Optionally create a Compute Engine instance for the ABFS example deployment.

PiperOrigin-RevId: 804745962

Author: Android Build Filesystem (ABFS) Team

examples/simple/compute.tf

@@ -0,0 +1,92 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "google_compute_instance" "abfs_client" {
+  count = var.create_client_instance_resource ? 1 : 0
+
+  project             = var.project_id
+  name                = var.abfs_client_config.name
+  zone                = var.zone
+  can_ip_forward      = var.abfs_client_config.can_ip_forward
+  deletion_protection = var.abfs_client_config.deletion_protection
+  enable_display      = var.abfs_client_config.enable_display
+  machine_type        = var.abfs_client_config.machine_type
+  boot_disk {
+    auto_delete = true
+    device_name = var.abfs_client_config.name
+    initialize_params {
+      image = format(
+        "projects/%s/global/images/%s",
+        var.abfs_client_config.image_project,
+        var.abfs_client_config.image_name
+      )
+      size = var.abfs_client_config.size
+      type = var.abfs_client_config.type
+    }
+    mode = "READ_WRITE"
+  }
+  metadata = var.abfs_client_config.enable_oslogin ? {
+    enable-osconfig = "TRUE"
+    enable-oslogin  = "true"
+  } : {}
+  network_interface {
+    access_config {
+      network_tier = "PREMIUM"
+    }
+    queue_count = 0
+    stack_type  = "IPV4_ONLY"
+    subnetwork  = module.abfs_vpc.subnets["${var.region}/${var.abfs_subnet_name}"].self_link
+  }
+  scheduling {
+    automatic_restart   = var.abfs_client_config.automatic_restart
+    on_host_maintenance = var.abfs_client_config.preemptible ? "TERMINATE" : "MIGRATE"
+    preemptible         = var.abfs_client_config.preemptible
+    provisioning_model  = var.abfs_client_config.preemptible ? "SPOT" : "STANDARD"
+  }
+  service_account {
+    email  = local.abfs_service_account_email
+    scopes = var.abfs_client_config.scopes
+  }
+  shielded_instance_config {
+    enable_integrity_monitoring = var.abfs_client_config.shielded_instance_config.enable_integrity_monitoring
+    enable_secure_boot          = var.abfs_client_config.shielded_instance_config.enable_secure_boot
+    enable_vtpm                 = var.abfs_client_config.shielded_instance_config.enable_vtpm
+  }
+}
+
+module "ops_agent_policy" {
+  count = var.create_client_instance_resource ? 1 : 0
+
+  source = "github.com/terraform-google-modules/terraform-google-cloud-operations/modules/ops-agent-policy?ref=v0.6.0"
+
+  project = google_compute_instance.abfs_client[0].project
+  zone    = google_compute_instance.abfs_client[0].zone
+  assignment_id = format(
+    "goog-ops-agent-%s-%s",
+    var.abfs_client_config.goog_ops_agent_policy,
+    google_compute_instance.abfs_client[0].zone
+  )
+  agents_rule = {
+    package_state = "installed"
+    version       = "latest"
+  }
+  instance_filter = {
+    all = false
+    inclusion_labels = [{
+      labels = {
+        goog-ops-agent-policy = var.abfs_client_config.goog_ops_agent_policy
+      }
+    }]
+  }
+}

examples/simple/dns.tf

@@ -46,7 +46,7 @@ module "cloud-dns-private-google-apis" {
   type        = "private"
 
   private_visibility_config_networks = [
-    module.abfs-vpc.network_id
+    module.abfs_vpc.network_id
   ]
 
   recordsets = [
@@ -79,7 +79,7 @@ module "cloud-dns-private-artifact-registry" {
   type        = "private"
 
   private_visibility_config_networks = [
-    module.abfs-vpc.network_id
+    module.abfs_vpc.network_id
   ]
 
   recordsets = [
@@ -112,7 +112,7 @@ module "source-repositories-private-artifact-registry" {
   type        = "private"
 
   private_visibility_config_networks = [
-    module.abfs-vpc.network_id
+    module.abfs_vpc.network_id
   ]
 
   recordsets = [

examples/simple/main.tf

@@ -28,7 +28,7 @@ module "abfs_server" {
   project_id                          = data.google_project.project.project_id
   zone                                = var.zone
   service_account_email               = local.abfs_service_account_email
-  subnetwork                          = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
+  subnetwork                          = module.abfs_vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri               = var.abfs_docker_image_uri
   abfs_license                        = var.abfs_license
   abfs_bucket_location                = var.abfs_bucket_location
@@ -43,7 +43,7 @@ module "abfs_uploaders" {
   project_id                            = data.google_project.project.project_id
   zone                                  = var.zone
   service_account_email                 = local.abfs_service_account_email
-  subnetwork                            = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
+  subnetwork                            = module.abfs_vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri                 = var.abfs_docker_image_uri
   abfs_gerrit_uploader_count            = var.abfs_gerrit_uploader_count
   abfs_gerrit_uploader_machine_type     = var.abfs_gerrit_uploader_machine_type

examples/simple/network.tf

@@ -12,12 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-module "abfs-vpc" {
+moved {
+  from = module.abfs-vpc
+  to   = module.abfs_vpc
+}
+
+module "abfs_vpc" {
   source  = "terraform-google-modules/network/google"
   version = "9.2.0"
 
   project_id   = data.google_project.project.project_id
-  network_name = "abfs-network"
+  network_name = var.abfs_network_name
   routing_mode = "GLOBAL"
 
   firewall_rules = [
@@ -80,9 +85,9 @@ module "abfs-vpc" {
 
   subnets = [
     {
-      subnet_name           = "abfs-subnet"
-      subnet_ip             = "10.2.0.0/16"
-      subnet_private_access = "true"
+      subnet_name           = var.abfs_subnet_name
+      subnet_ip             = var.abfs_subnet_ip
+      subnet_private_access = var.abfs_subnet_private_access
       subnet_region         = var.region
     }
   ]
@@ -95,7 +100,7 @@ module "abfs-vpc" {
 resource "google_compute_router" "nat_router" {
   project = var.project_id
   name    = "natgw-router"
-  network = module.abfs-vpc.network_self_link
+  network = module.abfs_vpc.network_self_link
   region  = var.region
 }
 

examples/simple/terraform.tfvars.example

@@ -45,6 +45,16 @@ abfs_spanner_database_create_tables = true
 
 #alert_notification_email = "[email protected]"
 
+# Whether to create the example GCE instance for testing ABFS.
+#create_client_instance_resource = true
+
+# Example override for the client instance configuration.
+# Note: You only need to include keys you want to override from the defaults in variables.tf.
+# abfs_client_config = {
+#   name                  = "my-abfs-client"
+#   machine_type          = "e2-standard-16"
+# }
+
 create_cloud_workstation_resources = true
 cws_clusters = {
   "cws-abfs-cluster" = {
@@ -66,7 +76,9 @@ cws_configs = {
     persistent_disk_fs_type        = "ext4"
     persistent_disk_type           = "pd-ssd"
     persistent_disk_reclaim_policy = "RETAIN"
-    creators                       = ["[email protected]"]
+    creators                       = [
+      # "[email protected]",
+    ]
     instances                      = [
       {
         name  = "cws-abfs-instance"
@@ -75,3 +87,14 @@ cws_configs = {
     ]
   }
 }
+
+# Example for custom images for Cloud Workstations.
+# The key of the map is the name of the image to be built.
+cws_custom_images = {
+  "asfp" = {
+    # Optional: The region for the Cloud Scheduler job, defaults to the region of the Cloud Build trigger.
+    scheduler_region = "europe-west1"
+    # Optional: The schedule for the image rebuild, defaults to daily at 3 AM.
+    ci_schedule      = "0 3 * * *"
+  }
+}

examples/simple/variables.tf

@@ -19,12 +19,36 @@ variable "project_id" {
 
 variable "region" {
   type        = string
-  description = "Region for ABFS servers"
+  description = "Region for ABFS resources"
 }
 
 variable "zone" {
   type        = string
-  description = "Zone for ABFS servers"
+  description = "Zone for ABFS resources"
+}
+
+variable "abfs_network_name" {
+  type        = string
+  description = "Name of the ABFS network"
+  default     = "abfs-network"
+}
+
+variable "abfs_subnet_name" {
+  type        = string
+  description = "Name of the ABFS subnetwork"
+  default     = "abfs-subnet"
+}
+
+variable "abfs_subnet_ip" {
+  type        = string
+  description = "IP range for the ABFS subnetwork"
+  default     = "10.2.0.0/16"
+}
+
+variable "abfs_subnet_private_access" {
+  type        = bool
+  description = "Enable private Google access for the ABFS subnetwork"
+  default     = true
 }
 
 variable "abfs_docker_image_uri" {
@@ -74,6 +98,59 @@ variable "abfs_gerrit_uploader_manifest_server" {
   default     = "android.googlesource.com"
 }
 
+variable "abfs_client_config" {
+  type = object({
+    name                  = string
+    machine_type          = string
+    image_project         = string
+    image_name            = string
+    size                  = number
+    type                  = string
+    scopes                = list(string)
+    goog_ops_agent_policy = string
+    preemptible           = bool
+    automatic_restart     = bool
+    enable_oslogin        = bool
+    can_ip_forward        = bool
+    deletion_protection   = bool
+    enable_display        = bool
+    shielded_instance_config = object({
+      enable_integrity_monitoring = bool
+      enable_secure_boot          = bool
+      enable_vtpm                 = bool
+    })
+  })
+  description = "Configuration for the ABFS client compute instance."
+  default = {
+    name          = "abfs-client"
+    machine_type  = "n1-standard-8"
+    image_project = "ubuntu-os-cloud"
+    image_name    = "ubuntu-minimal-2404-noble-amd64-v20250818"
+    size          = 2000
+    type          = "pd-ssd"
+    scopes = [
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/servicecontrol",
+      "https://www.googleapis.com/auth/trace.append"
+    ]
+    goog_ops_agent_policy = "v2-x86-template-1-4-0"
+    preemptible           = true
+    automatic_restart     = false
+    enable_oslogin        = true
+    can_ip_forward        = false
+    deletion_protection   = false
+    enable_display        = false
+    shielded_instance_config = {
+      enable_integrity_monitoring = true
+      enable_secure_boot          = false
+      enable_vtpm                 = true
+    }
+  }
+}
+
 # If you don't have an ABFS license yet, leave this empty and run terraform apply.
 # Submit the output via the Early Access Program (EAP) form.
 # When you received a license, insert it in your terraform.tfvars file and run terraform apply again.
@@ -134,6 +211,12 @@ variable "create_dns_zones" {
   default     = true
 }
 
+variable "create_client_instance_resource" {
+  type        = bool
+  description = "Whether to create a Google Cloud Engine compute instance for an ABFS client"
+  default     = false
+}
+
 variable "create_cloud_workstation_resources" {
   type        = bool
   description = "Whether to create Cloud Workstation resources"