In the previous Terraform lab, I created a private Compute Engine VM using module composition. The VM was created from a reusable gcp-vm module, while the network was created from a reusable gcp-network module.

That lab helped me understand this pattern:

```
network module output -> root module -> VM module input
```

For this lab, I wanted to improve the access pattern. Previously, the VM already had:

- no external IP
- an IAP SSH firewall rule
- the iap-ssh network tag

However, that was only half of the private access story. In this lab, I wanted to make the private VM access pattern more complete by adding:

- custom VM service account
- OS Login
- IAP TCP forwarding access
- IAM bindings
- startup script verification
- SSH access through IAP

The goal was to move from:

```
VM exists
```

to:

VM exists, has no external IP, and can be accessed in a controlled way through IAP.…