Adding Update

.gitignore

@@ -1,9 +1,39 @@
-sambit.pem
-google-93274b98dc61.json
-.terraform/plugins/windows_amd64/terraform-provider-google_v3.18.0_x5.exe
-.terraform/plugins/windows_amd64/terraform-provider-random_v2.2.1_x4.exe
-terraform.tfstate
-.terraform/plugins/windows_amd64/lock.json
-terraform.tfstate.backup
-sambit.pub
-.terraform.tfstate.lock.info
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Ignore keys
+*.pem
+*.pub
+*.json

main.tf

@@ -1,67 +1,84 @@
+
+data "google_compute_image" "ubuntu" {
+  family  = "ubuntu-minimal-2404-lts-amd64"
+  project = "ubuntu-os-cloud"
+}
+
 resource "random_id" "instance_id" {
-  byte_length = 8
+  byte_length = 4
 }
 
-resource "google_compute_instance" "default" {
-#   name         = "vm-${random_id.instance_id.hex}"
-  # count        = 1
-  name         = "ubuntu-server"
-  machine_type = "n1-custom-4-4096"
-  zone         = "us-central1-a"
-
+resource "google_compute_address" "static_ip" {
+  name   = "prod-vm-ip"
+  region = var.region
+}
+
+resource "google_compute_instance" "prod_vm" {
+  name         = "vm-${random_id.instance_id.hex}"
+  machine_type = "e2-medium"
+  zone         = var.zone
 
   boot_disk {
     initialize_params {
-      image = "ubuntu-os-cloud/ubuntu-2004-lts"
+      image = data.google_compute_image.ubuntu.self_link
       type  = "pd-ssd"
       size  = 20
     }
   }
 
+  metadata_startup_script = <<-EOT
+    #!/bin/bash
+    apt-get update -y
+    apt-get dist-upgrade -y
+    apt-get install -y apache2 certbot python3-certbot-apache ufw
+
+    # Allow HTTP and HTTPS via firewall (ufw)
+    ufw allow OpenSSH
+    ufw allow 'Apache Full'
+    ufw --force enable
+
+    # Replace this with your domain
+    DOMAIN_NAME="${var.domain_name}"
 
-  metadata_startup_script = "sudo apt-get update -y  && sudo apt-get upgrade -y && sudo apt autoremove -y && sudo apt-get install apache2 -y && echo '<!doctype html><html><body><h1>Hello from Terraform on Google Cloud!</h1></body></html>' | sudo tee /var/www/html/index.html"
+    # Configure HTTPS with Certbot if domain is set
+    if [ ! -z "$DOMAIN_NAME" ]; then
+      certbot --apache -d "$DOMAIN_NAME" --non-interactive --agree-tos -m admin@$DOMAIN_NAME
+    fi
 
- metadata = {
-    ssh-keys = "sambit:${file("sambit.pub")}"
+    echo '<!doctype html><html><body><h1>Hello from secure Terraform VM!</h1></body></html>' > /var/www/html/index.html
+    systemctl restart apache2
+  EOT
+
+  metadata = {
+    ssh-keys = "${var.ssh_user}:${file(pathexpand(var.ssh_key_path))}"
   }
 
   scheduling {
-  preemptible = true
-  automatic_restart = false
-  on_host_maintenance = false
+    preemptible        = var.preemptible
+    automatic_restart  = false
+    on_host_maintenance = "TERMINATE"
   }
 
   network_interface {
     network = "default"
 
     access_config {
-      // Include this section to give the VM an external ip address
+      nat_ip = google_compute_address.static_ip.address
     }
   }
 
-  // Apply the firewall rule to allow external IPs to access this instance
-  tags = ["http-server"]
+  tags = ["http-server", "https-server"]
 }
 
-resource "google_compute_firewall" "http-server" {
-  name    = "default-allow-http"
+resource "google_compute_firewall" "allow_http_https_ssh" {
+  name    = "allow-http-https-ssh"
   network = "default"
 
-  allow {
-    protocol = "icmp"
-  }
-
   allow {
     protocol = "tcp"
-    ports    = ["80", "443", "111" , "8080"]
+    ports    = ["22", "80", "443"]
   }
 
-  // Allow traffic from everywhere to instances with an http-server tag
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = ["http-server"]
+  source_ranges = var.allowed_ssh_ranges
+  target_tags   = ["http-server", "https-server"]
 }
-
-
-output "Instance-ip" {
-  value = "${google_compute_instance.default.network_interface.0.access_config.0.nat_ip}"
-}

outputs.tf

@@ -0,0 +1,11 @@
+output "instance_name" {
+  value = google_compute_instance.prod_vm.name
+}
+
+output "instance_ip" {
+  value = google_compute_address.static_ip.address
+}
+
+output "ssh_command" {
+  value = "ssh -i ~/.ssh/id_rsa ${var.ssh_user}@${google_compute_address.static_ip.address}"
+}

providers.tf

@@ -1,5 +1,5 @@
 provider "google" {
-  credentials = file("google-93274b98dc61.json")
-  project     = "gcp-sam"
-  region      = "us-central1"
+  project = var.project
+  region  = var.region
+  zone    = var.zone
 }

ssh_key.txt

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiHvcIIHv9yym1oboZh+TVbXLoGTV2Zs8oduwyj8Lta1IUlpba+4CZvRT3NMsFh8VBmRDiCi1mXnPhyF2ipZ8EuzROJIsRZAGX4U6oA5mBuQQAqHeSvXwiitUR7eYnSpFiI115kZwoRi+bL5qee8SDrpBQZxuUn+gZBRRzRoD5wQ6y41rb4CmEGu9k9nE2lTPk3AhuXrnq0X8RN4vPo2rdJTjhiDfVSXPxcZtV2m5c64t9iBL1f1j0U/HaqHVXVT93dTRxUGdGqCiqtPZJgP9xdNmLzOHLGgi6I9HT2D4CmodiYDkhNTWhgufGsrg5Q26J1dKUSdRexP0geBAylptHw== sambit

terraform.tfvars

@@ -0,0 +1 @@
+project = "gcp-sam"

variables.tf

@@ -0,0 +1,41 @@
+variable "project" {
+  description = "Google Cloud project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "Region"
+  default     = "us-central1"
+}
+
+variable "zone" {
+  description = "Zone"
+  default     = "us-central1-a"
+}
+
+variable "ssh_user" {
+  description = "SSH username"
+  default     = "ubuntu"
+}
+
+variable "ssh_key_path" {
+  description = "Path to your public SSH key (e.g., ~/.ssh/id_rsa.pub)"
+  default     = "ssh_key.txt"
+}
+
+variable "domain_name" {
+  description = "Domain name for TLS (leave empty if not using)"
+  default     = ""
+}
+
+variable "preemptible" {
+  description = "Use preemptible instance?"
+  type        = bool
+  default     = false
+}
+
+variable "allowed_ssh_ranges" {
+  description = "List of IP ranges allowed to SSH into the instance"
+  type        = list(string)
+  default     = ["0.0.0.0/0"] # Change this to your IP range for security
+}