# DIY & Terraform

:::info
Ensure you've visited our [marketplace page](https://console.cloud.google.com/marketplace/details/chasersystems-public/discriminat) and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.
:::

## IMAGE IDENTIFIERS

| key     | value                |
| ------- | -------------------- |
| family  | discriminat          |
| project | chasersystems-public |

## DEPLOYMENT ESSENTIALS

For effective functioning, DiscrimiNAT will need:

1. A machine type with at least 2 vCPU and 2 GiB RAM. An `e2-small` should suffice where throughput requirements are basic and allowlists small. Otherwise an `n2-highcpu-2` makes a good choice for constant throughput. [Talk to our DevSecOps](/support/) to get the sizing right.
1. A service account that can read/write compute metadata, and write to logging and monitoring:
   ```yaml
   serviceAccounts:
       - email: <project_number>-compute@developer.gserviceaccount.com
         scopes:
           - https://www.googleapis.com/auth/compute
           - https://www.googleapis.com/auth/logging.write
           - https://www.googleapis.com/auth/monitoring.write
   ```
1. Ability to forward IP packets with the `canIpForward` property turned on.
1. A public IP.
1. SSD disk type is recommended.

When deploying the instance(s), you may configure high availability through a Managed Instance Group (see the reference implementation [here](https://github.com/ChaserSystems/terraform-google-discriminat-ilb/blob/main/discriminat.tf#L300)), along with routing and tagging to suit your desired architecture. For example, the route to the Internet for instances without a public IP will be for destination `0.0.0.0/0` and should pass through the DiscrimiNAT instance, whether by tagging or by internal load-balancing.
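A minimal DIY layout that satisfies the essentials above, added here as an example and not code from ChaserSystems' modules: the image family and project are taken from the identifiers table, while the instance name, zone, subnetwork, VPC name and network tags are assumptions for illustration.

```hcl
# Added example (not ChaserSystems' module code). Resource names, zone,
# subnetwork, VPC and network tags are assumptions.

# Resolve the latest image in the "discriminat" family (from the identifiers table).
data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

# Used to build the default compute service account e-mail from the project number.
data "google_project" "this" {}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat-1"   # assumed name
  machine_type = "e2-small"        # >= 2 vCPU / 2 GiB; n2-highcpu-2 for constant throughput
  zone         = "europe-west2-a"  # assumed zone

  # Required: DiscrimiNAT forwards packets on behalf of other instances.
  can_ip_forward = true

  boot_disk {
    initialize_params {
      image = data.google_compute_image.discriminat.self_link
      type  = "pd-ssd"             # SSD disk type is recommended
    }
  }

  network_interface {
    subnetwork = "assumed-subnet"  # assumed existing subnetwork
    access_config {}               # ephemeral public IP (required)
  }

  # Scopes from the DEPLOYMENT ESSENTIALS list: compute read/write,
  # logging write and monitoring write.
  service_account {
    email = "${data.google_project.this.number}-compute@developer.gserviceaccount.com"
    scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
    ]
  }

  tags = ["discriminat"]           # assumed tag for the appliance itself
}

# Tag-based routing: instances carrying the assumed tag "egress-via-discriminat"
# (and no public IP of their own) send 0.0.0.0/0 via the DiscrimiNAT instance.
# Priority 900 takes precedence over the default internet route (priority 1000).
resource "google_compute_route" "egress_via_discriminat" {
  name              = "egress-via-discriminat"
  network           = "assumed-vpc"  # assumed existing VPC
  dest_range        = "0.0.0.0/0"
  priority          = 900
  next_hop_instance = google_compute_instance.discriminat.self_link
  tags              = ["egress-via-discriminat"]
}
```

The route deliberately matches a different tag from the one on the appliance, so the DiscrimiNAT instance keeps the VPC's own default route and does not forward its traffic back to itself; for the load-balanced variant, the ILB module referenced above replaces `next_hop_instance` with an internal load balancer next hop.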

**For monitoring the logs and configuring the FQDN-based firewall egress rules, see the [logs](/docs/discriminat/gcp/logs-ref/) and [config](/docs/discriminat/gcp/config-ref/) references.**

## TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working [modules at the Terraform Registry](https://registry.terraform.io/namespaces/ChaserSystems), which include **preconfigured high-availability** and further examples. In fact, one of the examples extends from the canonical [terraform-google-modules/network/google](https://registry.terraform.io/modules/terraform-google-modules/network/google/) module at the registry.

You will find [two modules](https://registry.terraform.io/namespaces/ChaserSystems) relevant to Google Cloud at the registry, which can be briefly described as:

### discriminat-ilb

Architecture with internal TCP load balancers as next hops set as the default route, and tag-based opt-out control.

### discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

:::info
Drop us an email at `devsecops@chasersystems.com` to receive quarterly version update release notes one week prior to GA, or to arrange a demo, best-practices guidance and an architecture review.
:::

## gcloud CLI EXAMPLE

### Lookup

```shell
gcloud compute images describe-from-family  \
  --format="value(selfLink)"                   \
  --project chasersystems-public               \
  discriminat
```
