Configure a Firewall and a Startup Script with Deployment Manager https://www.qwiklabs.com/focuses/1736?parent=catalog

step1-qwiklabs.jinja

resources:
- type: compute.v1.instance
  name: vm-test
  properties:
    zone: {{ properties["zone"] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro
    # For examples on how to use startup scripts on an instance, see:
    #   https://cloud.google.com/compute/docs/startupscript
    metadata:
      items:
      # For more ways to use startup scripts on an instance, see:
      #   https://cloud.google.com/compute/docs/startupscript
      - key: startup-script
        value: |
          {{ properties["startup-script"]|indent(10) }}
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        diskName: disk-{{ env["deployment"] }}
        sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
      # Access Config required to give the instance a public IP address
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT

step1-qwiklabs.yaml

# Copyright 2016 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

imports:
- path: qwiklabs.jinja

resources:
- name: qwiklabs
  type: qwiklabs.jinja
  properties:
    zone: us-central1-a
    startup-script: |
      #!/bin/bash
      apt-get update
      apt-get install -y apache2

step2-qwiklabs.jinja

resources:
- name: default-allow-http
  type: compute.v1.firewall
  properties:
    targetTags: ["http"]
    sourceRanges: ["0.0.0.0/0"]
    allowed:
      - IPProtocol: TCP
        ports: ["80"]
- type: compute.v1.instance
  name: vm-test
  properties:
    zone: {{ properties["zone"] }}
    tags:
      items: ["http"]
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro
    # For examples on how to use startup scripts on an instance, see:
    #   https://cloud.google.com/compute/docs/startupscript
    metadata:
      items:
      # For more ways to use startup scripts on an instance, see:
      #   https://cloud.google.com/compute/docs/startupscript
      - key: startup-script
        value: |
          {{ properties["startup-script"]|indent(10) }}
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        diskName: disk-{{ env["deployment"] }}
        sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
      # Access Config required to give the instance a public IP address
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT

step1:

gcloud deployment-manager deployments create qwiklabs --config qwiklabs.yaml

step2:

gcloud deployment-manager deployments update  qwiklabs --config qwiklabs.yaml