Skip to content

Latest commit

 

History

History
113 lines (82 loc) · 7.88 KB

File metadata and controls

113 lines (82 loc) · 7.88 KB

Terraform Google Cloud Storage Module

This module makes it easy to create a GCS bucket, and assign basic permissions on it to arbitrary users.

The resources/services/activations/deletions that this module will create/trigger are:

  • One GCS bucket
  • Zero or more IAM bindings for that bucket

Compatibility

This module is meant for use with Terraform 0.13+.

Usage

Basic usage of this module is as follows:

module "bucket" {
  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
  version = "~> 9.0"

  name       = "example-bucket"
  project_id = "example-project"
  location   = "us-east1"
  iam_members = [{
    role   = "roles/storage.objectViewer"
    member = "user:[email protected]"
  }]
}

Functional examples are included in the examples directory.

Inputs

Name Description Type Default Required
autoclass While set to true, autoclass is enabled for this bucket. bool false no
bucket_policy_only Enables Bucket Policy Only access to a bucket. bool true no
cors Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. any [] no
custom_placement_config Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null.
object({
data_locations = list(string)
})
null no
encryption A Cloud KMS key that will be used to encrypt objects inserted into this bucket. To use a Cloud KMS key automatically created by the module use internal_encryption_config.
object({
default_kms_key_name = string
})
null no
force_destroy When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. bool false no
iam_members The list of IAM members to grant permissions on the bucket.
list(object({
role = string
member = string
}))
[] no
internal_encryption_config Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket
instead of creating one in advance and providing the key in the variable encryption.default_kms_key_name.
create_encryption_key: If true a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created
prevent_destroy: Set the prevent_destroy lifecycle attribute on keys.
key_destroy_scheduled_duration: Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
key_rotation_period: Generate a new key every time this period passes.
object({
create_encryption_key = optional(bool, false)
prevent_destroy = optional(bool, false)
key_destroy_scheduled_duration = optional(string, null)
key_rotation_period = optional(string, "7776000s")
})
{} no
labels A set of key/value label pairs to assign to the bucket. map(string) null no
lifecycle_rules The bucket's Lifecycle Rules configuration.
list(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = any

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
# - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
condition = any
}))
[] no
location The location of the bucket. See https://cloud.google.com/storage/docs/locations. string n/a yes
log_bucket The bucket that will receive log objects. string null no
log_object_prefix The object prefix for log objects. If it's not provided, by default GCS sets this to this bucket's name string null no
name The name of the bucket. string n/a yes
project_id The ID of the project to create the bucket in. string n/a yes
public_access_prevention Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint. string "inherited" no
retention_policy Configuration of the bucket's data retention policy for how long objects in the bucket should be retained.
object({
is_locked = bool
retention_period = number
})
null no
soft_delete_policy Soft delete policies to apply. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#nested_soft_delete_policy
object({
retention_duration_seconds = optional(number)
})
{} no
storage_class The Storage Class of the new bucket. string null no
versioning While set to true, versioning is fully enabled for this bucket. bool true no
website Map of website values. Supported attributes: main_page_suffix, not_found_page map(any) {} no

Outputs

Name Description
bucket The created storage bucket
internal_kms_configuration The intenal KMS Resource.
name Bucket name.
url Bucket URL.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Service Account

User or service account credentials with the following roles must be used to provision the resources of this module:

  • Storage Admin: roles/storage.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.