Cloud

GCP Create SSL Certificate

by Ulysses · Jun 13, 2021

gcloud compute ssl-certificates create certificate-name \
--description="ssl cert for domain-name.com" \
--domains=domain-name.com \
--certificate=certificate-file \
--private-key=private-key \
--region=us-central1-c \
--global

GCP Update Instance Metadata

by Ulysses · Jun 13, 2021

How to update an instance metadata in GCP.

gcloud compute instances add-metadata instance-name \
--metadata key-name=value \
--project data-intg-svc-pr-cah \
--zone us-central1-a

GCP Reserve Alias IP

by Ulysses · Jun 13, 2021

Make an IP alias reservation.

gcloud compute instances network-interfaces update instance-name \
--zone us-central1-c \
--aliases default:/32 \
--project project-id

Terraform GCP Firewall

by Ulysses · Jun 6, 2021

How to create GCP firewall via Terraform.

Ingress

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "INGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"]
    source_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

Egress

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "EGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"]
    destination_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

Service account to Service account.

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "INGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    source_service_accounts = ["source-service-account-compute@developer.gserviceaccount.com"]
    target_service_accounts = ["target-service-account-compute@developer.gserviceaccount.com"]
    source_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

GCP Instance Scheduler

by Ulysses · May 28, 2021

GCP recently added Instance Schedule to its console.

To configure, perform the following.

– Create an instance schedule.
– Add instance(s) to a schedule.
– If no errors, the service account has the correct permissions.

The service account used by Instance Schedule is owned by GCP and is not visible in the GCP console.

If service account has no permissions, the you must perform the following.

– Create a custom role with compute.instances.start and compute.instances.stop permissions.
– Add custom role to the service account.

Finally, validate instances are starting and stopping based on schedule.