The gcp:workbench/instance:Instance resource, part of the Pulumi GCP provider, provisions a Vertex AI Workbench instance: a managed JupyterLab environment with configurable compute, storage, and networking. This guide focuses on four capabilities: container and VM image selection, GPU acceleration with compute reservations, custom networking and disk encryption, and confidential computing for sensitive data.
Workbench instances run in VPC networks and may reference service accounts, compute reservations, static IPs, and KMS keys that must exist separately. The examples are intentionally small. Combine them with your own VPC infrastructure, IAM configuration, and security policies.
Create a minimal instance with defaults
Most deployments start with a minimal instance that uses default compute settings and networking.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-west1-a",
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-west1-a")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-west1-a"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-west1-a",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-west1-a")
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-west1-a
The name property sets the instance identifier, and location specifies the zone. Without gceSetup configuration, the instance uses default machine type, VM image, and network settings. This provides a basic JupyterLab environment for data exploration.
Deploy with a custom container image
Teams often need specific Python versions or pre-installed libraries not available in default VM images.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-west1-a",
gceSetup: {
containerImage: {
repository: "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
tag: "latest",
},
},
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-west1-a",
gce_setup={
"container_image": {
"repository": "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
"tag": "latest",
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-west1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
ContainerImage: &workbench.InstanceGceSetupContainerImageArgs{
Repository: pulumi.String("us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310"),
Tag: pulumi.String("latest"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-west1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
ContainerImage = new Gcp.Workbench.Inputs.InstanceGceSetupContainerImageArgs
{
Repository = "us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310",
Tag = "latest",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupContainerImageArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-west1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.containerImage(InstanceGceSetupContainerImageArgs.builder()
.repository("us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310")
.tag("latest")
.build())
.build())
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-west1-a
gceSetup:
containerImage:
repository: us-docker.pkg.dev/deeplearning-platform-release/gcr.io/base-cu113.py310
tag: latest
The gceSetup.containerImage property points to a container repository and tag. Google’s Deep Learning repositories provide curated environments with specific Python and CUDA versions. The instance pulls this image at startup instead of using a VM image.
Attach GPU accelerators for ML workloads
Machine learning training and inference often require GPU acceleration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const gpuReservation = new gcp.compute.Reservation("gpu_reservation", {
name: "wbi-reservation",
zone: "us-central1-a",
specificReservation: {
count: 1,
instanceProperties: {
machineType: "n1-standard-1",
guestAccelerators: [{
acceleratorType: "nvidia-tesla-t4",
acceleratorCount: 1,
}],
},
},
specificReservationRequired: false,
});
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n1-standard-1",
acceleratorConfigs: [{
type: "NVIDIA_TESLA_T4",
coreCount: "1",
}],
vmImage: {
project: "cloud-notebooks-managed",
family: "workbench-instances",
},
reservationAffinity: {
consumeReservationType: "RESERVATION_ANY",
},
},
}, {
dependsOn: [gpuReservation],
});
import pulumi
import pulumi_gcp as gcp
gpu_reservation = gcp.compute.Reservation("gpu_reservation",
name="wbi-reservation",
zone="us-central1-a",
specific_reservation={
"count": 1,
"instance_properties": {
"machine_type": "n1-standard-1",
"guest_accelerators": [{
"accelerator_type": "nvidia-tesla-t4",
"accelerator_count": 1,
}],
},
},
specific_reservation_required=False)
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n1-standard-1",
"accelerator_configs": [{
"type": "NVIDIA_TESLA_T4",
"core_count": "1",
}],
"vm_image": {
"project": "cloud-notebooks-managed",
"family": "workbench-instances",
},
"reservation_affinity": {
"consume_reservation_type": "RESERVATION_ANY",
},
},
opts = pulumi.ResourceOptions(depends_on=[gpu_reservation]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
gpuReservation, err := compute.NewReservation(ctx, "gpu_reservation", &compute.ReservationArgs{
Name: pulumi.String("wbi-reservation"),
Zone: pulumi.String("us-central1-a"),
SpecificReservation: &compute.ReservationSpecificReservationArgs{
Count: pulumi.Int(1),
InstanceProperties: &compute.ReservationSpecificReservationInstancePropertiesArgs{
MachineType: pulumi.String("n1-standard-1"),
GuestAccelerators: compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArray{
&compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs{
AcceleratorType: pulumi.String("nvidia-tesla-t4"),
AcceleratorCount: pulumi.Int(1),
},
},
},
},
SpecificReservationRequired: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n1-standard-1"),
AcceleratorConfigs: workbench.InstanceGceSetupAcceleratorConfigArray{
&workbench.InstanceGceSetupAcceleratorConfigArgs{
Type: pulumi.String("NVIDIA_TESLA_T4"),
CoreCount: pulumi.String("1"),
},
},
VmImage: &workbench.InstanceGceSetupVmImageArgs{
Project: pulumi.String("cloud-notebooks-managed"),
Family: pulumi.String("workbench-instances"),
},
ReservationAffinity: &workbench.InstanceGceSetupReservationAffinityArgs{
ConsumeReservationType: pulumi.String("RESERVATION_ANY"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
gpuReservation,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var gpuReservation = new Gcp.Compute.Reservation("gpu_reservation", new()
{
Name = "wbi-reservation",
Zone = "us-central1-a",
SpecificReservation = new Gcp.Compute.Inputs.ReservationSpecificReservationArgs
{
Count = 1,
InstanceProperties = new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesArgs
{
MachineType = "n1-standard-1",
GuestAccelerators = new[]
{
new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs
{
AcceleratorType = "nvidia-tesla-t4",
AcceleratorCount = 1,
},
},
},
},
SpecificReservationRequired = false,
});
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n1-standard-1",
AcceleratorConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupAcceleratorConfigArgs
{
Type = "NVIDIA_TESLA_T4",
CoreCount = "1",
},
},
VmImage = new Gcp.Workbench.Inputs.InstanceGceSetupVmImageArgs
{
Project = "cloud-notebooks-managed",
Family = "workbench-instances",
},
ReservationAffinity = new Gcp.Workbench.Inputs.InstanceGceSetupReservationAffinityArgs
{
ConsumeReservationType = "RESERVATION_ANY",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
gpuReservation,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Reservation;
import com.pulumi.gcp.compute.ReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationInstancePropertiesArgs;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupVmImageArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupReservationAffinityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gpuReservation = new Reservation("gpuReservation", ReservationArgs.builder()
.name("wbi-reservation")
.zone("us-central1-a")
.specificReservation(ReservationSpecificReservationArgs.builder()
.count(1)
.instanceProperties(ReservationSpecificReservationInstancePropertiesArgs.builder()
.machineType("n1-standard-1")
.guestAccelerators(ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs.builder()
.acceleratorType("nvidia-tesla-t4")
.acceleratorCount(1)
.build())
.build())
.build())
.specificReservationRequired(false)
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n1-standard-1")
.acceleratorConfigs(InstanceGceSetupAcceleratorConfigArgs.builder()
.type("NVIDIA_TESLA_T4")
.coreCount("1")
.build())
.vmImage(InstanceGceSetupVmImageArgs.builder()
.project("cloud-notebooks-managed")
.family("workbench-instances")
.build())
.reservationAffinity(InstanceGceSetupReservationAffinityArgs.builder()
.consumeReservationType("RESERVATION_ANY")
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(gpuReservation)
.build());
}
}
resources:
gpuReservation:
type: gcp:compute:Reservation
name: gpu_reservation
properties:
name: wbi-reservation
zone: us-central1-a
specificReservation:
count: 1
instanceProperties:
machineType: n1-standard-1
guestAccelerators:
- acceleratorType: nvidia-tesla-t4
acceleratorCount: 1
specificReservationRequired: false
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n1-standard-1
acceleratorConfigs:
- type: NVIDIA_TESLA_T4
coreCount: 1
vmImage:
project: cloud-notebooks-managed
family: workbench-instances
reservationAffinity:
consumeReservationType: RESERVATION_ANY
options:
dependsOn:
- ${gpuReservation}
The acceleratorConfigs property specifies GPU type and count. The vmImage property selects a GPU-compatible base image. The reservationAffinity property connects to a compute reservation, guaranteeing GPU capacity. The instance depends on the reservation being created first.
Control instance state and apply metadata
Cost management often requires stopping instances when not in use.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "e2-standard-4",
shieldedInstanceConfig: {
enableSecureBoot: false,
enableVtpm: false,
enableIntegrityMonitoring: false,
},
serviceAccounts: [{
email: "my@service-account.com",
}],
metadata: {
terraform: "true",
},
},
labels: {
k: "val",
},
desiredState: "STOPPED",
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "e2-standard-4",
"shielded_instance_config": {
"enable_secure_boot": False,
"enable_vtpm": False,
"enable_integrity_monitoring": False,
},
"service_accounts": [{
"email": "my@service-account.com",
}],
"metadata": {
"terraform": "true",
},
},
labels={
"k": "val",
},
desired_state="STOPPED")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("e2-standard-4"),
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(false),
EnableVtpm: pulumi.Bool(false),
EnableIntegrityMonitoring: pulumi.Bool(false),
},
ServiceAccounts: workbench.InstanceGceSetupServiceAccountArray{
&workbench.InstanceGceSetupServiceAccountArgs{
Email: pulumi.String("my@service-account.com"),
},
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
},
},
Labels: pulumi.StringMap{
"k": pulumi.String("val"),
},
DesiredState: pulumi.String("STOPPED"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "e2-standard-4",
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = false,
EnableVtpm = false,
EnableIntegrityMonitoring = false,
},
ServiceAccounts = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupServiceAccountArgs
{
Email = "my@service-account.com",
},
},
Metadata =
{
{ "terraform", "true" },
},
},
Labels =
{
{ "k", "val" },
},
DesiredState = "STOPPED",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("e2-standard-4")
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(false)
.enableVtpm(false)
.enableIntegrityMonitoring(false)
.build())
.serviceAccounts(InstanceGceSetupServiceAccountArgs.builder()
.email("my@service-account.com")
.build())
.metadata(Map.of("terraform", "true"))
.build())
.labels(Map.of("k", "val"))
.desiredState("STOPPED")
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: e2-standard-4
shieldedInstanceConfig:
enableSecureBoot: false
enableVtpm: false
enableIntegrityMonitoring: false
serviceAccounts:
- email: my@service-account.com
metadata:
terraform: 'true'
labels:
k: val
desiredState: STOPPED
The desiredState property controls whether the instance runs (ACTIVE) or stops (STOPPED). The labels property adds key-value metadata for organization and cost tracking. The metadata property passes configuration to the VM. The shieldedInstanceConfig property controls boot security features.
Configure networking, storage, and security features
Production deployments typically require custom VPC placement, encrypted disks, and static IP addresses.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myNetwork = new gcp.compute.Network("my_network", {
name: "wbi-test-default",
autoCreateSubnetworks: false,
});
const mySubnetwork = new gcp.compute.Subnetwork("my_subnetwork", {
name: "wbi-test-default",
network: myNetwork.id,
region: "us-central1",
ipCidrRange: "10.0.1.0/24",
});
const static = new gcp.compute.Address("static", {name: "wbi-test-default"});
const actAsPermission = new gcp.serviceaccount.IAMBinding("act_as_permission", {
serviceAccountId: "projects/my-project-name/serviceAccounts/my@service-account.com",
role: "roles/iam.serviceAccountUser",
members: ["user:example@example.com"],
});
const gpuReservation = new gcp.compute.Reservation("gpu_reservation", {
name: "wbi-reservation",
zone: "us-central1-a",
specificReservation: {
count: 1,
instanceProperties: {
machineType: "n1-standard-4",
guestAccelerators: [{
acceleratorType: "nvidia-tesla-t4",
acceleratorCount: 1,
}],
},
},
specificReservationRequired: true,
});
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n1-standard-4",
acceleratorConfigs: [{
type: "NVIDIA_TESLA_T4",
coreCount: "1",
}],
shieldedInstanceConfig: {
enableSecureBoot: true,
enableVtpm: true,
enableIntegrityMonitoring: true,
},
disablePublicIp: false,
serviceAccounts: [{
email: "my@service-account.com",
}],
bootDisk: {
diskSizeGb: "310",
diskType: "PD_SSD",
diskEncryption: "CMEK",
kmsKey: "my-crypto-key",
},
dataDisks: {
diskSizeGb: "330",
diskType: "PD_SSD",
diskEncryption: "CMEK",
kmsKey: "my-crypto-key",
},
networkInterfaces: [{
network: myNetwork.id,
subnet: mySubnetwork.id,
nicType: "GVNIC",
accessConfigs: [{
externalIp: static.address,
}],
}],
metadata: {
terraform: "true",
"serial-port-logging-enable": "false",
"enable-jupyterlab4": "false",
},
reservationAffinity: {
consumeReservationType: "RESERVATION_SPECIFIC",
key: "compute.googleapis.com/reservation-name",
values: [gpuReservation.name],
},
enableIpForwarding: true,
tags: [
"abc",
"def",
],
},
disableProxyAccess: true,
instanceOwners: ["example@example.com"],
labels: {
k: "val",
},
desiredState: "ACTIVE",
enableThirdPartyIdentity: true,
}, {
dependsOn: [
myNetwork,
mySubnetwork,
static,
actAsPermission,
gpuReservation,
],
});
import pulumi
import pulumi_gcp as gcp
my_network = gcp.compute.Network("my_network",
name="wbi-test-default",
auto_create_subnetworks=False)
my_subnetwork = gcp.compute.Subnetwork("my_subnetwork",
name="wbi-test-default",
network=my_network.id,
region="us-central1",
ip_cidr_range="10.0.1.0/24")
static = gcp.compute.Address("static", name="wbi-test-default")
act_as_permission = gcp.serviceaccount.IAMBinding("act_as_permission",
service_account_id="projects/my-project-name/serviceAccounts/my@service-account.com",
role="roles/iam.serviceAccountUser",
members=["user:example@example.com"])
gpu_reservation = gcp.compute.Reservation("gpu_reservation",
name="wbi-reservation",
zone="us-central1-a",
specific_reservation={
"count": 1,
"instance_properties": {
"machine_type": "n1-standard-4",
"guest_accelerators": [{
"accelerator_type": "nvidia-tesla-t4",
"accelerator_count": 1,
}],
},
},
specific_reservation_required=True)
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n1-standard-4",
"accelerator_configs": [{
"type": "NVIDIA_TESLA_T4",
"core_count": "1",
}],
"shielded_instance_config": {
"enable_secure_boot": True,
"enable_vtpm": True,
"enable_integrity_monitoring": True,
},
"disable_public_ip": False,
"service_accounts": [{
"email": "my@service-account.com",
}],
"boot_disk": {
"disk_size_gb": "310",
"disk_type": "PD_SSD",
"disk_encryption": "CMEK",
"kms_key": "my-crypto-key",
},
"data_disks": {
"disk_size_gb": "330",
"disk_type": "PD_SSD",
"disk_encryption": "CMEK",
"kms_key": "my-crypto-key",
},
"network_interfaces": [{
"network": my_network.id,
"subnet": my_subnetwork.id,
"nic_type": "GVNIC",
"access_configs": [{
"external_ip": static.address,
}],
}],
"metadata": {
"terraform": "true",
"serial-port-logging-enable": "false",
"enable-jupyterlab4": "false",
},
"reservation_affinity": {
"consume_reservation_type": "RESERVATION_SPECIFIC",
"key": "compute.googleapis.com/reservation-name",
"values": [gpu_reservation.name],
},
"enable_ip_forwarding": True,
"tags": [
"abc",
"def",
],
},
disable_proxy_access=True,
instance_owners=["example@example.com"],
labels={
"k": "val",
},
desired_state="ACTIVE",
enable_third_party_identity=True,
opts = pulumi.ResourceOptions(depends_on=[
my_network,
my_subnetwork,
static,
act_as_permission,
gpu_reservation,
]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myNetwork, err := compute.NewNetwork(ctx, "my_network", &compute.NetworkArgs{
Name: pulumi.String("wbi-test-default"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
mySubnetwork, err := compute.NewSubnetwork(ctx, "my_subnetwork", &compute.SubnetworkArgs{
Name: pulumi.String("wbi-test-default"),
Network: myNetwork.ID(),
Region: pulumi.String("us-central1"),
IpCidrRange: pulumi.String("10.0.1.0/24"),
})
if err != nil {
return err
}
static, err := compute.NewAddress(ctx, "static", &compute.AddressArgs{
Name: pulumi.String("wbi-test-default"),
})
if err != nil {
return err
}
actAsPermission, err := serviceaccount.NewIAMBinding(ctx, "act_as_permission", &serviceaccount.IAMBindingArgs{
ServiceAccountId: pulumi.String("projects/my-project-name/serviceAccounts/my@service-account.com"),
Role: pulumi.String("roles/iam.serviceAccountUser"),
Members: pulumi.StringArray{
pulumi.String("user:example@example.com"),
},
})
if err != nil {
return err
}
gpuReservation, err := compute.NewReservation(ctx, "gpu_reservation", &compute.ReservationArgs{
Name: pulumi.String("wbi-reservation"),
Zone: pulumi.String("us-central1-a"),
SpecificReservation: &compute.ReservationSpecificReservationArgs{
Count: pulumi.Int(1),
InstanceProperties: &compute.ReservationSpecificReservationInstancePropertiesArgs{
MachineType: pulumi.String("n1-standard-4"),
GuestAccelerators: compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArray{
&compute.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs{
AcceleratorType: pulumi.String("nvidia-tesla-t4"),
AcceleratorCount: pulumi.Int(1),
},
},
},
},
SpecificReservationRequired: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n1-standard-4"),
AcceleratorConfigs: workbench.InstanceGceSetupAcceleratorConfigArray{
&workbench.InstanceGceSetupAcceleratorConfigArgs{
Type: pulumi.String("NVIDIA_TESLA_T4"),
CoreCount: pulumi.String("1"),
},
},
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(true),
EnableVtpm: pulumi.Bool(true),
EnableIntegrityMonitoring: pulumi.Bool(true),
},
DisablePublicIp: pulumi.Bool(false),
ServiceAccounts: workbench.InstanceGceSetupServiceAccountArray{
&workbench.InstanceGceSetupServiceAccountArgs{
Email: pulumi.String("my@service-account.com"),
},
},
BootDisk: &workbench.InstanceGceSetupBootDiskArgs{
DiskSizeGb: pulumi.String("310"),
DiskType: pulumi.String("PD_SSD"),
DiskEncryption: pulumi.String("CMEK"),
KmsKey: pulumi.String("my-crypto-key"),
},
DataDisks: &workbench.InstanceGceSetupDataDisksArgs{
DiskSizeGb: pulumi.String("330"),
DiskType: pulumi.String("PD_SSD"),
DiskEncryption: pulumi.String("CMEK"),
KmsKey: pulumi.String("my-crypto-key"),
},
NetworkInterfaces: workbench.InstanceGceSetupNetworkInterfaceArray{
&workbench.InstanceGceSetupNetworkInterfaceArgs{
Network: myNetwork.ID(),
Subnet: mySubnetwork.ID(),
NicType: pulumi.String("GVNIC"),
AccessConfigs: workbench.InstanceGceSetupNetworkInterfaceAccessConfigArray{
&workbench.InstanceGceSetupNetworkInterfaceAccessConfigArgs{
ExternalIp: static.Address,
},
},
},
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
"serial-port-logging-enable": pulumi.String("false"),
"enable-jupyterlab4": pulumi.String("false"),
},
ReservationAffinity: &workbench.InstanceGceSetupReservationAffinityArgs{
ConsumeReservationType: pulumi.String("RESERVATION_SPECIFIC"),
Key: pulumi.String("compute.googleapis.com/reservation-name"),
Values: pulumi.StringArray{
gpuReservation.Name,
},
},
EnableIpForwarding: pulumi.Bool(true),
Tags: pulumi.StringArray{
pulumi.String("abc"),
pulumi.String("def"),
},
},
DisableProxyAccess: pulumi.Bool(true),
InstanceOwners: pulumi.StringArray{
pulumi.String("example@example.com"),
},
Labels: pulumi.StringMap{
"k": pulumi.String("val"),
},
DesiredState: pulumi.String("ACTIVE"),
EnableThirdPartyIdentity: pulumi.Bool(true),
}, pulumi.DependsOn([]pulumi.Resource{
myNetwork,
mySubnetwork,
static,
actAsPermission,
gpuReservation,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myNetwork = new Gcp.Compute.Network("my_network", new()
{
Name = "wbi-test-default",
AutoCreateSubnetworks = false,
});
var mySubnetwork = new Gcp.Compute.Subnetwork("my_subnetwork", new()
{
Name = "wbi-test-default",
Network = myNetwork.Id,
Region = "us-central1",
IpCidrRange = "10.0.1.0/24",
});
var @static = new Gcp.Compute.Address("static", new()
{
Name = "wbi-test-default",
});
var actAsPermission = new Gcp.ServiceAccount.IAMBinding("act_as_permission", new()
{
ServiceAccountId = "projects/my-project-name/serviceAccounts/my@service-account.com",
Role = "roles/iam.serviceAccountUser",
Members = new[]
{
"user:example@example.com",
},
});
var gpuReservation = new Gcp.Compute.Reservation("gpu_reservation", new()
{
Name = "wbi-reservation",
Zone = "us-central1-a",
SpecificReservation = new Gcp.Compute.Inputs.ReservationSpecificReservationArgs
{
Count = 1,
InstanceProperties = new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesArgs
{
MachineType = "n1-standard-4",
GuestAccelerators = new[]
{
new Gcp.Compute.Inputs.ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs
{
AcceleratorType = "nvidia-tesla-t4",
AcceleratorCount = 1,
},
},
},
},
SpecificReservationRequired = true,
});
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n1-standard-4",
AcceleratorConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupAcceleratorConfigArgs
{
Type = "NVIDIA_TESLA_T4",
CoreCount = "1",
},
},
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = true,
EnableVtpm = true,
EnableIntegrityMonitoring = true,
},
DisablePublicIp = false,
ServiceAccounts = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupServiceAccountArgs
{
Email = "my@service-account.com",
},
},
BootDisk = new Gcp.Workbench.Inputs.InstanceGceSetupBootDiskArgs
{
DiskSizeGb = "310",
DiskType = "PD_SSD",
DiskEncryption = "CMEK",
KmsKey = "my-crypto-key",
},
DataDisks = new Gcp.Workbench.Inputs.InstanceGceSetupDataDisksArgs
{
DiskSizeGb = "330",
DiskType = "PD_SSD",
DiskEncryption = "CMEK",
KmsKey = "my-crypto-key",
},
NetworkInterfaces = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupNetworkInterfaceArgs
{
Network = myNetwork.Id,
Subnet = mySubnetwork.Id,
NicType = "GVNIC",
AccessConfigs = new[]
{
new Gcp.Workbench.Inputs.InstanceGceSetupNetworkInterfaceAccessConfigArgs
{
ExternalIp = @static.IPAddress,
},
},
},
},
Metadata =
{
{ "terraform", "true" },
{ "serial-port-logging-enable", "false" },
{ "enable-jupyterlab4", "false" },
},
ReservationAffinity = new Gcp.Workbench.Inputs.InstanceGceSetupReservationAffinityArgs
{
ConsumeReservationType = "RESERVATION_SPECIFIC",
Key = "compute.googleapis.com/reservation-name",
Values = new[]
{
gpuReservation.Name,
},
},
EnableIpForwarding = true,
Tags = new[]
{
"abc",
"def",
},
},
DisableProxyAccess = true,
InstanceOwners = new[]
{
"example@example.com",
},
Labels =
{
{ "k", "val" },
},
DesiredState = "ACTIVE",
EnableThirdPartyIdentity = true,
}, new CustomResourceOptions
{
DependsOn =
{
myNetwork,
mySubnetwork,
@static,
actAsPermission,
gpuReservation,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.Subnetwork;
import com.pulumi.gcp.compute.SubnetworkArgs;
import com.pulumi.gcp.compute.Address;
import com.pulumi.gcp.compute.AddressArgs;
import com.pulumi.gcp.serviceaccount.IAMBinding;
import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
import com.pulumi.gcp.compute.Reservation;
import com.pulumi.gcp.compute.ReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationArgs;
import com.pulumi.gcp.compute.inputs.ReservationSpecificReservationInstancePropertiesArgs;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupBootDiskArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupDataDisksArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupReservationAffinityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myNetwork = new Network("myNetwork", NetworkArgs.builder()
.name("wbi-test-default")
.autoCreateSubnetworks(false)
.build());
var mySubnetwork = new Subnetwork("mySubnetwork", SubnetworkArgs.builder()
.name("wbi-test-default")
.network(myNetwork.id())
.region("us-central1")
.ipCidrRange("10.0.1.0/24")
.build());
var static_ = new Address("static", AddressArgs.builder()
.name("wbi-test-default")
.build());
var actAsPermission = new IAMBinding("actAsPermission", IAMBindingArgs.builder()
.serviceAccountId("projects/my-project-name/serviceAccounts/my@service-account.com")
.role("roles/iam.serviceAccountUser")
.members("user:example@example.com")
.build());
var gpuReservation = new Reservation("gpuReservation", ReservationArgs.builder()
.name("wbi-reservation")
.zone("us-central1-a")
.specificReservation(ReservationSpecificReservationArgs.builder()
.count(1)
.instanceProperties(ReservationSpecificReservationInstancePropertiesArgs.builder()
.machineType("n1-standard-4")
.guestAccelerators(ReservationSpecificReservationInstancePropertiesGuestAcceleratorArgs.builder()
.acceleratorType("nvidia-tesla-t4")
.acceleratorCount(1)
.build())
.build())
.build())
.specificReservationRequired(true)
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n1-standard-4")
.acceleratorConfigs(InstanceGceSetupAcceleratorConfigArgs.builder()
.type("NVIDIA_TESLA_T4")
.coreCount("1")
.build())
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(true)
.enableVtpm(true)
.enableIntegrityMonitoring(true)
.build())
.disablePublicIp(false)
.serviceAccounts(InstanceGceSetupServiceAccountArgs.builder()
.email("my@service-account.com")
.build())
.bootDisk(InstanceGceSetupBootDiskArgs.builder()
.diskSizeGb("310")
.diskType("PD_SSD")
.diskEncryption("CMEK")
.kmsKey("my-crypto-key")
.build())
.dataDisks(InstanceGceSetupDataDisksArgs.builder()
.diskSizeGb("330")
.diskType("PD_SSD")
.diskEncryption("CMEK")
.kmsKey("my-crypto-key")
.build())
.networkInterfaces(InstanceGceSetupNetworkInterfaceArgs.builder()
.network(myNetwork.id())
.subnet(mySubnetwork.id())
.nicType("GVNIC")
.accessConfigs(InstanceGceSetupNetworkInterfaceAccessConfigArgs.builder()
.externalIp(static_.address())
.build())
.build())
.metadata(Map.ofEntries(
Map.entry("terraform", "true"),
Map.entry("serial-port-logging-enable", "false"),
Map.entry("enable-jupyterlab4", "false")
))
.reservationAffinity(InstanceGceSetupReservationAffinityArgs.builder()
.consumeReservationType("RESERVATION_SPECIFIC")
.key("compute.googleapis.com/reservation-name")
.values(gpuReservation.name())
.build())
.enableIpForwarding(true)
.tags(
"abc",
"def")
.build())
.disableProxyAccess(true)
.instanceOwners("example@example.com")
.labels(Map.of("k", "val"))
.desiredState("ACTIVE")
.enableThirdPartyIdentity(true)
.build(), CustomResourceOptions.builder()
.dependsOn(
myNetwork,
mySubnetwork,
static_,
actAsPermission,
gpuReservation)
.build());
}
}
resources:
myNetwork:
type: gcp:compute:Network
name: my_network
properties:
name: wbi-test-default
autoCreateSubnetworks: false
mySubnetwork:
type: gcp:compute:Subnetwork
name: my_subnetwork
properties:
name: wbi-test-default
network: ${myNetwork.id}
region: us-central1
ipCidrRange: 10.0.1.0/24
static:
type: gcp:compute:Address
properties:
name: wbi-test-default
actAsPermission:
type: gcp:serviceaccount:IAMBinding
name: act_as_permission
properties:
serviceAccountId: projects/my-project-name/serviceAccounts/my@service-account.com
role: roles/iam.serviceAccountUser
members:
- user:example@example.com
gpuReservation:
type: gcp:compute:Reservation
name: gpu_reservation
properties:
name: wbi-reservation
zone: us-central1-a
specificReservation:
count: 1
instanceProperties:
machineType: n1-standard-4
guestAccelerators:
- acceleratorType: nvidia-tesla-t4
acceleratorCount: 1
specificReservationRequired: true
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n1-standard-4
acceleratorConfigs:
- type: NVIDIA_TESLA_T4
coreCount: 1
shieldedInstanceConfig:
enableSecureBoot: true
enableVtpm: true
enableIntegrityMonitoring: true
disablePublicIp: false
serviceAccounts:
- email: my@service-account.com
bootDisk:
diskSizeGb: 310
diskType: PD_SSD
diskEncryption: CMEK
kmsKey: my-crypto-key
dataDisks:
diskSizeGb: 330
diskType: PD_SSD
diskEncryption: CMEK
kmsKey: my-crypto-key
networkInterfaces:
- network: ${myNetwork.id}
subnet: ${mySubnetwork.id}
nicType: GVNIC
accessConfigs:
- externalIp: ${static.address}
metadata:
terraform: 'true'
serial-port-logging-enable: 'false'
enable-jupyterlab4: 'false'
reservationAffinity:
consumeReservationType: RESERVATION_SPECIFIC
key: compute.googleapis.com/reservation-name
values:
- ${gpuReservation.name}
enableIpForwarding: true
tags:
- abc
- def
disableProxyAccess: 'true'
instanceOwners:
- example@example.com
labels:
k: val
desiredState: ACTIVE
enableThirdPartyIdentity: 'true'
options:
dependsOn:
- ${myNetwork}
- ${mySubnetwork}
- ${static}
- ${actAsPermission}
- ${gpuReservation}
The networkInterfaces property places the instance in a specific VPC and subnet, with a static external IP. The bootDisk and dataDisks properties configure storage size, type, and encryption using KMS keys. The instanceOwners property restricts access to specific users. The disablePublicIp property controls whether the instance gets a public IP (set to false here, allowing public access). This configuration depends on the network, subnet, static IP, IAM binding, and reservation being created first.
Enable confidential computing for sensitive workloads
Workloads processing sensitive data can use confidential computing to encrypt data in memory.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.workbench.Instance("instance", {
name: "workbench-instance",
location: "us-central1-a",
gceSetup: {
machineType: "n2d-standard-2",
shieldedInstanceConfig: {
enableSecureBoot: true,
enableVtpm: true,
enableIntegrityMonitoring: true,
},
metadata: {
terraform: "true",
},
confidentialInstanceConfig: {
confidentialInstanceType: "SEV",
},
},
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.workbench.Instance("instance",
name="workbench-instance",
location="us-central1-a",
gce_setup={
"machine_type": "n2d-standard-2",
"shielded_instance_config": {
"enable_secure_boot": True,
"enable_vtpm": True,
"enable_integrity_monitoring": True,
},
"metadata": {
"terraform": "true",
},
"confidential_instance_config": {
"confidential_instance_type": "SEV",
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workbench"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workbench.NewInstance(ctx, "instance", &workbench.InstanceArgs{
Name: pulumi.String("workbench-instance"),
Location: pulumi.String("us-central1-a"),
GceSetup: &workbench.InstanceGceSetupArgs{
MachineType: pulumi.String("n2d-standard-2"),
ShieldedInstanceConfig: &workbench.InstanceGceSetupShieldedInstanceConfigArgs{
EnableSecureBoot: pulumi.Bool(true),
EnableVtpm: pulumi.Bool(true),
EnableIntegrityMonitoring: pulumi.Bool(true),
},
Metadata: pulumi.StringMap{
"terraform": pulumi.String("true"),
},
ConfidentialInstanceConfig: &workbench.InstanceGceSetupConfidentialInstanceConfigArgs{
ConfidentialInstanceType: pulumi.String("SEV"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.Workbench.Instance("instance", new()
{
Name = "workbench-instance",
Location = "us-central1-a",
GceSetup = new Gcp.Workbench.Inputs.InstanceGceSetupArgs
{
MachineType = "n2d-standard-2",
ShieldedInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupShieldedInstanceConfigArgs
{
EnableSecureBoot = true,
EnableVtpm = true,
EnableIntegrityMonitoring = true,
},
Metadata =
{
{ "terraform", "true" },
},
ConfidentialInstanceConfig = new Gcp.Workbench.Inputs.InstanceGceSetupConfidentialInstanceConfigArgs
{
ConfidentialInstanceType = "SEV",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workbench.Instance;
import com.pulumi.gcp.workbench.InstanceArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupShieldedInstanceConfigArgs;
import com.pulumi.gcp.workbench.inputs.InstanceGceSetupConfidentialInstanceConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new Instance("instance", InstanceArgs.builder()
.name("workbench-instance")
.location("us-central1-a")
.gceSetup(InstanceGceSetupArgs.builder()
.machineType("n2d-standard-2")
.shieldedInstanceConfig(InstanceGceSetupShieldedInstanceConfigArgs.builder()
.enableSecureBoot(true)
.enableVtpm(true)
.enableIntegrityMonitoring(true)
.build())
.metadata(Map.of("terraform", "true"))
.confidentialInstanceConfig(InstanceGceSetupConfidentialInstanceConfigArgs.builder()
.confidentialInstanceType("SEV")
.build())
.build())
.build());
}
}
resources:
instance:
type: gcp:workbench:Instance
properties:
name: workbench-instance
location: us-central1-a
gceSetup:
machineType: n2d-standard-2
shieldedInstanceConfig:
enableSecureBoot: true
enableVtpm: true
enableIntegrityMonitoring: true
metadata:
terraform: 'true'
confidentialInstanceConfig:
confidentialInstanceType: SEV
The confidentialInstanceConfig property enables AMD SEV encryption, protecting data while it’s being processed. This requires specific machine types (n2d series) and shielded VM settings. The shieldedInstanceConfig must enable all three protections (secure boot, vTPM, integrity monitoring) for confidential computing to work.
Beyond these examples
These snippets focus on specific Workbench instance features: container and VM image selection, GPU acceleration and compute reservations, and networking, storage encryption, and confidential computing. They’re intentionally minimal rather than full notebook deployments.
The examples may reference pre-existing infrastructure such as VPC networks and subnets, service accounts and IAM bindings, and compute reservations, static IP addresses, or KMS keys. They focus on configuring the instance rather than provisioning everything around it.
To keep things focused, common instance patterns are omitted, including:
- Managed end user credentials (enableManagedEuc)
- Third-party identity provider integration (enableThirdPartyIdentity)
- Proxy access configuration (disableProxyAccess)
- Boot disk and data disk sizing beyond encryption
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in notebook modules. See the Workbench Instance resource reference for all available configuration options.
Let's deploy GCP Vertex AI Workbench Instances
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Instance Lifecycle & Configuration
What properties can't I change after creating my Workbench instance?
The following properties are immutable:
location, name, project, disableProxyAccess, instanceId, and instanceOwners. Changes to these fields require recreating the instance.How do I start or stop my Workbench instance?
Set
desiredState to ACTIVE to start the instance or STOPPED to stop it.What's the difference between using a container image and a VM image?
You can configure
gceSetup.containerImage with a repository and tag (e.g., from us-docker.pkg.dev), or use gceSetup.vmImage with a project and family (e.g., cloud-notebooks-managed/workbench-instances).GPU & Compute Resources
How do I configure a GPU for my Workbench instance?
Configure
gceSetup.acceleratorConfigs with the GPU type (e.g., NVIDIA_TESLA_T4) and coreCount. You’ll also need to create a compute reservation and reference it using dependsOn.Why do I need to create a GPU reservation before my instance?
GPU-enabled instances should depend on compute reservation resources to ensure proper resource allocation. Use
dependsOn: [gpuReservation] to establish this dependency.How do I configure a specific reservation for my instance?
Set
gceSetup.reservationAffinity.consumeReservationType to RESERVATION_SPECIFIC, provide the key compute.googleapis.com/reservation-name, and specify the reservation name in values.Access Control & Permissions
What does setting instanceOwners do?
Setting
instanceOwners restricts access to a single user (format: alias@example.com) and sets the access mode to single-user. This field is immutable and input-only.What IAM permissions do I need to set instance owners?
The user specified in
instanceOwners must have roles/iam.serviceAccountUser on the VM instance’s service account. Create an IAM binding granting this role before setting instanceOwners.Security & Encryption
How do I enable disk encryption with customer-managed keys?
Set
diskEncryption to CMEK and specify your kmsKey in both gceSetup.bootDisk and gceSetup.dataDisks.How do I enable confidential computing?
Use an N2D machine type (e.g.,
n2d-standard-2), enable all shieldedInstanceConfig options (enableSecureBoot, enableVtpm, enableIntegrityMonitoring), and set confidentialInstanceConfig.confidentialInstanceType to SEV.Labels & Metadata
Why aren't all my labels showing up in the labels field?
The
labels field is non-authoritative and only manages labels in your configuration. To see all labels on the resource (including those set by other clients), use the effectiveLabels output property.Using a different cloud?
Explore analytics guides for other cloud providers: