dataDisks:
diskSizeGb: 330
diskType: PD_SSD
diskEncryption: CMEK
kmsKey: my-crypto-key
networkInterfaces:
- network: ${myNetwork.id}
subnet: ${mySubnetwork.id}
nicType: GVNIC
accessConfigs:
- externalIp: ${static.address}
metadata:
terraform: 'true'
serial-port-logging-enable: 'false'
reservationAffinity:
consumeReservationType: RESERVATION_SPECIFIC
key: compute.googleapis.com/reservation-name
values:
- ${gpuReservation.name}
enableIpForwarding: true
tags:
- abc
- def
disableProxyAccess: 'true'
instanceOwners:
- example@example.com
labels:
k: val
desiredState: ACTIVE
enableThirdPartyIdentity: 'true'
options:
dependsOn:
- ${myNetwork}
- ${mySubnetwork}
- ${static}
- ${actAsPermission}
- ${gpuReservation}
The networkInterfaces property places the instance in a custom VPC with a static IP. The bootDisk and dataDisks properties configure disk size, type, and KMS encryption. The instanceOwners property restricts access to specific users. The disablePublicIp property prevents internet access, and enableIpForwarding allows the instance to route traffic. This configuration assumes you’ve created the VPC, subnet, static IP, KMS key, and service account separately, and granted appropriate IAM permissions.
Enable confidential computing for sensitive workloads
Workloads processing sensitive data can use confidential computing to encrypt data in memory.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n2d-standard-2",
shieldedInstanceConfig: {
enableSecureBoot: true,
enableVtpm: true,
enableIntegrityMonitoring: true,
},
metadata: {
terraform: "true",
},
confidentialInstanceConfig: {
confidentialInstanceType: "SEV",
},
},
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n2d-standard-2",
"shielded_instance_config": {
"enable_secure_boot": True,
"enable_vtpm": True,
"enable_integrity_monitoring": True,
},
"metadata": {
"terraform": "true",
},
"confidential_instance_config": {
"confidential_instance_type": "SEV",
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n2d-standard-2"),
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(true),
EnableVtpm: pulumi.Bool(true),
EnableIntegrityMonitoring: pulumi.Bool(true),
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
},
ConfidentialInstanceConfig: &workbench.InstanceGceSetupConfidentialInstanceConfigArgs{
ConfidentialInstanceType: pulumi.String("SEV"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n2d-standard-2",
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = true,
EnableVtpm = true,
EnableIntegrityMonitoring = true,
},
Metadata =
{
{ "terraform", "true" },
},
ConfidentialInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupConfidentialInstanceConfigArgs
{
ConfidentialInstanceType = "SEV",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupConfidentialInstanceConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n2d-standard-2")
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(true)
.enableVtpm(true)
.enableIntegrityMonitoring(true)
.build())
.metadata(Map.of("terraform", "true"))
.confidentialInstanceConfig(InstanceGceSetupConfidentialInstanceConfigArgs.builder()
.confidentialInstanceType("SEV")
.build())
.build())
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n2d-standard-2
shieldedInstanceConfig:
enableSecureBoot: true
enableVtpm: true
enableIntegrityMonitoring: true
metadata:
terraform: 'true'
confidentialInstanceConfig:
confidentialInstanceType: SEV
The confidentialInstanceConfig property enables AMD SEV encryption, protecting data in use from unauthorized access. This requires a compatible machine type (n2d series) and Shielded VM features enabled. The instance encrypts memory contents, preventing access even by cloud administrators.
Beyond these examples
These snippets focus on specific Workbench instance features: container and VM image selection, GPU acceleration and compute reservations, and networking, storage encryption, and confidential computing. They’re intentionally minimal rather than full data science environments.
The examples may reference pre-existing infrastructure such as custom VPCs, subnets, and static IP addresses, compute reservations for GPU availability, KMS encryption keys for disk encryption, and service accounts and IAM bindings. They focus on configuring the instance rather than provisioning everything around it.
To keep things focused, common instance patterns are omitted, including:
- Proxy access configuration (disableProxyAccess)
- Third-party identity integration (enableThirdPartyIdentity)
- Network tags and IP forwarding for advanced routing
- Managed end-user credentials (enableManagedEuc)
These omissions are intentional: the goal is to illustrate how each Workbench feature is wired, not provide drop-in data science platforms. See the Workbench Instance resource reference for all available configuration options.
Let's deploy GCP Vertex AI Workbench Instances
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Immutability & Lifecycle
What properties can't I change after creating a Workbench instance?
Several properties are immutable and force resource replacement if changed:
location, name, project, disableProxyAccess, instanceId, and instanceOwners. Plan these values carefully during initial creation.How do I stop my Workbench instance without deleting it?
Set
desiredState to STOPPED to stop the instance, or ACTIVE to start it. This controls the instance lifecycle without destroying the resource.Why aren't all my labels showing up in the labels property?
The
labels field is non-authoritative and only manages labels present in your Pulumi configuration. Labels added by other clients or services won’t appear here. Use the effectiveLabels output property to see all labels on the resource.GPU & Accelerators
How do I add a GPU to my Workbench instance?
Configure
gceSetup.acceleratorConfigs with the GPU type (e.g., NVIDIA_TESLA_T4) and coreCount. You must also create a gcp.compute.Reservation resource first and add it to the instance’s dependsOn to ensure proper ordering.What's the difference between reservationAffinity types?
Set
consumeReservationType to RESERVATION_ANY to use any available reservation, or RESERVATION_SPECIFIC with key and values to target a specific reservation by name.Access & Security
Why do I need an IAM binding to use a service account?
When specifying a service account in
gceSetup.serviceAccounts, you must grant yourself roles/iam.serviceAccountUser permission via a gcp.serviceaccount.IAMBinding resource. Add this binding to the instance’s dependsOn to ensure proper ordering.What does instanceOwners do?
Setting
instanceOwners restricts access to specific users (format: alias@example.com) and sets the access mode to Single user. This property is immutable and input-only, so it can’t be changed after creation.How do I enable managed end user credentials?
Set
enableManagedEuc to true. You’ll also need to ensure the appropriate IAM permissions are in place, as shown in the EUC example.Configuration & Setup
How do I use a container image instead of a VM image?
Configure
gceSetup.containerImage with repository and tag properties instead of using vmImage.How do I connect my instance to a custom VPC network?
Configure
gceSetup.networkInterfaces with network and subnet IDs. You’ll need to create gcp.compute.Network and gcp.compute.Subnetwork resources first and reference them.How do I enable disk encryption with customer-managed keys?
Set
diskEncryption to CMEK and specify kmsKey in both gceSetup.bootDisk and gceSetup.dataDisks configurations.Using a different cloud?
Explore analytics guides for other cloud providers: