Refactor terraform main file to be more alike with aws and azure scripts and fixed some things that were wrong in the install script. Changed variables.tf and output.tf as needed

2025-09-01 18:53:34 +02:00 · 2025-09-01 18:53:34 +02:00 · 0dfb87698b
parent 1f8a4bd8c7
commit 0dfb87698b
3 changed files with 353 additions and 222 deletions
--- a/openvidu-deployment/community/singlenode/gcp/output.tf
+++ b/openvidu-deployment/community/singlenode/gcp/output.tf
@ -8,9 +8,9 @@ output "openvidu_public_ip" {
  value = length(google_compute_address.openvidu_ip) > 0 ? google_compute_address.openvidu_ip[0].address : google_compute_instance.openvidu.network_interface[0].access_config[0].nat_ip
 }

-output "services_and_credentials_secret_id" {
-  value = google_secret_manager_secret.openvidu.secret_id
-}
+# output "services_and_credentials_secret_id" {
+#   value = google_secret_manager_secret.openvidu.secret_id
+# }

 output "appdata_bucket" {
  value = local.isEmpty ? "openvidu-appdata" : var.bucketName
--- a/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf
+++ b/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf
@ -6,49 +6,49 @@ resource "google_project_service" "storage_api" { service = "storage.googleapis.
 resource "random_id" "bucket_suffix" { byte_length = 3 }

 # GCS bucket (conditional)
-# resource "google_storage_bucket" "bucket" {
-#   count                       = 1
-#   name                        = local.isEmpty ? "openvidu-appdata" : var.bucketName
-#   location                    = var.region
-#   force_destroy               = false
-#   uniform_bucket_level_access = true
-# }
+resource "google_storage_bucket" "bucket" {
+  count                       = 1
+  name                        = local.isEmpty ? "openvidu-appdata" : var.bucketName
+  location                    = var.region
+  force_destroy               = false
+  uniform_bucket_level_access = true
+}

 # Secret Manager secret that stores deployment info and seed secrets
-# resource "google_secret_manager_secret" "openvidu" {
-#   secret_id = "openvidu-${var.region}-${var.stackName}"
-#   replication {
-#     auto {}
-#   }
-# }
+resource "google_secret_manager_secret" "openvidu_secret_manager" {
+  secret_id = "openvidu-${var.region}-${var.stackName}"
+  replication {
+    auto {}
+  }
+}

-# resource "google_secret_manager_secret_version" "openvidu_version" {
-#   secret = google_secret_manager_secret.openvidu.id
-#   secret_data = jsonencode({
-#     domainName               = "none",
-#     LIVEKIT_turnDomainName   = "none",
-#     LETSENCRYPT_EMAIL        = "none",
-#     REDIS_PASSWORD           = "none",
-#     MONGO_ADMIN_USERNAME     = "none",
-#     MONGO_ADMIN_PASSWORD     = "none",
-#     MONGO_REPLICA_SET_KEY    = "none",
-#     MINIO_URL                = "none",
-#     MINIO_ACCESS_KEY         = "none",
-#     MINIO_SECRET_KEY         = "none",
-#     DASHBOARD_URL            = "none",
-#     DASHBOARD_ADMIN_USERNAME = "none",
-#     DASHBOARD_ADMIN_PASSWORD = "none",
-#     GRAFANA_URL              = "none",
-#     GRAFANA_ADMIN_USERNAME   = "none",
-#     GRAFANA_ADMIN_PASSWORD   = "none",
-#     LIVEKIT_API_KEY          = "none",
-#     LIVEKIT_API_SECRET       = "none",
-#     MEET_ADMIN_USER          = "none",
-#     MEET_ADMIN_SECRET        = "none",
-#     MEET_API_KEY             = "none",
-#     ENABLED_MODULES          = "none"
-#   })
-# }
+resource "google_secret_manager_secret_version" "openvidu_version" {
+  secret = google_secret_manager_secret.openvidu.id
+  secret_data = jsonencode({
+    DOMAIN_NAME              = "none",
+    LIVEKIT_TURN_DOMAIN_NAME = "none",
+    LETSENCRYPT_EMAIL        = "none",
+    REDIS_PASSWORD           = "none",
+    MONGO_ADMIN_USERNAME     = "none",
+    MONGO_ADMIN_PASSWORD     = "none",
+    MONGO_REPLICA_SET_KEY    = "none",
+    MINIO_URL                = "none",
+    MINIO_ACCESS_KEY         = "none",
+    MINIO_SECRET_KEY         = "none",
+    DASHBOARD_URL            = "none",
+    DASHBOARD_ADMIN_USERNAME = "none",
+    DASHBOARD_ADMIN_PASSWORD = "none",
+    GRAFANA_URL              = "none",
+    GRAFANA_ADMIN_USERNAME   = "none",
+    GRAFANA_ADMIN_PASSWORD   = "none",
+    LIVEKIT_API_KEY          = "none",
+    LIVEKIT_API_SECRET       = "none",
+    MEET_ADMIN_USER          = "none",
+    MEET_ADMIN_SECRET        = "none",
+    MEET_API_KEY             = "none",
+    ENABLED_MODULES          = "none"
+  })
+}

 # Service account for the instance
 resource "google_service_account" "openvidu_sa" {
@ -104,7 +104,7 @@ resource "google_compute_instance" "openvidu" {

  boot_disk {
    initialize_params {
-      image = var.boot_image
+      image = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2204-lts"
      size  = 200
      type  = "pd-standard"
    }
@ -139,176 +139,7 @@ resource "google_compute_instance" "openvidu" {
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }

-
-  metadata_startup_script = <<EOF
-  #!/bin/bash -x
-  set -euo pipefail
-
-  # Metadata helper
-  METADATA_URL="http://metadata.google.internal/computeMetadata/v1"
-  get_meta() { curl -s -H "Metadata-Flavor: Google" "$${METADATA_URL}/$1"; }
-
-  projevar.projectId=$(get_meta "project/project-id")
-  REGION=$(get_meta "instance/attributes/region")
-  stackName=$(get_meta "instance/attributes/stackName")
-  SECRET_NAME=$(get_meta "instance/attributes/secret_name")
-  CERT_TYPE=$(get_meta "instance/attributes/certificateType")
-  domainName=$(get_meta "instance/attributes/domainName")
-  LE_EMAIL=$(get_meta "instance/attributes/letsEncryptEmail")
-  ADDITIONAL_FLAGS=$(get_meta "instance/attributes/additional_install_flags")
-  turnDomainName=$(get_meta "instance/attributes/turnDomainName")
-  OWN_CERT_URL=$(get_meta "instance/attributes/ownPublicCertificate")
-  OWN_KEY_URL=$(get_meta "instance/attributes/ownPrivateCertificate")
-  S3_BUCKET_NAME=$(get_meta "instance/attributes/s3_bucket_name")
-
-  # Install deps
-  apt-get update
-  apt-get install -y curl unzip jq wget ca-certificates gnupg lsb-release openssl
-
-  # Install google-cloud-sdk (to read secrets)
-  if ! command -v gcloud >/dev/null 2>&1; then
-    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list
-    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
-    apt-get update && apt-get install -y google-cloud-sdk
-  fi
-
-  # Install yq
-  YQ_VERSION=v4.44.5
-  wget https://github.com/mikefarah/yq/releases/download/$${YQ_VERSION}/yq_linux_amd64.tar.gz -O - | tar xz && mv yq_linux_amd64 /usr/bin/yq
-
-  # Fetch secret (the secret contains a JSON string as in Terraform)
-  SHARED_SECRET_JSON=$(gcloud secrets versions access latest --secret="$${SECRET_NAME}" --project="$${projevar.projectId}") || SHARED_SECRET_JSON='{}'
-
-  # Helper to update secret using gcloud (we will use it to save values)
-  save_secret() {
-    KEY=$1
-    VALUE=$2
-    # read current, update key, and write a new version
-    TMP=$(mktemp)
-    echo "$SHARED_SECRET_JSON" | jq ". + { \"$${KEY}\": \"$${VALUE}\" }" > "$TMP" || echo '{ }' > "$TMP"
-    gcloud secrets versions add "$${SECRET_NAME}" --data-file="$TMP" --project="$${projevar.projectId}" >/dev/null
-    SHARED_SECRET_JSON=$(cat "$TMP")
-    rm -f "$TMP"
-  }
-
-  # Generate randoms and save to secret when needed (similar to CFN store_secret.sh)
-  generate_and_save() {
-    KEY=$1
-    PREFIX=$${2:-}
-    LENGTH=$${3:-44}
-    RAND=$(openssl rand -base64 64 | tr -d '+/=\n' | cut -c -$${LENGTH})
-    VALUE="$${PREFIX}$${RAND}"
-    save_secret "$KEY" "$VALUE"
-    echo "$VALUE"
-  }
-
-  # Configure domain
-  if [[ -z "$domainName" || "$domainName" == "none" ]]; then
-    # Use external IP
-    EXTERNAL_IP=$(curl -s ifconfig.co || true)
-    DOMAIN="$EXTERNAL_IP"
-  else
-    DOMAIN="$domainName"
-  fi
-  save_secret domainName "$DOMAIN"
-
-  # Generate/store secrets used by OpenVidu
-  REDIS_PASSWORD=$(generate_and_save REDIS_PASSWORD)
-  MONGO_ADMIN_USERNAME=$(save_secret MONGO_ADMIN_USERNAME "mongoadmin")
-  MONGO_ADMIN_PASSWORD=$(generate_and_save MONGO_ADMIN_PASSWORD)
-  MONGO_REPLICA_SET_KEY=$(generate_and_save MONGO_REPLICA_SET_KEY)
-  MINIO_ACCESS_KEY=$(save_secret MINIO_ACCESS_KEY "minioadmin")
-  MINIO_SECRET_KEY=$(generate_and_save MINIO_SECRET_KEY)
-  DASHBOARD_ADMIN_USERNAME=$(save_secret DASHBOARD_ADMIN_USERNAME "dashboardadmin")
-  DASHBOARD_ADMIN_PASSWORD=$(generate_and_save DASHBOARD_ADMIN_PASSWORD)
-  GRAFANA_ADMIN_USERNAME=$(save_secret GRAFANA_ADMIN_USERNAME "grafanaadmin")
-  GRAFANA_ADMIN_PASSWORD=$(generate_and_save GRAFANA_ADMIN_PASSWORD)
-  MEET_ADMIN_USER=$(save_secret MEET_ADMIN_USER "meetadmin")
-  MEET_ADMIN_SECRET=$(generate_and_save MEET_ADMIN_SECRET)
-  MEET_API_KEY=$(generate_and_save MEET_API_KEY)
-  ENABLED_MODULES=$(save_secret ENABLED_MODULES "observability,openviduMeet")
-  LIVEKIT_API_KEY=$(generate_and_save LIVEKIT_API_KEY "API" 12)
-  LIVEKIT_API_SECRET=$(generate_and_save LIVEKIT_API_SECRET)
-
-  # Build install command and args
-  INSTALL_COMMAND="sh <(curl -fsSL http://get.openvidu.io/community/singlenode/main/install.sh)"
-  COMMON_ARGS=(
-    "--no-tty"
-    "--install"
-    "--environment=gcp"
-    "--deployment-type=single_node"
-    "--domain-name=$DOMAIN"
-    "--enabled-modules='$ENABLED_MODULES'"
-    "--redis-password=$REDIS_PASSWORD"
-    "--mongo-admin-user=$MONGO_ADMIN_USERNAME"
-    "--mongo-admin-password=$MONGO_ADMIN_PASSWORD"
-    "--mongo-replica-set-key=$MONGO_REPLICA_SET_KEY"
-    "--minio-access-key=$MINIO_ACCESS_KEY"
-    "--minio-secret-key=$MINIO_SECRET_KEY"
-    "--dashboard-admin-user=$DASHBOARD_ADMIN_USERNAME"
-    "--dashboard-admin-password=$DASHBOARD_ADMIN_PASSWORD"
-    "--grafana-admin-user=$GRAFANA_ADMIN_USERNAME"
-    "--grafana-admin-password=$GRAFANA_ADMIN_PASSWORD"
-    "--meet-admin-user=$MEET_ADMIN_USER"
-    "--meet-admin-password=$MEET_ADMIN_SECRET"
-    "--meet-api-key=$MEET_API_KEY"
-    "--livekit-api-key=$LIVEKIT_API_KEY"
-    "--livekit-api-secret=$LIVEKIT_API_SECRET"
-  )
-
-  # Include additional installer flags (trimmed)
-  if [[ -n "$ADDITIONAL_FLAGS" && "$ADDITIONAL_FLAGS" != "none" ]]; then
-    IFS=',' read -ra EXTRA_FLAGS <<< "$ADDITIONAL_FLAGS"
-    for extra_flag in "$${EXTRA_FLAGS[@]}"; do
-      extra_flag="$(echo -e "$extra_flag" | sed -e 's/^\s*//' -e 's/\s*$//')"
-      if [[ -n "$extra_flag" ]]; then
-        COMMON_ARGS+=("$extra_flag")
-      fi
-    done
-  fi
-
-  # TURN domain
-  if [[ -n "$turnDomainName" && "$turnDomainName" != "none" ]]; then
-    save_secret LIVEKIT_turnDomainName "$turnDomainName"
-    COMMON_ARGS+=("--turn-domain-name=$turnDomainName")
-  fi
-
-  # Certificate handling
-  if [[ "$CERT_TYPE" == "selfsigned" ]] ; then
-    CERT_ARGS=("--certificate-type=selfsigned")
-  elif [[ "$CERT_TYPE" == "letsencrypt" ]] ; then
-    save_secret LETSENCRYPT_EMAIL "$LE_EMAIL"
-    CERT_ARGS=("--certificate-type=letsencrypt" "--letsencrypt-email=$LE_EMAIL")
-  else
-    # owncert: download from provided URLs and convert to base64
-    mkdir -p /tmp/owncert
-    if [[ -n "$OWN_CERT_URL" && -n "$OWN_KEY_URL" ]]; then
-      wget -O /tmp/owncert/fullchain.pem "$OWN_CERT_URL"
-      wget -O /tmp/owncert/privkey.pem   "$OWN_KEY_URL"
-      OWN_CERT_CRT=$(base64 -w 0 /tmp/owncert/fullchain.pem)
-      OWN_CERT_KEY=$(base64 -w 0 /tmp/owncert/privkey.pem)
-      CERT_ARGS=("--certificate-type=owncert" "--owncert-public-key=$OWN_CERT_CRT" "--owncert-private-key=$OWN_CERT_KEY")
-    else
-      echo "owncert selected but cert URLs not provided"
-      exit 1
-    fi
-  fi
-
-  # Final command
-  FINAL_COMMAND="$INSTALL_COMMAND $(printf "%s " "$${COMMON_ARGS[@]}") $(printf "%s " "$${CERT_ARGS[@]}")"
-
-  # Execute installation
-  bash -c "$FINAL_COMMAND"
-
-  # Configure GCS bucket in OpenVidu config if needed
-  if [[ -n "$S3_BUCKET_NAME" && "$S3_BUCKET_NAME" != "none" ]]; then
-    # Wait for openvidu config dir
-    CONFIG_DIR="/opt/openvidu/config"
-    if [[ -f "$${CONFIG_DIR}/openvidu.env" ]]; then
-      sed -i "s|EXTERNAL_S3_BUCKET_APP_DATA=.*|EXTERNAL_S3_BUCKET_APP_DATA=$${S3_BUCKET_NAME}|" "$${CONFIG_DIR}/openvidu.env" || true
-    fi
-  fi
-  EOF
+  metadata_startup_script = local.user_data

  labels = {
    stack = var.stackName
@ -318,5 +149,311 @@ resource "google_compute_instance" "openvidu" {
 # ------------------------- local values -------------------------

 locals {
-  isEmpty = var.bucketName == ""
+  isEmpty        = var.bucketName == ""
+  install_script = <<-EOF
+  #!/bin/bash -x
+  OPENVIDU_VERSION=3.3.0 #CHANGE
+  DOMAIN=
+  YQ_VERSION=v4.44.5
+
+  apt-get update && apt-get install -y \
+    curl \
+    unzip \
+    jq \
+    wget \
+    ca-certificates \
+    gnupg \
+    lsb-release \
+    openssl
+  
+  wget https://github.com/mikefarah/yq/releases/download/$${YQ_VERSION}/yq_linux_amd64.tar.gz -O - |\
+  tar xz && mv yq_linux_amd64 /usr/bin/yq
+
+  # Configure domain
+  if [[ -z "${var.domainName}" || "${var.domainName}" == "none" ]]; then
+    # Use external IP
+    EXTERNAL_IP=$(curl -s ifconfig.co || true)
+    DOMAIN="$$EXTERNAL_IP"
+  else
+    DOMAIN="${var.domainName}"
+  fi
+  
+  DOMAIN="$(/usr/local/bin/store_secret.sh save DOMAIN_NAME "$$DOMAIN")"
+
+  # Store usernames and generate random passwords
+  REDIS_PASSWORD="$(/usr/local/bin/store_secret.sh generate REDIS_PASSWORD)"
+  MONGO_ADMIN_USERNAME="$(/usr/local/bin/store_secret.sh save MONGO_ADMIN_USERNAME "mongoadmin")"
+  MONGO_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate MONGO_ADMIN_PASSWORD)"
+  MONGO_REPLICA_SET_KEY="$(/usr/local/bin/store_secret.sh generate MONGO_REPLICA_SET_KEY)"
+  MINIO_ACCESS_KEY="$(/usr/local/bin/store_secret.sh save MINIO_ACCESS_KEY "minioadmin")"
+  MINIO_SECRET_KEY="$(/usr/local/bin/store_secret.sh generate MINIO_SECRET_KEY)"
+  DASHBOARD_ADMIN_USERNAME="$(/usr/local/bin/store_secret.sh save DASHBOARD_ADMIN_USERNAME "dashboardadmin")"
+  DASHBOARD_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate DASHBOARD_ADMIN_PASSWORD)"
+  GRAFANA_ADMIN_USERNAME="$(/usr/local/bin/store_secret.sh save GRAFANA_ADMIN_USERNAME "grafanaadmin")"
+  GRAFANA_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate GRAFANA_ADMIN_PASSWORD)"
+  MEET_ADMIN_USER="$(/usr/local/bin/store_secret.sh save MEET_ADMIN_USER "meetadmin")"
+  MEET_ADMIN_SECRET="$(/usr/local/bin/store_secret.sh generate MEET_ADMIN_SECRET)"
+  MEET_API_KEY="$(/usr/local/bin/store_secret.sh generate MEET_API_KEY)"
+  ENABLED_MODULES="$(/usr/local/bin/store_secret.sh save ENABLED_MODULES "observability,openviduMeet")"
+  LIVEKIT_API_KEY="$(/usr/local/bin/store_secret.sh generate LIVEKIT_API_KEY "API" 12)"
+  LIVEKIT_API_SECRET="$(/usr/local/bin/store_secret.sh generate LIVEKIT_API_SECRET)"
+
+  # Build install command and args
+  INSTALL_COMMAND="sh <(curl -fsSL http://get.openvidu.io/community/singlenode/$$OPENVIDU_VERSION/install.sh)"
+  
+  # Common arguments
+  COMMON_ARGS=(
+    "--no-tty"
+    "--install"
+    "--environment=gcp"
+    "--deployment-type=single_node"
+    "--domain-name=$$DOMAIN"
+    "--enabled-modules='$$ENABLED_MODULES'"
+    "--redis-password=$$REDIS_PASSWORD"
+    "--mongo-admin-user=$$MONGO_ADMIN_USERNAME"
+    "--mongo-admin-password=$$MONGO_ADMIN_PASSWORD"
+    "--mongo-replica-set-key=$$MONGO_REPLICA_SET_KEY"
+    "--minio-access-key=$$MINIO_ACCESS_KEY"
+    "--minio-secret-key=$$MINIO_SECRET_KEY"
+    "--dashboard-admin-user=$$DASHBOARD_ADMIN_USERNAME"
+    "--dashboard-admin-password=$$DASHBOARD_ADMIN_PASSWORD"
+    "--grafana-admin-user=$$GRAFANA_ADMIN_USERNAME"
+    "--grafana-admin-password=$$GRAFANA_ADMIN_PASSWORD"
+    "--meet-admin-user=$$MEET_ADMIN_USER"
+    "--meet-admin-password=$$MEET_ADMIN_SECRET"
+    "--meet-api-key=$$MEET_API_KEY"
+    "--livekit-api-key=$$LIVEKIT_API_KEY"
+    "--livekit-api-secret=$$LIVEKIT_API_SECRET"
+  )
+
+  # Include additional installer flags (trimmed)
+  if [[ "${var.additionalInstallFlags}" != "" ]]; then
+    IFS=',' read -ra EXTRA_FLAGS <<< "${var.additionalInstallFlags}"
+    for extra_flag in "$${EXTRA_FLAGS[@]}"; do
+      # Trim whitespace around each flag
+      extra_flag="$(echo -e "$${extra_flag}" | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//')"
+      if [[ "$$extra_flag" != "" ]]; then
+        COMMON_ARGS+=("$$extra_flag")
+      fi
+    done
+  fi
+
+  # Turn with TLS
+  if [[ "${var.turnDomainName}" != "" ]]; then
+    LIVEKIT_TURN_DOMAIN_NAME=$(/usr/local/bin/store_secret.sh save LIVEKIT_TURN_DOMAIN_NAME "${TurnDomainName}")
+    COMMON_ARGS+=(
+      "--turn-domain-name=$$LIVEKIT_TURN_DOMAIN_NAME"
+    )
+  fi
+
+  # Certificate arguments
+  if [[ "${var.certificateType}" == "selfsigned" ]]; then
+    CERT_ARGS=(
+      "--certificate-type=selfsigned"
+    )
+  elif [[ "${var.certificateType}" == "letsencrypt" ]]; then
+    LETSENCRYPT_EMAIL=$(/usr/local/bin/store_secret.sh save LETSENCRYPT_EMAIL "${var.letsEncryptEmail}")
+    CERT_ARGS=(
+      "--certificate-type=letsencrypt"
+      "--letsencrypt-email=${var.letsEncryptEmail}"
+    )
+  else
+    # Download owncert files
+    mkdir -p /tmp/owncert
+    wget -O /tmp/owncert/fullchain.pem ${var.ownPublicCertificate}
+    wget -O /tmp/owncert/privkey.pem ${var.ownPrivateCertificate}
+
+    # Convert to base64
+    OWN_CERT_CRT=$(base64 -w 0 /tmp/owncert/fullchain.pem)
+    OWN_CERT_KEY=$(base64 -w 0 /tmp/owncert/privkey.pem)
+
+    CERT_ARGS=(
+      "--certificate-type=owncert"
+      "--owncert-public-key=$OWN_CERT_CRT"
+      "--owncert-private-key=$OWN_CERT_KEY"
+    )
+
+    # Turn with TLS and own certificate
+    if [[ "${var.turnDomainName}" != '' ]]; then
+      # Download owncert files
+      mkdir -p /tmp/owncert-turn
+      wget -O /tmp/owncert-turn/fullchain.pem ${var.turnOwnPublicCertificate}
+      wget -O /tmp/owncert-turn/privkey.pem ${var.turnOwnPrivateCertificate}
+
+      # Convert to base64
+      OWN_CERT_CRT_TURN=$(base64 -w 0 /tmp/owncert-turn/fullchain.pem)
+      OWN_CERT_KEY_TURN=$(base64 -w 0 /tmp/owncert-turn/privkey.pem)
+
+      CERT_ARGS+=(
+        "--turn-owncert-private-key=$OWN_CERT_KEY_TURN"
+        "--turn-owncert-public-key=$OWN_CERT_CRT_TURN"
+      )
+    fi
+  fi
+
+  # Final command
+  FINAL_COMMAND="$INSTALL_COMMAND $(printf "%s " "$${COMMON_ARGS[@]}") $(printf "%s " "$${CERT_ARGS[@]}")"
+
+  # Execute installation
+  exec bash -c "$FINAL_COMMAND"
+  EOF
+
+  after_install_script = <<-EOF
+  EOF
+
+  update_config_from_secret_script = <<-EOF
+  EOF
+
+  update_secret_from_config_script = <<-EOF
+  EOF
+
+  get_value_from_config_script = <<-EOF
+  EOF
+
+  store_secret_script = <<-EOF
+  #!/bin/bash
+  set -e
+
+  # Authenticate using instance service account
+  gcloud auth activate-service-account --key-file=/dev/null 2>/dev/null || true
+
+  # Modes: save, generate
+  # save mode: save the secret in the secret manager
+  # generate mode: generate a random password and save it in the secret manager
+  MODE="$1"
+
+  if [[ "$MODE" == "generate" ]]; then
+      SECRET_KEY_NAME="$2"
+      PREFIX="$${3:-}"
+      LENGTH="$${4:-44}"
+      RANDOM_PASSWORD="$(openssl rand -base64 64 | tr -d '+/=\n' | cut -c -$${LENGTH})"
+      RANDOM_PASSWORD="$${PREFIX}$${RANDOM_PASSWORD}"
+      gcloud secrets versions add $SECRET_KEY_NAME --data-file=<(echo -n "$RANDOM_PASSWORD") 2>/dev/null || echo "$RANDOM_PASSWORD" | gcloud secrets versions add $SECRET_KEY_NAME --data-file=-
+      if [[ $? -ne 0 ]]; then
+          echo "Error generating secret"
+      fi
+      echo "$RANDOM_PASSWORD"
+  elif [[ "$MODE" == "save" ]]; then
+      SECRET_KEY_NAME="$2"
+      SECRET_VALUE="$3"
+      gcloud secrets versions add $SECRET_KEY_NAME --data-file=<(echo -n "$SECRET_VALUE") 2>/dev/null || echo "$SECRET_VALUE" | gcloud secrets versions add $SECRET_KEY_NAME --data-file=-
+      if [[ $? -ne 0 ]]; then
+          echo "Error generating secret"
+      fi
+      echo "$SECRET_VALUE"
+  else
+      exit 1
+  fi
+  EOF
+
+  check_app_ready_script = <<-EOF
+  #!/bin/bash
+  while true; do
+    HTTP_STATUS=$(curl -Ik http://localhost:7880 | head -n1 | awk '{print $2}')
+    if [ $HTTP_STATUS == 200 ]; then
+      break
+    fi
+    sleep 5
+  done
+  EOF
+
+  restart_script = <<-EOF
+  #!/bin/bash -x
+  set -e
+  # Stop all services
+  systemctl stop openvidu
+
+  # Update config from secret
+  /usr/local/bin/update_config_from_secret.sh
+
+  # Start all services
+  systemctl start openvidu
+  EOF
+
+  user_data = <<-EOF
+  #!/bin/bash -x
+  set -eu -o pipefail
+
+  # install.sh
+  cat > /usr/local/bin/install.sh << 'INSTALL_EOF'
+  ${local.install_script}
+  INSTALL_EOF
+  chmod +x /usr/local/bin/install.sh
+
+  # after_install.sh
+  cat > /usr/local/bin/after_install.sh << 'AFTER_INSTALL_EOF'
+  ${local.after_install_script}
+  AFTER_INSTALL_EOF
+  chmod +x /usr/local/bin/after_install.sh
+
+  # update_config_from_secret.sh
+  cat > /usr/local/bin/update_config_from_secret.sh << 'UPDATE_CONFIG_EOF'
+  ${local.update_config_from_secret_script}
+  UPDATE_CONFIG_EOF
+  chmod +x /usr/local/bin/update_config_from_secret.sh
+
+  # update_secret_from_config.sh
+  cat > /usr/local/bin/update_secret_from_config.sh << 'UPDATE_SECRET_EOF'
+  ${local.update_secret_from_config_script}
+  UPDATE_SECRET_EOF
+  chmod +x /usr/local/bin/update_secret_from_config.sh
+
+  # get_value_from_config.sh
+  cat > /usr/local/bin/get_value_from_config.sh << 'GET_VALUE_EOF'
+  ${local.get_value_from_config_script}
+  GET_VALUE_EOF
+  chmod +x /usr/local/bin/get_value_from_config.sh
+
+  # store_secret.sh
+  cat > /usr/local/bin/store_secret.sh << 'STORE_SECRET_EOF'
+  ${local.store_secret_script}
+  STORE_SECRET_EOF
+  chmod +x /usr/local/bin/store_secret.sh
+
+  # check_app_ready.sh
+  cat > /usr/local/bin/check_app_ready.sh << 'CHECK_APP_EOF'
+  ${local.check_app_ready_script}
+  CHECK_APP_EOF
+  chmod +x /usr/local/bin/check_app_ready.sh
+
+  # restart.sh
+  cat > /usr/local/bin/restart.sh << 'RESTART_EOF'
+  ${local.restart_script}
+  RESTART_EOF
+  chmod +x /usr/local/bin/restart.sh
+
+  apt-get update && apt-get install -y
+
+  # Install google cli 
+  if ! command -v gcloud >/dev/null 2>&1; then
+    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
+    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
+    apt-get update && apt-get install -y google-cloud-cli
+  fi
+
+  # Authenticate with gcloud using instance service account
+  gcloud auth activate-service-account --key-file=/dev/null 2>/dev/null || true
+  gcloud config set account $(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google")
+
+  export HOME="/root"
+
+  # Install OpenVidu
+  /usr/local/bin/install.sh || { echo "[OpenVidu] error installing OpenVidu"; exit 1; }
+
+  #Config blob storage
+  # /usr/local/bin/config_blobStorage.sh || { echo "[OpenVidu] error configuring Blob Storage"; exit 1; }
+
+  # Start OpenVidu
+  systemctl start openvidu || { echo "[OpenVidu] error starting OpenVidu"; exit 1; }
+
+  # Update shared secret
+  /usr/local/bin/after_install.sh || { echo "[OpenVidu] error updating shared secret"; exit 1; }
+
+  # Launch on reboot
+  echo "@reboot /usr/local/bin/restart.sh >> /var/log/openvidu-restart.log" 2>&1 | crontab
+
+  # Wait for the app
+  /usr/local/bin/check_app_ready.sh
+  EOF
+
 }
--- a/openvidu-deployment/community/singlenode/gcp/variables.tf
+++ b/openvidu-deployment/community/singlenode/gcp/variables.tf
@ -63,7 +63,7 @@ variable "letsEncryptEmail" {
  default     = ""
 }

-variable "additional_install_flags" {
+variable "additionalInstallFlags" {
  description = "Comma-separated additional flags passed to the OpenVidu installer"
  type        = string
  default     = ""
@ -93,12 +93,6 @@ variable "instanceType" {
  default     = "e2-standard-8"
 }

-variable "boot_image" {
-  description = "Boot image for the instance (family or specific image)"
-  type        = string
-  default     = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2204-lts"
-}
-
 variable "bucketName" {
  description = "If empty, a GCS bucket will be created for app data and recordings"
  type        = string