Skip to main content

I want to launch individual Google CLOUD WORKSTATIONS when CODITECT CUSTOMERS SIGN UP. the Google CLOUD WORKSTATIONS will be either single or multi-tenant multi-user depending on the CODITECT CUSTOMER desired shared project spaces desired. DETERMINE the optimal way to manage, launch, provide CODITECT licensed access to each CODITECT customer Google CLOUD WORKSTATION with a CODITECT coditect-core licensed instance in each.

You want a per‑tenant “dev pod” on Google Cloud Workstations that Coditect provisions at signup, with Coditect‑core licensed and enforced inside each environment. A clean way to do this is: Coditect owns the control plane (tenants, users, licensing, projects/IAM), and Cloud Workstations is treated as an internal runtime that your control plane drives via API, with one or more workstation configs per Coditect plan and IAM‑based single vs multi‑tenant sharing.

High‑level architecture

  • Coditect control plane
    • Tenant + seat directory in your core SaaS (Postgres/Spanner etc.) holds: tenant_id, plan, seats, “workspace topology” (single‑user vs shared workspace), region.
    • Background or event‑driven “env‑provisioner” service in GCP (Cloud Run/GKE) that reacts to TenantCreated, UserInvited, PlanChanged events and calls Cloud Workstations + IAM APIs.12
  • Workstations layer (per environment/region)
    • One or a small set of workstation clusters per region (for Coditect, likely per environment: workstations-prod-us, workstations-prod-eu).1
    • Multiple workstation configs per cluster, representing SKUs: e.g., coditect-small, coditect-large, coditect-shared-team, all based on Coditect‑custom images that embed coditect-core + bootstrap licensing agent.32
  • Tenancy model
    • Default: 1 user ↔ 1 workstation (safer, simpler audit, maps to “developer seat”).
    • Shared project spaces: implemented as shared Git/orgs and shared storage, while still using 1:1 workstations; use true multi‑user workstations only for explicitly requested “team VM” patterns and treat them as exceptions with tighter controls.45

Single vs multi‑tenant workstation patterns

  • Workstation per seat
    • For each active seat, env‑provisioner ensures exactly one workstation resource exists in a config that matches plan + region.
    • Use labels like tenant_id, user_id, plan, coditect_env on workstation resources for tracking and billing.61
  • Access control
    • Grant roles/workstations.user on the workstation config to a Google Group representing “all developers in tenant X”, or bind per user on the workstation resource if you want fine‑grained control.24
    • Access is entirely IAM‑driven: only identities with roles/workstations.user on that workstation/config can start/stop/connect.[ ]4

Multi‑user / shared workstations (optional)

  • Shared “team” workstation
    • Create a special config coditect-shared-team with larger VM type and hardened base image.
    • Env‑provisioner creates one workstation per tenant team (e.g., per project or per Git org) and binds roles/workstations.user for multiple identities or a Google Group (tenant-X-devs) to that single workstation resource.741
  • Constraints and tradeoffs
    • Everyone uses the same OS user inside the dev container by default; this is acceptable for “pairing/lab” cases, but not for strict per‑developer isolation.54
    • For regulated tenants, strongly favor “shared repos, separate workstations” instead of “shared workstation”.89

Coditect‑core licensing inside workstations

Treat coditect‑core as a licensed sidecar/daemon in the dev image, with a central license server that issues short‑lived JWTs per tenant/seat (what you already sketched). The goal: when the workstation comes up, coditect‑core obtains and enforces a license that is scoped to tenant_id, seat, and plan.10

  • Base image strategy
    • Build Coditect workstation base images as container images (or VM images if using non‑container configs) that include: coditect-core binary, licensing agent, and bootstrap script.
    • Reference these images in workstation configs (container.image), so every workstation from those configs has coditect‑core available on first boot.32
  • License handshake flow (per workstation)
    • On workstation startup (or first coditect-core use), bootstrap script:
      • Reads environment variables/metadata injected via workstation config (e.g., TENANT_ID, PLAN, WORKSTATION_ID).2
      • Uses mTLS to call the Coditect license server (/v1/license/issue) with tenant_id, seat_id, workstation_id, and features.10
      • Receives a short‑TTL JWT with claims like { tenant_id, seat_id, plan, features, max_concurrent_jobs, exp } and caches it locally.
    • Coditect-core enforces this token on each operation (API calls, job scheduling). On expiration, the agent refreshes via /v1/license/refresh. On revoke, server stops issuing/refreshing; agent fails closed.10
  • License scoping for shared workstations
    • For multi‑user workstations, tie license to tenant_id + project_id (Coditect project space) rather than individual seat, and enforce concurrency limits at the Coditect‑core level (e.g., max_concurrent_jobs, max_active_sessions).10
    • Maintain per‑user attribution via Coditect auth inside the IDE (e.g., Coditect plugin that identifies the human user and passes a user‑scoped sub‑token or header to coditect‑core).

Lifecycle and automation at customer signup

Tenant signup → environment creation

Your env‑provisioner service should implement an idempotent “ensure dev env” workflow:

  1. Tenant created / plan selected
    • Coditect SaaS emits TenantCreated (with tenant_id, plan, region, seats, workspace_mode: {per-user, shared}) into Pub/Sub or similar.
    • Env‑provisioner consumes event and maps plan → workstation config IDs (e.g., plan_basiccoditect-small, plan_enterprisecoditect-large).32
  2. Create or update IAM bindings
    • For each tenant, create or update a Google Group (coditect-tenant-{tenant_id}-devs) in Cloud Identity/Workspace and sync Coditect user membership.
    • Grant roles/workstations.user on the relevant workstation config(s) to that group; this gives all tenant devs permission to create and use workstations from those configs.1112
  3. Create workstations (if you want pre‑provisioning) Two patterns:
    • Lazy: do not create workstation objects at signup; when user clicks “Open Coditect Workspace” in the UI, call an internal API that:
      • Ensures a workstation exists for (tenant_id, user_id, plan), creating one if missing.
      • Starts it and returns the gateway URL / connection token to front‑end.1371
    • Eager: create workstations for all seats at signup; use an “ensure one workstation per seat” job that reconciles desired vs actual.
  4. Wire license context into the workstation
    • When creating workstations via API, set metadata/labels with tenant_id, plan, seat_id, and maybe coditect_workspace_id. Coditect licensing agent reads these values at runtime to request the correct license bundle.210

User click → launch Coditect Workspace

  • Front‑end flow
    • User logs into Coditect (your IdP, possibly Google Identity Platform multi‑tenancy) and selects a project/env.
    • Coditect UI calls internal “Workspace Gateway” service: POST /v1/tenants/{tenant_id}/users/{user_id}/workstations/ensure-and-start.
    • Gateway:
      • Uses Coditect directory to pick the right workstation config (based on plan & region).
      • Calls Cloud Workstations API to create if missing and to start workstation.
      • Polls until ready and returns the workstation.url or connection token.1313
    • UI redirects user to that URL; user authenticates via Google/OAuth; IAM enforces they have roles/workstations.user on that workstation.

Concrete prompt you can reuse

You can drive next‑level design/implementation detail with something like:

“Design an end‑to‑end GCP implementation for Coditect that automatically provisions Google Cloud Workstations per tenant and per seat at signup, with:

  • A control plane service that listens to TenantCreated and SeatAssigned events and reconciles workstation resources and IAM bindings.
  • Workstation clusters/configs for multiple plans (small/large/shared) using custom container images that embed coditect-core and a mTLS/JWT licensing agent.
  • IAM patterns for single‑user workstations and optional shared team workstations, including Google Groups, roles/workstations.user, and regional projects/folders.
  • A license server API and JWT claim schema that ties coditect-core licenses to tenant_id, seat_id, plan, and workstation_id, and shows how the workstation startup script bootstraps and refreshes the license.
  • A Workspace Gateway API surface that Coditect UI calls (ensure+start+connect) and example flows for handling plan changes, seat revocation, and tenant offboarding.”

If you want, the next iteration can go into concrete Terraform + gcloud snippets (cluster/config creation, IAM bindings), and a minimal Go/Python env‑provisioner that you can drop into Cloud Run. 141516171819202122232425

Automate workstation creation via Google Cloud APIs or Terraform modules

You can automate Cloud Workstations creation either imperatively via the Workstations API/SDKs, or declaratively with Terraform resources (plus modules) on top. Both can coexist: Terraform for clusters/configs, API for per‑user/seat workstations.

Terraform: clusters, configs, workstations

Use the native google provider resources; Google documents full Terraform support for Cloud Workstations and links registry samples for each resource.2627

  • Key resources
    • google_workstations_workstation_cluster: regional cluster attached to your VPC.28
    • google_workstations_workstation_config: template (image, CPU/RAM, persistent dirs, CMEK, shielded config).2726
    • google_workstations_workstation: individual workstation instances, if you want Terraform‑managed static workstations.2926
  • Minimal Terraform sketch (conceptual)
    • Define cluster: project, region, network, subnetwork.
    • Define one or more configs referencing your Coditect container image, enabling persistent home, CMEK, etc.
    • Optionally define a small fixed set of workstations for shared or admin use; for per‑seat dynamic creation, prefer API (see next section).3026
  • When Terraform is a good fit
    • Baseline infra: clusters, configs, IAM bindings for roles like roles/workstations.admin and roles/workstations.user.
    • Static/shared workstations (e.g., “training” or “demo” environments) where you do not need to create/destroy per tenant/seat continuously.2627

Workstations API: dynamic per‑tenant/seat creation

The Cloud Workstations REST API exposes first‑class methods to create, start, and stop workstations and configs.31

  • Core endpoints (REST)
    • Create config: POST /v1/{parent=projects/*/locations/*/workstationClusters/*}/workstationConfigs.
    • Create workstation: POST /v1/{parent=projects/*/locations/*/workstationClusters/*/workstationConfigs/*}/workstations.
    • Start/stop: POST .../workstations/*:start and ...:stop.
    • Generate access token: POST .../workstations/*:generateAccessToken for short‑lived connect credentials.31
  • CLI example (maps 1:1 to API fields)
    • gcloud workstations create my-workstation --region=us-central1 --cluster=my-cluster --configuration=my-configuration shows the minimal set you must pass: region, cluster, configuration.32
  • Pattern for Coditect
    • Have a “Workspace Gateway” service (Cloud Run/GKE) that:
      • Receives a request like POST /v1/tenants/{tenant_id}/users/{user_id}/workstations/ensure-and-start.
      • Uses Workstations API list/get under the target config to see if a workstation already exists for that user; if not, create one with labels {tenant_id, user_id, plan}.
      • Calls start on that workstation and optionally generateAccessToken to return a ready‑to‑connect URL/token to the Coditect UI.333431

Terraform + API together

The recommended split for your use case:

  • Terraform
    • Define and version clusters, configs, networks, CMEK, and base IAM roles using google_workstations_workstation_cluster and google_workstations_workstation_config plus IAM data sources.2826
    • Optionally wrap these in your own reusable Terraform modules (or use future community modules like terraform-google-workstation as references).3530
  • Coditect control plane + Workstations API
    • Implement all per‑tenant/seat workstation lifecycle (create, label, start/stop, soft delete) using the REST/gRPC API or client libraries, called from your multi‑tenant control plane.3331
    • This aligns with Google’s own guidance that Terraform is suitable for provisioning configs and clusters, while dynamic workstation creation can be done programmatically.2726

If you want, next step can be a concrete Terraform snippet for a coditect-prod-us cluster/config pair plus a pseudo‑Go or Python service that implements ensureAndStartWorkstation(tenant_id, user_id, plan) using the Workstations API. 36373839404142434445

OPEN TOFU not TERRRAFORM

OpenTofu works for this almost identically to Terraform: you use the same Google provider and resource types (including the Cloud Workstations resources), just driven by the tofu CLI instead of terraform.4647

OpenTofu + Google provider

  • OpenTofu is configuration‑ and provider‑compatible with Terraform, including the Google Cloud provider; your .tf files and modules work unchanged.484746
  • Use the OpenTofu registry Google provider (or the mirrored HashiCorp one) exactly as you would in Terraform, via a required_providers block and standard provider configuration (service account, ADC, etc.).495051

Minimal example:

terraform {
  required_providers {
    google = {
      source  = "opentffoundation/google"
      version = "~> 6.0"
    }
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

This is consumed by tofu init/plan/apply in the same way Terraform would.5051

Cloud Workstations resources under OpenTofu

Because OpenTofu uses the same provider protocol and registry, you can directly use the documented Google Workstations resources:525354

  • google_workstations_workstation_cluster – cluster per region/VPC.
  • google_workstations_workstation_config – templates for Coditect images, machine type, disks, CMEK.
  • google_workstations_workstation – optional static workstations (for shared/demo); for Coditect’s dynamic per‑seat model, you’ll mostly manage clusters/configs in OpenTofu and use the Workstations API for per‑user instances.535452

Example (conceptual) fits OpenTofu 1:1:

resource "google_workstations_workstation_cluster" "coditect_us" {
  workstation_cluster_id = "coditect-us"
  location               = var.region
  network                = var.network
  subnetwork             = var.subnetwork
}

resource "google_workstations_workstation_config" "coditect_small" {
  workstation_cluster_id = google_workstations_workstation_cluster.coditect_us.workstation_cluster_id
  location               = var.region
  workstation_config_id  = "coditect-small"

  host {
    gce_instance {
      machine_type = "e2-standard-4"
    }
  }

  container {
    image = "gcr.io/${var.project_id}/coditect-workstation:latest"
  }
}

Run with:

tofu init
tofu plan
tofu apply

The semantics are identical to Terraform; provider behavior and state format are fully compatible.554746

How to structure this for Coditect

  • Use OpenTofu for the static foundation: projects, networks, workstation clusters/configs, and IAM bindings for Coditect service accounts and base groups.5652
  • Keep per‑tenant/seat workstation creation in your Coditect control plane, via the Cloud Workstations REST/gRPC APIs, so you are not reconciling thousands of short‑lived workstation resources from OpenTofu runs.5752

Reusable prompt you can drop in next:

“Generate OpenTofu (HCL) configuration using the opentffoundation/google provider that defines:

  • A coditect-workstations project and VPC subnet.
  • One Cloud Workstations cluster per region (us-central1, europe-west1).
  • Three workstation configs (coditect-small, coditect-large, coditect-shared-team) referencing a Coditect container image and enabling persistent home directories and CMEK.
  • IAM bindings that grant a Coditect automation service account admin rights on clusters/configs, and map a coditect-platform-admins group to roles/workstations.admin. Output a single main.tf suitable for running with tofu init/plan/apply.” 5859606162636465666768

“Design an end‑to‑end GCP implementation for Coditect that automatically provisions Google Cloud Workstations per tenant and per seat at signup, with:

A control plane service that listens to TenantCreated and SeatAssigned events and reconciles workstation resources and IAM bindings. Workstation clusters/configs for multiple plans (small/large/shared) using custom container images that embed coditect-core and a mTLS/JWT licensing agent. IAM patterns for single‑user workstations and optional shared team workstations, including Google Groups, roles/workstations.user, and regional projects/folders. A license server API and JWT claim schema that ties coditect-core licenses to tenant_id, seat_id, plan, and workstation_id, and shows how the workstation startup script bootstraps and refreshes the license. A Workspace Gateway API surface that Coditect UI calls (ensure+start+connect) and example flows for handling plan changes, seat revocation, and tenant offboarding.” If

You can treat that prompt as your “north star” spec: design a Coditect control plane that owns clusters/configs and IAM, then dynamically creates per‑tenant/per‑seat workstations via API, with coditect‑core licensing and a Workspace Gateway in front.6970

Control plane and events

  • Event model
    • TenantCreated(tenant_id, plan, region, workspace_mode) and SeatAssigned(tenant_id, seat_id, user_id) go onto Pub/Sub.
    • A control‑plane service (Cloud Run/GKE) consumes these and reconciles:
      • Workstation existence and labels {tenant_id, seat_id, plan}.
      • IAM bindings for tenant groups and Coditect automation accounts.7069
  • Projects/folders
    • Use regional “workstations projects” under a Coditect folder (e.g. coditect-workstations-us, coditect-workstations-eu), with VPC‑SC and private gateways for regulated tenants.717269

Clusters/configs and images

  • Clusters
    • One Cloud Workstations cluster per region and environment, attached to a shared VPC per region, created via OpenTofu using the Google provider’s google_workstations_workstation_cluster resource.7371
  • Configs
    • For plans: create configs like coditect-small, coditect-large, coditect-shared-team, with:
      • host.gce_instance: machine type, disk size, disable public IPs, optional GPUs.
      • container.image: Coditect base image with coditect-core + a licensing bootstrap agent.
      • Persistent directories and CMEK for boot and data disks.7470

IAM patterns (single‑user vs shared)

  • Roles
    • Use roles/workstations.admin and roles/workstations.workstationCreator for Coditect automation service accounts; use roles/workstations.user for human developers.7576
  • Single‑user workstations
    • One workstation per (tenant_id, seat_id) under the plan’s config.
    • Label workstation with tenant_id, seat_id, user_id, plan.
    • Bind roles/workstations.user on that specific workstation to the user (or to a per‑tenant per‑seat group if you prefer group abstractions).7775
  • Shared “team” workstations
    • Special config coditect-shared-team (larger VM) and one workstation per tenant team/project.
    • IAM: bind roles/workstations.user on the shared workstation to a Google Group like coditect-tenant-{tenant_id}-devs.
    • Mark these resources with a shared=true label and treat in governance/audit as exceptions (extra DLP, logging).7569

License server and JWT schema

  • License server API
    • Central Coditect license server exposes:
      • POST /v1/license/issue – input: {tenant_id, seat_id, plan, workstation_id, region}.
      • POST /v1/license/refresh – input: existing token or {license_id, workstation_id}.
      • POST /v1/license/revoke – for admin actions / incident response.
  • JWT claims
    • Use RS256/ES256, short TTL (e.g., 15–60 minutes), and standard claims: iss, aud, exp, iat.78798081
    • Custom claims for Coditect:
      • tenant_id, seat_id (or project_id for shared workstations).
      • plan (e.g., basic, enterprise).
      • workstation_id (GCP resource name).
      • features array and limits like max_concurrent_jobs, max_repo_size_mb.
  • Bootstrap inside workstation
    • Startup script (or systemd unit/entrypoint) in the Coditect image:
      • Reads metadata/labels injected via workstation config (env vars like TENANT_ID, PLAN, WORKSTATION_ID).70
      • Establishes mTLS to license server (client cert from Coditect’s private CA) and calls /v1/license/issue.
      • Stores the issued JWT in a secure file or env var; coditect-core reads and enforces it on each call.
      • Periodically refreshes before exp and handles 401/403 as revocation (degrade to read‑only or block operations).798078

Workspace Gateway API and flows

  • Workspace Gateway
    • A Coditect‑owned service (Cloud Run/GKE) that fronts the Workstations API and encapsulates your policy.
    • Example endpoints:
      • POST /v1/tenants/{tenant_id}/users/{user_id}/workstations/ensure-and-start?plan=basic
      • POST /v1/tenants/{tenant_id}/shared-workstations/{project_id}/ensure-and-start
    • Internally:
      • Resolves tenant and seat from your DB.
      • Picks cluster/config based on plan + region.
      • GET/LIST workstations under that config for (tenant_id, seat_id); if none, CREATE with labels.
      • Calls start and optionally generateAccessToken, returns connection URL/token to the Coditect UI.826970
  • Plan changes
    • PlanChanged event triggers control plane to:
      • Stop workstations created from old configs.
      • Create new workstations from the new plan’s config, or lazily let Workspace Gateway do it on next ensure-and-start.
      • Update IAM if different roles/groups are required (e.g., GPU access).7675
  • Seat revocation
    • SeatRevoked(tenant_id, seat_id) event triggers:
      • Remove roles/workstations.user bindings for the seat’s principal(s).
      • Stop (and optionally delete) the seat’s workstation.
      • Call license server to revoke active leases for that seat/workstation.81767875
  • Tenant offboarding
    • TenantDeleted(tenant_id) event triggers:
      • Iterate all workstations with tenant_id label; stop and delete them.
      • Remove IAM bindings on workstation configs and any per‑tenant groups.
      • In license server, mark all licenses for tenant_id as revoked and archive audit history.697975

If you want, next step can be: “Generate OpenTofu resource definitions for the clusters/configs plus a pseudo‑Go implementation of the Workspace Gateway’s ensureAndStart endpoint and the license server’s /v1/license/issue handler, with explicit calls to the Cloud Workstations REST API.” 8384858687888990

Footnotes

  1. https://cloud.google.com/workstations 2 3 4 5 6

  2. https://docs.cloud.google.com/workstations/docs/customize-development-environment 2 3 4 5 6 7

  3. https://docs.cloud.google.com/workstations/docs/create-workstation 2 3 4

  4. https://www.perplexity.ai/search/a61fa065-944e-4e88-8d9e-f25c4088090e 2 3 4 5

  5. https://fotc.com/blog/cloud-workstations/ 2

  6. https://www.perplexity.ai/search/edde4464-08c6-4b70-aef3-ba27af024185

  7. https://www.perplexity.ai/search/f7c7e058-61fb-43d2-87ff-44d140a9ffe5 2

  8. https://www.perplexity.ai/search/004a47d5-b65a-400e-aa88-4303ea2dee7a

  9. https://www.datacenterknowledge.com/cybersecurity/multi-tenant-and-cross-tenant-threats-in-google-cloud-and-beyond

  10. https://www.perplexity.ai/search/ef0e7b39-a4a9-4a13-8855-54ae5cd37ca6 2 3 4 5

  11. https://docs.cloud.google.com/kubernetes-engine/docs/best-practices/enterprise-multitenancy

  12. https://docs.cloud.google.com/identity-platform/docs/multi-tenancy

  13. https://codelabs.developers.google.com/innerloop-dev-cloud-workstations-java-springboot 2

  14. https://docs.cloud.google.com/bigquery/docs/best-practices-for-multi-tenant-workloads-on-bigquery

  15. https://xebia.com/blog/data-isolation-tenant-architecture-google-cloud-platform-gcp/

  16. https://jumpcloud.com/blog/benefits-multi-tenant-iam

  17. https://licenseq.com/google-cloud-platform-licensing/

  18. https://patents.google.com/patent/US10484243B2/en

  19. https://cloud.google.com/skus/sku-groups/3rd-party-software

  20. https://discuss.google.dev/t/a-compartmentalized-multi-tenant-architecture-for-saas-applications/167894

  21. https://dzone.com/articles/google-cloud-workstations

  22. https://docs.cloud.google.com/marketplace/docs/partners/integrated-saas

  23. https://docs.cloud.google.com/compute/docs/nodes/bringing-your-own-licenses

  24. https://www.rekadia.co.id/news/getting-to-know-about-saas-and-its-license-types

  25. https://docs.cloud.google.com/identity-platform/docs/multi-tenancy-quickstart

  26. https://cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations 2 3 4 5 6 7

  27. https://docs.cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations 2 3 4

  28. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workstations_workstation_cluster 2

  29. https://registry.terraform.io/providers/hashicorp/google/5.31.0/docs/resources/workstations_workstation

  30. https://astrafy.io/the-hub/blog/technical/google-cloud-workstations-crafting-the-perfect-development-ecosystem 2

  31. https://docs.cloud.google.com/workstations/docs/reference/rest 2 3 4

  32. https://dev.to/devopsfundamentals/gcp-fundamentals-cloud-workstations-api-4apn

  33. https://cloud.google.com/workstations 2

  34. https://codelabs.developers.google.com/innerloop-dev-cloud-workstations-java-springboot

  35. https://github.com/akhileshmishrabiz/terraform-google-workstation

  36. https://docs.cloud.google.com/workstations/docs/create-workstation

  37. https://dzone.com/articles/google-cloud-workstations

  38. https://github.com/terraform-google-modules/terraform-google-vm

  39. https://github.com/terraform-google-modules/terraform-google-gcloud

  40. https://www.youtube.com/watch?v=TRJXY_2NMr4

  41. https://cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations?hl=ko

  42. https://dlthub.com/workspace/source/cloud-workstations-api

  43. https://pub.dev/documentation/googleapis/latest/workstations_v1/workstations_v1-library.html

  44. https://www.reddit.com/r/Terraform/comments/1c1cqz3/use_terraform_to_create_infrastructure_in_google/

  45. https://cloud.google.com/workstations/docs/create-workstation?authuser=8

  46. https://www.firefly.ai/academy/migrating-from-terraform-to-opentofu-the-how-and-why 2 3

  47. https://spacelift.io/blog/what-is-opentofu 2 3

  48. https://onidel.com/blog/terraform-vs-opentofu-vps

  49. https://search.opentofu.org/provider/opentofu/google/latest

  50. https://opentofu.org/docs/language/providers/requirements/ 2

  51. https://opentofu.org/docs/language/providers/configuration/ 2

  52. https://docs.cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations 2 3 4

  53. https://registry.terraform.io/providers/hashicorp/google/5.31.0/docs/resources/workstations_workstation 2

  54. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workstations_workstation_cluster 2

  55. https://cyberpanel.net/blog/opentofu-vs-terraform

  56. https://spacelift.io/blog/terraform-gcp-google-cloud

  57. https://docs.cloud.google.com/workstations/docs/reference/rest

  58. https://search.opentofu.org/provider/opentofu/google/latest/docs/guides/provider_reference

  59. https://www.youtube.com/watch?v=xstFUuFt5Q0

  60. https://developer.hashicorp.com/terraform/tutorials/it-saas/google-workspace

  61. https://cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations

  62. https://search.opentofu.org/provider/opentffoundation/google/latest/docs/guides/getting_started

  63. https://github.com/terraform-google-modules/terraform-example-foundation

  64. https://search.opentofu.org/provider/opentofu/google/v6.49.2/docs/guides/version_7_upgrade

  65. https://search.opentofu.org/provider/opentofu/google/latest/docs/guides/using_gke_with_terraform

  66. https://github.com/terraform-google-modules/terraform-google-vm

  67. https://platformengineering.org/blog/terraform-vs-opentofu-iac-tool

  68. https://search.opentofu.org/provider/terraform-providers/google-beta/v7.9.0

  69. https://docs.cloud.google.com/workstations/docs/architecture 2 3 4 5 6

  70. https://docs.cloud.google.com/workstations/docs/overview 2 3 4 5

  71. https://docs.cloud.google.com/workstations/docs/create-cluster 2

  72. https://cloud.google.com/workstations

  73. https://docs.cloud.google.com/workstations/docs/terraform-support-for-cloud-workstations

  74. https://www.pulumi.com/guides/how-to/gcp-workstation-config/

  75. https://cloud.google.com/workstations/docs/access-control 2 3 4 5 6

  76. https://cloud.google.com/iam/docs/roles-permissions/workstations 2 3

  77. https://gcp.permissions.cloud/iam/workstations

  78. https://ssojet.com/ciam-qna/best-practices-for-server-side-jwt-token-handling 2 3

  79. https://dev.oneground.nl/blog/best-practices-for-jwt-usage-in-apis 2 3

  80. https://curity.io/resources/learn/jwt-best-practices/ 2

  81. https://www.permit.io/blog/how-to-use-jwts-for-authorization-best-practices-and-common-mistakes 2

  82. https://docs.cloud.google.com/workstations/docs/reference/rest

  83. https://www.pulumi.com/guides/how-to/gcp-workstations-iam-member/

  84. https://cloud.ibm.com/docs/account?topic=account-userroles

  85. https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html

  86. https://www.reddit.com/r/dotnet/comments/zv6haz/jwt_what_the_best_practice_with_using_claimroles/

  87. https://stackoverflow.com/questions/76613801/how-to-login-as-a-user-to-google-cloud-workstations

  88. https://docs.aws.amazon.com/workspaces/latest/adminguide/using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances.html

  89. https://www.reddit.com/r/aws/comments/1bqonl9/workspaces_and_roles/

  90. https://www.pulumi.com/guides/how-to/gcp-workstations-iam-binding/